Hybrid Approaches Towards Optimized Network Discovery Techniques - PowerPoint PPT Presentation

1
Hybrid Approaches Towards Optimized Network
Discovery Techniques
  • By David Meltzer

2
  • Preface
  • Download the tool I'm presenting:
  • http://www.cambia.com/papmap

3
  • The Premise
  • A tool that gave you a constantly updated
    real-time view of the devices on a network would
    be a really useful thing to have.

4
  • Agenda
  • Active vs. passive network discovery
  • Hybrid discovery
  • Introduce PAPMap
  • DEMO
  • Conclusions

5
  • Network Discovery Defined
  • Answer These Questions
  • What hosts are on the network?
  • What ports are open?
  • What services are running?
  • What is the configuration state of those
    services?
  • As deep as you want to go

6
  • Assumptions
  • No host-based tools
  • No access to routers or switches
  • Network changes

7
  • Active vs. Passive Discovery
  • Active: directly probe devices by sending packets
    to them.
    e.g. nmap
  • Passive: listen silently to network traffic.
    e.g. sniffers, IDS, p0f, etc.
  • Some commercial tools.

8
  • Passive Discovery History
  • Passive vulnerability signatures in RealSecure
    IDS - Meltzer 97
  • Passive Vulnerability Detection - Gula 99
  • Target-Based IDS - Roesch 00
  • Vulnerability Detection Systems (VDS) - Meltzer 02
  • Passive Vulnerability Scanner (PVS) - Gula 03
  • Passive Network Discovery Systems (PNDS) - Roesch 04

9
  • Comparing Discovery Techniques
  • The Metrics
  • Turbidity: disruptiveness to network/hosts
  • Speed: time-to-detect
  • Coverage: what can it tell you?
  • Accuracy: false positives/negatives?

10
  • Passive Discovery Analysis: Turbidity
  • Listening is safe (mostly).
  • Why people like IDS.
  • Why people like anything passive.

11
  • Passive Discovery Analysis: Speed
  • Real-time once running
  • But not at first use: a listener learns nothing
    until hosts generate traffic

12
  • Passive Discovery Analysis: Coverage
  • Good for discovering the basics
  • Bad for discovering the details
  • Some things only/better discovered passively
  • Some things discovered equally well passively or
    actively
  • MANY things only discovered actively

13
  • Passive Discovery Analysis: Accuracy
  • Depends
  • IF you are content with poor coverage, you can
    have perfectly accurate passive scanning.

14
  • Hybrid Discovery Approach
  • Realizing active and passive discovery are
    complementary techniques
  • Why should you have to choose?

15
  • Hybrid Network Discovery Defined
  • Gathering network inventory data using both
    active and passive techniques integrated into a
    single system.

16
  • Hybrid Advantages
  • Independent active/passive engines:
    Double the hassle
    Substantially more turbidity
    Wastes resources
    Conflicts resolved manually
  • Hybrid approach:
    Single configuration
    Uses less bandwidth than pure active
    Single output

17
  • Hybrid Discovery
  • Introducing PAPMap
  • Combines passive and active scanning techniques
    for network discovery.
  • Operates as a drop-in replacement for nmap.
  • Utilizes nmap for active discovery.
  • A complete and functional hybrid scanner.

18
  • PAPMap v1.0 Requirements
  • R-1. Takes same command line as nmap.
  • R-2. Produces almost same output as nmap.
  • R-3. Runs an nmap scan, then switches to passive
    listening mode and updates the output any time a
    change in TCP port open/closed state is detected.

19
  • PAPMap v2.0 Requirements
  • v1.0 plus
  • R-1. Linux version
  • R-2. UDP port discovery
  • R-3. Passive app-layer service detection
  • R-4. Hybrid Features
  • a. Integrated active port scans
  • b. Integrated active service detection
  • c. Scheduled active rescans
  • d. Optimized active rescans
  • e. Passive-first mode

20
  • PAPMap History
  • V1.0 released July 2004 @ ruxcon.au
  • Proof of concept
  • Windows only
  • TCP port discovery only
  • V2.0 released now.
  • Ready for primetime

21
  • PAPMap Basic Usage Part I
  • nmap:
    nmap -oX nmap-results.xml 192.168.1.0/24
  • papmap:
    papmap -oX nmap-results.xml 192.168.1.0/24

22
  • PAPMap Basic Usage Part II
  • Executes nmap
  • Loads nmap XML output into in-memory database
  • Starts listening promiscuously on network

23
  • PAPMap Basic Usage Part III
  • A line is written to stdout indicating the new
    status of the port.
  • The nmap XML file is updated to reflect the
    real-time state of the network being mapped
    (updates are cached to avoid thrashing the disk).
  • Monitoring continues until user quits.

24
  • PAPMap Features
  • TCP Port Discovery
  • Port is listening IF
    SYN sent TO port AND
    SYN/ACK reply FROM port
  • Port is NOT listening IF
    SYN sent TO port AND
    RST reply FROM port
  • No reply to a SYN: is the port closed?
    Did I drop a packet?
    Was the SYN malformed?
    Firewall?

25
  • PAPMap Features
  • UDP Port Discovery
  • UDP Is Always Hard
  • Port is active IF
    traffic is seen coming FROM the port
  • BUT
    Is it listening, or just a client?
    And how do I know if it closes?
  • Evidence
    ICMP unreachables
    Sending to multiple destinations
    Active probing results
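The UDP evidence rules on this slide, worked as an added Python example (not PAPMap's code): the class, the two-peer threshold and the verdict labels are assumptions. Newer evidence beats older, so an ICMP unreachable seen after earlier traffic is how the "how do I know if it closes?" question gets answered.

```python
from collections import defaultdict

class UdpEvidence:
    """Passive UDP port evidence, following the slide's three evidence sources.
    Assumed design for this example, not PAPMap's code; the peer threshold
    and verdict labels are arbitrary choices."""

    def __init__(self, min_peers=2):
        self.min_peers = min_peers
        self.peers = defaultdict(set)  # (host, port) -> destinations it has sent to
        self.last_seen = {}            # (host, port) -> time of last datagram FROM it
        self.closed_at = {}            # (host, port) -> time of last ICMP port-unreachable
        self.probed = {}               # (host, port) -> result of an active nmap probe

    def udp_from(self, ts, src, sport, dst):
        """A datagram was seen leaving src:sport towards dst."""
        key = (src, sport)
        if self.closed_at.get(key, -1.0) > self.last_seen.get(key, -1.0):
            self.peers[key].clear()    # port closed since we last saw it: old peers are stale
        self.peers[key].add(dst)
        self.last_seen[key] = ts

    def icmp_unreachable(self, ts, host, port):
        """host answered a datagram to host:port with ICMP port-unreachable."""
        self.closed_at[(host, port)] = ts

    def active_result(self, host, port, state):
        """Record the outcome of an active UDP probe ('open' or 'closed')."""
        self.probed[(host, port)] = state

    def classify(self, host, port):
        key = (host, port)
        if key in self.probed:                 # active probing is the strongest evidence
            return self.probed[key]
        if self.closed_at.get(key, -1.0) > self.last_seen.get(key, -1.0):
            return "closed"                    # newest evidence is an unreachable
        n = len(self.peers.get(key, ()))
        if n >= self.min_peers:
            return "open"                      # talks to many peers: a listener, not a client
        if n == 1:
            return "active"                    # traffic seen, but listener or client? unknown
        return "unknown"
```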

26
  • PAPMap Features
  • Service Detection
  • 1. Reassemble TCP Stream
  • 2. Grab initial banner prior to client-side
    command
  • 3. Match against null probe signature database
  • 4. Match client-side command to client probe
    command database
  • 5. Grab subsequent banner
  • 6. Match against probe signature database
  • 7. Output identified service in same format as if
    nmap had actively probed for it.
  • Uses same file format as nmap services probes.
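An added example (not PAPMap's or nmap's code) of steps 3 and 6 above: matching a captured banner against signatures written in the nmap-service-probes `match` line syntax. Only the m<delim>regex<delim>[is] pattern form and the p/ v/ i/ version fields are handled; the three signature lines and the banners in the test are constructed for the example.

```python
import re

# Constructed signature lines in nmap-service-probes "match" syntax (subset:
# m<delim>regex<delim>[is] patterns and the p/ v/ i/ version fields only).
SIGNATURE_LINES = r"""
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w.]+)|s p/Apache httpd/ v/$1/
match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/
""".strip().splitlines()

# match <service> m<delim><regex><delim>[flags] <versioninfo fields...>
LINE_RE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"([pvi])/([^/]*)/")

def parse_match_line(line):
    """Parse one 'match' line into (service, compiled regex, version fields)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: " + line)
    service, _delim, pattern, flags, rest = m.groups()
    reflags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    return service, re.compile(pattern, reflags), dict(FIELD_RE.findall(rest))

def load_signatures(lines=SIGNATURE_LINES):
    return [parse_match_line(line) for line in lines]

def identify(banner, signatures):
    """Return (service, {field: expanded value}) for the first signature that
    matches the captured banner, or None if nothing matches. $N inside a
    version field is replaced by the Nth regex group, as nmap does."""
    for service, regex, fields in signatures:
        hit = regex.search(banner)
        if hit is None:
            continue
        expand = lambda text: re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))), text)
        return service, {name: expand(value) for name, value in fields.items()}
    return None
```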

27
  • PAPMap Features
  • Hybrid Host/Port Scans
  • IF a new host is detected passively
  • Launch nmap scan against host to determine open
    ports
  • IF a new port is detected passively
  • Launch nmap service detection against port to
    identify service

28
  • PAPMap Features
  • Active rescans
  • On a scheduled time interval, relaunch nmap and
    rescan to update with the newest active
    information.
  • Optimization: if a port's state was determined
    passively within N seconds of the active rescan,
    do not actively probe it.
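The SYN / SYN-ACK / RST rules from the TCP Port Discovery slide and the rescan optimization above, worked as an added Python example (not PAPMap's code; the class, its field names and the packet records are assumptions). The constructed packet list stands in for sniffer output; the unanswered SYN is deliberately left undecided for the reasons that slide lists.

```python
class PassivePortDB:
    """In-memory port database fed by sniffed TCP handshakes (assumed design)."""
    def __init__(self):
        self.state = {}    # (host, port) -> (verdict, time of the passive evidence)
        self.pending = {}  # (client, cport, host, port) -> time the SYN was seen

    def observe(self, ts, src, sport, dst, dport, flags):
        """Feed one packet (flags like 'S', 'SA', 'RA'); returns (verdict, host, port)
        when a port state is learned, else None."""
        if flags == "S":                    # bare SYN: remember who asked whom
            self.pending[(src, sport, dst, dport)] = ts
            return None
        syn_key = (dst, dport, src, sport)  # a reply reverses the 4-tuple
        if syn_key not in self.pending:
            return None                     # unsolicited packet: nothing to infer
        del self.pending[syn_key]
        if "S" in flags and "A" in flags:   # SYN/ACK from the port -> listening
            verdict = "open"
        elif "R" in flags:                  # RST (usually RST/ACK) -> not listening
            verdict = "closed"
        else:
            return None
        self.state[(src, sport)] = (verdict, ts)
        return verdict, src, sport

    def unanswered(self, now, timeout):
        # SYNs with no reply: deliberately NOT marked closed, since a dropped
        # packet, a malformed SYN and a firewall all look identical on the wire.
        return [k for k, t in self.pending.items() if now - t > timeout]

    def ports_to_probe(self, candidates, now, n_seconds):
        # Rescan optimisation: skip ports whose state was learned passively
        # within the last n_seconds; everything else goes to nmap.
        return [k for k in candidates
                if k not in self.state or now - self.state[k][1] > n_seconds]

# Constructed sniffer output: (time, src, sport, dst, dport, flags)
PACKETS = [
    (100.0, "10.0.0.5", 40001, "10.0.0.9", 22, "S"),
    (100.1, "10.0.0.9", 22, "10.0.0.5", 40001, "SA"),   # 22 is listening
    (100.2, "10.0.0.5", 40002, "10.0.0.9", 23, "S"),
    (100.3, "10.0.0.9", 23, "10.0.0.5", 40002, "RA"),   # 23 is not
    (100.4, "10.0.0.5", 40003, "10.0.0.9", 8080, "S"),  # never answered
    (100.5, "10.0.0.9", 443, "10.0.0.5", 40004, "SA"),  # no SYN seen: ignored
]

def replay(packets=PACKETS):
    db = PassivePortDB()
    for pkt in packets:
        db.observe(*pkt)
    return db
```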

29
  • PAPMap Features
  • Passive-first/only mode
  • Start building discovery database in passive mode
    without first actively scanning from nmap.
  • Combine with active rescans or use as a pure
    passive tool.

30
  • PAPMap v2.0 Demo

31
  • PAPMap Status
  • v2.0 released at Pacsec 04
  • Source and binaries freely available right now at
    http://www.cambia.com/papmap

32
  • Questions
  • ?