Change Management: DYNAMIC NETWORK MAPPING. LinuxWorld San Francisco Security Track. Presented by Joshua D. Abraham.

Similar documents
CIT 480: Securing Computer Systems

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

Know your network. NebraskaCERT May 2006 CSF. Aaron Grothe CISSP/Security+

Evaluating Website Security with Penetration Testing Methodology

Practical Training in. IT-Security. Information gathering. - Experiment manual - Tasks. B.Sc. BG 24 M.Sc. AI MN 1 M.Sc. EB 10

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

What this talk is about?

Ethical Hacking Basics Course

Nessus Scan Report. Hosts Summary (Executive) Hosts Summary (Executive) Mon, 15 May :27:44 EDT

Nmap & Metasploit. Chun-Jen (James) Chung. Arizona State University

Network Security: Scan

Security principles Host security

Basics of executing a penetration test

Basic Linux Security. Roman Bohuk University of Virginia

Penetration Testing with Kali Linux

Using Neural Networks for remote OS Identification

This material is based on work supported by the National Science Foundation under Grant No

The Wonderful World of Services VINCE

Manual Shell Script Linux If File Exists And

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

netcat Johannes Franken

Revolutionizing Active Operating System Fingerprinting The Present & Future of Xprobe2. Ofir Arkin

Handbook. Step by step practical hacking training

SinFP3. More Than a Complete Framework for Operating System Fingerprinting v1.0. Patrice

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Module 19 : Threats in Network What makes a Network Vulnerable?

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.2

Unicornscan Documentation Getting Started

Preview from Notesale.co.uk Page 3 of 36

Assessment. automation: Deux ex Machina. Rube Goldberg Machine? 2005 LAS VEGAS

Sam Spade 1.14 Open Source Security Tool by Steve Atkins

Intrusion Detection System (IDS) IT443 Network Security Administration Slides courtesy of Bo Sheng

Layered Networking and Port Scanning

CSC 574 Computer and Network Security. TCP/IP Security

FOCUS on Intrusion Detection: Intrusion Detection Level Analysis of Nmap and Queso Page 1 of 6

Some Ubuntu Practice...

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Ofir Arkin CTO

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN

On Assessing the Impact of Ports Scanning on the Target Infrastructure

Buzztouch Server 2.0 with Amazon EC2

CEH Tools. Sniffers. - Wireshark: The most popular packet sniffer with cross platform support.

Building an IPS solution for inline usage during Red Teaming

Coding for Penetration

Linux Essentials Objectives Topics:

Manual Shell Script Linux If Not Exist Directory Does

Project 4: Penetration Test

OptiRain Open 2 Installation Guide for LInux. This guide provides general instructions for installing OptiRain Open 2 on a Linux based server.

Freshservice Discovery Probe User Guide

CDX REPORT TEAM #8 JACOB CHAPMAN SNEHESH THALAPANENI DEVISHA SRIVASTAVA

Bitnami MariaDB for Huawei Enterprise Cloud

Nsauditor White Paper. Abstract

CE Advanced Network Security Honeypots

Blacklist'd. A daemon to manage network attacks. Christos Zoulas

Linux Systems Administration Getting Started with Linux

COMS 6100 Class Notes 3

IK2206 Internet Security and Privacy Firewall & IP Tables

Linux Systems Security. Logging and Network Monitoring NETS1028 Fall 2016

Laboratory assignment 5 Sunscreen firewall Applied Computer Security B, 5p DTAB80

TexSaw Penetration Te st in g

Once the VM is started, the VirtualBox OS Manager window can be closed. But our Ubuntu VM is still running.

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

Relay Proxy User Guide

B a s h s c r i p t i n g

Deployment, Testing of the Framework and Results Obtained

OSSIM data flow. (

Coding for Penetration Testers Building Better Tools

Host Identity Sources

Introduction: What is Unix?

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Parallels Plesk Control Panel. Plesk 8.4 for Linux/Unix Firewall Module Administrator's Guide. Revision 1.0

Install Cacti on Debian, CentOS, SuSE and Gentoo Linux - Tracking graphically server performance

Firewall Identification: Banner Grabbing

Bitnami MySQL for Huawei Enterprise Cloud

Ftp Command Line Manual Windows Example Port 22

Network Monitoring & Management. A few Linux basics

NCAR-Developed Tools. Bill Anderson and Marc Genty National Center for Atmospheric Research HUF 2017

Web Server ( ): FTP, SSH, HTTP, HTTPS, SMTP, POP3, IMAP, POP3S, IMAPS, MySQL (for some local services[qmail/vpopmail])

Computer Science 3CN3 and Software Engineering 4C03 Final Exam Answer Key

Perl and R Scripting for Biologists

ANTIVIRUS SITE PROTECTION (by SiteGuarding.com)

Linux at the Command Line Don Johnson of BU IS&T

SANS SEC504. Hacker Tools, Techniques, Exploits and Incident Handling.

McAfee Certified Assessment Specialist Network

*nix Crash Course. Presented by: Virginia Tech Linux / Unix Users Group VTLUUG

Bitnami OroCRM for Huawei Enterprise Cloud

Bitnami Pimcore for Huawei Enterprise Cloud

Manually Ftp Windows Xp Command Line Port Scan

Service Cloaking and Anonymous Access; Combining Tor with Single Packet Authorization (SPA)

CENG 334 Computer Networks. Laboratory I Linux Tutorial

NEW TOOLS. ngage vaping. MATT GRISWOLD

Certified Vulnerability Assessor

Using RANCID. Contents. 1 Introduction Goals Notes Install rancid Add alias Configure rancid...

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Faulds: A Non-Parametric Iterative Classifier for Internet-Wide OS Fingerprinting

Configuring Vulnerability Assessment Devices

RSA NetWitness Logs. Tenable Nessus. Event Source Log Configuration Guide. Last Modified: Wednesday, August 09, 2017

Introduction to Linux. Woo-Yeong Jeong Computer Systems Laboratory Sungkyunkwan University

Transcription:

Change Management: DYNAMIC NETWORK MAPPING LinuxWorld San Francisco Security Track Presented by Joshua D. Abraham August 16th 2006 jabra@ccs.neu.edu Northeastern University

Agenda How do we scan? What are the limitations of the tools? Nmap and Xprobe What are new ways to handle these limitations? PBNJ 1.0 PBNJ 2.0 3 of 40

Knowledge is Everything What your machines are running? What other machines on your network are running? If you don't know your network & when it's changing, you're not secure Changes that occur ex: Rogue FTP service Web server keeps crashing 4 of 40

Who Needs to Know this? Network Managers Unix Admins Windows Admins Network Admins Security Professionals 5 of 40

Current Technologies Active Scanners Network Mapping Vulnerability Scanner (Nikto & Nessus) Application Mapping (Nmap & Xprobe) (Nmap & Amap) Passive Scanners P0f, PADS, etc 6 of 40

Active Scanners Scan only the targets you want single target or range of targets Control over the scan XML Output (Nmap and Nessus) 7 of 40

Fingerprinting Probes TCP SYN, TCP Connect, Xmas Tree, ACK ICMP echo (ping), timestamp req, info req or UDP closed port Compare the properties for each OS database or matrix 8 of 40

Version Detection Connection to port soft banner or hard banner Probe service for banner (NULL, Get, help, etc) Compare banner and service list for a match using Regular expressions Then pull out the Version from the banner 9 of 40

Passive Scanners Can handle range of IPs and is not limited to specific target or targets Version Detection banner grabbing Fingerprint 10 of 40

Limitations of Active Scanners Out of date instantly Loud This can alert targets of you (IDS & logs) Quality of scan can be affected firewalls, routers and targets firewalls Affect targets TCP stack state tables logs 11 of 40

Nmap's Limitations Only a snapshot in time Banner grabbing isn't displayed Fingerprinting isn't very accurate 4.20 >= are a lot better than previous versions Still not perfect 12 of 40

Nmap Changes Demo ( tkdiff ) 13 of 40

Changes with Nmap tkdiff is ok for the people who like gui's people who have the time for dealing with comparing files what about diff & grep? 14 of 40

Nmap Changes by Hand 1 $ diff -u test1.out test2.out grep -Eo \ "((^\+[0-9].*) (^\-[0-9].*))" +25/tcp open smtp Postfix smtpd Not bad but I want to be notified via email 15 of 40

Nmap Changes by Hand 2 $ diff -u test1.out test2.out grep -Eo \ "((^\+[0-9].*) (^\-[0-9].*))" \\ mail Changes `date` root 16 of 40

Nmap Changes by Hand 3 Store the previous and the current in logical files diff -u prev.out current.out grep -Eo \ "((^\+[0-9].*) (^\-[0-9].*))" \\ mail Changes `date` root 17 of 40

Issues Good and Bad Good Works okay for a single IP Email is a plus Could be automated (requires scripting) Bad Tedious Does not work with IP ranges Error prone Not flexible 18 of 40

Xprobe's Limitations Lack of intelligence in scanning Database is out of date Based on ICMP probes Can be and is often intentionally blocked Doesn't have the dev community Nmap does 19 of 40

Limitations of Passive Scanners Need privileges to sniff Encrypted or Tunnelled traffic hidden Identification mostly based on banner Does not work on a switched network, spanning ports are needed 20 of 40

What if we store the information, so we can monitor changes over time? 21 of 40

PBNJ 1.0 First tool to monitors changes over time Based on Nmap scan parsed to Amap Security LiveCDs (Backtrack and nubuntu) Output CSV TABS CSV parsed to HTML Email (whole output, just the latest changes or both) 22 of 40

PBNJ 1.0 - Limitations Not efficient does not use modules does not use Nmap's XML output Stores data in a CSV file User looks directly at the CSV file 23 of 40

PBNJ 2.0 - Redesign Plan Deprecate Amap (low number of dependencies) Store the information from the scans in database Flexible for user queries Parse XML rather than text 24 of 40

PBNJ 2.0 - Store Data in Database SQLite (File database) doesn't require a real DB won't have to worry about secure connection to DB won't require a lot of effort to use User can dump the data elsewhere if needed Configurable for any DBI database 25 of 40

Scanner Functionality DB Nmap Nmap:: Parser scanpbnj 26 of 40

PBNJ 2.0 Increased Flexibility User specified information history of the scans specific timespan previous scan Used with other tools develop other tools to process the data develop other tools to parse the data 27 of 40

PBNJ 2.0 - Output the way you want it CSV TAB HTML Standard Output... develop a module... 28 of 40

Output Functionality 1 Query Config outputpbnj 2 DB 3 Output 29 of 40

Query Configuration File ry e u Q f o Name n o i t p i r c Des Query Version to compare 30 of 40

PBNJ 2.0 Easily extract the data you need User wants specific information develop a SQL query use popular SQL queries Have only the information you want in output Transfer data to real database(e.g. mysql) 31 of 40

Scan Insert Host Inserting Machine Running SSH and SMTP 32 of 40

Scan Without Change No State or Version/Product Changes 33 of 40

Output - Database Process Demo ut p t Ou y r e u Q of Output to file 34 of 40

Scan - Service Change Stop Service Service State Down 35 of 40

Output - Latestinfo Query Hostname Protocol State Date of Change Service Version 36 of 40

Scan Nmap XML Input Nmap XML file 37 of 40

Shell Script for Alerting #!/bin/bash # PBNJ 2.0 script to only send an email when a new change occurs DIR=/root/data CHANGE=change.out TMP=tmp.out USER=root SUBJECT="[PBNJ] Latestinfo Alert `date`" # sends the changes in email to the user send_mail() { mv $TMP $CHANGE cat $CHANGE mail -s "$SUBJECT" "$USER" } mkdir -p $DIR cd $DIR scanpbnj 192.168.10.0/24 > /dev/null 2> /dev/null outputpbnj -q latestinfo -t csv > $TMP 2> /dev/null if [ -e $CHANGE ] ; then diff $CHANGE $TMP > /dev/null if [ $? -ne 0 ] ; then send_mail fi else send_mail fi 38 of 40

Set Proper Privs Make sure the file is executable: $ sudo chmod +x /root/bin/alert_changes.sh 39 of 40

Add Entry to Crontab We then add the script to the Cron scheduler. # scan of the 10 network every 2 hours #m h dom mon dow user command 16 */2 * * * root /root/bin/alert_changes.sh 40 of 40

Scenario Discovery Scheduled Scans of a Range All machines running only SSH Rogue FTP Service Service or Host Discovery 41 of 40

Scenario Monitor Runs web server Notice Web server crashes Scheduled Scans of Localhost Monitor Local or Remote Systems 42 of 40

Demo PBNJ 2.0 43 of 40

Available Today PBNJ a suite of tools to monitor changes on a network over time http://pbnj.sourceforge.net Version 2.0 available today! Version 1.0 still available http://www.samag.com/documents/s=10112/sam0702a/ 0702a.htm http://pbnj.sf.net/scripts/alert_changes.sh 44 of 40

Install PBNJ with Package Management Debian ( as root ) apt-get install pbnj Gentoo ( as root ) emerge pbnj FreeBSD ( as root ) cd /usr/ports/security/pbnj make install clean 45 of 40

Q/A 46 of 40

References Fyodor, Remote OS detection via TCP/IP Stack FingerPrinting, June 2002 Arkin Ofir, ICMP Usage in Scanning Version 3.0, June 2001 Skoudis Ed, Counter Hack, Prentice Hall 2002 2002er Emailing a text-message to a phone http://www.livejournal.com/tools/textmessage.bml?mode=details 47 of 40

PBNJ 2.0 - Schema Machine Table changes mean a new machine Service Table state changes version changes banner changes 48 of 40

Thank You for Coming! 49 of 40

50 of 40

51 of 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback