
Hybrid Approaches Towards Optimized Network Discovery Techniques

By David Meltzer

Preface

Download the tool I'm presenting about: http://www.cambia.com/papmap

The Premise

A tool that gave you a constantly updated real-time view of the devices on a network would be a really useful thing to have.

Agenda

- Active vs. passive network discovery
- Hybrid discovery
- Introduce PAPMap
- Demo
- Conclusions

Network Discovery Defined

Answer these questions:

- What hosts are on the network?
- What ports are open?
- What services are running?
- What is the configuration state of those services?
- As deep as you want to go

Assumptions

- No host-based tools
- No access to routers or switches
- Network changes

Active vs. Passive Discovery

Active: Directly probe devices by sending packets to them. Example: nmap.

Passive: Listen silently to network traffic. Examples: sniffers, IDS, p0f, etc. Some commercial tools.

Passive Discovery History

- Passive vulnerability signatures in RealSecure IDS - Meltzer 97
- Passive Vulnerability Detection - Gula 99
- Target-Based IDS - Roesch 00
- Vulnerability Detection Systems (VDS) - Meltzer 02
- Passive Vulnerability Scanner (PVS) - Gula 03
- Passive Network Discovery Systems (PNDS) - Roesch 04

Comparing Discovery Techniques

The metrics:

- Turbidity: Disruptiveness to network/hosts
- Speed: Time-to-detect
- Coverage: What can it tell you?
- Accuracy: False positives/negatives?

Passive Discovery Analysis: Turbidity

Listening is safe (mostly).

Why people like IDS. Why people like anything passive.

Passive Discovery Analysis: Speed

Real-time.

But at first use.

Passive Discovery Analysis: Coverage

Good for discovering the basics. Bad for discovering the details.

- Some things only/better discovered passively
- Some things discovered equally well passively or actively
- MANY things only discovered actively

Passive Discovery Analysis: Accuracy

Depends

IF you are content with poor coverage, you can have perfectly accurate passive scanning.

Hybrid Discovery Approach

Realizing active and passive discovery are complementary techniques.

Why should you have to choose?

Hybrid Network Discovery Defined

Gathering network inventory data using both active and passive techniques integrated into a single system.

Hybrid Advantages

Independent active/passive engines:

- Double the hassle
- Substantially more turbidity
- Waste resources
- Manually resolve conflicts

Hybrid approach:

- Single configuration
- Uses less bandwidth than pure active
- Single output

Hybrid Discovery: Introducing PAPMap

- Combines passive and active scanning techniques for network discovery.
- Operates as a drop-in replacement for nmap.
- Utilizes nmap for active discovery.
- A complete and functional hybrid scanner.

PAPMap v1.0 Requirements

R-1. Takes same command line as nmap.
R-2. Produces almost same output as nmap.
R-3. Runs nmap scan, then switches to passive listening mode and updates output any time a change in TCP port open/closed state is detected.

PAPMap v2.0 Requirements

v1.0 plus:

R-1. Linux version
R-2. UDP port discovery
R-3. Passive app-layer service detection
R-4. Hybrid features:
  a. Integrated active port scans
  b. Integrated active service detection
  c. Scheduled active rescans
  d. Optimized active rescans
  e. Passive-first mode

PAPMap History

V1.0 released July 2004 @ ruxcon.au
- Proof of concept
- Windows only
- TCP port discovery only

V2.0 released now.
- Ready for primetime

PAPMap Basic Usage: Part I

nmap:

  % nmap -oX nmap-results.xml 192.168.1.0/24

papmap:

  % papmap -oX nmap-results.xml 192.168.1.0/24

PAPMap Basic Usage: Part II

1. Executes nmap.
2. Loads nmap XML output into in-memory database.
3. Starts listening promiscuously on network.

PAPMap Basic Usage: Part III

4. Line output to stdout indicating new status of the port.
5. Nmap XML file is updated to reflect real-time state of network being mapped (but updates cached to avoid flailing disk).
6. Monitoring continues until user quits.

PAPMap Features: TCP Port Discovery

- Port is listening IF SYN sent TO port AND SYN/ACK reply FROM port
- Port is NOT listening IF SYN sent TO port AND RST reply FROM port
- No reply to a SYN: Is port closed? Did I drop a packet? Was SYN malformed? Firewall?
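The three rules on this slide as working code. This is an added example, not PAPMap's source: it tracks SYNs awaiting a reply, turns a SYN/ACK into "open" and an RST into "closed", and reports the unanswered SYNs separately, since those are exactly the ambiguous cases (closed, filtered, dropped, or never captured) that a hybrid tool would hand to an active probe. The segments are constructed in the demo function rather than read from a live capture, and the Segment class and field names are this example's own.

```python
# Added example (not PAPMap's code): passive TCP port-state inference from
# observed SYN exchanges. Segments are constructed below, not captured.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# TCP flag bits as laid out in the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class PassiveTcpMapper:
    """Derives open/closed verdicts for (host, port) pairs without sending a packet."""

    def __init__(self) -> None:
        # SYNs seen but not yet answered, keyed (client, cport, server, sport)
        self.pending: Set[Tuple[str, int, str, int]] = set()
        # (server, sport) -> "open" | "closed"
        self.state: Dict[Tuple[str, int], str] = {}

    def observe(self, seg: Segment) -> Optional[str]:
        """Feed one segment; returns the verdict it produced, if any."""
        # A bare SYN (no ACK) is a connection attempt towards seg.dst:seg.dport.
        if seg.flags & SYN and not seg.flags & ACK:
            self.pending.add((seg.src, seg.sport, seg.dst, seg.dport))
            return None
        # Anything else only counts as the reply to a SYN we saw, so look it
        # up with the addresses reversed.
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        if key not in self.pending:
            return None  # unsolicited or mid-stream traffic: no port-state evidence
        self.pending.discard(key)
        if seg.flags & SYN and seg.flags & ACK:
            verdict = "open"      # SYN/ACK from the port: something is listening
        elif seg.flags & RST:
            verdict = "closed"    # RST from the port: nothing listening
        else:
            return None
        self.state[(seg.src, seg.sport)] = verdict
        return verdict

    def unanswered(self) -> Set[Tuple[str, int]]:
        """SYNs with no reply yet: closed, filtered, dropped, or simply not captured.
        These are the ambiguous cases a hybrid scanner hands to an active probe."""
        return {(dst, dport) for (_, _, dst, dport) in self.pending}


def demo() -> Tuple[Dict[Tuple[str, int], str], Set[Tuple[str, int]]]:
    """Constructed sample traffic: one open port, one closed, one silent."""
    m = PassiveTcpMapper()
    m.observe(Segment("10.0.0.2", 40001, "10.0.0.5", 22, SYN))
    m.observe(Segment("10.0.0.5", 22, "10.0.0.2", 40001, SYN | ACK))
    m.observe(Segment("10.0.0.2", 40002, "10.0.0.5", 23, SYN))
    m.observe(Segment("10.0.0.5", 23, "10.0.0.2", 40002, RST | ACK))
    m.observe(Segment("10.0.0.2", 40003, "10.0.0.5", 80, SYN))
    return m.state, m.unanswered()


if __name__ == "__main__":
    state, silent = demo()
    print("verdicts:", state)
    print("unanswered SYNs:", silent)
```

Note that a SYN/ACK or RST arriving without a matching SYN is ignored rather than trusted; in a real capture that is the difference between a verdict backed by an observed exchange and one based on a stray packet.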

PAPMap Features: UDP Port Discovery

UDP is always hard.

- Port is active IF traffic coming from port
- BUT: Is it listening or just a client? And how do I know if it closes?
- Evidence: ICMP unreachables; sending to multiple destinations; active probing results
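The evidence on this slide turned into a classifier, as an added example that is not PAPMap's code. It keeps, per UDP endpoint, who it sent to, who sent to it, and which side of each pair spoke first; a port that answers a datagram it did not initiate is called listening, a source port talking to several hosts is called likely-listening, a port that only sends is merely active (it may be a client socket), and an ICMP port-unreachable from the host itself is the one piece of evidence that marks a port closed. The class and verdict strings are this example's own, and the sample datagrams in the demo are constructed.

```python
# Added example (not PAPMap's code): passive evidence accumulation for UDP
# ports. Verdicts follow the evidence listed on the slide above.
from collections import defaultdict
from typing import Dict, FrozenSet, Set, Tuple

Endpoint = Tuple[str, int]


class PassiveUdpMapper:
    def __init__(self) -> None:
        self.sent_to: Dict[Endpoint, Set[Endpoint]] = defaultdict(set)
        self.received_from: Dict[Endpoint, Set[Endpoint]] = defaultdict(set)
        # which endpoint spoke first in each (a, b) pair: the client side
        self.initiator: Dict[FrozenSet[Endpoint], Endpoint] = {}
        # endpoints whose host answered with ICMP type 3 / code 3 (port unreachable)
        self.unreachable: Set[Endpoint] = set()

    def udp(self, src: str, sport: int, dst: str, dport: int) -> None:
        """One observed UDP datagram."""
        a, b = (src, sport), (dst, dport)
        self.initiator.setdefault(frozenset((a, b)), a)
        self.sent_to[a].add(b)
        self.received_from[b].add(a)

    def icmp_port_unreachable(self, host: str, port: int) -> None:
        """host reported that nothing listens on host:port (from the quoted datagram)."""
        self.unreachable.add((host, port))

    def classify(self, host: str, port: int) -> str:
        ep = (host, port)
        if ep in self.unreachable:
            return "closed"
        peers = self.sent_to.get(ep, set())
        # Replying to traffic it did not initiate is the strongest passive sign of a listener.
        if any(self.initiator[frozenset((ep, peer))] == peer for peer in peers):
            return "listening"
        # One source port talking to several hosts is usually a fixed service port.
        if len({h for h, _ in peers}) >= 2:
            return "likely-listening"
        if ep in self.sent_to:
            return "active"        # sends traffic, but could just be a client socket
        if ep in self.received_from:
            return "no-response"   # probed by someone, never answered, no ICMP seen
        return "unknown"


def demo() -> Dict[Endpoint, str]:
    """Constructed traffic: a DNS exchange, an NTP talker, and a closed SNMP port."""
    m = PassiveUdpMapper()
    m.udp("10.0.0.2", 51000, "10.0.0.1", 53)      # client query
    m.udp("10.0.0.1", 53, "10.0.0.2", 51000)      # server answers
    m.udp("10.0.0.3", 123, "192.0.2.1", 123)      # same source port to two hosts
    m.udp("10.0.0.3", 123, "192.0.2.2", 123)
    m.udp("10.0.0.2", 51001, "10.0.0.4", 161)     # probe to SNMP ...
    m.icmp_port_unreachable("10.0.0.4", 161)      # ... answered by port unreachable
    return {ep: m.classify(*ep) for ep in [("10.0.0.1", 53), ("10.0.0.2", 51000),
                                           ("10.0.0.3", 123), ("10.0.0.4", 161),
                                           ("10.0.0.9", 9)]}


if __name__ == "__main__":
    for ep, verdict in demo().items():
        print(f"{ep[0]}:{ep[1]} -> {verdict}")
```

Because "closed" is keyed on an ICMP message from the host itself, a later port-unreachable flips an endpoint that was "listening" to "closed", which is the passive answer to the slide's "how do I know if it closes" question; without that message the classifier never downgrades a port on its own.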

PAPMap Features: Service Detection

1. Reassemble TCP stream.
2. Grab initial banner prior to client-side command.
3. Match against null probe signature database.
4. Match client-side command to client probe command database.
5. Grab subsequent banner.
6. Match against probe signature database.
7. Output identified service in same format as if nmap had actively probed for it.

Uses same file format as nmap service probes.
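Steps 3 and 6 above, matching a captured banner against signatures in the nmap-service-probes syntax, as an added example that is not PAPMap's code. It reads `Probe` and `match` lines (the real file's format: `match <service> m<delim>regex<delim>[flags] p/product/ v/version/ i/info/ h/hostname/ ...`, with `$1`, `$2` substituted from the regex groups), and looks a banner up under a given probe name, so the server-speaks-first banner from step 2 is matched under `NULL` and the banner that follows a recognised client command (step 5) under that probe's name. TCP reassembly is assumed to have already produced the banner string, the signature lines are constructed for this example rather than copied from nmap's database, and the parser ignores the other directives of the real file.

```python
# Added example (not PAPMap's code): signature matching over banners using
# the 'Probe' / 'match' line syntax of nmap's nmap-service-probes file.
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in nmap-service-probes syntax (not nmap's own entries).
SAMPLE_PROBES = r"""
# NULL probe: the banner a server sends before the client says anything
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
match ftp m|^220 ProFTPD ([\d.]+) Server| p/ProFTPD/ v/$1/
# banner seen after a client-side HTTP request
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\d.]+)|s p/nginx/ v/$1/
"""

# match <service> m<delim>regex<delim>[flags] <versioninfo fields>
MATCH_LINE = re.compile(r"^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "ostype", "d": "devicetype"}

Signature = Tuple[str, str, re.Pattern, Dict[str, str]]  # probe, service, regex, fields


def parse_probe_db(text: str) -> List[Signature]:
    sigs: List[Signature] = []
    probe = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Probe "):
            probe = line.split()[2]          # NULL, GetRequest, ...
            continue
        m = MATCH_LINE.match(line)
        if not m:
            continue                         # comments, blanks, directives not modelled here
        service, _delim, pattern, flags, rest = m.groups()
        re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
        fields = dict(re.findall(r"\b([pvihod])/([^/]*)/", rest))
        sigs.append((probe, service, re.compile(pattern, re_flags), fields))
    return sigs


def identify(banner: str, sigs: List[Signature], probe: str = "NULL") -> Optional[Dict[str, str]]:
    """Return nmap-style service fields for the first signature of `probe` that matches."""
    for sig_probe, service, rx, fields in sigs:
        if sig_probe != probe:
            continue
        hit = rx.search(banner)
        if hit is None:
            continue

        def expand(template: str) -> str:    # substitute $1, $2, ... from the capture groups
            return re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))) or "", template)

        result = {"service": service}
        result.update({FIELD_NAMES[k]: expand(v) for k, v in fields.items()})
        return result
    return None


if __name__ == "__main__":
    sigs = parse_probe_db(SAMPLE_PROBES)
    print(identify("SSH-2.0-OpenSSH_7.9p1 Debian-10\r\n", sigs))
    print(identify("HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n", sigs, probe="GetRequest"))
```

A banner that matches under no signature returns None rather than a guess, and a banner that follows a client command is only tried against that probe's signatures, which is what step 4 buys: the client-side command selects the signature set, so an HTTP response is not compared against the NULL-probe entries.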

PAPMap Features: Hybrid Host/Port Scans

- IF a new host is detected passively: launch nmap scan against host to determine open ports.
- IF a new port is detected passively: launch nmap service detection against port to identify service.

PAPMap Features: Active Rescans

On a scheduled time interval, relaunch nmap and rescan to update with newest active information.

Optimization: Any port state determined passively within N seconds of active rescan, do not actively probe.
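The hybrid triggers from the previous slide and the rescan optimization from this one, as a single scheduling component. This is an added example, not PAPMap's code: it keeps the in-memory per-host port state with the time each verdict was learned passively, emits an nmap command line when a new host appears (full scan) or a port newly turns open (`-sV` on that port), and, at a scheduled rescan, drops from the `-p` list every port whose state was confirmed passively within the last N seconds. The class, its method names and the skip window default are this example's own; `-oX`, `-sV` and `-p` are nmap's real options, and the planner only builds the argument vector, it does not execute it.

```python
# Added example (not PAPMap's code): deciding which nmap invocations a hybrid
# scanner launches in response to passive observations and scheduled rescans.
from typing import Dict, Iterable, List, Optional, Tuple


class HybridScanPlanner:
    def __init__(self, xml_out: str = "nmap-results.xml", skip_window: int = 300) -> None:
        self.xml_out = xml_out
        self.skip_window = skip_window   # N seconds: passive evidence this fresh is trusted
        # host -> {port: (state, time the state was last confirmed passively)}
        self.hosts: Dict[str, Dict[int, Tuple[str, float]]] = {}

    def passive_host(self, host: str, now: float) -> Optional[List[str]]:
        """New host seen passively: full nmap port scan, once per host."""
        if host in self.hosts:
            return None
        self.hosts[host] = {}
        return ["nmap", "-oX", self.xml_out, host]

    def passive_port(self, host: str, port: int, state: str, now: float) -> Optional[List[str]]:
        """Port state seen passively: service detection when a port newly becomes open."""
        ports = self.hosts.setdefault(host, {})
        prev = ports.get(port)
        ports[port] = (state, now)
        if state == "open" and (prev is None or prev[0] != "open"):
            return ["nmap", "-sV", "-p", str(port), "-oX", self.xml_out, host]
        return None

    def scheduled_rescan(self, host: str, candidate_ports: Iterable[int], now: float) -> Optional[List[str]]:
        """Periodic active rescan, skipping ports confirmed passively within the window."""
        ports = self.hosts.get(host, {})
        fresh = {p for p, (_, ts) in ports.items() if now - ts <= self.skip_window}
        to_probe = [p for p in candidate_ports if p not in fresh]
        if not to_probe:
            return None                  # everything was confirmed passively: no packets sent
        return ["nmap", "-p", ",".join(map(str, to_probe)), "-oX", self.xml_out, host]


def demo() -> List[Optional[List[str]]]:
    """Constructed event sequence for one host; returns each planned command line."""
    planner = HybridScanPlanner(skip_window=300)
    return [
        planner.passive_host("10.0.0.5", now=1000),          # new host -> full scan
        planner.passive_host("10.0.0.5", now=1001),          # already known -> nothing
        planner.passive_port("10.0.0.5", 22, "open", 1000),  # new open port -> -sV on 22
        planner.passive_port("10.0.0.5", 23, "closed", 1100),
        planner.scheduled_rescan("10.0.0.5", [22, 23, 80], now=1200),  # 22, 23 fresh -> only 80
        planner.scheduled_rescan("10.0.0.5", [22, 23, 80], now=2000),  # all stale -> all three
    ]


if __name__ == "__main__":
    for cmd in demo():
        print(" ".join(cmd) if cmd else "(no scan)")
```

The window is the knob that trades turbidity for freshness: a larger N means fewer probes on a busy network, while on a quiet segment, where little is confirmed passively, the scheduled rescan degrades to a plain periodic nmap run.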

PAPMap Features: Passive-First/Only Mode

- Start building discovery database in passive mode without first actively scanning from nmap.
- Combine with active rescans or use as a pure passive tool.

PAPMap v2.0 Demo

PAPMap Status

v2.0 released at PacSec 04. Source and binaries freely available right now at: http://www.cambia.com/papmap

Questions
