By David Meltzer
Preface
The Premise
A tool that gave you a constantly updated real-time view of the devices on a network would be a really useful thing to have.
Agenda
- Active vs. passive network discovery
- Hybrid discovery
- Introducing PAPMap
- Demo
- Conclusions
Network Discovery Defined
Answer these questions:
- What hosts are on the network?
- What ports are open?
- What services are running?
- What is the configuration state of those services?
- As deep as you want to go
- Network changes
Active vs. Passive Discovery
- Active: directly probe devices by sending packets to them (e.g. nmap).
- Passive: listen silently to network traffic (sniffers, IDS, p0f, etc.; some commercial tools).
Comparing Discovery Techniques
The metrics:
- Turbidity: disruptiveness to the network/hosts
- Speed: time-to-detect
- Coverage: what can it tell you?
- Accuracy: false positives/negatives?
Real-Time
- Good for discovering the basics
- Bad for discovering the details
- Some things are only/better discovered passively
- Some things are discovered equally well passively or actively
- MANY things are only discovered actively
Depends
If you are content with poor coverage, you can have perfectly accurate passive scanning.
Hybrid Discovery Approach
- Realizing that active and passive discovery are complementary techniques
- Gathering network inventory data using both active and passive techniques integrated into a single system
Hybrid approach:
- Single configuration
- Uses less bandwidth than pure active
- Single output
Hybrid Discovery: Introducing PAPMap
Combines passive and active scanning techniques for network discovery.
PAPMap v1.0 Requirements
R-1. Takes the same command line as nmap.
R-2. Produces almost the same output as nmap.
R-3. Runs an nmap scan, then switches to passive listening mode and updates the output any time a change in TCP port open/closed state is detected.
PAPMap v2.0 Requirements
v1.0 plus:
R-1. Linux version
R-2. UDP port discovery
R-3. Passive app-layer service detection
R-4. Hybrid features:
  a. Integrated active port scans
  b. Integrated active service detection
  c. Scheduled active rescans
  d. Optimized active rescans
  e. Passive-first mode
PAPMap History
v1.0 released July 2004 @ ruxcon.au
- Proof of concept
- Windows only
- TCP port discovery only
Optimization: any port whose state was determined passively within N seconds of an active rescan is not actively probed in that rescan.
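As an added illustration (not PAPMap's own code) of the v1.0 change-tracking requirement (R-3) and of this rescan optimization: a small Python inventory that merges active results with passively inferred TCP port states, logs every open/closed transition, and drops any port seen passively within the last N seconds from the next active probe list. The flags-to-state heuristic, the class and method names, and the 192.0.2.10 host are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (host, TCP port)


@dataclass
class HybridInventory:
    """Port-state inventory fed by both active scans and passive sniffing."""
    skip_window: float  # N: seconds for which a passive observation counts as fresh
    state: Dict[Key, str] = field(default_factory=dict)           # "open" / "closed"
    last_passive: Dict[Key, float] = field(default_factory=dict)  # last usable passive sighting
    changes: List[Tuple[float, Key, Optional[str], str]] = field(default_factory=list)

    def record_active(self, host: str, port: int, port_state: str, now: float) -> None:
        """Result of an active probe (what the nmap run would report)."""
        self._update((host, port), port_state, now)

    def record_passive(self, host: str, port: int, tcp_flags: str, now: float) -> bool:
        """Infer state from a sniffed segment sent *by* host:port.
        Constructed heuristic: SYN/ACK from the port => open, RST => closed;
        any other flag combination decides nothing. Returns True if the segment was used."""
        new = {"SA": "open", "R": "closed"}.get(tcp_flags)
        if new is None:
            return False
        key = (host, port)
        self.last_passive[key] = now
        self._update(key, new, now)
        return True

    def _update(self, key: Key, new: str, now: float) -> None:
        # R-3: every open/closed transition is logged so the output can be refreshed.
        old = self.state.get(key)
        if old != new:
            self.state[key] = new
            self.changes.append((now, key, old, new))

    def ports_to_probe(self, host: str, ports: List[int], now: float) -> List[int]:
        """Optimized rescan: skip ports whose state was seen passively within skip_window."""
        return [p for p in ports
                if now - self.last_passive.get((host, p), float("-inf")) > self.skip_window]


def demo() -> Tuple[List[int], List[int]]:
    """Constructed timeline: initial active scan, two sniffed segments, then two rescans."""
    inv = HybridInventory(skip_window=300)
    for port, st in ((22, "open"), (80, "closed"), (443, "closed")):
        inv.record_active("192.0.2.10", port, st, now=0)
    inv.record_passive("192.0.2.10", 443, "SA", now=100)  # service came up: closed -> open
    inv.record_passive("192.0.2.10", 22, "A", now=200)    # bare ACK decides nothing, ignored
    return (inv.ports_to_probe("192.0.2.10", [22, 80, 443], now=250),   # 443 skipped
            inv.ports_to_probe("192.0.2.10", [22, 80, 443], now=500))   # sighting stale, all probed
```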
PAPMap Status
v2.0 released at PacSec 04. Source and binaries freely available right now at: http://www.cambia.com/papmap
Questions