
Network Situational Awareness with d00gle

Dug Song
October 13, 2005


Presented at the first Microsoft BlueHat conference, with an extensive demo.

Never released or productized.



Transcript

  1. Background
     Time to update dsniff!
       • Suite of traffic interception tools for penetration testing
       • Last public release almost exactly 4 years ago
     dsniff's ARP/DNS, SSH/SSL Man-In-The-Middle techniques to intercept switched, encrypted traffic are quite common now
     Interesting traffic analysis tools are still rare
     Total Information Awareness, CALEA, why should the government have all the fun?
     dsniff becomes d00gle...
  2. Environment
     Vulnerability-aware Internet perimeter
       • client-side exploits, VPN clients, worms / viruses, wardriving
     Little / no access control / encryption internally
       • internal firewalls / IPSs cannot disrupt business processes
     Unpatched production systems
       • legacy software, heterogeneous hardware, rare change management windows for non-critical upgrades
     Limited visibility
       • little / no instrumentation for measurement / monitoring
  3. Client Attack
     Something to do at cafes, airports, hotels
     Identify interesting users to target
       • corporate VPN users on vulnerable hosts
       • unsophisticated, unencrypted users
     Standard MITM, TCP injection, protocol downgrade, client-side attacks apply
     Leverage into an attack on the home / corporate network
  4. Network Attack!
     What is the organizational reporting structure?
     What are the passwords for this user? For this router / switch?
     What does this user have access to?
     Where are the shared public resources (fileservers, intranet webservers, login servers), and what are they running?
     Where are the remote loghosts?
     Has anyone detected the intrusion?
  5. Our Goals
     Intelligence, Surveillance, Reconnaissance
     Extract as much information as we can passively
     Assemble it into a coherent relational database
     Perform data correlation and analysis real-time
     Support interesting queries and visualization of the data
     Enable rapid prototyping of new traffic analysis tools
     Maintain dsniff's tool-oriented modularity
     Share the code (GPL) to encourage experimentation
  6. Data collected
     Login / authentication information
     Phone numbers / calls
     E-mail messages
     Instant messages
     WWW usage
     Connection information
     Host inventory: IP, MAC address, hostname / DHCP name, OS version, open ports / services / applications
     Interactive / encrypted sessions
  7. Why Python?
     C extension modules for performance-critical code
     Portability, maintainability, modularity
     Easy to learn, but still powerful
     Python versus C lines of code:
       • dsniff - 1700 vs 6800 LOC
       • p0f2 - 519 vs 1798 LOC
       • vomit - 54 vs 1864 LOC
     Great for lazy programmers like me!
  8. Example Code
     6-line sniffer :-)

         import dsniff                              # the d00gle Python module (never released)
         class TestSniff(dsniff.FlowDecode):        # a decode is a FlowDecode subclass
             ip_protos = (1, 6, 17)                 # ICMP, TCP and UDP flows
             def handle_data(self, flow, buf):      # called with each chunk of flow payload
                 return repr(buf)
         dsniff.main()                              # run this decode as a command-line tool
  9. Dependencies
     New Python modules:
       • pypcap - portable packet capture
       • pyevent - portable event-based programming
       • libdnet - portable low-level network APIs
       • dpkt - fast packet dissection
  10. Architecture
     Simple Python modules + glue
     FlowDecode subclasses handle flow start, data, and end events
     Decodes can be registered dynamically with the flow engine for arbitrary Ethernet / IP / RPC program triggers
     Each module can be run as a separate command-line tool
     Can use any Python DB-API compliant database backend (default sqlite)
     UI is served by simple standalone Python webserver
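The architecture slide describes a flow engine that tracks conversations and hands start, data and end events to dynamically registered FlowDecode subclasses. The following is an added illustration of that design, not d00gle's code: the real API was never released, so the FlowDecode interface (ip_protos / ports filters, handle_start / handle_data / handle_end hooks) and the FlowEngine class are assumptions. Packets are plain Python values so it runs without pypcap or dpkt; the packets fed in demo() are constructed.

```python
from collections import defaultdict

IPPROTO_TCP, IPPROTO_UDP = 6, 17


class Flow:
    """One bidirectional conversation; the first packet seen defines the client side."""
    def __init__(self, key, client, server, ts):
        self.key, self.client, self.server, self.start = key, client, server, ts
        self.end = None
        self.bytes = {"client": 0, "server": 0}


class FlowDecode:
    """Assumed base class: a decode declares the IP protocols and server ports
    it cares about and overrides whichever event hooks it needs."""
    ip_protos = ()   # empty = any IP protocol
    ports = ()       # empty = any server port

    def wants(self, flow):
        proto, sport = flow.key[2], flow.server[1]
        return (not self.ip_protos or proto in self.ip_protos) and \
               (not self.ports or sport in self.ports)

    def handle_start(self, flow): pass
    def handle_data(self, flow, direction, buf): pass
    def handle_end(self, flow): pass


class FlowEngine:
    """Keys flows by an order-independent 5-tuple and fans each event out to
    every registered decode whose filter matches the flow."""
    def __init__(self):
        self.decodes, self.flows = [], {}

    def register(self, decode):          # decodes can be added at runtime
        self.decodes.append(decode)

    def _flow(self, ts, src, sport, dst, dport, proto):
        a, b = (src, sport), (dst, dport)
        key = (min(a, b), max(a, b), proto)   # same key for both directions
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key, a, b, ts)
            self._dispatch(flow, "handle_start")
        return flow, "client" if a == flow.client else "server"

    def _dispatch(self, flow, hook, *args):
        for d in self.decodes:
            if d.wants(flow):
                getattr(d, hook)(flow, *args)

    def feed(self, ts, src, sport, dst, dport, proto, payload=b"", fin=False):
        flow, direction = self._flow(ts, src, sport, dst, dport, proto)
        if payload:
            flow.bytes[direction] += len(payload)
            self._dispatch(flow, "handle_data", direction, payload)
        if fin:                            # teardown ends the flow and frees its state
            flow.end = ts
            self._dispatch(flow, "handle_end")
            del self.flows[flow.key]


class InventoryDecode(FlowDecode):
    """Connection information: which (server, port, protocol) triples were seen."""
    def __init__(self):
        self.services = defaultdict(int)

    def handle_start(self, flow):
        self.services[(flow.server[0], flow.server[1], flow.key[2])] += 1


class HttpRequestDecode(FlowDecode):
    """Records the request line of each HTTP flow, urlsnarf-style (TCP port 80 only)."""
    ip_protos, ports = (IPPROTO_TCP,), (80,)

    def __init__(self):
        self.requests = []

    def handle_data(self, flow, direction, buf):
        if direction == "client" and b"\r\n" in buf:
            line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
            self.requests.append((flow.client[0], line))


def demo():
    """Feeds constructed packets (not a real capture) through the engine."""
    engine, inv, http = FlowEngine(), InventoryDecode(), HttpRequestDecode()
    engine.register(inv)
    engine.register(http)
    engine.feed(1.00, "10.0.0.5", 40000, "10.0.0.9", 80, IPPROTO_TCP, b"GET / HTTP/1.0\r\nHost: www\r\n\r\n")
    engine.feed(1.01, "10.0.0.9", 80, "10.0.0.5", 40000, IPPROTO_TCP, b"HTTP/1.0 200 OK\r\n\r\nhello")
    engine.feed(1.02, "10.0.0.5", 40000, "10.0.0.9", 80, IPPROTO_TCP, fin=True)
    engine.feed(2.00, "10.0.0.5", 5353, "10.0.0.1", 53, IPPROTO_UDP, b"\x12\x34" + b"\x00" * 10)
    return {"services": dict(inv.services), "requests": http.requests, "open_flows": len(engine.flows)}
```

The inventory decode registers no filter and therefore sees every flow, while the HTTP decode only receives events for TCP flows whose server port is 80; adding a new decode is a matter of subclassing and calling register(), which is the modularity the slide describes.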
  11. *snarf
     authsnarf - Password sniffer for AIM, Citrix ICA, CVS, FTP, Cisco HSRP, HTTP, IMAP, IRC, LDAP, Meeting Maker, NFS, Napster, NNTP, Oracle SQL*Net, OSPF, PC Anywhere, POP, Postgres, Halflife, QuakeWorld (many games), RIP, Rlogin, Cisco VOIP, Sybase and Microsoft SQL, Microsoft SMB, SMTP, SNMP, NAI Sniffer, SOCKS, Telnet, VRRP, X11, YP/NIS, various web login forms
     urlsnarf - Record all visited URLs and browser versions
     mailsnarf - Record all e-mail messages in SMTP and POP traffic
     msgsnarf - Record all AIM, ICB, IRC, Jabber, MSN, Yahoo instant messages
  12. vomit
     Voice Over Misconfigured Internet Telephones
     Original version by Niels Provos ([email protected])
     Records all SIP/Cisco SCCP phone calls:
       • Watches control channel for call setup
       • Intercepts negotiated media channel, saving the voice data as a WAV file
     Rip offline to MP3 with appropriate ID3 tags
  13. netics
     Original version by Marius Eriksen ([email protected])
     Attempts to identify interactive, encrypted sessions on any protocol or port
     Interactivity heuristic:
       • small client packet sizes
       • ratio of client/server segments
       • interpacket arrival time
     Encryption heuristic:
       • Ueli Maurer's universal randomness test
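To make the two netics heuristics concrete, here is an added example (not netics' own code) that computes the three interactivity features the slide names and runs Maurer's universal statistical test over a flow's payload. The feature thresholds, the use of byte-sized blocks (L = 8 with Q = 10 * 2^8 initialisation blocks) and the 6.5 cut-off for "looks encrypted" are assumptions chosen for illustration; the keystroke-like and bulk-transfer packet lists and the two payload samples in demo() are constructed.

```python
import math
import random
import statistics

# Expected value of the Maurer statistic for truly random input with L = 8
# (NIST SP 800-22 table); a plaintext stream scores well below this.
MAURER_EXPECTED_L8 = 7.1836656


def interactivity_features(packets):
    """packets: (timestamp, direction, payload_len) with direction 'c' or 's'.
    Returns (median client payload size, client/server segment ratio, mean gap)."""
    client = [n for _, d, n in packets if d == "c"]
    server = [n for _, d, n in packets if d == "s"]
    ts = sorted(t for t, _, _ in packets)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return (statistics.median(client) if client else 0.0,
            len(client) / max(len(server), 1),
            statistics.mean(gaps) if gaps else 0.0)


def is_interactive(packets, max_client_size=64, min_gap=0.05):
    """Keystroke traffic: tiny client segments, roughly one server segment per
    client segment, and human-scale pauses.  Thresholds are assumed."""
    size, ratio, gap = interactivity_features(packets)
    return size <= max_client_size and 0.5 <= ratio <= 2.0 and gap >= min_gap


def maurer_fn(data, Q=2560):
    """Maurer's universal test on byte blocks.  The first Q bytes seed a
    last-seen table; each following byte scores log2 of the distance back to
    the previous occurrence of the same value.  Random data is "incompressible"
    and scores near MAURER_EXPECTED_L8; repetitive data scores low."""
    K = len(data) - Q
    if K <= 0:
        raise ValueError("need more than %d bytes" % Q)
    last = [0] * 256
    for i in range(1, Q + 1):
        last[data[i - 1]] = i
    total = 0.0
    for i in range(Q + 1, Q + K + 1):
        b = data[i - 1]
        total += math.log2(i - last[b])   # never-seen byte: distance i
        last[b] = i
    return total / K


def looks_encrypted(payload, min_fn=6.5):
    return maurer_fn(payload) >= min_fn


def demo():
    """Constructed flows: an SSH-like keystroke session and a plaintext bulk upload."""
    rnd = random.Random(2005)
    t, keystrokes = 0.0, []
    for _ in range(40):                       # 1-byte keystroke, 1-byte echo, ~4 per second
        t += 0.25
        keystrokes.append((t, "c", 1))
        t += 0.01
        keystrokes.append((t, "s", 1))
    bulk = [(i * 0.001, "c", 1460) for i in range(40)] + [(0.041, "s", 0)]
    cipher_bytes = bytes(rnd.getrandbits(8) for _ in range(5120))     # stands in for ciphertext
    plain_bytes = (b"the quick brown fox jumps over the lazy dog " * 120)[:5120]
    return {
        "ssh_like": (is_interactive(keystrokes), looks_encrypted(cipher_bytes)),
        "bulk_plain": (is_interactive(bulk), looks_encrypted(plain_bytes)),
    }
```

Maurer's test needs a few kilobytes of payload before its statistic settles (here 5120 bytes: 2560 to initialise and 2560 to score), so in practice the encryption verdict lags the interactivity verdict, which is available after a few dozen packets.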
  14. p0f
     Straight Python port of p0fv2 by Michal Zalewski
     Passive OS fingerprinting of IP endpoints based on TCP SYN, SYN/ACK parameters
       • operating system and version
       • host uptime (TCP timestamp option)
       • distance (TTL inference)
       • link type (maximum segment size)
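Three of the inferences the p0f slide lists (distance, link type, uptime) as an added worked example. This is not p0f's code and carries none of its signature database: the initial-TTL set, the small MSS-to-link table and the "timestamp clock started at zero at boot" assumption are illustrative, and the SYN values in the test are constructed.

```python
# Common initial TTL values; the smallest one >= the observed TTL is the likely origin
INITIAL_TTLS = (32, 64, 128, 255)

# Assumed subset of an MSS -> link-type table, for illustration only
MSS_LINK_TYPES = {
    1460: "ethernet/modem",
    1452: "PPPoE (DSL)",
    536: "low-MTU link / dialup",
}


def distance(observed_ttl):
    """Returns (assumed initial TTL, hops travelled) for an observed IP TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL out of range: %d" % observed_ttl)


def link_type(mss):
    """Maps the TCP MSS option to a link type; unknown values are reported, not guessed."""
    return MSS_LINK_TYPES.get(mss, "unknown (MSS %d)" % mss)


def uptime_seconds(ts_a, wall_a, ts_b, wall_b):
    """Two TCP timestamp option values seen at two wall-clock times give the
    sender's timestamp tick rate; the latest timestamp divided by that rate is
    the seconds since the clock started (assumed to be boot time)."""
    if wall_b <= wall_a or ts_b <= ts_a:
        raise ValueError("need a later packet with a larger timestamp")
    rate = (ts_b - ts_a) / (wall_b - wall_a)
    return rate, ts_b / rate


def fingerprint_syn(ttl, mss, ts_samples=None):
    """Summarises the SYN-derived inferences for one endpoint.
    ts_samples: optional [(tcp_timestamp, wall_clock), (tcp_timestamp, wall_clock)]."""
    initial, hops = distance(ttl)
    out = {"initial_ttl": initial, "hops": hops, "link": link_type(mss)}
    if ts_samples:
        (ts_a, wall_a), (ts_b, wall_b) = ts_samples
        rate, up = uptime_seconds(ts_a, wall_a, ts_b, wall_b)
        out["ts_rate_hz"] = round(rate)
        out["uptime_hours"] = round(up / 3600, 1)
    return out
```

Because all of this is derived from headers the host sends anyway, none of it requires a probe, which is the point of doing fingerprinting passively.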
  15. nmapv
     Passive application fingerprinting
       • service protocol
       • specific application name and version
     Simple hack of nmap's regex-based service response match
       • nmap version scan minus the scan - just match replies
       • some entries (e.g. SSL) need modification
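The nmapv slide boils down to "run nmap's service match regexes over replies you passively observed". The added example below (not nmapv's or nmap's code) parses a few match lines written in the nmap-service-probes match syntax (match <service> m<delim>regex<delim>[flags] then p/product/ v/version/ i/info/ h/hostname/ fields with $n substitution) and applies them to a server's first reply. The three match entries and the banners in the test are constructed, not copied from nmap's database, and only the subset of the syntax shown here is handled.

```python
import re

# Constructed entries in nmap-service-probes "match" syntax (not nmap's own database)
SAMPLE_MATCHES = r"""
# match <service> m|regex|[flags] [versioninfo]
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match http m|^HTTP/1\.[01] \d\d\d .*?\r\nServer: Apache/([\w.]+)|s p/Apache httpd/ v/$1/
match smtp m|^220 ([\w.-]+) ESMTP Postfix| p/Postfix smtpd/ h/$1/
"""

MATCH_LINE = re.compile(r'^match\s+(\S+)\s+m(.)(.*?)\2([is]*)\s*(.*)$')
VERSION_FIELD = re.compile(r'(?:^|\s)([pvihod])/([^/]*)/')
FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "device"}
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}


def load_matches(text):
    """Parses match lines into (service, compiled regex, [(field, template)])."""
    matches = []
    for line in text.splitlines():
        m = MATCH_LINE.match(line.strip())
        if not m:
            continue                      # comments and other directives are skipped
        service, _delim, regex, flags, info = m.groups()
        compiled = re.compile(regex, sum(FLAGS[f] for f in flags))
        matches.append((service, compiled, VERSION_FIELD.findall(info)))
    return matches


MATCHES = load_matches(SAMPLE_MATCHES)


def identify(banner, matches=None):
    """Passive version of nmap's service match: apply the regexes to the first
    bytes a server sent instead of to the answer to an active probe.
    Returns (service, {field: value}) or None."""
    text = banner.decode("latin-1")
    for service, regex, fields in (matches if matches is not None else MATCHES):
        mo = regex.search(text)
        if mo:
            def expand(template):        # substitute $1, $2 ... with captured groups
                return re.sub(r"\$(\d+)", lambda s: mo.group(int(s.group(1))) or "", template)
            return service, {FIELD_NAMES[k]: expand(v) for k, v in fields}
    return None
```

The "some entries need modification" caveat on the slide follows from this approach: match lines whose regex assumes a reply to a specific probe (a TLS ServerHello to a ClientHello, for instance) will not fit a passively seen first reply, so those entries have to be rewritten or dropped.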
  16. Query interface
     Google is smarter than me - ape their interface
     Query language is simple (text, wildcards, +/-), but more advanced queries possible with search operators (e.g. "app:Apache*")
     Query engine maps Google-style queries to SQL
     Would like to support stored queries, and a simple query history
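An added example of the query mapping this slide describes, not d00gle's query engine: it turns Google-style text (bare terms, * wildcards, a leading + or -, and field:value operators such as app:Apache*) into parameterised SQL over an in-memory sqlite table. The table layout (ip, hostname, os, app, port), the operator-to-column whitelist and the rows inserted by search() are constructed. Field values are only ever bound as parameters and the field names are checked against the whitelist, so query text cannot alter the SQL itself.

```python
import re
import sqlite3

# search operator -> column; anything not listed here is rejected, never interpolated
COLUMNS = {"ip": "ip", "host": "hostname", "os": "os", "app": "app", "port": "port"}
TEXT_COLUMNS = ("hostname", "os", "app")       # columns a bare term is matched against
TOKEN = re.compile(r'([+-]?)(?:(\w+):)?("[^"]*"|\S+)')

# Constructed host inventory rows: (ip, hostname, os, app, port)
ROWS = [
    ("10.0.0.9", "www.example.com", "Linux 2.4", "Apache/2.0.54", 80),
    ("10.0.0.9", "www.example.com", "Linux 2.4", "OpenSSH 4.2", 22),
    ("10.0.0.12", "intranet", "Windows 2003", "Microsoft IIS 6.0", 80),
    ("10.0.0.20", "fileserver", "Windows 2000", "Microsoft SMB", 445),
    ("10.0.0.20", "fileserver", "Windows 2000", "Apache/1.3.33", 80),
]


def like_pattern(term, substring=True):
    """Escape LIKE metacharacters in user text, then map the query's '*' to '%'.
    A field term without a wildcard is an exact match; a bare term is a substring match."""
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pat = esc.replace("*", "%")
    return pat if "*" in term or not substring else "%" + pat + "%"


def to_sql(query):
    """Maps a Google-style query to (sql, params).  Bare and '+' terms are
    required (AND), '-' terms are excluded, field:value restricts one column."""
    where, params = [], []
    for sign, field, term in TOKEN.findall(query):
        term = term.strip('"')
        if field:
            if field not in COLUMNS:
                raise ValueError("unknown search operator %r" % field)
            col = COLUMNS[field]
            if col == "port":
                clause = "port = ?"
                params.append(int(term))
            else:
                clause = col + " LIKE ? ESCAPE '\\'"
                params.append(like_pattern(term, substring=False))
        else:
            clause = "(" + " OR ".join(c + " LIKE ? ESCAPE '\\'" for c in TEXT_COLUMNS) + ")"
            params.extend([like_pattern(term)] * len(TEXT_COLUMNS))
        where.append(("NOT " if sign == "-" else "") + clause)
    sql = "SELECT ip, hostname, os, app, port FROM hosts"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + " ORDER BY ip, port", params


def search(query, rows=ROWS):
    """Runs the query against a throwaway in-memory database built from rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE hosts (ip TEXT, hostname TEXT, os TEXT, app TEXT, port INTEGER)")
    con.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?, ?)", rows)
    sql, params = to_sql(query)
    return con.execute(sql, params).fetchall()
```

sqlite's LIKE is case-insensitive for ASCII, which matches the forgiving feel of a web search box; a stored-query or query-history feature, as the slide wishes for, would simply persist the query string and re-run it through to_sql().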
  17. Related work
     Python fragroute
       • evade dsniff detection! :-)
     Arbor Networks Peakflow
       • scalable traffic monitoring, engineering, and behavioral analysis for service providers and enterprises
  18. Future work
     User / social network profiling
     Semantic analysis of conversation data
     Auto-focus
     Speech transcription for full-text VOIP search? :-)
     Other Big Brother stuff
     Contributions and derived work from users like you!
  19. Conclusion
     Everything you do on a network is observable in some way
     What is your network saying about you? :-)
     http://monkey.org/~dugsong/dpkt/
     http://monkey.org/~dugsong/pypcap/
     http://monkey.org/~dugsong/pyevent/
     http://monkey.org/~dugsong/dsniff/