Penetration Testing mailing list archives
RE: Heavyweight Network Mapping Tools
From: "Robert E. Lee" <robert () isecom org>
Date: Fri, 28 Nov 2003 23:44:45 -0800
Being someone who hates to identify a problem without a solution I'm looking for a premier network mapping tool for a customer that will actively scan up to a class A for hosts, identifying the hosts in up to 3 stages:
There are a couple of places I'd direct you to: http://www.lumeta.com/ipsonar.html and http://www.opte.org The Lumeta stuff is very good, but costly and mostly closed. It is leveraging work from William Cheswick and Hal Burch. The OPTE project has Barret Lyon of Network Presence (main developer) and Dan Kaminsky of Avaya's Enterprise Security Practice (Author of Paketto/scanrand) behind it. The goals for the OPTE project are slightly different than what you've described, but could easily be adapted to your needs.
Mandatory Hosts alive through ICMP
Fyi, I plan on taking the OPTE project base and modifying it for uses such as what you've described. However, instead of using ICMP I plan on implementing automated scans/system finding based on an abbreviated Section C, Modules 1-3 of the OSSTMM (http://www.osstmm.org pages 45-48). This is far more complete for flushing out live systems and works equally well on internal and external systems alike. I'll have all of this stuff logging back to an SQL server. This helps when dealing with large sets of data.
Hosts OS through active OS fingerprinting
This can be done in a second phase after flushing out live systems, although there are interesting things you can assume based on how the systems respond to the 1st wave of scanning, ie timing, ports, etc. Add banner grabbing, nmap/xprobe/p0f/etc and you have an effective OS fingerprint, again being careful to map this data back to a database.
Advantageous
Not sure what you mean by this.
Patch Compliance without host residing agents
There are tools that you can use on the windows side in this phase without a host agent, but it requires having an administrative login/password for the system in question. Not sure what Unix automated tools exist for this purpose.
Results must be displayable in 3D and be drilled down to individual hosts using filters. (look pretty for budget enhancement whilst being useable)
The OPTE project uses LGL (http://bioinformatics.icmb.utexas.edu/lgl/) to visualize the network maps. You can pull from your database to make the OS/hostname/IP information overlay onto the map and then export the data to a VRML format. This will allow for interesting 3D walkthroughs with the ability to zoom in and see ip/host/os/etc information. See http://www.opte.org/maps/ for the pictures of the latest maps and the raw LGL data from that project as a reference as to what is possible.
Must have continual use and not a snapshot based managed service
Not sure what you mean here. Please expound.
I'm also looking to schedule and throttle the output without having to use a packet shaper. (don't want to consume too much bandwidth)
scanrand has the -b (bandwidth) option for this reason.
Does anyone have any further recommendations regarding cool or useful features in such a product and better still products that meet or come close to the above.
Again, I want to automate as much of the OSSTMM based scanning as possible (complete section C), as those techniques are the most thorough and reliable that I've run across. Other than the work of OPTE and Lumeta, I'm not sure who else is playing in this space.
I have collected details on light and medium weight enumerators at http://www.securitywizardry.com/enum.htm but need more oomph!
If you have any other project goals/needs/ideas, please respond. If it's useful to you, it's likely useful to the rest of the community too :). For more immediate response, come join us on IRC (efnet #opte). Sincerely, Robert Robert E. Lee Co-Chairman of the Board Institute for Security and Open Methodologies www.isecom.org www.osstmm.org ISECOM is the OSSTMM Professional Security Tester (OPST) and OSSTMM Professional Security Analyst (OPSA) certification authority. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Heavyweight Network Mapping Tools Andy Cuff [Talisker] (Nov 28)
- Re: Heavyweight Network Mapping Tools Alvin Oga (Nov 28)
- RE: Heavyweight Network Mapping Tools Robert E. Lee (Nov 30)
- Re: Heavyweight Network Mapping Tools Andy Cuff [Talisker] (Nov 30)