Penetration Testing mailing list archives
Re: Heavyweight Network Mapping Tools
From: "Andy Cuff [Talisker]" <talisker () securitywizardry com>
Date: Sat, 29 Nov 2003 21:59:46 -0000
Hi Robert, Thanks a lot for such a comprehensive reply
http://www.lumeta.com/ipsonar.htmlThe Lumeta stuff is very good, but costly and mostly closed. It isleveraging work from William Cheswick and Hal Burch.
I've come across this before and to my knowledge and largely confirmed by the site case studies they run the discovery themselves, whilst this is ok it tends to be expensive furthermore subsequent updates get expensive. I'd look for the ability to schedule the scan for the quiet hours and have multiple threads so as not to adversely effect any individual sub network too greatly. As soon as the initial scan is complete the process starts over, highlighting changes from the initial baseline. The output from this is then used to drive the active OS fingerprinting. The visualisation is perfect
http://www.opte.org
The OPTE project has Barret Lyon of Network Presence (main developer) and
Dan Kaminsky of Avaya's Enterprise Security Practice (Author of Paketto/scanrand) behind it. The goals for the OPTE project are slightly different than what you've described, but could easily be adapted to your needs.
The code is only 70% complete, though the data is very interesting, where do I find the base?
Mandatory Hosts alive through ICMPFyi, I plan on taking the OPTE project base and modifying it for uses such as what you've described. However, instead of using ICMP I plan on implementing automated scans/system finding based on an abbreviated
Section
C, Modules 1-3 of the OSSTMM (http://www.osstmm.org pages 45-48). This is far more complete for flushing out live systems and works equally well on internal and external systems alike. I'll have all of this stuff logging back to an SQL server. This helps when dealing with large sets of data.Hosts OS through active OS fingerprintingThis can be done in a second phase after flushing out live systems,
although
there are interesting things you can assume based on how the systems
respond
to the 1st wave of scanning, ie timing, ports, etc. Add banner grabbing, nmap/xprobe/p0f/etc and you have an effective OS fingerprint, again being careful to map this data back to a database.
I'd be very interested in what you come up with, my only concern would be a great increase in the number of packets to replace ICMP, which over multiple class B's may slow things down. Though as you mention they may reduce the packets required for fingerprinting. Feeding it all into an SQL database is the way forward, I'm just looking forward to some bright entrepenaur seeing a niche and providing it.
AdvantageousNot sure what you mean by this.
Sorry poor choice of words be my, Desireable would have been a better one.
Patch Compliance without host residing agentsThere are tools that you can use on the windows side in this phase without
a
host agent, but it requires having an administrative login/password for
the
system in question. Not sure what Unix automated tools exist for this purpose.
I was loooking more for the vulnerability scanning approach without actually exploiting the vulnerability to prove it's presence. The recent scanners from eEye, Foundtsone and EVEN Microsoft for the MS026 and 039 vulnerabilities show there are tools out there. The reason I say patch compliance as apposed to a full blown vulnerability scan is purely bandwidth and the cost of said scanners for larger networks.
Results must be displayable in 3D and be drilled down to individual
hosts
using filters. (look pretty for budget enhancement whilst being useable)The OPTE project uses LGL (http://bioinformatics.icmb.utexas.edu/lgl/) to visualize the network maps. You can pull from your database to make the OS/hostname/IP information overlay onto the map and then export the data
to
a VRML format. This will allow for interesting 3D walkthroughs with the ability to zoom in and see ip/host/os/etc information. See http://www.opte.org/maps/ for the pictures of the latest maps and the raw LGL data from that project as a reference as to what is possible.Must have continual use and not a snapshot based managed serviceNot sure what you mean here. Please expound.
Rather than scan the network once I want it to be a permanent ongoing process
I'm also looking to schedule and throttle the output without having to
use
a packet shaper. (don't want to consume too much bandwidth)scanrand has the -b (bandwidth) option for this reason.Does anyone have any further recommendations regarding cool or useful features in such a product and better still products that meet or come close to the above.Again, I want to automate as much of the OSSTMM based scanning as possible (complete section C), as those techniques are the most thorough and
reliable
that I've run across. Other than the work of OPTE and Lumeta, I'm not
sure
who else is playing in this space.I have collected details on light and medium weight enumerators at http://www.securitywizardry.com/enum.htm but need more oomph!If you have any other project goals/needs/ideas, please respond. If it's useful to you, it's likely useful to the rest of the community too :).
For
more immediate response, come join us on IRC (efnet #opte).
Cheers Robert is has been a pleasure ! -andy --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Heavyweight Network Mapping Tools Andy Cuff [Talisker] (Nov 28)
- Re: Heavyweight Network Mapping Tools Alvin Oga (Nov 28)
- RE: Heavyweight Network Mapping Tools Robert E. Lee (Nov 30)
- Re: Heavyweight Network Mapping Tools Andy Cuff [Talisker] (Nov 30)