
The Siphon Project


Presentation Transcript


  1. The Siphon Project
  An Implementation of Stealth Target Acquisition & Information Gathering Methodologies
  Blackhat USA 2001

  2. Contact Information
  • Marshall Beddoe: marshall@gravitino.net
  • Christopher Abad: chris@gravitino.net
  • URL: www.gravitino.net/projects/siphon

  3. Overview
  • A definition of general network mapping
  • Active techniques
  • Passive techniques (Siphon)
  • Example Siphon report

  4. What is Network Mapping?
  • The process of gathering information in order to identify and understand the internetworking of systems

  5. Why is this Important?
  • To gather information
  • To identify weaknesses
  • To learn how the network operates

  6. Network Mapping Information
  • Port Information
  • Operating System Information
  • Information Enumeration
  • Topology Map Generation
  • Vulnerability Information

  7. Port Information
  • Vulnerable services run on TCP/UDP ports
  • Perception of security on the network and/or host
  • Ability to perform accurate OS identification

  8. Operating System Information
  • Survey of the types of OSes on a network
  • Vulnerabilities specific to operating systems

  9. Information Enumeration
  • “Harmless” information that can later lead to the compromise of a network
  • Examples: E-mail addresses, NetBIOS names, NFS exports, usernames, hostnames, whois information, etc.

  10. Topology Map Generation
  • Understanding the physical layout of the network
  • Possible discovery of alternate penetration routes

  11. Vulnerability Information
  • Consists of all previously explained network mapping information
  • Discovering vulnerabilities on systems and in network configuration
  • One vulnerability can lead to the compromise of an entire network

  12. Current Mapping Techniques
  • Active Network Mapping
    • Nmap
    • Queso
    • Nessus
  • Passive Network Mapping
    • Siphon

  13. Active Network Mapping
  • Sending queries to receive responses in order to gather port information, operating system information, etc.
  • Requires employing applications that generate “noise” on a network

  14. Active Mapping Techniques
  • Active port mapping
  • Active operating system identification
  • Active information enumeration
  • Active topology map generation
  • Active vulnerability assessment

  15. Active Port Mapping
  • TCP connect() scan (1)
  • TCP SYN “stealth” scan (2)
  • Special TCP FIN, XMAS & NULL scans (3)
  • Vanilla UDP scan (4)
  [diagram, exchanges numbered as above]
  (1) SYN to port 23; SYN|ACK from port 23; ACK to port 23
  (2) SYN to port 23; SYN|ACK from port 23
  (3) FIN to port 23; no RST response, port is open
  (4) UDP packet to port 67; no ICMP port unreachable, port is open

  16. Active OS Identification
  • TCP Advertised Window
  • TCP Options
  • FIN Probes
  • ISN Sampling
  • Frag Handling
  [diagram: TCP Packet]

  17. Active Information Enumeration
  • NetBIOS name gathering
  • NetBIOS drive sharing
  • Sendmail EXPN probes
  • Finger information
  • WHOIS information
  • NFS exports

  18. Active Topology Mapping
  • Traceroute
  [diagram: Host A, Host B and Host C connected through the INTERNET]

  19. Active Vulnerability Assessment
  • Banner checking
  • RPC portmapper queries
  • DNS version queries
  [diagram: TCP connect() to port 21 returns the banner]
  220 FTP Server (Version wu-2.6.0(1) ready.

  20. Pros & Cons of Active Mapping
  Pros
  • Assessment can be conducted from a different network
  • Requires little time to gather information
  Cons
  • Generates network noise
  • Alarms intrusion detection systems
  • Reveals source of probe
  • Accuracy problems
  • Intrusive

  21. The Siphon Project
  • When it was created: January 2000
  • Why it was created
    • Does not generate network noise
    • Does not trigger IDS alarms
    • Does not reveal source of probe
    • Does not send out a single packet
  • Stealth technique
  • Datalink layer level mapping

  22. Passive Network Mapping
  • Gathering information about a network without sending out a single packet
  • By monitoring traffic, can determine the entire layout of the network and the configuration of hosts connected to the network

  23. Is Passive Feasible?
  • Does passive mapping provide complete information?
    • For the most part, the only difference is that passive network mapping takes more time to gather information
    • Hosts that never receive network traffic on a network might not be reported by Siphon
  • Who would use passive network mapping?
    • Network administrators that operate in red-tape environments such as the US Government/Military
    • Skilled hackers that move slowly to avoid detection

  24. Siphon Mapping Techniques
  • Passive port mapping
  • Passive operating system identification
  • Passive information enumeration
  • Passive topology map generation
  • Passive vulnerability assessment
  • Report generation

  25. Passive TCP Port Mapping
  • Monitoring SYN|ACK packets
  • Logging the source port
  [diagram: SYN to port 23, SYN|ACK from port 23 and ACK to port 23 exchanged between Host A and Host B, observed by Siphon]

  26. TCP Port Mapping Challenges
  • Problem: Corruption of information caused by spoofed connections
  • Solution: Monitor TCP state
  [diagram: a SYN|ACK from host A, src port 666, appears on the network between Host C and Siphon; no initial SYN was sent to port 666 of host A, so Siphon will not record it]

  27. Passive UDP Port Mapping
  • Monitoring UDP packets
  • Listening for ICMP port unreachable packets
  [diagram: UDP packet to port 53 between Host A and Host B, observed by Siphon; no ICMP port unreachable, port is open]

  28. UDP Port Mapping Challenges
  • Problem: Accuracy
  • Solution: Decode application layer protocols that use UDP
  [diagram: DNS query to UDP port 53 and DNS query response from UDP port 53 between Host A and Host B, observed by Siphon; standard DNS query response from Host B, so UDP port 53 is open]
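A passive port mapper that applies the TCP state rule of slide 26 and the UDP evidence rules of slides 27 and 28, written here as an added example rather than Siphon's own code; the packet records, the 10.0.0.x hosts and the `dns_response` flag (standing in for a real DNS decoder) are constructed.

```python
# Added example, not Siphon's code: passive port mapping over constructed packet records.
from collections import defaultdict
class PassivePortMapper:
    def __init__(self):
        self.pending = set()                   # (client, cport, server, sport) from observed SYNs
        self.tcp_open = defaultdict(set)       # server -> ports whose SYN|ACK answered a seen SYN
        self.udp_probed = defaultdict(set)     # server -> UDP ports that received a datagram
        self.udp_closed = defaultdict(set)     # server -> ports rejected with ICMP port unreachable
        self.udp_confirmed = defaultdict(set)  # server -> ports that replied at the application layer
        self.unsolicited_synack = 0            # SYN|ACKs with no prior SYN: treated as spoofed
    def observe(self, pkt):
        if pkt["proto"] == "tcp":
            if pkt["flags"] == "S":
                self.pending.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            elif pkt["flags"] == "SA":
                # Slide 26: record a SYN|ACK only if it answers a SYN we saw.
                key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
                if key in self.pending:
                    self.pending.discard(key)
                    self.tcp_open[pkt["src"]].add(pkt["sport"])
                else:
                    self.unsolicited_synack += 1
        elif pkt["proto"] == "udp":
            if pkt.get("dns_response"):
                # Slide 28: a decoded DNS reply is positive evidence for its source port.
                self.udp_confirmed[pkt["src"]].add(pkt["sport"])
            else:
                self.udp_probed[pkt["dst"]].add(pkt["dport"])
        elif pkt["proto"] == "icmp" and pkt["type"] == 3 and pkt["code"] == 3:
            # ICMP port unreachable quotes the destination of the datagram it rejects.
            self.udp_closed[pkt["orig_dst"]].add(pkt["orig_dport"])
    def udp_open(self, host):
        # Slide 27: open by absence of ICMP unreachable; 'confirmed' needs application-layer proof.
        likely = self.udp_probed[host] - self.udp_closed[host]
        return {"likely": likely, "confirmed": self.udp_confirmed[host] & likely}
# Constructed trace: telnet handshake, spoofed SYN|ACK, DNS exchange, UDP/67 rejected by ICMP.
TRACE = [
    {"proto": "tcp", "src": "10.0.0.2", "sport": 40001, "dst": "10.0.0.1", "dport": 23, "flags": "S"},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 23, "dst": "10.0.0.2", "dport": 40001, "flags": "SA"},
    {"proto": "tcp", "src": "10.0.0.1", "sport": 666, "dst": "10.0.0.3", "dport": 5555, "flags": "SA"},
    {"proto": "udp", "src": "10.0.0.2", "sport": 5353, "dst": "10.0.0.1", "dport": 53},
    {"proto": "udp", "src": "10.0.0.1", "sport": 53, "dst": "10.0.0.2", "dport": 5353, "dns_response": True},
    {"proto": "udp", "src": "10.0.0.2", "sport": 5354, "dst": "10.0.0.1", "dport": 67},
    {"proto": "icmp", "src": "10.0.0.1", "dst": "10.0.0.2", "type": 3, "code": 3, "orig_dst": "10.0.0.1", "orig_dport": 67},
]
def map_trace(trace=TRACE):
    mapper = PassivePortMapper()
    for pkt in trace:
        mapper.observe(pkt)
    return mapper
```

On this trace the spoofed SYN|ACK from port 666 is counted but never recorded as an open port, and UDP/67 drops out of the "likely open" set once the ICMP port unreachable is seen.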

  29. Passive OS Identification
  • Operating system is determined by monitoring TCP SYN|ACK packets
  • An OS is fingerprinted based upon the TCP advertised window, the IP DF bit, the default TTL, the TCP options, and the MSS TCP option set by the connecting host.
  [diagram: SYN to port 23; SYN|ACK from port 23 with TCP advertised window = 0x4000, DF bit = ON, TTL = 64, between Host A and Host C, observed by Siphon]
  OS Fingerprints: 4000:ON:64 = FreeBSD

  30. Passive OS Ident. Challenges
  • Problem: Multiple fingerprints for one OS version
  • Solution: Siphon passive OS identification algorithm
  Problem OS Fingerprints File:
  7D78:64:1:Linux 2.1.122 - 2.2.14
  77C4:64:1:Linux 2.1.122 - 2.2.14
  7BF0:64:1:Linux 2.1.122 - 2.2.14
  7BC0:64:1:Linux 2.1.122 - 2.2.14

  31. Siphon OS Ident. Algorithm

  32. Passive OS Ident. Challenges
  • After applying the Siphon OS identification algorithm, we now have only one entry for Linux 2.1.122 - 2.2.14
  Fixed OS Fingerprints File:
  7D78:77C4:64:1:Linux 2.1.122 - 2.2.14
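The fingerprinting of slides 29 to 32 as an added example, not Siphon's code: parse the slide 30 file, merge the per-window entries into one per OS, and match a SYN|ACK against the result. The max:min reading of the merged entry, the FreeBSD line built from slide 29's values, and the `initial_ttl` rounding of an observed TTL back to a default TTL are my assumptions.

```python
# Added example, not Siphon's code. The merged "7D78:77C4" form on slide 32 is read
# here as a window range (max:min); that reading is an assumption.
from collections import defaultdict

# Slide 30 format, window:ttl:df:os. FreeBSD line constructed from slide 29 (0x4000, DF on, TTL 64).
RAW_FINGERPRINTS = """\
4000:64:1:FreeBSD
7D78:64:1:Linux 2.1.122 - 2.2.14
77C4:64:1:Linux 2.1.122 - 2.2.14
7BF0:64:1:Linux 2.1.122 - 2.2.14
7BC0:64:1:Linux 2.1.122 - 2.2.14
"""

def parse_raw(text):
    """Parse window:ttl:df:os lines into (window, ttl, df, os) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            win, ttl, df, os_name = line.split(":", 3)
            entries.append((int(win, 16), int(ttl), int(df), os_name))
    return entries

def merge(entries):
    """Collapse entries differing only in window into (win_max, win_min, ttl, df, os)."""
    groups = defaultdict(list)
    for win, ttl, df, os_name in entries:
        groups[(ttl, df, os_name)].append(win)
    return [(max(w), min(w), ttl, df, o) for (ttl, df, o), w in groups.items()]

def format_merged(merged):
    """Write the merged table back out in the slide 32 layout."""
    return "\n".join(f"{hi:X}:{lo:X}:{ttl}:{df}:{o}" for hi, lo, ttl, df, o in merged)

def initial_ttl(observed):
    """A sniffer sees the TTL after per-hop decrement; round up to the common initial values."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def identify(merged, window, observed_ttl, df):
    """Match a SYN|ACK's advertised window, inferred default TTL and DF bit."""
    ttl = initial_ttl(observed_ttl)
    return [o for hi, lo, t, d, o in merged if lo <= window <= hi and t == ttl and d == df]

def demo():
    merged = merge(parse_raw(RAW_FINGERPRINTS))
    return {
        "table": format_merged(merged),
        "freebsd": identify(merged, 0x4000, 64, 1),
        "linux": identify(merged, 0x7BF0, 61, 1),  # TTL 61: a 64 default seen three hops away
    }
```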

  33. Passive Information Enumeration
  • Monitoring telnet traffic to gather usernames & passwords
  • Monitoring incoming mail traffic to gather usernames
  • Monitoring incoming web traffic to gather hostnames
  • Monitoring DNS queries and responses to gather hostnames
  • Monitoring file sharing: NFS, NetBIOS, etc.
  • Performing traffic analysis, peak hours, etc.
  • Network hardware fingerprinting

  34. Passive Topology Mapping
  • Dynamic routing protocols
  • RIP topology mapping (general distance vector)
  • OSPF topology mapping (link state protocol)
  • Path vector routing topology
  • TTL estimation

  35. Routing Information Protocol
  • Interior gateway protocol
  • Distance vector protocol
  • Uses hop count as its metric
  • Sends routing-update messages frequently
  • Further Information: Request For Comments (RFC) 1058 and 1723

  36. Topology Mapping with RIP
  • Monitor RIP packets on multiple subnets running Siphon
  • Run results through our distance vector to link state routing conversion algorithm
  [diagram: RIP traffic observed by Siphon A and Siphon B]

  37. DV to LS Routing Conversion as a Convex Optimization

  38. DV to LS Conversion Cont.

  39. DV to LS Conversion Example

  40. Continued…

  41. Open Shortest Path First
  • Designed to correct problems associated with RIP
  • Link state protocol
  • Learns of routing information through link-state advertisements
  • This information includes interface status and metrics used
  • A topological database is maintained by the collection of LSAs received
  • All routers in the same area have the same topological database

  42. Topology Mapping with OSPF
  • Periodic full LSA updates
  • Generate topology map based off LSA updates
  [diagram: OSPF LSA update observed by Siphon, producing a topology map […]]

  43. Passive Vuln. Assessment
  • Analysis of packet payload
  • Monitoring application banners
  • Monitoring DNS version queries
  • Monitoring RPC queries
  • Monitoring HTTP GET requests
  [diagram: Host A makes a TCP connect() to port 21 of Host B; Host B answers with the banner below; Siphon observes the exchange]
  220 FTP Server (Version wu-2.6.0(1) ready.
  Siphon Log: Host B is VULNERABLE

  44. Traffic Analysis
  • Port statistics are used to determine server roles
  • Auditing logins, email and web access can determine user behavioral patterns and machine roles.
  • Analysis on initial sequence numbers and other similar challenge protocol fields can reveal the nature of the hosts’ PRNG.
    • Assistance in Operating System Identification
    • TCP Sequence Guessing

  45. Example Siphon Report
  • Report: Our Siphon software was run for 1 day on our test network

  46. Future Features of Siphon
  • Non-TCP operating system fingerprinting
  • Default installation fingerprinting
  • Passive Wireless LAN (802.11b) network mapping
    • Rogue access point detection
    • SSID gathering
    • Network statistics (Signal strength, etc.)
  • OSPF integration
  • Windows 2000 Version

  47. Summary
  • Active and passive mapping are different in nature depending on the purpose and motivation of the user
  • Passive network mapping is performed by monitoring network traffic without sending out a single packet
  • Active network mapping is performed by sending out queries and gathering responses, generating massive amounts of network noise, crashing machines and setting off IDS alarms

  48. Contact Information
  • Marshall Beddoe: marshall@gravitino.net
  • Christopher Abad: chris@gravitino.net
  • URL: www.gravitino.net/projects/siphon
  • Questions? We have answers!
