
Casing the Joint

Presentation Transcript


  1. Casing the Joint What we already know about your network. batz@vapour.

  2. Casing the Joint • Contents • Context for this information. • Hierarchical breakdown of information that can be used to describe a network into "Areas". • Mock ASN.1 notation will describe each Area and extensible attributes within its domain and how they pertain to finding vulnerabilities.

  3. Casing the Joint • Evaluate information contained in attributes and how it can be damaging • How a heuristic like this could be used by automated attacks described by Caesar in related presentation. • Questions, comments, violent objections.

  4. Casing the Joint • Recent events: • December 1999, RTMark uses organized flooding tactics to DoS Etoys.com. Stock price conspicuously falls like a rock. • DDoS attacks cause mild interruption to a search engine in February. News media and lobbyists still recovering.

  5. Casing the Joint • First major distributed attack since the Morris Worm. • Internet-connected hosts will remain vulnerable to distributed attacks for the foreseeable future.

  6. Casing the Joint • Each service provided by a host can provide a wealth of information to a potential attacker. • Attempt to formalize some elements of how that information can be gathered and what it can tell us.

  7. Casing the Joint • Types of information: • Protocols Layer 3 and up. • Addressing, naming schemes. • Port ranges of un/filtered services. • Applications. • Implicit and Explicit Trust.

  8. Casing the Joint • AREAS • Autonomous System • Route • DNS Domain • Segment • Host

  9. Casing the Joint • Autonomous System • At.ASN • BGP routing information for all routes. • Paths to other networks, traffic flow, and Peers. • Routing policy.

  10. Casing the Joint • Information readily available from the RADB, or from any BGP-speaking peer on the Internet. • Very holistic information for a single host.

  11. Casing the Joint • AREA TYPE: ROUTE • At.Route.Rt • A CIDR block that contains the IP addresses of the targets in At.Host or At.DNS. • At.Route.Origin • The AS from which this route is being announced. Useful for collating other routes gathered by other agents.

  12. Casing the Joint • At.Route.routers • List of all routers within the address space one aggregated prefix length shorter than the one defined in At.Route.Rt. • At.Route.gateways • The default gateways of all hosts within this netblock.

  13. Casing the Joint • At.Route.multicast • Each gateway that may route multicast. • Potentially a list of multicast group memberships, where obtainable.
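
Worked example (added here, not part of the original slides): filling the Route area from the kind of route objects an IRR such as the RADB returns. The RPSL objects and the target addresses are constructed sample data using documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398); the function names route_for_host and routes_by_origin are this example's own, and no whois query is performed.

```python
"""Build At.Route records from IRR route objects (RPSL) for a target host.

Added example, not part of the original slides. The route objects below are
constructed sample data (RFC 5737 prefixes, RFC 5398 ASNs); the field names
follow the slides' mock notation.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: three route objects in RPSL form, as a whois query
# against an IRR such as the RADB would print them (blank line between objects).
SAMPLE_RPSL = """\
route:      192.0.2.0/24
descr:      Example Corp web block
origin:     AS64496
source:     RADB

route:      198.51.100.0/23
descr:      Example Corp hosting
origin:     AS64496
source:     RADB

route:      203.0.113.0/24
descr:      Unrelated upstream
origin:     AS64511
source:     RADB
"""


def parse_rpsl(text):
    """Yield one dict per RPSL object. Attributes are 'key: value' lines and
    objects are separated by blank lines; a repeated key keeps the last value."""
    obj = {}
    for line in text.splitlines():
        if not line.strip():
            if obj:
                yield obj
                obj = {}
            continue
        key, _, value = line.partition(":")
        obj[key.strip()] = value.strip()
    if obj:
        yield obj


def route_for_host(addr, routes):
    """At.Route for one target: the most specific route whose prefix contains
    the address (At.Route.Rt), its At.Route.Origin, and the aggregate one
    prefix length shorter in which slide 12 expects the routers to be found."""
    ip = ipaddress.ip_address(addr)
    best = None
    for obj in routes:
        if "route" not in obj:
            continue
        net = ipaddress.ip_network(obj["route"], strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, obj)
    if best is None:
        return None
    net, obj = best
    return {
        "Rt": str(net),
        "Origin": obj.get("origin"),
        "routers_search_space": str(net.supernet(prefixlen_diff=1)),
    }


def routes_by_origin(routes):
    """Collate every prefix announced by the same AS (slide 11's 'collating
    other routes'): origin -> sorted list of prefixes."""
    by_origin = defaultdict(list)
    for obj in routes:
        if "route" in obj and "origin" in obj:
            by_origin[obj["origin"]].append(obj["route"])
    return {asn: sorted(prefixes) for asn, prefixes in by_origin.items()}


if __name__ == "__main__":
    objs = list(parse_rpsl(SAMPLE_RPSL))
    print(route_for_host("198.51.100.77", objs))
    print(routes_by_origin(objs))
```

A host in 198.51.100.0/23 gives an At.Route.Rt of that /23, an origin of AS64496 and a /22 in which to look for the routers; an address no object covers returns None, which is the cue to fall back to a live BGP speaker rather than the IRR.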

  14. Casing the Joint • AREA TYPE: DNS DOMAIN • The set of all hosts listed in the forward and reverse zones for the first-level domain.

  15. Casing the Joint • At.DNS.forward-zone • A zone transfer of the domain and/or subdomain contained in At.Host.DNSName, if available.

  16. Casing the Joint • At.DNS.reverse-zone • In the event that a zone transfer is available, the reverse zone for the /24 that contains At.Host.Addr.

  17. Casing the Joint • At.DNS.reverse-lookup • If the whole zone is not available, the individual IP addresses in the /24, or in a predefined range of contiguous addresses, should be looked up and listed.

  18. Casing the Joint • At.DNS.RR • Specific resource records such as MX and more esoteric entries, collected when the full zone is not available, e.g.:

  19. Casing the Joint • At.DNS.RR.SOA • At.DNS.RR.MX • At.DNS.RR.A • At.DNS.RR.CNAME • etc...

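
Worked example (added here, not part of the original slides): populating At.DNS.forward-zone, At.DNS.reverse-zone, the At.DNS.RR buckets and the At.DNS.reverse-lookup fallback from zone data. The zone text is a constructed sample in the presentation format that `dig AXFR` prints, using example.com and RFC 5737 addresses; nothing in it performs a network query, and the function names are this example's own.

```python
"""Populate the slides' At.DNS area from zone data.

Added example, not from the original slides. The zone text is a constructed
sample in the presentation format that `dig AXFR` prints; names and
addresses are documentation values (example.com, 192.0.2.0/24).
"""
import ipaddress
from collections import defaultdict

# Constructed: a forward zone obtained by a permitted transfer
# (At.DNS.forward-zone) and the matching reverse zone (At.DNS.reverse-zone).
FORWARD_ZONE = """\
example.com.       3600 IN SOA   ns1.example.com. hostmaster.example.com. 2000030101 7200 900 1209600 3600
example.com.       3600 IN NS    ns1.example.com.
example.com.       3600 IN MX    10 mail.example.com.
ns1.example.com.   3600 IN A     192.0.2.53
mail.example.com.  3600 IN A     192.0.2.25
www.example.com.   3600 IN A     192.0.2.80
ftp.example.com.   3600 IN CNAME www.example.com.
"""
REVERSE_ZONE = """\
2.0.192.in-addr.arpa.    3600 IN SOA ns1.example.com. hostmaster.example.com. 2000030101 7200 900 1209600 3600
25.2.0.192.in-addr.arpa. 3600 IN PTR mail.example.com.
53.2.0.192.in-addr.arpa. 3600 IN PTR ns1.example.com.
80.2.0.192.in-addr.arpa. 3600 IN PTR www.example.com.
"""
ARPA = ".in-addr.arpa"


def parse_zone(text):
    """Parse 'owner TTL class TYPE rdata...' lines into At.DNS.RR buckets keyed
    by type (SOA, MX, A, CNAME, PTR, ...). Comments after ';' are dropped."""
    rr = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        rr[rtype.upper()].append((owner.rstrip(".").lower(), int(ttl), rdata))
    return rr


def forward_hosts(rr):
    """At.DNS.forward-zone as (name, address) pairs; a CNAME is followed one
    level so the alias is credited with the canonical host's address."""
    a_records = {owner: rdata[0] for owner, _, rdata in rr["A"]}
    hosts = set(a_records.items())
    for owner, _, rdata in rr["CNAME"]:
        target = rdata[0].rstrip(".").lower()
        if target in a_records:
            hosts.add((owner, a_records[target]))
    return hosts


def reverse_hosts(rr):
    """At.DNS.reverse-zone: PTR owner names turned back into dotted addresses."""
    out = {}
    for owner, _, rdata in rr["PTR"]:
        labels = owner[:-len(ARPA)].split(".") if owner.endswith(ARPA) else []
        if len(labels) == 4:
            out[".".join(reversed(labels))] = rdata[0].rstrip(".").lower()
    return out


def reverse_lookup_names(addr, prefixlen=24):
    """At.DNS.reverse-lookup fallback when no transfer is allowed: the PTR
    names to query, one per address in the /24 (or other range) around addr."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return [ip.reverse_pointer for ip in net.hosts()]


def unmatched_forward(fwd_rr, rev_rr):
    """Names with an A record but no PTR: hosts an agent that only walked
    in-addr.arpa would have missed, which is why both zones are wanted."""
    ptr_targets = set(reverse_hosts(rev_rr).values())
    return sorted(name for name, _ in forward_hosts(fwd_rr) if name not in ptr_targets)


if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE), parse_zone(REVERSE_ZONE)
    print("At.DNS.RR.MX:", fwd["MX"])
    print("forward:", sorted(forward_hosts(fwd)))
    print("reverse:", reverse_hosts(rev))
    print("only in forward:", unmatched_forward(fwd, rev))
    print("reverse-lookup fallback, first 3:", reverse_lookup_names("192.0.2.80")[:3])
```

The alias ftp.example.com shows up in the forward zone only; an agent limited to slide 17's reverse-lookup walk would never see it, which is the practical argument for trying the transfer first and treating the PTR sweep as the fallback.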

  21. Casing the Joint • AREA TYPE: SEGMENT • Sharing an Ethernet segment places a huge amount of trust between devices. Use with caution.

  22. Casing the Joint • The best information an agent will have is gained via the local segment. Much of this information can also be obtained through more active, but less covert, means.

  23. Casing the Joint • At.Segment.macaddr • The MAC address of the host that the agent has attached itself to.

  24. Casing the Joint • At.Segment.arpTable • A copy of the ARP table of the agent's host. • The format of this table should make an XML DTD more appealing.

  25. Casing the Joint • At.Segment.Protocols • From captured Ethernet frames, a table of Layer 3 protocols should be kept so that other agents can be informed of local customs. Possible extensible elements of this are on the next slide.

  26. Casing the Joint • At.Segment.Protocols.ether.stp • At.Segment.Protocols.ether.vlan • At.Segment.Protocols.ipv4 • At.Segment.Protocols.ipv6 • At.Segment.Protocols.esp • At.Segment.Protocols.ipsec • At.Segment.Protocols.ttcp • At.Segment.Protocols.ipx • At.Segment.Protocols.atm • At.Segment.Protocols.pppoe • At.Segment.Protocols.whatever

  27. Casing the Joint • Each of these would have its own address tables, which would be passed to interested agents.

  28. Casing the Joint • At.Segment.Protocols.Management • Some of these can be determined remotely. • List is not complete. • Gives information about routing architecture.

  29. Casing the Joint • At.Segment.Protocols.Management.DHCP • At.Segment.Protocols.Management.IGMP • At.Segment.Protocols.Management.RIPv1 • At.Segment.Protocols.Management.RIPv2 • At.Segment.Protocols.Management.OSPF • At.Segment.Protocols.Management.MOSPF • At.Segment.Protocols.Management.EIGRP • At.Segment.Protocols.Management.IS-IS
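
Worked example (added here, not part of the original slides) covering slides 25 to 29 together: classifying captured frames into the At.Segment.Protocols tree, including the management protocols listed above, and building At.Segment.arpTable passively from the same capture without sending a packet. The frames are constructed in code with RFC 5737 addresses and locally administered MACs; the ethertype, IP protocol and UDP port numbers are the IANA-assigned values, and the label strings follow the slides' mock notation.

```python
"""At.Segment.Protocols and At.Segment.arpTable from captured Ethernet frames.

Added example, not part of the original slides. Frames are constructed in
code below (RFC 5737 addresses, locally administered MACs); ethertype, IP
protocol and UDP port numbers are the IANA-assigned values.
"""
import struct
from collections import Counter

ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6",
              0x8137: "ipx", 0x8863: "pppoe", 0x8864: "pppoe"}
IP_PROTOS = {2: "Management.IGMP", 50: "esp", 88: "Management.EIGRP", 89: "Management.OSPF"}


def classify(frame):
    """Label one frame the way the slides' tree does: 802.1Q tags and 802.3/LLC
    (STP) at the Ethernet layer, then the IPv4 protocol field and UDP ports
    for the management protocols of slide 29."""
    etype, off, tags = struct.unpack("!H", frame[12:14])[0], 14, []
    if etype == 0x8100:                      # VLAN tag: inner type follows the TCI
        tags.append("ether.vlan")
        etype, off = struct.unpack("!H", frame[16:18])[0], 18
    if etype <= 1500:                        # 802.3 length field, LLC header next
        tags.append("ether.stp" if frame[off] == 0x42 else f"llc.{frame[off]:#04x}")
        return ".".join(tags)
    name = ETHERTYPES.get(etype, f"ether.{etype:#06x}")
    if etype == 0x0800:
        l4, proto = off + (frame[off] & 0x0F) * 4, frame[off + 9]
        if proto in IP_PROTOS:
            name = IP_PROTOS[proto]
        elif proto == 17:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
            if {sport, dport} & {67, 68}:
                name = "Management.DHCP"
            elif 520 in (sport, dport):      # RIP: command byte, then version byte
                name = f"Management.RIPv{frame[l4 + 9]}"
            else:
                name = "ipv4.udp"
        elif proto == 6:
            name = "ipv4.tcp"
    return ".".join(tags + [name])


def protocol_table(frames):
    """At.Segment.Protocols: number of frames seen per label."""
    return Counter(classify(f) for f in frames)


def passive_arp_table(frames):
    """At.Segment.arpTable without transmitting: sender pairs from ARP packets
    plus source MAC/IP from untagged IPv4 frames (0.0.0.0 sources skipped)."""
    table = {}
    for f in frames:
        etype = struct.unpack("!H", f[12:14])[0]
        if etype == 0x0806:                  # ARP sender MAC at 22, sender IP at 28
            table[".".join(map(str, f[28:32]))] = _mac(f[22:28])
        elif etype == 0x0800 and f[26:30] != b"\0\0\0\0":
            table[".".join(map(str, f[26:30]))] = _mac(f[6:12])
    return table


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


# Constructed sample frames (helpers build valid headers; checksums left zero).
def _eth(dst, src, etype, payload, vlan=None):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload

def _ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

HOST, ROUTER, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
H_IP, R_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])
SAMPLE_FRAMES = [
    _eth(HOST, ROUTER, 0x0806, struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, ROUTER, R_IP, HOST, H_IP)),
    _eth(bytes.fromhex("01005e000005"), ROUTER, 0x0800,
         _ipv4(R_IP, bytes([224, 0, 0, 5]), 89, b"\x02\x01" + b"\0" * 22)),            # OSPF hello
    _eth(bytes.fromhex("01005e000009"), ROUTER, 0x0800,
         _ipv4(R_IP, bytes([224, 0, 0, 9]), 17, _udp(520, 520, b"\x02\x02\0\0")), vlan=10),  # RIPv2, VLAN 10
    bytes.fromhex("0180c2000000") + ROUTER + struct.pack("!H", 38) + b"\x42\x42\x03" + b"\0" * 35,  # STP BPDU
    _eth(BCAST, HOST, 0x0800, _ipv4(b"\0\0\0\0", b"\xff" * 4, 17, _udp(68, 67, b"\x01" + b"\0" * 239))),  # DHCP
    _eth(ROUTER, HOST, 0x0800, _ipv4(H_IP, bytes([192, 0, 2, 80]), 6,
                                     struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 2, 8192, 0, 0))),   # TCP SYN
    _eth(bytes.fromhex("3333ff000001"), HOST, 0x86DD, b"\x60" + b"\0" * 39),            # IPv6, ethertype only
]

if __name__ == "__main__":
    for label, n in sorted(protocol_table(SAMPLE_FRAMES).items()):
        print(f"At.Segment.Protocols.{label}: {n}")
    print("At.Segment.arpTable:", passive_arp_table(SAMPLE_FRAMES))
```

A single router hello tells the agent which interior routing protocol is in use and, via the RIP version byte or the OSPF multicast group, roughly how the segment is administered; the passive ARP table is the "less active, more covert" path slide 22 contrasts with scanning, and it deliberately ignores 0.0.0.0 sources so a DHCP discover does not poison the table.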

  30. Casing the Joint • At.Segment.Promiscuous • If an agent is on a segment where a promiscuous interface can be detected, it would be nice to know about it.

  31. Casing the Joint • At.Segment.Promiscuous.yay • At.Segment.Promiscuous.nay • At.Segment.Promiscuous.yay.arpinfo (mac/ip addr)

  32. Casing the Joint • AREA TYPE: HOST • At.Host is defined as a /32 address allocation to an interface or device.

  33. Casing the Joint • At.Host.Addr • The IP address of the device in question. • At.Host.DNSName • The reverse DNS lookup of the IP address, as discovered by a local agent.

  34. Casing the Joint • At.Host.OsType • The operating system, and possibly the version number/patch level. This information can be ascertained through IP stack fingerprinting, login banners, or services.

  35. Casing the Joint • At.Host.IPForwarding • Does the host forward IP datagrams?

  36. Casing the Joint • At.Host.IPForwarding.tcp • At.Host.IPForwarding.udp • At.Host.IPForwarding.icmp • At.Host.IPForwarding.multicast • At.Host.IPForwarding.multicast_sourceroute • At.Host.IPForwarding.sourceroute • At.Host.IPForwarding.rfc1918 (if no icmp was sent)

  37. Casing the Joint • At.Host.IPForwarding.filter • Are there filtered ports/services on this device? • At.Host.DefaultGateway • The gateway (within 1 hop) that packets travel through when the host responds to an agent's scan.

  38. Casing the Joint • At.Host.PrivilegedTCPServices • Services running on ports less than 1024. This can be obtained from a scan by a local agent or, less accurately, from traffic sniffed on the local net that the agent has access to.

  39. Casing the Joint • At.Host.PrivilegedUDPServices • Similar to the TCP services, but of course for UDP. These are especially useful to attackers and distributed agents because of the connectionless nature of the protocol.

  40. Casing the Joint • At.Host.NonprivilegedTCPServices • All TCP services within a predefined agent range of ports greater than 1024.

  41. Casing the Joint • At.Host.NonprivilegedUDPServices • All UDP services within a predefined agent range of ports greater than 1024.

  42. Casing the Joint • At.Host.PrivilegedTCPServices.version • At.Host.PrivilegedUDPServices.version • At.Host.NonprivilegedTCPServices.version • At.Host.NonprivilegedUDPServices.version

  43. Casing the Joint • Version information on each service will allow each agent to correlate services with vulnerabilities.
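
Worked example (added here, not part of the original slides) for slides 38 to 43: turning a local agent's scan output into the four At.Host service buckets with their .version attributes, then performing the correlation step. The input is a constructed line in nmap's grepable (-oG) format; the host, services and versions are invented rather than a real scan, and the "fixed in" table handed to correlate is a fictional placeholder, not a real advisory list.

```python
"""Fill the slides' At.Host record from a local agent's scan output and run
the version correlation step of slide 43.

Added example, not from the original slides. The scan line is constructed in
nmap's grepable (-oG) format; host, services and versions are invented, and
the 'fixed in' table used at the bottom is a fictional placeholder, not a
real advisory list.
"""
import re

# Constructed: one host line as nmap -oG prints it (tab-separated fields;
# each port entry is port/state/proto/owner/service/rpcinfo/version/).
SAMPLE_GREPABLE = (
    "Host: 192.0.2.80 (www.example.com)\t"
    "Ports: 22/open/tcp//ssh//OpenSSH 2.1.1 (protocol 1.99)/, "
    "53/open/udp//domain//ISC BIND 8.2.2-P5/, "
    "80/open/tcp//http//Apache httpd 1.3.12/, "
    "111/filtered/tcp//rpcbind///, "
    "8080/open/tcp//http-proxy//Squid http proxy 2.3.STABLE1/\t"
    "Ignored State: closed (1994)\tOS: Linux 2.2.14"
)
BUCKETS = ("PrivilegedTCPServices", "PrivilegedUDPServices",
           "NonprivilegedTCPServices", "NonprivilegedUDPServices")


def parse_grepable_host(line):
    """Map one -oG host line onto At.Host.Addr, .DNSName, .OsType,
    .IPForwarding.filter and the four service buckets (port -> service/version).
    Ports below 1024 are 'privileged' as on slide 38; a filtered port only
    sets the filter flag; closed ports are not recorded."""
    fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
    m = re.match(r"(\S+)\s*\(([^)]*)\)", fields["Host"])
    host = {"Addr": m.group(1), "DNSName": m.group(2) or None,
            "OsType": fields.get("OS"), "IPForwarding.filter": False}
    host.update({b: {} for b in BUCKETS})
    for entry in filter(None, fields.get("Ports", "").split(", ")):
        port, state, proto, _owner, service, _rpc, version, *_ = entry.split("/")
        port = int(port)
        if state == "filtered":
            host["IPForwarding.filter"] = True
        elif state == "open":
            bucket = ("Privileged" if port < 1024 else "Nonprivileged") + proto.upper() + "Services"
            host[bucket][port] = {"service": service, "version": version or None}
    return host


def version_key(version):
    """Numeric fields of the first token as a tuple, so '8.2.2-P5' sorts before
    '8.2.3' and ' 2.1.1 (protocol 1.99)' is compared on 2.1.1 only."""
    tokens = version.split()
    return tuple(int(x) for x in re.findall(r"\d+", tokens[0])) if tokens else ()


def correlate(host, fixed_in):
    """Slide 43: flag every service whose version string starts with a product
    named in fixed_in and whose version sorts below the first fixed version.
    fixed_in is supplied by the caller; this example carries no advisory data."""
    hits = []
    for bucket in BUCKETS:
        for port, svc in sorted(host[bucket].items()):
            ver = svc["version"] or ""
            for product, fixed in fixed_in.items():
                if ver.startswith(product) and version_key(ver[len(product):]) < version_key(fixed):
                    hits.append((bucket, port, ver, fixed))
    return hits


if __name__ == "__main__":
    host = parse_grepable_host(SAMPLE_GREPABLE)
    for b in BUCKETS:
        print(f"At.Host.{b}:", host[b])
    # Fictional threshold for demonstration only, not a real advisory.
    print(correlate(host, {"Apache httpd": "1.3.13"}))
```

The filtered rpcbind port sets At.Host.IPForwarding.filter rather than landing in a service bucket, which is the distinction slide 37 draws; the version tuple comparison is the minimum an agent needs before it can consult a vulnerability table, and the table itself stays a caller-supplied input so the recon model is not tied to any one source of advisories.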

  44. Casing the Joint • Within the constraints of this rough model, an agent with access to this information could easily make a reasonable decision on how vulnerable a host is to a wide variety of attacks.

  45. Casing the Joint • FUTURE RESEARCH • The mock ASN.1 notation in this presentation was intended to illustrate the feasibility of integrating a similar system into a network of agents.

  46. Casing the Joint • This information could just as easily be described in XML, or in a number of other notations, for the purpose of inter-agent communication.

  47. Casing the Joint • With the advent of the DDoS systems that have been revealed in the last year, it would be a reasonable prediction that attacks against networks will be perpetrated less by individuals than by malicious software acting of its own volition.

  48. Casing the Joint “What was once thought can never be unthought.” --The Physicists, Friedrich Dürrenmatt batz@vapour.net
