The Siphon Project An Implementation of Stealth Target Acquisition
48 Slides1.04 MB
The Siphon Project An Implementation of Stealth Target Acquisition & Information Gathering Methodologies 06/27/23 Blackhat USA 2001 1
Contact Information Marshall Beddoe: [email protected] Christopher Abad: [email protected] URL: www.gravitino.net/projects/siphon 06/27/23 Blackhat USA 2001 2
Overview A definition of general network mapping Active techniques Passive techniques (Siphon) Example Siphon report 06/27/23 Blackhat USA 2001 3
What is Network Mapping? The process of gathering information in order to identify and understand the internetworking of systems 06/27/23 Blackhat USA 2001 4
Why is this Important? To gather information To identify weaknesses To learn how the network operates 06/27/23 Blackhat USA 2001 5
Network Mapping Information Port Information Operating System Information Information Enumeration Topology Map Generation Vulnerability Information 06/27/23 Blackhat USA 2001 6
Port Information Vulnerable services run on TCP/UDP ports Perception of security on the network and/or host Ability to perform accurate OS identification 06/27/23 Blackhat USA 2001 7
Operating System Information Survey of the types of OS’ on a network Vulnerabilities specific to operating systems 06/27/23 Blackhat USA 2001 8
Information Enumeration “Harmless” information that can later lead to the compromise of a network Examples: E-mail addresses, NetBIOS names, NFS exports, usernames, hostnames, whois information, etc. 06/27/23 Blackhat USA 2001 9
Topology Map Generation Understanding the physical layout of the network Possible discovery of alternate penetration routes 06/27/23 Blackhat USA 2001 10
Vulnerability Information Consists of all previously explained network mapping information Discovering vulnerabilities on systems and in network configuration One vulnerability can lead to the compromise of an entire network 06/27/23 Blackhat USA 2001 11
Current Mapping Techniques Active Network Mapping Nmap Queso Nessus Passive Network Mapping 06/27/23 Siphon Blackhat USA 2001 12
Active Network Mapping Sending queries to receive responses in order to gather port information, operating system information, etc. Requires employing applications that generate “noise” on a network 06/27/23 Blackhat USA 2001 13
Active Mapping Techniques Active Active Active Active Active 06/27/23 port mapping operating system identification information enumeration topology map generation vulnerability assessment Blackhat USA 2001 14
Active Port Mapping TCP connect() scan (1) TCP SYN “stealth” scan (2) Special TCP FIN, XMAS & NULL scans Vanilla UDP scan (4) (3) SYN to port 23 (1) SYN ACK from port 23 ACK to port 23 FIN to port 23 (3) No RST response, port is open SYN to port 23 (2) SYN ACK from port 23 UDP packet to port 67 (4) No ICMP port unreachable, port is open 06/27/23 Blackhat USA 2001 15
Active OS Identification TCP Advertised Window TCP Options FIN Probes ISN Sampling Frag Handling 06/27/23 Blackhat USA 2001 TCP Packet 16
Active Information Enumeration NetBIOS name gathering NetBIOS drive sharing Sendmail EXPN probes Finger information WHOIS information NFS exports 06/27/23 Blackhat USA 2001 17
Active Topology Mapping Traceroute INTERNE T Host B Host A Host C 06/27/23 Blackhat USA 2001 18
Active Vulnerability Assessment Banner checking RPC portmapper queries DNS version queries TCP connect() to port 21 220 FTP Server (Version wu-2.6.0(1) ready. 06/27/23 Blackhat USA 2001 19
Pros & Cons of Active Mapping Pros Cons Assessment can be conducted from a different network Requires little time to gather information 06/27/23 Blackhat USA 2001 Generates network noise Alarms intrusion detection systems Reveals source of probe Accuracy problems Intrusive 20
The Siphon Project When it was created January 2000 Why it was created 06/27/23 Does not generate network noise Does not trigger IDS alarms Does not reveal source of probe Does not send out a single packet Stealth technique Datalink layer level mapping Blackhat USA 2001 21
Passive Network Mapping Gathering information about a network without sending out a single packet By monitoring traffic, can determine the entire layout of the network and the configuration of hosts connected to the network 06/27/23 Blackhat USA 2001 22
Is Passive Feasible? Does passive mapping provide complete information? For the most part, the only difference is that passive network mapping takes more time to gather information Hosts that never receive network traffic on a network might not be reported by Siphon Who would use passive network mapping? 06/27/23 Network administrators that operate in red-tape environments such as the US Government/Military Skilled hackers that move slowly to avoid detection Blackhat USA 2001 23
Siphon Mapping Techniques Passive port mapping Passive operating system identification Passive information enumeration Passive topology map generation Passive vulnerability assessment Report generation 06/27/23 Blackhat USA 2001 24
Passive TCP Port Mapping Monitoring SYN ACK packets Logging the source port SYN to port 23 SYN ACK from port 23 ACK to port 23 Host A Host B Siphon 06/27/23 Blackhat USA 2001 25
TCP Port Mapping Challenges Problem: Corruption of information caused by spoofed connections Solution: Monitor TCP state Network SYN ACK from host A src port 666 Host C Siphon No initial SYN sent to port 666 of host A, Will not record 06/27/23 Blackhat USA 2001 26
Passive UDP Port Mapping Monitoring UDP packets Listening for ICMP port unreachable packets UDP packet to port 53 Host A Host B Siphon No ICMP port unreachable, port is open 06/27/23 Blackhat USA 2001 27
UDP Port Mapping Challenges Problem: Accuracy Solution: Decode application layer protocols that use UDP DNS Query to UDP port 53 DNS Query Response from UDP port 53 Host A Host B Siphon 06/27/23 Standard DNS query response from Host B, UDP port 53 is open Blackhat USA 2001 28
Passive OS Identification Operating system is determined by monitoring TCP SYN ACK packets An OS is fingerprinted based upon the TCP advertised window, the IP DF bit, the default TTL, the TCP options, and the MSS TCP option SYN to porthost. 23 set by the connecting SYN ACK from port 23 TCP advertised window 0x4000 Host A Host C DF bit ON TTL 64 OS Fingerprints: Siphon 06/27/23 Blackhat USA 2001 4000:ON:64 FreeBSD 29
Passive OS Ident. Challenges Problem: Multiple fingerprints for one OS version Solution: Siphon passive OS identification Problem OS Fingerprints File: algorithm 7D78:64:1:Linux 2.1.122 - 2.2.14 77C4:64:1:Linux 2.1.122 - 2.2.14 7BF0:64:1:Linux 2.1.122 - 2.2.14 7BC0:64:1:Linux 2.1.122 - 2.2.14 06/27/23 Blackhat USA 2001 30
Siphon OS Ident. Algorithm W { set of known windows } Ws sample window where Ws W or Ws W Legal-Bits Mask W M Wi i 1 Static-Bits Mask W M Wi i 1 OS Detection Algorithm hamd(M (M )’ Ws) / hamd (M (M )’) IFF Ws (M ) M and Ws M M 06/27/23 Blackhat USA 2001 31
Passive OS Ident Challenges After applying the Siphon OS identification algorithm, we now have only one entry for Linux 2.1.122 - 2.2.14 Fixed OS Fingerprints File: 7D78:77C4:64:1:Linux 2.1.122 - 2.2.14 06/27/23 Blackhat USA 2001 32
Passive Information Enumeration Monitoring telnet traffic to gather usernames & passwords Monitoring incoming mail traffic to gather usernames Monitoring incoming web traffic to gather hostnames Monitoring DNS queries and responses to gather hostnames Monitoring file sharing: NFS, NetBIOS, etc. Performing traffic analysis, peak hours, etc. Network hardware fingerprinting 06/27/23 Blackhat USA 2001 33
Passive Topology Mapping Dynamic routing protocols RIP topology mapping (general distance vector) OSPF topology mapping (link state protocol) Path vector routing topology 06/27/23 TTL estimation Blackhat USA 2001 34
Routing Information Protocol Interior gateway protocol Distance vector protocol Uses hop count as its metric Sends routing-update messages frequently Further Information 06/27/23 Request For Comments (RFC) 1058 and 1723 Blackhat USA 2001 35
Topology Mapping with RIP Monitor RIP packets on multiple subnets running Siphon Run results through our distance vector to link state routing conversion algorithm RIP Siphon A 06/27/23 Siphon B Blackhat USA 2001 36
Conversion as a Convex Optimization Distance vector routing table for network i T Ni [ ni1 ni2 nim-1 nim ] I { all known routing tables of networks 1, 2, , m } Routing matrix with respect to network i Ri [r ijk] where r ijk { if j k Nik else if j i Nij else if k i { x : x Nij – Nik (1 - ) Nij Nik , 0 1 } Ideal routing matrix with respect to all networks in I { R’ [r’jk] where r’jk Njk i I 06/27/23 if j k if j I rijk otherwise Blackhat USA 2001 37
DV to LS Conversion Cont. Problem of network routing disjunction therefore we need to redefine the ideal routing 1 1 Matrix as a matrix of functions r’jk : R - R { { 1 if x 0 else 0 } { 1 if x Njk else 0 } R’ [r’ jk] where r’ jk(x) i I if j k if j I 1 if x r ijk 0 otherwise otherwise Global maxima of r’ jk(x) as a most probable metric of routing between Nj and Nk Path proof for rijk 06/27/23 Blackhat USA 2001 38
DV to LS Conversion Example Network 1 (N1) Routing Table N11 0 Network 2 (N2) Routing Table N21 2 N12 2 N22 0 N13 5 N23 7 N13 8 N24 7 N14 3 N25 5 Network 1 (R1) Routing Matrix R1i1 R1i2 R1i3 R1i4 Network 2 (R2) Routing Matrix R2i1 R2i2 R2i3 R2i4 R1i5 R2i5 R11j {} R21j {} R12j 2 {} R22j 2 {} R13j 5 [3,7] {} R23j [5,9] 7 {} R14j 8 [6,10] [3,13] {} R24j [5,9] 7 [0,14] {} R15j 3 [1,5] [2,8] [5,11] {} R25j [3,7] 5 [2,12] [2,12] {} 06/27/23 Blackhat USA 2001 39
Continued R2i1 R' Routing Matrix R2i2 R2i3 R2i4 R2i5 R21j {} R22j 2 {} R23j 5 7 {} R24j 8 7 [3,13] {} R25j 3 5 [2,8] [5,11] {} 06/27/23 Blackhat USA 2001 40
Open Shortest Path First Designed to correct problems associated with RIP Link state protocol Learns of routing information through link-state advertisements This information includes interface status and metrics used A topological database is maintained by the collection of LSA’s received All routers in the same area have the same topological database 06/27/23 Blackhat USA 2001 41
Topology Mapping with OSPF Periodic full LSA updates Generate topology map based off LSA updates OSPF LSA Update Topology Map [ ] Siphon 06/27/23 Blackhat USA 2001 42
Passive Vuln. Assessment Analysis of packet payload Monitoring Monitoring Monitoring Monitoring application banners DNS version queries RPC queries HTTP GET requests TCP connect() to port 21 220 FTP Server (Version wu-2.6.0(1) ready. Host B Host A Siphon Log: Host B is VULNERABLE Siphon 06/27/23 Blackhat USA 2001 43
Traffic Analysis Port statistics are used to determine server roles Auditing logins, email and web access can determine user behavioral patterns and machine roles. Analysis on initial sequence numbers and other similar challenge protocol fields can reveal the nature of the hosts’ PRNG. 06/27/23 Assistance in Operating System Identification TCP Sequence Guessing Blackhat USA 2001 44
Example Siphon Report Report: Our Siphon software was run for 1 day on our test network 06/27/23 Blackhat USA 2001 45
Future Features of Siphon Non-TCP operating system fingerprinting Default installation fingerprinting Passive Wireless LAN (802.11b) network mapping Rogue access point detection SSID gathering Network statistics (Signal strength, etc.) OSPF integration Windows 2000 Version 06/27/23 Blackhat USA 2001 46
Summary Active and passive mapping are different in nature depending on the purpose and motivation of the user Passive network mapping is performed by monitoring network traffic without sending out a single packet Active network mapping is performed by sending out queries and gathering responses generating massive amounts of network noise, crashing machines and setting off IDS alarms 06/27/23 Blackhat USA 2001 47
Contact Information Marshall Beddoe: [email protected] Christopher Abad: [email protected] URL: www.gravitino.net/projects/siphon Questions? We have answers! 06/27/23 Blackhat USA 2001 48
