RE: Graphical NMAP

From: Robert E. Lee (robert@dyadsecurity.com)
Date: Thu Oct 30 2003 - 15:04:10 EST


One more thing to throw into this conversation:

Dan Kaminsky (http://www.doxpara.com) of Paketto Keiretsu fame is
working on some very cool updates to the scanrand tool. Currently it
has the ability to output to SQL servers, which allows for some very
sophisticated data correlation queries. You can also dump this
information into various other tools for graphical summaries of the
information.

Just for kicks you might want to check out the following dump output:
http://www.dyadsecurity.com/sample_dump

This is just a taste of the graphical representations that are possible
with your scan output. As an additional ISECOM (http://www.isecom.org)
related project, I am working with Dan on a front-end to his tools with
an emphasis on how to graphically represent this data.

For now, if you're interested in playing with it, I'd suggest you find a
copy of one of Dan's more recent talks (check the Black Hat conference
repositories). These talks contain enough information to start playing
with the new scanrand stuff.

Just a quick usage primer:
To dump to a mysql DB, create a new database and user account with full
permissions to the new db.

Create a new table in your new database:
create table demotable (
    abs_tv_sec integer unsigned, abs_tv_usec integer unsigned,
    rel_tv_sec integer unsigned, rel_tv_usec integer unsigned,
    stat char(5), src varchar(64), dst varchar(64), port integer unsigned,
    hopcount integer unsigned, trace_hop integer unsigned, qos integer unsigned,
    trace_src varchar(64), trace_dst varchar(64), trace_mid varchar(64)
);

Kick off a listening scanrand thread that dumps directly to your
database:
scanrand2 -e -L -s key -t0 -T demotable -M1 | mysql -u <mysql username> -p "demodb"

Now you can do any set of scans/traceroutes that you want and have it
all dump directly to your scanrand listener and populate your mysql
database:
scanrand2 -i <ip to send from> -S -s key -b200k <ip_range_to_scan>:<ports_to_scan>

Now for a good sample query:
select hopcount,dst,port,stat,trace_mid from demotable where src="<ip you sent from>" and stat!="DOWN" order by dst,port;

That query shows you ICMP error messages and active TCP ports. It
orders them by the destination, and then by the port on the destination.
It also shows you your hopcount (distance), and the server IP that sent
the ICMP message back to you. The possible ways to represent this data
are numerous, and will be very "pretty"/graphical soon.

If you have any other questions about this particular project, I'll try
to keep up to date with my email account :). Also, if you're interested
in helping with the coding of the front-end stuff, I could definitely
use additional volunteers.

Thanks,

Robert

Robert E. Lee
CTO, http://www.dyadsecurity.com
 
3400 Irvine Ave, Building 118
Newport Beach, Ca 92660
T (949) 486-6600
F (949) 486-6001
robert@dyadsecurity.com
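
The SQL side of the primer above, as an added example that is not part of the original post and not code from scanrand or Dyad Security: it creates the `demotable` schema from the post in an in-memory sqlite3 database (standing in for MySQL so it runs offline), loads a handful of constructed rows shaped like the table (not captured scanrand2 output; the `UN03` status tag and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 addresses are assumptions), runs the post's sample query with a bound parameter instead of a pasted IP, and adds a per-destination roll-up rendered as a plain-text bar chart to show the kind of "graphical" summary the dump enables.

```python
import sqlite3

# Table definition copied from the post (MySQL syntax; sqlite3 accepts it as-is).
SCHEMA = """
create table demotable (
    abs_tv_sec integer unsigned, abs_tv_usec integer unsigned,
    rel_tv_sec integer unsigned, rel_tv_usec integer unsigned,
    stat char(5), src varchar(64), dst varchar(64), port integer unsigned,
    hopcount integer unsigned, trace_hop integer unsigned, qos integer unsigned,
    trace_src varchar(64), trace_dst varchar(64), trace_mid varchar(64)
)
"""

SCAN_SRC = "192.0.2.10"  # assumed sender address (RFC 5737 documentation range)

# Constructed rows in the column order of the schema. They are made up to
# exercise the query and are NOT real scanrand2 output. "UP"/"DOWN" follow the
# post; "UN03" is an assumed status tag for an ICMP unreachable reply, with the
# router that sent it in trace_mid (the post says trace_mid holds that IP).
SAMPLE_ROWS = [
    (1067544250, 10, 0, 10, "UP",   SCAN_SRC, "198.51.100.5", 22,  12, 0, 0, "", "", ""),
    (1067544250, 20, 0, 20, "UP",   SCAN_SRC, "198.51.100.5", 80,  12, 0, 0, "", "", ""),
    (1067544250, 30, 0, 30, "DOWN", SCAN_SRC, "198.51.100.5", 443, 12, 0, 0, "", "", ""),
    (1067544250, 40, 0, 40, "UP",   SCAN_SRC, "198.51.100.7", 80,  14, 0, 0, "", "", ""),
    (1067544250, 50, 0, 50, "UN03", SCAN_SRC, "198.51.100.9", 25,   9, 0, 0,
     SCAN_SRC, "198.51.100.9", "203.0.113.1"),
    # A row from a different sender; the src filter must drop it.
    (1067544250, 60, 0, 60, "UP",   "10.0.0.1", "198.51.100.5", 22, 3, 0, 0, "", "", ""),
]


def load_sample_db(rows=SAMPLE_ROWS):
    """Create demotable in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "insert into demotable values (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def responsive_ports(conn, src):
    """The post's sample query: every non-DOWN result for one sender (open TCP
    ports plus ICMP errors), ordered by destination then port. The sender IP is
    a bound parameter and the literal uses single quotes so the statement runs
    unchanged on sqlite and MySQL."""
    return conn.execute(
        "select hopcount, dst, port, stat, trace_mid from demotable "
        "where src = ? and stat != 'DOWN' order by dst, port", (src,)).fetchall()


def hosts_by_distance(conn, src):
    """Correlation the dump makes cheap: one row per destination with its hop
    distance and the number of ports that answered UP, nearest hosts first."""
    return conn.execute(
        "select dst, max(hopcount), sum(stat = 'UP') from demotable "
        "where src = ? and stat != 'DOWN' "
        "group by dst order by max(hopcount), dst", (src,)).fetchall()


def render_distance_chart(rows):
    """Plain-text stand-in for a graphical summary: one bar per destination,
    bar length equal to the hop distance."""
    if not rows:
        return "(no responsive hosts)"
    width = max(len(dst) for dst, _, _ in rows)
    return "\n".join(
        f"{dst:<{width}} {'#' * hops:<20} {hops:2d} hops, {up} open"
        for dst, hops, up in rows)


if __name__ == "__main__":
    conn = load_sample_db()
    for row in responsive_ports(conn, SCAN_SRC):
        print(row)
    print(render_distance_chart(hosts_by_distance(conn, SCAN_SRC)))
```

Running it prints the four non-DOWN rows for 192.0.2.10 (the DOWN probe and the row from 10.0.0.1 are filtered out) followed by three bars, with 198.51.100.9 reached at 9 hops via the ICMP error from 203.0.113.1. Against the real MySQL dump, swap `sqlite3.connect(":memory:")` for your MySQL connector and the same two queries apply to the `demotable` the listener fills.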

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT