Re: Heavyweight Network Mapping Tools

From: Andy Cuff [Talisker] (talisker@securitywizardry.com)
Date: Sat Nov 29 2003 - 16:59:46 EST


Hi Robert,
Thanks a lot for such a comprehensive reply

> http://www.lumeta.com/ipsonar.html
>> The Lumeta stuff is very good, but costly and mostly closed. It is
> leveraging work from William Cheswick and Hal Burch.

I've come across this before and to my knowledge and largely confirmed by
the site case studies they run the discovery themselves, whilst this is ok
it tends to be expensive furthermore subsequent updates get expensive. I'd
look for the ability to schedule the scan for the quiet hours and have
multiple threads so as not to adversely effect any individual sub network
too greatly. As soon as the initial scan is complete the process starts
over, highlighting changes from the initial baseline. The output from this
is then used to drive the active OS fingerprinting.

The visualisation is perfect

>
> http://www.opte.org
The OPTE project has Barret Lyon of Network Presence (main developer) and
> Dan Kaminsky of Avaya's Enterprise Security Practice (Author of
> Paketto/scanrand) behind it. The goals for the OPTE project are slightly
> different than what you've described, but could easily be adapted to your
> needs.

The code is only 70% complete, though the data is very interesting, where do
I find the base?
>
> > Mandatory
> > Hosts alive through ICMP
> Fyi, I plan on taking the OPTE project base and modifying it for uses such
> as what you've described. However, instead of using ICMP I plan on
> implementing automated scans/system finding based on an abbreviated
Section
> C, Modules 1-3 of the OSSTMM (http://www.osstmm.org pages 45-48). This is
> far more complete for flushing out live systems and works equally well on
> internal and external systems alike. I'll have all of this stuff logging
> back to an SQL server. This helps when dealing with large sets of data.
>
> > Hosts OS through active OS fingerprinting
> This can be done in a second phase after flushing out live systems,
although
> there are interesting things you can assume based on how the systems
respond
> to the 1st wave of scanning, ie timing, ports, etc. Add banner grabbing,
> nmap/xprobe/p0f/etc and you have an effective OS fingerprint, again being
> careful to map this data back to a database.

I'd be very interested in what you come up with, my only concern would be a
great increase in the number of packets to replace ICMP, which over multiple
class B's may slow things down. Though as you mention they may reduce the
packets required for fingerprinting.

Feeding it all into an SQL database is the way forward, I'm just looking
forward to some bright entrepenaur seeing a niche and providing it.
>
> > Advantageous
> Not sure what you mean by this.
Sorry poor choice of words be my, Desireable would have been a better one.
>
> > Patch Compliance without host residing agents
> There are tools that you can use on the windows side in this phase without
a
> host agent, but it requires having an administrative login/password for
the
> system in question. Not sure what Unix automated tools exist for this
> purpose.

 I was loooking more for the vulnerability scanning approach without
actually exploiting the vulnerability to prove it's presence. The recent
scanners from eEye, Foundtsone and EVEN Microsoft for the MS026 and 039
vulnerabilities show there are tools out there. The reason I say patch
compliance as apposed to a full blown vulnerability scan is purely bandwidth
and the cost of said scanners for larger networks.

>
> > Results must be displayable in 3D and be drilled down to individual
hosts
> > using filters. (look pretty for budget enhancement whilst being useable)
>
> The OPTE project uses LGL (http://bioinformatics.icmb.utexas.edu/lgl/) to
> visualize the network maps. You can pull from your database to make the
> OS/hostname/IP information overlay onto the map and then export the data
to
> a VRML format. This will allow for interesting 3D walkthroughs with the
> ability to zoom in and see ip/host/os/etc information.
>
> See http://www.opte.org/maps/ for the pictures of the latest maps and the
> raw LGL data from that project as a reference as to what is possible.
>
> > Must have continual use and not a snapshot based managed service
>
> Not sure what you mean here. Please expound.

Rather than scan the network once I want it to be a permanent ongoing
process

>
> > I'm also looking to schedule and throttle the output without having to
use
> > a packet shaper. (don't want to consume too much bandwidth)
>
> scanrand has the -b (bandwidth) option for this reason.
>
> > Does anyone have any further recommendations regarding cool or useful
> > features in such a product and better still products that meet or come
> > close to the above.
>
> Again, I want to automate as much of the OSSTMM based scanning as possible
> (complete section C), as those techniques are the most thorough and
reliable
> that I've run across. Other than the work of OPTE and Lumeta, I'm not
sure
> who else is playing in this space.
>
> > I have collected details on light and medium weight enumerators at
> > http://www.securitywizardry.com/enum.htm but need more oomph!
>
> If you have any other project goals/needs/ideas, please respond. If it's
> useful to you, it's likely useful to the rest of the community too :).
For
> more immediate response, come join us on IRC (efnet #opte).

Cheers Robert is has been a pleasure !

-andy

---------------------------------------------------------------------------
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT