The Siphon Project: An Implementation of Stealth Target Acquisition & Information Gathering Methodologies
Blackhat USA 2001 (slide export dated 11/7/2015)
Slide 2: Contact Information
- Marshall Beddoe: [email protected]
- Christopher Abad: [email protected]
- URL: www.gravitino.net/projects/siphon

Slide 3: Overview
- A definition of general network mapping
- Active techniques
- Passive techniques (Siphon)
- Example Siphon report

Slide 4: What is Network Mapping?
- The process of gathering information in order to identify and understand the internetworking of systems

Slide 5: Why is this Important?
- To gather information
- To identify weaknesses
- To learn how the network operates

Slide 6: Network Mapping Information
- Port information
- Operating system information
- Information enumeration
- Topology map generation
- Vulnerability information

Slide 7: Port Information
- Vulnerable services run on TCP/UDP ports
- Perception of security on the network and/or host
- Ability to perform accurate OS identification

Slide 8: Operating System Information
- Survey of the types of OSes on a network
- Vulnerabilities specific to operating systems

Slide 9: Information Enumeration
- "Harmless" information that can later lead to the compromise of a network
- Examples: e-mail addresses, NetBIOS names, NFS exports, usernames, hostnames, whois information, etc.
Slide 10: Topology Map Generation
- Understanding the physical layout of the network
- Possible discovery of alternate penetration routes

Slide 11: Vulnerability Information
- Consists of all previously explained network mapping information
- Discovering vulnerabilities on systems and in network configuration
- One vulnerability can lead to the compromise of an entire network

Slide 12: Current Mapping Techniques
- Active network mapping: Nmap, Queso, Nessus
- Passive network mapping: Siphon

Slide 13: Active Network Mapping
- Sending queries to receive responses in order to gather port information, operating system information, etc.
- Requires employing applications that generate "noise" on a network

Slide 14: Active Mapping Techniques
- Active port mapping
- Active operating system identification
- Active information enumeration
- Active topology map generation
- Active vulnerability assessment

Slide 15: Active Port Mapping
- TCP connect() scan (1)
- TCP SYN "stealth" scan (2)
- Special TCP FIN, XMAS & NULL scans (3)
- Vanilla UDP scan (4)
Diagram:
  (1) SYN to port 23; SYN|ACK from port 23; ACK to port 23
  (2) SYN to port 23; SYN|ACK from port 23
  (3) FIN to port 23; no RST response, so the port is open
  (4) UDP packet to port 67; no ICMP port unreachable, so the port is open

Slide 16: Active OS Identification
- TCP advertised window
- TCP options
- FIN probes
- ISN sampling
- Fragmentation handling
Diagram: TCP packet

Slide 17: Active Information Enumeration
- NetBIOS name gathering
- NetBIOS drive sharing
- Sendmail EXPN probes
- Finger information
- WHOIS information
- NFS exports

Slide 18: Active Topology Mapping
- Traceroute
Diagram: Host A, Host B and Host C reached across the INTERNET

Slide 19: Active Vulnerability Assessment
- Banner checking
- RPC portmapper queries
- DNS version queries
Diagram: TCP connect() to port 21; banner returned: "220 FTP Server (Version wu-2.6.0(1) ready."
Slide 20: Pros & Cons of Active Mapping
Pros:
- Assessment can be conducted from a different network
- Requires little time to gather information
Cons:
- Generates network noise
- Alarms intrusion detection systems
- Reveals source of probe
- Accuracy problems
- Intrusive

Slide 21: The Siphon Project
- When it was created: January 2000
- Why it was created:
  - Does not generate network noise
  - Does not trigger IDS alarms
  - Does not reveal source of probe
  - Does not send out a single packet
  - Stealth technique
  - Datalink layer level mapping

Slide 22: Passive Network Mapping
- Gathering information about a network without sending out a single packet
- By monitoring traffic, can determine the entire layout of the network and the configuration of hosts connected to the network

Slide 23: Is Passive Feasible?
- Does passive mapping provide complete information?
  - For the most part, the only difference is that passive network mapping takes more time to gather information
  - Hosts that never receive network traffic on a network might not be reported by Siphon
- Who would use passive network mapping?
  - Network administrators that operate in red-tape environments such as the US Government/Military
  - Skilled hackers that move slowly to avoid detection

Slide 24: Siphon Mapping Techniques
- Passive port mapping
- Passive operating system identification
- Passive information enumeration
- Passive topology map generation
- Passive vulnerability assessment
- Report generation

Slide 25: Passive TCP Port Mapping
- Monitoring SYN|ACK packets
- Logging the source port
Diagram (Siphon observing): Host A -> Host B: SYN to port 23; Host B -> Host A: SYN|ACK from port 23; Host A -> Host B: ACK to port 23

Slide 26: TCP Port Mapping Challenges
- Problem: corruption of information caused by spoofed connections
- Solution: monitor TCP state
Diagram: Host C injects a SYN|ACK "from host A, src port 666" onto the network; Siphon saw no initial SYN to port 666 of host A, so it will not record the port

Slide 27: Passive UDP Port Mapping
- Monitoring UDP packets
- Listening for ICMP port unreachable packets
Diagram: Host A -> Host B: UDP packet to port 53; no ICMP port unreachable, so the port is open

Slide 28: UDP Port Mapping Challenges
- Problem: accuracy
- Solution: decode application layer protocols that use UDP
Diagram: Host A -> Host B: DNS query to UDP port 53; Host B -> Host A: DNS query response from UDP port 53; a standard DNS query response from Host B means UDP port 53 is open

Slide 29: Passive OS Identification
- Operating system is determined by monitoring TCP SYN|ACK packets
- An OS is fingerprinted based upon the TCP advertised window, the IP DF bit, the default TTL, the TCP options, and the MSS TCP option set by the connecting host.
Diagram: Host A -> Host C: SYN to port 23; Host C -> Host A: SYN|ACK from port 23 with TCP advertised window = 0x4000, DF bit = ON, TTL = 64
OS fingerprints (Siphon): 4000:ON:64 = FreeBSD
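The following is an added example, not code from the Siphon project, that implements the two rules slides 25 to 28 state for passive port mapping: a SYN|ACK counts as an open TCP port only when the sensor also saw the SYN it answers (so the spoofed SYN|ACK of slide 26 is discarded), and a UDP port is marked closed on ICMP port unreachable, open on a decoded application-layer reply, and merely "open?" on silence. The packet trace, host names and port numbers are constructed for the example; the `app_reply` flag stands in for the application-layer decoding the slides describe.

```python
# Added example (not Siphon's source code): a passive port mapper over a
# constructed packet trace, following the rules stated on slides 25-28.
#  - TCP: a SYN|ACK is recorded as an open port only if the sensor also
#    saw the SYN it answers; an unsolicited SYN|ACK is treated as spoofed.
#  - UDP: a datagram answered by ICMP port unreachable marks the port
#    closed; a decoded application-layer reply (a DNS response here)
#    confirms it open; silence alone is only a weak "open?" indication.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    """One observed frame, reduced to the fields the mapper needs."""
    proto: str                                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""                                # TCP flags: "S", "SA", "A"
    unreachable: Optional[Tuple[str, int]] = None  # ICMP type 3/code 3: (orig dst, orig dport)
    app_reply: bool = False                        # payload decoded as an application response


class PassivePortMapper:
    def __init__(self):
        self.pending_syn = set()    # (client, server, server_port) SYNs awaiting a SYN|ACK
        self.open_tcp = {}          # server -> ports that completed SYN / SYN|ACK
        self.spoofed = []           # SYN|ACKs with no preceding SYN (slide 26 case)
        self.udp_seen = set()       # (server, port) datagrams sent to a port
        self.udp_closed = set()     # (server, port) answered by ICMP port unreachable
        self.udp_confirmed = set()  # (server, port) that sent a decoded application reply

    def feed(self, pkt: Packet) -> None:
        if pkt.proto == "tcp":
            self._tcp(pkt)
        elif pkt.proto == "udp":
            if pkt.app_reply:
                self.udp_confirmed.add((pkt.src, pkt.sport))
            else:
                self.udp_seen.add((pkt.dst, pkt.dport))
        elif pkt.proto == "icmp" and pkt.unreachable is not None:
            self.udp_closed.add(pkt.unreachable)

    def _tcp(self, pkt: Packet) -> None:
        if pkt.flags == "S":
            self.pending_syn.add((pkt.src, pkt.dst, pkt.dport))
        elif pkt.flags == "SA":
            expected_syn = (pkt.dst, pkt.src, pkt.sport)
            if expected_syn in self.pending_syn:   # TCP state check (slide 26)
                self.pending_syn.discard(expected_syn)
                self.open_tcp.setdefault(pkt.src, set()).add(pkt.sport)
            else:
                self.spoofed.append(pkt)

    def udp_report(self) -> dict:
        """(server, port) -> 'open' (application reply seen), 'closed'
        (ICMP unreachable seen) or 'open?' (datagram seen, no evidence either way)."""
        report = {}
        for key in self.udp_seen | self.udp_confirmed:
            if key in self.udp_confirmed:
                report[key] = "open"
            elif key in self.udp_closed:
                report[key] = "closed"
            else:
                report[key] = "open?"
        return report


# Constructed trace: host names and port numbers are illustrative only.
TRACE = [
    Packet("tcp", "hostA", "hostB", 40001, 23, flags="S"),
    Packet("tcp", "hostB", "hostA", 23, 40001, flags="SA"),
    Packet("tcp", "hostA", "hostB", 40001, 23, flags="A"),
    Packet("tcp", "hostA", "hostC", 666, 40002, flags="SA"),    # injected by host C, source spoofed as host A
    Packet("udp", "hostA", "hostB", 40003, 53),                  # DNS query
    Packet("udp", "hostB", "hostA", 53, 40003, app_reply=True),  # decoded DNS response
    Packet("udp", "hostA", "hostB", 40004, 161),
    Packet("icmp", "hostB", "hostA", unreachable=("hostB", 161)),
    Packet("udp", "hostA", "hostB", 40005, 67),                  # never answered
]


def run_trace(trace=TRACE) -> PassivePortMapper:
    mapper = PassivePortMapper()
    for pkt in trace:
        mapper.feed(pkt)
    return mapper


if __name__ == "__main__":
    m = run_trace()
    print("open TCP ports:", m.open_tcp)
    print("spoofed SYN|ACKs ignored:", len(m.spoofed))
    print("UDP port states:", m.udp_report())
```

On the constructed trace the mapper records hostB:23 as open, discards the unsolicited port-666 SYN|ACK, reports hostB:53 open (DNS response decoded), hostB:161 closed (ICMP unreachable) and hostB:67 only as "open?", which is exactly the accuracy gap slide 28 addresses by decoding the application layer.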
Slide 30: Passive OS Ident. Challenges
- Problem: multiple fingerprints for one OS version
- Solution: Siphon passive OS identification algorithm
Problem OS fingerprints file:
  7D78:64:1:Linux 2.1.122 - 2.2.14
  77C4:64:1:Linux 2.1.122 - 2.2.14
  7BF0:64:1:Linux 2.1.122 - 2.2.14
  7BC0:64:1:Linux 2.1.122 - 2.2.14

Slide 31: Siphon OS Ident. Algorithm
$$W = \{\text{set of known windows}\}, \qquad W_s = \text{sample window, where } W_s \in W \text{ or } W_s \notin W$$
Legal-bits mask (bitwise OR of all known windows):
$$M_L = \bigvee_{i=1}^{|W|} W_i$$
Static-bits mask (bitwise AND of all known windows):
$$M_S = \bigwedge_{i=1}^{|W|} W_i$$
OS detection algorithm (Boolean notation: product = AND, sum = OR, prime = complement, hamd = Hamming distance):
$$\frac{\mathrm{hamd}\big(M_L\,(M_S)',\; W_s\big)}{\mathrm{hamd}\big(M_L\,(M_S)'\big)} \quad\text{IFF}\quad W_s\,(M_S) = M_S \;\text{ and }\; W_s + M_L = M_L$$

Slide 32: Passive OS Ident. Challenges
- After applying the Siphon OS identification algorithm, we now have only one entry for Linux 2.1.122 - 2.2.14
Fixed OS fingerprints file:
  7D78:77C4:64:1:Linux 2.1.122 - 2.2.14

Slide 33: Passive Information Enumeration
- Monitoring telnet traffic to gather usernames & passwords
- Monitoring incoming mail traffic to gather usernames
- Monitoring incoming web traffic to gather hostnames
- Monitoring DNS queries and responses to gather hostnames
- Monitoring file sharing: NFS, NetBIOS, etc.
- Performing traffic analysis, peak hours, etc.
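As an added example (not Siphon's code), the following implements the mask construction and the IFF test of slide 31 on a small constructed fingerprint file in the WINDOW:TTL:DF:OS form of slide 30, with the slide's four Linux windows plus the FreeBSD entry of slide 29. It collapses the four Linux lines into one (static mask, legal mask) entry, as slide 32 describes, and then decides which entries admit an observed SYN|ACK. The slide's normalized Hamming-distance ratio for ranking multiple matches is not implemented here; only the consistency test is.

```python
# Added example, not Siphon's source: the legal-bits / static-bits mask test
# from the "Siphon OS Ident. Algorithm" slide, applied to a small constructed
# fingerprint file.  Lines use the slide's WINDOW:TTL:DF:OS form.
from collections import defaultdict

# Constructed file: the four Linux windows of slide 30 plus FreeBSD from slide 29.
FINGERPRINT_FILE = """\
7D78:64:1:Linux 2.1.122 - 2.2.14
77C4:64:1:Linux 2.1.122 - 2.2.14
7BF0:64:1:Linux 2.1.122 - 2.2.14
7BC0:64:1:Linux 2.1.122 - 2.2.14
4000:64:1:FreeBSD
"""


def parse_fingerprints(text):
    """Group window samples by (ttl, df, os): {(ttl, df, os): [windows]}."""
    groups = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        win, ttl, df, os_name = line.split(":", 3)
        groups[(int(ttl), int(df), os_name)].append(int(win, 16))
    return groups


def collapse(groups):
    """One entry per OS: (M_S = AND of all windows, M_L = OR of all windows)."""
    table = {}
    for key, wins in groups.items():
        static, legal = wins[0], 0
        for w in wins:
            static &= w      # bits set in every known window
            legal |= w       # bits set in at least one known window
        table[key] = (static, legal)
    return table


def window_consistent(ws, static, legal):
    """Slide's IFF condition: Ws AND M_S == M_S  and  Ws OR M_L == M_L,
    i.e. the sample carries every static bit and no bit outside the legal set."""
    return (ws & static) == static and (ws | legal) == legal


def identify(table, window, ttl, df):
    """OS names whose collapsed entry admits the observed SYN|ACK (sorted)."""
    return sorted(os_name
                  for (t, d, os_name), (static, legal) in table.items()
                  if t == ttl and d == df and window_consistent(window, static, legal))


TABLE = collapse(parse_fingerprints(FINGERPRINT_FILE))

if __name__ == "__main__":
    for key, (static, legal) in TABLE.items():
        print(key, "static=%04X legal=%04X" % (static, legal))
    # 0x7FFC is not in the file, yet every bit it sets is a legal Linux bit.
    for ws in (0x7BF0, 0x7FFC, 0x4000, 0xFFFF):
        print("%04X ttl=64 df=1 ->" % ws, identify(TABLE, ws, 64, 1))
```

The collapsed Linux entry is static mask 0x7140 and legal mask 0x7FFC, so a window such as 0x7FFC that never appeared in the file still matches Linux, while 0xFFFF (a bit outside the legal mask) and 0x4000 (a static bit missing) do not; this generalization beyond the listed windows is what slide 32 gains from the algorithm.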
Slide 33 (continued): Passive Information Enumeration
- Network hardware fingerprinting

Slide 34: Passive Topology Mapping
- Dynamic routing protocols
  - RIP topology mapping (general distance vector)
  - OSPF topology mapping (link state protocol)
  - Path vector routing topology
- TTL estimation

Slide 35: Routing Information Protocol
- Interior gateway protocol
- Distance vector protocol
- Uses hop count as its metric
- Sends routing-update messages frequently
- Further information: Request For Comments (RFC) 1058 and 1723

Slide 36: Topology Mapping with RIP
- Monitor RIP packets on multiple subnets running Siphon
- Run results through our distance vector to link state routing conversion algorithm
Diagram: RIP traffic observed by Siphon A and Siphon B on separate subnets

Slide 37: DV to LS Routing Conversion as a Convex Optimization
Distance vector routing table for network i:
$$N_i = [\, n_{i1}\;\; n_{i2}\;\; \ldots\;\; n_{i,m-1}\;\; n_{im} \,]^T$$
$$I = \{\text{all known routing tables of networks } 1, 2, \ldots, m\}$$
Routing matrix with respect to network i:
$$R_i = [r_{ijk}] \quad\text{where}\quad r_{ijk} = \begin{cases} \{\} & \text{if } j = k \\ N_{ik} & \text{else if } j = i \\ N_{ij} & \text{else if } k = i \\ \{\, x : x = \alpha\,|N_{ij} - N_{ik}| + (1 - \alpha)\,|N_{ij} + N_{ik}|,\; 0 \le \alpha \le 1 \,\} & \text{otherwise} \end{cases}$$
Ideal routing matrix with respect to all networks in I:
$$R' = [r'_{jk}] \quad\text{where}\quad r'_{jk} = \begin{cases} \{\} & \text{if } j = k \\ N_{jk} & \text{if } j \in I \\ \bigcap_{i \in I} r_{ijk} & \text{otherwise} \end{cases}$$
Slide 38: DV to LS Conversion (continued)
- Problem of network routing disjunction (the intersection can be empty); therefore we need to redefine the ideal routing matrix as a matrix of functions $r'_{jk} : \mathbb{R}^1 \to \mathbb{R}^1$:
$$R' = [r'_{jk}] \quad\text{where}\quad r'_{jk}(x) = \begin{cases} 1 \text{ if } x = 0 \text{ else } 0 & \text{if } j = k \\ 1 \text{ if } x = N_{jk} \text{ else } 0 & \text{if } j \in I \\ \sum_{i \in I} \begin{cases} 1 & \text{if } x \in r_{ijk} \\ 0 & \text{otherwise} \end{cases} & \text{otherwise} \end{cases}$$
- Global maxima of $r'_{jk}(x)$ as the most probable metric of routing between $N_j$ and $N_k$
- Path proof for $r_{ijk}$

Slide 39: DV to LS Conversion Example
Network 1 (N1) routing table:    Network 2 (N2) routing table:
  N11 = 0                          N21 = 2
  N12 = 2                          N22 = 0
  N13 = 5                          N23 = 7
  N14 = 8                          N24 = 7
  N15 = 3                          N25 = 5

Network 1 (R1) routing matrix, entry r_1jk (lower triangle shown; the matrix is symmetric):
  j \ k     1       2       3       4       5
  1         {}      ...     ...     ...     ...
  2         2       {}      ...     ...     ...
  3         5       [3,7]   {}      ...     ...
  4         8       [6,10]  [3,13]  {}      ...
  5         3       [1,5]   [2,8]   [5,11]  {}

Network 2 (R2) routing matrix, entry r_2jk:
  j \ k     1       2       3       4       5
  1         {}      ...     ...     ...     ...
  2         2       {}      ...     ...     ...
  3         [5,9]   7       {}      ...     ...
  4         [5,9]   7       [0,14]  {}      ...
  5         [3,7]   5       [2,12]  [2,12]  {}

Slide 40: Continued…
R' routing matrix (intersection of R1 and R2), entry r'_jk:
  j \ k     1       2       3       4       5
  1         {}      ...     ...     ...     ...
  2         2       {}      ...     ...     ...
  3         5       7       {}      ...     ...
  4         8       7       [3,13]  {}      ...
  5         3       5       [2,8]   [5,11]  {}

Slide 41: Open Shortest Path First
- Designed to correct problems associated with RIP
- Link state protocol
- Learns of routing information through link-state advertisements (LSAs); this information includes interface status and the metrics used
- A topological database is maintained from the collection of LSAs received
- All routers in the same area have the same topological database

Slide 42: Topology Mapping with OSPF
- Periodic full LSA updates
- Generate topology map based off LSA updates
Diagram: OSPF LSA update -> Siphon -> topology map

Slide 43: Passive Vuln. Assessment
- Analysis of packet payload
- Monitoring application banners
- Monitoring DNS version queries
- Monitoring RPC queries
- Monitoring HTTP GET requests
Diagram: Host A -> Host B: TCP connect() to port 21; Host B -> Host A: "220 FTP Server (Version wu-2.6.0(1) ready."
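The distance-vector to link-state conversion of slides 37 to 40, as an added worked example that is not Siphon's code: it builds the routing matrices R1 and R2 from the slide's two tables, intersects them into R', and then applies the voting function of slide 38 to a case of routing disjunction. The slide's two tables are reproduced as given; the third, stale table `STALE[5]` used to provoke a disjunction is constructed for the example, and the treatment of the `k in tables` case as the symmetric counterpart of the slide's `j in I` case is an assumption that reflects the symmetric matrices on slides 39 and 40.

```python
# Added example (not Siphon's code): the distance-vector to link-state
# conversion of slides 37-40, run on the two routing tables of the slide
# example.  Intervals are (lo, hi) tuples; an exact hop count is (v, v);
# None stands for the slide's empty entry {}.

N = {1: [0, 2, 5, 8, 3],   # slide's Network 1 table, N11..N15
     2: [2, 0, 7, 7, 5]}   # slide's Network 2 table, N21..N25

# Constructed, deliberately inconsistent third table (stale routes) so that
# the intersection for (4, 3) is empty: its bound [19, 21] misses [3, 13].
STALE = {**N, 5: [3, 5, 20, 1, 0]}


def routing_matrix(i, Ni):
    """R_i = [r_ijk]: exact hop counts in network i's own row and column,
    triangle-inequality bounds [|Nij - Nik|, Nij + Nik] elsewhere (alpha from 0 to 1)."""
    m = len(Ni)
    R = {}
    for j in range(1, m + 1):
        for k in range(1, m + 1):
            if j == k:
                R[(j, k)] = None
            elif j == i:
                R[(j, k)] = (Ni[k - 1], Ni[k - 1])
            elif k == i:
                R[(j, k)] = (Ni[j - 1], Ni[j - 1])
            else:
                a, b = Ni[j - 1], Ni[k - 1]
                R[(j, k)] = (abs(a - b), a + b)
    return R


def intersect(u, v):
    """Intersection of two intervals, or None on disjunction (slide 38's problem)."""
    if u is None or v is None:
        return None
    lo, hi = max(u[0], v[0]), min(u[1], v[1])
    return (lo, hi) if lo <= hi else None


def ideal_matrix(tables):
    """R' of slide 37: the table's own value where j (or, by symmetry, k) is a
    known network, the intersection of every known network's bound otherwise."""
    m = len(next(iter(tables.values())))
    Rs = {i: routing_matrix(i, Ni) for i, Ni in tables.items()}
    Rp = {}
    for j in range(1, m + 1):
        for k in range(1, m + 1):
            if j == k:
                Rp[(j, k)] = None
            elif j in tables:
                Rp[(j, k)] = (tables[j][k - 1],) * 2
            elif k in tables:          # assumed symmetric counterpart of the j-in-I case
                Rp[(j, k)] = (tables[k][j - 1],) * 2
            else:
                bounds = [R[(j, k)] for R in Rs.values()]
                acc = bounds[0]
                for b in bounds[1:]:
                    acc = intersect(acc, b)
                Rp[(j, k)] = acc
    return Rp


def most_probable_metric(tables, j, k):
    """Slide 38: r'_jk(x) = sum over known networks of [x in r_ijk];
    returns every hop count x at which that vote count is maximal."""
    if j == k:
        return [0]
    if j in tables:
        return [tables[j][k - 1]]
    Rs = [routing_matrix(i, Ni) for i, Ni in tables.items()]
    limit = 2 * max(max(Ni) for Ni in tables.values())   # no bound exceeds this
    votes = {x: sum(1 for R in Rs
                    if R[(j, k)] is not None and R[(j, k)][0] <= x <= R[(j, k)][1])
             for x in range(limit + 1)}
    best = max(votes.values())
    return [x for x, v in votes.items() if v == best]


if __name__ == "__main__":
    print("R'(4,3) from the slide's two tables:", ideal_matrix(N)[(4, 3)])
    print("R'(4,3) with the stale table (disjunction):", ideal_matrix(STALE)[(4, 3)])
    print("most probable metrics for (4,3) by vote:", most_probable_metric(STALE, 4, 3))
```

With the slide's two tables the code reproduces the R' matrix of slide 40 (for instance r'_43 = [3,13], r'_53 = [2,8], r'_54 = [5,11]); with the stale table added, the plain intersection for (4,3) collapses to nothing, while the vote of slide 38 still returns 3 to 13 as the most probable metrics because two of the three tables agree there.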
Slide 43 (continued): Passive Vuln. Assessment
Diagram (continued): Siphon, observing the exchange between Host A and Host B, logs "Host B is VULNERABLE"

Slide 44: Traffic Analysis
- Port statistics are used to determine server roles
- Auditing logins, email and web access can determine user behavioral patterns and machine roles
- Analysis of initial sequence numbers and other similar challenge protocol fields can reveal the nature of the hosts' PRNG
  - Assistance in operating system identification
  - TCP sequence guessing

Slide 45: Example Siphon Report
- Report: our Siphon software was run for 1 day on our test network

Slide 46: Future Features of Siphon
- Non-TCP operating system fingerprinting
- Default installation fingerprinting
- Passive wireless LAN (802.11b) network mapping
  - Rogue access point detection
  - SSID gathering
  - Network statistics (signal strength, etc.)
- OSPF integration
- Windows 2000 version

Slide 47: Summary
- Active and passive mapping are different in nature depending on the purpose and motivation of the user
- Passive network mapping is performed by monitoring network traffic without sending out a single packet
- Active network mapping is performed by sending out queries and gathering responses, generating massive amounts of network noise, crashing machines and setting off IDS alarms

Slide 48: Contact Information
- Marshall Beddoe: [email protected]
- Christopher Abad: [email protected]
- URL: www.gravitino.net/projects/siphon
- Questions? We have answers!