Network Situational Awareness with d00gle (2005)

Presented at the first Microsoft BlueHat conference.

The extensive demo looked at the footprint of some Microsoft employees who were apparently with me on the flight to SEATAC. :-)


Presentation Transcript

• Network Situational Awareness with d00gle
  Dug Song <dugsong@monkey.org>

• Background
  Time to update dsniff!
  • Suite of traffic interception tools for penetration testing
  Last public release almost exactly 4 years ago
  • dsniff's ARP/DNS and SSH/SSL man-in-the-middle techniques for intercepting switched, encrypted traffic are quite common now
  • Interesting traffic analysis tools are still rare
  Total Information Awareness, CALEA: why should the government have all the fun?
  dsniff becomes d00gle...
• The Crumbling Perimeter

• Environment
  Vulnerability-aware Internet perimeter
  • client-side exploits, VPN clients, worms / viruses, wardriving
  Little / no access control / encryption internally
  • internal firewalls / IPSs cannot disrupt business processes
  Unpatched production systems
  • legacy software, heterogeneous hardware, rare change management windows for non-critical upgrades
  Limited visibility
  • little / no instrumentation for measurement / monitoring

• Client Attack
  Something to do at cafes, airports, hotels
  Identify interesting users to target
  • corporate VPN users on vulnerable hosts
  • unsophisticated, unencrypted users
  Standard MITM, TCP injection, protocol downgrade, and client-side attacks apply
  Leverage into an attack on the home / corporate network

• Network Attack!
  What is the organizational reporting structure?
  What are the passwords for this user? For this router / switch?
  What does this user have access to?
  Where are the shared public resources (fileservers, intranet webservers, login servers), and what are they running?
  Where are the remote loghosts?
  Has anyone detected the intrusion?

• Our Goals
  Intelligence, Surveillance, Reconnaissance
  Extract as much information as we can passively
  Assemble it into a coherent relational database
  Perform data correlation and analysis in real time
  Support interesting queries and visualization of the data
  Enable rapid prototyping of new traffic analysis tools
  Maintain dsniff's tool-oriented modularity
  Share the code (GPL) to encourage experimentation

• Data collected
  Login / authentication information
  Phone numbers / calls
  E-mail messages
  Instant messages
  WWW usage
  Connection information
  Host inventory: IP, MAC address, hostname / DHCP name, OS version, open ports / services / applications
  Interactive / encrypted sessions
• Why Python?
  C extension modules for performance-critical code
  Portability, maintainability, modularity
  Easy to learn, but still powerful
  Python versus C lines of code:
  • dsniff - 1700 vs 6800 LOC
  • p0f2 - 519 vs 1798 LOC
  • vomit - 54 vs 1864 LOC
  Great for lazy programmers like me!
• Example Code
  6-line sniffer :-)

    import dsniff
    class TestSniff(dsniff.FlowDecode):
        ip_protos = (1, 6, 17)          # ICMP, TCP, UDP
        def handle_data(self, flow, buf):
            return repr(buf)
    dsniff.main()
• Dependencies
  New Python modules:
  • pypcap - portable packet capture
  • pyevent - portable event-based programming
  • libdnet - portable low-level network APIs
  • dpkt - fast packet dissection
• Architecture
  Simple Python modules + glue
  FlowDecode subclasses handle flow start, data, and end events
  Decodes can be registered dynamically with the flow engine for arbitrary Ethernet / IP / RPC program triggers
  Each module can be run as a separate command-line tool
  Can use any Python DB-API compliant database backend (default sqlite)
  UI is served by a simple standalone Python webserver
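Worked example (added here; this is not d00gle or dsniff code): a toy flow engine with the shape the Architecture slide describes. Packets are plain dicts instead of pcap frames, and the UrlSnarf and FlowLog decodes, the demo_packets traffic and the 5-tuple flow key are constructed for illustration; in d00gle the packets would come from pypcap and dpkt. A decode declares the IP protocols and ports it wants, the engine demultiplexes packets into flows, and each attached decode receives start, data and end events for that flow.

```python
TCP, UDP = 6, 17


class FlowDecode:
    """Base class; a decode declares the traffic it wants and overrides
    the event handlers it needs (the others are no-ops)."""
    ip_protos = ()          # IP protocol numbers that trigger this decode
    ports = ()              # empty = any port

    def handle_start(self, flow): pass
    def handle_data(self, flow, buf): pass
    def handle_end(self, flow): pass


class FlowEngine:
    def __init__(self):
        self.decodes = []
        self.flows = {}     # flow key -> decodes attached to that flow

    def register(self, decode):
        """Decodes can be added at any time, even while traffic flows."""
        self.decodes.append(decode)

    @staticmethod
    def key(pkt):
        # Both directions of one conversation must map to the same flow,
        # so order the two endpoints canonically.
        a = (pkt["src"], pkt["sport"])
        b = (pkt["dst"], pkt["dport"])
        return (pkt["proto"],) + (a + b if a <= b else b + a)

    @staticmethod
    def wants(decode, pkt):
        return pkt["proto"] in decode.ip_protos and (
            not decode.ports
            or pkt["sport"] in decode.ports
            or pkt["dport"] in decode.ports)

    def feed(self, pkt):
        k = self.key(pkt)
        if k not in self.flows:                 # first packet: start event
            self.flows[k] = [d for d in self.decodes if self.wants(d, pkt)]
            for d in self.flows[k]:
                d.handle_start(k)
        if pkt.get("payload"):
            for d in self.flows[k]:
                d.handle_data(k, pkt["payload"])
        if pkt.get("fin"):                      # TCP teardown: end event
            for d in self.flows.pop(k):
                d.handle_end(k)


class UrlSnarf(FlowDecode):
    """Tiny urlsnarf: record request URLs seen on port 80."""
    ip_protos = (TCP,)
    ports = (80,)

    def __init__(self):
        self.urls = []

    def handle_data(self, flow, buf):
        request_line, _, headers = buf.partition(b"\r\n")
        parts = request_line.split()
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            return                              # a reply, not a request
        host = b""
        for line in headers.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip()
        self.urls.append("http://%s%s" % (host.decode(), parts[1].decode()))


class FlowLog(FlowDecode):
    """Connection log: start/end of every TCP and UDP flow."""
    ip_protos = (TCP, UDP)

    def __init__(self):
        self.events = []

    def handle_start(self, flow): self.events.append(("start", flow))
    def handle_end(self, flow): self.events.append(("end", flow))


def demo_packets():
    """Constructed traffic: one HTTP request/reply, then one DNS query."""
    c, s = "10.0.0.5", "192.0.2.10"
    return [
        dict(src=c, sport=40000, dst=s, dport=80, proto=TCP),            # SYN
        dict(src=s, sport=80, dst=c, dport=40000, proto=TCP),            # SYN/ACK
        dict(src=c, sport=40000, dst=s, dport=80, proto=TCP,
             payload=b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
        dict(src=s, sport=80, dst=c, dport=40000, proto=TCP,
             payload=b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        dict(src=c, sport=40000, dst=s, dport=80, proto=TCP, fin=True),
        dict(src=c, sport=5353, dst="10.0.0.1", dport=53, proto=UDP,
             payload=b"\x12\x34\x01\x00\x00\x01"),
    ]


def run_demo():
    engine = FlowEngine()
    urls, log = UrlSnarf(), FlowLog()
    engine.register(urls)
    engine.register(log)
    for pkt in demo_packets():
        engine.feed(pkt)
    return urls.urls, [kind for kind, _ in log.events]
```

The UDP flow never gets an end event because nothing in this toy times flows out; a real engine needs an idle timeout for UDP and for TCP flows whose FIN/RST is never seen, otherwise the flow table grows without bound on a busy link.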
• *snarf
  authsnarf - Password sniffer for AIM, Citrix ICA, CVS, FTP, Cisco HSRP, HTTP, IMAP, IRC, LDAP, Meeting Maker, NFS, Napster, NNTP, Oracle SQL*Net, OSPF, PC Anywhere, POP, Postgres, Halflife, QuakeWorld (many games), RIP, Rlogin, Cisco VoIP, Sybase and Microsoft SQL, Microsoft SMB, SMTP, SNMP, NAI Sniffer, SOCKS, Telnet, VRRP, X11, YP/NIS, various web login forms
  urlsnarf - Record all visited URLs and browser versions
  mailsnarf - Record all e-mail messages in SMTP and POP traffic
  msgsnarf - Record all AIM, ICB, IRC, Jabber, MSN, Yahoo instant messages

• vomit
  Voice Over Misconfigured Internet Telephones
  Original version by Niels Provos (provos@monkey.org)
  Records all SIP / Cisco SCCP phone calls:
  • Watches the control channel for call setup
  • Intercepts the negotiated media channel, saving the voice data as a WAV file
  Rip offline to MP3 with appropriate ID3 tags
• netics
  Original version by Marius Eriksen (marius@monkey.org)
  Attempts to identify interactive, encrypted sessions on any protocol or port
  Interactivity heuristic:
  • small client packet sizes
  • ratio of client/server segments
  • interpacket arrival time
  Encryption heuristic:
  • Ueli Maurer's universal randomness test
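Worked example (added here; not the netics code): the two heuristics from the slide applied to constructed flows. maurer_universal implements Maurer's universal statistical test on 8-bit blocks, whose mean log-distance statistic f_n sits near 7.18 for random (or encrypted) bytes and well below that for text. The interactivity thresholds (client payload at most 64 bytes, client/server segment ratio between 0.5 and 2, at least 50 ms between client segments), the f_n cutoff of 6.8, and the SHA-256 hash chain standing in for ciphertext are all assumptions made for this example.

```python
import hashlib
import math


def maurer_universal(data, q=2560):
    """Maurer's universal statistical test on 8-bit blocks.

    The first q bytes initialise a table of last-seen positions; for every
    later byte we add log2(distance since that value was last seen).  The
    mean, f_n, approaches about 7.18 for random bytes and is markedly lower
    for structured data such as text or protocol headers.
    """
    if len(data) <= q:
        raise ValueError("need more than %d bytes" % q)
    last = [0] * 256
    for i in range(q):
        last[data[i]] = i + 1                   # positions are 1-based
    total = 0.0
    for i in range(q, len(data)):
        pos = i + 1
        total += math.log2(pos - last[data[i]])
        last[data[i]] = pos
    return total / (len(data) - q)


def interactivity(segs):
    """segs: list of (direction, payload_len, timestamp), direction 'c' or 's'.

    Returns (median client payload size, client/server segment ratio,
    mean gap between consecutive client segments)."""
    client = [s for s in segs if s[0] == "c" and s[1] > 0]
    server = [s for s in segs if s[0] == "s" and s[1] > 0]
    if not client or not server:
        return 0, 0.0, 0.0
    sizes = sorted(s[1] for s in client)
    median = sizes[len(sizes) // 2]
    ratio = len(client) / len(server)
    gaps = [b[2] - a[2] for a, b in zip(client, client[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    return median, ratio, mean_gap


def classify(segs, payload, max_keystroke=64, min_gap=0.05, fn_threshold=6.8):
    """Thresholds are assumptions for this example, not netics' values."""
    median, ratio, gap = interactivity(segs)
    f_n = maurer_universal(payload)
    return {
        "interactive": median <= max_keystroke and 0.5 <= ratio <= 2.0
                       and gap >= min_gap,
        "encrypted": f_n > fn_threshold,
        "f_n": round(f_n, 3),
        "median_client": median,
        "ratio": round(ratio, 2),
    }


def pseudo_random(n, seed=b"d00gle"):
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def demo_sessions():
    """Two constructed flows: an SSH-like shell and a plain-text bulk download."""
    shell, t = [], 0.0
    for _ in range(40):                 # keystroke, echoed 10 ms later
        t += 0.15
        shell.append(("c", 36, t))
        shell.append(("s", 36, t + 0.01))
    bulk = [("c", 200, 0.0)] + [("s", 1460, 0.001 * i) for i in range(1, 101)]
    text = (b"The quick brown fox jumps over the lazy dog. " * 300)[:12560]
    return {"shell": (shell, pseudo_random(12560)), "bulk": (bulk, text)}


def run_demo():
    return {name: classify(segs, payload)
            for name, (segs, payload) in demo_sessions().items()}
```

Note that the randomness test alone cannot separate encryption from compression: a gzip'd HTTP body scores nearly as high as ciphertext, which is why netics combines it with the timing and size heuristics rather than relying on either signal by itself.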
• p0f
  Straight Python port of p0f v2 by Michal Zalewski
  Passive OS fingerprinting of IP endpoints based on TCP SYN, SYN/ACK parameters
  • operating system and version
  • host uptime (TCP timestamp option)
  • distance (TTL inference)
  • link type (maximum segment size)
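Worked example (added here; not p0f or d00gle code): the passive inferences from the slide computed from a raw IPv4/TCP SYN. parse_syn walks the TCP option list, fingerprint builds a p0f v2-style signature string (window:initial TTL:DF:total length:options) to look up in a fingerprint database, infers hop distance from the nearest common initial TTL, MTU from MSS + 40, and uptime from the timestamp option. The 100 Hz timestamp clock is an assumption (p0f estimates the clock rate from traffic), and build_syn produces a constructed Linux-style SYN with zeroed checksums so the block runs offline.

```python
import socket
import struct

INITIAL_TTLS = (32, 64, 128, 255)       # common OS defaults


def parse_syn(raw):
    """Pull the fingerprint-relevant fields out of a raw IPv4/TCP packet."""
    (vihl, _tos, tlen, _id, frag, ttl, proto,
     _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = raw[(vihl & 0x0F) * 4:]
    (_sp, _dp, _seq, _ack, off_flags, win,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    fp = {"ttl": ttl, "df": bool(frag & 0x4000), "tlen": tlen, "win": win,
          "syn": bool(off_flags & 0x02), "ack": bool(off_flags & 0x10),
          "mss": None, "wscale": None, "ts": None, "opts": []}
    opts = tcp[20:(off_flags >> 12) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            fp["opts"].append("E")
            break
        if kind == 1:                       # NOP padding
            fp["opts"].append("N")
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            fp["mss"] = struct.unpack("!H", body)[0]
            fp["opts"].append("M%d" % fp["mss"])
        elif kind == 3:
            fp["wscale"] = body[0]
            fp["opts"].append("W%d" % body[0])
        elif kind == 4:
            fp["opts"].append("S")          # SACK permitted
        elif kind == 8:
            fp["ts"] = struct.unpack("!II", body)
            fp["opts"].append("T")
        else:
            fp["opts"].append("?%d" % kind)
        i += max(length, 2)                 # never loop on a zero length
    return fp


def fingerprint(raw, ts_hz=100):
    """p0f-style signature plus the passive inferences from one SYN.

    ts_hz is an assumption; uptime is only meaningful when the host sends
    the TCP timestamp option at all."""
    fp = parse_syn(raw)
    initial_ttl = min(t for t in INITIAL_TTLS if t >= fp["ttl"])
    win = fp["win"]
    if fp["mss"] and win % fp["mss"] == 0:      # window as a multiple of MSS
        win_desc = "S%d" % (win // fp["mss"])
    else:
        win_desc = str(win)
    return {
        "signature": "%s:%d:%d:%d:%s" % (win_desc, initial_ttl, fp["df"],
                                          fp["tlen"], ",".join(fp["opts"])),
        "distance": initial_ttl - fp["ttl"],
        "mtu": fp["mss"] + 40 if fp["mss"] else None,   # MSS + IP/TCP headers
        "uptime_s": fp["ts"][0] // ts_hz if fp["ts"] else None,
        "kind": "SYN+ACK" if fp["ack"] else "SYN",
    }


def build_syn(src, dst, ttl, win, mss, wscale, tsval, df=True):
    """Constructed Linux-style SYN (MSS, SACK-OK, TS, NOP, WS); checksums 0."""
    opts = (struct.pack("!BBH", 2, 4, mss) + bytes([4, 2])
            + struct.pack("!BBII", 8, 10, tsval, 0) + bytes([1])
            + struct.pack("!BBB", 3, 3, wscale))
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x1234, 0,
                      (doff << 12) | 0x02, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0,
                     0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def run_demo():
    pkt = build_syn("10.0.0.5", "192.0.2.10", ttl=57, win=5840,
                    mss=1460, wscale=7, tsval=123456789)
    return fingerprint(pkt)
```

The TTL inference only works because initial TTLs cluster at a few values; a host seven hops away with an initial TTL of 64 arrives as 57, and anything between 33 and 64 is assumed to have started at 64. A NAT or VPN gateway in the path resets the picture, since the SYN you see carries the gateway's stack fingerprint, not the client's.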
• nmapv
  Passive application fingerprinting
  • service protocol
  • specific application name and version
  Simple hack of nmap's regex-based service response matching
  • nmap version scan minus the scan - just match replies
  • some entries (e.g. SSL) need modification
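Worked example (added here; not the nmapv code): a parser for nmap's `match` line syntax from nmap-service-probes, applied to server replies we merely observed instead of elicited. The three probe lines in PROBE_LINES and the banners in run_demo are constructed for this example, not copied from nmap's database; point load_probes at the real file for real coverage. Each line is `match <service> m<delim>regex<delim>[flags] <fields>`, with `$1`, `$2` in the p/ v/ i/ h/ fields referring to the regex capture groups.

```python
import re

# Constructed lines in nmap-service-probes `match` syntax (not nmap's file).
PROBE_LINES = r"""
match ssh m/^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)/ p/OpenSSH/ v/$2/ i/protocol $1/
match http m/^HTTP\/1\.[01] \d\d\d .*\r\nServer: Apache\/([\w.]+)/s p/Apache httpd/ v/$1/
match smtp m/^220 ([\w.-]+) ESMTP Postfix/ p/Postfix smtpd/ h/$1/
""".strip().splitlines()

# match <service> m<delim>regex<delim>[is] <versioninfo fields>
# The regex may contain the delimiter escaped (\/), hence the (?:\\.|...) walk.
MATCH_RE = re.compile(r"^match (\S+) m(.)((?:\\.|(?!\2).)*)\2([is]*)\s*(.*)$")
FIELD_RE = re.compile(r"(?:^|\s)([pvih])/([^/]*)/")
FIELD_NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname"}


def parse_match_line(line):
    m = MATCH_RE.match(line)
    if not m:
        raise ValueError("not a match line: %r" % line)
    service, _delim, pattern, flags, rest = m.groups()
    re_flags = ((re.IGNORECASE if "i" in flags else 0)
                | (re.DOTALL if "s" in flags else 0))
    fields = {FIELD_NAMES[k]: v for k, v in FIELD_RE.findall(rest)}
    # Replies are bytes, so compile the pattern as a bytes regex.
    return service, re.compile(pattern.encode(), re_flags), fields


def load_probes(lines):
    return [parse_match_line(l) for l in lines if l.startswith("match ")]


def identify(reply, probes):
    """First matching entry wins, as in nmap; None if nothing matches."""
    for service, rx, fields in probes:
        m = rx.search(reply)
        if not m:
            continue

        def expand(text):       # $1, $2 ... are regex capture groups
            return re.sub(r"\$(\d)",
                          lambda g: (m.group(int(g.group(1))) or b"").decode("latin-1"),
                          text)

        result = {"service": service}
        result.update((k, expand(v)) for k, v in fields.items())
        return result
    return None


def run_demo():
    probes = load_probes(PROBE_LINES)
    replies = {                                         # constructed banners
        "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
        "http": b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                b"Server: Apache/2.4.41 (Ubuntu)\r\n\r\n",
        "smtp": b"220 mail.example.com ESMTP Postfix\r\n",
        "unknown": b"\x00\x01\x02binary",
    }
    return {name: identify(data, probes) for name, data in replies.items()}
```

Passive matching gets the same quality of answer as an active version scan only for services that announce themselves (SSH, SMTP, HTTP Server headers); entries that depend on nmap's own probe strings, the SSL ones the slide mentions among them, need rewriting around what a real client sends.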
• Query interface
  Google is smarter than me - ape their interface
  Query language is simple (text, wildcards, +/-), but more advanced queries are possible with search operators (e.g. "app:Apache*")
  Query engine maps Google-style queries to SQL
  Would like to support stored queries, and a simple query history
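Worked example (added here; not d00gle's query engine): a small translator from the Google-style syntax on the slide to SQL over the default sqlite backend. The hosts table, its rows and the set of search operators (ip:, host:, os:, port:, app:) are constructed for this example. Operators are checked against a whitelist so a query cannot name an arbitrary column, `*` and `?` become LIKE wildcards only after the user's own `%`, `_` and `\` are escaped, and the terms themselves are always bound as parameters, so a search box that accepts text from anyone on the network cannot be turned into SQL injection against the database it feeds.

```python
import re
import sqlite3

FIELDS = {"ip": "ip", "host": "hostname", "os": "os", "port": "port", "app": "app"}
FREE_TEXT_COLS = ("ip", "hostname", "os", "app")
# [+|-] [field:] term     where term is a word or a "quoted phrase"
TOKEN_RE = re.compile(r'([+-]?)(?:(\w+):)?("[^"]*"|\S+)')


def like_pattern(term, substring=False):
    """Escape LIKE metacharacters in user input, then map Google wildcards."""
    esc = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pat = esc.replace("*", "%").replace("?", "_")
    return "%%%s%%" % pat if substring else pat


def to_sql(query):
    """Return (where_clause, params); user text only ever travels as a parameter."""
    clauses, params = [], []
    for sign, field, term in TOKEN_RE.findall(query):
        term = term.strip('"')
        if not term:
            continue
        if field:
            if field not in FIELDS:             # whitelist of search operators
                raise ValueError("unknown search operator: %s" % field)
            cols, pat = (FIELDS[field],), like_pattern(term)
        else:                                   # bare word: substring, any column
            cols, pat = FREE_TEXT_COLS, like_pattern(term, substring=True)
        cond = " OR ".join("%s LIKE ? ESCAPE '\\'" % c for c in cols)
        clauses.append(("NOT (%s)" if sign == "-" else "(%s)") % cond)
        params.extend([pat] * len(cols))
    return " AND ".join(clauses) or "1=1", params


def search(conn, query):
    where, params = to_sql(query)
    sql = "SELECT ip, port, app FROM hosts WHERE %s ORDER BY ip, port" % where
    return conn.execute(sql, params).fetchall()


def build_demo_db():
    """Constructed host inventory in the shape nmapv/p0f would fill in."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (ip TEXT, hostname TEXT, os TEXT, "
                 "port INTEGER, app TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?, ?)", [
        ("10.0.0.5", "www", "Linux 2.6", 22, "OpenSSH 7.4"),
        ("10.0.0.5", "www", "Linux 2.6", 80, "Apache/2.4.41"),
        ("10.0.0.9", "dc1", "Windows 2003", 445, "Microsoft SMB"),
        ("10.0.0.9", "dc1", "Windows 2003", 80, "Microsoft IIS 6.0"),
        ("10.0.0.12", "printer", "embedded", 23, "telnetd"),
    ])
    return conn
```

`to_sql("os:Windows* -app:*IIS*")` yields `(os LIKE ? ESCAPE '\') AND NOT (app LIKE ? ESCAPE '\')` with parameters `['Windows%', '%IIS%']`; the word list in the query never touches the SQL text.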
• Related work
  Python fragroute
  • evade dsniff detection! :-)
  Arbor Networks Peakflow
  • scalable traffic monitoring, engineering, and behavioral analysis for service providers and enterprises

• Future work
  User / social network profiling
  Semantic analysis of conversation data
  Auto-focus
  Speech transcription for full-text VoIP search? :-)
  Other Big Brother stuff
  Contributions and derived work from users like you!

• Conclusion
  Everything you do on a network is observable in some way
  What is your network saying about you? :-)
  http://monkey.org/~dugsong/dpkt/
  http://monkey.org/~dugsong/pypcap/
  http://monkey.org/~dugsong/pyevent/
  http://monkey.org/~dugsong/dsniff/