
Network Situational Awareness with d00gle (2005)

May 10, 2015

Dug Song

Presented at the first Microsoft BlueHat conference.

The extensive demo looked at the footprint of some Microsoft employees who were apparently with me on the flight to SEATAC. :-)
Transcript
Page 1: Network Situational Awareness with d00gle (2005)

Network Situational Awareness with d00gle

Dug Song

[email protected]

Page 2: Network Situational Awareness with d00gle (2005)

Background

Time to update dsniff!
• Suite of traffic interception tools for penetration testing

Last public release almost exactly 4 years ago
• dsniff's ARP/DNS, SSH/SSL Man-In-The-Middle techniques to intercept switched, encrypted traffic are quite common now
• Interesting traffic analysis tools are still rare

Total Information Awareness, CALEA, why should the government have all the fun?

dsniff becomes d00gle...

Page 3: Network Situational Awareness with d00gle (2005)

The Crumbling Perimeter

Page 4: Network Situational Awareness with d00gle (2005)

Environment

Vulnerability-aware Internet perimeter
• client-side exploits, VPN clients, worms / viruses, wardriving

Little / no access control / encryption internally
• internal firewalls / IPSs cannot disrupt business processes

Unpatched production systems
• legacy software, heterogeneous hardware, rare change management windows for non-critical upgrades

Limited visibility
• little / no instrumentation for measurement / monitoring

Page 5: Network Situational Awareness with d00gle (2005)

Client Attack

Something to do at cafes, airports, hotels

Identify interesting users to target
• corporate VPN users on vulnerable hosts
• unsophisticated, unencrypted users

Standard MITM, TCP injection, protocol downgrade, client-side attacks apply

Leverage into an attack on the home / corporate network

Page 6: Network Situational Awareness with d00gle (2005)

Network Attack!

What is the organizational reporting structure?

What are the passwords for this user?

For this router / switch?

What does this user have access to?

Where are the shared public resources (fileservers, intranet webservers, login servers), and what are they running?

Where are the remote loghosts?

Has anyone detected the intrusion?

Page 7: Network Situational Awareness with d00gle (2005)

Our Goals

Intelligence, Surveillance, Reconnaissance

Extract as much information as we can passively

Assemble it into a coherent relational database

Perform data correlation and analysis real-time

Support interesting queries and visualization of the data

Enable rapid prototyping of new traffic analysis tools

Maintain dsniff's tool-oriented modularity

Share the code (GPL) to encourage experimentation

Page 8: Network Situational Awareness with d00gle (2005)

Data collected

Login / authentication information

Phone numbers / calls

E-mail messages

Instant messages

WWW usage

Connection information

Host inventory: IP, MAC address, hostname/DHCP name, OS version, open ports / services / applications

Interactive / encrypted sessions

Page 9: Network Situational Awareness with d00gle (2005)

Why Python?

C extension modules for performance-critical code

Portability, maintainability, modularity

Easy to learn, but still powerful

Python versus C lines of code:
• dsniff - 1700 vs 6800 LOC
• p0f2 - 519 vs 1798 LOC
• vomit - 54 vs 1864 LOC

Great for lazy programmers like me!

Page 10: Network Situational Awareness with d00gle (2005)

Example Code

6-line sniffer :-)

    import dsniff

    class TestSniff(dsniff.FlowDecode):
        ip_protos = (1, 6, 17)   # IP protocol numbers: ICMP, TCP, UDP
        def handle_data(self, flow, buf):   # called on each data event for a matching flow
            return repr(buf)

    dsniff.main()

Page 11: Network Situational Awareness with d00gle (2005)

Dependencies

New Python modules:
• pypcap - portable packet capture
• pyevent - portable event-based programming
• libdnet - portable low-level network APIs
• dpkt - fast packet dissection

Page 12: Network Situational Awareness with d00gle (2005)

Architecture

Simple Python modules + glue

FlowDecode subclasses handle flow start, data, and end events

Decodes can be registered dynamically with the flow engine for arbitrary Ethernet / IP / RPC program triggers

Each module can be run as a separate command-line tool

Can use any Python DB-API compliant database backend (default sqlite)

UI is served by simple standalone Python webserver

Page 13: Network Situational Awareness with d00gle (2005)

*snarf

authsnarf - Password sniffer for AIM, Citrix ICA, CVS, FTP, Cisco HSRP, HTTP, IMAP, IRC, LDAP, Meeting Maker, NFS, Napster, NNTP, Oracle SQL*Net, OSPF, PC Anywhere, POP, Postgres, Halflife, QuakeWorld (many games), RIP, Rlogin, Cisco VOIP, Sybase and Microsoft SQL, Microsoft SMB, SMTP, SNMP, NAI Sniffer, SOCKS, Telnet, VRRP, X11, YP/NIS, various web login forms

urlsnarf - Record all visited URLs and browser versions

mailsnarf - Record all e-mail messages in SMTP and POP traffic

msgsnarf - Record all AIM, ICB, IRC, Jabber, MSN, Yahoo instant messages

Page 14: Network Situational Awareness with d00gle (2005)

vomit

Voice Over Misconfigured Internet Telephones

Original version by Niels Provos ([email protected])

Records all SIP/Cisco SCCP phone calls:
• Watches control channel for call setup
• Intercepts negotiated media channel, saving the voice data as a WAV file

Rip offline to MP3 with appropriate ID3 tags

Page 15: Network Situational Awareness with d00gle (2005)

netics

Original version by Marius Eriksen ([email protected])

Attempts to identify interactive, encrypted sessions on any protocol or port

Interactivity heuristic:
• small client packet sizes
• ratio of client/server segments
• interpacket arrival time

Encryption heuristic:
• Ueli Maurer's universal randomness test
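The two netics heuristics above, written out as an added example (this is not netics' or d00gle's code); the packet tuple shape, the thresholds and the SHA-256 hash chain standing in for ciphertext are my assumptions:

```python
# Added example (not netics or d00gle code): the two heuristics the slide
# lists, run on constructed flows. A packet is (dir, size, seconds) with
# "c" = client->server and "s" = server->client.
import hashlib
import math
import statistics

def is_interactive(pkts, small=64, min_gap=0.05, max_gap=2.0):
    """Small client segments, a balanced client/server segment ratio and
    typing-speed inter-packet gaps mark an interactive session."""
    client = [size for d, size, _ in pkts if d == "c"]
    server = [size for d, size, _ in pkts if d == "s"]
    if not client or not server:
        return False
    times = sorted(t for _, _, t in pkts)
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    return (statistics.median(client) <= small
            and 0.5 <= len(client) / len(server) <= 2.0
            and min_gap <= statistics.median(gaps) <= max_gap)

def maurer_fn(data, q=2560):
    """Maurer's universal statistical test with 8-bit blocks: the first q
    bytes prime a last-seen table, then the statistic is the mean log2
    distance back to each byte's previous occurrence. A random source
    scores about 7.18, compressible plaintext well below. Assumption: a
    byte not yet seen counts its distance from the start of the stream."""
    if len(data) <= q:
        raise ValueError("need more than q bytes")
    last = {data[i]: i for i in range(q)}  # last index seen for each byte
    total = 0.0
    for i in range(q, len(data)):
        total += math.log2(i - last.get(data[i], -1))
        last[data[i]] = i
    return total / (len(data) - q)

def prng_bytes(n, seed=b"d00gle"):
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

# Constructed flows: one-byte keystrokes answered by 40-byte echoes every
# 150 ms, and a bulk download (one request, then 1460-byte segments every 1 ms).
TYPED = [(("c", "s")[i % 2], (1, 40)[i % 2], i * 0.15) for i in range(200)]
BULK = [("c", 120, 0.0)] + [("s", 1460, 0.01 + i * 0.001) for i in range(200)]
CIPHERTEXT = prng_bytes(6656)
PLAINTEXT = b"the quick brown fox jumps over the lazy dog; " * 150
```

A flow that passes both tests, interactive and high-entropy, on a port where no encrypted service is expected is the kind of session netics is meant to surface.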

Page 16: Network Situational Awareness with d00gle (2005)

p0f

Straight Python port of p0fv2 by Michal Zalewski

Passive OS fingerprinting of IP endpoints based on TCP SYN, SYN/ACK parameters

• operating system and version

• host uptime (TCP timestamp option)

• distance (TTL inference)

• link type (maximum segment size)

Page 17: Network Situational Awareness with d00gle (2005)

nmapv

Passive application fingerprinting
• service protocol
• specific application name and version

Simple hack of nmap's regex-based service response match
• nmap version scan minus the scan - just match replies
• some entries (e.g. SSL) need modification
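The "version scan minus the scan" idea as an added example, not nmapv's code: three constructed entries in the nmap-service-probes match syntax are applied to server replies seen on the wire, and the versioninfo fields and replies are my own constructed samples.

```python
# Added example, not nmapv's code: nmap's version scan "minus the scan".
# Three constructed entries in nmap-service-probes "match" syntax
# (match <service> m<delim><regex><delim>[flags] [p/product/ v/version/ ...])
# are applied to server replies observed passively.
import re

MATCH_LINES = r"""
match http m|^HTTP/1\.[01] \d{3} .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
match smtp m|^220 ([-\w.]+) ESMTP Sendmail ([\d.]+)| p/Sendmail/ v/$2/ h/$1/
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
""".strip().splitlines()

LINE = re.compile(r"^match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$")
FIELD = re.compile(r"([pvihod])/([^/]*)/")   # versioninfo fields
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}
NAMES = {"p": "product", "v": "version", "i": "info", "h": "hostname",
         "o": "os", "d": "device"}

def parse_match(line):
    """Split one match line into (service, compiled regex, versioninfo fields)."""
    service, _, regex, flags, info = LINE.match(line).groups()
    fl = 0
    for f in flags:
        fl |= FLAGS[f]
    return service, re.compile(regex, fl), FIELD.findall(info)

SIGNATURES = [parse_match(line) for line in MATCH_LINES]

def fingerprint(reply):
    """Return {"service", "product", ...} for the first signature matching a
    captured reply, expanding $N back-references, or None if nothing matches."""
    for service, regex, fields in SIGNATURES:
        m = regex.search(reply)
        if not m:
            continue
        result = {"service": service}
        for key, template in fields:
            result[NAMES[key]] = re.sub(
                r"\$(\d+)", lambda g: m.group(int(g.group(1))), template)
        return result
    return None
```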

Page 18: Network Situational Awareness with d00gle (2005)

Query interface

Google is smarter than me - ape their interface

Query language is simple (text, wildcards, +/-), but more advanced queries are possible with search operators (e.g. "app:Apache*")

Query engine maps Google-style queries to SQL

Would like to support stored queries, and a simple query history
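One way to map such Google-style queries onto SQL, as an added example rather than d00gle's query engine; the hosts table, its columns, the operator semantics and the inventory rows are assumptions of mine:

```python
# Added example, not d00gle's query engine: Google-style query text mapped to
# SQL over an assumed sqlite "hosts" table. Plain and "+" terms must match,
# "-" terms must not, "*" is a wildcard, and "field:value" limits a term to
# one column. User text reaches SQL only as bound parameters, so a query
# string cannot become an injection.
import re
import sqlite3

COLUMNS = ("ip", "hostname", "os", "app")
TOKEN = re.compile(r'([+-]?)(?:(\w+):)?("[^"]*"|\S+)')

def to_sql(query, columns=COLUMNS):
    """Return (sql, params) for a query string; unknown fields are rejected."""
    clauses, params = [], []
    for sign, field, value in TOKEN.findall(query):
        if field and field not in columns:
            raise ValueError("unknown field: %s" % field)
        # Escape LIKE metacharacters in the user's text, then turn * into %.
        value = value.strip('"')
        pat = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
        pat = "%" + pat.replace("*", "%") + "%"
        cols = (field,) if field else columns
        like = " OR ".join("%s LIKE ? ESCAPE '\\'" % c for c in cols)
        clauses.append(("NOT (%s)" if sign == "-" else "(%s)") % like)
        params.extend([pat] * len(cols))
    where = " AND ".join(clauses) or "1"
    return "SELECT ip FROM hosts WHERE %s ORDER BY ip" % where, params

def search(conn, query):
    """Run a query and return the matching IP addresses."""
    sql, params = to_sql(query)
    return [ip for (ip,) in conn.execute(sql, params)]

def demo_db():
    """Constructed inventory standing in for what p0f and nmapv would collect."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (ip TEXT, hostname TEXT, os TEXT, app TEXT)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?, ?)", [
        ("10.0.0.5", "www1", "Linux 2.4", "Apache 1.3.33"),
        ("10.0.0.6", "www2", "Windows 2000", "Apache 2.0.52"),
        ("10.0.0.7", "mail", "OpenBSD 3.6", "Sendmail 8.13"),
        ("10.0.0.8", "intranet", "Windows 2000", "IIS 5.0"),
    ])
    return conn
```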

Page 19: Network Situational Awareness with d00gle (2005)

Related work

Python fragroute
• evade dsniff detection! :-)

Arbor Networks Peakflow
• scalable traffic monitoring, engineering, and behavioral analysis for service providers and enterprises

Page 20: Network Situational Awareness with d00gle (2005)

Future work

User / social network profiling

Semantic analysis of conversation data

Auto-focus

Speech transcription for full-text VOIP search? :-)

Other Big Brother stuff

Contributions and derived work from users like you!

Page 21: Network Situational Awareness with d00gle (2005)

Conclusion

Everything you do on a network is observable in some way

What is your network saying about you? :-)

http://monkey.org/~dugsong/dpkt/
http://monkey.org/~dugsong/pypcap/
http://monkey.org/~dugsong/pyevent/
http://monkey.org/~dugsong/dsniff/