The Siphon Project: An Implementation of Stealth Target Acquisition & Information Gathering Methodologies

Presentation transcript:

The Siphon Project
An Implementation of Stealth Target Acquisition & Information Gathering Methodologies
Speaker notes: Introduce self; Chris introduces himself: name, current workplace, how long we have been working on this project. Introduce the topic of discussion: a new method for information enumeration and network mapping.
11/14/2018 Blackhat USA 2001

Contact Information
Marshall Beddoe: marshall@gravitino.net
Christopher Abad: chris@gravitino.net
URL: www.gravitino.net/projects/siphon

Overview
- A definition of general network mapping
- Active techniques
- Passive techniques (Siphon)
- Example Siphon report
Speaker notes: Active port mapping, OS detection, vulnerability analysis and topology mapping (Nmap, traceroute). Later, passive methods for each of these network mapping techniques. Lastly, passive information enumeration techniques.

What is Network Mapping?
- The process of gathering information in order to identify and understand the internetworking of systems
Speaker notes: Network mapping can be formally defined as the process of gathering information in order to identify and understand the internetworking of systems.

Why is this Important?
- To gather information
- To identify weaknesses
- To learn how the network operates
Speaker notes: This is important because it allows an attacker or an administrator to gather information about the network, such as traffic patterns, trusted hosts, etc. To an attacker it may allow the discovery of alternate penetration routes, times to attack and other times to lay low, trusted hosts, etc. To an administrator, it allows them to understand how the network operates and thus keep it protected.

Network Mapping Information
Network mapping information includes:
- Port information
- Operating system information
- Information enumeration
- Topology map generation
- Vulnerability information

Port Information
- Vulnerable services run on TCP/UDP ports
- Perception of security on the network and/or host
- Ability to perform accurate OS identification
Speaker notes: Discovering open ports on machines is important because… It also allows an attacker or an administrator to gain a perception of the security on the network. Lastly, open ports allow one to perform accurate operating system identification.

Operating System Information
- Survey of the types of OSes on a network
- Vulnerabilities specific to operating systems

Information Enumeration
- "Harmless" information that can later lead to the compromise of a network
- Examples: e-mail addresses, NetBIOS names, NFS exports, usernames, hostnames, whois information, etc.

Topology Map Generation
- Understanding the physical layout of the network
- Possible discovery of alternate penetration routes

Vulnerability Information
- Consists of all previously explained network mapping information
- Discovering vulnerabilities on systems and in network configuration
- One vulnerability can lead to the compromise of an entire network

Current Mapping Techniques
- Active network mapping: Nmap, Queso, Nessus
- Passive network mapping: Siphon

Active Network Mapping
- Sending queries to receive responses in order to gather port information, operating system information, etc.
- Requires employing applications that generate "noise" on a network

Active Mapping Techniques
- Active port mapping
- Active operating system identification
- Active information enumeration
- Active topology map generation
- Active vulnerability assessment

Active Port Mapping
- TCP connect() scan (1)
- TCP SYN "stealth" scan (2)
- Special TCP FIN, XMAS & NULL scans (3)
- Vanilla UDP scan (4)
Diagram (packet exchange for each scan type):
(1) SYN to port 23; SYN|ACK from port 23; ACK to port 23
(2) SYN to port 23; SYN|ACK from port 23
(3) FIN to port 23; no RST response, port is open
(4) UDP packet to port 67; no ICMP port unreachable, port is open

Active OS Identification
- TCP advertised window
- TCP options
- FIN probes
- ISN sampling
- Fragment handling
Diagram: TCP packet

Active Information Enumeration
- NetBIOS name gathering
- NetBIOS drive sharing
- Sendmail EXPN probes
- Finger information
- WHOIS information
- NFS exports

Active Topology Mapping
- Traceroute
Diagram: Host A, Host B and Host C connected through the INTERNET

Active Vulnerability Assessment
- Banner checking
- RPC portmapper queries
- DNS version queries
Diagram: TCP connect() to port 21; banner returned: "220 FTP Server (Version wu-2.6.0(1) ready."

Pros & Cons of Active Mapping
Pros
- Assessment can be conducted from a different network
- Requires little time to gather information
Cons
- Generates network noise
- Alarms intrusion detection systems
- Reveals source of probe
- Accuracy problems
- Intrusive

The Siphon Project
When it was created
- January 2000
Why it was created
- Does not generate network noise
- Does not trigger IDS alarms
- Does not reveal source of probe
- Does not send out a single packet
- Stealth technique
- Datalink layer level mapping

Passive Network Mapping
- Gathering information about a network without sending out a single packet
- By monitoring traffic, can determine the entire layout of the network and the configuration of hosts connected to the network

Is Passive Feasible?
Does passive mapping provide complete information?
- For the most part, the only difference is that passive network mapping takes more time to gather information
- Hosts that never receive network traffic on a network might not be reported by Siphon
Who would use passive network mapping?
- Network administrators that operate in red-tape environments such as the US Government/Military
- Skilled hackers that move slowly to avoid detection

Siphon Mapping Techniques
- Passive port mapping
- Passive operating system identification
- Passive information enumeration
- Passive topology map generation
- Passive vulnerability assessment
- Report generation

Passive TCP Port Mapping
- Monitoring SYN|ACK packets
- Logging the source port
Diagram: handshake between Host A and Host B observed by Siphon: SYN to port 23, SYN|ACK from port 23, ACK to port 23

TCP Port Mapping Challenges
- Problem: corruption of information caused by spoofed connections
- Solution: monitor TCP state
Diagram: a SYN|ACK "from host A, src port 666" reaches Host C over the network; Siphon saw no initial SYN sent to port 666 of host A, so it will not record the port

Passive UDP Port Mapping
- Monitoring UDP packets
- Listening for ICMP port unreachable packets
Diagram: UDP packet to port 53 between Host A and Host B observed by Siphon; no ICMP port unreachable, port is open

UDP Port Mapping Challenges
- Problem: accuracy
- Solution: decode application layer protocols that use UDP
Diagram: DNS query to UDP port 53 and DNS query response from UDP port 53 between Host A and Host B, observed by Siphon; a standard DNS query response from Host B means UDP port 53 is open
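The TCP state check from the TCP port mapping slides and the ICMP port unreachable and DNS decoding rules from the two UDP slides, worked through in Python as an added example (not Siphon's own code). The packets are constructed records rather than a live capture, and the `Pkt` layout, the flag constants and the DNS QR-bit test are assumptions made here.

```python
from collections import namedtuple

# Constructed packet records standing in for what a sniffer hands to Siphon.
# proto: "tcp" | "udp" | "icmp"; flags: TCP flag bits, or an ICMP type name;
# payload: raw bytes (DNS), or for ICMP the (dst, dport) of the quoted datagram.
Pkt = namedtuple("Pkt", "proto src sport dst dport flags payload", defaults=(0, b""))
SYN, ACK = 0x02, 0x10

def passive_tcp_map(packets):
    """Log (host, port) only for a SYN|ACK that answers a SYN we also saw, so a
    spoofed SYN|ACK 'from host A, src port 666' is never recorded as open."""
    pending, open_ports = set(), set()
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == SYN:
            pending.add((p.src, p.sport, p.dst, p.dport))
        elif p.flags == SYN | ACK:
            handshake = (p.dst, p.dport, p.src, p.sport)  # reverse direction
            if handshake in pending:          # the TCP state check from the slide
                open_ports.add((p.src, p.sport))
                pending.discard(handshake)
    return open_ports

def is_dns_response(payload):
    """Minimal application-layer decode: DNS header QR bit (byte 2, bit 7) set."""
    return len(payload) >= 12 and bool(payload[2] & 0x80)

def passive_udp_map(packets):
    """Ports that received a datagram and never answered with ICMP port
    unreachable; for port 53 additionally require a DNS-shaped reply."""
    flows, probed, unreachable, dns_ok = set(), set(), set(), set()
    for p in packets:
        if p.proto == "udp":
            if (p.dst, p.dport, p.src, p.sport) in flows:   # reply to a flow we saw
                if p.sport == 53 and is_dns_response(p.payload):
                    dns_ok.add((p.src, 53))
                continue                      # do not log the client's ephemeral port
            flows.add((p.src, p.sport, p.dst, p.dport))
            probed.add((p.dst, p.dport))
        elif p.proto == "icmp" and p.flags == "port-unreachable":
            unreachable.add(p.payload)        # (dst, dport) quoted in the ICMP error
    return {hp for hp in probed - unreachable if hp[1] != 53 or hp in dns_ok}

# Constructed trace: 10.0.0.1 answers telnet; a SYN|ACK from 10.0.0.9:666 arrives
# with no SYN seen; 10.0.0.1 answers DNS on 53; 10.0.0.3 rejects UDP 67.
TRACE = [
    Pkt("tcp", "10.0.0.2", 40000, "10.0.0.1", 23, SYN),
    Pkt("tcp", "10.0.0.1", 23, "10.0.0.2", 40000, SYN | ACK),
    Pkt("tcp", "10.0.0.9", 666, "10.0.0.2", 40001, SYN | ACK),
    Pkt("udp", "10.0.0.2", 5000, "10.0.0.1", 53, payload=b"\x12\x34\x01\x00" + b"\x00" * 8),
    Pkt("udp", "10.0.0.1", 53, "10.0.0.2", 5000, payload=b"\x12\x34\x81\x80" + b"\x00" * 8),
    Pkt("udp", "10.0.0.2", 5001, "10.0.0.3", 67),
    Pkt("icmp", "10.0.0.3", 0, "10.0.0.2", 0, "port-unreachable", ("10.0.0.3", 67)),
]
```

Running `passive_tcp_map(TRACE)` reports only 10.0.0.1:23, and `passive_udp_map(TRACE)` only 10.0.0.1:53; the unsolicited SYN|ACK and the ICMP-rejected port 67 are dropped.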

Passive OS Identification
- Operating system is determined by monitoring TCP SYN|ACK packets
- An OS is fingerprinted based upon the TCP advertised window, the IP DF bit, the default TTL, the TCP options, and the MSS TCP option set by the connecting host.
Diagram: Host A sends SYN to port 23 on Host C; the SYN|ACK from port 23 carries TCP advertised window = 0x4000, DF bit = ON, TTL = 64; Siphon matches it against the OS fingerprints: 4000:ON:64 = FreeBSD

Passive OS Ident. Challenges
- Problem: multiple fingerprints for one OS version
- Solution: Siphon passive OS identification algorithm
Problem OS fingerprints file:
7D78:64:1:Linux 2.1.122 - 2.2.14
77C4:64:1:Linux 2.1.122 - 2.2.14
7BF0:64:1:Linux 2.1.122 - 2.2.14
7BC0:64:1:Linux 2.1.122 - 2.2.14

Siphon OS Ident. Algorithm

Passive OS Ident. Challenges
- After applying the Siphon OS identification algorithm, we now have only one entry for Linux 2.1.122 - 2.2.14
Fixed OS fingerprints file:
7D78:77C4:64:1:Linux 2.1.122 - 2.2.14
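An added Python example (not Siphon's code) of matching an observed SYN|ACK against a fingerprint file in the slide's window:ttl:df:os format; it does not reproduce the Siphon merging algorithm, whose slide is not in the transcript. The TTL normalisation (rounding the observed TTL up to 32/64/128/255, since a passive sensor sees a value decremented by intermediate hops) and the candidate fallback are assumptions added here, and the FreeBSD line is constructed from the slide's 4000:ON:64 example.

```python
# Fingerprint file in the slide's "window:ttl:df:os" format. The four Linux
# lines are the ones quoted on the slide; the FreeBSD line is constructed
# from the slide's "4000:ON:64 = FreeBSD" example (DF on, TTL 64).
FINGERPRINTS = """\
7D78:64:1:Linux 2.1.122 - 2.2.14
77C4:64:1:Linux 2.1.122 - 2.2.14
7BF0:64:1:Linux 2.1.122 - 2.2.14
7BC0:64:1:Linux 2.1.122 - 2.2.14
4000:64:1:FreeBSD
"""

INITIAL_TTLS = (32, 64, 128, 255)

def load_fingerprints(text):
    """Parse fingerprint lines into {(window, ttl, df): os}; the window is hex."""
    db = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            window, ttl, df, name = line.split(":", 3)
            db[(int(window, 16), int(ttl), int(df))] = name
    return db

def initial_ttl(observed):
    """A passive sensor sees the TTL after some hops. Assumption added here:
    the sender started at the smallest common initial TTL >= what was seen."""
    return next((t for t in INITIAL_TTLS if t >= observed), observed)

def identify(db, window, ttl, df):
    """Match a SYN|ACK's (window, TTL, DF) against the file. Exact hits win;
    otherwise report every OS that shares the TTL/DF pair as candidates."""
    key = (window, initial_ttl(ttl), df)
    if key in db:
        return db[key], "exact"
    candidates = sorted({name for (w, t, d), name in db.items() if (t, d) == key[1:]})
    return (candidates, "candidates") if candidates else (None, "unknown")

def syn_ack_fingerprint(window, ttl, df):
    """Render observed fields the way the file writes them, e.g. '7BC0:64:1'."""
    return f"{window:X}:{initial_ttl(ttl)}:{df}"

if __name__ == "__main__":
    db = load_fingerprints(FINGERPRINTS)
    # Constructed SYN|ACK seen three hops away from a Linux 2.2 host: TTL 61.
    print(syn_ack_fingerprint(0x7BC0, 61, 1), "->", identify(db, 0x7BC0, 61, 1))
    print(syn_ack_fingerprint(0x4000, 64, 1), "->", identify(db, 0x4000, 64, 1))
    print(syn_ack_fingerprint(0x1234, 60, 1), "->", identify(db, 0x1234, 60, 1))
```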

Passive Information Enumeration
- Monitoring telnet traffic to gather usernames & passwords
- Monitoring incoming mail traffic to gather usernames
- Monitoring incoming web traffic to gather hostnames
- Monitoring DNS queries and responses to gather hostnames
- Monitoring file sharing: NFS, NetBIOS, etc.
- Performing traffic analysis, peak hours, etc.
- Network hardware fingerprinting

Passive Topology Mapping
- Dynamic routing protocols:
- RIP topology mapping (general distance vector)
- OSPF topology mapping (link state protocol)
- Path vector routing topology
- TTL estimation

Routing Information Protocol
- Interior gateway protocol
- Distance vector protocol
- Uses hop count as its metric
- Sends routing-update messages frequently
- Further information: Request For Comments (RFC) 1058 and 1723

Topology Mapping with RIP
- Monitor RIP packets on multiple subnets running Siphon
- Run results through our distance vector to link state routing conversion algorithm
Diagram: RIP traffic observed by Siphon A and Siphon B
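An added Python example (not the authors' distance vector to link state conversion, whose slides are not in the transcript) of what a Siphon sensor on several subnets can read directly out of RIPv2 responses: parsing the RFC 1723 route entries, treating hop count 1 plus the subnet the update was broadcast on as direct attachment, and inferring router adjacency from shared networks. The observations, router addresses and the `build_rip_response` helper are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

RIP_RESPONSE, RIP_V2, AF_INET = 2, 2, 2

def parse_rip(payload):
    """(network, metric) entries from a RIPv2 response: a 4-byte header
    (command, version, zero) followed by 20-byte route entries (RFC 1723)."""
    routes = []
    if len(payload) >= 4 and payload[0] == RIP_RESPONSE and payload[1] == RIP_V2:
        for off in range(4, len(payload) - 19, 20):
            afi, _tag, ip, mask, _nh, metric = struct.unpack(
                "!HH4s4s4sI", payload[off:off + 20])
            if afi == AF_INET:  # AFI 0xFFFF would be an authentication entry
                net = IPv4Network((ip, str(IPv4Address(mask))), strict=False)
                routes.append((net, metric))
    return routes

def build_rip_response(routes):
    """Constructed RIPv2 response for (network, metric) pairs; sample input only."""
    pkt = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    for net, metric in routes:
        n = IPv4Network(net)
        pkt += struct.pack("!HH4s4s4sI", AF_INET, 0, n.network_address.packed,
                           n.netmask.packed, b"\0" * 4, metric)
    return pkt

def passive_rip_topology(observations):
    """observations: (sensor_subnet, router_ip, rip_payload) as seen by a Siphon
    sensor on that subnet. A router is taken to be directly attached to the
    subnet it broadcast on and to every net it advertises at hop count 1; two
    routers attached to a common net are reported as adjacent."""
    attached = {}
    for subnet, router, payload in observations:
        nets = attached.setdefault(router, set())
        nets.add(IPv4Network(subnet))
        nets.update(net for net, metric in parse_rip(payload) if metric == 1)
    routers = sorted(attached)
    adjacent = {(a, b) for i, a in enumerate(routers) for b in routers[i + 1:]
                if attached[a] & attached[b]}
    return attached, adjacent

# Constructed observations from sensors on 10.1.0.0/24 and 10.2.0.0/24:
# router 10.1.0.1 sits on 10.1 and 10.2, router 10.2.0.2 on 10.2 and 10.3.
# Split horizon keeps each router from advertising a net back onto it.
OBSERVED = [
    ("10.1.0.0/24", "10.1.0.1",
     build_rip_response([("10.2.0.0/24", 1), ("10.3.0.0/24", 2)])),
    ("10.2.0.0/24", "10.2.0.2",
     build_rip_response([("10.3.0.0/24", 1), ("10.1.0.0/24", 2)])),
]
```

`passive_rip_topology(OBSERVED)` attaches 10.1.0.1 to 10.1 and 10.2, 10.2.0.2 to 10.2 and 10.3, and reports the two routers as adjacent through 10.2.0.0/24.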

DV to LS Routing Conversion as a Convex Optimization

DV to LS Conversion Cont.

DV to LS Conversion Example

Continued…

Open Shortest Path First
- Designed to correct problems associated with RIP
- Link state protocol
- Learns of routing information through link-state advertisements (LSAs); this information includes interface status and metrics used
- A topological database is maintained from the collection of LSAs received
- All routers in the same area have the same topological database

Topology Mapping with OSPF
- Periodic full LSA updates
- Generate topology map based on LSA updates
Diagram: OSPF LSA update […] received by Siphon, which produces the topology map

Passive Vuln. Assessment
- Analysis of packet payload
- Monitoring application banners
- Monitoring DNS version queries
- Monitoring RPC queries
- Monitoring HTTP GET requests
Diagram: Host A makes a TCP connect() to port 21 on Host B; Host B answers "220 FTP Server (Version wu-2.6.0(1) ready."; Siphon log: Host B is VULNERABLE

Traffic Analysis
- Port statistics are used to determine server roles
- Auditing logins, email and web access can determine user behavioral patterns and machine roles
- Analysis of initial sequence numbers and other similar challenge protocol fields can reveal the nature of the hosts' PRNG
- Assistance in operating system identification
- TCP sequence guessing

Example Siphon Report
Report: our Siphon software was run for 1 day on our test network

Future Features of Siphon
- Non-TCP operating system fingerprinting
- Default installation fingerprinting
- Passive Wireless LAN (802.11b) network mapping: rogue access point detection, SSID gathering, network statistics (signal strength, etc.)
- OSPF integration
- Windows 2000 version

Summary
- Active and passive mapping are different in nature depending on the purpose and motivation of the user
- Passive network mapping is performed by monitoring network traffic without sending out a single packet
- Active network mapping is performed by sending out queries and gathering responses, generating massive amounts of network noise, crashing machines and setting off IDS alarms

Contact Information
Marshall Beddoe: marshall@gravitino.net
Christopher Abad: chris@gravitino.net
URL: www.gravitino.net/projects/siphon
Questions? We have answers!