Passive Visual Fingerprinting of Network Attack Tools. Gregory Conti, Kulsoom Abdullah, College of Computing, Georgia Institute of Technology.


Title slide: Passive Visual Fingerprinting of Network Attack Tools. Gregory Conti, Kulsoom Abdullah, College of Computing, Georgia Institute of Technology. (Image: Nessus 2.0.10, IP to Port to Port to IP view)

Motivation
Common network reconnaissance and vulnerability assessment tools can be visualized in such a way as to identify the attack tool used.
- Law enforcement forensics
- Identify characteristics of new tools/worms
- Provide insight into attacker's methodology and experience level
- Help network defender initiate an appropriate response

System Architecture
Pipeline: Ethernet -> Packet Capture -> Parse -> Process -> Plot -> Interact
- Packet Capture: tcpdump or winpcap (pcap and snort capture files)
- Parse: Perl
- Plot: xmgrace (gnuplot)
- Interact: VS

Examining Available Data...
All raw data available on the wire: link layer header (Ethernet), network layer header (IP), transport layer header (TCP, UDP), application layer data.
Focused on: source / destination IP, source / destination port, timestamp, length of raw packet, protocol type.
References:
- Ethernet: http://www.itec.suny.edu/scsys/vms/OVMSDOC073/V73/6136/ZK-3743A.gif
- IP: http://www.ietf.org/rfc/rfc0791.txt
- UDP: http://www.ietf.org/rfc/rfc0768.txt
- TCP: http://www.ietf.org/rfc/rfc793.txt

Attacks Fingerprinted
nessus 2.0.10, nmap 3.0, nmap 3.5, nmapwin 1.3.1, Superscan 3.0, Superscan 4.0, nikto 1.32, scanline 1.01, sara 5.0.3, NSA CDX dataset 2003
Tool list: http://www.insecure.org/tools.html

Visualizations
Time sequence data:
- Sequence of source/destination ports and IPs
- Sequence of packet lengths
- Sequence of packet protocols
Port and IP mapping:
- Source port to destination port
- Source IP to destination IP
- Source IP to destination port
- Source port/IP to destination IP/port
- Source IP/port to destination port/IP
Characterization of home/external network; fixed memory requirements.

Parallel plot views (figure)
- External IP to Internal IP: both axes 0.0.0.0 to 255.255.255.255
- External Port to Internal Port: both axes 0 to 65,535
- External IP to Internal Port: 0.0.0.0 to 255.255.255.255 and 0 to 65,535

Baseline (figure: External Port to Internal Port; External IP to Internal IP)

Figure panels: nmap 3 (RH8), nmap 3 UDP (RH8), scanline 1.01 (XP), SuperScan 3.0 (XP), NMapWin 3 (XP), nmap 3.5 (XP), nikto 1.32 (XP), SuperScan 4.0 (XP)
Using (mostly) default scan options. TCP = green, UDP = orange.
Foundstone: SuperScan family, scanline. NMapWin runs on an nmap 3 engine.

Sara 5.0.3 (port to port), figure panels: Light, Medium, Heavy

Georgia Tech Honeynet (figure: External IP to Internal Port; External Port to Internal Port; External IP to Internal IP)

Also a Port to IP to IP to Port View (figure)
Axes: External IP (0.0.0.0 to 255.255.255.255), External Port (0 to 65,535), Internal Port (0 to 65,535), Internal IP (0.0.0.0 to 255.255.255.255)

Exploring nmap 3.0 in depth (port to IP to IP to port)
Scan types shown: default (root), stealth FIN (-sF), NULL (-sN), UDP (-sU), SYN (-sS -O), stealth SYN (-sS), CONNECT (-sT), XMAS (-sX)

nmap within Nessus 2.0.10 (port to IP to IP to port): CONNECT (-sT), UDP (-sU)

SuperScan Evolution (port to IP to IP to port), with scanline 1.01

Packet length and protocol type over time (figure axes: packets, ports, length)

WinNMap: compress the time domain to distill the sequence

SuperScan 4.0

Time sequence data (external port vs. packet), figure panels: nmap win, superscan 3; axes: ports vs. packets. Also internal/external IP and internal port.
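As an added example (not the authors' Perl/xmgrace pipeline), the Python below derives, from the five fields the talk keeps per packet, the four-axis polyline for the port to IP to IP to port view and the external-port time sequence with time compressed to packet ordinal. The home network, the colour lookup and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home network (constructed)
PROTO_COLOR = {"tcp": "green", "udp": "orange"}    # colour scheme used on the slides

@dataclass(frozen=True)
class Packet:
    """The fields the talk keeps from each captured packet."""
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    length: int

def ip_axis(ip):
    """Map 0.0.0.0 .. 255.255.255.255 onto the 0.0 .. 1.0 IP axis."""
    return int(ipaddress.ip_address(ip)) / 0xFFFFFFFF

def port_axis(port):
    """Map 0 .. 65,535 onto the 0.0 .. 1.0 port axis."""
    return port / 65535

def orient(pkt):
    """(external IP, external port, internal IP, internal port) for either direction."""
    if ipaddress.ip_address(pkt.src_ip) in HOME_NET:
        return pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port
    return pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port

def port_ip_ip_port_line(pkt):
    """One polyline across the four axes of the port to IP to IP to port view."""
    ext_ip, ext_port, int_ip, int_port = orient(pkt)
    return (port_axis(ext_port), ip_axis(ext_ip), ip_axis(int_ip), port_axis(int_port))

def external_port_sequence(pkts):
    """Time-sequence view: external port per packet, time compressed to packet ordinal."""
    ordered = sorted(pkts, key=lambda p: p.ts)
    return [(i, orient(p)[1], PROTO_COLOR.get(p.proto, "black")) for i, p in enumerate(ordered)]

# Constructed sample: three probes from one outside host and one reply from the target.
SAMPLE = [
    Packet(1.0, "10.0.0.5", 40000, "192.168.1.10", 22, "tcp", 60),
    Packet(1.1, "10.0.0.5", 40001, "192.168.1.10", 80, "tcp", 60),
    Packet(1.2, "192.168.1.10", 80, "10.0.0.5", 40001, "tcp", 60),
    Packet(1.3, "10.0.0.5", 40002, "192.168.1.10", 53, "udp", 42),
]
```

Replies are folded onto the same external/internal axes as the probes, which is what lets a tool's scan order show up as one shape regardless of packet direction.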

Tool interface (screenshot)

Findings (Weaknesses)
- Interaction with personal firewalls
- Countermeasures
- Scale / labeling are issues
- Occlusion is a problem
- Greater interactivity required for forensics and less aggressive attacks
- Some tools are very flexible
- Source code not available for some tools

Findings (Strengths)
- Aggressive tools have distinct visual signatures
- Threading / multiple processes may be visible
- Some source code lineage may be visible
- Some OS/application features are visible
- Some classes of stealthy attack are visible

Findings (Strengths, continued)
- Sequence of ports scanned visible
- Frequently attacked ports visible
- Resistant to high volume network traffic
- Viable in the presence of routine traffic
- Useful against slow scans (hours to weeks)
- Useful against distributed scans

Future Work
- Add forensic capability
- Task driven interactivity (zoom and filter, details on demand)
- Smart books (images and movies)
- Usability studies
- Stress test
- Explore less aggressive attack classes

Demo

- Classic infovis survey: www.cc.gatech.edu/~conti
- Security infovis survey: www.cc.gatech.edu/~conti
- rumint tool: http://www.rumint.com/software.html
- VizSEC paper/slides: http://users.ece.gatech.edu/~kulsoom/research.html and www.cc.gatech.edu/~conti
- Visual Security Community: http://www.ninjabi.net/index.php?option=com_nxtlinks&catid=41&Itemid=47
- Kulsoom's research: http://users.ece.gatech.edu/~kulsoom/research.html

Acknowledgements
- Dr. John Stasko, http://www.cc.gatech.edu/~john.stasko/
- Dr. Wenke Lee, http://www.cc.gatech.edu/~wenke/
- Dr. John Levine, http://www.eecs.usma.edu/
- Julian Grizzard, http://www.ece.gatech.edu/
- 404.se2600, Clint Hendrick, icer, Rockit, StricK

Questions?
Greg Conti, conti@cc.gatech.edu, www.cc.gatech.edu/~conti
Kulsoom Abdullah, gte369k@mail.gatech.edu, http://users.ece.gatech.edu/~kulsoom/research.html
Image: http://altura.speedera.net/ccimg.catalogcity.com/210000/211700/211780/Products/6203927.jpg