Casing the Joint What we already know about your network.


1 Casing the Joint What we already know about your network. batz@vapour.net

2 Casing the Joint Contents Context for this information. Hierarchical breakdown of information that can be used to describe a network into "Areas". Mock ASN.1 notation will describe each Area and extensible attributes within its domain and how they pertain to finding vulnerabilities.

3 Casing the Joint Evaluate information contained in attributes and how it can be damaging. How a heuristic like this could be used by automated attacks described by Caesar in related presentation. Questions, comments, violent objections.

4 Casing the Joint Recent events: December 1999, RTMark uses organized flooding tactics to DoS Etoys.com. Stock price conspicuously falls like rock. DDoS attacks cause mild interruption to search engine in February. News media and lobbyists still recovering.

5 Casing the Joint First major distributed attack since Morris Worm. Internet connected hosts vulnerable to distributed attacks for the foreseeable future.

6 Casing the Joint Each service provided by a host can provide a wealth of information to a potential attacker. Attempt to formalize some elements of how that information can be gathered and what it can tell us.

7 Casing the Joint Types of information: Protocols Layer 3 and up. Addressing, naming schemes. Port ranges of un/filtered services. Applications. Implicit and Explicit Trust.

8 Casing the Joint AREAS: Autonomous System, Route, DNS Domain, Segment, Host.

9 Casing the Joint Autonomous System At.ASN BGP routing information for all routes. Paths to other networks, traffic flow, and Peers. Routing policy.

10 Casing the Joint Information readily available from RAdb, or any BGP speaking peer on the Internet. Very holistic information for a single host.

11 Casing the Joint AREA TYPE: ROUTE At.Route.Rt A CIDR block that contains the IP addresses contained within targets At.Host or At.DNS. At.Route.Origin The AS that this route is being announced from. Useful for collating other routes from other agents.

12 Casing the Joint At.Route.routers A list of all routers within the address space one aggregated prefix length shorter than the one defined in At.Route.Rt. At.Route.gateways The default gateways of all hosts that are within this netblock.

13 Casing the Joint At.Route.multicast Each gateway that may route multicast. Potentially a list of multicast group memberships if possible.

14 Casing the Joint AREA TYPE: DNS DOMAIN Set of all hosts listed in forward and reverse zones for the first level domain.

15 Casing the Joint At.DNS.forward-zone A zone transfer of the domain and/or subdomain that is contained in At.Host.DNSName if available.

16 Casing the Joint At.DNS.reverse-zone In the event that a zone transfer is available, the reverse zone for the /24 that At.Host.Addr is contained in.

17 Casing the Joint At.DNS.reverse-lookup If the whole zone is not available, then the individual IP addresses in the range of /24 or contiguous addresses should be listed within a predefined range.

18 Casing the Joint At.DNS.RR This is for specific resource records such as MX and esoteric entries if the full zone is not available, i.e.:

19 Casing the Joint At.DNS.RR.SOA At.DNS.RR.MX At.DNS.RR.A At.DNS.RR.CNAME etc...

21 Casing the Joint AREA TYPE: SEGMENT Sharing an Ethernet Segment is a huge amount of trust to be put between devices. Use with caution.

22 Casing the Joint The best information that an agent will have will be gained via the local segment. Much of this information can be attained through more active, but less covert means.

23 Casing the Joint At.Segment.macaddr The mac address of the host that the agent has attached itself to.

24 Casing the Joint At.Segment.arpTable A copy of the ARP table of the agent's host. The format of this table should make an XML DTD more appealing.

25 Casing the Joint At.Segment.Protocols From captured Ethernet frames, a table of Layer 3 protocols should be kept so that other agents can be informed of local customs. Possible extensible elements of this in next slide.

26 Casing the Joint At.Segment.Protocols.ether.stp At.Segment.Protocols.ether.vlan At.Segment.Protocols.ipv4 At.Segment.Protocols.ipv6 At.Segment.Protocols.esp At.Segment.Protocols.ipsec At.Segment.Protocols.ttcp At.Segment.Protocols.ipx At.Segment.Protocols.atm At.Segment.Protocols.pppoe At.Segment.Protocols.whatever

27 Casing the Joint Each of these would have their subsequent address tables, which would be passed to interested agents.

28 Casing the Joint At.Segment.Protocols.Management Some of these can be determined remotely. List is not complete. Gives information about routing architecture.

29 Casing the Joint At.Segment.Protocols.Management.DHCP At.Segment.Protocols.Management.IGMP At.Segment.Protocols.Management.RIPv1 At.Segment.Protocols.Management.RIPv2 At.Segment.Protocols.Management.OSPF At.Segment.Protocols.Management.MOSPF At.Segment.Protocols.Management.EIGRP At.Segment.Protocols.Management.IS-IS

30 Casing the Joint At.Segment.Promiscuous In the event that an agent was on a segment where a promiscuous interface could be detected, it would be nice to know.

31 Casing the Joint At.Segment.Promiscuous.yay At.Segment.Promiscuous.nay At.Segment.Promiscuous.yay.arpinfo (mac/ip addr)

32 Casing the Joint AREA TYPE: HOST At.Host is defined as a /32 address allocation to an interface or device.

33 Casing the Joint At.Host.Addr The IP address of the device in question. At.Host.DNSName The reverse DNS lookup of the IP address as discovered by a local agent.

34 Casing the Joint At.Host.OsType This is the operating system, and possible version number/patch level. This information can be ascertained through IP stack fingerprinting, login banners, or services.

35 Casing the Joint At.Host.IPForwarding Does the host forward IP datagrams?

36 Casing the Joint At.Host.IPForwarding.tcp At.Host.IPForwarding.udp At.Host.IPForwarding.icmp At.Host.IPForwarding.multicast At.Host.IPForwarding.multicast_sourceroute At.Host.IPForwarding.sourceroute At.Host.IPForwarding.rfc1918 (if no icmp was sent)

37 Casing the Joint At.Host.IPForwarding.filter Are there filtered ports/services on this device? At.Host.DefaultGateway The gateways that a packet travels through (within 1 hop) when the host responds to an agent's scan.

38 Casing the Joint At.Host.PrivilagedTCPServices Services running on ports less than 1024. This can be obtained from a scan from a local agent, or less accurately, from sniffed traffic on the local net that the agent has access to.

39 Casing the Joint At.Host.PrivilagedUDPServices Similar to TCP services, but of course, UDP services. These are especially useful to attackers and distributed agents due to the connectionless nature of the protocol.

40 Casing the Joint At.Host.NonprivilagedTCPServices All TCP services within predefined agent range greater than 1024.

41 Casing the Joint At.Host.NonprivilagedUDPServices All UDP services within predefined agent range greater than 1024.

42 Casing the Joint At.Host.PrivilagedTCPServices.version At.Host.PrivilagedUDPServices.version At.Host.NonPrivilagedTCPServices.version At.Host.NonPrivilagedUDPServices.version

43 Casing the Joint Version information on each service will allow each agent to correlate services with vulnerabilities.

44 Casing the Joint Within the constraints of this rough model, an agent with access to this information could easily make a reasonable decision on how vulnerable a host is to a wide variety of attacks.

45 Casing the Joint FUTURE RESEARCH The mock ASN.1 notation in this presentation was to illustrate the feasibility of integrating a similar system into a network of agents.

46 Casing the Joint This information could easily be described in XML, or a number of other heuristics with the purpose of inter-agent communication.
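
The dotted At.* names from the slides above, built into the XML form this slide mentions and then read from the defender's side to list what a host discloses. This is an added example, not part of the original presentation: the sample records, their values, the function names and the review rules are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a defender's own inventory keyed by the deck's dotted names.
RECORDS = [
    ("At.Host.Addr", "192.0.2.10"),
    ("At.Host.DNSName", "www.example.net"),
    ("At.Host.IPForwarding", "no"),
    ("At.Host.PrivilagedTCPServices.version", "25/smtp ExampleMTA 1.0"),
    ("At.Host.PrivilagedUDPServices", "53/domain"),
    ("At.DNS.forward-zone", "transfer-allowed"),
    ("At.Segment.Promiscuous.nay", ""),
]

def build_tree(records):
    """Turn (dotted name, value) pairs into one nested XML tree rooted at <At>."""
    root = ET.Element("At")
    for path, value in records:
        parts = path.split(".")
        if parts[0] != "At" or not all(parts):
            raise ValueError(f"not an At.* attribute: {path!r}")
        node = root
        for name in parts[1:]:
            child = next((c for c in node if c.tag == name), None)
            if child is None:
                child = ET.SubElement(node, name)
            node = child
        node.text = value or None
    return root

def review(root):
    """List populated attributes that the slides single out as useful to an attacker."""
    findings = []
    def walk(node, path):
        text = (node.text or "").strip()
        if node.tag == "version" and text:
            findings.append((path, "service version disclosed"))
        elif "UDPServices" in node.tag and text:
            findings.append((path, "UDP service reachable"))
        elif path in ("At.DNS.forward-zone", "At.DNS.reverse-zone") and text:
            findings.append((path, "zone transfer available"))
        elif path == "At.Host.IPForwarding" and text.lower() == "yes":
            findings.append((path, "host forwards IP datagrams"))
        for child in node:
            walk(child, f"{path}.{child.tag}")
    walk(root, "At")
    return findings

def to_xml(root):
    return ET.tostring(root, encoding="unicode")
```

Each finding maps to a setting the owner can change: suppress version banners, restrict zone transfers, filter unneeded UDP services.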

47 Casing the Joint With the advent of the DDoS systems that have been revealed in the last year, it would be a reasonable prediction that attacks against networks will be perpetrated less by individuals than by malicious software acting of its own volition.

48 Casing the Joint “What was once thought, can never be unthought” --The Physicists, Friedrich Durrenmatt batz@vapour.net
