Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Siphon Project An Implementation of Stealth Target Acquisition & Information Gathering Methodologies Introduction: Introduce self, Chris introduce.

Published byMarian Bridges Modified over 5 years ago

Similar presentations

Presentation on theme: "The Siphon Project An Implementation of Stealth Target Acquisition & Information Gathering Methodologies Introduction: Introduce self, Chris introduce."— Presentation transcript:

1 The Siphon Project An Implementation of Stealth Target Acquisition & Information Gathering Methodologies Introduction: Introduce self, Chris introduce self: Name, Current Workplace, How long we Have been working on this project Introduce topic of discussion: A new method for information enumeration and network mapping 11/14/2018 Blackhat USA 2001

2 Contact Information Marshall Beddoe: Christopher Abad: URL: 11/14/2018 Blackhat USA 2001

3 Overview A definition of general network mapping Active techniques
Passive techniques (Siphon) Example Siphon report Active Port Mapping, OS detection, vulnerability analysis and topology mapping. Nmap, traceroute Later, Passive methods for each of these network mapping techniques. Lastly, passive information enumeration techniques. 11/14/2018 Blackhat USA 2001

4 What is Network Mapping?
The process of gathering information in order to identify and understand the internetworking of systems Network mapping can be formally defined as the process of gathering information in order to identify and understand the internetworking of systems. 11/14/2018 Blackhat USA 2001

5 Why is this Important? To gather information To identify weaknesses
To learn how the network operates This is important because it allows an attacker or an administrator-type to gather information about the network, such as traffic patterns, trusted hosts, etc. To an attacker it may allow the discovery of alternate penetration routes, times to attack and other times to lay low, trusted hosts, etc. To an administrator, it will allow them to understand how the network operates and thus keep it protected. 11/14/2018 Blackhat USA 2001

6 Network Mapping Information
Port Information Operating System Information Information Enumeration Topology Map Generation Vulnerability Information Network Mapping Information Includes: 11/14/2018 Blackhat USA 2001

7 Port Information Vulnerable services run on TCP/UDP ports
Perception of security on the network and/or host Ability to perform accurate OS identification Discovering open ports on machines is important because… It also allows an attacker or an administrator to gain a perception of the security on the network.. Lastly, open ports allow one to perform accurate operating system identification. 11/14/2018 Blackhat USA 2001

8 Operating System Information
Survey of the types of OS’ on a network Vulnerabilities specific to operating systems 11/14/2018 Blackhat USA 2001

9 Information Enumeration
“Harmless” information that can later lead to the compromise of a network Examples: addresses, NetBIOS names, NFS exports, usernames, hostnames, whois information, etc. 11/14/2018 Blackhat USA 2001

10 Topology Map Generation
Understanding the physical layout of the network Possible discovery of alternate penetration routes 11/14/2018 Blackhat USA 2001

11 Vulnerability Information
Consists of all previously explained network mapping information Discovering vulnerabilities on systems and in network configuration One vulnerability can lead to the compromise of an entire network 11/14/2018 Blackhat USA 2001

12 Current Mapping Techniques
Active Network Mapping Nmap Queso Nessus Passive Network Mapping Siphon 11/14/2018 Blackhat USA 2001

13 Active Network Mapping
Sending queries to receive responses in order to gather port information, operating system information, etc. Requires employing applications that generate “noise” on a network 11/14/2018 Blackhat USA 2001

14 Active Mapping Techniques
Active port mapping Active operating system identification Active information enumeration Active topology map generation Active vulnerability assessment 11/14/2018 Blackhat USA 2001

15 Active Port Mapping TCP connect() scan (1) TCP SYN “stealth” scan (2)
Special TCP FIN, XMAS & NULL scans (3) Vanilla UDP scan (4) SYN to port 23 FIN to port 23 (1) SYN|ACK from port 23 (3) ACK to port 23 No RST response, port is open SYN to port 23 UDP packet to port 67 (2) (4) SYN|ACK from port 23 No ICMP port unreachable, port is open 11/14/2018 Blackhat USA 2001

16 Active OS Identification
TCP Advertised Window TCP Options FIN Probes ISN Sampling Frag Handling TCP Packet 11/14/2018 Blackhat USA 2001

17 Active Information Enumeration
NetBIOS name gathering NetBIOS drive sharing Sendmail EXPN probes Finger information WHOIS information NFS exports 11/14/2018 Blackhat USA 2001

18 Active Topology Mapping
Traceroute Host B INTERNET Host A Host C 11/14/2018 Blackhat USA 2001

19 Active Vulnerability Assessment
Banner checking RPC portmapper queries DNS version queries TCP connect() to port 21 220 FTP Server (Version wu-2.6.0(1) ready. 11/14/2018 Blackhat USA 2001

20 Pros & Cons of Active Mapping
Assessment can be conducted from a different network Requires little time to gather information Cons Generates network noise Alarms intrusion detection systems Reveals source of probe Accuracy problems Intrusive 11/14/2018 Blackhat USA 2001

21 The Siphon Project When it was created Why it was created January 2000
Does not generate network noise Does not trigger IDS alarms Does not reveal source of probe Does not send out a single packet Stealth technique Datalink layer level mapping 11/14/2018 Blackhat USA 2001

22 Passive Network Mapping
Gathering information about a network without sending out a single packet By monitoring traffic, can determine the entire layout of the network and the configuration of hosts connected to the network 11/14/2018 Blackhat USA 2001

23 Is Passive Feasible? Does passive mapping provide complete information? For the most part, the only difference is that passive network mapping takes more time to gather information Hosts that never receive network traffic on a network might not be reported by Siphon Who would use passive network mapping? Network administrators that operate in red-tape environments such as the US Government/Military Skilled hackers that move slowly to avoid detection 11/14/2018 Blackhat USA 2001

24 Siphon Mapping Techniques
Passive port mapping Passive operating system identification Passive information enumeration Passive topology map generation Passive vulnerability assessment Report generation 11/14/2018 Blackhat USA 2001

25 Passive TCP Port Mapping
Monitoring SYN|ACK packets Logging the source port SYN to port 23 SYN|ACK from port 23 ACK to port 23 Host A Host B Siphon 11/14/2018 Blackhat USA 2001

26 TCP Port Mapping Challenges
Problem: Corruption of information caused by spoofed connections Solution: Monitor TCP state SYN|ACK from host A src port 666 Network Host C Siphon No initial SYN sent to port 666 of host A, Will not record 11/14/2018 Blackhat USA 2001

27 Passive UDP Port Mapping
Monitoring UDP packets Listening for ICMP port unreachable packets UDP packet to port 53 Host A Host B Siphon No ICMP port unreachable, port is open 11/14/2018 Blackhat USA 2001

28 UDP Port Mapping Challenges
Problem: Accuracy Solution: Decode application layer protocols that use UDP DNS Query to UDP port 53 DNS Query Response from UDP port 53 Host A Host B Siphon Standard DNS query response from Host B, UDP port 53 is open 11/14/2018 Blackhat USA 2001

29 Passive OS Identification
Operating system is determined by monitoring TCP SYN|ACK packets An OS is fingerprinted based upon the TCP advertised window, the IP DF bit, the default TTL, the TCP options, and the MSS TCP option set by the connecting host. SYN to port 23 SYN|ACK from port 23 TCP advertised window = 0x4000 DF bit = ON TTL = 64 Host C Host A OS Fingerprints: 4000:ON:64 = FreeBSD Siphon 11/14/2018 Blackhat USA 2001

30 Passive OS Ident. Challenges
Problem: Multiple fingerprints for one OS version Solution: Siphon passive OS identification algorithm Problem OS Fingerprints File: 7D78:64:1:Linux 77C4:64:1:Linux 7BF0:64:1:Linux 7BC0:64:1:Linux 11/14/2018 Blackhat USA 2001

31 Siphon OS Ident. Algorithm
11/14/2018 Blackhat USA 2001

32 Passive OS Ident Challenges
After applying the Siphon OS identification algorithm, we now have only one entry for Linux Fixed OS Fingerprints File: 7D78:77C4:64:1:Linux 11/14/2018 Blackhat USA 2001

33 Passive Information Enumeration
Monitoring telnet traffic to gather usernames & passwords Monitoring incoming mail traffic to gather usernames Monitoring incoming web traffic to gather hostnames Monitoring DNS queries and responses to gather hostnames Monitoring file sharing: NFS, NetBIOS, etc. Performing traffic analysis, peak hours, etc. Network hardware fingerprinting 11/14/2018 Blackhat USA 2001

34 Passive Topology Mapping
Dynamic routing protocols RIP topology mapping (general distance vector) OSPF topology mapping (link state protocol) Path vector routing topology TTL estimation 11/14/2018 Blackhat USA 2001

35 Routing Information Protocol
Interior gateway protocol Distance vector protocol Uses hop count as its metric Sends routing-update messages frequently Further Information Request For Comments (RFC) 1058 and 1723 11/14/2018 Blackhat USA 2001

36 Topology Mapping with RIP
Monitor RIP packets on multiple subnets running Siphon Run results through our distance vector to link state routing conversion algorithm RIP Siphon A Siphon B 11/14/2018 Blackhat USA 2001

37 DV to LS Routing Conversion as a Convex Optimization
11/14/2018 Blackhat USA 2001

38 DV to LS Conversion Cont.
11/14/2018 Blackhat USA 2001

39 DV to LS Conversion Example
11/14/2018 Blackhat USA 2001

40 Continued… 11/14/2018 Blackhat USA 2001

41 Open Shortest Path First
Designed to correct problems associated with RIP Link state protocol Learns of routing information through link-state advertisements This information includes interface status and metrics used A topological database is maintained by the collection of LSA’s received All routers in the same area have the same topological database 11/14/2018 Blackhat USA 2001

42 Topology Mapping with OSPF
Periodic full LSA updates Generate topology map based off LSA updates OSPF LSA Update Topology Map […] Siphon 11/14/2018 Blackhat USA 2001

43 Passive Vuln. Assessment
Analysis of packet payload Monitoring application banners Monitoring DNS version queries Monitoring RPC queries Monitoring HTTP GET requests TCP connect() to port 21 220 FTP Server (Version wu-2.6.0(1) ready. Host B Host A Siphon Log: Host B is VULNERABLE Siphon 11/14/2018 Blackhat USA 2001

44 Traffic Analysis Port statistics are used to determine server roles
Auditing logins, and web access can determine user behavioral patterns and machine roles. Analysis on initial sequence numbers and other similar challenge protocol fields can reveal the nature of the hosts’ PRNG. Assistance in Operating System Identification TCP Sequence Guessing 11/14/2018 Blackhat USA 2001

45 Example Siphon Report Report: Our Siphon software was run for 1 day on our test network 11/14/2018 Blackhat USA 2001

46 Future Features of Siphon
Non-TCP operating system fingerprinting Default installation fingerprinting Passive Wireless LAN (802.11b) network mapping Rogue access point detection SSID gathering Network statistics (Signal strength, etc.) OSPF integration Windows 2000 Version 11/14/2018 Blackhat USA 2001

47 Summary Active and passive mapping are different in nature depending on the purpose and motivation of the user Passive network mapping is performed by monitoring network traffic without sending out a single packet Active network mapping is performed by sending out queries and gathering responses generating massive amounts of network noise, crashing machines and setting off IDS alarms 11/14/2018 Blackhat USA 2001

48 Contact Information Marshall Beddoe: Christopher Abad: URL: Questions? We have answers! 11/14/2018 Blackhat USA 2001

Download ppt "The Siphon Project An Implementation of Stealth Target Acquisition & Information Gathering Methodologies Introduction: Introduce self, Chris introduce."

Similar presentations

RIP V1 W.lilakiatsakun.

RIP V1 W.lilakiatsakun.
RIP V2 CCNP S1(5), Chapter 4.

RIP V2 CCNP S1(5), Chapter 4.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
IP Network Scanning.

IP Network Scanning.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.

Hacking Exposed 7 Network Security Secrets & Solutions Chapter 2 Scanning 1.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Port Scanning.

Port Scanning.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)

IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
Ana Chanaba Robert Huylo

Ana Chanaba Robert Huylo
1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.

1 Reconnaissance, Network Mapping, and Vulnerability Assessment ECE4112 – Internetwork Security Georgia Institute of Technology.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 6 Routing and Routing Protocols.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 6 Routing and Routing Protocols.

Similar presentations

Ads by Google