
DAVIX Visualization Bootcamp 25C3: Visualize Your Network! - Jan P. Monsch, Marius Ciepluch (PDF slide deck)



  1. DAVIX Visualization Bootcamp 25C3: Visualize Your Network!
     Jan P. Monsch, Marius Ciepluch
     About Your Hosts
     - Jan P. Monsch: DAVIX Project Initiator & Lead Engineer; Senior Security Analyst; Student in Security and Forensic Computing @ Dublin City University
     - Marius Ciepluch: DAVIX User & Workshop Assistant; Student in Computer Science @ University Lübeck

  2. Workshop Preparation
     Get DAVIX
     - Visit http://82.197.185.121/davix/release/
     - Download
       - davix-1.0.1-defcon16.iso.gz
       - davix-manual-1.0.1.pdf
       - 25c3-workshop.lzm
     - Recommended setup
       - VMware Player or VMware Fusion
       - Bridged or NAT networking
     - Configure host to access 25C3 network
     - See chapter 6.1.1 & 6.1.2 in manual for assistance
     Agenda
     - Introduction DAVIX
     - Visualization
     - Walk-Through DAVIX
     - Hands-on Lab
     - Visualization Contest

  3. Introduction DAVIX
     Initial Situation
     - Security visualization is quite new
     - Currently two books available [1, 2]

  4. Initial Situation
     - Many free visualization tools
     - But installation is often cumbersome
       - Compiler version and library issues
       - Code difficult to build or broken
       - Diverse runtime environments: Java, Perl, Ruby, Python, Windows applications
     - Huge hurdle for people to get started with security visualization
     Mission Statement
     - DAVIX shall provide the audience with a workable and integrated tool set, enable them to immediately start with security visualization and motivate them to contribute to the security visualization community.

  5. Inside the DAVIX Live CD
     - Live Linux CD system based on SLAX 6 [3]
       - Software packages are modularized
       - Easily customizable
       - Runs from CD/DVD, USB stick or hard drive
     - Collection of free tools for processing & visualization
       - Tools work out of the box
       - No compilation or installation of tools required
     - Comes with documentation [4]
       - Quick start description for the most important tools
       - Links to manuals and tutorials
     DAVIX 1.0.1 Tools
     - Capture
       - Network Tools: Argus, Snort, Wireshark
       - Logging: syslog-ng
       - Fetching Data: wget, ftp, scp
     - Processing
       - Shell Tools: awk, grep, sed
       - Visualization Preprocessing: AfterGlow, LGL
       - Extraction: Chaosreader
       - Data Enrichment: geoiplookup, whois, gwhois
     - Visualization
       - Network Traffic: EtherApe, InetVis, tnv
       - Generic: AfterGlow, Graphviz, LGL Viewer, Mondrian, R Project, Treemap

  6. Highlights Upcoming 1.0.5 α
     - Capture
       - Network Tools: Bro IDS, Zenmap
     - Processing
       - Integration: Splunk, NSM Console
       - PCAP manipulation/extraction: ngrep, tcpxtract, tcpslice, tcpflow
     - Visualization
       - Network Traffic: FlowTag, INAV, NetGrok
       - Generic: NAZAR, Octave

  7. Visualization
     - Raffael Marty: "A picture is worth a thousand log records." [2]
     - Ben Shneiderman: "The purpose of viz is insight, not pictures." [5]
     - Information Seeking Mantra [6]: Overview first, then Zoom and Filter, then Details on Demand

  8. Information Viz Process [2]
     Interface Issue
     - Each visualization tool has its own file format interfaces
     - Data must be converted to match the import interfaces
     - These adapters are mostly self-written snippets of code
     (Figure: PCAP data converted via CSV and TM3 into Viz Tool 1, Viz Tool 2, Viz Tool 3, Viz Tool 4)

  9. Walk-Through
     User Interface
     - Menu organized around the Info Viz Process: Capture, Process, Visualize
     - Tools often cover more than one category
       - AfterGlow: Process, Visualize
     - Additional tools/services: Apache, MySQL, NTP

  10. PDF User Manual
      Content
      - Quick start guide
      - Network setup information
      - Tool usage examples
      - Links to online resources
      - Customizing DAVIX
      User Manual in the Menu
      - The manual is browsable by chapter ...
      - ... or by individual tool chapters

  11. Hands-on Lab Overview
      - Lab built around the Info Viz Process: Problem Definition, Overview, Zoom & Filter, Details on Demand, Visualize
      - DAVIX Tools
        - Processing: Wireshark / tshark [7], p0f [8], awk [9], sed, uniq, Snort [10]
        - Visualization: AfterGlow [11], Graphviz [12], Treemap [13]

  12. Problem Definition
      - Type of Traffic?
      - Network Topology?
        - Gateway?
        - Team Server?
        - Other Team Systems?
      - Activities?
        - Communication Pattern?
        - Attacks?
      Section: Type of Traffic

  13. Overview - Background
      - CTF DEFCON 12 PCAP File
        - 6 teams
        - 1 server per team with vulnerable services
        - Many team member systems
        - Symmetrical setup for all teams
      Overview - Wireshark
      - Basic statistics
        - 54 MB PCAP file
        - Date 31.07.2004
        - 41 min of traffic
        - 100'000 packets

  14. Overview - Wireshark
      - Packets: Mostly IP, Mostly TCP
      - Protocols / Traffic Volume: Mostly TCP, Some UDP
      Overview - Wireshark
      - TCP: Mostly HTTP, Some DCE RPC (Windows)

  15. Overview - Wireshark
      - Traffic Shape
        - Constant at the beginning
        - Massive increase at the end
        (Figure: Wireshark I/O graph with display filter tcp.port==80)
      Section: Network Topology

  16. Visualize: AfterGlow / Graphviz
      (Figure: IP-to-MAC graph annotated "Possible Gateways" and "Not a Gateway")
      001_network_topology_gateway.sh: Zoom & Filter - tshark
      - CSV of source/destination IP to source/destination MAC addresses
        0.0.0.0,00:00:86:5b:e9:6a
        0.0.0.0,00:04:5a:a2:d4:08
        192.168.1.2,00:c0:95:e0:0e:af
        192.168.3.2,00:c0:95:e0:0e:af
        192.168.4.1,00:c0:95:e0:0e:af
        192.168.4.152,00:09:6b:53:8a:81
        192.168.4.153,00:c0:95:e0:0e:af
        ...

  17. 001_network_topology_gateway.sh: Zoom & Filter - tshark
      - Extract IP addresses and their MAC addresses
        tshark -r davix_workshop_captures.pcap -e ip.src -e eth.src -Tfields -E separator=, -R ip > ip_mac.csv
        tshark -r davix_workshop_captures.pcap -e ip.dst -e eth.dst -Tfields -E separator=, -R ip >> ip_mac.csv
        cat ip_mac.csv | sort | uniq > ip_mac_distinct.csv
      001_network_topology_gateway.sh: Visualize - AfterGlow / Graphviz
      - Visualize CSV file using AfterGlow
        cat ip_mac_distinct.csv | afterglow.pl -t | neato -Tpng -o ip_mac_distinct.png
      - View resulting image
        gqview
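The "Possible Gateways" reading of the AfterGlow graph can be checked without the picture. This added shell example (not one of the workshop's numbered scripts) takes ip_mac_distinct.csv in the ip,mac format shown above, with a constructed sample embedded, and lists every MAC address that appears with more than one IP address: a MAC forwarding traffic for addresses outside its own subnet is the layer-2 signature of a router or NAT box.

```shell
#!/bin/sh
# Added example, not from the workshop scripts: list gateway candidates in
# the ip,mac CSV that the tshark step produces.

# Constructed sample in the "ip,mac" format of ip_mac_distinct.csv.
# 00:c0:95:e0:0e:af answers for several subnets; 00:00:86:5b:e9:6a is a
# DHCP client seen first as 0.0.0.0 and later with its lease.
sample_ip_mac() {
    cat <<'EOF'
0.0.0.0,00:00:86:5b:e9:6a
0.0.0.0,00:04:5a:a2:d4:08
192.168.1.2,00:c0:95:e0:0e:af
192.168.3.2,00:c0:95:e0:0e:af
192.168.4.1,00:c0:95:e0:0e:af
192.168.4.152,00:09:6b:53:8a:81
192.168.4.153,00:c0:95:e0:0e:af
192.168.4.152,00:09:6b:53:8a:81
192.168.4.33,00:00:86:5b:e9:6a
EOF
}

# Reads "ip,mac" lines on stdin and prints "mac count: ip ip ..." for every
# MAC seen with more than one distinct IP, most IPs first. Rows with the
# unspecified source 0.0.0.0 (DHCP discover) are dropped beforehand, so a
# client that later obtains a lease is not mistaken for a gateway.
gateway_candidates() {
    grep -v '^0\.0\.0\.0,' | LC_ALL=C sort -u | awk -F, '
        { n[$2]++; ips[$2] = ips[$2] " " $1 }
        END { for (m in n) if (n[m] > 1) print m, n[m] ":" ips[m] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}
```

Run as `sample_ip_mac | gateway_candidates`, or feed the real ip_mac_distinct.csv from the script above instead of the sample.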

  18. 001_network_topology_gateway.sh: Visualize - AfterGlow / Graphviz
      (Figure: IP-to-MAC graph annotated "Possible Gateways" and "Not a Gateway")
      002_network_topology_operating_system.sh: Overview - p0f
      - Other teams come through NAT
      - Results
        192.168.4.1,FreeBSD 4.7-5.2 (or MacOS X 10.2-10.4)
        192.168.4.1,FreeBSD 4.8-5.1 (or MacOS X 10.2-10.3)
        192.168.4.1,Linux 2.4-2.6
        192.168.4.1,OpenBSD 3.0-3.9
        192.168.4.1,Windows 2000 SP4, XP SP1+
        192.168.4.1,Windows XP SP1+, 2000 SP3
        192.168.4.152,Linux 2.4-2.6
        192.168.4.153,Linux 2.4-2.6
        192.168.4.154,Linux 2.4-2.6
        192.168.4.157,Linux 2.4-2.6
        192.168.4.159,Linux 2.4-2.6
        192.168.4.160,Linux 2.4-2.6
        192.168.4.45,Linux 2.4-2.6

  19. 002_network_topology_operating_system.sh: Overview - p0f
      - Identify Involved Operating Systems
        p0f -f /etc/p0f/p0f.fp -s davix_workshop_captures.pcap -N | sed "s/ (up.*$//" | sed "s/:[0-9]* - /,/" | sort | uniq
      Visualize - Visio ;-)
      - Topology: Opponents
        (Figure: opponent servers 192.168.1.2, 192.168.3.2, 192.168.5.2, 192.168.6.2, 192.168.7.2 reached via the NAT IP 192.168.4.1 (Linux, 00:C0:95:E0:0E:AF); 192.168.4.153; CISCO devices 00:0B:5F:69:B2:01 and 00:E0:98:08:F7:E2)

  20. Visualize - Visio ;-)
      - Topology: Our Team
        (Figure: CISCO devices 00:0B:5F:69:B2:01 and 00:E0:98:08:F7:E2; hosts 192.168.4.2, 192.168.4.3, 192.168.4.33, 192.168.4.35, 192.168.4.36, 192.168.4.45 labelled WIN, Linux and ?Unix?; hosts 192.168.4.152, 192.168.4.154, 192.168.4.157, 192.168.4.159, 192.168.4.160 labelled Linux)
      Section: Activities
      Section: Linked Graphs

  21. 003_activity_connections.sh: Visualize - AfterGlow / Graphviz
      (Figure: IP connection graph; legend: Green = Our team, Red = Other teams, Yellow = NAT IP, Blue = Neutral)
      003_activity_connections.sh: Zoom & Filter - tshark
      - Extract source & destination IP addresses
        tshark -r davix_workshop_captures.pcap -e ip.src -e ip.dst -Tfields -E separator=, -R ip > ipsrc_ipdst.csv

  22. 003_activity_connections.sh: Visualize - AfterGlow / Graphviz
      - Visualize CSV file using AfterGlow
        cat ipsrc_ipdst.csv | afterglow.pl -c color1.properties -t | neato -Tpng -o ipsrc_ipdst.png
      - View resulting image
        gqview
      003_activity_connections.sh: Visualize - AfterGlow / Graphviz
      - AfterGlow color1.properties (first matching rule wins; the last line of each group is the default)
        color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/);
        color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/);
        color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/);
        color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/);
        color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/);
        color.source="lightsalmon"
        color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/);
        color.target="palegreen" if ($fields[1]=~/^192\.168\.4\..*/);
        color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/);
        color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/);
        color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/);
        color.target="lightsalmon"

  23. 003_activity_connections.sh: Visualize - AfterGlow / Graphviz
      (Figure: IP connection graph; legend: Green = Our team, Red = Other teams, Yellow = NAT IP, Blue = Neutral)
      003_activity_connections.sh: Visualize - AfterGlow / Graphviz
      - Zoom Image
        - 192.168.4.0/24 attacking other teams
        - But who is the most active IP?
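To answer the question the slide ends on without rendering another graph, this added shell example (not part of 003_activity_connections.sh) reads ipsrc_ipdst.csv, ranks source IPs by packet count, and tallies flows between the same four classes that color1.properties colours (NAT IP, our team, neutral addresses, other teams), using the same first-match rule order. The sample rows are constructed.

```shell
#!/bin/sh
# Added example, not from the workshop scripts: most active source IP and
# flow counts per colour class, computed from ipsrc_ipdst.csv.

# Constructed sample in the "src,dst" format of ipsrc_ipdst.csv.
sample_ipsrc_ipdst() {
    cat <<'EOF'
192.168.4.153,192.168.1.2
192.168.4.153,192.168.3.2
192.168.4.153,192.168.1.2
192.168.4.152,192.168.5.2
192.168.4.1,192.168.4.153
0.0.0.0,255.255.255.255
192.168.1.2,192.168.4.1
EOF
}

# awk port of the color1.properties predicates, checked in the same order:
# khaki1 = nat, palegreen = team, lightblue = neutral, lightsalmon = other.
classify_awk='
function cls(ip) {
    if (ip == "192.168.4.1") return "nat"
    if (ip ~ /^192\.168\.4\./) return "team"
    if (ip == "0.0.0.0" || ip == "255.255.255.255" || ip == "198.123.30.132") return "neutral"
    return "other"
}'

# Prints "srcclass->dstclass count" for each class pair, most frequent first.
flows_by_class() {
    awk -F, "$classify_awk"'
        { pairs[cls($1) "->" cls($2)]++ }
        END { for (p in pairs) print p, pairs[p] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# Prints "ip count" for the source address with the most packets.
most_active_source() {
    cut -d, -f1 | LC_ALL=C sort | uniq -c | sort -k1,1nr | head -n 1 | awk '{ print $2, $1 }'
}
```

A team->other count that dominates the table is the textual form of the zoomed graph: our /24 talking to the other teams' servers.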
