
IVRE Network Recon Framework: Network cartography using passive traffic analysis (PowerPoint presentation)

1. IVRE Network Recon Framework: Network cartography using passive traffic analysis
Vivien Venuti, CEA (Alternative Energies and Atomic Energy Commission), 11 April 2019
CEA (Alternative Energies and Atomic Energy Commission) | 11 April 2019 | PAGE 1/26

2. Contents
1 IVRE
2 Context
3 Active Scan
4 Passive Monitoring
5 View
6 What's next

3. IVRE Network Recon Framework
- Started by Pierre Lalet in 2011, GPL licensed
- Written in Python, supports versions 2.6 to 3.7
- Builds tested using Travis
- Quality checks using flake8, Codacy, ...
- CLI, GUI, Python API
Links:
- Repository: https://github.com/cea-sec/ivre/
- Website: https://ivre.rocks/
- Twitter: @IvreRocks
IVRE DB backends: MongoDB, PostgreSQL, SQLite, Neo4j

4. IVRE Architecture (architecture diagram)

5. Use cases (Context)
- Everyday monitoring: Zeek + passiverecon / p0f (ipinfo); Zeek / Argus / NetFlow (flow)
- Audit, pentesting: Nmap / Masscan (scancli)
- Context: Zeek / ... (ipinfo / flow)

6. Addressed Issue (Context)
Issue:
- Various use cases
- Heterogeneous tools
- Common goals
Solution:
- Keep independent databases
- Unify the analysis tools under one UI

7. Active tools (section: Active Scan)

8. SYN Scan
- Determine open TCP ports
- Fast and small footprint
- Most common way of scanning
Diagram: SYN, SYN|ACK / (RST), ACK

9. XML output format (Masscan)

```xml
<?xml version="1.0"?>
<!-- masscan v1.0 scan -->
<?xml-stylesheet href="" type="text/xsl"?>
<nmaprun scanner="masscan" start="1524396448" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1524396450"><address addr="130.236.252.73" addrtype="ipv4"/><ports><port protocol="tcp" portid="102"><state state="open" reason="response" reason_ttl="114" /><service name="s7comm" banner="\x03\x00\x00\x0b\x06\x80\x00"></service></port></ports></host>
<runstats>
<finished time="1524397449" timestr="2018-04-22 11:44:09" elapsed="1003" />
<hosts up="24720" down="0" total="24720" />
</runstats>
</nmaprun>
```

10. Active probing scripts
- Can establish a connection with encrypted services
- Can check for configuration errors (e.g. root without password)
- Can check for vulnerabilities

Nmap Anonymous FTP Listing (ftp-anon):

```
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 1170     924            31 Mar 28  2001 .banner
| d--x--x--x   2 root     root         1024 Jan 14  2002 bin
| d--x--x--x   2 root     root         1024 Aug 10  1999 etc
| drwxr-srwt   2 1170     924          2048 Jul 19 18:48 incoming [NSE: writeable]
| d--x--x--x   2 root     root         1024 Jan 14  2002 lib
| drwxr-sr-x   2 1170     924          1024 Aug  5  2004 pub
```

11. CANNOT scan on every system!
(photos: Research Reactor OSIRIS; Fusion Research Installation Tore-Supra; source: <www.cea.fr/multimedia/>)

12. Passive tools (section: Passive Monitoring)

13. Passiverecon Use (diagram)

14. Passiverecon Script
Record format:
- Custom, fixed set of fields
- Event type identified by recon_type
- Meaning of the fields depends on the event type

```zeek
type Info: record {
    ts: time &log;
    uid: string &log;
    host: addr &log &optional;
    srvport: port &log &optional;
    recon_type: Type &log &default=UNKNOWN;
    source: string &log &optional;
    value: string &log;
    targetval: string &log &optional;
};
```

15. Banner extraction

Raw log:

```
#fields ts                 uid                 host      srvport  recon_type                source  value                targetval
#types  time               string              addr      port     enum                      string  string               string
1213964540.267709  C5PFZj40WKttMOTD36  10.0.0.2  22       PassiveRecon::SSH_SERVER  -       SSH-2.0-Cisco-1.25   -
1213964540.267709  C5PFZj40WKttMOTD36  10.0.0.1  -        PassiveRecon::SSH_CLIENT  -       SSH-1.99-Cisco-1.25  -
#close  2019-04-04-21-51-27
```

Formatted data:

```
10.0.0.2 22 SSH_SERVER SSH-2.0-Cisco-1.25 (1 time) 2008-06-20 14:22:20 - 2008-06-20 14:22:20
  service_name: ssh
  service_extrainfo: protocol 2.0
  service_ostype: IOS
  service_product: Cisco SSH
  service_version: 1.25
```

16. Nmap fingerprints
- Regexp based
- Extraction of variable fields
- Easy to use and store in JSON
- Generic rules to match partially

```
match ssh m|^SSH-(\d[\d.]+)-Cisco-(\d[\d.]+)\r?\n$| p/Cisco SSH/ v/$2/ i/protocol $1/ o/IOS/ cpe:/a:cisco:ssh:$2/ cpe:/o:cisco:ios/a
```

17. Passiverecon Format
Passiverecon data as stored in IVRE:

```json
{
  "firstseen": "2008-06-20 14:22:20.267709",
  "addr": "10.0.0.2",
  "sensor": "",
  "count": 1,
  "lastseen": "2008-06-20 14:22:20.267709",
  "targetval": "",
  "port": 22,
  "recontype": "SSH_SERVER",
  "source": "",
  "value": "SSH-2.0-Cisco-1.25",
  "infos": {
    "service_name": "ssh",
    "service_ostype": "IOS",
    "service_product": "Cisco SSH",
    "service_version": "1.25",
    "service_extrainfo": "protocol 2.0"
  }
}
```
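How the fingerprint rule on slide 16 turns the captured banner of slide 15 into the service_* fields of the record above, as an added example (not IVRE's own code, which relies on Nmap's full nmap-service-probes parser). Assumed: only the subset of the match-line syntax used on the slide ('/'-delimited version fields and cpe entries) is parsed, and the CPE list is stored under a key named "cpe".

```python
import re

# The rule from the slide (one line of nmap-service-probes); "$1"/"$2" refer to regex groups.
CISCO_SSH_RULE = (r"match ssh m|^SSH-(\d[\d.]+)-Cisco-(\d[\d.]+)\r?\n$| "
                  r"p/Cisco SSH/ v/$2/ i/protocol $1/ o/IOS/ "
                  r"cpe:/a:cisco:ssh:$2/ cpe:/o:cisco:ios/a")

# Nmap version-field letters mapped to the service_* keys shown in the passive record.
FIELD_KEYS = {"p": "service_product", "v": "service_version", "i": "service_extrainfo",
              "o": "service_ostype", "h": "service_hostname", "d": "service_devicetype"}
FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/|cpe:/([^/]*)/a?")

def parse_match_line(line):
    """Split a 'match <service> m<delim>regex<delim>[flags] fields...' line (subset)."""
    head = re.match(r"match\s+(\S+)\s+m(.)", line)
    name, delim = head.group(1), head.group(2)
    end = line.index(delim, head.end())              # closing delimiter of the regex
    pattern, rest = line[head.end():end], line[end + 1:]
    flag_chars = re.match(r"[is]*", rest).group(0)   # optional 'i' / 's' after the regex
    flags = (re.IGNORECASE if "i" in flag_chars else 0) | (re.DOTALL if "s" in flag_chars else 0)
    fields, cpes = {}, []
    for key, value, cpe in FIELD_RE.findall(rest[len(flag_chars):]):
        if key:
            fields[key] = value
        else:
            cpes.append("cpe:/" + cpe)
    return {"name": name, "regex": re.compile(pattern, flags), "fields": fields, "cpes": cpes}

def _substitute(template, groups):
    # Replace $N with the N-th captured group (empty string when the group did not match).
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1] or "", template)

def apply_fingerprint(rule, banner):
    """Return the service_* infos for a banner, or None when the rule does not match."""
    m = rule["regex"].search(banner)
    if m is None:
        return None
    infos = {"service_name": rule["name"]}
    for key, template in rule["fields"].items():
        infos[FIELD_KEYS[key]] = _substitute(template, m.groups())
    if rule["cpes"]:
        infos["cpe"] = [_substitute(c, m.groups()) for c in rule["cpes"]]  # key name assumed
    return infos

# The passiverecon log stores the banner without its line ending; the rule expects CRLF,
# so it is re-appended before matching (assumption of this example).
SAMPLE_INFOS = apply_fingerprint(parse_match_line(CISCO_SSH_RULE), "SSH-2.0-Cisco-1.25" + "\r\n")
```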

18. Combine active and passive (section: View)

19. Active vs Passive
- An active scan will detect all hosts and services that are up at scan time
- Passive monitoring will detect all streams that occur
- A rogue client won't be detected by a scan
- Proper traffic sniffing will not cause perturbation
- The time period of monitoring, or the moment of the scan, has a great impact!

20. db2view (diagram)

21. Passive to View Conversion
- Generic conversion process
- 19 different passive recontypes, e.g. SSH_SERVER, HTTP_SERVER, P0F, TCP_BANNER, ...
- 8 extractors currently implemented
  - The value is parsed again (e.g. nmap fingerprints)
  - Easily extensible

22. Conversion with Extraction
Passive record:

```python
{'_id': ...,  # id elided on the slide
 'addr': '172.28.2.3',
 'count': 1,
 'firstseen': datetime.datetime(2003, 6, 18, 2, 11, 6, 756932),
 'lastseen': datetime.datetime(2003, 6, 18, 2, 11, 6, 756932),
 'infos': {'algo': 'ssh-rsa',
           'bits': 1024,
           'exponent': 35,
           'md5': '207ce596b04ecea4dbe4aa29e8909807',
           'modulus': '1170991138...0455603093695918136982250777549537817',
           'sha1': '2a1c5cb270cb1cce82879a42f37affb95556cfcb',
           'sha256': 'b8162aaee40c4c13fda7af52aaaf73e7016f3011bf33dfaebb921e9e4e3bb296'},
 'port': 22,
 'recontype': 'SSH_SERVER_HOSTKEY',
 'sensor': '',
 'source': 'SSHv2',
 'targetval': '',
 'value': '\x00\x00\x00\x07ssh-rsa\x00\x00\x00\x01...\x11\x02\x19'}
```
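An extractor of the kind slide 21 describes, applied to the SSH_SERVER_HOSTKEY value above: it parses the SSH wire-format public key (length-prefixed strings: algorithm name, then for ssh-rsa the mpint exponent and modulus) and derives the algo, bits, exponent, modulus and fingerprint fields of the record's infos. This is an added example, not IVRE's own extractor; the key blob it parses is constructed in the block and is not a real key.

```python
import hashlib
import struct

def _ssh_string(blob, offset):
    """Read one SSH wire-format string (4-byte big-endian length, then that many bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def extract_hostkey_infos(value):
    """Build the 'infos' dict of an SSH_SERVER_HOSTKEY record from its raw key blob."""
    algo, offset = _ssh_string(value, 0)
    infos = {"algo": algo.decode("ascii"),
             "md5": hashlib.md5(value).hexdigest(),       # fingerprints cover the whole blob
             "sha1": hashlib.sha1(value).hexdigest(),
             "sha256": hashlib.sha256(value).hexdigest()}
    if infos["algo"] == "ssh-rsa":                        # ssh-rsa: mpint e, then mpint n
        exponent, offset = _ssh_string(value, offset)
        modulus, offset = _ssh_string(value, offset)
        n = int.from_bytes(modulus, "big")
        infos.update({"exponent": int.from_bytes(exponent, "big"),
                      "modulus": str(n), "bits": n.bit_length()})
    return infos

def _mpint(x):
    """Encode a positive integer as an SSH mpint (leading 0x00 when the high bit is set)."""
    raw = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def build_rsa_hostkey(exponent, modulus):
    """Constructed helper: serialise an ssh-rsa public key as it appears on the wire."""
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(exponent) + _mpint(modulus)

# Constructed sample: a 1024-bit odd modulus with e=35 (the exponent shown on the slide).
# Not a real key, only a well-formed blob for the extractor to parse.
SAMPLE_MODULUS = (1 << 1023) | 0x10001
SAMPLE_VALUE = build_rsa_hostkey(35, SAMPLE_MODULUS)
HOSTKEY_INFOS = extract_hostkey_infos(SAMPLE_VALUE)
```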
