RE: Heavyweight Network Mapping Tools

From: Robert E. Lee (robert@isecom.org)
Date: Sat Nov 29 2003 - 02:44:45 EST


> Being someone who hates to identify a problem without a solution I'm
> looking for a premier network mapping tool for a customer that will
> actively scan up to a class A for hosts, identifying the hosts in up to 3
> stages:

There are a couple of places I'd direct you to:
http://www.lumeta.com/ipsonar.html
and
http://www.opte.org

The Lumeta stuff is very good, but costly and mostly closed. It is
leveraging work from William Cheswick and Hal Burch.

The OPTE project has Barret Lyon of Network Presence (main developer) and
Dan Kaminsky of Avaya's Enterprise Security Practice (Author of
Paketto/scanrand) behind it. The goals for the OPTE project are slightly
different than what you've described, but could easily be adapted to your
needs.

> Mandatory
> Hosts alive through ICMP
Fyi, I plan on taking the OPTE project base and modifying it for uses such
as what you've described. However, instead of using ICMP I plan on
implementing automated scans/system finding based on an abbreviated Section
C, Modules 1-3 of the OSSTMM (http://www.osstmm.org pages 45-48). This is
far more complete for flushing out live systems and works equally well on
internal and external systems alike. I'll have all of this stuff logging
back to an SQL server. This helps when dealing with large sets of data.

> Hosts OS through active OS fingerprinting
This can be done in a second phase after flushing out live systems, although
there are interesting things you can assume based on how the systems respond
to the 1st wave of scanning, ie timing, ports, etc. Add banner grabbing,
nmap/xprobe/p0f/etc and you have an effective OS fingerprint, again being
careful to map this data back to a database.

> Advantageous
Not sure what you mean by this.

> Patch Compliance without host residing agents
There are tools that you can use on the windows side in this phase without a
host agent, but it requires having an administrative login/password for the
system in question. Not sure what Unix automated tools exist for this
purpose.

> Results must be displayable in 3D and be drilled down to individual hosts
> using filters. (look pretty for budget enhancement whilst being useable)

The OPTE project uses LGL (http://bioinformatics.icmb.utexas.edu/lgl/) to
visualize the network maps. You can pull from your database to make the
OS/hostname/IP information overlay onto the map and then export the data to
a VRML format. This will allow for interesting 3D walkthroughs with the
ability to zoom in and see ip/host/os/etc information.

See http://www.opte.org/maps/ for the pictures of the latest maps and the
raw LGL data from that project as a reference as to what is possible.

> Must have continual use and not a snapshot based managed service

Not sure what you mean here. Please expound.

> I'm also looking to schedule and throttle the output without having to use
> a packet shaper. (don't want to consume too much bandwidth)

scanrand has the -b (bandwidth) option for this reason.

> Does anyone have any further recommendations regarding cool or useful
> features in such a product and better still products that meet or come
> close to the above.

Again, I want to automate as much of the OSSTMM based scanning as possible
(complete section C), as those techniques are the most thorough and reliable
that I've run across. Other than the work of OPTE and Lumeta, I'm not sure
who else is playing in this space.

> I have collected details on light and medium weight enumerators at
> http://www.securitywizardry.com/enum.htm but need more oomph!

If you have any other project goals/needs/ideas, please respond. If it's
useful to you, it's likely useful to the rest of the community too :). For
more immediate response, come join us on IRC (efnet #opte).

Sincerely,

Robert

Robert E. Lee
Co-Chairman of the Board
 
Institute for Security and Open Methodologies
www.isecom.org
www.osstmm.org

ISECOM is the OSSTMM Professional Security Tester (OPST) and OSSTMM
Professional Security Analyst (OPSA) certification authority.

---------------------------------------------------------------------------
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:43 EDT