RE: Heavyweight Network Mapping Tools

From: Robert E. Lee (robert_at_isecom.org)
Date: 11/29/03

  • Next message: TJ O'Grady: "Reporting aspect of pen-testing"

    To: "'Andy Cuff [Talisker]'" <lists@securitywizardry.com>, <pen-test@securityfocus.com>
    Date: Fri, 28 Nov 2003 23:44:45 -0800

    > Being someone who hates to identify a problem without a solution I'm
    > looking for a premier network mapping tool for a customer that will
    > actively scan up to a class A for hosts, identifying the hosts in up to 3
    > stages:

    There are a couple of places I'd direct you to:
    http://www.lumeta.com/ipsonar.html
    and
    http://www.opte.org

    The Lumeta stuff is very good, but costly and mostly closed. It is
    leveraging work from William Cheswick and Hal Burch.

    The OPTE project has Barrett Lyon of Network Presence (main developer) and
    Dan Kaminsky of Avaya's Enterprise Security Practice (author of
    Paketto/scanrand) behind it. The goals for the OPTE project are slightly
    different from what you've described, but could easily be adapted to your
    needs.

    > Mandatory
    > Hosts alive through ICMP
    FYI, I plan on taking the OPTE project base and modifying it for uses such
    as what you've described. However, instead of using ICMP I plan on
    implementing automated scans/system finding based on an abbreviated Section
    C, Modules 1-3 of the OSSTMM (http://www.osstmm.org pages 45-48). This is
    far more complete for flushing out live systems and works equally well on
    internal and external systems alike. I'll have all of this stuff logging
    back to an SQL server. This helps when dealing with large sets of data.

    > Hosts OS through active OS fingerprinting
    This can be done in a second phase after flushing out live systems, although
    there are interesting things you can assume based on how the systems respond
    to the first wave of scanning, i.e. timing, ports, etc. Add banner grabbing,
    nmap/xprobe/p0f/etc. and you have an effective OS fingerprint, again being
    careful to map this data back to a database.

    > Advantageous
    Not sure what you mean by this.

    > Patch Compliance without host residing agents
    There are tools that you can use on the windows side in this phase without a
    host agent, but it requires having an administrative login/password for the
    system in question. Not sure what Unix automated tools exist for this
    purpose.

    > Results must be displayable in 3D and be drilled down to individual hosts
    > using filters. (look pretty for budget enhancement whilst being useable)

    The OPTE project uses LGL (http://bioinformatics.icmb.utexas.edu/lgl/) to
    visualize the network maps. You can pull from your database to make the
    OS/hostname/IP information overlay onto the map and then export the data to
    a VRML format. This will allow for interesting 3D walkthroughs with the
    ability to zoom in and see IP/host/OS/etc. information.

    See http://www.opte.org/maps/ for the pictures of the latest maps and the
    raw LGL data from that project as a reference as to what is possible.

    > Must have continual use and not a snapshot based managed service

    Not sure what you mean here. Please expound.

    > I'm also looking to schedule and throttle the output without having to use
    > a packet shaper. (don't want to consume too much bandwidth)

    scanrand has the -b (bandwidth) option for this reason.

    > Does anyone have any further recommendations regarding cool or useful
    > features in such a product and better still products that meet or come
    > close to the above.

    Again, I want to automate as much of the OSSTMM based scanning as possible
    (complete section C), as those techniques are the most thorough and reliable
    that I've run across. Other than the work of OPTE and Lumeta, I'm not sure
    who else is playing in this space.

    > I have collected details on light and medium weight enumerators at
    > http://www.securitywizardry.com/enum.htm but need more oomph!

    If you have any other project goals/needs/ideas, please respond. If it's
    useful to you, it's likely useful to the rest of the community too :). For
    more immediate response, come join us on IRC (efnet #opte).

    Sincerely,

    Robert

    Robert E. Lee
    Co-Chairman of the Board
    Institute for Security and Open Methodologies
    www.isecom.org
    www.osstmm.org

    ISECOM is the OSSTMM Professional Security Tester (OPST) and OSSTMM
    Professional Security Analyst (OPSA) certification authority.
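The reply above argues for multi-stage discovery (ICMP, then TCP/UDP probes, then banners) with every result logged to a database, and for feeding that database into an LGL map. The following is an added example, not code from the original post, the OPTE project or ISECOM: it stores constructed sample results for three hosts in an in-memory SQLite database, reports which hosts are live by any method (including one that drops ICMP but answers TCP), lists hosts that never answered, and emits a gateway-to-host edge list in the plain "node node" format that, to my understanding, LGL reads as .ncol input. The IP addresses, gateway, probe outcomes and banner string are all constructed; the table layout is my own assumption, not a schema from any of the tools named.

```python
"""Added example: multi-stage host discovery results -> SQLite -> LGL edge list.
All probe data below is constructed sample data, not real scan output."""
import sqlite3

# Assumed schema (not from OPTE/scanrand/OSSTMM): one row per host, one row
# per individual probe so that later phases (OS fingerprint, patch audit)
# can be joined back to the same IP.
SCHEMA = """
CREATE TABLE host (
    ip       TEXT PRIMARY KEY,
    gateway  TEXT NOT NULL,       -- next hop the host sits behind (for the map)
    os_guess TEXT                 -- left NULL until a fingerprinting phase runs
);
CREATE TABLE probe (
    ip        TEXT NOT NULL REFERENCES host(ip),
    stage     INTEGER NOT NULL,   -- 1 = ICMP, 2 = TCP SYN, 3 = UDP, 4 = banner grab
    method    TEXT NOT NULL,      -- e.g. 'icmp-echo', 'tcp-syn/80'
    responded INTEGER NOT NULL,   -- 1 if any reply at all was seen
    detail    TEXT                -- TCP flags, banner text, etc.
);
"""

# Constructed sample: three hosts behind one gateway.  10.1.0.7 filters ICMP
# but replies to TCP, so an ICMP-only sweep would have missed it.
SAMPLE_HOSTS = [
    ("10.1.0.5", "10.1.0.1"),
    ("10.1.0.7", "10.1.0.1"),
    ("10.1.0.9", "10.1.0.1"),
]
SAMPLE_PROBES = [
    ("10.1.0.5", 1, "icmp-echo",  1, "echo-reply"),
    ("10.1.0.5", 2, "tcp-syn/22", 1, "SA"),
    ("10.1.0.5", 4, "banner/22",  1, "SSH-2.0-example"),   # constructed banner
    ("10.1.0.7", 1, "icmp-echo",  0, None),
    ("10.1.0.7", 2, "tcp-syn/80", 1, "SA"),
    ("10.1.0.7", 2, "tcp-syn/22", 1, "RA"),   # a RST still proves the host is up
    ("10.1.0.9", 1, "icmp-echo",  0, None),
    ("10.1.0.9", 2, "tcp-syn/80", 0, None),
    ("10.1.0.9", 3, "udp/53",     0, None),
]


def load(conn, hosts, probes):
    """Create the tables and insert host and probe rows."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO host(ip, gateway) VALUES (?, ?)", hosts)
    conn.executemany("INSERT INTO probe VALUES (?, ?, ?, ?, ?)", probes)
    conn.commit()


def alive_hosts(conn):
    """{ip: [methods that drew a reply]} - live means ANY stage answered, not only ICMP."""
    rows = conn.execute(
        "SELECT ip, method FROM probe WHERE responded = 1 ORDER BY ip, stage, method"
    )
    out = {}
    for ip, method in rows:
        out.setdefault(ip, []).append(method)
    return out


def silent_hosts(conn):
    """Hosts that answered nothing in any stage (candidates for a later re-probe)."""
    rows = conn.execute(
        "SELECT ip FROM host WHERE ip NOT IN (SELECT ip FROM probe WHERE responded = 1) "
        "ORDER BY ip"
    )
    return [ip for (ip,) in rows]


def lgl_ncol(conn):
    """Edge list 'gateway host', one edge per line, for live hosts only."""
    rows = conn.execute(
        "SELECT DISTINCT h.gateway, h.ip FROM host h JOIN probe p ON p.ip = h.ip "
        "WHERE p.responded = 1 ORDER BY h.ip"
    )
    return "".join(f"{gw} {ip}\n" for gw, ip in rows)


def build_sample_db():
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    load(conn, SAMPLE_HOSTS, SAMPLE_PROBES)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for ip, methods in alive_hosts(db).items():
        print(ip, "alive via", ", ".join(methods))
    print("no response:", silent_hosts(db))
    print(lgl_ncol(db), end="")
```

Keeping one row per probe rather than one "alive" flag per host is the point: the evidence for each host (which stage answered, with what) survives into the fingerprinting and reporting phases, and the edge list for the map is just a query over the same data.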

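The thread also asks how to throttle a sweep to a bandwidth budget without an inline packet shaper, which is what a bandwidth option like scanrand's is for. As an added illustration of the mechanism (my own code, not scanrand's, and not a claim about how scanrand implements it), the following schedules probe packets with a token bucket: the bucket starts full at a burst size, each packet withdraws its size in bytes, and when the bucket is short the sender waits exactly long enough for the refill rate to cover the shortfall. Times are computed with exact fractions against a simulated clock, so the schedule can be checked offline; the byte sizes and rates are constructed values.

```python
"""Added example: token-bucket pacing of probe packets under a byte budget.
Simulated clock, exact arithmetic; sizes and rates are constructed values."""
from fractions import Fraction


def schedule_probes(n_probes, probe_bytes, bytes_per_second, burst_bytes):
    """Return the send time (seconds, as Fraction) of each of n_probes packets.

    The bucket starts holding burst_bytes and refills at bytes_per_second.
    A packet may go out as soon as the bucket holds probe_bytes.
    """
    if probe_bytes > burst_bytes:
        raise ValueError("burst must hold at least one probe")
    rate = Fraction(bytes_per_second)
    tokens = Fraction(burst_bytes)
    now = Fraction(0)
    times = []
    for _ in range(n_probes):
        if tokens < probe_bytes:
            wait = (probe_bytes - tokens) / rate   # time for the refill to cover the gap
            now += wait
            tokens += wait * rate                  # bucket now holds exactly probe_bytes
        tokens -= probe_bytes
        times.append(now)
    return times


def max_bytes_in_window(times, probe_bytes, width):
    """Largest number of bytes sent in any half-open window [t, t + width).

    Only windows starting at a send time need checking, since packets are points.
    A token bucket guarantees this never exceeds burst_bytes + rate * width.
    """
    best = 0
    for start in times:
        n = sum(1 for t in times if start <= t < start + width)
        best = max(best, n * probe_bytes)
    return best


if __name__ == "__main__":
    # Constructed budget: 40-byte probes, 400 B/s sustained, 80-byte burst.
    times = schedule_probes(20, 40, 400, 80)
    print([float(t) for t in times])
    print("worst 1s window:", max_bytes_in_window(times, 40, 1), "bytes")
```

With these numbers the first two probes leave immediately (the burst), then one every 0.1 s; the busiest one-second window carries 440 bytes, which is the expected bound of burst plus one second of refill, so the sweep's load on a link is predictable from two parameters rather than from whatever the network happens to absorb.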

