Penetration Testing mailing list archives
RE: OT: the detection of illegal gateways
From: "Ward, Jon" <Jon_Ward () syntelinc com>
Date: Tue, 25 May 2010 15:27:59 -0400
I like the traffic analysis idea mentioned below. It's not enough to conclusively determine that there is no additional connection there, but it could certainly give you some places to begin investigation.

If it were me, I'd start with gathering complete network inventory information. It's easily attainable and once you have a complete inventory, you can analyze the information in many different ways. A complete inventory is a great launch pad for additional information gathering.

1.) Get the MAC address of each node on the network. The first half of each MAC address is vendor specific. These could give you clues. If you see a Cisco NIC, for example, where you know that your organization uses 3Com NICs in your systems, that might be a good place to look. If you can connect to each of your organization's switches, these will be readily available, and reliable. If it's not in your switch's MAC table, it's probably not getting any frames. Perhaps a quick shell script to loop through an IP address range and ARP each would give you what you need. Keep in mind that you'll need to launch the arp command from a node on the target subnet. If not, everything will point to your next hop router. If you're in a Windows environment, try nbtstat.

2.) nmap has some features that could help. The standard "nmap -sS -v -O 172.16.0.0/16" CL will give you lots of info to weed out the majority of PCs, servers and printers. Maybe use -PO to scan for IP addresses that have certain protocols enabled that most hosts do not (http://nmap.org/svn/nmap-protocols). Check out other capabilities that could point out differences between hosts.

3.) Remember that almost any host on a network could have routing capability, so don't eliminate them as possible offenders too early. The connection that you seek may be on the other side of a Windows or *nix machine. It may prove beneficial to retrieve the routing table from each host (e.g. "ROUTE PRINT" at a Windows CL will show the interfaces and routes for that host).

4.) If these pathways are being established covertly, they may be more difficult to detect as they may not be physical devices or connections. It is pretty easy to set up an encrypted tunnel through a proxy server and firewall and use a virtual interface that routes through this tunnel. You could retrieve processes from each host and examine/scan each list. It might be easier to generate a packet that will be routed to an internet IP (send spoofed packets to every internal host that will be responded to via the internet).

My suggestion is to gather as much information as possible and let your analytic creativity run wild. Don't forget to consider your goal in finding these gateways, because the amount you can spend on this defense is limited by what/how much your organization could potentially lose. Are you trying to manage traffic and network costs? Are you trying to eliminate paths for bad guys to get in? Are you trying to eliminate paths for information to get out unchecked? Trying to keep employees from looking at porn? The implication is that some methods are easier than others, and some are more thorough and effective. Some are more expensive and time-consuming. How far do you want to go? How much is it worth to you?

Jon Ward, CEPT, CISA
Vulnerability Testing Technical Lead
Syntel, Inc.
Jon_Ward () syntelinc com
Cell: (773) 680-8090
Office: (901) 748-3625

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Lee
Sent: Saturday, May 22, 2010 9:43 AM
To: J Hein
Cc: pen-test () securityfocus com
Subject: Re: OT: the detection of illegal gateways

There's been a lot of good suggestions for finding 'illegal' routers. The two I like the best are:
5) talk with purchasing dept and give them 'keywords' that they can use to look through purchases to see where an internet connection may have been purchased with a corporate credit card ...

7) if all internet traffic is supposed to pass through an internet firewall or proxy, look for "lack of traffic" from IP blocks on your WAN. Even a regular windows machine sitting at rest is sending out queries to windows update, NTP, DNS, etc.

What I haven't seen mentioned yet is using Netflow to report on layer 2 traffic. If you're ok with writing your own software & the customer has the right hardware you could try modifying the cisco TCL Portscanner (http://www.packetlevel.ch/html/cisco/ciscotcl.html) to loop thru all addresses on the user subnet doing an

    ip route $internetWebServer 255.255.255.255 $host
    connect $internetWebServer 80
    no ip route $internetWebServer 255.255.255.255 $host

to find the 'illegal' routers.

Regards,
Lee

On 5/17/10, J Hein <j.hein () ymail com> wrote:
hi all, this post might be somewhat off-topic, so please accept my apologies first.

I have a somewhat difficult problem to crack - there is a large corporate network which covers several Nordic countries, and unfortunately there have been cases in the past where a device with routing capability has been plugged into the network (for creating a "faster" connection to the internet for a branch office). Because this violates corporate policies and creates "invisible" entry points to the internal network, I have been given a task to find suitable software for finding such kind of illegal routers.

Are there any good products for detecting illegally installed boxes with a routing capability? One of my fellow consultants suggested IP Sonar (by Lumeta) for this purpose which (as he claims) has been successfully used by BT in the past. From the product description I've got an impression that IP Sonar cleverly uses traceroute for detecting routers that illegally exchange information between internal networks and the internet (so called "network leaks").

I understand that router detection is a complex issue, and in order to address this problem fully, one needs to analyze traffic that flows through all key routers and switches in the whole corporate network. Unfortunately, since the deployment of such a monitoring system takes a lot of time, I'd like to begin with a relatively simple solution which attempts to locate network leaks by polling the network from a few points only (like IP Sonar does, using traceroute for that purpose).

Can anyone recommend any such commercial or open source tools? (open source utilities would actually be my preference :) Also, what is your experience with IP Sonar -- is it really good stuff?

Thanks in advance :)

-- jhein
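Two of the heuristics in this thread (Jon's MAC-vendor inventory from an ARP sweep, and Lee's "lack of traffic" through the proxy) can be combined into a first-pass triage list. The script below is an added example, not code from any poster; the ARP table, the approved-OUI list and the proxy log lines are all constructed, and the OUI-to-vendor names are placeholders to be checked against the IEEE registry.

```python
import re

# Constructed sample in the style of Linux `ip neigh` output from a node on the target subnet.
ARP_TABLE = """\
10.20.0.1 dev eth0 lladdr 00:1b:d4:aa:bb:01 REACHABLE
10.20.0.15 dev eth0 lladdr 00:1e:c9:10:20:30 REACHABLE
10.20.0.23 dev eth0 lladdr 00:1e:c9:10:20:31 STALE
10.20.0.77 dev eth0 lladdr 00:14:22:de:ad:01 REACHABLE
10.20.0.120 dev eth0 lladdr 00:1e:c9:10:20:44 REACHABLE
10.20.0.200 dev eth0 lladdr 00:90:4b:fe:ed:99 REACHABLE
"""
# Constructed: OUIs (first 3 bytes of the MAC) of NIC vendors the organisation actually buys.
APPROVED_OUIS = {"00:1e:c9": "VendorA", "00:14:22": "VendorA", "00:1b:d4": "VendorB (core router)"}
# Constructed proxy log excerpt: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
1274800001.123 10.20.0.15 GET http://windowsupdate.example/ 200
1274800002.456 10.20.0.23 CONNECT ntp.example:123 200
1274800003.789 10.20.0.77 GET http://dns.example/ 200
"""

def parse_arp(text):
    """Map IP -> lower-case MAC from `ip neigh`-style lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"(\d+\.\d+\.\d+\.\d+) .*lladdr ([0-9a-f:]{17})", line, re.I)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def unknown_vendor_hosts(arp):
    """Hosts whose OUI is not one of the organisation's known NIC vendors (Jon's point 1)."""
    return {ip: mac for ip, mac in arp.items() if mac[:8] not in APPROVED_OUIS}

def silent_hosts(arp, proxy_log, known_gateways=()):
    """Hosts alive in ARP that never appear as a proxy client (Lee's 'lack of traffic')."""
    seen = {line.split()[1] for line in proxy_log.splitlines() if line.strip()}
    return sorted(ip for ip in arp if ip not in seen and ip not in known_gateways)

def triage(arp_text=ARP_TABLE, proxy_text=PROXY_LOG, known_gateways=("10.20.0.1",)):
    """Return {ip: [reasons]} for hosts worth a closer look; the sanctioned gateway is excluded."""
    arp = parse_arp(arp_text)
    findings = {}
    for ip, mac in unknown_vendor_hosts(arp).items():
        if ip not in known_gateways:
            findings.setdefault(ip, []).append(f"unknown NIC vendor OUI {mac[:8]}")
    for ip in silent_hosts(arp, proxy_text, known_gateways):
        findings.setdefault(ip, []).append("alive on LAN but no traffic via proxy")
    return findings
```

A host that trips both checks (here 10.20.0.200) is the natural first candidate for pulling its routing table, as the thread suggests.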
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org
------------------------------------------------------------------------