Port Scanning Without Sending Packets

Video thumbnail (Frame 0) Video thumbnail (Frame 856) Video thumbnail (Frame 2021) Video thumbnail (Frame 4278) Video thumbnail (Frame 5227) Video thumbnail (Frame 6412) Video thumbnail (Frame 7546) Video thumbnail (Frame 10521) Video thumbnail (Frame 11535) Video thumbnail (Frame 12705) Video thumbnail (Frame 16021) Video thumbnail (Frame 18330) Video thumbnail (Frame 22304) Video thumbnail (Frame 23182) Video thumbnail (Frame 24280) Video thumbnail (Frame 25714) Video thumbnail (Frame 27723) Video thumbnail (Frame 28861) Video thumbnail (Frame 30281) Video thumbnail (Frame 31457) Video thumbnail (Frame 32344) Video thumbnail (Frame 33200) Video thumbnail (Frame 38347) Video thumbnail (Frame 39565) Video thumbnail (Frame 40459) Video thumbnail (Frame 42560) Video thumbnail (Frame 44069) Video thumbnail (Frame 45975) Video thumbnail (Frame 48749) Video thumbnail (Frame 50733) Video thumbnail (Frame 52745) Video thumbnail (Frame 54662) Video thumbnail (Frame 56942) Video thumbnail (Frame 60354) Video thumbnail (Frame 61205) Video thumbnail (Frame 63505)
Video in TIB AV-Portal: Port Scanning Without Sending Packets

Formal Metadata

Title
Port Scanning Without Sending Packets
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
Gregory Pickett - Port Scanning Without Sending Packets https://www.defcon.org/images/defcon-19/dc-19-presentations/Pickett/DEFCON-19-Pickett-Port-Scanning-Without-Packets.pdf https://www.defcon.org/images/defcon-19/dc-19-presentations/Pickett/DEFCON-19-Pickett-Resources.pdf With auto-configuration protocols now being added to operating systems and implemented by default in your network devices, hosts are now actively advertising their available attack surfaces to anyone listening on the network. By collecting background traffic on the network, and analyzing it, we can perform a host discovery, a port scan, and a host profile which even includes configuration information; all without sending any packets. This means that threats both inside and outside your network can assess and target your network hosts silently without leaving a trail. In this session, we'll start out by covering what makes this all possible, then examine typical network traffic to see what is made available to us, end up using several brand new tools that I have developed to utilize this information in an actual attack against a vulnerable network host, and finally finish our time discussing what you can as a network defender do about it. Gregory Pickett CISSP, GCIA, GPEN, also known as rogu3ag3nt, is the lead Intrusion Analyst on the Abbott Laboratories Network Security team by day and a penetration tester for Hellfire Security by night. As a penetration tester, his primary areas of focus and occasional research are network and host penetration testing with an interest in using background network traffic to target and exploit network hosts using their own traffic against them. He holds a B.S. in Psychology which is completely unrelated but interesting to know. While it does nothing to contribute to how he makes a living, it does demonstrate how screwed up he actually is.

Related Material

Video is accompanying material for the following resource
Bit Information security Information security
Enterprise architecture Software Lipschitz-Stetigkeit
Statistics Variety (linguistics) Source code Directory service Mereology Event horizon Neuroinformatik Type theory Process (computing) Software Different (Kate Ryan album) System identification Determinant Window
Peer-to-peer Direct numerical simulation Addition Service (economics) Software Information Interface (computing) Image resolution Configuration space Bit Mereology Communications protocol
Dataflow Dependent and independent variables Information Image resolution Dependent and independent variables Image resolution Uniqueness quantification Multiplication sign 1 (number) Bit Distance Direct numerical simulation Category of being Software Query language Operator (mathematics) Local ring Address space Row (database)
Direct numerical simulation Addition Implementation Distribution (mathematics) Service (economics) Software Information Data storage device Number Row (database)
Point (geometry) Service (economics) Local area network Code 1 (number) Unicastingverfahren Parameter (computer programming) Direct numerical simulation Selectivity (electronic) Address space Software development kit Addition Dependent and independent variables Information Uniqueness quantification Electronic mailing list Menu (computing) Bit Instance (computer science) File Transfer Protocol Type theory Message passing Pointer (computer programming) Software Query language Order (biology) Window Row (database)
Point (geometry) Service (economics) Information Code Digitizing Workstation <Musikinstrument> Artificial neural network Generic programming Instance (computer science) Flow separation Neuroinformatik Band matrix Direct numerical simulation Pointer (computer programming) Cuboid Right angle Window Row (database) Physical system
Group action Information Interface (computing) Right angle
Group action Dependent and independent variables Service (economics) Information State of matter Maxima and minima File Transfer Protocol Word Software Query language Core dump Speech synthesis Software testing Codec Quicksort Address space Resolvent formalism
Direct numerical simulation Group action Goodness of fit Link (knot theory) Software Computer configuration Utility software Parameter (computer programming) Address space
Dialect Enterprise architecture Dataflow Group action Game controller Bit rate Software Structural load Quadrilateral Maxima and minima Resultant
Service (economics) Software Port scanner Codec
Direct numerical simulation Service (economics) Software Information Electronic mailing list Configuration space Computer network Configuration space Open set Product (business) Row (database)
Direct numerical simulation Service (economics) Link (knot theory) Bit rate Surface Electronic mailing list UDP <Protokoll>
Process (computing) User interface Artificial neural network Java applet Bit Software testing Arithmetic progression
Point (geometry) Dataflow Presentation of a group Multiplication Service (economics) Demo (music) Information Multiplication sign MIDI Electronic mailing list Bit Bookmark (World Wide Web) File Transfer Protocol Data stream Type theory Software Radio-frequency identification Password Telecommunication Configuration space Software testing Routing Address space
State observer String (computer science) Cuboid Configuration space Airfoil
Service (economics) Mapping Multiplication sign Set (mathematics) Student's t-test Web 2.0 Direct numerical simulation Software Query language Network topology String (computer science) Right angle Quicksort Information security
Computer virus Implementation Server (computing) Service (economics) Information Uniqueness quantification Direction (geometry) Workstation <Musikinstrument> Set (mathematics) Plastikkarte Bit Cartesian coordinate system Type theory Category of being Different (Kate Ryan album) Videoconferencing Configuration space Cuboid Local ring Fingerprint Row (database)
Building Implementation Service (economics) System administrator Workstation <Musikinstrument> Maxima and minima Network-attached storage Neuroinformatik Web 2.0 Revision control Direct numerical simulation Casting (performing arts) Cuboid Endliche Modelltheorie Curvature Maß <Mathematik> Fingerprint Identity management Multiplication Matching (graph theory) Information Hoax Image warping Bit Database Color management Social engineering (security) Uniform resource locator Configuration space Right angle Communications protocol Row (database)
Domain name Dataflow Dependent and independent variables Game controller Graph (mathematics) Local area network Multiplication sign View (database) Weight Source code Limit (category theory) Broadcasting (networking) Type theory Digital photography Bit rate Personal digital assistant Intrusion detection system Boundary value problem Router (computing) Communications protocol Local ring Row (database) Physical system Directed graph
Purchasing Axiom of choice Game controller Block (periodic table) 1 (number) Virtual machine Online help Bit Cartesian coordinate system Computer configuration Personal digital assistant Right angle Quicksort Physical system
Onlinecommunity Time zone Game controller Server (computing) Local area network Firewall (computing) Electronic mailing list Bit Flow separation Antivirus software Virtual LAN Process (computing) Software Operator (mathematics)
Covering space Scripting language Authentication Enterprise architecture Group action Dependent and independent variables Service (economics) Electronic mailing list 1 (number) Planning Cartesian coordinate system Element (mathematics) Degree (graph theory) Direct numerical simulation Data management Software Convex hull Router (computing) Resolvent formalism Row (database)
Authentication Game controller Mechanism design Dependent and independent variables Service (economics) Integrated development environment Software Image resolution Configuration space Communications protocol
Enterprise architecture Default (computer science) Slide rule Service (economics) Information Electronic mailing list Product (business) Revision control Software Hash function Authorization Website Quicksort Communications protocol Spacetime
hello everyone and first off I want to thank you for coming out in this early on a Sunday morning especially since many of you have been engaged in quite a bit of drinking here today at in many days here prior at Def Con so it's thank you for coming out making it out this early Oh louder is that better okay all right so today's talk is port scanning without sending packets my name is
Gregory Pickett with Hellfire security this is a short overview of the talk
today we'll start with how this all got started or how I ran across this followed by it's really not a magic trick it is actually pretty straightforward next is loose lips sink ships because ultimately it is what average it is what is advertised on the network that allows us to do what we're going to do today and that next is catch me if you can and finally we're going to go back to the future or how to ultimately mitigate this risk in an enterprise all right so we'll start with suppose you have this guy on your network you really don't know what
you're going to get right well and this
guy is involved in some suspicious possibly malicious activity on your network how do you identify me as
intrusion analyst I have a three-step process in approaching events characterizing the activity profiling the hosts involved and using that to make a determination as well as to select next steps when profiling it is important for me to be able to identify my source and that often begins with a host name names are one way to quickly categorize a host as an asset or an intruder and can often lead to an easy identification of the source for the most part window windows hosts are rather easy I just run MBT stat against the host and utilize you know the ending or netbios name service to get a host name but what about linux and what about apple computers and there are a whole lot more out there different types of hosts like printers and a variety of different networking appliances so this is the problem that I had as an analyst and the question that i was looking to answer now when i began to look for my
answer as an intrusion analyst i'm looking at the network quite a bit and I was examining the traffic that was flown to my interface and I saw quite a bit of multicast that I was not familiar with now the interesting thing about this multicast was that there was a tremendous amount of name information and I was very excited of course because this was something that looked like it might be an answer to the problem that I was having so I went ahead and did a little research on this multicast and this is what i found it is multicast or
was multicast dns and the purpose of multicast DNS is peer-to-peer name resolution it does have a history multicast DNS is the successor to appletalk named binding protocol and it was eventually added to Apple zero configuration networking initiative now in addition to multicast DNS being part of this initiative there was also an addition by Apple of DNS SD vm multicast or dns service discovery the via multicast to the initiative to allow for peer-to-peer service discovery in addition to the name resolution all right so you can begin to see how this is going to look the features well it is
DNS just running over multicast each host participating in multicast DNS maintains its own local domain and queries and responses are sent to the multicast address / UDP port 53 53 so that all participating hosts can answer queries sent and all participating hosts can update their dns cache with the responses that are returned ok everyone is aware of the resolution that other ones are making their able to update their cash so that they don't have to duplicate that's weird activity so you see a lot of flow of information a lot of questions being asked and answered over the multicast ok now there are a few basic operations
that these hosts engage in and this is important when we take a look a little bit about how this information flows of the network later on first off there's the probe the probe basically is a situation in which there is a record that this host is going to contain and it wants to establish this as a unique record so goes having probes in a very much like a you cotuit as ARP to make sure that this host distance record is actually going to be unique followed up by an announcement to let everyone on in the local community of those participating in the multicast DNS community that these are the records that I'm going to be holding and these are going to be the unique records as well as any shared records should records are very special they are something what can be looking a little bit more later on and what we do rely on alright so once it's done this announcement it then engages in the query and responding to queries there's some information there you take a look at that later either basically specific properties about that activity to identify these sorts of operations and finally there is a good bye in the multicast DNS there are unique as well as shared records with unique records are not unlike traditional DNS there is a time to time to live so that if it's unique record and timely expires everyone realizes this is no longer valid and they they dumped the record however if you have a community where multiple hosts are sharing or all you know that i have this record contained on their host would it expire if one member decides to no longer participate well it would not because we have a lot of other holes that are maintaining that record that shared record so you want to make sure you say goodbye so that the hosts out there know that you are no longer you will no longer be responding for this record no one will be responding to quarters for this record so it's been way to drop out when you are sharing records with others all right I want to take a look quickly
at some implementations of multicast DNS and this is important when we look at some things later on first off it was all started by Apple of course people who are with RFC are from Apple but it was picked up by avahi and you find this service available as developed by avahi and a great number of linux distributions now and then more surprising than that is actually there are tremendous amount of implementations on networking appliances I believe even tivo joining this so tivo you have network attached storage cameras any number multiplied and divided printers everything is seems to be loaded with this now okay now these are just a
little example of method talk about this were just looking at the records that are utilized or keen on these hosts these are names for the hosts and also you know services service records service records to be utilized in the dns service discovery okay also in addition there is txt record unlike traditional dns service record in multicast dns is pair of the txt record to give some information about how that service is configured for any host that wishes to utilize that service they can look at that record in know exactly what they'll be dealing with and then there is the H info record also utilized in multicast inas ok now the for move on it
is important to provide some additional information regarding a dns service discovery as it is very important to what I'm about to show you host participating in multicast DNS are often participating in DNS service discovery as well and this is a little bit about what these hosts are doing and what we will take advantage of later on first off dns service discovery is not unique to multicast dns it works over standard and multicast dns however when it operates over multicast dns it's fully compliant it is involved in continuous querying because if a user wants to utilize or piece of software wants to utilize one of the services available out there it wants to make sure that the list that it has to select from is fresh it is valid so it doesn't constantly be worrying and collecting responses in order to make sure that that list is valid now it's important to keep in mind when you're dealing with multicast DNS of shared records because shared records in DNS service discovery are basically you have situation in which let's say you have a community of hosts participating in multicast DNS and also dns service discovery and of those that say you have five that offer ftp services those five will actually share the pointer record for the ftp service so when this pointer record when someone actually queries the community for upon record these these host these five holes will return a response to that query with a pointer pointing back though not lesion on the shared record pointing back though in each instance to their own deployment of them so each host will point back to their particular instance so that the software or the user making the selection and can then you know have the records available or can go get the records available to utilize any particular service that they decide that they want to use on the ones that return a response ok so these point of records that well shared among those five point back to unique service and txt records they each host will then have to make available so that you figure out about that service engines and you'd like utilize it ok all right so when I saw
this I was pretty excited you know I had an additional way to profile my hosts quickly like I was often able to do with windows house and so I created a tool called mdns hostname the parameter there it does a reverse lookup of the ipv4 address I did repurpose some code that was designed for traditional or conventional DNS so it basically just does a kit is the same message but sends it to UDP port 53 53 so operates using a basically unicast legacy query to UDP port 53 53 of the target in addition well I was looking through these these records that i was seeing over you know being advertised or multicast there i saw a lot of about informational types of Records and begin to identify some unique things about these hosts that were responding and you'll delivering these these records over the local network said well let's go ahead and make a tool to take a look at those records so I can maybe once i get the hostname i can go ahead and find out little bit more about the house continue the profiling so i made em DNS lookup there's the parameters there now it's important to realize that it submits the question is given if you fat fingered or screwed up you're out of luck so if you don't get an answer especially in situations when you were expecting an answer go ahead and reevaluate that to make sure that your your question is correct and it also operates using a unicast legacy query to UDP port 53 53 the target I'm going to
go ahead and do a demonstration of that real quick if I have a host here oops
that was weird alright so
I'm going to start off by asking this house let's say this is one of this dishes hosts that I'm investigating I'm going to ask it its name and there goes you return the name pretty quickly and apparently its name is Ubuntu i'm guessing you know what operating system at is right there's a lot of information in the name so let's go ahead and take a look at the host let's say that you okay you may suspect it's a linux box but maybe you don't maybe it's some kind of generic name like Bob's computer all right so you want to maybe explore with all the records that this will respond to to get a better idea what you're dealing with the same target I'm going to go and ask it if it's running the workstation service using the pointer record on that service and I'm going to make sure that it knows that I want the pointer okay there we go you return the point of record it also returned several other records multicast DNS is very what conserves bandwidth and when headed packaged a couple other digital records in there that it may that it thinks that I may want later so might as well given it to me now in the same packet it's giving me most likely this service in the text records to go along with it so that once I point to that unique instance you know I might ask those records is going ahead and giving them to me now the blank and one is most likely n sec and that's because I didn't write any code to parse 10 sec so if his blankets probably in second and then finally it went ahead and gave me the a record as well so I can follow up and then you know directly address the service on that port okay so quickly you know we went over this and I was of course when I did all this I was very excited because windows boxes of course is a lot out there but there's a lot that are not windows and so this allowed me to address a gap that I had okay
but I had a question for myself here I said isn't this just formed them in my interface on its own I never joined any groups I never sent any packets on anybody saying you know add me to this group throughout the local you know Robert add me this to this group so I said okay you know I could really you
know do some cool things with this all this information flowing to me all right
but what could I do i also have a background as a penetration tester so for me this was great information gathering right if there is a host advertised in any sort of information speaking at all on this multicast address I immediately knew the core state was live okay and if there were any hosts out there that were responding to queries for services I could pretty much write down okay that host says he has ftp I'm gonna take him at his word got ftp this guy says he's got ftp the great so i can take all this information and I can pretty much recorded and in essence do a port scan and that's what we'll be doing in just a minute alright
but there are some requirements you must have active responders someone has to be offering out there someone's gotta have services available you also must be connected to the same switch as other resolvers someone's got out there asking but if you must you can join the group and of course it works best on a busy network because you need hosts out there asking a lot of questions so that you can collect the most answers so first
cool thing host discovery I'm all excited I want to use this on the network I want to see what's out there was advertising so their other parameters and the guinea good discovery tool you are able to give this this utility arrange that you're interested in it reports on any host communicating to the multicast address for multicast DNS it does not join the group but it does have the option so it's do a quick
demonstration of that I believe my traffic is still playing I
started some traffic at the beginning originally I had some traffic that I
recorded from a very large enterprise network seen the group's the fortune groups there i want to say which group but so I recorded that but then I want to hit listen down the hotels or a wired network and with my tools and lit them up so I went ahead and recorded well crap load of i can say that of a package off that work and i'm going to replay that i actually have been replaying it so let's go ahead and on this first tool mdns discovery there you go now this is being played back so the rate of discovery is artificial ok you do not have control when you're actually using it live on who's asking questions when they ask questions and who responds so it can be very erratic very regular flow but you can see there are a lot of hosts out there weren't there at this hotel advertising Here I am you know you're on come get me okay is this sound still
good okay the end result of course is
completely silent passive host discovery and the network guy is very unhappy very happy okay but wait there is more second
cool thing port scanning okay the gym at host performing in essence port scans or actually you're asking one question for one service it's more like a service discovery with one packet couldn't I perform a port scan with no packets just listening and that's right so multicast
DNS also running a DNS service discovery is two products two products and one is it magic nope it's apples zero
configuration networking Thank You Apple so let's do this dns service discovery
occurs continuously over the network want to make sure for the user or for the software itself wants to make sure that that list is fresh so it's continually discovering this information out there making sure that this is fresh for the software for the user so listen for it over multicast DNS the you know the dns service discovery traffic don't rely on known service records it's a very long list it's too limiting when a host responds to a discovery request for all of the SRV or service record ports in it supplies as ports open on that host okay so i'm still excited and
coding late into the night to make rate mdns scan my like any good port scanning tool it allows you to select a range major interested in as well as any particular service ports that you're interested in currently over 22 services i shouldn't say currently 22 services over 18 ports have been identified and you using this method many more impossible as I said based on that exhaustive list that they have for our dns service discovery is one of the links that i have that on refers you to that list of all the different surfaces out there they're supposedly available somewhere and findable you know using dns service discovery now this tool does not join the group either do a quick
demonstration and our good friends the
hotel here i'm gonna go i'm going to go
ahead and leave it open here we go this is once again an artificial flow rate but you can see that there's quite a bit out there okay
now i'm going to go ahead and show you one more and stop this real quick and show you a demonstration that i recorded because traditionally we talking about penetration testing you talking about hacking in general this is not the progression whether i should say there is a certain progression you take in that process and so i decided to go and take these tools and utilize them in that process so i utilize in basically
in a typical penetration testing
scenario so i decided to go ahead and leave it open there a run emptiness discovery to see what host are out there basically just to get an idea of what I have to work with who's advertising out there once again come get me and you can make it look at that list and there's not a lot of information I but I think that ultimately what you want to do is find out who is the most active because it's very likely than they have the most services out there okay so you go to that list and when you come across one that interests you either you're just randomly picking it out or because it's just got a lot of communication flowing over the multi has address which hopefully will translate or means there's a lot of services available you go ahead and go and stop that stop that right here and now that's a real flow there so you saw alive how quickly these hosts are communicating and advertising and how much they're advertising to you alright so I'm going to go into ask and I'm going to target that host but leave open the ports because I kind of want to all all of what's available and this takes a little bit of time though because I'm once again relying on someone to be asking the question out there so I can hear the answer there we go nope not yet I'm actually I am actually going to be stopping this halfway through because I am able to actually compromise our host realizing these tools very ninja you know go in there very quickly and since there was no active flows from me is able to get into pretty quickly and take the host and actually at a certain point there is a lot of information revealed that pretty much opens up the the network for me and I want to stop the demo before you guys see that all right so we got FTP HTTP oh my one of my favorites tell them we'll let it keep going there because maybe we can get a better idea of what type of host it is by the ports that are open waiting there you go 631 i believe is IPP can be wrong now let's get those mixed up so it possibly printed in phi 15 lpr believe and looking a lot more like a printer did anyone here see the presentation on using the multifunction printers to own the network yeah that's this is beginning to look a lot like that 90 100 PDL data stream pretty sure there's a burner ok so i'm going to go and try some of those services to see if i'm able to get in and i'm pretty cheeky so i'm going to actually use route what the hell start out there and see if i'm able to get in what do you know i'm l get get able to get in with no password someone had not set the password on this printer wasn't telling that open it was Wow and what it tells me it kind of already knew it was not set the password but there it is and that gives you a couple of things to start with their the commands and then of course what do you know dump the config you probably didn't see that it was rather fast I'm going to stop that right now and that is because after I
saw all the commands just to get an idea of what i could do with the box like to play with these things then I want to end up the config and what I ended up seeing was the SNMP community strings read and write so one host as it does in many compromises gave me hundreds based on the advertising that was seeing and some other observation i was doing earlier and this is why many compromise many compromises no matter you know how minor can ultimately be devastating a one-house let unsecured because no one really cared much about it he thought it was pretty instant again can lead to a host that is significant ok very important all right let's go ahead and continue here demonstration and I wanted quickly
to take a look at comparing lien active scan versus this sort of this type of passive scan this is what our sensor see in a typical active scan and it's our end map user there it lights than IPS up like a Christmas tree this is not even all of the students that fired and what
do our network censors see there's me there during this passive scan they see absolutely nothing okay so what does
this mean completely silent passive port scans there were security guy they are still very unhappy okay now the reason why of course that this is not picked up is because any traffic flowing from your host would be very customary and wouldn't set you apart from others on the network assuming you're not doing anything else you know that would set anything off if you just do a typical web browsing which is of course ultimately it's just a DNS query and you know some HTTP traffic so wouldn't appear suspicious or malicious in any way and know if you're not accepting any attack behavior then of course it would not trigger any alarms alright and this doesn't that do that now this does not get everything out there alright but we'll get you some of the most vulnerable hosts because if they do not take the time to turn off or very sanitized multicast DNS and the service discovery happening over using DNS SD then probably they didn't take the time to harden them and we actually saw an example right there and I'll have you know that I was able to repeat the example over and over and over again you know without of course those SNMP community strings right okay
so as I said to myself there was a lot more goodies weren't there right so what else could I do well first off we know from before that there are unique implementations all right if you look a little bit more what's being advertised you realize there are unique records meaning that different device categories contain different records that are unique to the epic type of device type printers would have those printer records right dealing are dealing with you know printer services 5 on 5 6 31 and 9100 but if you look even further you realize there are unique sets so that not only are you going to find a unique type of record on a device type you are going to find actually a particular set that you will find only on a particular virus type made by a particular manufacturer so could this be used to fingerprint toast yes yes it
could if you have services dns SD UDP local and you have work stations tcp local and in particular the service record then you pretty much dealing with a linux box if you have the services dns SD UDP local AFP over tcp tcp local and that's the server send txt record you know on that host and as well as a device info tcp local txt record and guess what you probably have an apple post printers printers will have IPP printer and one of the three and i find in particular that HP does a HP direct cards have all three now if you have black armor for the info the UDP local black I'm afford the config TCP local service and txt records you know only dealing with a attached origin as but you're also dealing with one specifically from seagate IP cameras if you have a host with the excess video TTP local service record on it you pretty much done with an IP camera and you are dealing with an axis IP camera the very specific in that name right but there's actually little
bit more because we talked a little bit about dns service discovery earlier and in dns service discovery there is that service record which is in or not unique to multicast dns and dns service discovery / or via multiple casting as there's also the txt record which always accompanies it and that's very particular to dns service discovery so not only do unique recordsets allow you to fingerprint participating hosts but information in these records that specifically the text records deliver configuration information to you and here are some examples we have a linux box there in the txt record for the workstation service you have some information there not a lot but it does confirm that we're dealing with an IE implementation of multicast dns on the Apple computer there in the device info txt record there is if you look right down toward the what says model right there it tells me exactly what model of Apple this is this is a macbook pro 6.2 in the txt record for those printer sorry txt record for angeles printer services it gives you the den j'en it gives you the make model and version of the printer it gives you the admin URL they are nice enough to also give me the building it was in and the user was next to can anyone say social engineering all right so it's printer and then for the black armor for the info records the txt record that goes with that particular service record you get not only the device model and the vendor will we already knew a seagate from their unique record set that offered but it confirms here you also get the webui protocol and the web UI port thank you very much so someday I want to create a mdns
fingerprint and build a database of identifying recordsets collect all information records and organized by host right match against the database and then extract we can figure it from extract the configuration information so that can return the identity and configuration information for each host to the user of that tool okay but there
are some limitations multicast routers between the recipient and the source must be multicast enabled okay not such a big limitation it after all because this is most effective on your local network she's not really looking to go too far you're looking to basically you know rate burn and pillage your neighbors there so you know well not real worried about the router getting in the way mdns has some limitations as well if you talk about just querying just try and get that name you're just trying to ask it what records it has or see if it has a particular record there you are only going to get linked local responses and that's actually something that's designing the protocol itself and if your time what listening which is where the real fun is that you are limited by layer two boundaries the broadcast domain as well as the layer to broadcast domain as well as any view then containment that they've implemented okay now our next step of
course is to take a look and controls that are out already and what they see you know can they handle this can they cope with this first off we already know of intrusion detection prevention systems don't do anything in this to a case they don't see anything either ape is not going to really well it won't do anything for you because there are no sinks there is no single host where all the traffic is flowing through four to pick up and light up on that graph so oh sorry there are no traffic sinks you know there is no particular host that all the traffic is flowing through to show up on that graph you know the either it shows for you it gives you and of course there are no unusual flows to be picked up by net flow or stealthWatch you know there's no surge in traffic to your there's no unusual amount of traffic your host there is no traditional type of legworm activity where one host scans a whole bunch of them and then one of those hosts of skating a bunch of you know those there are no initial flows your photos look like everyone else is slow out there so it's not going to help you any so ultimately do they detect anything no they do not I've tried this of course I'm the wanted to make sure I did it before I came here because if i was wrong i'm sure one of you out there wouldn't would tell me right away all right so let's take a look next at some
defenses okay so maybe we can't see it can really stop it can it be stopped or will it be stopped well we talked about the host first antivirus anti-spyware and spam well the threat is really not on the host so there's nothing there for it to see the firewall in port blocking there is some option there you can pour block on the host 5353 but the thing is there are a lot of holes out there that are unmanaged all right I know you wish they all were but they're not people bring a lot of machines in either their machines that the company's purchase but no one's decided to inventory no one's decide to do and to the system they just cook them up there or overall you can use it for a little while right and it's there for three years and then of course there are a lot of devices out that don't have and user protection so you know you have the gap there so well it can limit your exposure a little bit it's just not a good choice and you really Alton I don't know what you going to break when you start implementing the sort of things and of course the intrusion prevention system doesn't help you any and application control device control and others aren't really relevant in this case okay alright so do
these help any no no they do not help
all right so we then look at you know
what is tradition thought of you know your defense on the network here firewalls well we're talking about listening on your your local network and firewall separate zones of trust I'm operating within a zone of trust so they would not be involved really you know network access control well to dinner at least the first gen network access control it's going to make sure that I patched and then I have an antivirus before I do all this to you do them which is nice of it makes you know it's very interested in my well-being but it's not going to help you in here x is control list there's a possibility there there is a good possibility there but i think that x is control this is probably not the best solution for this but if you have nothing else you can do that and but you do have to keep in mind what do you break out there all right and of course VLANs VLANs are great they're doing a great job out there you can contain the problem a little bit by walling off your servers from your your end user community but a lot of what is advertising out there is devices in the end user community so you really don't really completely solve the problem you do limit it somewhat the damage someone but you really don't fully address it so
how about these not really not really some covers there but really not the best solution for this what can we do
them well first off we want to work with igmp implement igmp snooping make me join the group make me notify myself or no it's myself in some way out there that that make me announce that i'm going to be listening and i'm participating and if you can authenticate group membership using iga p if it is available so the only valid or authorized listeners are out there participating and recourse or resolvers alright and also if you can track members this is actually a lot harder to do I look for some maybe some management applications out there that maybe would be able to help report on this or you know on the memberships in these groups but there wasn't really i saw it was very easy you had to basically go out to the routers and you don't get a manual list there maybe run a script sunk that to retrieve it but track the members so that you do know it was participating you're aware of what you have out there and now as far as multicast DNS is concerned so the first one was basically to deal with people listening out there on the network but how do you deal people who are advertising I think it's important to take the tools that I've developed and cuz i know that actually i've been doing to locate the NBN s responders out there disable the service if you can and if you can't harden the box in particular the services that are offered to make sure if you can also sanitize those records now we know of course that the enterprise is full we do the best we can full of very soft tender easy targets and it's very difficult to get people to stay on top of hardening the whole thing should our host their harden properly but at least if you are able to locate the ones that are advertising you can prioritize your efforts ok because they do present a much higher degree of risk because they are not just vulnerable but they're telling everyone around them a you come get me again once again oh that all right so altering the plan of attack is
hunt down mdns responders with these tools remove them or harden them and then implement any controls you have for multicast in your environment the igmp snooping that's for ipv4 MLD v2 and those environments that have implemented ipv6 implemented telecourse IG ap if you have it or any ipv6 multicast authentication mechanisms available and of course monitor find out who is out there participating ok before I go today
I'm going to mention a couple other protocols the simple service discovery protocol ssdp and a link-local multicast name resolution these are Microsoft's answer doesn't always have an alternate answer for zero configuration networking or the zero configuration networking that Apple came up with and both both less developed but still in use still see advertisement out there from SST host utilizing ssdp okay but my
final pots our hosts are now actively advertising they're available tax services to anyone listening on the network it's great for passive information gathering but it can be controlled to limit your exposure but ultimately this sort of activity is not for the enterprise the authors of the protocol say this in RFC they say this is for the home this is for the small business this is not the enterprise unfortunately as it occurs mostly in you know in the vendor space they're all competing I'll try to pile on and the most features they can so they are doing is they are putting these protocols and turn them on by default the putting these on their products and I don't think people are aware of it you know aware of this and so they're putting them these devices in the network and they're advertising so this is also not for the enterprise so you need to track this down and you need to squash it before it becomes a problem okay this
actually is the conclusion of my talk thank you for coming today there are a couple of slides like you there a couple slides here the md5 md5 hashes are the tools as well as the site to get the updates I don't think that the updated tools around the DVD because I updated the tools and look for a download and there was none so make sure you go out that site I'll put them up probably tomorrow go out to that side get them the list most up-to-date version some
links if you're interested in reading more about it so once again this is the end of my talk thank you for coming you
Feedback