DAVIX Visualization Bootcamp 25C3

Transcription

1 DAVIX Visualization Bootcamp 25C3 Visualize Your Network! Jan P. Monsch Marius Ciepluch About Your Hosts Jan P. Monsch DAVIX Project Initiator & Lead Engineer Marius Ciepluch DAVIX User & Workshop Assistant Senior Security Analyst Student in Security and Forensic Dublin City University Student in Computer University Lübeck

2 Workshop Preparation Get DAVIX Visit Download davix defcon16.iso.gz davix-manual pdf 25c3-workshop.lzm Recommended setup VMware Player or VMware Fusion Bridged or NAT networking Configure host to access 25C3 network See chapter & in manual for assistance Agenda Introduction DAVIX Visualization Walk-Through DAVIX Hands-on Lab Visualization Contest

3 Introduction DAVIX Initial Situation Security visualization is quite new Currently two books available [1, 2]

4 Initial Situation Many free visualization tools But installation is often cumbersome Compiler version and library issues Code difficult to build or broken Diverse runtime environments: Java, Perl, Ruby, Python, Windows Applications Huge hurdle for people to get start with security visualization Mission Statement DAVIX shall provide the audience with a workable and integrated tools set, enable them to immediately start with security visualization and motivate them to contribute to the security visualization community.

5 Inside the DAVIX Live CD Live Linux CD system based on SLAX 6 [3] Software packages are modularized Easy customizable Runs from CD/DVD, USB stick or hard drive Collection of free tools for processing & visualization Tools work out of the box No compilation or installation of tools required Comes with documentation [4] Quick start description for the most important tools Links to manuals and tutorials DAVIX Tools Capture Network Tools Argus Snort Wireshark Logging syslog-ng Fetching Data wget ftp scp Processing Shell Tools awk, grep, sed Visualization Preprocessing AfterGlow LGL Extraction Chaosreader Data Enrichment geoiplookup whois, gwhois Visualization Network Traffic EtherApe InetVis tnv Generic AfterGlow Graphviz LGL Viewer Mondrian R Project Treemap

6 Highlights Upcoming 1.0.5α Capture Network Tools Bro IDS Processing Integration Splunk NSM Console PCAP manipulation/ extraction ngrep tcpxtract tcpslice tcpflow Visualization Network Traffic FlowTag INAV NetGrok Zenmap Generic NAZAR Octave Visualization

7 Visualization Raffael Marty A picture is worth a thousand log records. [2] Ben Shneiderman The purpose of viz is insight, not pictures. [5] Information Seeking Mantra [6] Details on Demand Overview Zoom and Filter

8 Information Viz Process [2] Interface Issue Each visualization tool has its own file format interfaces Data must be converted to match the import interfaces These adapters are mostly self-written snippets of code Viz Tool 1 PCAP CSV? TM3 Viz Tool 2 Viz Tool 3?? Viz Tool 4

9 Walk-Through User Interface Menu organized around Info Viz Process Capture Process Visualize Tools often cover more than one category Afterglow Process, Visualize Additional tools/services Apache, MySQL, NTP

10 PDF User Manual Content Quick start guide Network setup information Tool usage examples Links to online resource Customizing DAVIX User Manual in the Menu The manual is browsable by chapter or individual tool chapters

11 Hands-on Lab Overview Lab built around Info Viz Process DAVIX Tools Processing Wireshark / tshark [7] p0f [8] awk [9], sed, uniq Snort [10] Visualization AfterGlow [11] Graphviz [12] Treemap [13] Problem Definition Details on Demand Visualize Overview Filter

12 Problem Definition Type of Traffic? Network Topology? Gateway? Team Server? Other Team Systems? Activities? Communication Pattern? Attacks? Type of Traffic

13 Overview - Background l CTF DEFCON 12 l l 6 teams l l l PCAP File 1 server per team with vulnerable services Many team member systems Symmetrical setup for all teams. Overview - Wireshark l Basic statistics l l l l 54 MB PCAP file Date min of traffic packets

14 Overview - Wireshark Packets Protocols Mostly IP Mostly TCP Some UDP Traffic Volume Mostly TCP Overview - Wireshark TCP Mostly HTTP Some DCE RPC Windows

15 Overview - Wireshark Traffic Shape Constant at begin Massive increase at the end. tcp.port==80 Network Topology

16 Visualize: AfterGlow / Graphviz Possible Gateways Not a Gateway Zoom & Filter - tshark 001_network_topology_gateway.sh CSV of source/destination IP to source/destination MAC addresses ,00:00:86:5b:e9:6a ,00:04:5a:a2:d4: ,00:c0:95:e0:0e:af ,00:c0:95:e0:0e:af ,00:c0:95:e0:0e:af ,00:09:6b:53:8a: ,00:c0:95:e0:0e:af...

17 Zoom & Filter - tshark 001_network_topology_gateway.sh Extract IP addresses and their MAC addresses tshark -r davix_workshop_captures.pcap -e ip.src -e eth.src -Tfields -E separator=, -R ip > ip_mac.csv tshark -r davix_workshop_captures.pcap -e ip.dst -e eth.dst -Tfields -E separator=, -R ip >> ip_mac.csv cat ip_mac.csv sort uniq > ip_mac_distinct.csv 001_network_topology_gateway.sh Visualize: AfterGlow / Graphviz Visualize CSV file using AfterGlow cat ip_mac_distinct.csv afterglow.pl -t neato -Tpng -o ip_mac_distinct.png View resulting image gqview

18 001_network_topology_gateway.sh Visualize: AfterGlow / Graphviz Possible Gateways Not a Gateway Overview p0f 002_network_topology_operating_system.sh Other teams come through NAT Results ,FreeBSD (or MacOS X ) ,FreeBSD (or MacOS X ) ,Linux ,OpenBSD ,Windows 2000 SP4, XP SP ,Windows XP SP1+, 2000 SP ,Linux ,Linux ,Linux ,Linux ,Linux ,Linux ,Linux

19 Overview p0f 002_network_topology_operating_system.sh Identify Involved Operating Systems p0f -f /etc/p0f/p0f.fp -s davix_workshop_captures.pcap -N sed "s/ (up.*$//" sed "s/:[0-9]* - /,/" sort uniq Visualize Visio ;-) Topology Opponents :C0:95:E0:0E:AF NAT IP Linux 00:0B:5F:69:B2:01 CISCO 00:E0:98:08:F7:E2

20 Visualize Visio ;-) Our Team 00:0B:5F:69:B2:01 CISCO 00:E0:98:08:F7:E WIN WIN Linux ?Unix? Linux Linux Linux Linux Linux Linux Activities Linked Graphs

21 Visualize: AfterGlow / Graphviz Green Our team Red Other teams Yellow NAT IP Blue Neutral 003_activity_connections.sh Zoom & Filter - tshark 003_activity_connections.sh Extract source & destination IP addresses tshark -r davix_workshop_captures.pcap -e ip.src -e ip.dst -Tfields -E separator=, -R ip > ipsrc_ipdst.csv

22 Visualize: AfterGlow / Graphviz Visualize CSV file using AfterGlow cat ipsrc_ipdst.csv afterglow.pl -c color1.properties -t neato -Tpng -o ipsrc_ipdst.png View resulting image gqview 003_activity_connections.sh Visualize: AfterGlow / Graphviz AfterGlow color1.properties 003_activity_connections.sh color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/); color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/); color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/); color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/); color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/); color.source="lightsalmon" color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/); color.target="palegreen" if ($fields[1]=~/^192\.168\.4\..*/); color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/); color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/); color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/); color.target="lightsalmon"

23 Visualize: AfterGlow / Graphviz Green Our team Red Other teams Yellow NAT IP Blue Neutral 003_activity_connections.sh Visualize: AfterGlow / Graphviz Zoom Image 003_activity_connections.sh /24 attacking other teams But who is the most active IP?

24 Visualize: AfterGlow / Graphviz Size of nodes dependent on volume of activity 004_activity_connections_volume.sh Visualize: AfterGlow / Graphviz AfterGlow color2.properties 004_activity_connections_volume.sh color.source="khaki1" if ($fields[0]=~/^192\.168\.4\.1$/); color.source="palegreen" if ($fields[0]=~/^192\.168\.4\..*/); color.source="lightblue" if ($fields[0]=~/^0\.0\.0\.0$/); color.source="lightblue" if ($fields[0]=~/^255\.255\.255\.255$/); color.source="lightblue" if ($fields[0]=~/^198\.123\.30\.132$/); color.source="lightsalmon" size.source=$sourcecount{$sourcename}; maxnodesize=1; color.target="khaki1" if ($fields[1]=~/^192\.168\.4\.1$/); color.target="palegreen" if ($fields[1]=~/^192\.168\.4\..*/); color.target="lightblue" if ($fields[1]=~/^0\.0\.0\.0$/); color.target="lightblue" if ($fields[1]=~/^255\.255\.255\.255$/); color.target="lightblue" if ($fields[1]=~/^198\.123\.30\.132$/); color.target="lightsalmon" size.target=$targetcount{$targetname};

25 Visualize: AfterGlow / Graphviz Visualize CSV file using AfterGlow cat ipsrc_ipdst.csv afterglow.pl -c color2.properties -t neato -Tpng -o ipsrc_ipdst_2.png View resulting image gqview 004_activity_connections_volume.sh Visualize: AfterGlow / Graphviz Most active talker is _activity_connections_volume.sh

26 Activities Communication Patterns Visualize: Treemap 005_activity_connections_treemap.sh

27 Visualize: Treemap 005_activity_connections_treemap.sh TM3 formatted file IP Src IP Dest Count STRING STRING INTEGER Zoom & Filter: tshark 005_activity_connections_treemap.sh Extract source/destination IP & packet count tshark -r davix_workshop_captures.pcap -e ip.src -e ip.dst -Tfields E separator=/t -R "ip" sort uniq -c awk '{print $2 "," $3 "," $1}' > ipsrc_ipdst_pktcount.csv

28 Visualize: Treemap Convert CSV to TM3 format 005_activity_connections_treemap.sh cat ipsrc_ipdst_pktcount.csv awk -F, 'BEGIN { print "IP Src\tIP Dest\tCount"; print "STRING\tSTRING\tINTEGER" } { print $1 "\t" $2 "\t" $3 }' > ipsrc_ipdst_pktcount.tm3 Visualize: Treemap Open TM3 file in Treemap In Legend tab Set Label to count Set Size to count Set Color to IP Dest In Hierarchy tab Add IP Src to Hierarchy Add IP Dest to Hierarchy 005_activity_connections_treemap.sh

29 Visualize: Treemap 005_activity_connections_treemap.sh Contest Attacks

30 Zoom & Filter - Snort Extract Snort alerts 006_activity_attacks.sh snort -c /etc/snort/snort.bleeding.conf -r davix_workshop_captures.pcap Convert Snort alerts to CSV file cat /var/log/snort/alert snortalert2csv.pl "sip dip name" sort uniq Zoom & Filter - Snort Snort CSV file 006_activity_attacks.sh , ,(http_inspect) BARE BYTE UNICODE ENCODING , ,BLEEDING-EDGE PHPNuke general SQL injection attempt , ,BLEEDING-EDGE WEB-MISC Poison Null Byte , ,(http_inspect) OVERSIZE CHUNK ENCODING , ,BLEEDING-EDGE SCAN NMAP -sa (1) , ,(http_inspect) OVERSIZE CHUNK ENCODING , ,(http_inspect) WEBROOT DIRECTORY TRAVERSAL , ,BLEEDING-EDGE PHPNuke general SQL injection attempt , ,BLEEDING-EDGE SCAN NMAP -sa (1) , ,BLEEDING-EDGE WEB-MISC Poison Null Byte

31 006_activity_attacks.sh Visualize: Contest Modify existing workshop script 004_activity_connections_volume.sh and AfterGlow configuration color2.properties such that the shape of the nodes represent attacking nodes. the type of attack is visible in the linked graph. Visualize: Contest Terms and Conditions The best submission, which has solved exercise 1 AND 2, wins a copy of Raffael Marty's "Applied Security Visualization" book Result submissions must include a shell script that generates the graph be handed in until January 6, :59 UTC be sent to jan dot monsch ät iplosion dot com Legal recourse is excluded 006_activity_attacks.sh

32 Q & A davix.secviz.org References I [1] Conti G. Security Data Visualization. No Starch Press, [2] Marty R. Applied Security Visualization. Pearson Education, [3] Matějíček T. SLAX 6. [4] Monsch J. P., Marty R. DAVIX Manual pdf [5] Shneiderman B. Keynote VizSec. Boston: 2008 [6] Shneiderman B. The Eyes Have It: A Task by Data Type Taxonomy for Information Visualization. IEEE Visual Languages. pp

33 References II [7] Wireshark / tshark Manual [8] p0f [9] awk Tutorial [10] Snort Manual [11] AfterGlow Manual [12] Graphviz Documentation [13] Treemap Manual