Know my net
- Create topology initially based on documentation
- Notice that reality does not reflect the documentation
- New (own) hosts show up in the topology view's IP list
- Filter out the known hosts
NG topo: select the documented hosts -> exclude
or identity view: use search (with regexps) to find the known hosts -> exclude
- Check the traffic of the undocumented hosts
- Name them accordingly
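The "known vs. unknown" filtering above, as an added example (not code from these notes or from any Clarified Networks tool): a documentation export (name -> IP or CIDR) is reconciled against a flow log, every internal address that is not documented is listed, and its traffic is summarised heaviest first. The documentation entries, the local address range and the flow records are constructed here as sample input; in practice you would export them from your own wiki and collector.

```python
"""Reconcile the documented host list against what is actually seen on the wire.

Added example, not code from the original notes. It assumes two inputs you
would export yourself: a documentation list (name -> IP or CIDR) and a flow
log with (src, dst, dst_port, proto, packets). Both are constructed inline.
"""
import ipaddress
from collections import defaultdict

# Constructed documentation export (assumption: one IP or CIDR per entry).
DOCUMENTED = {
    "www1": "10.0.1.10",
    "ftp1": "10.0.1.20",
    "ad1": "10.0.2.5",
    "ad2": "10.0.2.6",
    "office-lan": "10.0.10.0/24",
}

# Our own address space (assumption); anything outside it is external.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records: (src, dst, dst_port, proto, packets).
FLOWS = [
    ("10.0.10.15", "10.0.1.10", 80, "tcp", 120),
    ("10.0.10.15", "10.0.1.20", 21, "tcp", 30),
    ("10.0.1.99", "10.0.1.20", 21, "tcp", 400),   # undocumented host pulling from FTP
    ("10.0.1.99", "10.0.2.5", 445, "tcp", 85),    # ... and poking the AD servers
    ("10.0.1.99", "10.0.2.6", 389, "tcp", 40),
    ("198.51.100.7", "10.0.1.10", 80, "tcp", 2000),
]


def build_known(documented):
    """Turn the documentation into (name, network) pairs.

    Single IPs become /32 networks so one membership test covers both."""
    return [(name, ipaddress.ip_network(addr, strict=False))
            for name, addr in documented.items()]


def classify(ip, known, local_nets=LOCAL_NETS):
    """Documented name, or 'UNKNOWN' (ours but undocumented), or 'EXTERNAL'."""
    addr = ipaddress.ip_address(ip)
    for name, net in known:
        if addr in net:
            return name
    if any(addr in net for net in local_nets):
        return "UNKNOWN"
    return "EXTERNAL"


def undocumented_hosts(flows, known):
    """Every internal address seen in the flows that the documentation lacks."""
    seen = {ip for src, dst, *_ in flows for ip in (src, dst)}
    unknown = [ip for ip in seen if classify(ip, known) == "UNKNOWN"]
    return sorted(unknown, key=ipaddress.ip_address)


def traffic_of(ip, flows, known):
    """Who a host talks to, heaviest first: (peer, peer_name, port, proto, packets)."""
    totals = defaultdict(int)
    for src, dst, dport, proto, packets in flows:
        if src == ip:
            totals[(dst, dport, proto)] += packets
        elif dst == ip:
            totals[(src, dport, proto)] += packets
    rows = [(peer, classify(peer, known), port, proto, pkts)
            for (peer, port, proto), pkts in totals.items()]
    return sorted(rows, key=lambda r: r[-1], reverse=True)


if __name__ == "__main__":
    known = build_known(DOCUMENTED)
    for host in undocumented_hosts(FLOWS, known):
        print(f"undocumented host {host}:")
        for peer, name, port, proto, pkts in traffic_of(host, FLOWS, known):
            print(f"  -> {peer:15} ({name}) {proto}/{port:<5} {pkts} packets")
```

With the sample data the only undocumented internal host is 10.0.1.99, and its heaviest conversation is with the FTP server, which is exactly the "someone fetches documents from the FTP site" case the notes describe. Once a host has been identified and named, add it to the documentation so it drops out of the unknown list.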
Search for malicious traffic
Metasploit: use the search view -> channel_interactive (or similar)
- Port view: sort by most packets and/or flows
- If someone fetches documents from, for example, an FTP site, you will notice it pretty quickly
- Limit to FTP traffic
- Check the unknowns: who is accessing it
- Clear the limiters, then limit to the unknowns
- Check all traffic from the unknowns
- Check the heaviest traffic first
One practical finding: Metasploit used port 80 as its call-home port. Whenever an unknown, potentially malicious host received traffic to port 80 that didn't look like HTTP, unplug the host. The port number tells you nothing about the protocol; look at the payload.
- It was really easy to find
- Reverse NAT was in use
- Check all traffic from external 'countries'
- Topo NG: create a container for scanners
- When you notice a new scanner, add it to the topology view
- You end up with nice documentation of the usual suspects
- 'Why is there extra traffic from unknown hosts to our AD servers?'
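The "port 80 but not HTTP" finding, as an added example (not code from these notes or from Metasploit): the check reads the first bytes the client sends and accepts only a real HTTP request line (method, target, version). The session records, their payloads (including a stand-in for a raw call-home stager) and the documented-server set are constructed sample input; in practice you would take the first client bytes of each session from a pcap.

```python
"""Flag traffic to port 80 whose first client bytes are not an HTTP request.

Added example, not code from the original notes or from Metasploit. A port
number says nothing about the protocol, so the check looks at the payload: a
genuine HTTP request starts with METHOD SP target SP HTTP/version CRLF. The
sessions below are constructed; the 'stager' bytes are a stand-in, not real
Metasploit output.
"""
import re

# Request line per RFC 7230, plus the HTTP/2 prior-knowledge preface ("PRI * HTTP/2.0").
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/(1\.[01]|2\.0)\r\n")

# Documented servers (assumption); anything else answering on 80 is suspicious.
DOCUMENTED = {"10.0.1.10", "10.0.1.20"}

# Constructed sessions: (client, server, server_port, first_client_bytes).
SESSIONS = [
    ("10.0.10.15", "10.0.1.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www1\r\n\r\n"),
    ("10.0.10.22", "203.0.113.9", 80, b"POST /api HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # Stand-in for a raw reverse-TCP stager calling home to an undocumented box on 80.
    ("10.0.10.31", "10.0.1.99", 80, b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0"),
    # TLS ClientHello sent to port 80: not HTTP either, but a misconfiguration, not C2.
    ("10.0.10.40", "10.0.1.10", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    # Connection with no client data (SYN only / scan): undecidable, not flagged.
    ("10.0.10.50", "10.0.1.99", 80, b""),
    ("10.0.10.15", "10.0.1.20", 21, b"USER anonymous\r\n"),
]


def looks_like_http_request(payload):
    """True if the first bytes form a valid HTTP request line."""
    return bool(REQUEST_LINE.match(payload))


def non_http_on_80(sessions, documented):
    """Sessions to port 80 whose first client bytes are not an HTTP request.

    Returns (client, server, reason). Empty payloads are skipped: with no data
    there is nothing to judge yet, and flagging them would turn every port
    scan into an alert.
    """
    hits = []
    for client, server, port, payload in sessions:
        if port != 80 or not payload:
            continue
        if looks_like_http_request(payload):
            continue
        who = "undocumented" if server not in documented else "documented"
        hits.append((client, server,
                     f"{who} server, first bytes {payload[:4].hex()}"))
    return hits


if __name__ == "__main__":
    for client, server, reason in non_http_on_80(SESSIONS, DOCUMENTED):
        print(f"{client} -> {server}:80  {reason}")
```

Two caveats: this catches raw TCP stagers parked on port 80, not Metasploit's HTTP-based payloads, which send real-looking HTTP requests and need content inspection instead; and the "documented server" tag in the reason is there so that a TLS handshake sent to a known web server (usually a client misconfiguration) is not treated like an unknown box receiving binary on 80.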
Full living documentation
- Export the topology to the wiki
Use the clarifiedtopology macro & metamap
- Tables that include topology components (containers), nmap results and Nessus results
- Run dsniff on selected traffic in my network
When you find an attack, limit the capture to the attack traffic and run tcpxtract on it to carve out the files that were transferred
- Honeypots: tried Nepenthes; useless when a real human is attacking, as the human will immediately know it is a honeypot (it only emulates vulnerabilities)
- Opencollab idea: as we now have documentation of the open interfaces, run the typical tests against each interface with the usual-suspect tools (FTP anonymous access, HTTP CGI/Tomcat/PHP admin interfaces etc.)
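The "run the usual tests against the documented interfaces" idea, as an added example (not code from these notes or from any Opencollab/Clarified tool): the inventory rows are mapped to the checks we know how to run (anonymous FTP login, well-known HTTP admin paths), the checks themselves are plain stdlib calls with timeouts, and the interpretation of results is kept in pure functions so it can be reviewed offline. The inventory, the admin path list and the result thresholds are assumptions made for the example.

```python
"""Run the usual-suspect checks against the documented open interfaces.

Added example, not part of the original notes or of any Opencollab/Clarified
tool. It assumes an inventory exported from the wiki as (name, ip, port,
service) rows (constructed here). Network checks are real stdlib calls
(ftplib, http.client) guarded by timeouts; planning and result interpretation
are pure functions.
"""
import ftplib
import http.client

# Constructed inventory export (assumption about the wiki table layout).
INVENTORY = [
    ("ftp1", "10.0.1.20", 21, "ftp"),
    ("www1", "10.0.1.10", 80, "http"),
    ("ad1", "10.0.2.5", 389, "ldap"),
]

# Admin interfaces worth a knock (assumed list of well-known default paths).
ADMIN_PATHS = ["/manager/html", "/phpmyadmin/", "/cgi-bin/", "/admin/"]
TIMEOUT = 3


def plan_checks(inventory):
    """Map each documented interface to the checks we know how to run."""
    plan = []
    for name, ip, port, service in inventory:
        if service == "ftp":
            plan.append((name, ip, port, "ftp-anonymous", None))
        elif service in ("http", "https"):
            for path in ADMIN_PATHS:
                plan.append((name, ip, port, "http-admin", path))
        else:
            plan.append((name, ip, port, "no-check", None))
    return plan


def ftp_anonymous(ip, port):
    """True if anonymous login is accepted, False if refused, None if unreachable."""
    try:
        ftp = ftplib.FTP(timeout=TIMEOUT)
        ftp.connect(ip, port)
        try:
            ftp.login("anonymous", "anonymous@example.com")
            return True
        except ftplib.error_perm:          # 530 login refused
            return False
        finally:
            ftp.close()
    except (OSError, ftplib.Error):
        return None


def http_admin(ip, port, path):
    """Status code of a GET for an admin path, or None if unreachable."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=TIMEOUT)
        conn.request("GET", path)
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def interesting(check, result):
    """What deserves a ticket: anonymous FTP accepted, or an admin path that exists."""
    if result is None:
        return False
    if check == "ftp-anonymous":
        return result is True
    if check == "http-admin":
        # 401/403 still mean the interface is there, it just wants a password.
        return result in (200, 401, 403)
    return False


def run(plan):
    """Execute the plan and return only the interesting findings."""
    findings = []
    for name, ip, port, check, arg in plan:
        if check == "ftp-anonymous":
            result = ftp_anonymous(ip, port)
        elif check == "http-admin":
            result = http_admin(ip, port, arg)
        else:
            continue
        if interesting(check, result):
            findings.append((name, ip, port, check, arg, result))
    return findings


if __name__ == "__main__":
    for finding in run(plan_checks(INVENTORY)):
        print("FINDING:", finding)
```

The "no-check" rows are kept in the plan on purpose: they show which documented interfaces (here LDAP on the AD server) have no routine test yet, which is the list to grow as the documentation grows. Run this only against your own inventory, and keep the timeouts, or one dead host stalls the whole pass.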