The purpose of this talk is to improve an administrator's awareness of the
hosts and services on a network using open source tools. First I will
introduce dhcpdump, a tool to sniff DHCP traffic. Admins can use this
tool to keep track of IP addresses assigned to systems as they join a
network, independent of any logs kept by the DHCP server.

Next I will explain the Passive Asset Detection System (PADS), a tool
which watches network traffic and records the services it sees. This
program helps an admin passively enumerate services; it is not an active
assessment application like Nessus.

After PADS, I will describe P0f. This tool determines the operating
system of hosts it sees communicating on the network. It complements
PADS, which does not make OS guesses.

Finally I will provide information on the Security Analyst Network
Connection Profiler (SANCP). SANCP is a session data collection program
which passively summarizes conversations on the network. It can track TCP
flows and estimate sessions for stateless protocols like UDP and ICMP.
SANCP is integrated with Sguil, the subject of my talk at BSDCan 2004.

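The SANCP-style session summary described above, as an added example (not SANCP's own code): a passive session tracker that keys packets by a direction-independent 5-tuple, closes TCP sessions on FIN or RST, and estimates UDP and ICMP sessions by an idle timeout. The packet records and the 60-second timeout are constructed assumptions, not captured traffic.

```python
from collections import namedtuple

# Constructed packet records, not real capture data: the fields a passive
# session tool can read from any packet without talking to the hosts.
Pkt = namedtuple("Pkt", "ts proto src sport dst dport size flags")
SAMPLE = [
    Pkt(0.00, "tcp", "10.0.0.5", 40001, "10.0.0.10", 22, 60, "S"),
    Pkt(0.01, "tcp", "10.0.0.10", 22, "10.0.0.5", 40001, 60, "SA"),
    Pkt(0.50, "tcp", "10.0.0.5", 40001, "10.0.0.10", 22, 120, "PA"),
    Pkt(1.00, "tcp", "10.0.0.5", 40001, "10.0.0.10", 22, 60, "FA"),
    Pkt(2.00, "udp", "10.0.0.5", 53001, "10.0.0.1", 53, 70, ""),
    Pkt(2.02, "udp", "10.0.0.1", 53, "10.0.0.5", 53001, 150, ""),
    Pkt(3.00, "icmp", "10.0.0.7", 0, "10.0.0.10", 0, 84, ""),
    Pkt(100.0, "udp", "10.0.0.5", 53001, "10.0.0.1", 53, 70, ""),  # after idle gap
]
IDLE_TIMEOUT = 60.0  # assumed inactivity window that ends a UDP/ICMP "session"

def session_key(p):
    """Direction-independent key so both halves of a conversation match."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def summarize(packets, idle=IDLE_TIMEOUT):
    """Fold packets into session records (start, end, endpoints, counts)."""
    active, done = {}, []
    for p in sorted(packets, key=lambda x: x.ts):
        key = session_key(p)
        s = active.get(key)
        if s is None or p.ts - s["end"] > idle:      # new or idle-expired session
            if s is not None:
                done.append(active.pop(key))
            s = active[key] = {"proto": p.proto, "src": p.src, "sport": p.sport,
                               "dst": p.dst, "dport": p.dport, "start": p.ts,
                               "end": p.ts, "src_pkts": 0, "dst_pkts": 0, "bytes": 0}
        s["end"], s["bytes"] = p.ts, s["bytes"] + p.size
        if (p.src, p.sport) == (s["src"], s["sport"]):
            s["src_pkts"] += 1
        else:
            s["dst_pkts"] += 1
        # TCP has explicit teardown (simplified: first FIN or RST closes it);
        # UDP and ICMP sessions can only be estimated by the idle timeout.
        if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
            done.append(active.pop(key))
    done.extend(active.values())               # still-open sessions at end of input
    return sorted(done, key=lambda s: s["start"])

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(f'{s["start"]:6.2f} {s["end"]:6.2f} {s["proto"]:5} {s["src"]}:{s["sport"]} -> '
              f'{s["dst"]}:{s["dport"]} pkts={s["src_pkts"]}/{s["dst_pkts"]} bytes={s["bytes"]}')
```

On the sample input this yields four sessions: one TCP, one ICMP, and two UDP, because the DNS query at t=100 falls outside the idle window of the earlier exchange.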
All of these programs work on UNIX and most are in the FreeBSD ports tree.
I will give installation instructions and sample output from each.

Should I have any extra time to spare, I may cover other open source tools
for NSM purposes. I have a few others in mind already. I'll probably
build a case study around using these tools.

speaker: Richard Bejtlich
location not assigned