network scanning Archives | Forensic Blogs

December 6, 2018 by LCDI

Automated Network Scanning % Success Over Error

Network Scanning Wrap Up Now That We’re Done

Welcome to the final installment of the Automated Network Scanning % team’s official blog. Our project is now over. The final tweaks are being made to our script, our scans are all shut down, and our team is beginning to finish their internship hours. A lot has happened since our last blog. We spent the majority of November running our scanner against different targets. The results we received from these scans were helpful in deciding what changes to make to our script. Despite our progress made on the scanner, there are a few things we could have done to make it better, if time permitted.

Testing Our Scanner

To test our scanner, our team used a combination of our VM, Pi, Pi network, and LCDI network. We began by targeting our Pi network that we made last month. First by running our scan on the VM. Then we believed that the superior power of the VM would make the scan run faster. Once we confirmed this, we would use our Pi scanner on the network. Our first scan was a smashing success. We used our VM to scan our pi network and it found all the servers we installed on the Pis. Now that we knew our script worked, we scaled up by testing our scan against the LCDI network.

The LCDI network scan performed without any errors. Our only issue was that it took too long. We made some improvements to the script that we believed would speed it up and then reran our test. This time the script worked much faster. This gave us much more confidence in our script, so we moved onto scanning off of our pi. As predicted, this scan was slower than the previous, but not beyond the realm of useable.

Error again

At this stage we decided to make another improvement to our scanner. We wanted to make our Pi run the script for the scan on boot. This meant that as the Pi was turning on ,it would automatically run our scanner. This process turned out to be more difficult than we thought, but eventually we got it working. In the meantime, we ran two more scans of the LCDI network that also worked. After these tests, the team felt comfortable to say our scanner worked without error.

Test results

The results that our scanner got were exactly what we were hoping to get. The first scan of the Pi network finished in 19.05 seconds. The scan found our ssh server, our http server, and both of the ports needed for our file server. We reran this scan to confirm our results and found that indeed our script worked. We then moved on to scanning the LCDI network. Our first scan of the LCDI network took 4 hours 25 minutes and 48 seconds. After adding our improvements, the scan only took 2 hours 28 minutes and 48 seconds. The three scans we did from the Pi averaged out to taking 3 hours 58 minutes and 48 seconds. This met our goal of being under four hours for a scan.

The picture above is a screenshot of the results from our third scan. The host IP’s and MAC addresses have been removed for security purposes. Using our scan results, we were able to identify multiple things about the LCDI network. The first thing we saw was the locations of both of the LCDI subnet’s. We also found a few IP’s that are up but not running any services.

What else could be done

The team is very happy with the work we have done here at the LCDI, but if we had some more time there are a few things that we would have improved. First, we would attempt to make the scanner faster. We met our goal of being under four hours, but we could still do better. We have some ideas of how to do this, like splitting the IP’s up into smaller groups and scanning these groups. Another improvement we would’ve liked to make was automatically identifying aspects of a targeted network. We could have coded in a function into our script that automatically identified subnets based off of our scan results. We also could have a function that identified IP’s that are up but not running any services, and give reasons as to why this is happening.

However, over all, our project was completed successfully.

The post Automated Network Scanning % Success Over Error appeared first on The Leahy Center for Digital Investigation.

November 30, 2018 by LCDI

Network Scanning + Update 2

Introduction

As November comes to a close, we are nearing the end of our project. With the script complete, all we have left to do is finish up a final report and a few more scans. Due to some yet to be solved bug in our code, the script fails when run from the physical Pi. As a temporary workaround, we’ve been scanning solely from our virtual machine, or VM. Our team is doing their best to solve this problem before the end of the week.

Problem Solving

Due to time restrictions, we were unable to automate our script. However, this is not really a setback, as all we have to do is manually start the scanner. So while this is not desirable, it is in no way a catastrophe. Of course, if we had more time, our team would have found a way to automate our script, and add other features. The ability to utilize WiFi, while not necessary, would make our scanner much more convenient to use. A cleaner looking output would have also been a nice touch. Most of the features we would have added are superficial, and only serve to add convenience.

As for the bug in our script, we so far have no idea what is causing it. The scanner starts correctly and runs for a couple of hours before shutting down. There is no output on the console and no printed report. This has happened to well over five scans. Since we’ve encountered this issue, we have been unable to get a scan to run properly on the physical Pi. However, the script runs perfectly on the VM so we’ve been using that for scans instead. Other than trying to solve this, most of our time and energy is going towards our final report.

Conclusion

We have spent most of November in the home stretch of this project. From completing our script to working on the final report, we are wrapping up rather nicely. We did encounter an issue with running our script on the Pi which set us back, but we’ve managed despite the issue. While we are attempting to fix it, we will not be at a complete loss in this project if our attempts are unsuccessful.

The post Network Scanning + Update 2 appeared first on The Leahy Center for Digital Investigation.

November 26, 2018 by LCDI

Automated Network Scanning ! Update

Our Progress

The Automated Network Scanning ! team ran into several issues writing our scanner. The first approach we took was incredibly slow and inefficient, as we scanned every host with a separate Nmap scan. This meant that our program had to start up a new Nmap process every time. While this approach worked well on our smaller network of four Raspberry Pis, it ran into issues with large-scale tests on the LCDI network; it took over two hours to scan sixteen hosts. Our team decided to switch to scanning every host simultaneously. As you can see in the diagram, we initialized Nmap very few times, increasing the efficiency of our scan.

Our initial solution compared to our revised version.

During this process, we ran into issues with our OS fingerprinting process and the heartbleed-ssl vulnerability scanning. The OS fingerprinting had extreme issues fingerprinting the Windows IOT Raspberry Pi as the scan would throw errors and not complete. Specifically, the SYN Stealth scans used in OS Fingerprinting would return a packet with a negative travel time. Although we ensured synchronicity of the times on the Pis, we were unable to overcome this issue. Due to this setback, we decided to remove OS fingerprinting from the scope of our network scanner.

Because of the change in structure of our scans, we removed our script’s heartbleed-ssl functionality. Initially, we were able to use a regular expression, or regex to find if the host scanned was vulnerable, as each heartbleed-ssl scan corresponded to a single host. However, once we scanned all of the hosts simultaneously, we had to change our approach to use inbuilt functions in the python-libnmap package we used. These functions were unable to retrieve the data from the script, so we ultimately had to remove this heartbleed-ssl functionality.

Conclusion

Although our team started development with great ideas, we had to scale back to create a more efficient network scanner. Sometimes, you have to take a step backwards before you can take two steps forward!

To learn more about this and other blogs of the LCDI visit us here: LCDI Blog.

Stay in the loop on our current and upcoming projects and events by following us on Facebook, Twitter, or Instagram.

The post Automated Network Scanning ! Update appeared first on The Leahy Center for Digital Investigation.