Passive Python Network Mapping

In this excerpt from chapter two of Passive Python Network Mapping, author Chet Hosmer discusses securing your devices against network security threats.


The following is an excerpt from Passive Python Network Mapping by author Chet Hosmer and published by Syngress. This section from chapter two explores what's running on our networks that we don't know about.

Modern environments boast massive infrastructures and sophisticated security technologies designed to keep the bad guys out.

What if the bad guys are already in?

Today's defensive technology mix includes traditional firewalls, application firewalls, demilitarized zones (DMZ), virtual private networks (VPN), antivirus, anti-spyware, patch management infrastructures, content filters, host and network data leak protection (DLP), specialized privilege guards and security information and event management (SIEM) solutions. Unfortunately, these systems and technologies do little to protect against new threats or hidden vulnerabilities that already exist within the environment they protect. In some cases, those vulnerabilities exist within the security solutions themselves!

In addition, today's solutions resemble, and share the weaknesses of, the fortifications that the French Minister of War, Andre Maginot, built in the 1930s to protect France from a German invasion. Much like the Maginot Line (see Figure 2-1), modern cyber security solutions provide great protection against a direct attack, but they can be circumvented by insiders, through the exploitation of unknown vulnerabilities, via new attack vectors, or by means of social engineering, and they can be infiltrated because of a lack of deep understanding of one's own environment.

Big vs. Little

Figure 2-1: Maginot Line

It turns out that many smaller organizations are more difficult to penetrate because the environment is better understood by both the Information Technology (IT) teams and the Cyber Security teams that protect them. Larger organizations in many cases have undergone numerous mergers and acquisitions, along with the melding of information systems. They have also been around longer and likely employ legacy technologies, or have systems operating throughout their network that have simply been forgotten and are running services that are vulnerable.

The following statement is critically important:

The more you know about your environment, the better you can protect your assets, the easier you can detect anomalous activity, and the faster you can react to new attacks and vulnerabilities.

We Care About What's Running on Our Systems

This might seem obvious as you read this, but you are likely to be surprised by the systems and services that are operating on your network. We tend to think only about servers and desktop workstations, since our view of the world is that this is where the information is created, accessed and utilized. Obviously, our infrastructures are changing, and what is running on or attached to our network is also evolving. Let's take a look at just a small list of the devices and systems we need to be concerned about today (I have purposely left out servers and desktop workstations from the list):

  • Android phones and tablets
  • iOS phones and tablets
  • Windows phones and tablets
  • Blackberry phones and tablets
  • Printers and multifunction devices (print, scan, fax)
  • Copiers and Biz Centers
  • Voice Over Internet Protocol (VOIP) systems
  • Security cameras
  • Internet radios
  • Handheld personal cameras
  • Near Field Communication Devices (NFC)
  • Conference room phones
  • Wearable technologies (fitness, surveillance; see Figures 2-2 through 2-4)

At the end of the day, these are all computers at their core with access to networks, the Internet and possibly your corporate infrastructure and information. The questions are:

  1. Can you identify them on your network?
  2. Do you know where they are located?
  3. What data do they have access to?
  4. Most importantly, what is the risk and potential impact they pose if compromised?

The other important aspect of mobile, wireless, Bluetooth, wearable and NFC devices is that they tend to leave very temporal (short-lived) footprints, meaning that traditional active network mapping methods may be ineffective in detecting their presence or tracking their behaviors.


Based on this brief introduction, you can see that there are significant advantages to having a firm understanding of the devices that should be attached to our networks, whether these devices are servers, workstations or mobile devices. Think of this as home-field advantage: by understanding what should be operating on your network, it becomes easier to identify those devices that shouldn't be there.

As I demonstrated in Chapter 1, actively identifying devices on a network using NMAP quickly provides information about the obvious suspects. What we are looking for here are those devices that operate either in a temporal fashion or are purposely stealthy. Approaching the problem from a passive point of view is different in that we have to wait for devices to reveal their presence by actively participating on the network.


Once again we will turn to tcpdump to demonstrate some of the ways to capture packets in a passive manner. You might realize that I can do the same thing with Wireshark or a host of other proprietary toolsets. However, one of the problems with this approach is that in order to capture packets at the kernel level, you must be operating at a very high privilege level, and using complex and far-reaching security tools to do so is risky business. Thus my approach throughout the book will be to use simple, well-known open-source technologies to perform the operations that require high levels of privilege. In this way we can limit root privilege to only those processes that absolutely need it. Likewise, our analysis tools (after we have captured the necessary packet samples) can and should operate at user level.
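As an added example in the spirit of this separation (it is not code from the book), the following Python script assumes that tcpdump has already done the privileged capture and written a classic pcap file, for instance `sudo tcpdump -i eth0 -nn -w capture.pcap` (the interface name is an assumption). The script itself uses only the standard library and runs as an ordinary user on that file: it decodes the Ethernet, IPv4 and TCP/UDP headers, and builds a passive host inventory recording each source IP's MAC addresses, which peers and ports it talks to, when it was first and last seen (the transient-footprint concern raised above), and which TCP ports it is proven to be listening on because it answered a SYN with SYN+ACK. Truncated or non-IPv4 records are skipped rather than crashing the parse. The two hosts, their MAC addresses and the four-record capture at the bottom are constructed inline so the script runs offline.

```python
"""Passive host inventory from a pcap, parsed in user space (added example).

Privileged step, done once by tcpdump:  sudo tcpdump -i eth0 -nn -w capture.pcap
Everything below runs as an ordinary user on that file, standard library only.
The sample capture at the bottom is constructed so the script runs offline.
"""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic (non-pcapng) pcap magic number
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10


def _mac(raw):
    return ":".join("%02x" % b for b in raw)


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_pcap(data):
    """Yield (timestamp, frame) for each record; accepts either byte order."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:    # magic read backwards: file is big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24                   # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield sec + usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP|UDP headers; None for anything else or truncated."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    dst_mac, src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]      # IHL gives the IP header length
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    flags = l4[13] if proto == PROTO_TCP and len(l4) >= 14 else 0
    return {"src_mac": _mac(src_mac), "dst_mac": _mac(dst_mac),
            "src_ip": _ip(ip[12:16]), "dst_ip": _ip(ip[16:20]),
            "proto": proto, "sport": sport, "dport": dport, "tcp_flags": flags}


def build_inventory(pcap_bytes):
    """Map each source IP to its MACs, peers, proven listening ports and time span."""
    hosts = defaultdict(lambda: {"macs": set(), "talks_to": set(), "services": set(),
                                 "first_seen": None, "last_seen": None})
    for ts, frame in parse_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue              # non-IPv4 or truncated record: skip, never crash
        h = hosts[pkt["src_ip"]]
        h["macs"].add(pkt["src_mac"])
        h["talks_to"].add((pkt["dst_ip"], pkt["proto"], pkt["dport"]))
        h["first_seen"] = ts if h["first_seen"] is None else min(h["first_seen"], ts)
        h["last_seen"] = ts if h["last_seen"] is None else max(h["last_seen"], ts)
        # A SYN+ACK sent *by* this host proves it is listening on its source port.
        if pkt["proto"] == PROTO_TCP and (pkt["tcp_flags"] & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK):
            h["services"].add(pkt["sport"])
    return dict(hosts)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, tcp_flags=0):
    """Constructed frame: Ethernet + minimal IPv4 + TCP/UDP header, checksums left zero."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    src, dst = (bytes(int(o) for o in a.split(".")) for a in (src_ip, dst_ip))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4


def build_pcap(records):
    """Constructed little-endian classic pcap, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in records:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame)
    return b"".join(out)


PHONE, PRINTER = "02:00:00:00:00:77", "02:00:00:00:00:20"   # constructed MACs, not real devices
SAMPLE_CAPTURE = build_pcap([
    (1500000000.0,   build_frame(PHONE, PRINTER, "192.168.1.77", "192.168.1.20", PROTO_TCP, 51000, 9100, TCP_SYN)),
    (1500000000.001, build_frame(PRINTER, PHONE, "192.168.1.20", "192.168.1.77", PROTO_TCP, 9100, 51000, TCP_SYN | TCP_ACK)),
    (1500000003.5,   build_frame(PHONE, "01:00:5e:00:00:fb", "192.168.1.77", "224.0.0.251", PROTO_UDP, 5353, 5353)),
    (1500000004.0,   b"\x00" * 10),   # truncated junk record; must be skipped
])

if __name__ == "__main__":
    for ip, h in sorted(build_inventory(SAMPLE_CAPTURE).items()):
        print(ip, sorted(h["macs"]), "listening:", sorted(h["services"]),
              "seen %.3f..%.3f" % (h["first_seen"], h["last_seen"]))
```

To run it against a real capture, replace `SAMPLE_CAPTURE` with the contents of the tcpdump output file (`open("capture.pcap", "rb").read()`); nothing in the analysis path needs root. Only a SYN+ACK is taken as proof of a listening port, because a lone SYN from a client tells you nothing about whether the destination is actually serving that port.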


About the author:

Chet Hosmer is the Founder and President of Python Forensics, Inc., a non-profit organization focused on the collaborative development of open-source investigative technologies using the Python programming language. He serves as a visiting professor at Utica College in the Cybersecurity Graduate program, where his research and teaching focus on advanced steganography/data hiding methods and related defenses. Chet is also an Adjunct Faculty member at Champlain College in the Master of Science in Digital Forensic Science Program, where he is researching and working with graduate students to advance the application of Python to solve hard problems facing digital investigators. He makes numerous media appearances each year to discuss emerging cyber threats, is the author of three recent Elsevier/Syngress books, and delivers keynote and plenary talks on various cyber security-related topics around the world each year.

This was last published in July 2017
