<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Etherbat — Ethernet topology discovery</title>
<link rel="stylesheet" type="text/css" href="style.css" />
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
</head>
<body>
<h2>Etherbat — Ethernet topology discovery</h2>
<h3>What is <a href="http://etherbat.cryptonix.org/">Etherbat</a>?</h3>
<p>
Etherbat performs Ethernet topology discovery between 3 hosts: the machine running Etherbat and two other devices.
</p>
<ul>
<li>Are they in the same switch?</li>
<li>Are they in three separate switches?</li>
<li>Which host is closer to the local machine?</li>
</ul>
<p>
— these are example questions answered by Etherbat.
</p>
<p>
Etherbat could be described as a layer 2 equivalent of traceroute.
</p>
<p>
Neither manageable switches nor extra software on the remote hosts is required.
</p>
<h3>Use cases</h3>
<h4>Locating hosts</h4>
<p>
Attacker: "Where is that internal database server located?"
</p>
<p>
Admin: "I know there is an internal attack executing right now, but where does it originate from?"
</p>
<h4>Network mapping</h4>
<p>
Admin: "I want to have a detailed map of the network, but I don't want to track every cable physically. The boss doesn't want to buy manageable switches."
</p>
<p>
Auditor: "Let's check if the network documentation describes the real network structure."
</p>
<p>
Note: The map of the network could be created by repeatedly executing Etherbat with different host combinations and joining gathered results. Etherbat won't do this automatically.
</p>
<h3>Features</h3>
<ul>
<li>Ethernet topology discovery between 3 hosts</li>
<li>8 different topologies recognized</li>
<li>
No manageable switches required:
<ul>
<li>reduces costs for network owner,</li>
<li>no need to get access to them for an attacker.</li>
</ul>
</li>
<li>No extra software on remote hosts is necessary.</li>
<li>Error detection and correction decreases the probability of a false result.</li>
<li>Different switch types supported.</li>
<li>Mostly clean and (I hope) easy to read OO Ruby code, GPL.</li>
</ul>
<h3>Limitations</h3>
<p>
<b>Warning!</b> Etherbat was tested only on wired networks. It won't work on wireless. Also, it may give incorrect results:
</p>
<ul>
<li>on networks with hubs and/or some (broken) switch types and software bridges (e.g. the Linux bridge used by many wireless access points)</li>
<li>on some enterprise switches, due to a delayed MAC learning process (may be fixed in future versions by increasing timeouts)</li>
<li>when the hosts being tested generate traffic during the test and Etherbat does not detect it</li>
<li>in some situations when Windows machines are being tested (in these cases Etherbat displays a warning message)</li>
<li>probably in other cases, due to not yet discovered bugs</li>
</ul>
<h3>How does it work?</h3>
<p>
Etherbat uses MAC spoofing to create invalid paths in the network, probes how the network changed by injecting specially crafted ARP requests and checks for replies or their absence. Afterwards it makes the network return to its normal state.
</p>
<p>
For more detailed explanation please read the <a href="#documentation">documentation</a>.
</p>
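<p>
The probing described above has an observable side on the wire: a frame whose Ethernet source address disagrees with the ARP sender hardware address, and an IP that is suddenly claimed by a different MAC than before. The Ruby below is an added example for network monitors, not Etherbat code, and does not implement the probing itself. It scans constructed ARP frame records (a simplified text form, not real pcap decoding) and raises two kinds of alerts; the record format, function names and sample frames are assumptions made for this example.
</p>

```ruby
# Added example (not Etherbat code): flag ARP frames whose Ethernet source
# address differs from the ARP sender hardware address, and IPs that change
# MAC. Both are observables a monitor can alert on when a host is being
# impersonated. Frame records here are a constructed text form; a real
# monitor would decode them from pcap.

ArpFrame = Struct.new(:eth_src, :eth_dst, :op, :sender_mac, :sender_ip,
                      :target_mac, :target_ip)

# Parse one constructed record:
#   "eth_src eth_dst op sender_mac sender_ip target_mac target_ip"
def parse_arp_record(line)
  f = line.split
  raise ArgumentError, "bad record: #{line}" unless f.size == 7
  ArpFrame.new(f[0].downcase, f[1].downcase, f[2].to_i,
               f[3].downcase, f[4], f[5].downcase, f[6])
end

# True when the layer 2 source and the ARP sender hardware address disagree.
# Some legitimate setups (gateway redundancy protocols, proxy ARP) can also
# produce mismatches, so treat this as a signal, not proof of spoofing.
def asymmetric_arp?(frame)
  frame.eth_src != frame.sender_mac
end

# Track which MAC last claimed each IP; a change of MAC for a known IP is the
# classic arpwatch-style "flip-flop" indicator. Returns a list of alerts:
#   [record index, kind, previous/expected value, observed value]
def scan_arp(lines)
  ip_to_mac = {}
  alerts = []
  lines.each_with_index do |line, idx|
    f = parse_arp_record(line)
    alerts << [idx, :asymmetric_arp, f.eth_src, f.sender_mac] if asymmetric_arp?(f)
    prev = ip_to_mac[f.sender_ip]
    alerts << [idx, :mac_changed, prev, f.sender_mac] if prev && prev != f.sender_mac
    ip_to_mac[f.sender_ip] = f.sender_mac
  end
  alerts
end

# Constructed sample: two ordinary frames (request + reply) followed by two
# frames with the anomalies described above. Addresses reuse the ones from
# the example output on this page.
SAMPLE_ARP = [
  "00:0f:18:ce:5f:29 ff:ff:ff:ff:ff:ff 1 00:0f:18:ce:5f:29 10.0.0.1 00:00:00:00:00:00 10.0.0.2",
  "00:26:b4:c5:8c:12 00:0f:18:ce:5f:29 2 00:26:b4:c5:8c:12 10.0.0.2 00:0f:18:ce:5f:29 10.0.0.1",
  # Ethernet source is 10.0.0.1's MAC, but the ARP sender field names another MAC
  "00:0f:18:ce:5f:29 ff:ff:ff:ff:ff:ff 1 00:12:1b:d8:a9:86 10.0.0.10 00:00:00:00:00:00 10.0.0.2",
  # 10.0.0.1 is now announced from a different MAC than before
  "00:12:1b:d8:a9:86 ff:ff:ff:ff:ff:ff 1 00:12:1b:d8:a9:86 10.0.0.1 00:00:00:00:00:00 10.0.0.2",
]

if __FILE__ == $0
  scan_arp(SAMPLE_ARP).each { |alert| puts alert.inspect }
end
```

Running the file prints one <code>:asymmetric_arp</code> alert for the third record and one <code>:mac_changed</code> alert for the fourth; the first two records produce nothing. Because Etherbat restores the network afterwards, the MAC flip-flop is transient, which is why both indicators are worth keeping together.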
<h3>Requirements</h3>
<ul>
<li><a href="http://www.ruby-lang.org/">Ruby</a> (1.8.4 tested)</li>
<li><a href="http://www.packetfactory.net/libnet/">Libnet</a> (1.1.2.1 tested)</li>
<li><a href="http://www.tcpdump.org/">Libpcap</a> 0.9.3 or higher. Previous versions <b>will not</b> work, as the pcap_setdirection() function is needed (as far as I know this function is implemented only on Linux and *BSD)</li>
<li><a href="http://www.gtk.org/">Glib 2.0</a> (2.12.4 tested)</li>
<li>Libnet, Libpcap and Glib headers and a C toolchain for compilation</li>
</ul>
<p>
Etherbat is written in an interpreted language, but it needs to launch external processes for frame injection and sniffing. Those are C programs which need to be compiled.
</p>
<h3>Download</h3>
<p>
Etherbat releases can be downloaded from <a href="https://launchpad.net/etherbat/+download">Launchpad project page</a>.
</p>
<p>
There is also the <a href="https://code.launchpad.net/etherbat/">Bazaar repository</a>. To get the latest version of Etherbat type:
</p>
<pre>
$ bzr branch http://bazaar.launchpad.net/~launchpad-cryptonix/etherbat/trunk</pre>
<p>
Etherbat source code is released under the terms of the <a href="http://www.gnu.org/licenses/gpl.html">GPLv2</a> license.
</p>
<h3>Compilation and installation</h3>
<p>
You are advised to check Etherbat tarball integrity against
my gpg key, which can be downloaded
from <a href="https://secure.cryptonix.org/">here</a>.
If the tarball and signature are in the current working directory,
issue:
</p>
<pre>
$ gpg --verify etherbat-*.tar.gz.asc</pre>
<p>
After positive verification, you can extract Etherbat source
distribution with:
</p>
<pre>
$ tar zxf etherbat-*.tar.gz</pre>
<p>
Then enter the newly created directory and optionally alter the installation path at the beginning of the Makefile. If you want the Libnet and Libpcap libraries to be linked dynamically (you should do this if your distribution ships <i>shared</i> versions of these libraries, like Debian does) execute:
</p>
<pre>
$ make</pre>
<p>
Otherwise, you need to specify the <code>libpcap.a</code> and/or <code>libnet.a</code> files to link statically with. For example, if both are placed in <code>/usr/lib/</code> you should type:
</p>
<pre>
$ make PCAP_STATIC=/usr/lib/libpcap.a LIBNET_STATIC=/usr/lib/libnet.a</pre>
<p>
After successful compilation, if you are using sudo, issue:
</p>
<pre>
$ sudo make install</pre>
<p>
or if you are using su:
</p>
<pre>
$ su -c "make install"</pre>
<p>
Note that the installation is required for the program to run correctly. You can uninstall it with:
</p>
<pre>
$ sudo make uninstall</pre>
<p>
or if you are using su:
</p>
<pre>
$ su -c "make uninstall"</pre>
<h3>Usage</h3>
<p>
Etherbat requires two IP addresses as arguments. It will display how the local machine and the hosts with those addresses are connected, in the form of an ASCII diagram. Here is example output (for those of you typing ^fscreenshot in Firefox ;-) )
</p>
<pre>
# etherbat 10.0.0.1 10.0.0.2
0: 10.0.0.10 (00:12:1b:d8:a9:86)
1: 10.0.0.1 (00:0f:18:ce:5f:29)
2: 10.0.0.2 (00:26:b4:c5:8c:12)
1 2  0
\ /  |
 *-~-*</pre>
<p>
Use <code>-h</code> to see list of possible options.
</p>
<p>
To understand what all of this ASCII art means and how to use some of the options, read the <a href="tests.html">tests description</a>.
</p>
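<p>
A network map built the way the note under "Use cases" describes (repeated runs over different host combinations, joined afterwards) needs a wrapper that reads this output and drives the pairwise runs. The Ruby below is an added example of such a wrapper's front end, not part of Etherbat: it parses only the <code>N: IP (MAC)</code> header lines in the format shown above and enumerates the host pairs to test. It does not interpret the ASCII diagram (its symbols are explained in the tests description, not here), and the function names and sample output are assumptions made for this example.
</p>

```ruby
# Added example (not part of Etherbat): parse the host lines of Etherbat's
# output and enumerate the host pairs a mapping wrapper would have to run.
# Only the "N: IP (MAC)" header format shown on the page is assumed.

# Host line: index, dotted-quad IPv4 address, colon-separated MAC in parentheses.
HOST_LINE = /\A(\d+):\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\(([0-9a-f]{2}(?::[0-9a-f]{2}){5})\)\z/i

# Returns { index => { ip:, mac: } } for every host line; diagram lines and
# any warnings do not match the pattern and are skipped.
def parse_hosts(output)
  hosts = {}
  output.each_line do |line|
    m = HOST_LINE.match(line.strip)
    next unless m
    hosts[m[1].to_i] = { ip: m[2], mac: m[3].downcase }
  end
  hosts
end

# Every unordered pair of remote addresses; each pair is one Etherbat run.
# Index 0 is the local machine and is never passed as an argument.
def remote_pairs(hosts)
  remotes = hosts.reject { |idx, _| idx.zero? }.values.map { |h| h[:ip] }.sort
  remotes.combination(2).to_a
end

# Command lines the wrapper would run for a list of candidate IPs. Mapping
# n hosts takes n*(n-1)/2 runs, each of which disturbs traffic to the hosts
# under test, so this list is what a batch mode would have to work through.
def etherbat_commands(ips)
  ips.sort.combination(2).map { |a, b| "etherbat #{a} #{b}" }
end

# Constructed sample in the format of the output shown above.
SAMPLE_OUTPUT = [
  "0: 10.0.0.10 (00:12:1b:d8:a9:86)",
  "1: 10.0.0.1 (00:0f:18:ce:5f:29)",
  "2: 10.0.0.2 (00:26:b4:c5:8c:12)",
  "1 2  0",
  "\\ /  |",
  " *-~-*",
].join("\n")

if __FILE__ == $0
  hosts = parse_hosts(SAMPLE_OUTPUT)
  hosts.each { |idx, h| puts "#{idx}: #{h[:ip]} #{h[:mac]}" }
  puts etherbat_commands(%w[10.0.0.1 10.0.0.2 10.0.0.3])
end
```

The quadratic number of runs is the practical limit of this approach on a large segment, which is why the TODO list below mentions a batch mode and a three-remote-hosts mode rather than simply looping over pairs.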
<h3>Documentation<a name="documentation"> </a></h3>
<p>
I gave a talk on Etherbat on <a href="http://2007.confidence.org.pl/">Confidence 2007</a> — you will find the presentation in the <a href="http://www.cryptonix.org/papers.html">papers section</a> of <a href="http://www.cryptonix.org/">my website</a>.
</p>
<p>
There is also the <a href="tests.html">tests documentation</a>, with every step explained in detail (<code>tests.*</code> in the tarball).
</p>
<p>
I've planned to write a whitepaper about Ethernet topology discovery, but some time after I had finished Etherbat 1.0.0 I found <a href="http://www.ieee-icnp.org/2004/papers/9-1.pdf">this document</a>. It describes a similar technique invented by three Microsoft guys (Richard Black, Austin Donnelly and Cedric Fournet) and presented in 2004 at an IEEE conference. Reading it will give you almost everything needed to understand how Etherbat works.
</p>
<p>
Recently I've found this technique was implemented in Windows Vista as <a href="http://www.microsoft.com/whdc/Rally/LLTD-spec.mspx">Link Layer Topology Discovery (LLTD)</a> and used in <a href="http://www.microsoft.com/windows/products/windowsvista/features/details/networking.mspx">Network Map</a> feature.
</p>
<p>
When I was writing Etherbat I was unaware of the Microsoft researchers' work. The general idea of LLTD and the technique used by Etherbat is the same, but there are some differences.
</p>
<p>
The main difference is that LLTD is far more complex (as it's a distributed system) and has more features, e.g. it provides extensions for QoS tests and integrates anti-DoS functions. And last but not least — every host being located can provide its own icon to appear on the map (I wonder when LLTD themes will show up on the Internet ;-)
</p>
<table>
<tr>
<td>LLTD</td>
<td>Etherbat</td>
<td>Notes</td>
</tr>
<tr>
<td>
LLTD maps entire network.
</td>
<td>
Etherbat discovers topology between 3 hosts.
</td>
<td>
It is possible to create application which invokes Etherbat repeatedly for different host combinations and joins results somehow to build the map. Also see <a href="#TODO">TODO</a>.
</td>
</tr>
<tr>
<td>LLTD requires all hosts to have <i>responders</i> installed to be placed on the map.</td>
<td>Etherbat doesn't need any extra software on remote hosts.</td>
<td>LLTD authors consider support for devices without <i>responders</i> (see section 5, paragraph "Uncooperative hosts" of mentioned <a href="http://www.ieee-icnp.org/2004/papers/9-1.pdf">paper</a>), but as far as I know it's not implemented (yet?).</td>
</tr>
<tr>
<td>
LLTD <i>enumerator</i> (the tool coordinating topology discovery) is available for Windows Vista only.
</td>
<td>
Etherbat works on Linux and should work on *BSD systems without modifications (but wasn't tested). Porting to other platforms should be straightforward, as the majority of the code is written in Ruby.
</td>
<td>
</td>
</tr>
<tr>
<td>
LLTD <i>enumerator</i> source code is not available.
</td>
<td>
Etherbat code is released under GPL license.
</td>
<td>
LLTD <i>responder</i> source code is available to download.
</td>
</tr>
<tr>
<td>
LLTD uses special MAC address family which doesn't collide with MAC addresses used in the network — normal traffic is not affected.
</td>
<td>
Etherbat impersonates host being tested, so it may temporarily cause traffic destined to this host to be lost.
</td>
<td>
</td>
</tr>
<tr>
<td>
LLTD operation is not disturbed by other host transmissions.
</td>
<td>
Etherbat is sensitive to traffic generated by hosts being tested.
</td>
<td>
</td>
</tr>
<tr>
<td>
LLTD correctly detects hubs and wireless stuff; the topology detected is generally more accurate. The authors presented a formal proof of the algorithm's correctness and completeness.
</td>
<td>
Etherbat doesn't support hubs or wireless.
</td>
<td>
</td>
</tr>
</table>
<h3>TODO<a name="TODO"> </a></h3>
<ul>
<li><b>HIGH PRIORITY: Three remote hosts mode. It is more resistant to different switch types and handles Windows machines better.</b></li>
<li>One host mode — fingerprint the path from the local host to a remote machine (taking advantage of different switch types' behavior and some other tricks).</li>
<li>Support for other asymmetric protocols and techniques, e.g. IPv6 (NDP in place of ARP), IPX, ARP+L3/4 (no need for asymmetric ARP — poison the ARP cache, send a spoofed ping and wait for the reply; can be used with TCP or UDP).</li>
<li>Are all recognized topologies correct? In particular, direct connections on the ASCII diagrams may not be direct in the case of some switch types.</li>
<li>Batch mode to test many host combinations in one invocation (for use by third-party mapping apps).</li>
<li>Increase performance under high pps (optimize frame handling, use bpf filters to ignore irrelevant frames).</li>
<li>Optimize tests to generate less traffic.</li>
</ul>
<h3>FAQ</h3>
<ol>
<li>
<p>
Can I use Etherbat to map a remote network which is somewhere on the Internet?
</p>
<p>
Etherbat is a layer 2 tool; it uses MAC spoofing and the ARP protocol. This kind of traffic won't be forwarded by routers.<br />
The only possibility is to use some kind of Ethernet-over-IP tunneling (note: when the tunnel is not 100% transparent it may affect the result).
</p>
</li>
<li>
<p>
What if there are hubs (Ethernet repeaters) in the network?
</p>
<p>
Depending on hub placement, Etherbat will work well, refuse to work, or work badly and display incorrect results.
</p>
</li>
<li>
<p>
Etherbat doesn't display all switches.
</p>
<p>
If there are multiple switches <i>in the line</i> between hosts under test they are displayed as 0, 1 or more switches. See symbols description at the end of <a href="tests.html">tests description</a>.
</p>
</li>
</ol>
<h3>Author/contact</h3>
<p>
This software was written by me, Paweł Pokrywka. You can find my email address as well as my gpg key at:<br />
<a href="https://secure.cryptonix.org/">https://secure.cryptonix.org/</a>
</p>
</body>
</html>