HitB2010Ams - XProbe-NG: Building efficient Network Discovery Tools
Frank Breedijk
XProbe-NG was written to discover a rogue server in the network of a major Taiwanese internet provider. It turned out that XProbe was not sufficient to handle all the application-level traffic that was going on in this case.
However, doing layer 7 probes introduced two problems:
- Bandwidth – Having to send far more data
- Time – Making sure you finish in time
Other topics covered in the talk:
- Scanning other protocols than IP only
- Bulk scanning
- Probing “en-route” systems
- Migration to IPv6
- Improving precision
- Caching proxies, transparent proxies
- L7 switches
- Reactive IDS/IPS
- Application firewalls
- Active spoofing attacks
- Information gain metrics
- “Lazy mode” execution
- “Target”-driven execution
- New scan engine (in progress)
Excluding zero-gain modules and scanning only the ports that are of interest to the plugins is called “Lazy mode” execution.
Neither optimisation is ideal, but gaining performance is always a trade-off between efficiency and accuracy.
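As an added illustration of the gain-driven “Lazy mode” idea (example code written for this summary, not Xprobe-NG's own code): each probe module is scored by how many bits of information it is expected to yield over the remaining candidate fingerprints, zero-gain modules are dropped, and only the ports the surviving modules need are scanned. The signature table, module names and port requirements below are constructed and hypothetical.

```python
import math
from collections import Counter

# Constructed toy signature table (not Xprobe's real fingerprint database):
# for each candidate OS, the value each probe module is expected to observe.
SIGNATURES = {
    "os_a": {"icmp_ttl": 64,  "tcp_window": 5840,  "http_banner": "apache", "snmp_sysdescr": "generic"},
    "os_b": {"icmp_ttl": 128, "tcp_window": 8192,  "http_banner": "iis",    "snmp_sysdescr": "generic"},
    "os_c": {"icmp_ttl": 64,  "tcp_window": 5840,  "http_banner": "nginx",  "snmp_sysdescr": "generic"},
    "os_d": {"icmp_ttl": 255, "tcp_window": 65535, "http_banner": "apache", "snmp_sysdescr": "generic"},
}

# Hypothetical ports each module needs probed before it can run at all.
MODULE_PORTS = {
    "icmp_ttl": set(),            # ICMP probe, no TCP/UDP port involved
    "tcp_window": {80, 443},
    "http_banner": {80},
    "snmp_sysdescr": {161},
}


def information_gain(module, candidates):
    """Expected entropy reduction (bits) over a uniform prior on `candidates`
    if we learn the value that `module` returns."""
    n = len(candidates)
    if n < 2:
        return 0.0
    groups = Counter(SIGNATURES[os][module] for os in candidates)
    # H(prior) - sum_v P(v) * H(candidates | v), with a uniform prior.
    expected_posterior = sum(c / n * math.log2(c) for c in groups.values())
    return math.log2(n) - expected_posterior


def lazy_plan(candidates):
    """'Lazy mode': keep only modules with non-zero gain and scan only the
    ports those modules need. Returns (modules sorted by gain, ports)."""
    gains = {m: information_gain(m, candidates) for m in MODULE_PORTS}
    useful = sorted((m for m in gains if gains[m] > 1e-9), key=lambda m: -gains[m])
    ports = set().union(*(MODULE_PORTS[m] for m in useful)) if useful else set()
    return useful, ports


def narrow(candidates, module, observed):
    """Drop candidates whose signature disagrees with an observed value."""
    return [os for os in candidates if SIGNATURES[os][module] == observed]


if __name__ == "__main__":
    cands = list(SIGNATURES)
    print(lazy_plan(cands))                          # snmp_sysdescr and port 161 dropped
    # After observing TTL 64, tcp_window no longer separates os_a from os_c.
    print(lazy_plan(narrow(cands, "icmp_ttl", 64)))  # only http_banner, port 80
```

The second plan shows the “target-driven” side of the same metric: once a probe has narrowed the candidate set, modules that cannot separate the survivors become zero-gain and their ports fall out of the scan.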
After July 7, XProbe-NG can be downloaded from http://xprobe.sourceforge.net/ or cloned from the Git repository.