HitB2010Ams - XProbe-NG: Building efficient Network Discovery Tools

By Fyodor Yarochkin

To clear up a common misunderstanding: this Fyodor is not the same Fyodor as the author of Nmap.

XProbe-NG was written to discover a rogue server in the network of a major Taiwanese internet provider. It turned out that XProbe was not sufficient to handle all the application-level traffic involved in that case.

However, doing layer 7 probes introduced two problems:

  • Bandwidth – Having to send far more data
  • Time – Making sure you finish in time
Other motivations for XProbe-NG include:
  • Scanning protocols other than IP
  • Bulk scanning
  • Probing “en-route” systems
  • Migration to IPv6
  • Honeypots/nets
  • Improving precision
“en-route” findings include:
  • Caching proxies, transparent proxies
  • L7 switches
  • Reactive IDS/IPS
  • Application Firewalls
  • Active Spoofing attacks
How do you minimize the network load of a tool like XProbe?
  • Information gain metrics
  • “Lazy Mode” execution
  • “target”-driven execution
  • New scan engine (in progress)
Information gain means that each plugin has a rating that characterizes how much “information” its probe might bring given what is already known about the target. Plugins with the highest information gain are executed first, and probes that would gain no information do not have to be executed at all.

Excluding zero-gain modules and only scanning the ports that are of interest to the remaining plugins is called “lazy mode” execution.

Neither optimisation is ideal, but gaining performance is always a trade-off between efficiency and accuracy.
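To make the information-gain ordering and lazy mode concrete, here is an added example of a greedy probe scheduler. It is not XProbe-NG's code: the fingerprint table, the plugin names, their port requirements and costs are all constructed for illustration, and the gain measure (expected entropy reduction over the set of candidate platforms, candidates treated as equally likely) is one reasonable reading of the "rating given what we already know" described above, not the talk's actual formula.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Set

# Constructed fingerprint table: the answer each candidate platform is expected
# to give to each probe. Hypothetical values, not xprobe's real signature set.
SIGNATURES: Dict[str, Dict[str, object]] = {
    "linux-2.6": {"icmp_echo_ttl": 64,  "tcp_syn_win": 5840,  "http_server": "apache"},
    "freebsd-7": {"icmp_echo_ttl": 64,  "tcp_syn_win": 65535, "http_server": "apache"},
    "win-xp":    {"icmp_echo_ttl": 128, "tcp_syn_win": 65535, "http_server": "iis"},
    "cisco-ios": {"icmp_echo_ttl": 255, "tcp_syn_win": 4128,  "http_server": "cisco"},
}


@dataclass(frozen=True)
class Plugin:
    name: str
    attribute: str         # signature field this probe measures
    ports: FrozenSet[int]  # ports that must be open for the probe to run at all
    cost: int              # relative bandwidth cost (packets on the wire)


# Hypothetical plugin set; the layer 7 banner grab is the expensive one.
PLUGINS: List[Plugin] = [
    Plugin("icmp_echo",   "icmp_echo_ttl", frozenset(),     cost=1),
    Plugin("tcp_syn",     "tcp_syn_win",   frozenset({80}), cost=1),
    Plugin("http_banner", "http_server",   frozenset({80}), cost=6),
]


def entropy(candidates: Iterable[str]) -> float:
    # Candidates are treated as equally likely, so H = log2(n).
    n = len(list(candidates))
    return math.log2(n) if n else 0.0


def information_gain(plugin: Plugin, candidates: Iterable[str]) -> float:
    """Expected drop in entropy of the candidate set if this probe were sent."""
    cands = list(candidates)
    groups: Dict[object, List[str]] = {}
    for c in cands:
        groups.setdefault(SIGNATURES[c][plugin.attribute], []).append(c)
    expected = sum(len(g) / len(cands) * entropy(g) for g in groups.values())
    return entropy(cands) - expected


def schedule(plugins: List[Plugin], candidates: Iterable[str],
             answer: Callable[[str], object]) -> dict:
    """Greedy scheduler: send the highest-gain probe next, drop probes that can
    no longer separate the remaining candidates (lazy mode), and stop once the
    candidate set cannot be narrowed further. `answer` plays the target."""
    cands: Set[str] = set(candidates)
    remaining = list(plugins)
    executed: List[str] = []
    skipped: List[str] = []
    ports: Set[int] = set()
    while len(cands) > 1 and remaining:
        gains = {p: information_gain(p, cands) for p in remaining}
        # Lazy mode: zero-gain plugins are never run, so their ports are never scanned.
        for p in [p for p in remaining if math.isclose(gains[p], 0.0, abs_tol=1e-12)]:
            skipped.append(p.name)
            remaining.remove(p)
        if not remaining:
            break
        # Highest gain first; on a tie, prefer the cheaper probe.
        best = max(remaining, key=lambda p: (gains[p], -p.cost))
        observed = answer(best.attribute)
        cands = {c for c in cands if SIGNATURES[c][best.attribute] == observed}
        executed.append(best.name)
        ports |= best.ports
        remaining.remove(best)
    return {"executed": executed, "skipped": skipped, "ports": ports, "result": cands}


def simulate(target: str) -> dict:
    """Run the scheduler against a simulated target drawn from the table."""
    return schedule(PLUGINS, SIGNATURES.keys(), lambda attr: SIGNATURES[target][attr])


if __name__ == "__main__":
    print(simulate("freebsd-7"))
```

Against the simulated FreeBSD target the scheduler sends the ICMP echo first (it splits the four candidates best and is cheapest), then the TCP SYN to separate Linux from FreeBSD, and never sends the six-packet HTTP banner probe because, once only those two candidates remain, it can no longer tell them apart. That is the bandwidth saving the talk is after; the trade-off is that a target whose real behaviour deviates from the table at the first probe is pruned onto the wrong branch with no later probe to catch it.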

After July 7, XProbe-NG can be downloaded from http://xprobe.sourceforge.net/ or cloned from the Git repository.

About the speaker

Fyodor Yarochkin is a security hobbyist and happy programmer with a few years spent in the business objectives and "security" service delivery field. These years, however, were not completely wasted – Fyodor has been contributing his spare time to a few open and closed source projects that attracted limited use among the non-business-oriented computer society. He has a background in system administration and programming and holds an Engineering degree in Software Engineering.
