Rogue Network Link Detection
Title:
Rogue Network Link Detection
Last Updated:
December 5, 2005
Summary:
Unauthorized network links are one of the biggest problems facing large
enterprise networks. Users intent on bypassing corporate proxies will often use
cable modems, wireless networks, or even full-fledged T1s to access the
Internet. These network links can have a drastic effect on organizational security:
every perimeter access control is bypassed, so the traffic never reaches the
choke points where administrators concentrate their monitoring and intrusion
prevention efforts. This document describes approaches and techniques that can
be used to detect these rogue network links.
Researcher(s):
H D Moore (hdm[at]metasploit.com)
Documents and Tools:
Using the Rogue Network Tools:
The Rogue Network Tools (v0.01) are still very simplistic; the code was written a few years ago and has not been maintained since.
There are two components to this package: the detector and the sender. The detector (rogue_det.pl) must be run, as root, on an Internet-facing system, preferably one with as little inbound filtering as possible, since it has to see whatever replies come back. The sender (rogue_syn.pl) is launched on the internal network against each system you would like to test.
This package has only been tested on Linux and will require modifications to use on any other operating system. The build system (build.sh) requires libpcap (and associated header files) to be installed.
Building the package is straightforward and should be performed on both the detector and sender systems:
# ./build.sh
This should create a subdirectory called 'perl_lib' that contains all of the compiled perl modules.
The next step is to run the detector script. You really should specify a port number, otherwise it will try to decode any and every TCP packet it sees. The port given with -p is the destination port of the probes (2005 is the sender's default), so the detector watches for replies coming back from TCP source port 2005, plus any ICMP errors the probes trigger:
# ./rogue_det.pl -p 2005
[*] No authorized subnets defined, reporting all requests.
[*] No device defined, defaulting to eth0.
[*] Using filter: (icmp or (tcp src port 2005)) and not src a.b.c.d
[*] Monitoring requests...
Finally, use rogue_syn.pl to probe the target network, specifying the address of the detector system, the target IP range, and optionally the source and destination TCP ports:
# ./rogue_syn.pl -t 192.168.0.0/24 -m a.b.c.d -s 1981 -d 2005
[-] Sending 254 probes from a.b.c.d to port 2005
[-] sending probe to 192.168.0.1
[-] sending probe to 192.168.0.2
[-] sending probe to 192.168.0.3
[-] sending probe to 192.168.0.4
[-] sending probe to 192.168.0.5
[-] sending probe to 192.168.0.6
[-] sending probe to 192.168.0.7
[ .. ]
On the monitoring system's console, you should now see incoming requests:
# ./rogue_det.pl -p 2005
[...]
[*] Monitoring requests...
TCP 67.9.1x.x:2005 a.b.c.d:1981 192.168.0.2 closed
TCP 67.9.1x.x:2005 a.b.c.d:1981 192.168.0.21 closed
The first column is the source address of the reply (here the partially masked public address of the rogue link), the second is the destination (the monitor), and the third is the internal IP address of the host that answered. The sender encodes the internal target's address in the TCP sequence number of each probe; a TCP reply echoes it back in its acknowledgment number (probe sequence + 1) and an ICMP error quotes the probe's original header, so the detector can recover the target from either kind of response. The final column is the probe result (a RST means the probed port was closed). Replies arriving from your sanctioned egress addresses are expected; a reply from any other source means that host reached the Internet over a path that bypasses the perimeter. Once you know your legitimate egress ranges, configure them as the detector's authorized subnets (the "No authorized subnets defined" notice above refers to this) so that only the unexpected sources are reported.
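The following is an added example, not the code of rogue_syn.pl or rogue_det.pl, that builds and decodes the packets of the exchange above entirely in memory: a spoofed SYN from the detector's address to an internal target with the target's IPv4 address carried as the 32-bit sequence number (the exact encoding used by the original tools is not shown on this page, so the plain address value is assumed here), then the two kinds of reply the detector can see, a RST/ACK from a closed port and an ICMP port-unreachable quoting the probe, and the decoder that recovers the internal address from each. The detector address 203.0.113.10 and the rogue link's public address 198.51.100.7 are constructed test data. The real tools send these packets with raw sockets as root; this example only constructs and parses them, so it runs without privileges.

```python
import ipaddress
import struct

# TCP flag bits used below
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP, TCP and ICMP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (IHL 5, TTL 64) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int, ack: int, flags: int) -> bytes:
    """20-byte TCP header, checksummed over the IPv4 pseudo-header as the receiver expects."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(hdr)))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_probe(detector: str, target: str, sport: int = 1981, dport: int = 2005) -> bytes:
    """The sender's probe: a SYN spoofed from the detector, seq = target's own address (assumed encoding)."""
    seq = int(ipaddress.IPv4Address(target))
    tcp = tcp_segment(detector, target, sport, dport, seq, 0, SYN)
    return ipv4_header(detector, target, 6, len(tcp)) + tcp


def rst_reply(probe: bytes, public_src: str) -> bytes:
    """Closed port: the target answers the SYN with RST/ACK whose ack = probe seq + 1.
    public_src is the address the rogue link's NAT writes on the reply (constructed)."""
    ihl = (probe[0] & 0x0F) * 4
    detector = str(ipaddress.IPv4Address(probe[12:16]))
    sport, dport, seq = struct.unpack("!HHI", probe[ihl:ihl + 8])
    tcp = tcp_segment(public_src, detector, dport, sport, 0, (seq + 1) & 0xFFFFFFFF, RST | ACK)
    return ipv4_header(public_src, detector, 6, len(tcp)) + tcp


def icmp_unreachable_reply(probe: bytes, public_src: str) -> bytes:
    """Filtered port: ICMP type 3 code 3 quoting the probe's IP header plus 8 bytes of TCP (the seq survives)."""
    ihl = (probe[0] & 0x0F) * 4
    detector = str(ipaddress.IPv4Address(probe[12:16]))
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + probe[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(public_src, detector, 1, len(icmp)) + icmp


def decode_reply(pkt: bytes, probe_dport: int = 2005):
    """The detector's logic: match replies to our probes and recover the internal address.
    Returns None for packets that are not responses to a probe (the equivalent of the pcap filter)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    body = pkt[ihl:]
    if proto == 6:  # TCP: reply comes FROM the probed port; ack number carries seq + 1
        sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", body[:14])
        if sport != probe_dport or not flags & ACK:
            return None
        state = "open" if flags & SYN else "closed" if flags & RST else "other"
        internal = ipaddress.IPv4Address((ack - 1) & 0xFFFFFFFF)
        return {"proto": "TCP", "rogue_ip": src, "monitor": f"{dst}:{dport}",
                "internal": str(internal), "state": state}
    if proto == 1 and body[0] == 3:  # ICMP destination unreachable quoting our probe
        inner = body[8:]
        inner_ihl = (inner[0] & 0x0F) * 4
        if inner[9] != 6:
            return None
        sport, dport, seq = struct.unpack("!HHI", inner[inner_ihl:inner_ihl + 8])
        if dport != probe_dport:
            return None
        return {"proto": "ICMP", "rogue_ip": src, "monitor": f"{dst}:{sport}",
                "internal": str(ipaddress.IPv4Address(seq)), "state": "unreachable"}
    return None


if __name__ == "__main__":
    detector, nat_public = "203.0.113.10", "198.51.100.7"  # constructed addresses
    for target in ("192.168.0.2", "192.168.0.21"):
        probe = build_probe(detector, target)
        for reply in (rst_reply(probe, nat_public), icmp_unreachable_reply(probe, nat_public)):
            r = decode_reply(reply)
            print(r["proto"], r["rogue_ip"], r["monitor"], r["internal"], r["state"])
```

The decoder deliberately trusts only fields that a genuine response must echo (the probed port and the sequence number) and ignores the source address when deciding whether a packet is a reply at all, because the whole point of the technique is that the reply's source is unknown in advance. Anything that arrives from a source outside your sanctioned egress ranges is the finding.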
