Friday 17 March 2017

Raspaudit

Today I will speak about my final degree project: an auditing system for corporate networks using open source software on a Raspberry Pi. The project is mainly written in Python and has two separate parts. The main one runs on the Raspberry Pi and performs several analyses on the target network. The other part is a Python/Django based server deployed at a remote location.

Raspberry

On the Raspberry Pi, a script called main.py acts as the controller, uploading the obtained data to the remote server and sequentially calling three scripts. Each of those scripts performs a different analysis on the network, namely: passive, ports and services, and vulnerabilities.

The passive analysis, after obtaining an IP address using DHCP, captures all the traffic it receives but doesn't send any packet to the network (the DHCP exchange itself is the one unavoidable exception, and it makes the device look like any ordinary client joining the network). Therefore, the likelihood of raising any alarms is significantly reduced. This analysis was implemented using Scapy, a powerful Python library designed to assist in network packet manipulation. Using broadcast traffic (e.g. NetBIOS, SSDP...), it's possible to discover information about machines on the network, such as their name or the operating system they are running.

Most of the complexity of this part lay in the lack of information about some of the analysed protocols; some of them weren't even dissected by Scapy, hence their payloads were read directly as raw bytes in hexadecimal. Moreover, I found the learning curve for Scapy to be quite long, mainly due to the limited documentation available. I'm planning on further discussing passive analysis in a later post.
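Here is what the "read the bytes directly" path looks like for the two broadcast protocols named above, as an added example that is not part of the original project's code: a pure-Python dissector for a NetBIOS Name Service registration (UDP 137) and an SSDP NOTIFY (UDP 1900), merged into a per-IP machine record of the kind the passive stage hands on. The frames, IP addresses, host name and SERVER string are all constructed; Scapy is only needed for the capture, not for this parsing. Note how the NBNS name arrives as 32 ASCII letters that only turn into "RASPAUDIT" after the first-level decoding, which is exactly the sort of detail a generic dissector hides.

```python
from __future__ import annotations
import struct

# Constructed sample frames, as (source IP, UDP destination port, UDP payload).
# They stand in for what the sniffer hands the parser; none is a real capture.

# NBNS name registration request (RFC 1002) for "RASPAUDIT" with suffix 0x20
# (file server service). The name is carried as 32 first-level encoded letters.
NBNS_SAMPLE = (
    bytes.fromhex("a1b2")                    # transaction ID
    + bytes.fromhex("2910")                  # flags: opcode 5 (registration), RD, broadcast
    + bytes.fromhex("0001 0000 0000 0001")   # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1
    + b"\x20" + b"FCEBFDFAEBFFEEEJFE" + b"CA" * 7 + b"\x00"   # question name
    + bytes.fromhex("0020 0001")             # QTYPE NB, QCLASS IN
)

# SSDP NOTIFY as a UPnP device sends it to 239.255.255.250:1900 (values are made up).
SSDP_SAMPLE = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"SERVER: Linux/4.4.0 UPnP/1.0 MiniDLNA/1.1.5\r\n"
    b"USN: uuid:0a1b2c3d-0000-1000-8000-00d0c9a1b2c3::upnp:rootdevice\r\n"
    b"LOCATION: http://192.0.2.10:8200/rootDesc.xml\r\n\r\n"
)

FRAMES = [
    ("192.0.2.7", 137, NBNS_SAMPLE),
    ("192.0.2.10", 1900, SSDP_SAMPLE),
    ("192.0.2.7", 137, NBNS_SAMPLE),   # hosts re-announce; the merge must not duplicate them
]

NB_SUFFIX = {0x00: "workstation", 0x03: "messenger", 0x20: "file server",
             0x1B: "domain master browser", 0x1D: "master browser"}
NBNS_OPCODE = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}


def decode_nbns_name(encoded: bytes) -> tuple[str, int]:
    """Undo NetBIOS first-level encoding: each byte is sent as two nibbles, each + 'A'."""
    if len(encoded) != 32 or any(c < 0x41 or c > 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41)
                for hi, lo in zip(encoded[0::2], encoded[1::2]))
    # 15 name bytes padded with spaces, then the one-byte service suffix.
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def parse_nbns(payload: bytes) -> dict:
    """Pull name, service and opcode out of the NBNS header plus its single question."""
    if len(payload) < 12 + 34 + 4 or payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("truncated or non-standard NBNS packet")
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, suffix = decode_nbns_name(payload[13:45])
    return {"name": name,
            "service": NB_SUFFIX.get(suffix, f"0x{suffix:02x}"),
            "opcode": NBNS_OPCODE.get((flags >> 11) & 0xF, "other")}


def parse_ssdp(payload: bytes) -> dict:
    """Read the headers of an SSDP message; SERVER carries OS and stack hints."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith(("NOTIFY", "M-SEARCH", "HTTP/1.1")):
        raise ValueError("not an SSDP message")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
    server = headers.get("server", "")
    return {"server": server,
            "os_hint": server.split(" ")[0] if server else None,
            "location": headers.get("location"),
            "usn": headers.get("usn")}


def discover(frames) -> dict:
    """Merge broadcast observations into one record per source IP."""
    hosts: dict = {}
    for src_ip, dport, payload in frames:
        host = hosts.setdefault(src_ip, {"ports_seen": set()})
        host["ports_seen"].add(dport)            # feeds the later port scan
        try:
            if dport == 137:
                info = parse_nbns(payload)
                host["name"] = info["name"]
                host.setdefault("services", set()).add(info["service"])
            elif dport == 1900:
                info = parse_ssdp(payload)
                host["os_hint"] = info["os_hint"]
                host["upnp_server"] = info["server"]
        except ValueError:
            host["undissected"] = payload[:16].hex()   # keep raw bytes for manual analysis
    return hosts


if __name__ == "__main__":
    for ip, rec in discover(FRAMES).items():
        print(ip, rec)
```

The parser refuses anything it cannot fully account for (wrong name length, letters outside A..P, more than one question) instead of guessing; a sniffer that runs unattended for hours is better off recording the raw bytes of an odd packet than mislabelling a host.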

The ports and services analysis is performed right after the passive one. Using the machine list previously obtained, nmap is run, connected to our code through the python-nmap library. During this stage the open ports and the services running on them are scanned, enriching the machine information from the previous analysis. The nmap scan is limited to very common ports (e.g. 80, 443, 137...) and to those ports seen in use in the nodes' broadcast traffic. By default, nmap is run with the -T0 option, trying to reduce the chances of being detected. Keep in mind that -T0 serialises the probes and waits five minutes between them, so even a short port list against a handful of hosts takes hours, and that it lowers the rate of the probes, not their visibility.
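The scan plan and the result merge, as an added example rather than the project's own code: it builds the target and port strings in the shape python-nmap's PortScanner.scan(hosts=..., ports=..., arguments=...) takes, computes the lower bound -T0 puts on the scan time, and merges the XML nmap emits with -oX - into the machine records from the passive stage. The common-port list, the extra -n -Pn flags and the XML sample are assumptions; only the XML structure (host, address, port, state, service elements) is nmap's real format.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Ports scanned on every host regardless of what was seen passively (assumed list).
COMMON_PORTS = [22, 80, 135, 137, 139, 443, 445]

# Output of the passive stage for two hosts (constructed).
PASSIVE_HOSTS = {
    "192.0.2.7":  {"name": "RASPAUDIT", "ports_seen": {137, 138}},
    "192.0.2.10": {"os_hint": "Linux/4.4.0", "ports_seen": {1900}},
}

# What nmap -oX - writes for that plan (constructed, trimmed to the elements
# the merge reads; a real run carries many more attributes).
NMAP_XML_SAMPLE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T0 -sV -n -Pn -oX - ...">
  <host><status state="up"/>
    <address addr="192.0.2.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Samba smbd" version="4.5.16"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="MiniDLNA" version="1.1.5"/></port>
      <port protocol="tcp" portid="1900"><state state="closed"/><service name="upnp"/></port>
    </ports>
  </host>
</nmaprun>"""


def build_scan_plan(hosts: dict, common_ports=COMMON_PORTS) -> tuple[str, str, str]:
    """Return (targets, ports, arguments) for PortScanner.scan().

    Ports are the union of the common list and every port a host was seen
    using in broadcast traffic. -n and -Pn (assumed here) skip DNS and host
    discovery, two more sources of avoidable traffic on the audited network.
    """
    targets = " ".join(sorted(hosts, key=lambda ip: tuple(int(o) for o in ip.split("."))))
    ports = set(common_ports)
    for rec in hosts.values():
        ports |= rec.get("ports_seen", set())
    return targets, ",".join(str(p) for p in sorted(ports)), "-T0 -sV -n -Pn"


def estimate_t0_hours(hosts: dict, common_ports=COMMON_PORTS) -> float:
    """Lower bound on wall-clock time: -T0 sends one probe every five minutes,
    and -sV service probes only add to it."""
    _, ports, _ = build_scan_plan(hosts, common_ports)
    probes = len(hosts) * len(ports.split(","))
    return probes * 5 / 60


def merge_nmap_xml(hosts: dict, xml_text: str) -> dict:
    """Attach open ports and service banners from nmap's XML to the host records."""
    root = ET.fromstring(xml_text)
    for host_el in root.iter("host"):
        addr_el = host_el.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        rec = hosts.setdefault(addr_el.get("addr"), {"ports_seen": set()})
        status = host_el.find("status")
        rec["up"] = status is not None and status.get("state") == "up"
        open_ports = rec.setdefault("open_ports", {})
        for port_el in host_el.iter("port"):
            state = port_el.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports add nothing useful
            svc = port_el.find("service")
            banner = ""
            if svc is not None:
                banner = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            open_ports[int(port_el.get("portid"))] = {
                "proto": port_el.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "banner": banner or None,
            }
    return hosts


if __name__ == "__main__":
    targets, ports, args = build_scan_plan(PASSIVE_HOSTS)
    print(f"nmap {args} -p {ports} {targets}  (at least {estimate_t0_hours(PASSIVE_HOSTS)} h)")
    for ip, rec in merge_nmap_xml(PASSIVE_HOSTS, NMAP_XML_SAMPLE).items():
        print(ip, rec["open_ports"])
```

Two hosts and nine ports already cost an hour and a half at -T0 before service detection, which is why the port list has to stay short; widening it to a top-1000 scan would take the device days per network.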

Finally, a vulnerability analysis is performed. OpenVAS, a framework for vulnerability assessment, is the tool selected for this part, connected to Python through the openvas.omplib library. The main challenges faced at this stage were once again related to the lack of documentation, both for installing and setting up OpenVAS and for starting the scan and parsing the results from Python. Moreover, the limited resources of the Raspberry Pi were quite obvious when installing and running OpenVAS. As a result, the framework needs to be started at the same time as the main.py script, in order to give it time to load. Unlike the two earlier stages, this one is inherently noisy: a vulnerability scan sends a large volume of probe traffic to every host, so it is the stage most likely to trip an IDS.

During every analysis, main.py periodically sends a JSON file with the obtained information to the server. Additionally, once the vulnerability analysis has run, the JSON file, with the vulnerability assessment information appended, is sent together with the OpenVAS HTML report to the remote server. During the early development stages of the project, this traffic was sent to the server over the audited network. However, in order to avoid sending more traffic than needed to the target network, an auxiliary connection was set up. In particular, I used a 3G/4G USB dongle, but WiFi could also be a wise choice, depending on the circumstances. In any case, traffic is sent encrypted, using HTTPS; since the dongle link is as exposed as any other Internet path, the device must verify the server's certificate against a known CA rather than accept whatever it is offered.

Server

The server receives information from one or several Raspberry Pis. Through the /upload address, they can upload the analysis results in JSON or HTML. They are authenticated by a client certificate installed on each device, so only enrolled devices can submit results; provided the device in turn verifies the server's certificate, the link is mutually authenticated as well as encrypted.

On the other hand, users are granted access to the web GUI when they log in with their username and password. This graphical interface shows (left to right):

  • A list of the devices (Raspberries) that have sent information to the server. 
  • The list of audited networks for the selected device. 
  • A graph of the detected machines on the selected network. 
  • The information of the selected machine, together with the link to the related OpenVAS report in HTML, should it be available. 

Conclusion

Overall, the project achieved the main objectives I had established. The auditing device performs a broad analysis of the machines within the same broadcast domain and sends the obtained information to a remote server through an independent connection.

However, I would definitely improve the web interface, both its graphical design (starting by making it responsive) and its functionality (e.g. adding a control panel for controlling the Raspberries from the web app). Moreover, extensions such as WiFi network auditing could prove interesting in order to obtain more information about networks within an organisation. 
