Boris
(image: ethsniff.jpg)
founder: ruza
depends on:
interested: Stevko
software license: -
hardware license: -
status: active

Idea

The idea is to have a ready-to-use network segment that analyses the outgoing communication of any device connected to it. Not all network communication is necessarily visible to the analyst when sniffing directly on the device under analysis. That is the main reason the architecture needs an analyst PC with a network bridge: the device being analysed then need not know that it is being analysed.

Setup

Setup will probably consist of:

Analyst PC:

  • HW: 3 NICs
    • eth0 (remote access) - brmLAN ethernet, IP configured (boris.brm, 192.168.77.25): analyst PC ssh access, DNS resolving, software updates, data synchronization, ...
    • eth1 (transparent uplink for the device analysed) - brmLAN ethernet, NO IP configured
    • eth2 (CONNECT YOUR DEVICE HERE) - internal (sniffed) ethernet, NO IP configured
    • wlan0 - NOT INSTALLED YET FIXME (maybe later): low-powered AP for wireless devices
      • internal (sniffed) Wi-Fi
    • br0 (sniffing interface)
      • network bridge consisting of eth1 and eth2 (and wlan0 if applicable)
      • no IP address configured, invisible to the device analysed
    • sufficient disk space and disk I/O to save br0 traffic
  • OS:
    • Host/Dom0: Linux
    • Hosted/virtual: Windows based - Sysinternals tools, ProcDot, Process Explorer, IDA
    • other?
  • some type of network firewall FIXME (iptables based probably)
    • predefined network profiles (EverythingAllowed, NoIncomingTraffic)
    • simple and quick way to save a user-defined profile
    • possibility to dynamically reconfigure/tune firewall rules in a way that is geeky enough yet still usable, something like a popup “Would You like to allow this new connection …[y/n]?” FIXME
  • possibility to turn on automatic or manual analysis of stored and sniffed traffic (ntopng, snort, tcpdump, wireshark, iptraf, iftop, ...), session hijacking tools, PassiveDNS, etc.
  • TLS MITM FIXME
  • own DHCP server for eth2 (Nice-To-Have), to be able to preconfigure the device with desired settings FIXME
  • own DNS server (Nice-To-Have) for internally connected devices (eth2, wlan0), to be able to forge DNS replies FIXME
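The bridge and firewall-profile parts of the plan above, as an added example script (not code from the Boris project or this wiki). It builds br0 from eth1 and eth2 with no address on any of the three interfaces, and applies one of the two predefined profiles named on the page (EverythingAllowed, NoIncomingTraffic) on the FORWARD chain. One detail the plan's "no IP configured" line glosses over: a Linux bridge that is brought up gets an IPv6 link-local address by default and will announce itself on the sniffed segment (neighbour discovery, MLD), so the script disables IPv6 on br0 and its ports to keep the analyst box invisible. Assumed: iproute2, iptables with the physdev match, the br_netfilter module, and placeholder names for the interfaces and capture directory; DRY_RUN=1 only prints the commands so the ruleset can be reviewed before it touches a live machine.

```shell
#!/bin/sh
# boris-bridge.sh: added example, not from the brmlab wiki. Builds the
# transparent sniffing bridge (eth1 uplink + eth2 device -> br0, no IP) and
# applies a named firewall profile. Interface names and the capture directory
# are placeholders from the page's plan. Run as root; DRY_RUN=1 only prints.

UPLINK="${UPLINK:-eth1}"
DEVICE="${DEVICE:-eth2}"
BRIDGE="${BRIDGE:-br0}"
CAPDIR="${CAPDIR:-/var/lib/boris}"

# run CMD...: execute, or print the command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the bridge. Neither the ports nor br0 get an address, and IPv6 is
# disabled on all of them so the kernel does not auto-assign a link-local
# address and announce the analyst box (ND/MLD) on the sniffed segment.
setup_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run sysctl -q -w "net.ipv6.conf.$BRIDGE.disable_ipv6=1"
    for port in "$UPLINK" "$DEVICE"; do
        run ip addr flush dev "$port"
        run sysctl -q -w "net.ipv6.conf.$port.disable_ipv6=1"
        run ip link set dev "$port" master "$BRIDGE"
        run ip link set dev "$port" up promisc on
    done
    run ip link set dev "$BRIDGE" up
    # Make bridged frames visible to the iptables FORWARD chain.
    run modprobe br_netfilter
    run sysctl -q -w net.bridge.bridge-nf-call-iptables=1
}

# apply_profile NAME: the two predefined profiles from the page's plan.
# The physdev match tells the device port from the uplink port.
apply_profile() {
    run iptables -F FORWARD
    case "$1" in
        EverythingAllowed)
            run iptables -P FORWARD ACCEPT
            ;;
        NoIncomingTraffic)
            run iptables -P FORWARD DROP
            # Anything the device sends out may pass ...
            run iptables -A FORWARD -m physdev --physdev-in "$DEVICE" --physdev-out "$UPLINK" -j ACCEPT
            # ... but only replies to those connections come back in.
            run iptables -A FORWARD -m physdev --physdev-in "$UPLINK" --physdev-out "$DEVICE" \
                -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
            ;;
        *)
            echo "unknown profile: $1" >&2
            return 1
            ;;
    esac
}

# Hourly rotated full-size capture of everything crossing the bridge.
start_capture() {
    run mkdir -p "$CAPDIR"
    run tcpdump -i "$BRIDGE" -nn -s 0 -G 3600 -w "$CAPDIR/boris-%Y%m%d-%H%M%S.pcap"
}

main() {
    setup_bridge
    apply_profile "${1:-NoIncomingTraffic}"
    start_capture
}

# Only run when executed directly, not when sourced.
case "$0" in
    *boris-bridge.sh) main "$@" ;;
esac
```

Usage: `DRY_RUN=1 sh boris-bridge.sh NoIncomingTraffic` prints the exact command sequence; drop DRY_RUN to apply it. The profile is deliberately expressed on the FORWARD chain rather than as separate INPUT/OUTPUT rules, because the bridge itself has no address and should never be an endpoint of any connection.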

TODO: interface labels

 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported