Omphalos: Difference between revisions

 
(46 intermediate revisions by the same user not shown)
Line 1: Line 1:
[[File:omphalos.png|right]]
[[File:omphalos-2011-12-01.jpg|thumb|right|Three omphalos processes, 2011-12-01]]
[[File:omphalos-2011-12-01.jpg|thumb|right|Three omphalos processes, 2011-12-01]]
A tool for network enumeration, protection, observation and domination. Omphalos makes use of passive and active portscanning, DNS/DHCP/[[Zeroconf]] server interrogation, portknock detection, covert channel detection and establishment, ARP scanning, automatic WEP cracking, man-in-the-middling, and a whole host of other tricks. GPS integration? Oh yes. Coordination across multiple interfaces? Of course. Use of Linux's MMAP_RX_SOCKET and MMAP_TX_SOCKET? Wouldn't have it any other way. Userspace networking is made visible to the host via a [[TUN/TAP]] device. While designed as an offensive tool, omphalos has proven useful for network debugging and troubleshooting, as well as experimentation.


'''The latest release is [http://dank.qemfd.net/src/omphalos/rel/current/ 0.99.0 (β)], released 2011-12-01.'''
A tool for network enumeration, protection, observation and domination. Omphalos makes use of passive and active portscanning, DNS/DHCP/[[Zeroconf]] server interrogation, portknock detection, covert channel detection and establishment, ARP scanning, automatic WEP cracking, man-in-the-middling, and a whole host of other tricks. GPS integration? Oh yes. Coordination across multiple interfaces? Of course. Use of Linux's <tt>MMAP_RX_SOCKET</tt> and <tt>MMAP_TX_SOCKET</tt>? Wouldn't have it any other way. Userspace networking is made visible to the host via a [[TUN/TAP]] device. While designed as an offensive tool, omphalos has proven useful for network debugging and troubleshooting, as well as experimentation.


Omphalos is not a "''point-and-click''" tool so much as "''pull the pin''" or perhaps "''spray the area''". Default behavior is to redirect and seize all traffic, attack weak cryptosystems, archive authentication materials, and learn everything that can be learned. Ideally, a tiny microprocessor would be paired with power and a network device, stealthily physically inserted into a network, and left there; <tt>omphalos</tt> and [[Hackery#liburine|liburine]] would then combine to provide complete network dominance. I hope to combine network programming and high-performance computing to create a tool capable of much havoc.
* '''The latest release is [https://github.com/dankamongmen/omphalos/releases/tag/v0.99.9 0.99.9], released 2019-11-20.'''
* [[Arch]]'s AUR contains [https://aur.archlinux.org/packages/omphalos/ omphalos]


'''Omphalos: Because one layer is never enough.''' Code is hosted on [https://github.com/dankamongmen/omphalos GitHub]. Bugtracking is hosted on [http://dank.qemfd.net/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=omphalos qemfd-bugzilla]. There's a mailing list at [http://groups.google.com/group/omphalos-dev Google Groups].
Omphalos is not a "''point-and-click''" tool so much as "''pull the pin''" or perhaps "''spray the area''". Default behavior is to redirect and seize all traffic, attack weak cryptosystems, archive authentication materials, and learn everything that can be learned. Ideally, a tiny microprocessor would be paired with power and a network device, stealthily physically inserted into a network, and left there; <tt>omphalos</tt> and [[Hackery#liburine|liburine]] would then combine to provide complete network dominance. I hope to combine network programming and the techniques of high-performance computing to create a tool capable of much havoc.
 
'''Omphalos: Because one layer is never enough.''' Code is hosted on [https://github.com/dankamongmen/omphalos GitHub], as are [https://github.com/dankamongmen/omphalos/issues modern issues]. Old bugs are still available at [https://nick-black.com/bugzilla/buglist.cgi?cmdtype=runnamed&namedcmd=omphalos bugzilla]. There's a mailing list at [http://groups.google.com/group/omphalos-dev Google Groups].
==Similar Tools==
==Similar Tools==
* [http://www.thoughtcrime.org/software/sslsniff/ SSLSNIFF] from Thoughtcrime Labs
* [http://www.thoughtcrime.org/software/sslsniff/ SSLSNIFF] from Thoughtcrime Labs
* [http://ettercap.sourceforge.net/ ettercap] by Alberto Ornaghi and Marco Valleri
* [http://ettercap.sourceforge.net/ ettercap] by Alberto Ornaghi and Marco Valleri
* [http://www.nixgeneration.com/~jaime/netdiscover/ Netdiscover] by Jaime Peñalba
* [http://www.nixgeneration.com/~jaime/netdiscover/ Netdiscover] by Jaime Peñalba
* [http://www.netresec.com/?page=NetworkMiner NetworkMiner] from NETRESEC AB
* [http://www.jdisc.com/ JDisc Discovery] from JDisc UG
* [http://www.lantopolog.com/ LanTopolog] by Yuriy Volokitin
* [http://code.google.com/p/mirandaupnptool/ Miranda] by Craig Heffner
===Countertools===
===Countertools===
We want to defeat systems like:
We want to defeat systems like:
Line 182: Line 189:


==Analysis and Attack Capabilities==
==Analysis and Attack Capabilities==
===Physical Layer Support===
{| class="wikitable" border="1"
! Protocol
! [[Standards|Standard]]
! [[Pcap|libpcap]] linktype
! Linux ARP type
! Analyzed?
|-
| BSD Loopback
| ?
| DLT_NULL
| N/A
| No
|-
| Linux Cooked Capture
| [http://linuxmanpages.com/man7/packet.7.php packet(7)]
| DLT_LINUX_SLL
| N/A
| Yes
|-
| [[Ethernet]]
* Ethernet II/DIX
* Novell 802.3
* IEEE 802.2 LLC
* SNAP
* 802.1Q VLAN/802.1p QoS (IEEE 802.3ac)
| IEEE 802.3-2008
| DLT_EN10MB
| ARPHRD_ETHER
| Yes
|-
| Token Ring
| IEEE 802.5
| DLT_IEEE802
| ARPHRD_IEEE802_TR
| No
|-
| ARCNET
| ANSI 878.1
|
* DLT_ARCNET
* DLT_ARCNET_LINUX
| ARPHRD_ARCNET
| No
|-
| SLIP
(Serial Line Internet Protocol)
|
* RFC 1055 (SLIP)
* RFC 1154 (CSLIP)
| DLT_SLIP
|
* ARPHRD_SLIP
* ARPHRD_SLIP6
* ARPHRD_CSLIP
* ARPHRD_CSLIP6
| No
|-
| PPP (Point-to-Point Protocol)
* BSD/OS PPP
* PPP over serial
* PPPoE (PPP over [[Ethernet]])
* PPPoA (PPP over ATM)
* Cisco PPP/HDLC
| RFC 1661
* ?
* RFC 1662
* RFC 2516
* RFC 2364
* RFC 1547
| DLT_PPP
* DLT_PPP_BSDOS
* DLT_PPP_SERIAL
* DLT_PPP_ETHER
* ?
* DLT_C_HDLC
| ARPHRD_PPP
| Partial
* No
* No
* No
* No
* Yes
|-
| FDDI
(Fiber Distributed Data Interface)
|
* MAC: ANSI X3.139-1987 / ISO 9314-2
* PHY: ANSI X3.148-1988 / ISO 9314-1
| DLT_FDDI
| ARPHRD_FDDI
| No
|-
| Fibre Channel
| RFC 2625
| DLT_IP_OVER_FC
|
* ARPHRD_FCPP
* ARPHRD_FCAL
* ARPHRD_FCPL
* ARPHRD_FCFABRIC
| No
|-
| IrDA
(Infrared Data Association)
|
* IrDA PHY Spec v1.5
* IrDA Link Access Protocol v1.1
| DLT_LINUX_IRDA
| ARPHRD_IRDA
| Yes
|-
| Radiotap
| De facto
| DLT_IEEE802_11_RADIO
| ARPHRD_IEEE80211_RADIOTAP
| Yes
|-
| Firewire
| IEEE 1394
| N/A
| ARPHRD_IEEE1394
| Yes
|-
| Frame Relay
| ?
| DLT_FRELAY
| ARPHRD_FRAD
| No
|-
| Apple LocalTalk
| ?
| DLT_LTALK
| ARPHRD_APPLETLK
| No
|-
| LAPD
(Link Access Protocol - D Channel)
| ITU Q.921
| DLT_LINUX_LAPD
| ARPHRD_LAPB
| No
|-
|}
===Layer 2===
===Layer 2===
====Topology Discovery====
''For more information, see the [[Topology Discovery]] page.''
{| class="wikitable" border="1"
|-
! Protocol
! Standard
! Support
|-
| [[Topology_Discovery#Link-Local_Topology_Discovery_.28LLTD.29_Protocol|LLTDP]]
| Microsoft
|
* Extraction of data from HELLO packets
* Enumeration via DISCOVERY requests
|-
| [[Topology_Discovery#Link-Layer_Discovery_Protocol_.28LLDP.29|LLDP]]
| IEEE 802.1AB-2005
|
* None yet
|-
| [[Topology_Discovery#Cisco_Discovery_Protocol_.28CDP.29|CDP]]
| Cisco
|
* None yet
|-
| STP
| IEEE 802.1D
|
* Minimal analysis of BDPUs
|-
|}
====802.3/Ethernet II====
====802.3/Ethernet II====
* Detect physical hosts on the network via MAC analysis
* Detect physical hosts on the network via MAC analysis
Line 196: Line 378:
* VLAN hopping
* VLAN hopping


====802.11====
====[[WiFi|802.11]]====
* Passively attack weak cryptosystems (especially WEP), or do so actively if configured
* Passively attack weak cryptosystems (especially WEP), or do so actively if configured
* Channel hopping or locked operation
* Channel hopping or locked operation
Line 202: Line 384:
* Respond as master to probed networks, on a to-order basis
* Respond as master to probed networks, on a to-order basis
* Ability to run omphalos in as an AP client via userspace networking atop radiotap (Monitor mode) and WPA/EAPOL support
* Ability to run omphalos in as an AP client via userspace networking atop radiotap (Monitor mode) and WPA/EAPOL support
** Or, more likely, some kind of hostapd control using Master mode
* "[http://www.airtightnetworks.com/WPA2-Hole196 Hole 196]" injection
* "[http://www.airtightnetworks.com/WPA2-Hole196 Hole 196]" injection
* Viehbock's [http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf WPS EAP-NACK] brute-force attack ([http://www.kb.cert.org/vuls/id/723755 US-CERT #723755])


====STP====
* '''FIXME'''
====DTP====
* '''FIXME'''
===Layer 3===
===Layer 3===
* ICMP redirects
* ICMP redirects
Line 222: Line 402:
* Cryptographic downgrade attacks on HTTPS etc
* Cryptographic downgrade attacks on HTTPS etc
===Layer 5===
===Layer 5===
* FireSheep-like session hijacking
* FireSheep- and BEAST-like session hijacking
* Progressive user identity/demographic discovery aka "maximum creepy" (heuristics on machine name, web pages visited, accounts revealed, mails sent etc)
* Progressive user identity/demographic discovery aka "maximum creepy" (heuristics on machine name, web pages visited, accounts revealed, mails sent etc)
** Watch for and aggregate probed wireless networks, DHCP lease renewals, etc
** Watch for and aggregate probed wireless networks, DHCP lease renewals, etc
Line 231: Line 411:
Omphalos currently only runs or indeed builds on fairly recent Linux systems, due to extensive use of advanced capabilities of the Linux networking stack (and the small fact that I don't run anything else). I doubt that I would accept patches to add Windows/MacOSX support, but you're certainly welcome to maintain them yourself. Once the main functionality set is complete (0.98 release), I'll add support for falling back to plain old PF_PACKET sockets without ringbuffers; that ought add support for any UNIX-based OS with a basic <tt>rtnetlink</tt> implementation.
Omphalos currently only runs or indeed builds on fairly recent Linux systems, due to extensive use of advanced capabilities of the Linux networking stack (and the small fact that I don't run anything else). I doubt that I would accept patches to add Windows/MacOSX support, but you're certainly welcome to maintain them yourself. Once the main functionality set is complete (0.98 release), I'll add support for falling back to plain old PF_PACKET sockets without ringbuffers; that ought add support for any UNIX-based OS with a basic <tt>rtnetlink</tt> implementation.
===User Interfaces===
===User Interfaces===
* <tt>omphalos-tty</tt>: line-based console output with readline-based input
* <tt>omphalos-tty</tt>: line-based console output with [[readline]]-based input
* <tt>omphalos-ncurses</tt>: screen-based terminal output with ncurses-based input
* <tt>omphalos-ncurses</tt>: screen-based terminal output with [[ncurses]]-based input
* GTK: I'd like to add a GTK UI, but it's not a major priority
* GTK: I'd like to add a GTK UI, but it's not a major priority
** If you'd like to contribute freely-licensed, original artwork to this effort, please contact me!
** If you'd like to contribute freely-licensed, original artwork to this effort, please contact me!
* WxWidgets, QT: Dubious that I'll add one, but I'd take patches.
* WxWidgets, QT: Dubious that I'll add one, but I'd take patches.
* Java: nope
* Java: nope
==Project documentation==
==Project documentation==
Transcluded from top of my git repository at GitHub.
Transcluded from top of my git repository at GitHub.