netleak - a network leak finder thingy
Copyright (C) 2005 by Jonas Hansen
=====================================================================

!! NOTE !! NOTE !! NOTE !!
---------------------------
'netleak' is in ALPHA stage. Many things are still untested, such as how
different routers and NAT devices respond to the packets we generate.

What is Network Leak Finder?
----------------------------
'netleak' and 'netleakd' are two small Perl scripts working together to detect
rogue paths or "leaks" between different network segments.

Imagine some large corporation which has an internal development LAN where all
sorts of sensitive information is flowing around. This corporation would likely
have some very strict rules as to how its employees access the Internet or
other partner branches in order to protect its information. For the system
administrator this is a daunting task: as the corporate LAN grows, keeping
track of all the routes through the network becomes extremely difficult. Some
routers might simply have been forgotten over time, or an employee might have
gone wise and connected his own ADSL router or something alike.

Network Leak Finder tries to detect this in a centralized manner by sending
spoofed packets into the internal network; if any packet finds a way onto the
external network, a "leak" has been detected. As an analogy, it works the same
way you would find a hole in a bucket: fill it with water and see if anything
leaks out.

In most scenarios the external network would be the Internet, since everybody
should be afraid of what their corporate LANs are leaking to it!

How can I use it?
-----------------
You need one host on each network - a client and a server. The client (netleak)
sends out packets on the internal network and the server (netleakd) waits for
the packets on the external network.
As soon as the server properly identifies a packet which was sent by the client
it prints out the origin of the packet and the internal IP address of the host
that knew a route from the inside. This way you know exactly which internal
host is leaking and where the packet emerged on the external net.

Logging is also supported, either to file or to syslog. See the manpages for
options and examples.

How do I install it?
-------------------
Use "make install" to install and "make uninstall" to uninstall.

netleak needs the following Perl modules to operate:

    Getopt::Long
    IO::Socket::INET
    IO::Interface
    Net::RawIP
    NetAddr::IP
    Sys::Syslog
    Net::PcapUtils
    NetPacket::Ethernet
    NetPacket::IP
    NetPacket::UDP
    NetPacket::ICMP
    Mail::Sendmail

By default netleak will be installed in /usr/local. Change the PREFIX in the
Makefile to change this.

***********************************************************************
NOTE: Net::RawIP module won't compile with gcc 3.4. Use the supplied patch
until the author fixes Net::RawIP.
***********************************************************************

Pitfalls
--------
netleak might not detect all leaks on your network. One can easily imagine
cases where this method won't be successful. Here's a list of scenarios that
netleak won't detect:

  * Gateways that block ICMP.
  * A NAT gateway somewhere on the internal network that overwrites the
    sender IP address.
  * Gateways that use network blocks outside the range you've imagined.

Where can I get help?
---------------------
Try the sourceforge page at http://sourceforge.net/projects/netleak/
A proper webpage is on its way.

Final Notes
-----------
Network Leak Finder is really simple! No, really. You can achieve the same
outcome by using hping2 like this:

on the client:

    #$ hping2 -2 -c 1 -a -e "MYSIG"

and, on the server:

    #$ hping2 -9 "MYSIG"

You can even provoke that precious ICMP Parameter Problem by using hping2's
--icmp-iphlen option!

Now you're probably asking why you should use netleak at all.
Well, netleak is automated, has log/notify stuff, will craft raw IP packets and
was fun to write! ;)

Acknowledgements
----------------
Ofir Arkin for writing the excellent paper "ICMP Usage in Scanning" which
inspired this little project!
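The check the external-side listener performs, as an added example in Python (not netleak's own Perl code): it recognises either the tagged UDP datagram itself reaching the outside, or an ICMP Parameter Problem from a gateway that quotes the tagged datagram, which is the behaviour described under "How can I use it?" and "Final Notes". The addresses, ports and packet bytes below are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

SIGNATURE = b"MYSIG"  # marker the client stamps into every probe payload

def ipv4_fields(buf):
    """Return (src, dst, protocol, header_len). Addresses sit at fixed
    offsets, so this still works if the IHL field was deliberately bogus."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    return str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[9], ihl

def classify_leak(packet):
    """None if the packet is unrelated, else a dict: 'reporter' is the address
    the packet arrived from on the external side, 'origin' the internal source
    address carried in the tagged datagram."""
    src, _dst, proto, ihl = ipv4_fields(packet)
    body = packet[ihl:]
    # Case 1: the tagged UDP datagram itself escaped (what "hping2 -9" sees).
    if proto == 17 and SIGNATURE in body[8:]:
        return {"kind": "udp", "reporter": src, "origin": src}
    # Case 2: a gateway on the leaky path rejected the crafted header and
    # replied with ICMP Parameter Problem (type 12) quoting our datagram.
    # Only works if it quoted enough of the original to include SIGNATURE.
    if proto == 1 and len(body) >= 28 and body[0] == 12:
        quoted = body[8:]
        qsrc, _, _, _ = ipv4_fields(quoted)
        if SIGNATURE in quoted:
            return {"kind": "param-problem", "reporter": src, "origin": qsrc}
    return None

def build_ipv4(src, dst, proto, payload):
    """Constructed test packet: minimal 20-byte header, checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

# Constructed samples (not real captures): internal host 10.1.2.3 probing the
# external listener 198.51.100.7, and gateway 192.0.2.9 complaining about it.
UDP_PROBE = struct.pack("!HHHH", 4000, 4000, 8 + len(SIGNATURE), 0) + SIGNATURE
SAMPLE_DIRECT = build_ipv4("10.1.2.3", "198.51.100.7", 17, UDP_PROBE)
PARAM_PROBLEM = struct.pack("!BBHB3x", 12, 0, 0, 0) + SAMPLE_DIRECT
SAMPLE_REPORT = build_ipv4("192.0.2.9", "198.51.100.7", 1, PARAM_PROBLEM)

if __name__ == "__main__":
    for pkt in (SAMPLE_DIRECT, SAMPLE_REPORT):
        print(classify_leak(pkt))
```

A gateway that quotes only the minimum of the offending datagram (IP header plus eight bytes) cuts the signature off, so the Parameter Problem case is one more scenario the Pitfalls list above does not cover.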