Network Vizualisation With SinFP3 And Ubigraph

One of the module shipping with SinFP3 uses Ubigraph to display results in 3D. That’s not the 3D with red and blue glasses, it’s the classic 3D (or 3D CGI).

Output::Ubigraph plugin is a bit different than other plugins shipping with SinFP3: you cannot use it directly as an output module. You have to go through an intermediate step before being able to display the network vizualisation.

The problem comes from Ubigraph that attributes an ID to every created node. To create an edge between two nodes, you have to know their respective node IDs. But SinFP3 is stateless (as of now). Each fingerprinted target runs in a specific process, and if you render it in Ubigraph, you will not be able to create an edge with another fingerprinted target by lack of knowing the other node ID.

A solution I once came up with was to create a convertion routine from an IP/port address to an ID. But Ubigraph does not allow the end-user to access the full 32-bits range of IDs, and even so, you only addressed the IPv4 range (IPv6 would require potentially much more IDs). So, I decided to create an output module to perform an intermediate step: Output::CSV. From that, you can use this CSV file to feed the final Output::Ubigraph module. The following describes how to proceed.

Scan your target

As root. Default CSV file will be named sinfp3-output.csv in current directory. To give it a different name, you can use -csv-file FILENAME.

# -target -port top10 -output-csv -verbose 1

Read CSV file and output to Ubigraph

You have to turn off every other modules, thus you use *-null plugin arguments.

$ cd ~/tools/UbiGraph-alpha-0.2.4-Linux32-Fedora-9
$ ./bin/ubigraph_server &

$ -input-null -mode-null -search-null -db-null -output-ubigraph
   -csv-file sinfp3-output.csv

Another possible option is to save the fingerprinting output to pcap files. It’s easy with SinFP3:

# -target -port top10 -output-pcap -verbose 1

Then, you can launch again the fingerprinting process by using the captured files, and save output as a CSV file:

$ -input-pcap -pcap-file 'sinfp4-*.pcap' -output-csv -csv-file pcap2csv.csv

And now, some screenshots

Each color corresponds to an operating system.

  • Yellow for MacOS
  • Violet for SunOS
  • Green for Linux (ecology?)
  • Red for BSD systems (because red is evil)
  • Blue for Windows (like the blue screen of death)

What is important to note, and that’s a real advantage of SinFP3 versus Nmap, each open port is fingerprinted. Thus, each open port on a target may have a different operating system (or color) displayed. This example spoke about IPv4, but you can do exactly the same with IPv6.

Leave a Reply

Your email address will not be published. Required fields are marked *