Identifying communicating network nodes in the same local network

US 10,440,044 B1
Filed: 09/12/2018
Issued: 10/08/2019
Est. Priority Date: 04/08/2018
Status: Active Grant

First Claim

Patent Images

1. A method for executing a computer-implemented penetration test of a networked system by a penetration testing system so as to determine a method by which an attacker could compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module installed on at least a first network node and a second network node of the networked system, the method for executing the computer-implemented penetration test comprising:

a. receiving, by the penetration testing software module and from the first network node, first information about a first data packet, the first data packet being one member of the group consisting of (i) a data packet received by the first network node from another network node sharing a common broadcast domain with the first network node, and (ii) a data packet sent by the first network node only to one or more other network nodes sharing a common broadcast domain with the first network node, wherein execution of computer code of the reconnaissance agent software module by one or more processors of the first network node causes the one or more processors of the first network node to send the first information;

b. receiving, by the penetration testing software module and from the second network node, second information about a second data packet, the second data packet being one member of the group consisting of (i) a data packet received by the second network node from another network node sharing a common broadcast domain with the second network node, and (ii) a data packet sent by the second network node only to one or more other network nodes sharing a common broadcast domain with the second network node, wherein execution of computer code of the reconnaissance agent software module by one or more processors of the second network node causes the one or more processors of the second network node to send the second information;

c. checking, by the penetration testing software module, whether the first information and the second information satisfy a matching condition;

d. in response to a determination by the checking that the first information and the second information satisfy a matching condition, carrying out the following steps;

i. concluding, by the penetration testing software module, that the first data packet and the second data packet are a same data packet, and that the first network node and the second network node share a common broadcast domain, andii. determining, by the penetration testing software module, the method by which the attacker could compromise the networked system, wherein the method by which the attacker could compromise includes a step that depends on the first network node and the second network node sharing the common broadcast domain; and

e. reporting, by the penetration testing software module, the method by which the attacker could compromise the networked system, wherein the reporting comprises at least one member of the group consisting of (i) causing a display device to display a report including information about the determined method by which the attacker could compromise the networked system, (ii) recording the report including the information about the determined method by which the attacker could compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method by which the attacker could compromise the networked system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for executing a penetration test of a networked system by a penetration testing system so as to determine a method by which an attacker could compromise the networked system, and/or for distributing common sets of data to nodes of a networked system. The methods and systems include identifying network nodes which have shared broadcast domains.

109 Citations

View as Search Results

19 Claims

1. A method for executing a computer-implemented penetration test of a networked system by a penetration testing system so as to determine a method by which an attacker could compromise the networked system, where the penetration testing system comprises (A) a penetration testing software module installed on a remote computing device and (B) a reconnaissance agent software module installed on at least a first network node and a second network node of the networked system, the method for executing the computer-implemented penetration test comprising:
- a. receiving, by the penetration testing software module and from the first network node, first information about a first data packet, the first data packet being one member of the group consisting of (i) a data packet received by the first network node from another network node sharing a common broadcast domain with the first network node, and (ii) a data packet sent by the first network node only to one or more other network nodes sharing a common broadcast domain with the first network node, wherein execution of computer code of the reconnaissance agent software module by one or more processors of the first network node causes the one or more processors of the first network node to send the first information;
  
  b. receiving, by the penetration testing software module and from the second network node, second information about a second data packet, the second data packet being one member of the group consisting of (i) a data packet received by the second network node from another network node sharing a common broadcast domain with the second network node, and (ii) a data packet sent by the second network node only to one or more other network nodes sharing a common broadcast domain with the second network node, wherein execution of computer code of the reconnaissance agent software module by one or more processors of the second network node causes the one or more processors of the second network node to send the second information;
  
  c. checking, by the penetration testing software module, whether the first information and the second information satisfy a matching condition;
  
  d. in response to a determination by the checking that the first information and the second information satisfy a matching condition, carrying out the following steps;
  
  i. concluding, by the penetration testing software module, that the first data packet and the second data packet are a same data packet, and that the first network node and the second network node share a common broadcast domain, andii. determining, by the penetration testing software module, the method by which the attacker could compromise the networked system, wherein the method by which the attacker could compromise includes a step that depends on the first network node and the second network node sharing the common broadcast domain; and
  
  e. reporting, by the penetration testing software module, the method by which the attacker could compromise the networked system, wherein the reporting comprises at least one member of the group consisting of (i) causing a display device to display a report including information about the determined method by which the attacker could compromise the networked system, (ii) recording the report including the information about the determined method by which the attacker could compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method by which the attacker could compromise the networked system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the first data packet is a member of the data packets group consisting of an Address Resolution Protocol (ARP) data packet, a Link-Local Multicast Name Resolution (LLMNR) data packet and a NetBIOS over TCP/IP Name service (NBNS) data packet.
  - 3. The method of claim 1, wherein the first data packet is an Internet Protocol (IP) data packet including an IP destination address that is an IP broadcast address.
  - 4. The method of claim 3, wherein the IP broadcast address is an IPv4 address that is an all-ones address.
  - 5. The method of claim 1, wherein the first data packet is an Internet Protocol (IP) data packet including an IP destination address that is a link-local address.
  - 6. The method of claim 5, wherein the link-local address is an IPv4 address that has a prefix of 169.254.
  - 7. The method of claim 5, wherein the link-local address is an IPv6 address that is in the address block fe80:
    - ;
      
      /10.
  - 8. The method of claim 1, wherein (i) the first information includes a first indication that indicates whether the first data packet is an inbound or an outbound data packet, (ii) the second information includes a second indication that indicates whether the second data packet is an inbound or an outbound data packet, and (iii) a necessary condition for the first information and the second information to satisfy the matching condition is that the first indication is different from the second indication.
  - 9. The method of claim 1, wherein (i) the first information includes a value of a given field in the first data packet, (ii) the second information includes a value of the given field in the second data packet, and (iii) a necessary condition for the first information and the second information to satisfy the matching condition is that the value of the given field in the first data packet equals the value of the given field in the second data packet.
  - 10. The method of claim 9, wherein the given field is a member of the group consisting of an Internet Protocol (IP) address field, a Media Access Control (MAC) address field, and a protocol type field.
  - 11. The method of claim 1, wherein (i) the first information includes respective values of multiple given fields in the first data packet, (ii) the second information includes respective values of the multiple given fields in the second data packet, and (iii) a necessary condition for the first information and the second information to satisfy the matching condition is that for each specific given field of the multiple given fields, the respective value in the first data packet equals the respective value in the second data packet.
  - 12. The method of claim 11, wherein the multiple given fields include an Internet Protocol (IP) address field and a Media Access Control (MAC) address field.
  - 13. The method of claim 1, wherein (i) the first information includes a first result of a first computation based on corresponding values of one or more given fields in the first data packet, (ii) the second information includes a second result of a second computation based on corresponding values of the one or more given fields in the second data packet, and (iii) a necessary condition for the first information and the second information to satisfy the matching condition is that the first result equals the second result.
  - 14. The method of claim 13, wherein the first computation is a computation of a hash function.
  - 15. The method of claim 13, wherein the first computation is a computation of an Exclusive OR (XOR) function.
  - 16. The method of claim 1, wherein a necessary condition for the first information and the second information to satisfy the matching condition is that an absolute value of a difference in time between the receiving of the first information and the receiving of the second information is lower than a given threshold.
  - 17. The method of claim 1, wherein a necessary condition for the first information and the second information to satisfy the matching condition is that an absolute value of a difference between a first time stamp included in the first information and a second time stamp included in the second information is lower than a given threshold.
  - 18. The method of claim 1, further comprising:
    - f. receiving, by the penetration testing software module and from the first network node, third information about a third data packet of the first network node, the third data packet being one member of the group consisting of (i) a data packet received by the first network node from another network node sharing a common broadcast domain with the first network node, and (ii) a data packet sent by the first network node only to one or more other network nodes sharing a common broadcast domain with the first network node, wherein execution of computer code of the reconnaissance agent software module by the one or more processors of the first network node causes the one or more processors of the first network node to send the third information;
      
      g. receiving, by the penetration testing software module and from the second network node, fourth information about a fourth data packet of the second network node, the fourth data packet being one member of the group consisting of (i) a data packet received by the second network node from another network node sharing a common broadcast domain with the second network node, and (ii) a data packet sent by the second network node only to one or more other network nodes sharing a common broadcast domain with the second network node, wherein execution of computer code of the reconnaissance agent software module by the one or more processors of the second network node causes the one or more processors of the second network node to send the second information;
      
      h. further checking, by the penetration testing software module, whether the third information and the fourth information satisfy the matching condition,wherein the concluding is performed in response to occurrence of both (A) a determination by the checking that the first information and the second information satisfy the matching condition and (B) a determination by the further checking that the third information and the fourth information satisfy the matching condition.

19. A system for executing a computer-implemented penetration test of a networked system so as to determine a method by which an attacker could compromise the networked system, the networked system comprising a plurality of network nodes interconnected by one or more networks, the system for executing the computer-implemented penetration test comprising:
- a. a first reconnaissance-agent non-transitory computer-readable storage medium for storage of instructions for execution by one or more processors of a first network node, the first network node being in electronic communication with a remote computing device, the first reconnaissance-agent non-transitory computer-readable storage medium having stored therein first instructions, that when executed by the one or more processors of the first network node, cause the one or more processors of the first network node to send, to the remote computing device, first information about a first data packet, the first data packet being one member of the group consisting of (i) a data packet received by the first network node from another network node sharing a common broadcast domain with the first network node, and (ii) a data packet sent by the first network node only to one or more other network nodes sharing a common broadcast domain with the first network node;
  
  b. a second reconnaissance-agent non-transitory computer-readable storage medium for storage of instructions for execution by one or more processors of a second network node, the second network node being in electronic communication with the remote computing device, the second reconnaissance-agent non-transitory computer-readable storage medium having stored therein second instructions, that when executed by the one or more processors of the second network node, cause the one or more processors of the second network node to send, to the remote computing device, second information about a second data packet, the second data packet being one member of the group consisting of (i) a data packet received by the second network node from another network node sharing a common broadcast domain with the second network node, and (ii) a data packet sent by the second network node only to one or more other network nodes sharing a common broadcast domain with the second network node;
  
  c. a penetration-testing non-transitory computer-readable storage medium for storage of instructions for execution by one or more processors of the remote computing device, the penetration-testing non-transitory computer-readable storage medium having stored therein;
  
  i. third instructions, that when executed by the one or more processors of the remote computing device, cause the one or more processors of the remote computing device to receive, from the first network node, the first information sent by the first network node,ii. fourth instructions, that when executed by the one or more processors of the remote computing device, cause the one or more processors of the remote computing device to receive, from the second network node, the second information sent by the second network node,iii. fifth instructions, that when executed by the one or more processors of the remote computing device, cause the one or more processors of the remote computing device to check whether the first information and the second information satisfy a matching condition,iv. sixth instructions, that when executed by the one or more processors of the remote computing device, cause the one or more processors of the remote computing device to carry out the following steps in response to a determination made by executing the fifth instructions that the first information and the second information satisfy a matching condition;
  
  A. concluding that the first data packet and the second data packet are a same data packet, and that the first network node and the second network node share a common broadcast domain, andB. determining the method by which the attacker could compromise the networked system, wherein the method by which the attacker could compromise includes a step that depends on the first network node and the second network node sharing the common broadcast domain, andv. seventh instructions, that when executed by the one or more processors of the remote computing device, cause the one or more processors of the remote computing device to report the determined method by which the attacker could compromise the networked system, wherein the reporting comprises at least one member of the group consisting of (i) causing a display device to display a report including information about the determined method by which the attacker could compromise the networked system, (ii) recording the report including the information about the determined method by which the attacker could compromise the networked system in a file, and (iii) electronically transmitting the report including the information about the determined method by which the attacker could compromise the networked system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Original Assignee
XM Cyber Ltd. (Schwarz Unternehmenskommunikation GmbH & Co. KG)
Inventors
Zini, Shahar, Lasser, Menahem
Primary Examiner(s)
Harris, Christopher C

Application Number

US16/128,718
Publication Number

US 20190312903A1
Time in Patent Office

391 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 61/103   across network layers, e.g....

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

H04L 67/10   in which an application is ...

Identifying communicating network nodes in the same local network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Identifying communicating network nodes in the same local network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others