https://github.com/stanford-esrg/lzr

LZR quickly detects and fingerprints unexpected services running on unexpected ports.
go golang internet-wide-scanning ipv4 network port-scan port-scanner port-scanning scanning security security-tools zgrab zmap

LZR
=========

LZR quickly detects and fingerprints unexpected services running on unexpected ports by working with [ZMap](https://github.com/zmap/zmap). LZR can detect up to 18 unique protocols simultaneously with just two extra packets and can fingerprint over 35 different protocols.

To learn more about LZR's system and performance, check out the original [paper](https://lizizhikevich.github.io/assets/papers/lzr.pdf) appearing at [USENIX Security '21](https://www.usenix.org/conference/usenixsecurity21). To use LZR to fingerprint services across all 65K ports, check out [GPS](https://github.com/stanford-esrg/gps).

## Building

Install and set up [ZMap](https://github.com/zmap/zmap). If also performing full L7 handshakes, set up [ZGrab](https://github.com/zmap/zgrab2).

Set up `$GOPATH` (see https://golang.org/doc/code.html).
```
$ go get github.com/stanford-esrg/lzr
$ cd $GOPATH/src/github.com/stanford-esrg/lzr
```

LZR intercepts connections which ZMap opens. ZMap sends its SYNs from a raw socket, so when a SYN-ACK comes back the kernel owns no socket for it and would normally answer with a RST, tearing the connection down before LZR can finish the handshake and send its probe. LZR therefore requires a source IP for which the kernel's own outgoing RSTs are dropped. The chosen source IP, which both ZMap and LZR will use, is passed as a parameter to make so that the appropriate iptables rule can be set (`256.256.256.256/32` below is a placeholder; substitute the address you will scan from):
```
$ make all source-ip=256.256.256.256/32
```
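A preflight check for that rule, written here as an added example in Go (it is not part of LZR). It assumes the rule takes the standard `-A OUTPUT -s <source-ip> -p tcp --tcp-flags RST RST -j DROP` form that ZMap's documentation recommends for tools that complete handshakes outside the kernel; that LZR's make target installs exactly this form is an assumption. It parses the output of `iptables -S OUTPUT` and confirms a DROP rule for outgoing RSTs from the scanning address is present before a scan is started. The sample chain dump is constructed.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
)

// Constructed sample of `iptables -S OUTPUT` output (not taken from a real host).
// iptables prints the source as a /32 CIDR and inserts `-m tcp` before --tcp-flags.
const sampleOutputChain = `-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 203.0.113.7/32 -p tcp -m tcp --tcp-flags RST RST -j DROP`

// hasSeq reports whether want appears as a contiguous run inside fields.
func hasSeq(fields []string, want ...string) bool {
	for i := 0; i+len(want) <= len(fields); i++ {
		match := true
		for j := range want {
			if fields[i+j] != want[j] {
				match = false
				break
			}
		}
		if match {
			return true
		}
	}
	return false
}

// hasRSTDrop scans an `iptables -S OUTPUT` dump for a rule that drops every
// outgoing TCP segment with the RST flag set whose source is sourceIP. Without
// such a rule the kernel, which owns no socket for ZMap's raw-socket SYNs,
// answers each SYN-ACK with a RST and the connection dies before LZR can
// complete the handshake and send its probe.
func hasRSTDrop(dump, sourceIP string) bool {
	if !strings.Contains(sourceIP, "/") {
		sourceIP += "/32" // iptables -S always prints a prefix length
	}
	for _, line := range strings.Split(dump, "\n") {
		f := strings.Fields(line)
		if !hasSeq(f, "-A", "OUTPUT") {
			continue // policies and other chains are irrelevant here
		}
		if hasSeq(f, "-s", sourceIP) &&
			hasSeq(f, "-p", "tcp") &&
			hasSeq(f, "--tcp-flags", "RST", "RST") &&
			hasSeq(f, "-j", "DROP") {
			return true
		}
	}
	return false
}

// Usage: sudo iptables -S OUTPUT | go run preflight.go 203.0.113.7
// With no argument the constructed sample above is checked instead.
func main() {
	dump, sourceIP := sampleOutputChain, "203.0.113.7"
	if len(os.Args) > 1 {
		sourceIP = os.Args[1]
		b, err := io.ReadAll(os.Stdin)
		if err != nil {
			fmt.Fprintln(os.Stderr, "read stdin:", err)
			os.Exit(2)
		}
		dump = string(b)
	}
	if hasRSTDrop(dump, sourceIP) {
		fmt.Printf("ok: kernel RSTs from %s are dropped\n", sourceIP)
		return
	}
	fmt.Printf("missing: no OUTPUT rule drops RSTs from %s; run make with source-ip=%s/32 first\n",
		sourceIP, strings.TrimSuffix(sourceIP, "/32"))
	os.Exit(1)
}
```

The check matches on tokens rather than the whole line because `iptables -S` normalises rules (it adds `-m tcp` and a `/32`), so a byte-for-byte comparison against the command you typed would fail even when the rule is in place.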

## Usage

To fingerprint unexpected services on a random port (9002), have ZMap report each host's first SYN-ACK only (`success = 1 && repeat = 0`) together with the TCP fields LZR needs to take over the half-open connection, and pipe that into LZR. `$SOURCE_IP` holds the same address that was passed to make above:

```
sudo zmap --target-port=9002 --output-filter="success = 1 && repeat = 0" \
-f "saddr,daddr,sport,dport,seqnum,acknum,window" -O json --source-ip=$SOURCE_IP | \
sudo ./lzr --handshakes http,tls
```

To complete full L7 handshakes of unexpected services on a random port (9002), substitute ``port=x`` in ``etc/all.ini`` with ``port=9002`` and run the following command, which has LZR pass the identified services on to ZGrab:

```
sudo zmap --target-port=9002 --output-filter="success = 1 && repeat = 0" \
-f "saddr,daddr,sport,dport,seqnum,acknum,window" -O json --source-ip=$SOURCE_IP | \
sudo ./lzr --handshakes wait,http,tls -feedZGrab | \
zgrab multiple -c etc/all.ini
```
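What LZR receives on stdin from either pipeline is one JSON record per SYN-ACK carrying exactly the fields selected with `-f`. The following is an added example in Go, not LZR's own code: it parses those records, derives the ACK that completes the handshake ZMap left half-open (the same sequence numbers any following probe must carry), and classifies the first bytes a service sends back with a few illustrative prefix rules. The sample records and responses are constructed, the field names follow the `-f` list above, and the classifier is a small stand-in for LZR's 35-protocol fingerprinting rather than a copy of it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// zmapRecord holds the fields ZMap emits for
// -f "saddr,daddr,sport,dport,seqnum,acknum,window" -O json. Because of the
// "success = 1 && repeat = 0" filter, each line is the first SYN-ACK seen from a host.
type zmapRecord struct {
	SAddr  string `json:"saddr"`  // responding host (the target)
	DAddr  string `json:"daddr"`  // scanner address, i.e. --source-ip
	SPort  uint16 `json:"sport"`  // target port (9002 in the commands above)
	DPort  uint16 `json:"dport"`  // source port ZMap chose for this probe
	SeqNum uint32 `json:"seqnum"` // target's initial sequence number
	AckNum uint32 `json:"acknum"` // target's ack = scanner's ISN + 1
	Window uint16 `json:"window"` // target's advertised receive window
}

// ackPacket is the third handshake packet. It must leave from the exact
// address/port ZMap used, or the target will not tie it to the earlier SYN.
type ackPacket struct {
	SrcIP, DstIP     string
	SrcPort, DstPort uint16
	Seq, Ack         uint32
}

// completeHandshake derives the ACK from the SYN-ACK record. The SYN consumed
// one sequence number, so Ack is SeqNum+1, wrapping modulo 2^32 as TCP requires.
func completeHandshake(r zmapRecord) ackPacket {
	return ackPacket{
		SrcIP: r.DAddr, SrcPort: r.DPort,
		DstIP: r.SAddr, DstPort: r.SPort,
		Seq: r.AckNum,
		Ack: r.SeqNum + 1,
	}
}

func parseZMapLine(line string) (zmapRecord, error) {
	var r zmapRecord
	err := json.Unmarshal([]byte(line), &r)
	return r, err
}

// fingerprint classifies the first bytes a service returns. These prefix
// rules are illustrative only; LZR's real fingerprinter covers far more protocols.
func fingerprint(resp []byte) string {
	switch {
	case len(resp) == 0:
		return "no-data"
	case bytes.HasPrefix(resp, []byte("HTTP/")):
		return "http"
	case len(resp) >= 3 && (resp[0] == 0x16 || resp[0] == 0x15) && resp[1] == 0x03 && resp[2] <= 0x04:
		return "tls" // handshake or alert record with a 3.x record version
	case bytes.HasPrefix(resp, []byte("SSH-")):
		return "ssh"
	case bytes.HasPrefix(resp, []byte("220 ")) || bytes.HasPrefix(resp, []byte("220-")):
		return "smtp-or-ftp-banner"
	default:
		return "unknown"
	}
}

// Constructed stand-in for ZMap's stdout (addresses from RFC 5737 documentation ranges).
const sampleZMapOutput = `{"saddr":"198.51.100.23","daddr":"203.0.113.7","sport":9002,"dport":42133,"seqnum":1777777777,"acknum":2009000001,"window":29200}
{"saddr":"198.51.100.77","daddr":"203.0.113.7","sport":9002,"dport":42134,"seqnum":4294967295,"acknum":310,"window":65535}`

func main() {
	for _, line := range strings.Split(sampleZMapOutput, "\n") {
		r, err := parseZMapLine(line)
		if err != nil {
			fmt.Println("skipping malformed record:", err)
			continue
		}
		p := completeHandshake(r)
		fmt.Printf("ACK %s:%d -> %s:%d seq=%d ack=%d\n",
			p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, p.Seq, p.Ack)
	}
	// Constructed responses a probed port might return after an HTTP or TLS probe.
	for _, resp := range [][]byte{
		[]byte("HTTP/1.1 400 Bad Request\r\n"),
		{0x16, 0x03, 0x03, 0x00, 0x5a},
		[]byte("SSH-2.0-OpenSSH_8.9\r\n"),
	} {
		fmt.Println(fingerprint(resp))
	}
}
```

The second sample record has a sequence number of 2^32-1, which is the edge case worth checking: the ACK number must wrap to 0 rather than overflow, which the uint32 arithmetic handles for free.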

To scan a custom list of IP:Port pairs (that is, using LZR rather than ZMap to open connections), LZR sends the SYNs itself and so needs the source IP, the gateway MAC and a send rate:

```
sudo ./lzr --handshakes http -sendSYNs -sourceIP $SOURCE_IP -gatewayMac $gateway -rate $PACKETS_PER_SECOND
```