README

Switch Digger documentation - Russell Kroll <rkroll@exploits.org>
=================================================================

Released under the GNU GPL - See COPYING for details.

First, see INSTALL for information on how to build and install it.

This document details the configuration file's directives that apply
to your network.  It is important to understand how this thing works,
so we'll cover that first.

Purpose
=======

This program is designed to track down computers to the finest level of
information available at the moment.  Sometimes this can mean an exact
description of a port in a building anywhere in an enterprise.  Other
times this may just be a vague notion of a distant network.  The results
are only as good as the data you feed to it.

Requirements
============

You need at least the following things to do anything useful with this:

 - Routers that keep ARP tables available via SNMP, along with access
   to said routers.  In other words, if you came here looking for a way
   to annoy people who don't think you're 31337, keep on moving...

 - Switches that keep maps of MAC addresses to port numbers, again via
   SNMP.  Hubs usually don't cut it here, since they have no need to
   know where a given NIC is.

Design
======

The Switch Digger relies on the premise that today's routers and switches
are chock-full of information that very few people use.  It puts that data
to good use and cross-references what the network devices know with what
the local config file knows to arrive at the closest possible location.

First, it finds the IP address, using DNS (and optionally WINS) queries if
necessary.  The list of known networks from the config file is then
searched to see if any match the target host.  Assuming a match is found,
the router(s) for that network are then queried for the MAC address
associated with that IP address.

If the router has that IP address in the ARP cache, it will return the
last known MAC address of the system.  That is all the router can give us,
so we leave it alone at that point.  The digger then turns back to the
local configuration file and searches for switches that are part of that
network.  It asks each one in turn about their MAC to port tables,
searching the results for the MAC address from the router.

When a switch indicates a match for the MAC address, the digger then
checks the list of links for the switch in question.  If a port happens to
be one that leads to another switch, the result is suppressed unless
running in verbose mode.  After all, the switch it leads to knows better.

Finally, one of the results will be from a switch port that doesn't lead
to another switch.  This value is displayed, and the port info is sought,
again from the config file.  If anything is found, it is displayed.  If
you have populated that file with good data, it can be exactly what you
need to track a system down to a real position somewhere.

Setting it up
=============

First you need to get a list of all the networks that you want to monitor,
and the addresses of the routers that inhabit them.  You will also need
the SNMP community strings for read-only access for each.  Many routers
require you to explicitly add the IP address of the station that will be
doing the queries, so be sure you get it in there.

For each router, add a line like this to your config file:

ROUTER <network> <router/snmp ip> <SNMP community> <"description"> <routing interface IP>

For a network 192.168.3.0/24 with a router 192.168.3.1 and a read-only
community string of hackme in a high school, you might use this:

ROUTER 192.168.3.0/24 192.168.3.1 hackme "Randomville High School"

Note that Cisco IOS switches can have different SNMP community strings
for different VLANs, defined as "basepwd@VLANnumber". For example,
if the network above is in vlan 123 on a Cisco router, the definition
will look like:

ROUTER 192.168.3.0/24 192.168.3.1 hackme@123 "Randomville High School"

Up till sdig-0.43, the router IP for SNMP queries had to be the same as
the routing interface IP (within the defined network for a target host).
This was not convenient for networks secured by firewalls (i.e. only
one interface of the router can serve SNMP to your management station),
and was fixed in sdig-0.45.
NOTE: you can now also use textual host names for the "SNMP IP" as well as
for the "routing interface IP".  This allows you to use the same sdig.conf
file in various locations of your network, where the different accessible
"SNMP IP" addresses are resolved by customized /etc/hosts or DNS views.

For a network 192.168.2.0/24 with another router with the "routing
interface IP" in the target subnet being 192.168.2.1, but which
is only accessible to your station over SNMP with a different
interface, namely 192.168.1.254, you might use this:

ROUTER 192.168.2.0/24 192.168.1.254 hackme "Randomville High School" 192.168.2.1

Repeat as necessary to list everything you can.

Now you need to do the same thing, but only for the switches.  Again you
need the same information, and this time you should get a little more
specific with the location information.

SWITCH <network> <switch ip> <SNMP community> <"description">

SWITCH 192.168.3.0/24 192.168.3.10 hackme "RHS main data closet"
SWITCH 192.168.3.0/24 192.168.3.11 hackme "RHS computer lab"
SWITCH 192.168.3.0/24 192.168.3.12 hackme "RHS office"
SWITCH 192.168.3.0/24 192.168.3.253 hackme@123 "RHS cisco backbone"

You can also use textual host names for "switch ip" values.

With the ROUTER and SWITCH directives set, you can take it for a test
flight.  It won't be much to look at, but it will let you know if
everything is working.  Feed it an IP address in a configured network,
and you should see something like this:

	    Query: 192.168.3.30
	 Hostname: rhs-linux.example.edu (DNS)

	   Router: Randomville High School - 192.168.3.1
	      MAC: 0:90:27:c2:2c:e5 (INTEL CORPORATION)

	   Switch: RHS main data closet (RHS-Main) - 192.168.3.10
	     Port: 33 (RMON:10/100 Port 1 on Unit 2)

	   Switch: RHS computer lab (RHS-Lab) - 192.168.3.11
	     Port: 24 (24)

	   Switch: RHS office (RHS-Office) - 192.168.3.12
	     Port: 24 (24)

Notice that it finds the system *everywhere* since we don't have any link
data installed yet.  That's the next thing to fix.

Once you know this much works, start documenting your switch to switch
connections.  Basically, if port A on switch X connects to port B on
switch Y, you need entries like this:

LINKINFO X A "Link to switch Y"
LINKINFO Y B "Link to switch X"

This is used to keep ports which aggregate many other ports out of the
normal display.  Otherwise, you'd get a response from every switch on the
network every time you sdig something.  It gets hard to filter out the
noise by hand, so this does it for you.  Use -v to turn it back on.

For our example high school network, we'll use these links:

LINKINFO 192.168.3.10 23 "Link to computer lab switch"
LINKINFO 192.168.3.10 24 "Link to office switch"
LINKINFO 192.168.3.11 24 "Link to main switch"
LINKINFO 192.168.3.12 24 "Link to main switch"

Run it again, and it should get a lot cleaner:

	    Query: 192.168.3.30
	 Hostname: rhs-linux.example.edu (DNS)

	   Router: Randomville High School - 192.168.3.1
	      MAC: 0:90:27:c2:2c:e5 (INTEL CORPORATION)

	   Switch: RHS main data closet (RHS-Main) - 192.168.3.10
	     Port: 33 (RMON:10/100 Port 1 on Unit 2)

Much better.  Obviously the other two switches "see" this system on their
uplink ports, since it's plugged into the switch back there.  By
suppressing those ports in the findings, it's easy to see which switch
really has the system.

OK, so now let's say that RHS-LINUX really isn't in the data closet, and
we need to document the fact that it's merely plugged into a patch panel
port *in* that closet.  That's where the PORTDESC comes in.

PORTDESC 192.168.3.10 33 "Patch panel #314 - to RHS-LINUX"

In this case, it's on a 3com SuperStack switch which has 32 units per
virtual switch.  There are two physical switches here, and it's plugged
into the one with the "2" unit light illuminated.

OK, so now that we have that plugged in, let's run it one more time.

	    Query: 192.168.3.30
	 Hostname: rhs-linux.example.edu (DNS)

	   Router: Randomville High School - 192.168.3.1
	      MAC: 0:90:27:c2:2c:e5 (INTEL CORPORATION)

	   Switch: RHS main data closet (RHS-Main) - 192.168.3.10
	     Port: 33 (RMON:10/100 Port 1 on Unit 2)
	     Info: Patch panel #314 - to RHS-LINUX

That's about all you need to know to start tracking things with this
software.
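
The following is an added illustration, not code from sdig itself: a small Python model of the search order from the Design section and of the four directives above (ROUTER, SWITCH, LINKINFO, PORTDESC), with constructed ARP and MAC-to-port tables standing in for the SNMP replies.  The names parse_conf, dig, ARP and FDB are my own, and the config fragment is assembled from the README's Randomville examples.

```python
import ipaddress
import shlex

# Constructed sdig.conf fragment assembled from the README's Randomville examples.
SDIG_CONF = """
ROUTER 192.168.3.0/24 192.168.3.1 hackme "Randomville High School"
ROUTER 192.168.2.0/24 192.168.1.254 hackme "Randomville High School" 192.168.2.1
SWITCH 192.168.3.0/24 192.168.3.10 hackme "RHS main data closet"
SWITCH 192.168.3.0/24 192.168.3.11 hackme "RHS computer lab"
LINKINFO 192.168.3.10 23 "Link to computer lab switch"
LINKINFO 192.168.3.11 24 "Link to main switch"
PORTDESC 192.168.3.10 33 "Patch panel #314 - to RHS-LINUX"
"""
# Constructed stand-ins for SNMP replies: router ARP caches and switch MAC-to-port tables.
ARP = {"192.168.3.1": {"192.168.3.30": "0:90:27:c2:2c:e5"}}
FDB = {"192.168.3.10": {"0:90:27:c2:2c:e5": 33}, "192.168.3.11": {"0:90:27:c2:2c:e5": 24}}

def parse_conf(text):
    """Parse ROUTER/SWITCH/LINKINFO/PORTDESC lines; shlex keeps quoted descriptions whole."""
    cfg = {"routers": [], "switches": [], "links": set(), "ports": {}}
    for f in (shlex.split(line) for line in text.splitlines()):
        if not f or f[0].startswith("#"):
            continue
        if f[0] == "ROUTER":  # 5th field (routing interface IP) is optional since sdig-0.45
            cfg["routers"].append({"net": ipaddress.ip_network(f[1]), "snmp_ip": f[2],
                                   "community": f[3], "desc": f[4],
                                   "iface_ip": f[5] if len(f) > 5 else f[2]})
        elif f[0] == "SWITCH":
            cfg["switches"].append({"net": ipaddress.ip_network(f[1]), "ip": f[2],
                                    "community": f[3], "desc": f[4]})
        elif f[0] == "LINKINFO":
            cfg["links"].add((f[1], int(f[2])))
        elif f[0] == "PORTDESC":
            cfg["ports"][(f[1], int(f[2]))] = f[3]
    return cfg

def dig(target_ip, cfg, arp, fdb, verbose=False):
    """Follow the README's search order; return (switch ip, port, port info) hits."""
    ip = ipaddress.ip_address(target_ip)
    hits = []
    for r in (r for r in cfg["routers"] if ip in r["net"]):
        mac = arp.get(r["snmp_ip"], {}).get(target_ip)  # last known MAC, if the router cached it
        if mac is None:
            continue
        for sw in (s for s in cfg["switches"] if s["net"] == r["net"]):
            port = fdb.get(sw["ip"], {}).get(mac)
            if port is None or ((sw["ip"], port) in cfg["links"] and not verbose):
                continue  # not seen here, or an uplink: the switch beyond it knows better
            hits.append((sw["ip"], port, cfg["ports"].get((sw["ip"], port))))
    return hits
```

Without verbose the computer lab switch's uplink port 24 is dropped, exactly as the LINKINFO entries do in the second run above; with verbose=True it reappears, as with -v.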

Query forms
===========

You can run queries by IP addresses, DNS host names, or WINS host names.
DNS trumps WINS, so if you have conflicting namespaces, fix it.

Direct MAC queries
==================

If you know the MAC address of a host, you can run a query on it if you
have some idea of which network will host it.  From our above example,
looking for "0:90:27:c2:2c:e5" yields something like this:

	$ sdig -m 0:90:27:c2:2c:e5 192.168.3.1

	Searching for 0:90:27:c2:2c:e5 in network 192.168.3.1

	   Router: Randomville High School - 192.168.3.1
	      MAC: 0:90:27:c2:2c:e5 (INTEL CORPORATION)

	   Switch: RHS main data closet (RHS-Main) - 192.168.3.10
	     Port: 33 (RMON:10/100 Port 1 on Unit 2)

Here, the "query" is actually a helper to tell sdig where to look.  You
can provide a hostname of a neighboring system, since that will resolve
to an IP address which will be used for router discovery.

Since sdig-0.45 you can also query all configured switches for the specific
MAC address, by providing no host name/ip. Each source will only be checked
once (unique "switch IP x community string").
236