netifera guide

Setup

Download the Netifera zip file from the web site and uncompress it in some directory. It should create a netifera/ directory. In both Linux and Mac OS X you will need to run backdoor_install.sh as root:

	cd netifera
	sudo ./backdoor_install.sh

This will create a suid root file named 'backdoor', which is necessary for sniffing. If you don't do this, Netifera won't be able to sniff. Note that if the file system is mounted nosuid (for example, /tmp and /home in some distributions), it won't work.

A detailed description of how the backdoor works and why it is necessary is available in our blog.

Now you can start the application by running the netifera executable file:

	./netifera

Notes

If you have created workspaces with old or beta versions of netifera, remove the .netifera folder from your home directory.

On 64-bit Linux systems, install the ia32-libs package. If you run netifera and the 32-bit libraries are not installed, the following error is displayed:

	bash: ./netifera: No such file or directory

User Interface Concepts

Entity

An entity is an object of a particular type of information that has been collected. Entities appear in the user interface with an icon and a text label that describes the entity.

Workspace

The Workspace is an instance of the database where entities are stored. A workspace can be very large and contain thousands of entities. One of the primary goals of Netifera is to be able to handle large amounts of network information.

New workspaces can be created with the 'New Workspace' toolbar button and previously created workspaces can be opened with the 'Open Workspace' button.

Spaces

To manage the complexity and allow the user to organize the information they are collecting, the information in a workspace is divided into spaces. A Space contains a subset of the information in the entire Workspace. Spaces help to avoid information cluttering, allowing the user to divide his work into smaller pieces. A space in the user interface is conceptually similar to a tab in a tabbed web browser. A new empty space can be opened with Control-T (Command-T on OS X) or the 'New Space' toolbar button.

Input Bar

The input bar is used to manually add new entities to a space. Simply enter a description of the entity into the input bar and press enter or the add button. The new entity will appear in the current foreground space.

The input bar understands input in the following formats:

  • Hosts by IP address: 192.168.0.1
  • Netblocks in CIDR notation: 192.168.0.0/24
  • HTTP URLs: http://yahoo.com/
  • Email addresses: john@yahoo.com
  • Host names: www.yahoo.com
  • Domains: .yahoo.com

Perspectives

A perspective is a configuration of the UI for a particular task. Selecting a new perspective will change both the layout of the UI windows and the set of menu and toolbar actions that are available.

Currently netifera has two different perspectives:

  • Tools Perspective (for launching tools against entities)
  • Sniffing Perspective (for passively gathering information from the network)

You can switch to another perspective via the menu Window -> Open Perspective -> Other, or with the set of buttons on the right side of the main toolbar.

Action Hover

To run an action against an entity, move the mouse pointer over the name of any entity in the current space and in a moment a special hover dialog will appear with some information about the selected entity as well as a list of actions that are available to launch. Different entities will have different actions that can be launched against them. For example, the action hover for a host will include actions to port scan the host and the action hover for a domain will include actions to discover the name and mail servers for the domain. Pressing the space bar will also show the actions for the selected entity.

Tasks View

The Tasks View contains information about the actions that have been launched in the current Space. When an action is launched on an entity a new task will appear in this view. The progress of the task will be displayed as well as information which has been produced by the task.

Tags

Entities can be tagged with arbitrary tags. This, together with other information, is shown in the entity hover. For each tag in a Space, Netifera creates a virtual folder that contains all entities in the Space that have this tag. Entities can have more than one tag, so an entity can be contained in more than one folder.

Entering entities and running tools

When you start netifera for the first time, a new Workspace will be created with a new empty Space. Now, in order to be able to run tools, you need to add entities to the Space.

In the input bar you can enter IP addresses (192.168.1.1), netblocks (192.168.1.0/24), URLs (http://yahoo.com), email addresses (john@yahoo.com), hosts by name (www.yahoo.com), domains (.yahoo.com), etc.

Once you have entered new entities through the Input Bar, they will appear in the currently active Space. Then, you can select an entity in the Space and after a moment a Hover will appear showing the Actions available for that entity.

Try entering some netblock, for example 172.16.42.0/24. Then select the entity to get the hover, and start running actions on it.

Sniffing Service

After switching to the sniffing perspective, the toolbar will change and display actions for using the sniffing service. The sniffing service can be used to either capture live traffic from one or more network interfaces, or it can be used to parse a pcap format capture file.

Configuring the Sniffing Service

The "Configure Sniffing Service" toolbar button will open a dialog which can be used to configure the sniffing service before launching it. In this dialog you can select the interfaces you would like to sniff on during a live capture as well as enable and disable individual sniffing modules. The set of enabled modules that you select will be applied to both a live capture and a pcap capture file that you choose to open.

Backdoor

What is backdoor?

On Linux and OS X, root privileges are required to capture packets from the network. To avoid the inconvenience of running netifera as root, we have created a small native binary called backdoor which opens network interfaces for packet capture. If this binary is installed with suid root file ownership and permissions (i.e. chown root backdoor; chmod 4755 backdoor), netifera will use it to open network devices for sniffing.

How does it work?

When netifera needs to open a privileged descriptor it creates a pair of unix domain sockets with socketpair() and executes the backdoor binary with one side of the socket pair bound to a known file descriptor value (0). The backdoor binary creates the requested descriptor, and passes it back to netifera using a unix feature for passing file descriptors between processes over a socket. The backdoor binary accepts a command line argument of a single integer.

On Linux this value can be either 0 or 1 and is interpreted as follows:

  • 0 - create socket with
    socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL))
  • 1 - create socket with
    socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))

On OS X only the value 0 is currently recognized:

  • 0 - Open a BPF capture device from /dev/bpf[0-9]