SlideShare una empresa de Scribd logo

44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw

44CON
44CON

44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw CANAPE is an open source network proxy written in .NET. It has been developed to aid in the analysis and exploitation of unknown application network protocols using a similar use case to common HTTP proxies such as Burp or CAT. This workshop will go through the basics of analysing an unknown application protocol with hands on training examples. By the end of the workshop candidates should be able to better understand CANAPE’s functionality and be able to apply that to other protocols they come across.

Tecnología
1 de 50
Descargar para leer sin conexión
Binary Protocol Analysis with CANAPE James Forshaw
Schedule 1.What is CANAPE? 2.Say Hello to SuperFunkyChat 3.Proxying and Capturing Traffic 4.NetGraphs 5.Modelling State Transitions 6.Removing SSL/Layers 7.Traffic Manipulation and Replay 8.Developing Network Clients 9.Wrap Up https://www.github.com/tyranid/44con_2014
Playing Along at Home •Pre-built binaries available at: •https://www.github.com/tyranid/44con_2014 •Example projects and slides will come later ASK QUESTIONS https://www.github.com/tyranid/44con_2014
What is CANAPE? •Arbitrary Network Protocol Capture Tool •Specifically designed for Binary Protocols •Windows focused (some Mono support) •Open source, GPLv3, written in C# •https://www.github.com/ctxis/canape https://www.github.com/tyranid/44con_2014
What Makes CANAPE Different? •Number of tools to generate or fuzz network traffic •Scapy, Peach, Sulleyetc. •Takes Web Application Testing Paradigm and applies to arbitrary protocols •GUI •Easy packet manipulation •Quick feedback https://www.github.com/tyranid/44con_2014
Workshop 0: Quick Tour of CANAPE https://www.github.com/tyranid/44con_2014
Say Hello to Super Funky Chat!!11! https://www.github.com/tyranid/44con_2014
SuperFunkyChat •Simple Windows IM Application •Written originally as a CTF and CANAPE tutorial •Uses a binary protocol •Supports SOCKS •Has a few “Undocumented” features •Sourcecodeavailable at https://www.github.com/tyranid/SuperFunkyChat •Don’t use as a real IM system  https://www.github.com/tyranid/44con_2014
Workshop 1: Quick Tour of SuperFunkyChat https://www.github.com/tyranid/44con_2014
Proxying and Capturing Traffic •CANAPE Supports Many Ways of Proxying Traffic: •TCP/UDP Port Forwarding •SOCKS v4/v5 Proxy •HTTP Forward and Reverse Proxies •Can develop your own extensions to support other types of networks (NamedPipes, COM ports) •Also supports Servers and Clients https://www.github.com/tyranid/44con_2014
Identifying Suitable Traffic •Need to work out what traffic to capture •Reverse Engineering •Wireshark/PCAP https://www.github.com/tyranid/44con_2014
Forcing Traffic Through CANAPE •CANAPE works at Application Level (TCP/UDP) not network •Traffic from Application needs to go through CANAPE •Proxy support •DNS redirecting •DNAT •SOCKSifyingtools (Proxifierfor example) https://www.github.com/tyranid/44con_2014
Services •CANAPE insolates your project into a set of services. •You define a template for your service: •Data flow •State model •Dynamic content •When a new connection is made an Instance is instantiated based on the template https://www.github.com/tyranid/44con_2014
Workshop 2: Capturing SuperFunkyChat https://www.github.com/tyranid/44con_2014
NetGraphs https://www.github.com/tyranid/44con_2014
NetGraphs •NetGraphsused to mode data flow and state •Specified as a directed graph •Standard graph nodes available •Can implement custom nodes in C#/IronPython https://www.github.com/tyranid/44con_2014
Specifying a NetGraph Select Default Graph https://www.github.com/tyranid/44con_2014
Netgraphin Service Context Client Application Server Application https://www.github.com/tyranid/44con_2014
Some Standard Nodes Name Description LogNode Logspackets as they traverse the node Decision Node Performs an IF condition on packets Switch Node Selecton output based on state Edit Node Displaysa dialog to allow manual packet editing Dynamic Node Scripted content Layer Section Graphcontainer and layer processing https://www.github.com/tyranid/44con_2014
Graph User Interface •Create a new graph by right clicking project explorer •Left Click to Select and Drag Nodes •Right Click to Add Nodes •Hold and Drag Middle Button to Add Edges •Can also hold left Control and use Left button •Nodes can be disabled from right click menu https://www.github.com/tyranid/44con_2014
Node Properties https://www.github.com/tyranid/44con_2014
Node Filters •Each node has a Filters property •Defines match rules for what packets the node will process https://www.github.com/tyranid/44con_2014
Workshop 3: Playing with Netgraphs https://www.github.com/tyranid/44con_2014
Traffic Analysis https://www.github.com/tyranid/44con_2014
Packet Logging •Only packets which traverse a log node in a graph end up being logged (well unless you do it manually) •Affected by node filters •Can specify a number of properties: •Colour •Logged Name https://www.github.com/tyranid/44con_2014
Workshop 4: Packet Logging Interface https://www.github.com/tyranid/44con_2014
Packet Tools •Analysis of traffic means looking at binary data •Many different tasks: •Comparing packets and sequences of packets •Importing and exporting data •Searching https://www.github.com/tyranid/44con_2014
Workshop 5: Packet Tools https://www.github.com/tyranid/44con_2014
Parsing Traffic •CANAPE’s data pipeline can be scripted using C# or Python •Not necessarily easy thing to do •Parser editor to the rescue https://www.github.com/tyranid/44con_2014
Parser Editor https://www.github.com/tyranid/44con_2014
Parser Editor •Build protocol structure in GUI •Defines 3 types: •Sequences •Enumerations •Parsers •Supports complex expressions, TLV, sub-sequences etc. •Compiles to C# parser script, can be exported and tweaked https://www.github.com/tyranid/44con_2014
Parsed Packet Format Root Key (/) Key A Value Y Key B Value X SelectionPath= /A/Y •Nodes and filtessupport a Selection Path •Uses an XPATH syntax to determine selection https://www.github.com/tyranid/44con_2014
SuperFunkyChatPacket Structure Length (4 bytes) Checksum (4 bytes) Data (Length bytes) Command (1 byte) Command Specific Data (Length-1 bytes) https://www.github.com/tyranid/44con_2014
Workshop 6: Parser Development https://www.github.com/tyranid/44con_2014
Removing TLS/Layers •One of the most common security protocols is TLS/SSL •CANAPE doesn’t assume it knows better than you whether a connection is TLS or not •Can wrap and decrypt entire connection https://www.github.com/tyranid/44con_2014
Workshop 7: Remove TLS Encryption https://www.github.com/tyranid/44con_2014
State Modelling https://www.github.com/tyranid/44con_2014
State Modelling •Most protocols aren’t simple streams of data •Need to deal with State •Main way of handling this in CANAPE is through the netgraphs •Also simpler interface using state graphs https://www.github.com/tyranid/44con_2014
Meta Data Storage Service 1 Instance Local Meta Service 1 Instance Global Meta Local Meta Service 2 Instance Local Meta Project Meta https://www.github.com/tyranid/44con_2014
Accessing Meta Data Storage •Local (Graph.Meta) •Global (Graph.GlobalMeta) •Project (CANAPEProject.CurrentProject.GlobalMeta) •Layers (this.Meta/this.GlobalMeta) https://www.github.com/tyranid/44con_2014
MetaSelection •Already seen XPATH SelectionPath •Filters can also select on MetaData •Examples: •#MetaName–Select the local meta value •$MetaName–Select the global meta value https://www.github.com/tyranid/44con_2014
Workshop 8: Developing XOR Decryption https://www.github.com/tyranid/44con_2014
Traffic Manipulation and Replay https://www.github.com/tyranid/44con_2014
Dealing with Checksums •Up to now we’ve only looked at packets, never changed and replayed them •Something prevents us doing this, the checksum •Could write a script to fix up checksum after modification •Parser editor also gives some basic functions to do this for us https://www.github.com/tyranid/44con_2014
Expressions •Parser editor supports a python-like syntax expression evaluator •Combine with calculated values to recalculate checksum •Can even use python snippets: DoChecksum.RunMe(Command, bytes(Payload)) https://www.github.com/tyranid/44con_2014
Workshop 9: Packet Replay and Injection https://www.github.com/tyranid/44con_2014
Developing Network Clients https://www.github.com/tyranid/44con_2014
Network Clients •CANAPE supports developing network clients •Designed to allow reuse of work developed through MitM(graphs/scripts) to be reused with the minimal of effort •Can be used for fuzzing or other automated tasks. https://www.github.com/tyranid/44con_2014
Workshop 10: Command Fuzzer https://www.github.com/tyranid/44con_2014
Wrap Up https://www.github.com/tyranid/44con_2014

Recomendados

DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)
Faisal Jatt
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
APNIC
 
Syslog Protocols
Syslog ProtocolsSyslog Protocols
Syslog Protocols
Martin Schütte
 
Basic Kong API Gateway
Basic Kong API GatewayBasic Kong API Gateway
Basic Kong API Gateway
SukoomPornsuksiri1
 
Nilesh Bosamiya Resume (CCNP R&S)
Nilesh Bosamiya Resume (CCNP R&S)Nilesh Bosamiya Resume (CCNP R&S)
Nilesh Bosamiya Resume (CCNP R&S)
nilesh bosmiya
 
Introduction to WebRTC
Introduction to WebRTCIntroduction to WebRTC
Introduction to WebRTC
Art Matsak
 
Voice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPVoice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIP
GLC Networks
 
Internet Society and Internet Engineering task Force.
Internet Society and Internet Engineering task Force.Internet Society and Internet Engineering task Force.
Internet Society and Internet Engineering task Force.
Bhanwar Singh Meena
 

Recomendados

DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)DHCP (Dynamic Host Configuration Protocol)
DHCP (Dynamic Host Configuration Protocol)
Faisal Jatt
 
IRR Tutorial and RPKI Demo
IRR Tutorial and RPKI DemoIRR Tutorial and RPKI Demo
IRR Tutorial and RPKI Demo
APNIC
 
Syslog Protocols
Syslog ProtocolsSyslog Protocols
Syslog Protocols
Martin Schütte
 
Basic Kong API Gateway
Basic Kong API GatewayBasic Kong API Gateway
Basic Kong API Gateway
SukoomPornsuksiri1
 
Nilesh Bosamiya Resume (CCNP R&S)
Nilesh Bosamiya Resume (CCNP R&S)Nilesh Bosamiya Resume (CCNP R&S)
Nilesh Bosamiya Resume (CCNP R&S)
nilesh bosmiya
 
Introduction to WebRTC
Introduction to WebRTCIntroduction to WebRTC
Introduction to WebRTC
Art Matsak
 
Voice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIPVoice Services, From Circuit Switch to VoIP
Voice Services, From Circuit Switch to VoIP
GLC Networks
 
Internet Society and Internet Engineering task Force.
Internet Society and Internet Engineering task Force.Internet Society and Internet Engineering task Force.
Internet Society and Internet Engineering task Force.
Bhanwar Singh Meena
 
CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06
Irsandi Hasan
 
CCNA Product Overview.pptx
CCNA Product Overview.pptxCCNA Product Overview.pptx
CCNA Product Overview.pptx
KISHOYIANKISH
 
Node.js Event Loop & EventEmitter
Node.js Event Loop & EventEmitterNode.js Event Loop & EventEmitter
Node.js Event Loop & EventEmitter
Simen Li
 
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
FIWARE
 
CCNA v6.0 ITN - Chapter 03
CCNA v6.0 ITN - Chapter 03CCNA v6.0 ITN - Chapter 03
CCNA v6.0 ITN - Chapter 03
Irsandi Hasan
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik Hotspot
GLC Networks
 
Fortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdfFortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdf
AlonzoJames2
 
Ccnp workbook network bulls
Ccnp workbook network bullsCcnp workbook network bulls
Ccnp workbook network bulls
Swapnil Kapate
 
JUNOS EX-Switching
JUNOS EX-SwitchingJUNOS EX-Switching
JUNOS EX-Switching
Zenith Networks
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTING
anilinvns
 
192.0.0.4 on android
192.0.0.4 on android192.0.0.4 on android
192.0.0.4 on android
@ otsuka752
 
Bandwidth control approach - Cisco vs Mikrotik on Multitenancy
Bandwidth control approach - Cisco vs Mikrotik on MultitenancyBandwidth control approach - Cisco vs Mikrotik on Multitenancy
Bandwidth control approach - Cisco vs Mikrotik on Multitenancy
Olaf Reitmaier Veracierta
 
OFI libfabric Tutorial
OFI libfabric TutorialOFI libfabric Tutorial
OFI libfabric Tutorial
dgoodell
 
Training Week: Introduction to Neo4j Bloom
Training Week: Introduction to Neo4j BloomTraining Week: Introduction to Neo4j Bloom
Training Week: Introduction to Neo4j Bloom
Neo4j
 
Chapter03
Chapter03Chapter03
Chapter03
Muhammad Ahad
 
Network design
Network designNetwork design
Network design
Amir Jafari
 
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09
Irsandi Hasan
 
CCNA 3 - Troubleshooting the network
CCNA 3 - Troubleshooting the networkCCNA 3 - Troubleshooting the network
CCNA 3 - Troubleshooting the network
Muhd Mu'izuddin
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Nullbyte Security Conference
 
Protocolo IPv6 básico versión 2.0
Protocolo IPv6 básico versión 2.0Protocolo IPv6 básico versión 2.0
Protocolo IPv6 básico versión 2.0
Educática
 
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
44CON
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish code
jduart
 

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06
 
CCNA Product Overview.pptx
CCNA Product Overview.pptxCCNA Product Overview.pptx
CCNA Product Overview.pptx
 
Node.js Event Loop & EventEmitter
Node.js Event Loop & EventEmitterNode.js Event Loop & EventEmitter
Node.js Event Loop & EventEmitter
 
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...Session 4 - Bringing the pieces together - Detailed review of a reference ex...
Session 4 - Bringing the pieces together - Detailed review of a reference ex...
 
CCNA v6.0 ITN - Chapter 03
CCNA v6.0 ITN - Chapter 03CCNA v6.0 ITN - Chapter 03
CCNA v6.0 ITN - Chapter 03
 
Mikrotik Hotspot
Mikrotik HotspotMikrotik Hotspot
Mikrotik Hotspot
 
Fortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdfFortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdf
 
Ccnp workbook network bulls
Ccnp workbook network bullsCcnp workbook network bulls
Ccnp workbook network bulls
 
JUNOS EX-Switching
JUNOS EX-SwitchingJUNOS EX-Switching
JUNOS EX-Switching
 
Day 2 IP ROUTING
Day 2 IP ROUTINGDay 2 IP ROUTING
Day 2 IP ROUTING
 
192.0.0.4 on android
192.0.0.4 on android192.0.0.4 on android
192.0.0.4 on android
 
Bandwidth control approach - Cisco vs Mikrotik on Multitenancy
Bandwidth control approach - Cisco vs Mikrotik on MultitenancyBandwidth control approach - Cisco vs Mikrotik on Multitenancy
Bandwidth control approach - Cisco vs Mikrotik on Multitenancy
 
OFI libfabric Tutorial
OFI libfabric TutorialOFI libfabric Tutorial
OFI libfabric Tutorial
 
Training Week: Introduction to Neo4j Bloom
Training Week: Introduction to Neo4j BloomTraining Week: Introduction to Neo4j Bloom
Training Week: Introduction to Neo4j Bloom
 
Chapter03
Chapter03Chapter03
Chapter03
 
Network design
Network designNetwork design
Network design
 
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09
 
CCNA 3 - Troubleshooting the network
CCNA 3 - Troubleshooting the networkCCNA 3 - Troubleshooting the network
CCNA 3 - Troubleshooting the network
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
 
Protocolo IPv6 básico versión 2.0
Protocolo IPv6 básico versión 2.0Protocolo IPv6 básico versión 2.0
Protocolo IPv6 básico versión 2.0
 

Destacado

44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON
 

Destacado (20)

44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?44CON @ IPexpo - You're fighting an APT with what exactly?
44CON @ IPexpo - You're fighting an APT with what exactly?
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish code
 
ShaREing is Caring
ShaREing is CaringShaREing is Caring
ShaREing is Caring
 
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
44CON 2014 - Flushing Away Preconceptions of Risk, Thom Langford
 
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
44CON 2104 - Lessons Learned from Black Hat's Infrastructure, Conan Dooley
 
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
44CON 2014 - Researching Android Device Security with the Help of a Droid Arm...
 
44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities44CON London 2015 - Hunting Asynchronous Vulnerabilities
44CON London 2015 - Hunting Asynchronous Vulnerabilities
 
44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering44CON London 2015 - reverse reverse engineering
44CON London 2015 - reverse reverse engineering
 
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
44CON 2013 - .Net Havoc - Manipulating Properties of Dormant Server Side Web ...
 
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
44CON London 2015 - Reverse engineering and exploiting font rasterizers: the ...
 
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
44CON 2014 - Switches Get Stitches, Eireann Leverett & Matt Erasmus
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens44CON 2014 - Advanced Excel Hacking, Didier Stevens
44CON 2014 - Advanced Excel Hacking, Didier Stevens
 
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
44CON London 2015 - Playing with Fire: Attacking the FireEye MPS
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
44CON 2014 - I gave a talk about robots and hardware!, Josh Thomas
 
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
44CON 2014 - GreedyBTS: Hacking Adventures in GSM, Hacker Fantastic
 

Similar a 44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw

Cloud native IPC for Microservices Workshop @ Containerdays 2022
Cloud native IPC for Microservices Workshop @ Containerdays 2022Cloud native IPC for Microservices Workshop @ Containerdays 2022
Cloud native IPC for Microservices Workshop @ Containerdays 2022
QAware GmbH
 
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Michael Noll
 
Building high performance microservices in finance with Apache Thrift
Building high performance microservices in finance with Apache ThriftBuilding high performance microservices in finance with Apache Thrift
Building high performance microservices in finance with Apache Thrift
RX-M Enterprises LLC
 
Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...
Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...
Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...
Timothy Spann
 

Similar a 44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw (20)

ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
ClickHouse Paris Meetup. Pragma Analytics Software Suite w/ClickHouse, by Mat...
 
Xamarin Form using ASP.NET Core SignalR client
Xamarin Form using ASP.NET Core SignalR clientXamarin Form using ASP.NET Core SignalR client
Xamarin Form using ASP.NET Core SignalR client
 
from Docker to Moby and back. what changed ?
from Docker to Moby and back. what changed ?from Docker to Moby and back. what changed ?
from Docker to Moby and back. what changed ?
 
Staying Close to Experts with Executable Specifications
Staying Close to Experts with Executable SpecificationsStaying Close to Experts with Executable Specifications
Staying Close to Experts with Executable Specifications
 
P4_tutorial.pdf
P4_tutorial.pdfP4_tutorial.pdf
P4_tutorial.pdf
 
Cloud native IPC for Microservices Workshop @ Containerdays 2022
Cloud native IPC for Microservices Workshop @ Containerdays 2022Cloud native IPC for Microservices Workshop @ Containerdays 2022
Cloud native IPC for Microservices Workshop @ Containerdays 2022
 
Monitoring federation open stack infrastructure
Monitoring federation open stack infrastructureMonitoring federation open stack infrastructure
Monitoring federation open stack infrastructure
 
Monitoring your API
Monitoring your APIMonitoring your API
Monitoring your API
 
Wireshark 101 - OWASP Chandigarh Meetup - CyberForge Academy
Wireshark 101 - OWASP Chandigarh Meetup - CyberForge AcademyWireshark 101 - OWASP Chandigarh Meetup - CyberForge Academy
Wireshark 101 - OWASP Chandigarh Meetup - CyberForge Academy
 
PNDA - Platform for Network Data Analytics
PNDA - Platform for Network Data AnalyticsPNDA - Platform for Network Data Analytics
PNDA - Platform for Network Data Analytics
 
Logs aggregation and analysis
Logs aggregation and analysisLogs aggregation and analysis
Logs aggregation and analysis
 
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015Being Ready for Apache Kafka - Apache: Big Data Europe 2015
Being Ready for Apache Kafka - Apache: Big Data Europe 2015
 
Realtime traffic analyser
Realtime traffic analyserRealtime traffic analyser
Realtime traffic analyser
 
Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017Compiling P4 to XDP, IOVISOR Summit 2017
Compiling P4 to XDP, IOVISOR Summit 2017
 
Building high performance microservices in finance with Apache Thrift
Building high performance microservices in finance with Apache ThriftBuilding high performance microservices in finance with Apache Thrift
Building high performance microservices in finance with Apache Thrift
 
Quick look in Reactive Extensions
Quick look in Reactive ExtensionsQuick look in Reactive Extensions
Quick look in Reactive Extensions
 
Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019Fuzzing Janus @ IPTComm 2019
Fuzzing Janus @ IPTComm 2019
 
Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...
Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...
Devfest uk & ireland using apache nifi with apache pulsar for fast data on-r...
 
Infrastructure as Code Presentation v5.pptx
Infrastructure as Code Presentation v5.pptxInfrastructure as Code Presentation v5.pptx
Infrastructure as Code Presentation v5.pptx
 
Neo4j Data Loading with Kettle
Neo4j Data Loading with KettleNeo4j Data Loading with Kettle
Neo4j Data Loading with Kettle
 

Más de 44CON

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
44CON
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
44CON
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
44CON
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
44CON
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
44CON
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
44CON
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
44CON
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
44CON
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
44CON
 

Más de 44CON (20)

They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...
 
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...
 
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...
 
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...
 
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...
 
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...The UK's Code of Practice for Security in Consumer IoT Products and Services ...
The UK's Code of Practice for Security in Consumer IoT Products and Services ...
 
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...
 
Pwning the 44CON Nerf Tank
Pwning the 44CON Nerf TankPwning the 44CON Nerf Tank
Pwning the 44CON Nerf Tank
 
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
44CON London 2015 - Indicators of Compromise: From malware analysis to eradic...
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train44CON London 2015 - Going AUTH the Rails on a Crazy Train
44CON London 2015 - Going AUTH the Rails on a Crazy Train
 
44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security44CON London 2015 - Software Defined Networking (SDN) Security
44CON London 2015 - Software Defined Networking (SDN) Security
 
44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection44CON London 2015 - DDoS mitigation EPIC FAIL collection
44CON London 2015 - DDoS mitigation EPIC FAIL collection
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
44CON London 2015 - Old Dog, New Tricks: Forensics With PowerShell
 
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
44CON London 2015 - Smart Muttering; a story and toolset for smart meter plat...
 

Último

How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
Srushith Repakula
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
Syngulon
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
UXDXConf
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
UK Journal
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
UXDXConf
 

Último (20)

Your enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4jYour enemies use GenAI too - staying ahead of fraud with Neo4j
Your enemies use GenAI too - staying ahead of fraud with Neo4j
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
WebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM PerformanceWebAssembly is Key to Better LLM Performance
WebAssembly is Key to Better LLM Performance
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdfLinux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
Linux Foundation Edge _ Overview of FDO Software Components _ Randy at Intel.pdf
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
Syngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdfSyngulon - Selection technology May 2024.pdf
Syngulon - Selection technology May 2024.pdf
 
Designing for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at ComcastDesigning for Hardware Accessibility at Comcast
Designing for Hardware Accessibility at Comcast
 
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdfBreaking Down the Flutterwave Scandal What You Need to Know.pdf
Breaking Down the Flutterwave Scandal What You Need to Know.pdf
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?The Metaverse: Are We There Yet?
The Metaverse: Are We There Yet?
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 

44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw

  • 1. Binary Protocol Analysis with CANAPE James Forshaw
  • 2. Schedule 1.What is CANAPE? 2.Say Hello to SuperFunkyChat 3.Proxying and Capturing Traffic 4.NetGraphs 5.Modelling State Transitions 6.Removing SSL/Layers 7.Traffic Manipulation and Replay 8.Developing Network Clients 9.Wrap Up https://www.github.com/tyranid/44con_2014
  • 3. Playing Along at Home •Pre-built binaries available at: •https://www.github.com/tyranid/44con_2014 •Example projects and slides will come later ASK QUESTIONS https://www.github.com/tyranid/44con_2014
  • 4. What is CANAPE? •Arbitrary Network Protocol Capture Tool •Specifically designed for Binary Protocols •Windows focused (some Mono support) •Open source, GPLv3, written in C# •https://www.github.com/ctxis/canape https://www.github.com/tyranid/44con_2014
  • 5. What Makes CANAPE Different? •Number of tools to generate or fuzz network traffic •Scapy, Peach, Sulleyetc. •Takes Web Application Testing Paradigm and applies to arbitrary protocols •GUI •Easy packet manipulation •Quick feedback https://www.github.com/tyranid/44con_2014
  • 6. Workshop 0: Quick Tour of CANAPE https://www.github.com/tyranid/44con_2014
  • 7. Say Hello to Super Funky Chat!!11! https://www.github.com/tyranid/44con_2014
  • 8. SuperFunkyChat •Simple Windows IM Application •Written originally as a CTF and CANAPE tutorial •Uses a binary protocol •Supports SOCKS •Has a few “Undocumented” features •Sourcecodeavailable at https://www.github.com/tyranid/SuperFunkyChat •Don’t use as a real IM system  https://www.github.com/tyranid/44con_2014
  • 9. Workshop 1: Quick Tour of SuperFunkyChat https://www.github.com/tyranid/44con_2014
  • 10. Proxying and Capturing Traffic •CANAPE Supports Many Ways of Proxying Traffic: •TCP/UDP Port Forwarding •SOCKS v4/v5 Proxy •HTTP Forward and Reverse Proxies •Can develop your own extensions to support other types of networks (NamedPipes, COM ports) •Also supports Servers and Clients https://www.github.com/tyranid/44con_2014
  • 11. Identifying Suitable Traffic •Need to work out what traffic to capture •Reverse Engineering •Wireshark/PCAP https://www.github.com/tyranid/44con_2014
  • 12. Forcing Traffic Through CANAPE •CANAPE works at Application Level (TCP/UDP) not network •Traffic from Application needs to go through CANAPE •Proxy support •DNS redirecting •DNAT •SOCKSifyingtools (Proxifierfor example) https://www.github.com/tyranid/44con_2014
  • 13. Services •CANAPE insolates your project into a set of services. •You define a template for your service: •Data flow •State model •Dynamic content •When a new connection is made an Instance is instantiated based on the template https://www.github.com/tyranid/44con_2014
  • 14. Workshop 2: Capturing SuperFunkyChat https://www.github.com/tyranid/44con_2014
  • 16. NetGraphs •NetGraphsused to mode data flow and state •Specified as a directed graph •Standard graph nodes available •Can implement custom nodes in C#/IronPython https://www.github.com/tyranid/44con_2014
  • 17. Specifying a NetGraph Select Default Graph https://www.github.com/tyranid/44con_2014
  • 18. Netgraphin Service Context Client Application Server Application https://www.github.com/tyranid/44con_2014
  • 19. Some Standard Nodes Name Description LogNode Logspackets as they traverse the node Decision Node Performs an IF condition on packets Switch Node Selecton output based on state Edit Node Displaysa dialog to allow manual packet editing Dynamic Node Scripted content Layer Section Graphcontainer and layer processing https://www.github.com/tyranid/44con_2014
  • 20. Graph User Interface •Create a new graph by right clicking project explorer •Left Click to Select and Drag Nodes •Right Click to Add Nodes •Hold and Drag Middle Button to Add Edges •Can also hold left Control and use Left button •Nodes can be disabled from right click menu https://www.github.com/tyranid/44con_2014
  • 22. Node Filters •Each node has a Filters property •Defines match rules for what packets the node will process https://www.github.com/tyranid/44con_2014
  • 23. Workshop 3: Playing with Netgraphs https://www.github.com/tyranid/44con_2014
  • 25. Packet Logging •Only packets which traverse a log node in a graph end up being logged (well unless you do it manually) •Affected by node filters •Can specify a number of properties: •Colour •Logged Name https://www.github.com/tyranid/44con_2014
  • 26. Workshop 4: Packet Logging Interface https://www.github.com/tyranid/44con_2014
  • 27. Packet Tools •Analysis of traffic means looking at binary data •Many different tasks: •Comparing packets and sequences of packets •Importing and exporting data •Searching https://www.github.com/tyranid/44con_2014
  • 28. Workshop 5: Packet Tools https://www.github.com/tyranid/44con_2014
  • 29. Parsing Traffic •CANAPE’s data pipeline can be scripted using C# or Python •Not necessarily easy thing to do •Parser editor to the rescue https://www.github.com/tyranid/44con_2014
  • 31. Parser Editor •Build protocol structure in GUI •Defines 3 types: •Sequences •Enumerations •Parsers •Supports complex expressions, TLV, sub-sequences etc. •Compiles to C# parser script, can be exported and tweaked https://www.github.com/tyranid/44con_2014
  • 32. Parsed Packet Format Root Key (/) Key A Value Y Key B Value X SelectionPath= /A/Y •Nodes and filtessupport a Selection Path •Uses an XPATH syntax to determine selection https://www.github.com/tyranid/44con_2014
  • 33. SuperFunkyChatPacket Structure Length (4 bytes) Checksum (4 bytes) Data (Length bytes) Command (1 byte) Command Specific Data (Length-1 bytes) https://www.github.com/tyranid/44con_2014
  • 34. Workshop 6: Parser Development https://www.github.com/tyranid/44con_2014
  • 35. Removing TLS/Layers •One of the most common security protocols is TLS/SSL •CANAPE doesn’t assume it knows better than you whether a connection is TLS or not •Can wrap and decrypt entire connection https://www.github.com/tyranid/44con_2014
  • 36. Workshop 7: Remove TLS Encryption https://www.github.com/tyranid/44con_2014
  • 38. State Modelling •Most protocols aren’t simple streams of data •Need to deal with State •Main way of handling this in CANAPE is through the netgraphs •Also simpler interface using state graphs https://www.github.com/tyranid/44con_2014
  • 39. Meta Data Storage Service 1 Instance Local Meta Service 1 Instance Global Meta Local Meta Service 2 Instance Local Meta Project Meta https://www.github.com/tyranid/44con_2014
  • 40. Accessing Meta Data Storage •Local (Graph.Meta) •Global (Graph.GlobalMeta) •Project (CANAPEProject.CurrentProject.GlobalMeta) •Layers (this.Meta/this.GlobalMeta) https://www.github.com/tyranid/44con_2014
  • 41. MetaSelection •Already seen XPATH SelectionPath •Filters can also select on MetaData •Examples: •#MetaName–Select the local meta value •$MetaName–Select the global meta value https://www.github.com/tyranid/44con_2014
  • 42. Workshop 8: Developing XOR Decryption https://www.github.com/tyranid/44con_2014
  • 43. Traffic Manipulation and Replay https://www.github.com/tyranid/44con_2014
  • 44. Dealing with Checksums •Up to now we’ve only looked at packets, never changed and replayed them •Something prevents us doing this, the checksum •Could write a script to fix up checksum after modification •Parser editor also gives some basic functions to do this for us https://www.github.com/tyranid/44con_2014
  • 45. Expressions •Parser editor supports a python-like syntax expression evaluator •Combine with calculated values to recalculate checksum •Can even use python snippets: DoChecksum.RunMe(Command, bytes(Payload)) https://www.github.com/tyranid/44con_2014
  • 46. Workshop 9: Packet Replay and Injection https://www.github.com/tyranid/44con_2014
  • 47. Developing Network Clients https://www.github.com/tyranid/44con_2014
  • 48. Network Clients •CANAPE supports developing network clients •Designed to allow reuse of work developed through MitM(graphs/scripts) to be reused with the minimal of effort •Can be used for fuzzing or other automated tasks. https://www.github.com/tyranid/44con_2014
  • 49. Workshop 10: Command Fuzzer https://www.github.com/tyranid/44con_2014