SlideShare una empresa de Scribd logo

SniffJoke 0.4

Not In my Name
Not In my Name

This presentation has been used in PH-Neutral, 2011, Berlin. Would introduce the technical audience to the sniffjoke capabilities, low level technology and achievements. SniffJoke at the moment has been released in 0.4.1 release, and is not pretty much stable, stay update!

TecnologíaEmpresariales
1 de 46
Descargar para leer sin conexión
“Downgrade  mul7  gigabit Sn iffJoke  0.4   s  s n PH-­‐Neutral   iffers  to  mul7  kilobits”   –  may  2011   vecna@delirandom.net   1  
Agenda  –  SniffJoke  0.4   May/2011   45min  ETA   1.  Introduc7on,  target  defini7on   –  6   2.  Theory,  implementa7on  issue   –  4   3.  Anatomy  of  the  aUacks   –  8   4.  Implementa7on  in  SniffJoke  framework   –  14   5.  Impact,  considera7ons,  TODO     –  10   0/5  Agenda   2  
Hi!  I’m  vecna   •  Known  also  as  Claudio  Agos7   –  s0pj,  for  those  who  remember  what  it  was   •  Infoblah  securblah  hackblah   •  Anonymity,  cryptography,  privacy,  paranoid   technology,  kernel,  c++   My  english  sounds  like  a  google  transla7on,  when  the  network  is  down,  sorry!   ++++++++++[>+++++++>++++++++++>+++>+<<<<-­‐]>++.  >+.+++++++..+++.>++.<<+++++++++++++++.>.+++.-­‐-­‐-­‐-­‐-­‐-­‐.-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐.>+.>.   3  
Main  concepts   •  Target:  vital  algorithms  present  in  every   network  device  making  passive  traffic  analysis   •  Thesis:  they  haven’t  enough  informa7on  to   correctly  perform  flow  reassembly   •  A.ack:  (ab)using  this  network  capabili7es,  IP   sessions  would  be  (difficult|impossible)  to  be   reassembled   •  Effect:  business  and  security  based  on  passive   traffic  analysis  could  get  some  troubles  :)     1/5  Introduc7on,  target  defini7on   4  
Xplico  sniffer,  capturing  pkts  without  Sj   1/5  Introduc7on,  target  defini7on   5  
Xplico  sniffer,  same  search,  with  Sj   1/5  Introduc7on,  target  defini7on   6  
Mul7  gigabit  business   High  Performance  Traffic  Inspec7on,   Monitoring  and  Capture  at  10Gbps   The  SiNIC10  is  an  advanced  Network   Interface  Card  combining  FPGAs  and  state  of   the  art  support  soware.  The  NIC  provides  full   Deep  Packet  Inspec7on  (Layer  2-­‐7[…]  to   hUp://www.cybersi.net/hpns.html   operate  on  10Gbps  backbones  –  extending  the   life  of  soware  assets.   VANTAGE  is  a  mass  and  target  intercep7on  system   that  intercepts,  filters,  and  analyzes  voice,  data,   and  mul7media  for  intelligence  purposes.  Using   sophis7cated  probing  technology  and  Verint’s  real-­‐ Intelligence  Support  Systems  for  Lawful   7me  filtering  mechanisms,  VANTAGE  passively   IntercepAon,  Criminal  InvesAgaAons,   collects  maximum  communica7ons,  extracts  the   Intelligence  Gathering  and  InformaAon   most  important  informa7on,  and  uses  stored  data   Sharing  Conference  and  Expo   analysis  for  genera7ng  intelligence  from  data   hUp://www.telestrategies.com/ISS_WASH/index.htm   collected  over  7me.  hUp://verint.com/ communica7ons_intercep7on/   1/5  Introduc7on,  target  defini7on   7  
100  Gb  –  coming  soon   •  Mass  survelliance  will  sound  like  control  inside  na7onal   border   •  But  data,  packet,  travel  for  much  more  na7ons  than  source/ dest!   •  The  mass  survelliance  technology  some  years  ago  hasn’t   enough  computaAonal  power:  now  has  it     Around  the  world,  telcos,  financial  ins7tu7ons,  federal  agencies  and  large  digital   service  delivery  organisa7ons  are  ac7vely  deploying  40Gb/s  and  100Gb/s  networks  in     metro,  long-­‐haul  and  short-­‐hop  data  centre  /  cloud  environments.  The  market  for     ultra-­‐high  speed  networking  is  gathering  momentum.  […]  These  systems  are  expected     to  be  available  for  deployment  later  in  2011.   hUp://www.endace.com/endaceextreme.html   1/5  Introduc7on,  target  defini7on   8  
SniffJoke  Project  goals   • A  new  tool  against  mass   survelliance   •  Remember  that  control  doesn’t  necessarily  bring   security   •  Fun!!     •  Remember  that  an  organiza7on  based  on  the   network  is  efficent  and  rapid  in  evolving   •  Exploit  the  deepest  shadow  cone  in  the  TCP/IP     1/5  Introduc7on,  target  defini7on   9  
a  research  back  in  the  1998   •  First  7me  I  read  about,  was  in  phrack  #58   •  First  7me  I  tried  to  implement,  was  back  in  1999   •  A  research  that  seem  to  be  forgoUen  by  vendors   –  un7l  StoneSo’s  marke7ng  kick  out  AET  !   •  We’re  talking  about  a  technique  that’s  either   difficult  to  be  implemeted  and  difficult  to  be   tested  too.   1/5  Introduc7on,  target  defini7on   10  
Thesis:  informa7on  is  not  enough   •  In  the  middle  elements  will  not  know  what   happen  to  the  remote  peers   •  Hypothe7cally,  a  recorded  packets  will  never   have  reached  the  remote   •  Will  have  more  than  one  meanings,  and  the   IP/TCP  stack  choose  based  in  configura7on,   Opera7ng  System,  or  release  number   •  In  short:  Internet  was  engineered  for  2  peers,   not  for  the  third  passive  analyzer.   1/5  Introduc7on,  target  defini7on   11  
AUack:  injec7ng  is  not  so  simple   •  You  need  to  not  broke  the  session   •  You  need  to  fool  the  sniffer  wri7ng  only   plausible  packets  in  the  flow   •  You  need  to  guess  how  a  sniffer  works,   because  a  lot  of  them  are  not  open  source   •  You  need  to  cover  your  injec7on  paUern,  to   avoid  be  filtered  out   •  Sj  require  one  side  only   2/5  Theory,  implementa7on  issues   12  
Implementa7on  issue,  1/2   •  The  first  soware  tes7ng  this  vulns,  was  a   CASL  script     –  CASL  is  a  language  for  packet  forging   –  A  TCP  session  was  established  “by  hand”   •  A  daily  usage  will  require  a  transparent  layer     •  Only  in  kernel  space  is  possibile  ?     –  In  the  past,  YES,  with  a  lot  of  troubles   –  Firsts  research  goal  was  to  make  in  userland   2/5  Theory,  implementa7on  issues   13  
Implementa7on  issue,  2/2   •  How  to  intercept  outgoing  packets  ?     –  SniffJoke  use  a  /dev/tun  interface,  se|ng  himself   as  default  gateway   –  Receive  all  packets  since  IP  header   –  Forward  to  the  default  gw  ether  address   •  How  to  intercept  incoming  packets  ?   –  Filtering  rule  to  drop  packet  coming  from  the  gw   –  Reading  in  datalink  layer  and  resending  as  raw   2/5  Theory,  implementa7on  issues   14  
SniffJoke  network  injec7on   w/out  Sj   write() “AAAAA” read() “BBBBB” Kernel   remote   default gw User’s Box Host with a I/O Pkt ISP bind() Apps App I/O injected routers write() “AAAAA” read() “BBBBB” Kernel   remote   w/  Sj   2/5  Theory,  implementa7on  issues   15  
Anatomy  of  the  aUack   •  Thought  packet  reassembly  as  “black  box”   –  We  could  deduce  that  a  real7me  sniffer/IDS  will   try  to  be  faster  than  ever,  in  order  to  op7mize  the   hardware  following  the  bandwidth  growning   –  WireShark  is  the  best  reference:  the  top   community  driven,  non  real7me,  best  reassembly   available   •  The  aUacks  will  be  planned  versus  a  specific   target  (a  specific  sniffer  sw).     –  It  is  easyest,  not  an  0.4  goal   3/5  Anatomy  of  the  aUacks   16  
Goal  of  the  research   •  Found  some  RFC/stack  good  way  to  generate   some  packets  that  will:   –  Never  reach  the  des7na7on  host   –  Be  discarded  by  the  des7na7on  host   •  AND  be  accepted  by  the  sniffer,  or:   –  Be  accepted  by  the  des7na7on  host,  but  only  because   has  been  abused  of  some  weird  status   •  AND  discarded  by  the  sniffer   •  These  way  will:  cause  desynchronizaAon.   •  These  are  called  Scramble.   3/5  Anatomy  of  the  aUacks   17  
And..  when  the  desync  is  obtained   •  Insert  fake  payload   –  Will  cause  the  sniffer  to  parse/dump  fake  data   •  Give  fake  sequencing  flow   –  Will  cause  huge  dumps,  dele7ng  of  previous  segm     •  Inject  fake  signaling  (FIN,  RST,  SYN)   –  Close,  restart,  interrupt  an  ac7ve  flow   •  These  are  called  Hack,  and  are  implemented   in  the  Plugins   3/5  Anatomy  of  the  aUacks   18  
Simple  scramble:  checksum   •   A  packet  is  send  with  a  bad  TCP  checksum   •   the  remote  service  drop  it:  what  the  sniffer  do  ?   Eve  –  the  Sniffer   AAAAAAAAAAAAA   B4dB4dB4dB4dB4d   Alice  with  SniffJoke   1   2   3   4   5   Bob  –  the  receiver   6   7    1  -­‐  TCP  seq  1-­‐20  [  AAAA…]  good  cksum   8   AAAAAAAAAAAAA   BBBBBBBBBBBBBB    2  -­‐  TCP  ACK  seq  20    2  -­‐  TCP  seq  21-­‐40  [  B4dB4dB4d…]  bad  cksum   3-­‐  TCP  seq  21-­‐40  [  BBBBBBBB…]  good  cksum   Discarded  packet    4  -­‐  TCP  ACK  seq  40   3/5  Anatomy  of  the  aUacks   19  
Strong  scramble:  TTL  expire   •   A  packet  is  send  with  a  Ul  of  7   •   the  remote  service  never  get  it!    2  -­‐  TCP  seq  21-­‐40  [  B4dB4…]  TTL  0   Eve  –  the  Sniffer   AAAAAAAAAAAAA   B4dB4dB4dB4dB4d   Alice  with  SniffJoke   1   2   3   4   5   Bob  –  the  receiver   6   7    1  -­‐  TCP  seq  1-­‐20  [  AAAA…]  TTL  10   8   AAAAAAAAAAAAA   BBBBBBBBBBBBBB    2  -­‐  TCP  ACK  seq  20    2  -­‐  TCP  seq  21-­‐40  [  B4dB4dB4d…]  TTL  6   ICMP  .l  expire  [TCP  21-­‐40]   3-­‐  TCP  seq  21-­‐40  [  BBBBBBBB…]  TTL  9    4  -­‐  TCP  ACK  seq  40   3/5  Anatomy  of  the  aUacks   20  
New  scramble:  IP/TCP  op7ons   •   A  packet  get  an  uncommon*  IP/TCP  op7on   •   The  kernel  is  able  to  handle  it,  the  sniffer  does  ?   Eve  –  the  Sniffer   (?)  AAAAAAAAAAAAA   (?)  B4dB4dB4dB4dB4d   …   Alice  with  SniffJoke   1   2   3   4   5   Bob  –  the  receiver   6   7    1  -­‐  TCP  seq  1-­‐20  [  AAAA…]  TCP  MD5  sum   8   AAAAAAAAAAAAA   BBBBBBBBBBBBBB    2  -­‐  TCP  ACK  seq  20    2  -­‐  TCP  seq  21-­‐40  [  B4dB4dB4d…]   IP_TIMESTAMP,  NOP,  IP_TIMESTAMP   3-­‐  TCP  seq  21-­‐40  [  BBBBBBBB…]  IP_RA,  TCP_SACK   Discarded  packet    4  -­‐  TCP  ACK  seq  40   3/5  Anatomy  of  the  aUacks   21  
Scrambles,  strengths  and  weakness   •  TTL  expire  seem  the  strongest  one  (network)   –  Instable  in  asymmetric  link  dynamic  route   •  Checksum   –  Is  the  wrost  one,  easily  trapped     •  IP/TCP  op7ons   –  Exploit  the  slow  update  of  the  sniffer  soware   –  Exploit  the  ambiguity  of  the  protocols   –  Need  (!)  to  be  tested  for  each  des7na7on   –  Useful  for  mys7fyca7on  of  “good”  packets   3/5  Anatomy  of  the  aUacks   22  
Descyn  abuse:  the  plugins   •  The  Plugins  (or,  the  hack)  implement  the   damage  caused  to  the  desync  session   –  Plugins  has  ben  planned  to  be  flexible  at  most   •  Internal  cache,  internal  logging   •  Condi7onal  check   •  Verify,  mangle,  modify  packet  either  outgoing  and   ingoing  too.   •  I  hope/wish/dream  …  external  contrib!     3/5  Anatomy  of  the  aUacks   23  
Example  of  fake  close,  1/4          virtual  bool  condi7on(const  Packet  &origpkt,  uint8_t  availableScrambles)          {          if  (origpkt.chainflag  ==  FINALHACK)                          return  false;                  bool  ret  =  origpkt.fragment  ==  false  &&                                  origpkt.proto  ==  TCP  &&                                  !origpkt.tcp-­‐>syn  &&                                  !origpkt.tcp-­‐>rst  &&                                  !origpkt.tcp-­‐>fin;    /*  cache  checking    */    […]   4/5  Implementa7on  in  SniffJoke  framework   24  
Example  of  fake  close,  2/4          virtual  void  apply(const  Packet  &origpkt,  uint8_t  availableScrambles)          {                  Packet  *  const  pkt  =  new  Packet(origpkt);                  pkt-­‐>tcp-­‐>seq  =  htonl(ntohl(pkt-­‐>tcp-­‐>seq)  -­‐  pkt-­‐>tcppayloadlen  +  1);                                    pkt-­‐>tcp-­‐>psh  =  0;                  pkt-­‐>tcp-­‐>fin  =  1;                  pkt-­‐>tcppayloadResize(0);                  pkt-­‐>posi7on  =  ANTICIPATION;                  pkt-­‐>w‚  =  pktRandomDamage(availableScrambles,  supportedScrambles);                  pkt-­‐>chainflag  =  FINALHACK;                  pktVector.push_back(pkt);          }   4/5  Implementa7on  in  SniffJoke  framework   25  
Explain  of  fake  close,  3/4   •  Fact:  our  Packet  has  some  payload  (pkt-­‐>tcppayloadlen  >  0)  is   not  a    fragment  and  has  not  FIN,  RST,  SYN  flag   •  the  sniffer  trust  the  FIN  because  has  the  last  sequence   number  +  1   –  pkt-­‐>tcp-­‐>seq  =  htonl(ntohl(pkt-­‐>tcp-­‐>seq)  -­‐  pkt-­‐>tcppayloadlen  +  1);   Sn   Plugin  match   condi7on!   1   2   3   4   5   6   7   A:  ack_seq  100     FIN  seq  101     reject   P:  seq  200     recv  seq  200   A:  ack_seq  200     4/5  Implementa7on  in  SniffJoke  framework   26  
Explain  of  fake  close,  4/4   •  Fact:  our  Packet  has  some  payload  (pkt-­‐>tcppayloadlen  >  0)  is   not  a    fragment  and  has  not  FIN,  RST,  SYN  flag   •  CASE  2:  the  sniffer  trust  the  FIN  because  check  a  coherent   ack_seq  in  answer   •  ACK  and  TCP.ack_seq  is  never  touched.   Sn   Plugin  match   condi7on!   1   2   3   4   5   6   7   A:  ack_seq  100     P+F  seq  200     reject   P:  seq  200     recv  seq  200   A:  ack_seq  200     4/5  Implementa7on  in  SniffJoke  framework   27  
Fake  data  injec7on  (TCP/UDP)   •  Another  hack  that  expect  the  foregin  ACK   Data  500  byte  seq  600   Sn   1   2   3   4   5   6   7   1  -­‐  Drop  or  expired   1  –  Rand  payload   2  –  correct  payload   2  -­‐  Accepted   3  –  Rand  payload   3  -­‐  Drop  or  expired   4  –  ACK  600   4/5  Implementa7on  in  SniffJoke  framework   28  
Lists  of  plugin  combined   # cat plugins-enabled.conf fake_close_fin,PRESCRIPTION,MALFORMED,GUILTY fake_close_rst,PRESCRIPTION,MALFORMED,GUILTY fake_data,PRESCRIPTION,MALFORMED,GUILY fake_seq,PRESCRIPTION,MALFORMED,GUILTY fake_syn,PRESCRIPTION,MALFORMED,GUILTY fake_zero_window,INNOCENT fragmentation,INNOCENT segmentation,INNOCENT shift_ack,PRESCRIPTION,MALFORMED,GUILTY valid_rst_fake_seq,INNOCENT 4/5  Implementa7on  in  SniffJoke  framework   29  
Plugins  and  op7ons  autoprobe   •  Each  ISP,  gateway,  firewall,  may  implement   filter  of  different  kinds   –  sniffjoke-autotest  is  a  script  using  every   kind  of  possible  available  combina7ons,  aiming  to   select  the  working  combos  alone   –  Generate  two  loca7on  dependent  configura7on   file:  iptcp-­‐op7ons.conf  and  plugins-­‐enabled.conf   –  Every  loca7on  need  an  autotest,  using  the  wrong   parameters  will  cause  a  pletora  of  faults   4/5  Implementa7on  in  SniffJoke  framework   30  
Autotest  usage   •  Goal:  generate  config  files  for  the  loca7on   –  Use  a  service  doing  an  HTTP  ECHO  POST   •  Retrive  info,  message  and  urls  from  a  remote   server  (not  required,  everyone  could  setup   one)   –  Offer  to  submit  analysis  results   •  I’m  expec7ng  useful  analyze  with  IP/TCP  op7ons  are   supported  around  the  world   •  sniffjoke-autotest –l office –d /usr/local/var/sniffjoke –n 1 4/5  Implementa7on  in  SniffJoke  framework   31  
4/5  Implementa7on  in  SniffJoke  framework   32  
4/5  Implementa7on  in  SniffJoke  framework   33  
Randomiza7on  paUern,  1   •  Applica7on  of  the  plugins  must  not  be  linear,   to  avoid  any  kind  of  paUern  recogni7on  by   lazy  sniffers   –  Every  TCP  service  will  be  customized  in  a   configura7on  file   –  Every  plugins  contains  preferred  usage   •  Internal  selec7on  of  protocol,  service,  status,   des7na7on  is  possible   •  In  some  plugins  less  usage  is  beUer,  other  will  be  pland   as  permanent  usage,  depends  by  the  plugins   4/5  Implementa7on  in  SniffJoke  framework   34  
Randomiza7on  paUern,  2   $ cat /usr/local/var/sniffjoke/home/port-aggressivity.conf # this is always on the top of the port definition file, act as default 0:65535 RARE # follow the port rules 22 NONE # common unencrypted mail 25,110,143 LONGPEEK # Intensive in the web 80,8080,3128 PEEKATSTART # Windows service 135:139 PEEK10PKT # SQL.mysql 156,3306 LONGPEEK # edonkey 4662 VERYRARE,EVERY20SECONDS 4/5  Implementa7on  in  SniffJoke  framework   35  
Randomiza7on  paUern,  3   # NONE .................. never used the hack (0% probability) # VERYRARE .............. 5% # RARE .................. 15% # COMMON ................ 40% # HEAVY ................. 75% # ALWAYS ................ 100% # PEEK10PKT ............. packer number 9, 10, 11 = 80%, other 2% # PEEK30PKT ............. packet number 29, 30, 31, = 90%, other 2% # EVERY5SECONDS ......... if the number of seconds are divisible by 5= 90% # other moments, 2% # EVERY20SECONDS ........ if the number of seconds are divisible by 20= 90% # other moment, 2% # PEEKATSTART ........... the first 20 packets = 65%, up to the 40th= 20%, after 2% # LONGPEEK .............. the first 60 pkts = 65%, up to the 120th= 20%, after 2% 4/5  Implementa7on  in  SniffJoke  framework   36  
Other  features  (implemented)   •  -­‐-­‐chain   –  Every  plugin  define  if  an  injected/mangled  packet   will  be  hacked  again  (max  2  rounds)   •  -­‐-­‐no-­‐udp  –no-­‐tcp   •  ipwhitelist.conf  and  ipblacklist.conf   •  Mys7fyca7on   –  If  supported,  inject  always  IP/TCP  op7ons   4/5  Implementa7on  in  SniffJoke  framework   37  
Lacking  feature   •  Server  side  support   –  Will  be  able  to  protect  a  session  when  the   contacted  service  run  in  the  box  with  sni„oke   •  Passive  OS  fingerprint   –  And  usage  of  this  informa7on  as  a  scramble   selector   •  IP/TCP  op7ons  probe  to  each  single   des7na7on   5/5  Impact,  considera7ons,  TODO     38  
Under  study  aUack,  1   •  The  plugin  fake_zero_window  in  fact  don’t  do   anything  useful   –  Tcp.window  analysis  and  abuse  will  bring  a  packet   to  be  discarded  by  the  server   –  But  the  sniffer  will  know  this   •  SACK  abuse,  ECN,  ICMP  source  quench,  rfc1146   advanced  checksum  usage   5/5  Impact,  considera7ons,  TODO     39  
Under  study  scramble,  2   •  PAWS,  is  a  TCP  op7on  that  will  cause  a   discarding  of  a  packet  that  bring  an  internal   7mestamp  too  much  old   –  But  a  sniffer  will  know  this  7mings  difference,  how   to  fool  it  ?  How  much  will  go  in  deep  ?   5/5  Impact,  considera7ons,  TODO     40  
Some  SniffJoke  effects…   •  Dump  of  +100Mb  per  sessions!  :)   •  Decoding  of  en7rely  faked  data  (TX)   –  Mixing,  in  the  wrost  case   •  Cuts  and  loss  of  received  data  (RX)   •  Not  so  stable   –  MALFORMED  scramble  causes  seldom  session   break  (non  linux  target  hard  to  test,  weird  ISP   conf)   –  Remove  by  hand  in  plugins-­‐enabled.conf   5/5  Impact,  considera7ons,  TODO     41  
5/5  Impact,  considera7ons,  TODO     42  
5/5  Impact,  considera7ons,  TODO     43  
Effects  (hypothesis,  whishes,  etc…)   •  Massive  passive  sniffing  will  face  an  escala7on  of   complexity,  like  crpyography/cryptanalysis  does  ?   –  A  skilled  analyst  will  understand  the  meaning  of  the   packets,  anyway   •  Transparent  proxy,  relayed  traffic  and  non  passive   data  collector,  are  untouched  by  Sj   •  Pervasive  use  of  sni„oke,  with  all  feature   completed,  will  vanify  every  data  reten7on   strategy:  how  much  is  hard  to  communicate  ?   –  In  raw  data  collec7on,  almost   5/5  Impact,  considera7ons,  TODO     44  
Project  goals  for  0.5   •  Collect  evidence  of  defeated  sniffers   –  IDS  may  or  may  not  be  present   •  Found  some  $/€   •  Became  mul7pla‚orm  in  unix  based   –  Windows  client  +  openwrt  package   •  Be  stable  in  IP/TCP  op7ons  scramble   •  Support  server  side  connec7ons!   5/5  Impact,  considera7ons,  TODO     45  
Links   •  hUp://www.delirandom.net/sni„oke   –  hUp://www.delirandom.net/sni„oke/0.3-­‐release   –  Inser7on,  Evasion  and  Denial  of  Service:  Eluding  Network  Intrusion   Detec7ons  (Secure  Network  INC,  1998)   •  hUp://github.com/vecna/sni„oke   •  hUp://github.com/evilaliv3/sni„oke   •  hUp://www.mail-­‐archive.com/wireshark-­‐dev@wireshark.org/msg13474.html   •  hUp://en.roolz.org/trafscrambler.html   •  hUps://twiUer.com/sni„oke   6/5  Thanks!  Ques7ons  ?   46  

Recomendados

Sniffjoke 0.5 anticipation - hack.lu 2011
Sniffjoke 0.5 anticipation - hack.lu 2011Sniffjoke 0.5 anticipation - hack.lu 2011
Sniffjoke 0.5 anticipation - hack.lu 2011Not In my Name
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project IntroductionJulia Yu-Chin Cheng
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
 
Ariu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesAriu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesPluribus One
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Lalad
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 

Recomendados

Sniffjoke 0.5 anticipation - hack.lu 2011
Sniffjoke 0.5 anticipation - hack.lu 2011Sniffjoke 0.5 anticipation - hack.lu 2011
Sniffjoke 0.5 anticipation - hack.lu 2011Not In my Name
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project IntroductionJulia Yu-Chin Cheng
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoringchrissanders88
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools iSyaiful Ahdan
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksIOSR Journals
 
Ariu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesAriu - Ph.D. Defense Slides
Ariu - Ph.D. Defense SlidesPluribus One
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Lalad
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests📡 Sebastien Dudek
 
çIzgi romanlar
çIzgi romanlarçIzgi romanlar
çIzgi romanlaroastan
 
Maruti suzuki
Maruti suzukiMaruti suzuki
Maruti suzukiMohit Bhardwaj
 
5) Bilesik Ar Ge Ve Yenilik Gostergeleri
5) Bilesik Ar Ge Ve Yenilik Gostergeleri5) Bilesik Ar Ge Ve Yenilik Gostergeleri
5) Bilesik Ar Ge Ve Yenilik Gostergeleriserhatcakir
 
Animasyon ve çizgi film
Animasyon ve çizgi filmAnimasyon ve çizgi film
Animasyon ve çizgi filmHande Irmak Tanaltay
 
80W LED Street Light new - www.ngtlight.com
80W LED Street Light new - www.ngtlight.com80W LED Street Light new - www.ngtlight.com
80W LED Street Light new - www.ngtlight.comngt led
 
E27 9w led bulb in restaurant
E27 9w led bulb in restaurantE27 9w led bulb in restaurant
E27 9w led bulb in restaurantngt led
 
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향상도 박
 
20W LED Corn Bulb - www.ngtlight.com
20W LED Corn Bulb - www.ngtlight.com20W LED Corn Bulb - www.ngtlight.com
20W LED Corn Bulb - www.ngtlight.comngt led
 
HOW TO CHECK SNAPCHAT MESSAGES
HOW TO CHECK SNAPCHAT MESSAGES HOW TO CHECK SNAPCHAT MESSAGES
HOW TO CHECK SNAPCHAT MESSAGES Helen_Thomas
 
Electric guitar solo
Electric guitar soloElectric guitar solo
Electric guitar soloDimas Junior
 
The islamic republic of iran
The islamic republic of iranThe islamic republic of iran
The islamic republic of iranDarliin Muriillo
 
Revista #PODER #UPSur Vol. 1
Revista #PODER #UPSur Vol. 1Revista #PODER #UPSur Vol. 1
Revista #PODER #UPSur Vol. 1Unión Peruana del Sur
 
150W LED RETROFIT KTIS NEW
150W LED RETROFIT KTIS NEW150W LED RETROFIT KTIS NEW
150W LED RETROFIT KTIS NEWngt led
 
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~devsumi2009
 
Main vat doc330491313059981
Main vat doc330491313059981Main vat doc330491313059981
Main vat doc330491313059981Anil Kumar
 
Adventists in South Africa I
Adventists in South Africa IAdventists in South Africa I
Adventists in South Africa IJeff Crocombe
 
Innovation By 10
Innovation By 10Innovation By 10
Innovation By 10frog
 
Smtp
SmtpSmtp
SmtpEri Alam
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingPeter R. Egli
 
Se connecter sur sa boite gmail
Se connecter sur sa boite gmailSe connecter sur sa boite gmail
Se connecter sur sa boite gmailEPN Gouvy
 
Ph.D Annual report II
Ph.D Annual report IIPh.D Annual report II
Ph.D Annual report IIMatteo Avalle
 
Irati fire-engineering-workshop-nov2012
Irati fire-engineering-workshop-nov2012Irati fire-engineering-workshop-nov2012
Irati fire-engineering-workshop-nov2012Eleni Trouva
 

Más contenido relacionado

Destacado

çIzgi romanlar
çIzgi romanlarçIzgi romanlar
çIzgi romanlaroastan
 
5) Bilesik Ar Ge Ve Yenilik Gostergeleri
5) Bilesik Ar Ge Ve Yenilik Gostergeleri5) Bilesik Ar Ge Ve Yenilik Gostergeleri
5) Bilesik Ar Ge Ve Yenilik Gostergeleriserhatcakir
 
80W LED Street Light new - www.ngtlight.com
80W LED Street Light new - www.ngtlight.com80W LED Street Light new - www.ngtlight.com
80W LED Street Light new - www.ngtlight.comngt led
 
E27 9w led bulb in restaurant
E27 9w led bulb in restaurantE27 9w led bulb in restaurant
E27 9w led bulb in restaurantngt led
 
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향상도 박
 
20W LED Corn Bulb - www.ngtlight.com
20W LED Corn Bulb - www.ngtlight.com20W LED Corn Bulb - www.ngtlight.com
20W LED Corn Bulb - www.ngtlight.comngt led
 
HOW TO CHECK SNAPCHAT MESSAGES
HOW TO CHECK SNAPCHAT MESSAGES HOW TO CHECK SNAPCHAT MESSAGES
HOW TO CHECK SNAPCHAT MESSAGES Helen_Thomas
 
Electric guitar solo
Electric guitar soloElectric guitar solo
Electric guitar soloDimas Junior
 
The islamic republic of iran
The islamic republic of iranThe islamic republic of iran
The islamic republic of iranDarliin Muriillo
 
150W LED RETROFIT KTIS NEW
150W LED RETROFIT KTIS NEW150W LED RETROFIT KTIS NEW
150W LED RETROFIT KTIS NEWngt led
 
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~devsumi2009
 
Main vat doc330491313059981
Main vat doc330491313059981Main vat doc330491313059981
Main vat doc330491313059981Anil Kumar
 
Adventists in South Africa I
Adventists in South Africa IAdventists in South Africa I
Adventists in South Africa IJeff Crocombe
 
Innovation By 10
Innovation By 10Innovation By 10
Innovation By 10frog
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingPeter R. Egli
 
Se connecter sur sa boite gmail
Se connecter sur sa boite gmailSe connecter sur sa boite gmail
Se connecter sur sa boite gmailEPN Gouvy
 

Destacado (20)

çIzgi romanlar
çIzgi romanlarçIzgi romanlar
çIzgi romanlar
 
Maruti suzuki
Maruti suzukiMaruti suzuki
Maruti suzuki
 
5) Bilesik Ar Ge Ve Yenilik Gostergeleri
5) Bilesik Ar Ge Ve Yenilik Gostergeleri5) Bilesik Ar Ge Ve Yenilik Gostergeleri
5) Bilesik Ar Ge Ve Yenilik Gostergeleri
 
Animasyon ve çizgi film
Animasyon ve çizgi filmAnimasyon ve çizgi film
Animasyon ve çizgi film
 
80W LED Street Light new - www.ngtlight.com
80W LED Street Light new - www.ngtlight.com80W LED Street Light new - www.ngtlight.com
80W LED Street Light new - www.ngtlight.com
 
E27 9w led bulb in restaurant
E27 9w led bulb in restaurantE27 9w led bulb in restaurant
E27 9w led bulb in restaurant
 
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향
2015년 12월 및 연간 소매판매 및 온라인쇼핑 동향
 
20W LED Corn Bulb - www.ngtlight.com
20W LED Corn Bulb - www.ngtlight.com20W LED Corn Bulb - www.ngtlight.com
20W LED Corn Bulb - www.ngtlight.com
 
HOW TO CHECK SNAPCHAT MESSAGES
HOW TO CHECK SNAPCHAT MESSAGES HOW TO CHECK SNAPCHAT MESSAGES
HOW TO CHECK SNAPCHAT MESSAGES
 
Electric guitar solo
Electric guitar soloElectric guitar solo
Electric guitar solo
 
The islamic republic of iran
The islamic republic of iranThe islamic republic of iran
The islamic republic of iran
 
Revista #PODER #UPSur Vol. 1
Revista #PODER #UPSur Vol. 1Revista #PODER #UPSur Vol. 1
Revista #PODER #UPSur Vol. 1
 
150W LED RETROFIT KTIS NEW
150W LED RETROFIT KTIS NEW150W LED RETROFIT KTIS NEW
150W LED RETROFIT KTIS NEW
 
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~
【13-C-6】 帳票開発に時間かけすぎていませんか?~もっと簡単に「作る」現場、「使う」現場の最適解を探る~
 
Main vat doc330491313059981
Main vat doc330491313059981Main vat doc330491313059981
Main vat doc330491313059981
 
Adventists in South Africa I
Adventists in South Africa IAdventists in South Africa I
Adventists in South Africa I
 
Innovation By 10
Innovation By 10Innovation By 10
Innovation By 10
 
Smtp
SmtpSmtp
Smtp
 
MQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message QueueingMQTT - MQ Telemetry Transport for Message Queueing
MQTT - MQ Telemetry Transport for Message Queueing
 
Se connecter sur sa boite gmail
Se connecter sur sa boite gmailSe connecter sur sa boite gmail
Se connecter sur sa boite gmail
 

Similar a SniffJoke 0.4

Ph.D Annual report II
Ph.D Annual report IIPh.D Annual report II
Ph.D Annual report IIMatteo Avalle
 
Irati fire-engineering-workshop-nov2012
Irati fire-engineering-workshop-nov2012Irati fire-engineering-workshop-nov2012
Irati fire-engineering-workshop-nov2012Eleni Trouva
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersAsep Sopyan
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
OSNF - Open Sensor Network Framework
OSNF - Open Sensor Network FrameworkOSNF - Open Sensor Network Framework
OSNF - Open Sensor Network FrameworkAntonio Di Cello
 
Ph.D Annual Report III
Ph.D Annual Report IIIPh.D Annual Report III
Ph.D Annual Report IIIMatteo Avalle
 
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntopIT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntopInfluxData
 
Future services on Janet
Future services on JanetFuture services on Janet
Future services on JanetJisc
 
Presentation11
Presentation11Presentation11
Presentation11KellyCheah
 
Software Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFVSoftware Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFVYoshihiro Nakajima
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of SouthamptonIPv6 Summit 2010
 
Handwritten Recognition using Deep Learning with R
Handwritten Recognition using Deep Learning with RHandwritten Recognition using Deep Learning with R
Handwritten Recognition using Deep Learning with RPoo Kuan Hoong
 
Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...RedHatTelco
 
What is SDN and how to approach it with Python
What is SDN and how to approach it with PythonWhat is SDN and how to approach it with Python
What is SDN and how to approach it with PythonJustin Park
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Disha Bedi
 
Network troubeshooting knowlege and guide
Network troubeshooting knowlege and guideNetwork troubeshooting knowlege and guide
Network troubeshooting knowlege and guide9f3a4i6z
 
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...gogo6
 

Similar a SniffJoke 0.4 (20)

Ph.D Annual report II
Ph.D Annual report IIPh.D Annual report II
Ph.D Annual report II
 
Irati fire-engineering-workshop-nov2012
Irati fire-engineering-workshop-nov2012Irati fire-engineering-workshop-nov2012
Irati fire-engineering-workshop-nov2012
 
Ceh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffersCeh v8 labs module 08 sniffers
Ceh v8 labs module 08 sniffers
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
OSNF - Open Sensor Network Framework
OSNF - Open Sensor Network FrameworkOSNF - Open Sensor Network Framework
OSNF - Open Sensor Network Framework
 
Ph.D Annual Report III
Ph.D Annual Report IIIPh.D Annual Report III
Ph.D Annual Report III
 
Session29 Arc
Session29 ArcSession29 Arc
Session29 Arc
 
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntopIT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
 
Future services on Janet
Future services on JanetFuture services on Janet
Future services on Janet
 
Presentation11
Presentation11Presentation11
Presentation11
 
Software Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFVSoftware Stacks to enable SDN and NFV
Software Stacks to enable SDN and NFV
 
12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton12.00 - Dr. Tim Chown - University of Southampton
12.00 - Dr. Tim Chown - University of Southampton
 
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
implementing IPv6 in an ISP network, case study and lessons learned - Amos Ro...
 
Handwritten Recognition using Deep Learning with R
Handwritten Recognition using Deep Learning with RHandwritten Recognition using Deep Learning with R
Handwritten Recognition using Deep Learning with R
 
Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...Using Software-Defined WAN implementation to turn on advanced connectivity se...
Using Software-Defined WAN implementation to turn on advanced connectivity se...
 
What is SDN and how to approach it with Python
What is SDN and how to approach it with PythonWhat is SDN and how to approach it with Python
What is SDN and how to approach it with Python
 
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...Engineering Internship Report - Network Intrusion Detection And Prevention Us...
Engineering Internship Report - Network Intrusion Detection And Prevention Us...
 
Clean Slate Design - O Que é?
Clean Slate Design - O Que é?Clean Slate Design - O Que é?
Clean Slate Design - O Que é?
 
Network troubeshooting knowlege and guide
Network troubeshooting knowlege and guideNetwork troubeshooting knowlege and guide
Network troubeshooting knowlege and guide
 
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
 

Último

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 

Último (20)

CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 

SniffJoke 0.4

  • 1. “Downgrade  mul7  gigabit Sn iffJoke  0.4   s  s n PH-­‐Neutral   iffers  to  mul7  kilobits”   –  may  2011   vecna@delirandom.net   1  
  • 2. Agenda  –  SniffJoke  0.4   May/2011   45min  ETA   1.  Introduc7on,  target  defini7on   –  6   2.  Theory,  implementa7on  issue   –  4   3.  Anatomy  of  the  aUacks   –  8   4.  Implementa7on  in  SniffJoke  framework   –  14   5.  Impact,  considera7ons,  TODO     –  10   0/5  Agenda   2  
  • 3. Hi!  I’m  vecna   •  Known  also  as  Claudio  Agos7   –  s0pj,  for  those  who  remember  what  it  was   •  Infoblah  securblah  hackblah   •  Anonymity,  cryptography,  privacy,  paranoid   technology,  kernel,  c++   My  english  sounds  like  a  google  transla7on,  when  the  network  is  down,  sorry!   ++++++++++[>+++++++>++++++++++>+++>+<<<<-­‐]>++.  >+.+++++++..+++.>++.<<+++++++++++++++.>.+++.-­‐-­‐-­‐-­‐-­‐-­‐.-­‐-­‐-­‐-­‐-­‐-­‐-­‐-­‐.>+.>.   3  
  • 4. Main  concepts   •  Target:  vital  algorithms  present  in  every   network  device  making  passive  traffic  analysis   •  Thesis:  they  haven’t  enough  informa7on  to   correctly  perform  flow  reassembly   •  A.ack:  (ab)using  this  network  capabili7es,  IP   sessions  would  be  (difficult|impossible)  to  be   reassembled   •  Effect:  business  and  security  based  on  passive   traffic  analysis  could  get  some  troubles  :)     1/5  Introduc7on,  target  defini7on   4  
  • 5. Xplico  sniffer,  capturing  pkts  without  Sj   1/5  Introduc7on,  target  defini7on   5  
  • 6. Xplico  sniffer,  same  search,  with  Sj   1/5  Introduc7on,  target  defini7on   6  
  • 7. Mul7  gigabit  business   High  Performance  Traffic  Inspec7on,   Monitoring  and  Capture  at  10Gbps   The  SiNIC10  is  an  advanced  Network   Interface  Card  combining  FPGAs  and  state  of   the  art  support  soware.  The  NIC  provides  full   Deep  Packet  Inspec7on  (Layer  2-­‐7[…]  to   hUp://www.cybersi.net/hpns.html   operate  on  10Gbps  backbones  –  extending  the   life  of  soware  assets.   VANTAGE  is  a  mass  and  target  intercep7on  system   that  intercepts,  filters,  and  analyzes  voice,  data,   and  mul7media  for  intelligence  purposes.  Using   sophis7cated  probing  technology  and  Verint’s  real-­‐ Intelligence  Support  Systems  for  Lawful   7me  filtering  mechanisms,  VANTAGE  passively   IntercepAon,  Criminal  InvesAgaAons,   collects  maximum  communica7ons,  extracts  the   Intelligence  Gathering  and  InformaAon   most  important  informa7on,  and  uses  stored  data   Sharing  Conference  and  Expo   analysis  for  genera7ng  intelligence  from  data   hUp://www.telestrategies.com/ISS_WASH/index.htm   collected  over  7me.  hUp://verint.com/ communica7ons_intercep7on/   1/5  Introduc7on,  target  defini7on   7  
  • 8. 100  Gb  –  coming  soon   •  Mass  survelliance  will  sound  like  control  inside  na7onal   border   •  But  data,  packet,  travel  for  much  more  na7ons  than  source/ dest!   •  The  mass  survelliance  technology  some  years  ago  hasn’t   enough  computaAonal  power:  now  has  it     Around  the  world,  telcos,  financial  ins7tu7ons,  federal  agencies  and  large  digital   service  delivery  organisa7ons  are  ac7vely  deploying  40Gb/s  and  100Gb/s  networks  in     metro,  long-­‐haul  and  short-­‐hop  data  centre  /  cloud  environments.  The  market  for     ultra-­‐high  speed  networking  is  gathering  momentum.  […]  These  systems  are  expected     to  be  available  for  deployment  later  in  2011.   hUp://www.endace.com/endaceextreme.html   1/5  Introduc7on,  target  defini7on   8  
  • 9. SniffJoke  Project  goals   • A  new  tool  against  mass   survelliance   •  Remember  that  control  doesn’t  necessarily  bring   security   •  Fun!!     •  Remember  that  an  organiza7on  based  on  the   network  is  efficent  and  rapid  in  evolving   •  Exploit  the  deepest  shadow  cone  in  the  TCP/IP     1/5  Introduc7on,  target  defini7on   9  
  • 10. a  research  back  in  the  1998   •  First  7me  I  read  about,  was  in  phrack  #58   •  First  7me  I  tried  to  implement,  was  back  in  1999   •  A  research  that  seem  to  be  forgoUen  by  vendors   –  un7l  StoneSo’s  marke7ng  kick  out  AET  !   •  We’re  talking  about  a  technique  that’s  either   difficult  to  be  implemeted  and  difficult  to  be   tested  too.   1/5  Introduc7on,  target  defini7on   10  
  • 11. Thesis:  informa7on  is  not  enough   •  In  the  middle  elements  will  not  know  what   happen  to  the  remote  peers   •  Hypothe7cally,  a  recorded  packets  will  never   have  reached  the  remote   •  Will  have  more  than  one  meanings,  and  the   IP/TCP  stack  choose  based  in  configura7on,   Opera7ng  System,  or  release  number   •  In  short:  Internet  was  engineered  for  2  peers,   not  for  the  third  passive  analyzer.   1/5  Introduc7on,  target  defini7on   11  
  • 12. AUack:  injec7ng  is  not  so  simple   •  You  need  to  not  broke  the  session   •  You  need  to  fool  the  sniffer  wri7ng  only   plausible  packets  in  the  flow   •  You  need  to  guess  how  a  sniffer  works,   because  a  lot  of  them  are  not  open  source   •  You  need  to  cover  your  injec7on  paUern,  to   avoid  be  filtered  out   •  Sj  require  one  side  only   2/5  Theory,  implementa7on  issues   12  
  • 13. Implementa7on  issue,  1/2   •  The  first  soware  tes7ng  this  vulns,  was  a   CASL  script     –  CASL  is  a  language  for  packet  forging   –  A  TCP  session  was  established  “by  hand”   •  A  daily  usage  will  require  a  transparent  layer     •  Only  in  kernel  space  is  possibile  ?     –  In  the  past,  YES,  with  a  lot  of  troubles   –  Firsts  research  goal  was  to  make  in  userland   2/5  Theory,  implementa7on  issues   13  
  • 14. Implementa7on  issue,  2/2   •  How  to  intercept  outgoing  packets  ?     –  SniffJoke  use  a  /dev/tun  interface,  se|ng  himself   as  default  gateway   –  Receive  all  packets  since  IP  header   –  Forward  to  the  default  gw  ether  address   •  How  to  intercept  incoming  packets  ?   –  Filtering  rule  to  drop  packet  coming  from  the  gw   –  Reading  in  datalink  layer  and  resending  as  raw   2/5  Theory,  implementa7on  issues   14  
  • 15. SniffJoke  network  injec7on   w/out  Sj   write() “AAAAA” read() “BBBBB” Kernel   remote   default gw User’s Box Host with a I/O Pkt ISP bind() Apps App I/O injected routers write() “AAAAA” read() “BBBBB” Kernel   remote   w/  Sj   2/5  Theory,  implementa7on  issues   15  
  • 16. Anatomy  of  the  aUack   •  Thought  packet  reassembly  as  “black  box”   –  We  could  deduce  that  a  real7me  sniffer/IDS  will   try  to  be  faster  than  ever,  in  order  to  op7mize  the   hardware  following  the  bandwidth  growning   –  WireShark  is  the  best  reference:  the  top   community  driven,  non  real7me,  best  reassembly   available   •  The  aUacks  will  be  planned  versus  a  specific   target  (a  specific  sniffer  sw).     –  It  is  easyest,  not  an  0.4  goal   3/5  Anatomy  of  the  aUacks   16  
  • 17. Goal  of  the  research   •  Found  some  RFC/stack  good  way  to  generate   some  packets  that  will:   –  Never  reach  the  des7na7on  host   –  Be  discarded  by  the  des7na7on  host   •  AND  be  accepted  by  the  sniffer,  or:   –  Be  accepted  by  the  des7na7on  host,  but  only  because   has  been  abused  of  some  weird  status   •  AND  discarded  by  the  sniffer   •  These  way  will:  cause  desynchronizaAon.   •  These  are  called  Scramble.   3/5  Anatomy  of  the  aUacks   17  
  • 18. And..  when  the  desync  is  obtained   •  Insert  fake  payload   –  Will  cause  the  sniffer  to  parse/dump  fake  data   •  Give  fake  sequencing  flow   –  Will  cause  huge  dumps,  dele7ng  of  previous  segm     •  Inject  fake  signaling  (FIN,  RST,  SYN)   –  Close,  restart,  interrupt  an  ac7ve  flow   •  These  are  called  Hack,  and  are  implemented   in  the  Plugins   3/5  Anatomy  of  the  aUacks   18  
  • 19. Simple  scramble:  checksum   •   A  packet  is  send  with  a  bad  TCP  checksum   •   the  remote  service  drop  it:  what  the  sniffer  do  ?   Eve  –  the  Sniffer   AAAAAAAAAAAAA   B4dB4dB4dB4dB4d   Alice  with  SniffJoke   1   2   3   4   5   Bob  –  the  receiver   6   7    1  -­‐  TCP  seq  1-­‐20  [  AAAA…]  good  cksum   8   AAAAAAAAAAAAA   BBBBBBBBBBBBBB    2  -­‐  TCP  ACK  seq  20    2  -­‐  TCP  seq  21-­‐40  [  B4dB4dB4d…]  bad  cksum   3-­‐  TCP  seq  21-­‐40  [  BBBBBBBB…]  good  cksum   Discarded  packet    4  -­‐  TCP  ACK  seq  40   3/5  Anatomy  of  the  aUacks   19  
  • 20. Strong  scramble:  TTL  expire   •   A  packet  is  send  with  a  Ul  of  7   •   the  remote  service  never  get  it!    2  -­‐  TCP  seq  21-­‐40  [  B4dB4…]  TTL  0   Eve  –  the  Sniffer   AAAAAAAAAAAAA   B4dB4dB4dB4dB4d   Alice  with  SniffJoke   1   2   3   4   5   Bob  –  the  receiver   6   7    1  -­‐  TCP  seq  1-­‐20  [  AAAA…]  TTL  10   8   AAAAAAAAAAAAA   BBBBBBBBBBBBBB    2  -­‐  TCP  ACK  seq  20    2  -­‐  TCP  seq  21-­‐40  [  B4dB4dB4d…]  TTL  6   ICMP  .l  expire  [TCP  21-­‐40]   3-­‐  TCP  seq  21-­‐40  [  BBBBBBBB…]  TTL  9    4  -­‐  TCP  ACK  seq  40   3/5  Anatomy  of  the  aUacks   20  
  • 21. New  scramble:  IP/TCP  op7ons   •   A  packet  get  an  uncommon*  IP/TCP  op7on   •   The  kernel  is  able  to  handle  it,  the  sniffer  does  ?   Eve  –  the  Sniffer   (?)  AAAAAAAAAAAAA   (?)  B4dB4dB4dB4dB4d   …   Alice  with  SniffJoke   1   2   3   4   5   Bob  –  the  receiver   6   7    1  -­‐  TCP  seq  1-­‐20  [  AAAA…]  TCP  MD5  sum   8   AAAAAAAAAAAAA   BBBBBBBBBBBBBB    2  -­‐  TCP  ACK  seq  20    2  -­‐  TCP  seq  21-­‐40  [  B4dB4dB4d…]   IP_TIMESTAMP,  NOP,  IP_TIMESTAMP   3-­‐  TCP  seq  21-­‐40  [  BBBBBBBB…]  IP_RA,  TCP_SACK   Discarded  packet    4  -­‐  TCP  ACK  seq  40   3/5  Anatomy  of  the  aUacks   21  
  • 22. Scrambles,  strengths  and  weakness   •  TTL  expire  seem  the  strongest  one  (network)   –  Instable  in  asymmetric  link  dynamic  route   •  Checksum   –  Is  the  wrost  one,  easily  trapped     •  IP/TCP  op7ons   –  Exploit  the  slow  update  of  the  sniffer  soware   –  Exploit  the  ambiguity  of  the  protocols   –  Need  (!)  to  be  tested  for  each  des7na7on   –  Useful  for  mys7fyca7on  of  “good”  packets   3/5  Anatomy  of  the  aUacks   22  
  • 23. Descyn  abuse:  the  plugins   •  The  Plugins  (or,  the  hack)  implement  the   damage  caused  to  the  desync  session   –  Plugins  has  ben  planned  to  be  flexible  at  most   •  Internal  cache,  internal  logging   •  Condi7onal  check   •  Verify,  mangle,  modify  packet  either  outgoing  and   ingoing  too.   •  I  hope/wish/dream  …  external  contrib!     3/5  Anatomy  of  the  aUacks   23  
  • 24. Example  of  fake  close,  1/4          virtual  bool  condi7on(const  Packet  &origpkt,  uint8_t  availableScrambles)          {          if  (origpkt.chainflag  ==  FINALHACK)                          return  false;                  bool  ret  =  origpkt.fragment  ==  false  &&                                  origpkt.proto  ==  TCP  &&                                  !origpkt.tcp-­‐>syn  &&                                  !origpkt.tcp-­‐>rst  &&                                  !origpkt.tcp-­‐>fin;    /*  cache  checking    */    […]   4/5  Implementa7on  in  SniffJoke  framework   24  
  • 25. Example  of  fake  close,  2/4          virtual  void  apply(const  Packet  &origpkt,  uint8_t  availableScrambles)          {                  Packet  *  const  pkt  =  new  Packet(origpkt);                  pkt-­‐>tcp-­‐>seq  =  htonl(ntohl(pkt-­‐>tcp-­‐>seq)  -­‐  pkt-­‐>tcppayloadlen  +  1);                                    pkt-­‐>tcp-­‐>psh  =  0;                  pkt-­‐>tcp-­‐>fin  =  1;                  pkt-­‐>tcppayloadResize(0);                  pkt-­‐>posi7on  =  ANTICIPATION;                  pkt-­‐>w‚  =  pktRandomDamage(availableScrambles,  supportedScrambles);                  pkt-­‐>chainflag  =  FINALHACK;                  pktVector.push_back(pkt);          }   4/5  Implementa7on  in  SniffJoke  framework   25  
  • 26. Explain  of  fake  close,  3/4   •  Fact:  our  Packet  has  some  payload  (pkt-­‐>tcppayloadlen  >  0)  is   not  a    fragment  and  has  not  FIN,  RST,  SYN  flag   •  the  sniffer  trust  the  FIN  because  has  the  last  sequence   number  +  1   –  pkt-­‐>tcp-­‐>seq  =  htonl(ntohl(pkt-­‐>tcp-­‐>seq)  -­‐  pkt-­‐>tcppayloadlen  +  1);   Sn   Plugin  match   condi7on!   1   2   3   4   5   6   7   A:  ack_seq  100     FIN  seq  101     reject   P:  seq  200     recv  seq  200   A:  ack_seq  200     4/5  Implementa7on  in  SniffJoke  framework   26  
  • 27. Explain  of  fake  close,  4/4   •  Fact:  our  Packet  has  some  payload  (pkt-­‐>tcppayloadlen  >  0)  is   not  a    fragment  and  has  not  FIN,  RST,  SYN  flag   •  CASE  2:  the  sniffer  trust  the  FIN  because  check  a  coherent   ack_seq  in  answer   •  ACK  and  TCP.ack_seq  is  never  touched.   Sn   Plugin  match   condi7on!   1   2   3   4   5   6   7   A:  ack_seq  100     P+F  seq  200     reject   P:  seq  200     recv  seq  200   A:  ack_seq  200     4/5  Implementa7on  in  SniffJoke  framework   27  
  • 28. Fake  data  injec7on  (TCP/UDP)   •  Another  hack  that  expect  the  foregin  ACK   Data  500  byte  seq  600   Sn   1   2   3   4   5   6   7   1  -­‐  Drop  or  expired   1  –  Rand  payload   2  –  correct  payload   2  -­‐  Accepted   3  –  Rand  payload   3  -­‐  Drop  or  expired   4  –  ACK  600   4/5  Implementa7on  in  SniffJoke  framework   28  
  • 29. Lists  of  plugin  combined   # cat plugins-enabled.conf fake_close_fin,PRESCRIPTION,MALFORMED,GUILTY fake_close_rst,PRESCRIPTION,MALFORMED,GUILTY fake_data,PRESCRIPTION,MALFORMED,GUILY fake_seq,PRESCRIPTION,MALFORMED,GUILTY fake_syn,PRESCRIPTION,MALFORMED,GUILTY fake_zero_window,INNOCENT fragmentation,INNOCENT segmentation,INNOCENT shift_ack,PRESCRIPTION,MALFORMED,GUILTY valid_rst_fake_seq,INNOCENT 4/5  Implementa7on  in  SniffJoke  framework   29  
  • 30. Plugins  and  op7ons  autoprobe   •  Each  ISP,  gateway,  firewall,  may  implement   filter  of  different  kinds   –  sniffjoke-autotest  is  a  script  using  every   kind  of  possible  available  combina7ons,  aiming  to   select  the  working  combos  alone   –  Generate  two  loca7on  dependent  configura7on   file:  iptcp-­‐op7ons.conf  and  plugins-­‐enabled.conf   –  Every  loca7on  need  an  autotest,  using  the  wrong   parameters  will  cause  a  pletora  of  faults   4/5  Implementa7on  in  SniffJoke  framework   30  
  • 31. Autotest  usage   •  Goal:  generate  config  files  for  the  loca7on   –  Use  a  service  doing  an  HTTP  ECHO  POST   •  Retrive  info,  message  and  urls  from  a  remote   server  (not  required,  everyone  could  setup   one)   –  Offer  to  submit  analysis  results   •  I’m  expec7ng  useful  analyze  with  IP/TCP  op7ons  are   supported  around  the  world   •  sniffjoke-autotest –l office –d /usr/local/var/sniffjoke –n 1 4/5  Implementa7on  in  SniffJoke  framework   31  
  • 32. 4/5  Implementa7on  in  SniffJoke  framework   32  
  • 33. 4/5  Implementa7on  in  SniffJoke  framework   33  
  • 34. Randomiza7on  paUern,  1   •  Applica7on  of  the  plugins  must  not  be  linear,   to  avoid  any  kind  of  paUern  recogni7on  by   lazy  sniffers   –  Every  TCP  service  will  be  customized  in  a   configura7on  file   –  Every  plugins  contains  preferred  usage   •  Internal  selec7on  of  protocol,  service,  status,   des7na7on  is  possible   •  In  some  plugins  less  usage  is  beUer,  other  will  be  pland   as  permanent  usage,  depends  by  the  plugins   4/5  Implementa7on  in  SniffJoke  framework   34  
  • 35. Randomiza7on  paUern,  2   $ cat /usr/local/var/sniffjoke/home/port-aggressivity.conf # this is always on the top of the port definition file, act as default 0:65535 RARE # follow the port rules 22 NONE # common unencrypted mail 25,110,143 LONGPEEK # Intensive in the web 80,8080,3128 PEEKATSTART # Windows service 135:139 PEEK10PKT # SQL.mysql 156,3306 LONGPEEK # edonkey 4662 VERYRARE,EVERY20SECONDS 4/5  Implementa7on  in  SniffJoke  framework   35  
  • 36. Randomiza7on  paUern,  3   # NONE .................. never used the hack (0% probability) # VERYRARE .............. 5% # RARE .................. 15% # COMMON ................ 40% # HEAVY ................. 75% # ALWAYS ................ 100% # PEEK10PKT ............. packer number 9, 10, 11 = 80%, other 2% # PEEK30PKT ............. packet number 29, 30, 31, = 90%, other 2% # EVERY5SECONDS ......... if the number of seconds are divisible by 5= 90% # other moments, 2% # EVERY20SECONDS ........ if the number of seconds are divisible by 20= 90% # other moment, 2% # PEEKATSTART ........... the first 20 packets = 65%, up to the 40th= 20%, after 2% # LONGPEEK .............. the first 60 pkts = 65%, up to the 120th= 20%, after 2% 4/5  Implementa7on  in  SniffJoke  framework   36  
  • 37. Other  features  (implemented)   •  -­‐-­‐chain   –  Every  plugin  define  if  an  injected/mangled  packet   will  be  hacked  again  (max  2  rounds)   •  -­‐-­‐no-­‐udp  –no-­‐tcp   •  ipwhitelist.conf  and  ipblacklist.conf   •  Mys7fyca7on   –  If  supported,  inject  always  IP/TCP  op7ons   4/5  Implementa7on  in  SniffJoke  framework   37  
  • 38. Lacking  feature   •  Server  side  support   –  Will  be  able  to  protect  a  session  when  the   contacted  service  run  in  the  box  with  sni„oke   •  Passive  OS  fingerprint   –  And  usage  of  this  informa7on  as  a  scramble   selector   •  IP/TCP  op7ons  probe  to  each  single   des7na7on   5/5  Impact,  considera7ons,  TODO     38  
  • 39. Under  study  aUack,  1   •  The  plugin  fake_zero_window  in  fact  don’t  do   anything  useful   –  Tcp.window  analysis  and  abuse  will  bring  a  packet   to  be  discarded  by  the  server   –  But  the  sniffer  will  know  this   •  SACK  abuse,  ECN,  ICMP  source  quench,  rfc1146   advanced  checksum  usage   5/5  Impact,  considera7ons,  TODO     39  
  • 40. Under  study  scramble,  2   •  PAWS,  is  a  TCP  op7on  that  will  cause  a   discarding  of  a  packet  that  bring  an  internal   7mestamp  too  much  old   –  But  a  sniffer  will  know  this  7mings  difference,  how   to  fool  it  ?  How  much  will  go  in  deep  ?   5/5  Impact,  considera7ons,  TODO     40  
  • 41. Some  SniffJoke  effects…   •  Dump  of  +100Mb  per  sessions!  :)   •  Decoding  of  en7rely  faked  data  (TX)   –  Mixing,  in  the  wrost  case   •  Cuts  and  loss  of  received  data  (RX)   •  Not  so  stable   –  MALFORMED  scramble  causes  seldom  session   break  (non  linux  target  hard  to  test,  weird  ISP   conf)   –  Remove  by  hand  in  plugins-­‐enabled.conf   5/5  Impact,  considera7ons,  TODO     41  
  • 42. 5/5  Impact,  considera7ons,  TODO     42  
  • 43. 5/5  Impact,  considera7ons,  TODO     43  
  • 44. Effects  (hypothesis,  whishes,  etc…)   •  Massive  passive  sniffing  will  face  an  escala7on  of   complexity,  like  crpyography/cryptanalysis  does  ?   –  A  skilled  analyst  will  understand  the  meaning  of  the   packets,  anyway   •  Transparent  proxy,  relayed  traffic  and  non  passive   data  collector,  are  untouched  by  Sj   •  Pervasive  use  of  sni„oke,  with  all  feature   completed,  will  vanify  every  data  reten7on   strategy:  how  much  is  hard  to  communicate  ?   –  In  raw  data  collec7on,  almost   5/5  Impact,  considera7ons,  TODO     44  
  • 45. Project  goals  for  0.5   •  Collect  evidence  of  defeated  sniffers   –  IDS  may  or  may  not  be  present   •  Found  some  $/€   •  Became  mul7pla‚orm  in  unix  based   –  Windows  client  +  openwrt  package   •  Be  stable  in  IP/TCP  op7ons  scramble   •  Support  server  side  connec7ons!   5/5  Impact,  considera7ons,  TODO     45  
  • 46. Links   •  hUp://www.delirandom.net/sni„oke   –  hUp://www.delirandom.net/sni„oke/0.3-­‐release   –  Inser7on,  Evasion  and  Denial  of  Service:  Eluding  Network  Intrusion   Detec7ons  (Secure  Network  INC,  1998)   •  hUp://github.com/vecna/sni„oke   •  hUp://github.com/evilaliv3/sni„oke   •  hUp://www.mail-­‐archive.com/wireshark-­‐dev@wireshark.org/msg13474.html   •  hUp://en.roolz.org/trafscrambler.html   •  hUps://twiUer.com/sni„oke   6/5  Thanks!  Ques7ons  ?   46