SlideShare una empresa de Scribd logo

Sniffjoke 0.5 anticipation - hack.lu 2011

Descargar como KEY, PDF
Not In my Name
Not In my Name

A sniffer or a NIDS works collecting passively internet traffic. This traffic is grabbed as a series of packets, and these packets reassembled in session by the "reassembly engine". The reassembly engine is the target of SniffJoke project: injecting packets inside a live session, Sj don't damage the session, but bring the reassembly engine to do ambiguos choose. The bug exploited is not implementation dependent, instead is network and protocol dependent. Our issue is in found a security laboratory able to provide to us such kind of technology. We're looking for NIDS and sniffer to test in real network environment. SniffJoke project, near the 0.5 release, is now splitting in two parts: SniffJoke (modular mangler extremely configurable) and Janus, portable software able to divert kernel sessions to userspace or to a remote box. Our goal for the 0.5 is to make SniffJoke running under windows/macosx/linux and Janus divert sockets handled in your default gateway (eg: openwrt, lafonera) or from your local box (macosx, linux, bsd) In the research point of view, since the 1998, when a paper by Ptacek, T. and T. Newsham, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", has been released, the NIDS/sniffer has know to be possibile of faults. Researcher has developed "Active Mapping" in the NIDS engine, aiming to better understad how manage an ambiguos packet. Active mapping, SHOULD works in NIDS (some kind of information will not be mapped so easily, expecially in high performange environments), but netherless, is not possibile use active mapping efforts in large sniffing. At the moment, national security issue somethime relays in these technology, therfore is a scientific issue make a demonstration that no security will be obtained by passive traffic analysis.

Tecnología
1 de 40
Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke 0.5 growing process in Sniffer/NIDS evasion technology
Hack.LU - http://2011.hack.lu - SniffJoke The speaker • Claudio Agosti, vecna in Internet. • 12+ years of hacking and not in prison :) • idealistic contributor in various “projects” without a full time job. • http://www.delirandom.net vecna@delirandom.net
introduction Hack.LU - http://2011.hack.lu - SniffJoke Agenda • what’s sniffer evasion • which kind of vulnerabilities exist • patches, improvement and workaround • target selection: sniffers vs NIDS. • Sniffjoke goal for 0.5 release: defeat everything that passively eavesdrops traffic from the network.
introduction NIDS evasion, Hack.LU - http://2011.hack.lu - SniffJoke A forgotten lore ? • first and actual research released in 1998 • fragrouter (~2002) + libdnet (~2005) • innova 2001 • FTester - last release 2006 • StoneSoft 2009-2010 • but, the sniffing issue persists, the IDS market stands alive and healthy. Despite this, few tools exist able to perform a wide evasion test. • my goal: don’t produce (only) a security testing application, but also be usable and transparent in daily activities.
introduction Hack.LU - http://2011.hack.lu - SniffJoke memory refresh • An NIDS attack is the injection of forged packets. Those packets are captured by the passive third party. • Could be part of the active session, could be based on plausible packets, and allow the attacker to interfere with the flow reassembly logics. • it is really hard to develop techniques able to interfere with the sniffing activity without disrupting the real session • when an evasion is found, maybe really difficult to be patched
AAAAAAA BBBBBBBB memory refresh: TTL attack 1 Routers in ISP 3 Routers ISP 1 5 6 7 8 10 2 4 Routers in ISP 2 9 3 AAAAAAA 11 ˘˚ÓÙ∂©†∑ AAAAAAA 1-20 AA[...] TTL 64 BBBBBBBB ACK 21-40 ÓÙ∂[...] TTL 9 ICMP time exceeded 20 21-40 BB[...] TTL 31 ACK 40
introduction memory refresh: Hack.LU - http://2011.hack.lu - SniffJoke concepts • lack of Information on the wire • An NIDS evasion technique exploits the ambiguous meaning of such packets • A NIDS/Sniffer collects the packets but has not a mathematical certainty that the packet will be accepted by the remote host • By theory, the attacker has no way to know if the attacks has worked or not.
introduction Hack.LU - http://2011.hack.lu - SniffJoke 1998 attacks table fragroute Sj 0.4 Sj 0.5 (dev now!) Patch ? ip TTL fixed value # around, mist # around, mist enforcing & AM cksum Y Y Y normalization source route Y all IP opt all IP opt enforcing (dropped) frag policy fixed value dynamic dynamic enforcing & AM ip frag overlap dynamic dynamic dynamic enforcing & AM tcp options mss|wscale, fixed some TO, dynamic lot of TO, adaptive enforcing & AM PAWS fixed (anomaly) N adaptive don’t know! tcp overlap dynamic adaptive, chainable adaptive, chainable enforcing & AM RST off seq N Y Y enforcing & AM
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke Attacks concepts • Ambiguity methods obtain the desynchronisation between the reassembled flow and the effective endpoint traffic • by exploiting this ambiguity, you can decide some kind of disruption to cause to a passive analyzer • data you are sending could be hidden from its analysis • the established session could appear closed • the flow could be broken
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke Attack targets • NIDS and sniffers both base their workings on passive traffic collection • but NIDS work in a specified network, and could treat traffic with too much anomalies as malicious. • work in a contextual security • Sniffers cannot map a specific network, cannot drop traffic like an IPS does, and are sold by feature/performance instead of reliability.
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke patches thru the ages • Sanitization, restriction policy. keep anomaly counts in sessions and treat evasions. (usable in an IDS becoming single point of failure) • Active mapping, know the exploitable details of your network and use them inside the reassembly algorithm. (probably implemented in high level nids products) • Be sure: strong TCP check. don’t make any assumption, base the collected data on all the available informations. (this is what’s wireshark does)
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke ...this about NIDS network intrusion detection systems very different analysis has to be applied at the mass interception tool!
attacks logic differences Hack.LU - http://2011.hack.lu - SniffJoke NIDS Sniffer possible, but impossible: is forced sanitization became s.p.f. totally passive could apply could apply analysis anomaly detection statistical analysis but remains unable and trigger alert to reassemble a sniffer has not a could work in the active mapping single network to protected network control
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke Multi gigabit business !"#$%&'&()'*%)"+',-++% 9'&:%;-3<43=(,6-%>3(?6%2,+@-6$4,7% !4,'*43',&%(,5%A(@*"3-%(*%/BC)@+% >:-%D'EF2A/B%'+%(,%(5G(,6-5%F-*H43I% 2,*-3<(6-%A(35%64=)',',&%J;CK+%(,5%+*(*-%4<% *:-%(3*%+"@@43*%+4EH(3-L%>:-%F2A%@34G'5-+%<"##% M--@%;(6I-*%2,+@-6$4,%NO(P-3%QR.STU%!"# :X@Y00HHHL6P)-3+'EL,-*0:@,+L:*=#% "$%&'!%#"(#)*+,$-#,'./,"(%-#V%-W*-,5',&%*:-% #'<-%4<%+4EH(3-%(++-*+L% KF>KC]%'+%(%=(++%(,5%*(3&-*%',*-36-@$4,%+P+*-=% *:(*%',*-36-@*+7%8#*-3+7%(,5%(,(#P^-+%G4'6-7%5(*(7% (,5%="#$=-5'(%<43%',*-##'&-,6-%@"3@4+-+L%_+',&% +4@:'+$6(*-5%@34)',&%*-6:,4#4&P%(,5%-3',*`+%3-(#R 0(!%1123%(.%#45$$"&!#46-!%7-#8"&#9':851# $=-%8#*-3',&%=-6:(,'+=+7%KF>KC]%@(++'G-#P% 0(!%&.%$;"(<#=&272('1#0(>%-;3';"(-<# 64##-6*+%=(W'="=%64==",'6($4,+7%-W*3(6*+%*:-% 0(!%1123%(.%#+'!?%&2(3#'(@#0(8"&7';"(# =4+*%'=@43*(,*%',<43=($4,7%(,5%"+-+%+*43-5%5(*(% 4?'&2(3#="(8%&%(.%#'(@#AB$"# (,(#P+'+%<43%&-,-3($,&%',*-##'&-,6-%<34=%5(*(% :X@Y00HHHL*-#-+*3(*-&'-+L64=02DDZ[KD90',5-WL:*=% 64##-6*-5%4G-3%$=-L%:X@Y00G-3',*L64=0 64==",'6($4,+Z',*-36-@$4,0% /01%2,*345"6$4,7%*(3&-*%5-8,'$4,% .%
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke 100 gb/sec sniffers coming soon on... http://www.endace.com/endaceextreme.html • Mass survelliance will sound like control inside national border • But data, packets, travel for much more nations than source & destination! • Some years ago the mass survelliance technology hadn't enough computational power: now it has.
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke final goal • SniffJoke have a cultural goal beside of a technical one • Want to make clear that “people security could not be obtained by massive sniffing”
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke downgrade multi gigabit sniffers to multi kilobits • This is the official Sniffjoke’s payoff • a multi gigabit probe needs to make assumptions in high speed traffic analysis. • could it check every checksum ? could it keep track of every data-ack? could it be updated with the most recent header options ? could it manage packet loss ? needs to have strict timeout inside, because it requires to clean the huge connections table about the tracked packets. • every assumption is an exploitable vulnerability by Sniffjoke.
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke checked vulnerability fragroute SniffJoke 0.2 SniffJoke 0.3 SniffJoke 0.4 dsniff N (?) N N Y evasion xplico N/A (Y ?) Y Y detection snort old releases N N Y (lab only) wireshark N/A (Y ?) N Y Y sniffjoke 0.5 is not aiming to exploit new sniffers/IDS, but be stable in a real case scenario against professional products.
attacks logic Hack.LU - http://2011.hack.lu - SniffJoke various kind of damage • Denial of service: huge file dump (sequence number shifting) • Invalid data recorded instead of the real one (fake payload) • Incoming connection desync and override (invalid ack-ing) • premature closing of currently running session (fin, rst and syn flags acceptance) • creating hole of data inside the session (drop packets, fragment or sections of payload)
wireshark try to reassembly an e-mail captured
x-plico, capturing traffic without sniffjoke protection
x-plico, same request, incoming traffic protected by sniffjoke
state of the project Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke base research • An attack is composed by two factor • the Scramble: is the technique used to obtain desyncronization • the Injection: is the packet assumes as real, accepted in the reassembled flow, and source of the damage
state of the project Hack.LU - http://2011.hack.lu - SniffJoke Scrambles in SniffJoke 0.4 status 0.5 goal TCP opt few exploit every possible abuse :) TCP md5 working, but need remote app working, but need remote app integrate passive OS OS dependent trick only RST+FIN P.o.C. fingerprint IP opt policy silent drop check them at the last hop Congestion based attacks not implemented under development IP timestamp expire not implemented under development
state of the project Hack.LU - http://2011.hack.lu - SniffJoke scramble examples • TCP MD5 signature check has been developed to avoid BPG spoofing • a multi gigabit sniffer could not perform MD5 checks for performance reason, but avoiding this check, is victim of packets ambiguity!
state of the project IP/TCP options Hack.LU - http://2011.hack.lu - SniffJoke scramble • when an host receives a packet with a unsupported IP-option, drop the packet (and the sniffer could not know) • when a new IP option is implemented, the reassembly device is not updated • some TCP-option, need to be interpreted because interfere strongly with the packets acceptance or dropping
state of the project Congestion based Hack.LU - http://2011.hack.lu - SniffJoke attacks • TCP plain is ACK dependent (sessions with high packet loss and high bandwidth have bad performances) • SACK has been developed to detect packet loss and perform selective packet retransmissions. • RFCs: SACK 1996, NewReno 2003, D-SACK 2000, ECN... these extensions produce a lot of congestion avoidance algorithms.
state of the project Congestion algorithm Hack.LU - http://2011.hack.lu - SniffJoke injection logic • The sender doesn’t know how many algorithms are supported by the receiver • Different OSes have different boundaries (eg: Windows CTCP): the ambiguity! • SACK-block validation is based on internal value of the stack (OS dependent vars, session max- window, timings) unknown by the sniffer.
state of the project Hack.LU - http://2011.hack.lu - SniffJoke Injection each implemented in a different loadable plugin bad fake seq invalid window invalid ack syncronization payload overlap fake payload fragmentation segmentation breaking segments valid rst off forced closing fake syn fake fin fake rst window
state of the project Hack.LU - http://2011.hack.lu - SniffJoke congestion abuse + fake data SniffJoke had a packet in the first packets of every session, it is useful to split data in to mangle chunks in order to apply as many attacks as possible packet data 1-1500 eg: split in chunks drop 1 bad sack chunk #1 [fake data] 500 byte each accept 2 valid chunk #1 [good data] #1 #2 #3 drop 3 bad sack chunk #1 [fake data] ack ack 500 receiver sniffer sniffer will not understand which chunk is accepted by the receiver, and by the queue design, will keep the first or the last packet only.
state of the project Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke 0.4.x feat • Location based adaptive combinations • sniffjoke-autotest has been revealed to be the limitation in real case scenarios. • Configurable ports aggressiveness • Avoid signature based detection • injection chaining
state of the project Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke 0.4 issues • it was a single monolithic software • it included OS dependent commands, operations and calls, reducing the portability
0.5 architecture SniffJoke 0.5 portability solution Hack.LU - http://2011.hack.lu - SniffJoke janus TCP plain Other box janus socket pkt D2 Linux, OSX, pkt D1 home router modified D1 Window tun(pkt D1,A1, D2) gateway pkt A1 SniffJoke tun(modified D1,A1, D2) janus modified D2 modified A1 Janus could run in the same box of Sniffjoke or in the gateway.
0.5 architecture janus portability Hack.LU - http://2011.hack.lu - SniffJoke achievements • janus goal: be an application able to mangle kernel managed IP sessions. • intercept and modify the incoming traffic before the kernel does, and modify, drop, delay the outgoing traffic after the TCP/IP stack has send them. • janus is written in plain C, and required SOCK_PACKET datalink access • janus portability is based on a configuration file containing commands usable in almost every operating system
0.5 architecture Hack.LU - http://2011.hack.lu - SniffJoke janus logic • set a static arp overriding the default gateway • sniff your traffic, forward to a TCP port if attached this is the outgoing traffic divert • drop the traffic coming from the default gateway • read at interface layer the outgoing traffic and forward to another TCP port, if attached this is the incoming traffic divert • reinject the traffic received to the proper destination. this allows to have a portable application able to run on OpenWRT, lafonera, Linux, MacOSX, *BSD...
0.5 architecture SniffJoke 0.5 feat Hack.LU - http://2011.hack.lu - SniffJoke continuos probe • in 0.4 release, the attacks set was defined by a configuration file different for each location (plugin- enabled.conf) • it’s required, because your own nat device could be fooled by injected packet and close the session. • in 0.5, a continuos check of usable combinations is performed and results are cached. To every destination host is assigned a complete map of IP/TCP options reaching the destination, Operating System detected, hop distance, overlapping behaviour.
0.5 architecture Hack.LU - http://2011.hack.lu - SniffJoke release status • in github two branches are present: master (the not-really-“stable” 0.4.2) and devel, 0.5 under development. • gentoo, backtrack, .deb and .rpm packages of 0.4.2 has been done • 0.5 aim to work in iPhone, Android, *BSD, windows. • sniffjokectl was the client name, we’re planning to use a JSON library to manage sniffjoke and janus administration.
0.5 architecture Hack.LU - http://2011.hack.lu - SniffJoke next goals • found a laboratory and test professional IDS and Sniffer (we have only theoretical hints!) • write report, advisory: push the security market to face with the possibility that a security device could be bypassed. • and in those two points: I couldn’t do without a partnership. I’m looking for security companies that want to focus on evasion research and countermeasures.
Thanks! Questions ? https://twitter.com/#!/sniffjoke vecna@delirandom.net pub 1024D/C6765430 2009-08-25 [expires: 2012-10-03] Key fingerprint = 341F 1A8C E2B4 F4F4 174D 7C21 B842 093D C676 5430 sniffjoke@sikurezza.org mailing list https://www.sikurezza.org/lists/listinfo/sniffjoke http://www.delirandom.net/sniffjoke http://github.com/vecna/sniffjoke http://github.com/evilaliv3/janus
out of band slide: some useful documents The one: http://insecure.org/stf/secnet_ids/secnet_ids.html https://tools.ietf.org/html/rfc4614 A Roadmap for Transmission Control Protocol (TCP) Specification Documents revisited: http://www.symantec.com/connect/articles/evading-nids-revisited https://www.ietf.org/html/rfc6274 Security Assessment of the Internet Protocol Version 4 http://www.cnsr.info/Download/PDF/a4b.pdf Verifying TCP Implementation

Recomendados

SniffJoke 0.4
SniffJoke 0.4SniffJoke 0.4
SniffJoke 0.4
Not In my Name
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project Introduction
Julia Yu-Chin Cheng
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
chrissanders88
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
Syaiful Ahdan
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration Networks
IOSR Journals
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1
Lalad
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
📡 Sebastien Dudek
 
I psec
I psecI psec
I psec
ahmad1986jor
 

Recomendados

SniffJoke 0.4
SniffJoke 0.4SniffJoke 0.4
SniffJoke 0.4
Not In my Name
 
The Honeynet Project Introduction
The Honeynet Project IntroductionThe Honeynet Project Introduction
The Honeynet Project Introduction
Julia Yu-Chin Cheng
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
chrissanders88
 
Chapter 7 security tools i
Chapter 7 security tools iChapter 7 security tools i
Chapter 7 security tools i
Syaiful Ahdan
 
Security Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration NetworksSecurity Issues in Next Generation IP and Migration Networks
Security Issues in Next Generation IP and Migration Networks
IOSR Journals
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1
Lalad
 
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam testsSecurity PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests
📡 Sebastien Dudek
 
I psec
I psecI psec
I psec
ahmad1986jor
 
SNIFFER FOR DETECTING LOST MOBILES
SNIFFER FOR DETECTING LOST MOBILESSNIFFER FOR DETECTING LOST MOBILES
SNIFFER FOR DETECTING LOST MOBILES
Chaitanya Ram
 
Mobile Sniffer
Mobile SnifferMobile Sniffer
Mobile Sniffer
Mohit Khatri
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
IJERD Editor
 
Sniffer For Detecting Lost Mobiles
Sniffer For Detecting Lost MobilesSniffer For Detecting Lost Mobiles
Sniffer For Detecting Lost Mobiles
Sumaiya Arjumand
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
home
 
Outes
OutesOutes
Outes
nandu_kishor
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
Abhishek Abhi
 
Sniffer
SnifferSniffer
Sniffer
Stelcy Jose
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
akhila immadisetty
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
Kunal Thakur
 
MINI PROJECT ON CELLPHONE DETECTOR
MINI PROJECT ON CELLPHONE DETECTORMINI PROJECT ON CELLPHONE DETECTOR
MINI PROJECT ON CELLPHONE DETECTOR
Prannoy Chakravarthi
 
Sniffer for the mobile phones
Sniffer for the mobile phonesSniffer for the mobile phones
Sniffer for the mobile phones
Upender Upr
 
Sniffer for Detecting Lost Mobile
Sniffer for Detecting Lost MobileSniffer for Detecting Lost Mobile
Sniffer for Detecting Lost Mobile
Seminar Links
 
I pv6 mrtg_20111025
I pv6 mrtg_20111025I pv6 mrtg_20111025
I pv6 mrtg_20111025
itsuki810
 
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
APNIC
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
intertelinvestigations
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
ssuserfcf43f
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
Oreilly solinea-managing-openstack
Oreilly solinea-managing-openstackOreilly solinea-managing-openstack
Oreilly solinea-managing-openstack
Vietnam Open Infrastructure User Group
 
Tos tutorial
Tos tutorialTos tutorial
Tos tutorial
manikainth
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 

Más contenido relacionado

Destacado

Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
akhila immadisetty
 
MINI PROJECT ON CELLPHONE DETECTOR
MINI PROJECT ON CELLPHONE DETECTORMINI PROJECT ON CELLPHONE DETECTOR
MINI PROJECT ON CELLPHONE DETECTOR
Prannoy Chakravarthi
 

Destacado (13)

SNIFFER FOR DETECTING LOST MOBILES
SNIFFER FOR DETECTING LOST MOBILESSNIFFER FOR DETECTING LOST MOBILES
SNIFFER FOR DETECTING LOST MOBILES
 
Mobile Sniffer
Mobile SnifferMobile Sniffer
Mobile Sniffer
 
International Journal of Engineering Research and Development
International Journal of Engineering Research and DevelopmentInternational Journal of Engineering Research and Development
International Journal of Engineering Research and Development
 
Sniffer For Detecting Lost Mobiles
Sniffer For Detecting Lost MobilesSniffer For Detecting Lost Mobiles
Sniffer For Detecting Lost Mobiles
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
 
Outes
OutesOutes
Outes
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
 
Sniffer
SnifferSniffer
Sniffer
 
Sniffer for detecting lost mobiles
Sniffer for detecting lost mobilesSniffer for detecting lost mobiles
Sniffer for detecting lost mobiles
 
Packet sniffers
Packet sniffersPacket sniffers
Packet sniffers
 
MINI PROJECT ON CELLPHONE DETECTOR
MINI PROJECT ON CELLPHONE DETECTORMINI PROJECT ON CELLPHONE DETECTOR
MINI PROJECT ON CELLPHONE DETECTOR
 
Sniffer for the mobile phones
Sniffer for the mobile phonesSniffer for the mobile phones
Sniffer for the mobile phones
 
Sniffer for Detecting Lost Mobile
Sniffer for Detecting Lost MobileSniffer for Detecting Lost Mobile
Sniffer for Detecting Lost Mobile
 

Similar a Sniffjoke 0.5 anticipation - hack.lu 2011

The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
Raffael Marty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
grecsl
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
virtualabs
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redacted
Ryan Breed
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
Aleksandr Timorin
 

Similar a Sniffjoke 0.5 anticipation - hack.lu 2011 (20)

I pv6 mrtg_20111025
I pv6 mrtg_20111025I pv6 mrtg_20111025
I pv6 mrtg_20111025
 
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
InfoSec Taiwan 2023: APNIC Community Honeynet Project — Observations and Insi...
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Reverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical GuideReverse Engineering Malware - A Practical Guide
Reverse Engineering Malware - A Practical Guide
 
hacking-embedded-devices.pptx
hacking-embedded-devices.pptxhacking-embedded-devices.pptx
hacking-embedded-devices.pptx
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Oreilly solinea-managing-openstack
Oreilly solinea-managing-openstackOreilly solinea-managing-openstack
Oreilly solinea-managing-openstack
 
Tos tutorial
Tos tutorialTos tutorial
Tos tutorial
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
 
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
Monitoring & Analysis 101 - N00b to Ninja in 60 Minutes at ISSW on April 9, 2016
 
From printed circuit boards to exploits
From printed circuit boards to exploitsFrom printed circuit boards to exploits
From printed circuit boards to exploits
 
breed_python_tx_redacted
breed_python_tx_redactedbreed_python_tx_redacted
breed_python_tx_redacted
 
Having Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security AnalysisHaving Honeypot for Better Network Security Analysis
Having Honeypot for Better Network Security Analysis
 
Scada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanismsScada deep inside: protocols and security mechanisms
Scada deep inside: protocols and security mechanisms
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
PLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yoursPLMCE - Security and why you need to review yours
PLMCE - Security and why you need to review yours
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 

Sniffjoke 0.5 anticipation - hack.lu 2011

  • 1. Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke 0.5 growing process in Sniffer/NIDS evasion technology
  • 2. Hack.LU - http://2011.hack.lu - SniffJoke The speaker • Claudio Agosti, vecna in Internet. • 12+ years of hacking and not in prison :) • idealistic contributor in various “projects” without a full time job. • http://www.delirandom.net vecna@delirandom.net
  • 3. introduction Hack.LU - http://2011.hack.lu - SniffJoke Agenda • what’s sniffer evasion • which kind of vulnerabilities exist • patches, improvement and workaround • target selection: sniffers vs NIDS. • Sniffjoke goal for 0.5 release: defeat everything that passively eavesdrops traffic from the network.
  • 4. introduction NIDS evasion, Hack.LU - http://2011.hack.lu - SniffJoke A forgotten lore ? • first and actual research released in 1998 • fragrouter (~2002) + libdnet (~2005) • innova 2001 • FTester - last release 2006 • StoneSoft 2009-2010 • but, the sniffing issue persists, the IDS market stands alive and healthy. Despite this, few tools exist able to perform a wide evasion test. • my goal: don’t produce (only) a security testing application, but also be usable and transparent in daily activities.
  • 5. introduction Hack.LU - http://2011.hack.lu - SniffJoke memory refresh • An NIDS attack is the injection of forged packets. Those packets are captured by the passive third party. • Could be part of the active session, could be based on plausible packets, and allow the attacker to interfere with the flow reassembly logics. • it is really hard to develop techniques able to interfere with the sniffing activity without disrupting the real session • when an evasion is found, maybe really difficult to be patched
  • 6. AAAAAAA BBBBBBBB memory refresh: TTL attack 1 Routers in ISP 3 Routers ISP 1 5 6 7 8 10 2 4 Routers in ISP 2 9 3 AAAAAAA 11 ˘˚ÓÙ∂©†∑ AAAAAAA 1-20 AA[...] TTL 64 BBBBBBBB ACK 21-40 ÓÙ∂[...] TTL 9 ICMP time exceeded 20 21-40 BB[...] TTL 31 ACK 40
  • 7. introduction memory refresh: Hack.LU - http://2011.hack.lu - SniffJoke concepts • lack of Information on the wire • An NIDS evasion technique exploits the ambiguous meaning of such packets • A NIDS/Sniffer collects the packets but has not a mathematical certainty that the packet will be accepted by the remote host • By theory, the attacker has no way to know if the attacks has worked or not.
  • 8. introduction Hack.LU - http://2011.hack.lu - SniffJoke 1998 attacks table fragroute Sj 0.4 Sj 0.5 (dev now!) Patch ? ip TTL fixed value # around, mist # around, mist enforcing & AM cksum Y Y Y normalization source route Y all IP opt all IP opt enforcing (dropped) frag policy fixed value dynamic dynamic enforcing & AM ip frag overlap dynamic dynamic dynamic enforcing & AM tcp options mss|wscale, fixed some TO, dynamic lot of TO, adaptive enforcing & AM PAWS fixed (anomaly) N adaptive don’t know! tcp overlap dynamic adaptive, chainable adaptive, chainable enforcing & AM RST off seq N Y Y enforcing & AM
  • 9. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke Attacks concepts • Ambiguity methods obtain the desynchronisation between the reassembled flow and the effective endpoint traffic • by exploiting this ambiguity, you can decide some kind of disruption to cause to a passive analyzer • data you are sending could be hidden from its analysis • the established session could appear closed • the flow could be broken
  • 10. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke Attack targets • NIDS and sniffers both base their workings on passive traffic collection • but NIDS work in a specified network, and could treat traffic with too much anomalies as malicious. • work in a contextual security • Sniffers cannot map a specific network, cannot drop traffic like an IPS does, and are sold by feature/performance instead of reliability.
  • 11. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke patches thru the ages • Sanitization, restriction policy. keep anomaly counts in sessions and treat evasions. (usable in an IDS becoming single point of failure) • Active mapping, know the exploitable details of your network and use them inside the reassembly algorithm. (probably implemented in high level nids products) • Be sure: strong TCP check. don’t make any assumption, base the collected data on all the available informations. (this is what’s wireshark does)
  • 12. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke ...this about NIDS network intrusion detection systems very different analysis has to be applied at the mass interception tool!
  • 13. attacks logic differences Hack.LU - http://2011.hack.lu - SniffJoke NIDS Sniffer possible, but impossible: is forced sanitization became s.p.f. totally passive could apply could apply analysis anomaly detection statistical analysis but remains unable and trigger alert to reassemble a sniffer has not a could work in the active mapping single network to protected network control
  • 14. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke Multi gigabit business !"#$%&'&()'*%)"+',-++% 9'&:%;-3<43=(,6-%>3(?6%2,+@-6$4,7% !4,'*43',&%(,5%A(@*"3-%(*%/BC)@+% >:-%D'EF2A/B%'+%(,%(5G(,6-5%F-*H43I% 2,*-3<(6-%A(35%64=)',',&%J;CK+%(,5%+*(*-%4<% *:-%(3*%+"@@43*%+4EH(3-L%>:-%F2A%@34G'5-+%<"##% M--@%;(6I-*%2,+@-6$4,%NO(P-3%QR.STU%!"# :X@Y00HHHL6P)-3+'EL,-*0:@,+L:*=#% "$%&'!%#"(#)*+,$-#,'./,"(%-#V%-W*-,5',&%*:-% #'<-%4<%+4EH(3-%(++-*+L% KF>KC]%'+%(%=(++%(,5%*(3&-*%',*-36-@$4,%+P+*-=% *:(*%',*-36-@*+7%8#*-3+7%(,5%(,(#P^-+%G4'6-7%5(*(7% (,5%="#$=-5'(%<43%',*-##'&-,6-%@"3@4+-+L%_+',&% +4@:'+$6(*-5%@34)',&%*-6:,4#4&P%(,5%-3',*`+%3-(#R 0(!%1123%(.%#45$$"&!#46-!%7-#8"&#9':851# $=-%8#*-3',&%=-6:(,'+=+7%KF>KC]%@(++'G-#P% 0(!%&.%$;"(<#=&272('1#0(>%-;3';"(-<# 64##-6*+%=(W'="=%64==",'6($4,+7%-W*3(6*+%*:-% 0(!%1123%(.%#+'!?%&2(3#'(@#0(8"&7';"(# =4+*%'=@43*(,*%',<43=($4,7%(,5%"+-+%+*43-5%5(*(% 4?'&2(3#="(8%&%(.%#'(@#AB$"# (,(#P+'+%<43%&-,-3($,&%',*-##'&-,6-%<34=%5(*(% :X@Y00HHHL*-#-+*3(*-&'-+L64=02DDZ[KD90',5-WL:*=% 64##-6*-5%4G-3%$=-L%:X@Y00G-3',*L64=0 64==",'6($4,+Z',*-36-@$4,0% /01%2,*345"6$4,7%*(3&-*%5-8,'$4,% .%
  • 15. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke 100 gb/sec sniffers coming soon on... http://www.endace.com/endaceextreme.html • Mass survelliance will sound like control inside national border • But data, packets, travel for much more nations than source & destination! • Some years ago the mass survelliance technology hadn't enough computational power: now it has.
  • 16. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke final goal • SniffJoke have a cultural goal beside of a technical one • Want to make clear that “people security could not be obtained by massive sniffing”
  • 17. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke downgrade multi gigabit sniffers to multi kilobits • This is the official Sniffjoke’s payoff • a multi gigabit probe needs to make assumptions in high speed traffic analysis. • could it check every checksum ? could it keep track of every data-ack? could it be updated with the most recent header options ? could it manage packet loss ? needs to have strict timeout inside, because it requires to clean the huge connections table about the tracked packets. • every assumption is an exploitable vulnerability by Sniffjoke.
  • 18. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke checked vulnerability fragroute SniffJoke 0.2 SniffJoke 0.3 SniffJoke 0.4 dsniff N (?) N N Y evasion xplico N/A (Y ?) Y Y detection snort old releases N N Y (lab only) wireshark N/A (Y ?) N Y Y sniffjoke 0.5 is not aiming to exploit new sniffers/IDS, but be stable in a real case scenario against professional products.
  • 19. attacks logic Hack.LU - http://2011.hack.lu - SniffJoke various kind of damage • Denial of service: huge file dump (sequence number shifting) • Invalid data recorded instead of the real one (fake payload) • Incoming connection desync and override (invalid ack-ing) • premature closing of currently running session (fin, rst and syn flags acceptance) • creating hole of data inside the session (drop packets, fragment or sections of payload)
  • 20. wireshark try to reassembly an e-mail captured
  • 21. x-plico, capturing traffic without sniffjoke protection
  • 22. x-plico, same request, incoming traffic protected by sniffjoke
  • 23. state of the project Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke base research • An attack is composed by two factor • the Scramble: is the technique used to obtain desyncronization • the Injection: is the packet assumes as real, accepted in the reassembled flow, and source of the damage
  • 24. state of the project Hack.LU - http://2011.hack.lu - SniffJoke Scrambles in SniffJoke 0.4 status 0.5 goal TCP opt few exploit every possible abuse :) TCP md5 working, but need remote app working, but need remote app integrate passive OS OS dependent trick only RST+FIN P.o.C. fingerprint IP opt policy silent drop check them at the last hop Congestion based attacks not implemented under development IP timestamp expire not implemented under development
  • 25. state of the project Hack.LU - http://2011.hack.lu - SniffJoke scramble examples • TCP MD5 signature check has been developed to avoid BPG spoofing • a multi gigabit sniffer could not perform MD5 checks for performance reason, but avoiding this check, is victim of packets ambiguity!
  • 26. state of the project IP/TCP options Hack.LU - http://2011.hack.lu - SniffJoke scramble • when an host receives a packet with a unsupported IP-option, drop the packet (and the sniffer could not know) • when a new IP option is implemented, the reassembly device is not updated • some TCP-option, need to be interpreted because interfere strongly with the packets acceptance or dropping
  • 27. state of the project Congestion based Hack.LU - http://2011.hack.lu - SniffJoke attacks • TCP plain is ACK dependent (sessions with high packet loss and high bandwidth have bad performances) • SACK has been developed to detect packet loss and perform selective packet retransmissions. • RFCs: SACK 1996, NewReno 2003, D-SACK 2000, ECN... these extensions produce a lot of congestion avoidance algorithms.
  • 28. state of the project Congestion algorithm Hack.LU - http://2011.hack.lu - SniffJoke injection logic • The sender doesn’t know how many algorithms are supported by the receiver • Different OSes have different boundaries (eg: Windows CTCP): the ambiguity! • SACK-block validation is based on internal value of the stack (OS dependent vars, session max- window, timings) unknown by the sniffer.
  • 29. state of the project Hack.LU - http://2011.hack.lu - SniffJoke Injection each implemented in a different loadable plugin bad fake seq invalid window invalid ack syncronization payload overlap fake payload fragmentation segmentation breaking segments valid rst off forced closing fake syn fake fin fake rst window
  • 30. state of the project Hack.LU - http://2011.hack.lu - SniffJoke congestion abuse + fake data SniffJoke had a packet in the first packets of every session, it is useful to split data in to mangle chunks in order to apply as many attacks as possible packet data 1-1500 eg: split in chunks drop 1 bad sack chunk #1 [fake data] 500 byte each accept 2 valid chunk #1 [good data] #1 #2 #3 drop 3 bad sack chunk #1 [fake data] ack ack 500 receiver sniffer sniffer will not understand which chunk is accepted by the receiver, and by the queue design, will keep the first or the last packet only.
  • 31. state of the project Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke 0.4.x feat • Location based adaptive combinations • sniffjoke-autotest has been revealed to be the limitation in real case scenarios. • Configurable ports aggressiveness • Avoid signature based detection • injection chaining
  • 32. state of the project Hack.LU - http://2011.hack.lu - SniffJoke SniffJoke 0.4 issues • it was a single monolithic software • it included OS dependent commands, operations and calls, reducing the portability
  • 33. 0.5 architecture SniffJoke 0.5 portability solution Hack.LU - http://2011.hack.lu - SniffJoke janus TCP plain Other box janus socket pkt D2 Linux, OSX, pkt D1 home router modified D1 Window tun(pkt D1,A1, D2) gateway pkt A1 SniffJoke tun(modified D1,A1, D2) janus modified D2 modified A1 Janus could run in the same box of Sniffjoke or in the gateway.
  • 34. 0.5 architecture janus portability Hack.LU - http://2011.hack.lu - SniffJoke achievements • janus goal: be an application able to mangle kernel managed IP sessions. • intercept and modify the incoming traffic before the kernel does, and modify, drop, delay the outgoing traffic after the TCP/IP stack has send them. • janus is written in plain C, and required SOCK_PACKET datalink access • janus portability is based on a configuration file containing commands usable in almost every operating system
  • 35. 0.5 architecture Hack.LU - http://2011.hack.lu - SniffJoke janus logic • set a static arp overriding the default gateway • sniff your traffic, forward to a TCP port if attached this is the outgoing traffic divert • drop the traffic coming from the default gateway • read at interface layer the outgoing traffic and forward to another TCP port, if attached this is the incoming traffic divert • reinject the traffic received to the proper destination. this allows to have a portable application able to run on OpenWRT, lafonera, Linux, MacOSX, *BSD...
  • 36. 0.5 architecture SniffJoke 0.5 feat Hack.LU - http://2011.hack.lu - SniffJoke continuos probe • in 0.4 release, the attacks set was defined by a configuration file different for each location (plugin- enabled.conf) • it’s required, because your own nat device could be fooled by injected packet and close the session. • in 0.5, a continuos check of usable combinations is performed and results are cached. To every destination host is assigned a complete map of IP/TCP options reaching the destination, Operating System detected, hop distance, overlapping behaviour.
  • 37. 0.5 architecture Hack.LU - http://2011.hack.lu - SniffJoke release status • in github two branches are present: master (the not-really-“stable” 0.4.2) and devel, 0.5 under development. • gentoo, backtrack, .deb and .rpm packages of 0.4.2 has been done • 0.5 aim to work in iPhone, Android, *BSD, windows. • sniffjokectl was the client name, we’re planning to use a JSON library to manage sniffjoke and janus administration.
  • 38. 0.5 architecture Hack.LU - http://2011.hack.lu - SniffJoke next goals • found a laboratory and test professional IDS and Sniffer (we have only theoretical hints!) • write report, advisory: push the security market to face with the possibility that a security device could be bypassed. • and in those two points: I couldn’t do without a partnership. I’m looking for security companies that want to focus on evasion research and countermeasures.
  • 39. Thanks! Questions ? https://twitter.com/#!/sniffjoke vecna@delirandom.net pub 1024D/C6765430 2009-08-25 [expires: 2012-10-03] Key fingerprint = 341F 1A8C E2B4 F4F4 174D 7C21 B842 093D C676 5430 sniffjoke@sikurezza.org mailing list https://www.sikurezza.org/lists/listinfo/sniffjoke http://www.delirandom.net/sniffjoke http://github.com/vecna/sniffjoke http://github.com/evilaliv3/janus
  • 40. out of band slide: some useful documents The one: http://insecure.org/stf/secnet_ids/secnet_ids.html https://tools.ietf.org/html/rfc4614 A Roadmap for Transmission Control Protocol (TCP) Specification Documents revisited: http://www.symantec.com/connect/articles/evading-nids-revisited https://www.ietf.org/html/rfc6274 Security Assessment of the Internet Protocol Version 4 http://www.cnsr.info/Download/PDF/a4b.pdf Verifying TCP Implementation

Notas del editor

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n
  22. \n
  23. \n
  24. \n
  25. \n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. \n
  40. \n