FROM KERNEL SPACE TO USER HEAVEN
Jaime Sánchez (@segofensiva)
Nuit du Hack 2013
FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ

More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com

What if you could enqueue all your incoming and outgoing network connections from kernel space to user space? You could then develop offensive or defensive applications that modify headers and payloads in real time, detect unauthorized traffic such as DNS tunneling connections, or fool some well-known network tools. This is shown on Linux-powered devices. The talk also explains some remote OS fingerprinting techniques, both active and passive, as implemented in tools like nmap, p0f or vendor appliances, and how to defeat them. The technique needs no virtual machines or kernel patches and is highly portable to other platforms.

From Kernel Space to User Heaven #NDH2k13

  1. FROM KERNEL SPACE TO USER HEAVEN. Jaime Sánchez, @segofensiva. Nuit du Hack 2013.
  2. $ WHO I AM
     § Security researcher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure networks or ethical hacking.
     § I work in the Security Operations Center (SOC) of a multinational telecommunications company.
     § I'm sexy and I know it.
     § You can find my blog and adventures at www.seguridadofensiva.com
     § Contact: @segofensiva
  3. - Cyberwar is upon us. APT is very common nowadays and we need to think about new tricks to be one step ahead to keep the system secure.
     - With this technique you can provide that step in order to defend your servers against the first phase in all APT operations: FINGERPRINTING.
  4. § Cyber Warfare and Hacktivism
     § Several companies attacked, like Facebook, Apple, Twitter, New York Times
     § APT1, Stuxnet, Operation Hangover, etc.
  5. The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
  6. A BRIEF OVERVIEW
  7. ARCHITECTURE
     [diagram: protection rings, Ring 0 (kernel) through Ring 3, from more privileged to less privileged, with devices outside the rings]
     § Computer operating systems provide different levels of access to resources.
     § This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
     § Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
     § On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
  8. KERNEL vs USER SPACE
     KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user mode applications work, and this memory can be swapped out when necessary.
     Similarly, the term USER LAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
  9. WTF !?
  10. How I met your packets
  11. [diagram: path of an inbound packet. NIC memory → DMA engine → ring buffer → interrupt → interrupt handler (device driver) → poll list / softirq → packet data in the kernel → ip_rcv() → IP layer → tcp_v4_rcv() → TCP process → socket backlog → TCP receive buffer → read() in the application (user space). Netfilter hooks on the way: PREROUTING (conntrack, mangle), then INPUT (filter) for local packets or FORWARD for forwarded and accepted packets.]
      Locally destined packets must pass the INPUT chains to reach listening sockets.
  12. TARGET EXTENSIONS
      A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution:
  13. QUEUE
      § QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
      § For this to be useful, two further components are required:
        • a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
        • a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
      § The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
      $ iptables -A INPUT -j NFQUEUE --queue-num 0
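As an added example that is not part of the deck, the userspace side of the QUEUE setup above: a verdict function that a queue handler would call for every packet the `iptables -A INPUT -j NFQUEUE --queue-num 0` rule hands over. It parses IPv4/UDP/DNS by hand and flags the long, high-entropy query names typical of the DNS tunneling mentioned in the abstract. The thresholds are constructed, and the NFQUEUE binding (python-netfilterqueue, shown only in a comment) is assumed and not imported, so the code runs offline.

```python
import math
import struct

NF_DROP, NF_ACCEPT = 0, 1   # verdict codes from the Netfilter userspace API

def parse_dns_qname(packet):
    """Return the first query name of an IPv4/UDP/DNS packet to port 53, or None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return None
    ihl = (packet[0] & 0x0F) * 4
    udp = packet[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 53:
        return None
    dns = udp[8:]
    if len(dns) < 12 or struct.unpack("!H", dns[4:6])[0] == 0:   # QDCOUNT
        return None
    labels, pos = [], 12
    while pos < len(dns):
        length = dns[pos]
        if length == 0:
            break
        if length & 0xC0:          # compression pointer: not valid in a question name
            return None
        labels.append(dns[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) if labels else None

def shannon_entropy(s):
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

# Assumed heuristics: constructed thresholds, tune them against your own DNS traffic.
MAX_LABEL_LEN = 40
MIN_ENTROPY = 3.5

def looks_like_tunnel(qname):
    """Tunnels pack data into the leftmost labels, which end up long and high-entropy."""
    host_part = ".".join(qname.split(".")[:-2])    # drop the zone (last two labels)
    if not host_part:
        return False
    longest = max(len(label) for label in host_part.split("."))
    return longest >= MAX_LABEL_LEN or shannon_entropy(host_part) >= MIN_ENTROPY

def verdict(packet):
    """Called once per queued packet; non-DNS and ordinary DNS traffic is accepted."""
    qname = parse_dns_qname(packet)
    if qname is not None and looks_like_tunnel(qname):
        return NF_DROP
    return NF_ACCEPT

def build_dns_query(qname):
    """Constructed test input: minimal IPv4 + UDP + DNS A query (checksums left zero)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 53]))
    return ip + udp

if __name__ == "__main__":
    # With the python-netfilterqueue binding (assumed, not imported here) the hookup is:
    #   NetfilterQueue().bind(0, lambda p: p.drop() if verdict(p.get_payload()) == NF_DROP else p.accept())
    for name in ("www.example.com", "a" * 45 + ".t.example.com"):
        print(name, "->", "DROP" if verdict(build_dns_query(name)) == NF_DROP else "ACCEPT")
```

Because queued packets are dropped once the 1024-entry queue fills, keep the verdict path this cheap and accept anything that is not DNS without further parsing.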
  14. SHOW ME SOME EXAMPLES!
  15. FAKE SSH SOURCE
      [diagram: ATTACKER ($ _) → INNOCENT → SSH SERVER]
      - We will hide our source IP and will modify it with any other value we want in our compromised SSH server.
      - Useful to avoid filters and not modifying files like /etc/hosts.deny.
  16. TRACEROUTE FAKING
      [diagram: SOURCE sends UDP probes with TTL=1, 2, 3, 4 towards DESTINATION; each router hop answers ICMP TIME EXCEEDED and the destination answers ICMP PORT UNREACHABLE]
      If the internet packet has a TTL of 0 after decrement, that packet must not be passed on, and an Internet Control Message Protocol (ICMP) Time Exceeded in transit is returned to the packet's origin.
  17. REMOTE OS FINGERPRINTING
  18. CLASSIC TECHNIQUES
  19. § Or we could just use Shodan, a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
  20. NMAP
      - Device Type        - Network Distance
      - Running            - TCP Sequence Prediction
      - OS Details         - IP ID Sequence Generation
      - Uptime Guess
      Device Type: general purpose
      Running: Microsoft Windows 7|Vista|2000
      OS CPE: cpe:/o:microsoft_7::professional
      OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
      Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
      Network Distance: 1 hop
      TCP Sequence Prediction: Difficulty=262 (Good Luck!)
      IP ID Sequence Generation: Incremental
      Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  21. How I met your packet
      - I looked for jailbroken iPhones with a custom Perl script:
        - Scan network ranges
        - For each host, scan port 62078.
        - If port 62078 is open, then try with SSH
        - If the SSH port is open, try to log in with credentials: root/alpine
  22. NMAP METHODS
      Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports:
      - SEQUENCE GENERATION (SEQ, OPS, WIN & T1)
      - ICMP ECHO (IE)
      - TCP EXPLICIT CONGESTION NOTIFICATION (ECN)
      - TCP T2-T7
      - UDP
  23. NMAP INTERNAL PROBES
      Most important:
      § TCP ISN greatest common divisor (GCD)
      § TCP IP ID sequence generation alg (TI)
      § TCP timestamp option alg (TS)
      § TCP Options (O, O1-O6)
      § TCP initial Window Size (W, W1-W6)
      § Responsiveness (R)
      § IP don't fragment bit (DF)
      § IP initial time-to-live guess (TG)
      Although there are others:
      § TCP ISN counter rate (ISR)
      § ICMP IP ID sequence generation alg (II)
      § Shared IP ID sequence Boolean (SS)
      § Don't Fragment ICMP (DFI)
      § Explicit congestion notification (C)
      § TCP miscellaneous quirks (Q)
      § TCP sequence number (S)
      § etc.
      Fingerprint Linux 2.6.17 - 2.6.24
      Class Linux | Linux | 2.6.X | general purpose
      SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
      OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
      WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
      ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
      T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
      T2(R=N)
      T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
      T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
      T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
      T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
      T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
      U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
      IE(DFI=N%T=3B-45%TG=40%CD=S)
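As an added example that is not part of the deck, a parser and matcher for the nmap-os-db syntax quoted above: each TEST(attr=value%...) line becomes a dictionary, and a set of probe results is scored against it, honouring hex ranges such as T=3B-45, alternatives separated by | and >/< bounds as nmap writes them. The fingerprint text is a subset of the slide's; the probe results and the plain hit/total score (nmap's own scoring is weighted per attribute) are constructed for the example.

```python
import re

# Constructed input: a subset of the fingerprint shown on the slide, in nmap-os-db syntax.
FINGERPRINT = """
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T2(R=N)
"""

LINE_RE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")
HEX = re.compile(r"[0-9A-F]+")

def parse_fingerprint(text):
    """Return (name, {test: {attr: expected}}); Class lines are skipped."""
    name, tests = None, {}
    for line in text.strip().splitlines():
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attrs = {}
        for item in m.group(2).split("%"):
            key, _, value = item.partition("=")
            attrs[key] = value            # value may be empty, e.g. Q=
        tests[m.group(1)] = attrs
    return name, tests

def value_matches(expected, observed):
    """One attribute: '|' alternatives; 'lo-hi' hex range; '>n' / '<n' bounds; else exact."""
    is_hex = HEX.fullmatch(observed) is not None
    for alt in expected.split("|"):
        if re.fullmatch(r"[0-9A-F]+-[0-9A-F]+", alt):
            lo, hi = (int(x, 16) for x in alt.split("-"))
            if is_hex and lo <= int(observed, 16) <= hi:
                return True
        elif alt[:1] in ("<", ">") and HEX.fullmatch(alt[1:]) and is_hex:
            bound, value = int(alt[1:], 16), int(observed, 16)
            if (alt[0] == ">" and value > bound) or (alt[0] == "<" and value < bound):
                return True
        elif alt == observed:
            return True
    return False

def score(tests, observed):
    """Count (matching, compared) attributes over the tests the probe results cover."""
    hits = total = 0
    for test, attrs in tests.items():
        for attr, expected in attrs.items():
            if test in observed and attr in observed[test]:
                total += 1
                hits += value_matches(expected, observed[test][attr])
    return hits, total

# Constructed probe results: fits the Linux 2.6 fingerprint except for the TTL attributes.
OBSERVED = {
    "SEQ": {"SP": "C3", "GCD": "1", "ISR": "C8", "TI": "Z", "II": "I", "TS": "U"},
    "WIN": {"W1": "8018", "W2": "8018"},
    "ECN": {"R": "Y", "DF": "Y", "T": "80", "TG": "80", "W": "8018",
            "O": "M400C", "CC": "N", "Q": ""},
    "T2": {"R": "N"},
}

if __name__ == "__main__":
    name, tests = parse_fingerprint(FINGERPRINT)
    print(name, score(tests, OBSERVED))      # the two TTL attributes are the misses
```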
  24. OTHER TOOLS
      - IP PERSONALITY: a patch for Linux kernels of version 2.4 that modifies characteristics of network traffic.
      - STEALTH PATCH: simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing it to ignore some kinds of packets.
      - FINGERPRINT FUCKER: a kernel module available for Linux kernel version 2.2 that also tries to hide the original OS and act as a different one.
      - BLACKHOLE: TCP and UDP packet filtering options, allowing it to block, respectively, RST and ICMP answers on closed ports.
      - HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
      - OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
  25. !! LET'S CAMOUFLAGE !!
  26. BITCH PLEASE ...
  27. PASSIVE OS FINGERPRINTING
      [diagram: sniffer]
      - p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
      - There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
      - Passive fingerprinting is like a packet sniffer: it examines network traffic, making a copy of the data without redirecting or altering it.
      - Can be used for several purposes:
        1. As stealthy fingerprinting, bypassing the need for an active tool that can be detected by various IDS systems.
        2. To identify remote proxy firewalls.
        3. Organizations can use it to identify rogue systems on their network.
  28. SIGNATURES
      8192:32:1:48:M*,N,N,S:.:Windows:98
      Fields, in order: Window Size : Initial TTL : DF Bit : Packet Size : TCP options and order : Quirks : Operating System (Family) : Version
      Window Size: * any value; %nnn multiple of nnn; Sxx MSS multiple; Txx MTU multiple; xxx constant value
      TCP options and order: N: NOP; E: EOL; Wnnn: WS; Mnnn: MSS; S: SACK; T / T0: Timestamp; ?n: unknown option n
      Quirks: data in SYN packets; options after EOL; IP ID field = 0; ACK different to 0; unusual flags; incorrect options decode
      Operating System: Family, Version
  29. !! LET'S CAMOUFLAGE !!
  30. COMMERCIAL ENGINES
      These techniques can be used to evade commercial implementations. We hide our machine, fooling the detector engine into recognizing us as another OS, attack another host, and lead the administrator to think it may be a false positive.
      Fingerprint value example:
      key=fp_id;value=100000
      key=rna_fingerprint_type_id;value=9
      key=rna_fingerprint_description;value=iPhone
      key=rna_fingerprint_vendor_str;value=Apple
      key=rna_fingerprint_product_str;value=iOS
      key=rna_fingerprint_version_str;value=NULL
      key=val1;value=340e4d28c315390d
      key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085 937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b 7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22f e666cb1dc115309eb77
      key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
      I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with the default Nmap and p0f databases to get the desired TCP/IP header values.
  31. (WE'RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS)
      [screenshots]
      OS FOOLED! NOW OUR LINUX IS AN IOS DEVICE
  32. SPOOF NON EXISTING HOSTS AND CONSUME RNA ENGINE
      HOST CREATED WITH OUR NEW TOOL :)
      [screenshots]
  33. Long story short: SYN ACK FIN
  34. SEGURIDADOFENSIVA.COM @SEGOFENSIVA