From Kernel Space to User Heaven #NDH2k13

FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ

More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com

What if you could enqueue all your incoming and outgoing network connections from kernel space to user space? Maybe you could develop some offensive or defensive applications to modify headers and payloads in real time, to detect unauthorized traffic such as DNS tunneling connections, or to fool some well-known network tools. This will be shown on Linux-powered devices. Some remote OS fingerprinting techniques, both active and passive, implemented in tools like nmap, p0f, or vendor appliances, will also be explained, along with how to defeat them. This technique doesn't need virtual machines or kernel patches, and is highly portable to other platforms.

Presentation Transcript

  • FROM KERNEL SPACE TO USER HEAVEN
    JAIME SÁNCHEZ, @SEGOFENSIVA
    NUIT DU HACK 2013
  • $ WHO I AM
    § Security researcher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure networks or ethical hacking
    § I work in the Security Operations Center (SOC) of a multinational telecommunications company
    § I'm sexy and I know it
    § You can find my blog and adventures at www.seguridadofensiva.com
    § Contact: @segofensiva
  • - Cyberwar is upon us. APT is very common nowadays and we need to think about new tricks to be one step ahead to keep the system secure.
    - With this technique you can provide that step in order to defend your servers against the first phase in all APT operations: FINGERPRINTING.
  • § Cyber Warfare and Hacktivism
    § Several companies attacked, like Facebook, Apple, Twitter, New York Times
    § APT1, Stuxnet, Operation Hangover, etc.
  • The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
  • A BRIEF OVERVIEW
  • ARCHITECTURE
    [Diagram: protection rings around the kernel and devices, Ring 0 (most privileged) out to Ring 3 (least privileged)]
    § Computer operating systems provide different levels of access to resources.
    § This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
    § Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
    § On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
  • KERNEL vs USER SPACE
    KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, USER SPACE is the memory area where all user mode applications work, and this memory can be swapped out when necessary.
    Similarly, the term USER LAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
  • WTF !?
  • How I met your packets
  • [Diagram: receive path of an inbound packet. DEVICE DRIVER: NIC memory, DMA engine, ring buffer, interrupt, interrupt handler, poll list, softirq. KERNEL SPACE: packet data, ip_rcv(), IP layer with the netfilter chains PREROUTING (MANGLE, CONNTRACK), INPUT, FORWARD and FILTER, tcp_v4_rcv(), socket backlog, TCP process, TCP recv buffer. USER SPACE: read(), APPLICATION. Labels: inbound packets, local packets, forwarded packets, forwarded and accepted packets.]
    Locally destined packets must pass the INPUT chains to reach listening sockets.
  • TARGET EXTENSIONS
    A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution:
  • QUEUE
    § QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
    § For this to be useful, two further components are required:
      • a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
      • a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
    § The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
    $ iptables -A INPUT -j NFQUEUE --queue-num 0
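As an added example (not code from the talk), here is the userspace side of the QUEUE setup on this slide: a Python handler that, assuming the slide's iptables rule and the NetfilterQueue PyPI package, takes each queued packet, parses it as IPv4/UDP/DNS and issues a drop verdict for query names shaped like tunnelled data, the detection use the abstract mentions. The thresholds, the sample packets and the function names (`verdict_for_packet`, `parse_dns_qname`, `build_dns_query_packet`) are constructed for this example.

```python
import struct

# Constructed thresholds (assumption): ordinary hostnames stay well below these.
MAX_LABEL_LEN = 40     # one label longer than this looks like encoded payload
MAX_QNAME_LEN = 120    # a whole query name longer than this does too


def parse_dns_qname(raw):
    """Return the question name of an IPv4/UDP/DNS query as a list of labels,
    or None when the packet is not a DNS query to port 53 (or is malformed)."""
    if len(raw) < 20 or (raw[0] >> 4) != 4 or raw[9] != 17:   # IPv4, protocol 17 = UDP
        return None
    ihl = (raw[0] & 0x0F) * 4                                 # IP header length in bytes
    udp = raw[ihl:ihl + 8]
    if len(udp) < 8:
        return None
    _sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp)
    if dport != 53:
        return None
    dns = raw[ihl + 8:]
    if len(dns) < 12 or struct.unpack("!H", dns[2:4])[0] & 0x8000:   # QR=1: a response
        return None
    labels, pos = [], 12
    while pos < len(dns):
        length = dns[pos]
        if length == 0:                     # root label: end of the name
            return labels
        if length & 0xC0:                   # compression pointer in a question: malformed
            return None
        pos += 1
        labels.append(dns[pos:pos + length])
        pos += length
    return None                             # ran off the end of the packet


def verdict_for_packet(raw):
    """'drop' a DNS query whose name looks like tunnelled data, else 'accept'.
    Non-DNS traffic is accepted here; other rules in the chain handle it."""
    labels = parse_dns_qname(raw)
    if labels is None:
        return "accept"
    longest = max((len(lab) for lab in labels), default=0)
    total = sum(len(lab) + 1 for lab in labels)
    if longest > MAX_LABEL_LEN or total > MAX_QNAME_LEN:
        return "drop"
    return "accept"


def build_dns_query_packet(qname):
    """Constructed IPv4/UDP/DNS A query (checksums left zero) for offline testing."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    return ip + udp


def main():
    # Binding needs root and the NetfilterQueue package (assumption); the queue
    # number is the one from the slide's iptables rule.
    from netfilterqueue import NetfilterQueue

    def on_packet(pkt):
        if verdict_for_packet(pkt.get_payload()) == "drop":
            pkt.drop()
        else:
            pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(0, on_packet)
    try:
        nfq.run()
    finally:
        nfq.unbind()


if __name__ == "__main__":
    main()
```

Because the verdict logic is a pure function over the raw payload bytes, it can be exercised offline with constructed packets before the handler is ever bound to a live queue; the queue-length limit from the slide still applies, so a slow handler drops packets rather than protecting them.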
  • SHOW ME SOME EXAMPLES!
  • FAKE SSH SOURCE
    [Diagram: ATTACKER, SSH SERVER and INNOCENT hosts]
    - We will hide our source IP and will modify it with any other value we want in our compromised SSH server
    - Useful to avoid filters and not modifying files like /etc/hosts.deny
  • TRACEROUTE FAKING
    [Diagram: SOURCE sends UDP probes with TTL=1, TTL=2 and TTL=3, and each router hop answers with ICMP TIME EXCEEDED; the probe with TTL=4 reaches DESTINATION, which answers with ICMP PORT UNREACHABLE]
    If the internet packet has a TTL of 0 after decrement, that packet must not be passed on and an Internet Control Message Protocol (ICMP) Time Exceeded in transit is returned to the packet's origin.
  • REMOTE OS FINGERPRINTING
  • CLASSIC TECHNIQUES
  • § Or we could just use Shodan, a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
  • NMAP
    - Device Type
    - Running
    - OS Details
    - Uptime Guess
    - Network Distance
    - TCP Sequence Prediction
    - IP ID Sequence Generation
    Device type: general purpose
    Running: Microsoft Windows 7|Vista|2000
    OS CPE: cpe:/o:microsoft_7::professional
    OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
    Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=262 (Good Luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • - I looked for jailbroken iPhones with a custom Perl script:
      - Scan network ranges
      - For each host, scan port 62078.
      - If port 62078 is open, then try with SSH
      - If the SSH port is open, try to log in with credentials: root/alpine
  • NMAP METHODS
    - Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports:
      SEQUENCE GENERATION (SEQ, OPS, WIN & T1)
      ICMP ECHO (IE)
      TCP EXPLICIT CONGESTION NOTIFICATION (ECN)
      TCP T2-T7
      UDP
  • NMAP INTERNAL PROBES
    Most important:
    § TCP ISN greatest common divisor (GCD)
    § TCP IP ID sequence generation alg (TI)
    § TCP timestamp option alg (TS)
    § TCP Options (O, O1-O6)
    § TCP initial Window Size (W, W1-W6)
    § Responsiveness (R)
    § IP don't fragment bit (DF)
    § IP initial time-to-live guess (TG)
    Although there are others:
    § TCP ISN counter rate (ISR)
    § ICMP IP ID sequence generation alg (II)
    § Shared IP ID sequence Boolean (SS)
    § Don't Fragment ICMP (DFI)
    § Explicit congestion notification (C)
    § TCP miscellaneous quirks (Q)
    § TCP sequence number (S)
    § etc.
    Fingerprint Linux 2.6.17 - 2.6.24
    Class Linux | Linux | 2.6.X | general purpose
    SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
    OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
    WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
    ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
    T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
    T2(R=N)
    T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
    T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
    T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
    T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
    IE(DFI=N%T=3B-45%TG=40%CD=S)
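Added example, not Nmap's own code: a parser for the fingerprint format shown on this slide and a simplified scorer for observed probe results. Nmap weights each test; this version only counts unweighted attribute matches, which is enough to see how hex ranges such as T=3B-45 and '|' alternatives are evaluated. The fingerprint text is the one on the slide; the observed results and the helper names (`parse_fingerprint`, `value_matches`, `score`, `match_report`) are constructed, with T1.T deliberately outside the range and no U1 response at all.

```python
import re

# Fingerprint text copied from the slide (nmap-os-db format).
FINGERPRINT = """\
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
"""

TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")      # e.g. T2(R=N)
HEX_RANGE = re.compile(r"^([0-9A-F]+)-([0-9A-F]+)$")  # e.g. 3B-45


def parse_fingerprint(text):
    """Return (name, class_line, {test: {attribute: expected}})."""
    name, klass, tests = None, None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            klass = line[len("Class "):]
        elif TEST_LINE.match(line):
            test, body = TEST_LINE.match(line).groups()
            # "%" separates attributes; a bare "Q=" yields the empty string
            tests[test] = dict(pair.partition("=")[::2] for pair in body.split("%")) if body else {}
    return name, klass, tests


def value_matches(expected, observed):
    """'|' separates alternatives; a hex range is inclusive; anything else is exact."""
    for alt in expected.split("|"):
        rng = HEX_RANGE.match(alt)
        if rng is None:
            if alt == observed:
                return True
            continue
        try:
            lo, hi, val = (int(x, 16) for x in (*rng.groups(), observed))
        except ValueError:           # observed value is not a hex number
            continue
        if lo <= val <= hi:
            return True
    return False


def score(tests, observed):
    """Unweighted comparison (Nmap weights tests; this does not). Returns
    (matched, total, mismatches); a test with no observation misses every attribute."""
    matched, total, mismatches = 0, 0, []
    for test, attrs in tests.items():
        got = observed.get(test, {})
        for attr, expected in attrs.items():
            total += 1
            if attr in got and value_matches(expected, got[attr]):
                matched += 1
            else:
                mismatches.append(f"{test}.{attr}: expected {expected!r}, observed {got.get(attr)!r}")
    return matched, total, mismatches


def _reset(**extra):
    """Constructed T4-T7 style answer: a RST with window 0 and no options."""
    return {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "W": "0", "O": "", "RD": "0", "Q": "", **extra}


# Constructed observation: answers like the fingerprint, except that T1.T (0x30)
# falls outside 3B-45 and the U1 probe got no reply.
OBSERVED = {
    "SEQ": {"SP": "C0", "GCD": "1", "ISR": "C8", "TI": "Z", "II": "I", "TS": "U"},
    "OPS": {f"O{i}": "M400C" for i in range(1, 7)},
    "WIN": {f"W{i}": "8018" for i in range(1, 7)},
    "ECN": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "W": "8018", "O": "M400C", "CC": "N", "Q": ""},
    "T1": {"R": "Y", "DF": "Y", "T": "30", "TG": "40", "S": "O", "A": "S+", "F": "AS", "RD": "0", "Q": ""},
    "T2": {"R": "N"},
    "T3": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "W": "8018", "S": "O", "A": "S+", "F": "AS",
           "O": "M400C", "RD": "0", "Q": ""},
    "T4": _reset(S="A", A="Z", F="R"),
    "T5": _reset(S="Z", A="S+", F="AR"),
    "T6": _reset(S="A", A="Z", F="R"),
    "T7": _reset(S="Z", A="S+", F="AR"),
    "IE": {"DFI": "N", "T": "40", "TG": "40", "CD": "S"},
}


def match_report(text=FINGERPRINT, observed=OBSERVED):
    """Parse the fingerprint and score the observation against it."""
    name, _klass, tests = parse_fingerprint(text)
    matched, total, mismatches = score(tests, observed)
    return name, matched, total, mismatches
```

The mismatch list is the useful output for a defender: it shows exactly which header values (here the T1 TTL and the missing UDP answer) pull a host away from a fingerprint, which is the same information a camouflage tool has to get right in every probe answer.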
  • OTHER TOOLS
    IP PERSONALITY: A patch for Linux kernels of version 2.4 that modifies characteristics of network traffic.
    STEALTH PATCH: Simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing it to ignore some kinds of packets.
    FINGERPRINT FUCKER: A kernel module available for Linux kernel version 2.2 that also tries to hide the original OS and act as a different one.
    BLACKHOLE: TCP and UDP packet filtering options, allowing it to respectively block RST and ICMP answers on closed ports.
    HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
    OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
  • !! LET'S CAMOUFLAGE !!
  • BITCH PLEASE ...
  • PASSIVE OS FINGERPRINTING
    [Diagram: sniffer on the network path]
    - p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
    - There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
    - Passive fingerprinting is like a packet sniffer. It examines network traffic, making a copy of the data but without redirecting or altering it.
    - Can be used for several purposes:
      1. As stealthy fingerprinting, bypassing the need for using an active tool that can be detected by various IDS systems.
      2. To identify remote proxy firewalls.
      3. Organizations can use it to identify rogue systems on their network.
  • SIGNATURES
    8192:32:1:48:M*,N,N,S:.:Windows:98
    Fields, in order:
    Window Size
      - * Any value
      - %nnn Multiple of nnn
      - Sxx MSS multiple
      - Txx MTU multiple
      - xxx Constant value
    Initial TTL
    DF Bit
    Packet Size
    TCP options and order
      - N: NOP
      - E: EOL
      - Wnnn: WS
      - Mnnn: MSS
      - S: SACK
      - T / T0: Timestamp
      - ?n
    Quirks
      - Data in SYN packets
      - Options after EOL
      - IP ID Field = 0
      - ACK different to 0
      - Unusual flags
      - Incorrect options decode
    Operating System
      - Family
      - Version
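Added example, not p0f's own code: a decoder for the signature format on this slide and a matcher that applies the window-size expressions (*, %nnn, Sxx, Txx, constant), the options-in-order rule with M* standing for any MSS, and a TTL tolerance of up to 32 hops below the initial TTL (an assumption of this example). The first signature is the slide's; the second signature, the observed SYNs and the names `Signature`, `ObservedSyn`, `parse_signature`, `signature_matches` and `identify` are constructed here.

```python
from dataclasses import dataclass
from typing import List

MAX_HOPS = 32  # assumption: accept an observed TTL this many hops below the initial TTL


@dataclass
class Signature:
    window: str         # '*', '%nnn', 'Sxx', 'Txx' or a constant
    ttl: int            # initial TTL
    df: int             # don't-fragment bit
    size: int           # total SYN packet size
    options: List[str]  # TCP options in order, e.g. ['M*', 'N', 'N', 'S']
    quirks: str         # '.' means no quirks
    genre: str
    details: str


@dataclass
class ObservedSyn:
    window: int
    ttl: int
    df: int
    size: int
    options: List[str]  # e.g. ['M1460', 'N', 'N', 'S']; the MSS value is part of the token
    quirks: str = "."

    @property
    def mss(self):
        for opt in self.options:
            if opt.startswith("M"):
                return int(opt[1:])
        return None


def parse_signature(line):
    """Split the colon-separated fields; the options field is comma separated."""
    w, ttl, df, size, opts, quirks, genre, details = line.split(":", 7)
    return Signature(w, int(ttl), int(df), int(size), opts.split(","), quirks, genre, details)


def window_matches(expr, syn):
    if expr == "*":
        return True
    if expr.startswith("%"):                 # multiple of nnn
        return syn.window % int(expr[1:]) == 0
    if expr.startswith("S") and syn.mss:     # multiple of MSS: S4 means 4 * MSS
        return syn.window == int(expr[1:]) * syn.mss
    if expr.startswith("T") and syn.mss:     # multiple of MTU, taken as MSS + 40 bytes of headers
        return syn.window == int(expr[1:]) * (syn.mss + 40)
    return expr.isdigit() and syn.window == int(expr)


def options_match(expected, observed):
    """Same options in the same order; 'M*' accepts any MSS value."""
    if len(expected) != len(observed):
        return False
    return all(e == o or (e == "M*" and o.startswith("M")) for e, o in zip(expected, observed))


def signature_matches(sig, syn):
    ttl_ok = sig.ttl - MAX_HOPS < syn.ttl <= sig.ttl
    return (window_matches(sig.window, syn) and ttl_ok and sig.df == syn.df
            and sig.size == syn.size and options_match(sig.options, syn.options)
            and sig.quirks == syn.quirks)


def identify(syn, signatures):
    """Return 'Genre Details' of the first matching signature line, or None."""
    for line in signatures:
        sig = parse_signature(line)
        if signature_matches(sig, syn):
            return f"{sig.genre} {sig.details}"
    return None


SIGNATURES = [
    "8192:32:1:48:M*,N,N,S:.:Windows:98",                 # from the slide
    "S4:64:1:60:M*,S,T,N,W0:.:Linux:2.6 (constructed)",   # constructed for this example
]
```

Running `identify` over the SYNs a sensor sees is the "rogue system" use from the previous slide; the same matcher also shows why a camouflage tool must get window, TTL, DF, size and option order all consistent at once, since a single field off (a window that is not a multiple of the MSS, say) drops the match.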
  • !! LET'S CAMOUFLAGE !!
  • COMMERCIAL ENGINES
    These techniques can be used to avoid commercial implementations. We hide our machine, fooling the detector engine into recognizing us as another OS, to attack another host and lead the administrator to think it may be a false positive.
    Fingerprint value example:
    key=fp_id;value=100000
    key=rna_fingerprint_type_id;value=9
    key=rna_fingerprint_description;value=iPhone
    key=rna_fingerprint_vendor_str;value=Apple
    key=rna_fingerprint_product_str;value=iOS
    key=rna_fingerprint_version_str;value=NULL
    key=val1;value=340e4d28c315390d
    key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
    key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
    I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with the default Nmap and p0f databases to get the desired TCP/IP header values.
  • ( WE'RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS )
    [Screenshot]
    OS FOOLED! NOW OUR LINUX IS AN IOS DEVICE
  • SPOOF NON EXISTING HOSTS AND CONSUME RNA ENGINE
    [Screenshot]
    HOST CREATED WITH OUR NEW TOOL :)
  • Long story short: SYN ACK FIN
  • SEGURIDADOFENSIVA.COM
    @SEGOFENSIVA