FROM KERNEL SPACE
TO USER HEAVEN
JAIME SÁNCHEZ
@SEGOFENSIVA
NUIT DU HACK 2013
$ WHO I AM

- Security researcher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure networks or ethical hacking
- I work in the Security Operations Center (SOC) of a multinational telecommunications company
- I'm sexy and I know it
- You can find my blog and adventures at www.seguridadofensiva.com
- Contact: @segofensiva
- Cyberwar is upon us. APT is very common nowadays, and we need to think about new tricks to stay one step ahead and keep our systems secure.
- With this technique you can take that step and defend your servers against the first phase of every APT operation: FINGERPRINTING.
- Cyber Warfare and Hacktivism
- Several companies attacked, like Facebook, Apple, Twitter, New York Times
- APT1, Stuxnet, Operation Hangover, etc.
The most important phases are RECONNAISSANCE and SCANNING.
The less information the attacker has, the better for our security.
If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
A BRIEF OVERVIEW
ARCHITECTURE

[Diagram: protection rings from Ring 0 (Kernel, more privileged) through Ring 1 and Ring 2 to Ring 3 (less privileged), with Devices drawn around the kernel.]

- Computer operating systems provide different levels of access to resources.
- This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
- Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
- On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
KERNEL vs USER SPACE

KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, USER SPACE is the memory area where all user mode applications work, and this memory can be swapped out when necessary.

Similarly, the term USERLAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
WTF !?
HOW I MET YOUR PACKETS

[Diagram: receive path of an incoming packet. DEVICE DRIVER: NIC memory → DMA engine → ring buffer → interrupt → interrupt handler → poll list (softirq). KERNEL SPACE: packet data → ip_rcv() → IP layer → tcp_v4_rcv() → TCP process → socket backlog / TCP recv buffer. USER SPACE: APPLICATION read().]

[Diagram: Netfilter chains. Inbound packets enter PREROUTING (mangle, conntrack); routing then sends local packets to INPUT and forwarded packets to FORWARD, where the filter table decides; forwarded and accepted packets leave the host.]

Locally destined packets must pass the INPUT chain to reach listening sockets.
TARGET EXTENSIONS

A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution:
QUEUE

- QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
- For this to be useful, two further components are required:
    - a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
    - a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
- The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
- QUEUE is the original, single-queue target (the ip_queue module); NFQUEUE is its replacement and lets you choose a queue number with --queue-num, as in the rule on the next slide. Without a userspace program bound to that queue, the matched packets are dropped unless the rule is given --queue-bypass.
$ iptables -A INPUT -j NFQUEUE --queue-num 0
SHOW ME SOME EXAMPLES!
FAKE SSH SOURCE

[Diagram: ATTACKER ($ _) → SSH SERVER, where the connection is made to appear as if it came from an INNOCENT host.]

- We will hide our source IP and replace it with any other value we want on our compromised SSH server.
- Useful to avoid filters without modifying files like /etc/hosts.deny.
- The userspace handler has to rewrite the source address on the way in and the destination address on every reply, otherwise the TCP handshake never completes and sshd never sees the fake address.
TRACEROUTE FAKING

[Diagram: SOURCE sends UDP probes with TTL=1, TTL=2 and TTL=3; each expires at a successive Router Hop, which answers ICMP TIME EXCEEDED. The probe with TTL=4 reaches DESTINATION, which answers ICMP PORT UNREACHABLE.]

If the internet packet has a TTL of 0 after decrement, that packet must not be passed on, and an Internet Control Message Protocol (ICMP) Time Exceeded in transit message is returned to the packet's origin.

Faking builds on that rule: a host that answers the probes that reach it with its own Time Exceeded messages, sourced from whatever addresses it likes, appears to sit behind hops that do not exist.
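The traceroute-faking policy as an NFQUEUE handler on the INPUT chain, written here as an added example rather than the author's tool. The iptables rule in the comment and the python-netfilterqueue binding are assumptions; the probe, the fake hop addresses (FAKE_HOPS) and the port range are constructed. The remaining TTL of an arriving probe selects which fake hop answers; probes whose TTL is beyond the fake path are accepted so the kernel sends the real Port Unreachable.

```python
import socket
import struct

# Constructed fake path: the remaining TTL of an arriving probe indexes this list.
FAKE_HOPS = ["10.66.0.1", "10.66.0.2", "10.66.0.3"]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when `data` already verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                                proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)


def udp_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Constructed sample: a UDP traceroute probe as it arrives at the target;
    `ttl` is what is left after the real routers decremented it."""
    udp = struct.pack("!HHHH", sport, dport, 8 + 32, 0) + b"\x00" * 32   # csum 0 = none
    return ipv4_header(src, dst, 17, len(udp), ttl) + udp


def fake_time_exceeded(probe: bytes, fake_hop: str) -> bytes:
    """The ICMP Time Exceeded (type 11, code 0) a router at `fake_hop` would have
    sent: ICMP header + the probe's IP header and first 8 bytes (RFC 792)."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = bytearray(struct.pack("!BBHI", 11, 0, 0, 0)) + probe[:ihl + 8]
    icmp[2:4] = struct.pack("!H", checksum(bytes(icmp)))
    origin = socket.inet_ntoa(probe[12:16])
    return ipv4_header(fake_hop, origin, 1, len(icmp), ttl=255) + bytes(icmp)


def traceroute_verdict(probe: bytes, fake_hops=FAKE_HOPS):
    """Policy for probes handed to us by NFQUEUE on the INPUT chain.  A remaining
    TTL inside the fake path gets a forged Time Exceeded and the probe is dropped;
    anything else is accepted so the kernel answers Port Unreachable itself.
    Returns (verdict, forged_reply_or_None)."""
    if (probe[0] >> 4) != 4 or probe[9] != 17:
        return "accept", None
    ttl = probe[8]
    if 1 <= ttl <= len(fake_hops):
        return "drop", fake_time_exceeded(probe, fake_hops[ttl - 1])
    return "accept", None


def send_raw(reply: bytes) -> None:
    """Inject the forged reply; IP_HDRINCL keeps our spoofed source (needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    sock.sendto(reply, (socket.inet_ntoa(reply[16:20]), 0))
    sock.close()


def nfqueue_callback(nfpkt) -> None:
    """Callback for the python-netfilterqueue binding (assumed), bound to the queue
    fed by: iptables -A INPUT -p udp --dport 33434:33534 -j NFQUEUE --queue-num 0"""
    verdict, reply = traceroute_verdict(nfpkt.get_payload())
    if verdict == "drop":
        send_raw(reply)
        nfpkt.drop()
    else:
        nfpkt.accept()
```

Because the first probe that reaches the host arrives with TTL=1, this makes the host appear len(FAKE_HOPS) hops further away, with the invented addresses printed as the extra hops. TCP- and ICMP-based traceroutes need their own match rules, and an observer comparing the forged replies' TTL (255 here) with those of the real routers can still spot the trick.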
REMOTE OS FINGERPRINTING
CLASSIC TECHNIQUES
- Or we could just use Shodan, a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
NMAP

Fields of an Nmap OS detection result:
- Device Type
- Running
- OS Details
- Uptime Guess
- Network Distance
- TCP Sequence Prediction
- IP ID Sequence Generation

Device type: general purpose
Running: Microsoft Windows 7|Vista|2000
OS CPE: cpe:/o:microsoft:windows_7::professional
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good Luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
- I looked for jailbroken iPhones with a custom Perl script:
    - Scan network ranges
    - For each host, scan port 62078
    - If port 62078 is open, then try with SSH
    - If the SSH port is open, try to log in with credentials: root/alpine
21
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
NMAP METHODS
NMAP INTERNAL PROBES

- Nmap sends up to 16 TCP, UDP and ICMP probes to open and closed ports on the target:
    - SEQUENCE GENERATION (SEQ, OPS, WIN & T1): six TCP SYNs to an open port
    - ICMP ECHO (IE): two echo requests
    - TCP EXPLICIT CONGESTION NOTIFICATION (ECN): one SYN with the ECN bits set
    - TCP T2-T7: six probes with unusual flag combinations, to open and closed ports
    - UDP (U1): one probe to a closed port

Most important response tests:
- TCP ISN greatest common divisor (GCD)
- TCP IP ID sequence generation algorithm (TI)
- TCP timestamp option algorithm (TS)
- TCP options (O, O1-O6)
- TCP initial window size (W, W1-W6)
- Responsiveness (R)
- IP don't fragment bit (DF)
- IP initial time-to-live guess (TG)

Although there are others:
- TCP ISN counter rate (ISR)
- ICMP IP ID sequence generation algorithm (II)
- Shared IP ID sequence Boolean (SS)
- Don't fragment ICMP (DFI)
- Explicit congestion notification (CC)
- TCP miscellaneous quirks (Q)
- TCP sequence number (S)
- etc.
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
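A parser for an nmap-os-db entry like the one above, added here as an example (not the author's tool or Nmap's own code): it turns the hex attributes into the numbers a camouflage handler would want, which is the kind of cross-referencing the author describes later for the Nmap and p0f databases. The entry is the one shown on this slide, embedded inline; the option decoder covers the letters Nmap uses in O strings (M, W, T, S, N, L).

```python
import re

# The nmap-os-db entry shown on the slide, embedded inline (not read from disk).
FINGERPRINT = """\
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text: str) -> dict:
    """Parse one nmap-os-db entry into {'name', 'class', 'tests': {test: {attr: value}}}.
    Values stay as the raw strings Nmap uses (hex numbers, ranges such as 3B-45)."""
    fp = {"name": None, "class": [], "tests": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            fp["name"] = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            fp["class"] = [f.strip() for f in line[len("Class "):].split("|")]
        else:
            m = TEST_LINE.match(line)
            if m:
                attrs = (kv.split("=", 1) for kv in m.group(2).split("%") if kv)
                fp["tests"][m.group(1)] = {k: v for k, v in attrs}
    return fp


def hex_range(value: str) -> tuple:
    """Nmap numeric attributes are hex; 'A-B' is an inclusive range, a lone value a point."""
    lo, _, hi = value.partition("-")
    return int(lo, 16), int(hi or lo, 16)


OPT_TOKEN = re.compile(r"M([0-9A-F]+)|W([0-9A-F]+)|T(\d)(\d)|S|N|L")


def decode_options(o: str) -> list:
    """Decode an Nmap O string (e.g. 'M5B4ST11NW7') into (kind, value) pairs, in order."""
    out = []
    for m in OPT_TOKEN.finditer(o):
        if m.group(1):
            out.append(("MSS", int(m.group(1), 16)))
        elif m.group(2):
            out.append(("WS", int(m.group(2), 16)))
        elif m.group(3):
            out.append(("TS", (int(m.group(3)), int(m.group(4)))))   # tsval/tsecr non-zero flags
        else:
            out.append({"S": ("SACK", None), "N": ("NOP", None), "L": ("EOL", None)}[m.group(0)])
    return out


def header_values(fp: dict) -> dict:
    """What a camouflage handler needs from the entry: the initial TTL guess and DF
    bit of the SYN/ACK (T1) plus the six observed windows and option strings."""
    t1, ops, win = fp["tests"]["T1"], fp["tests"]["OPS"], fp["tests"]["WIN"]
    return {
        "ttl": hex_range(t1["TG"])[0],
        "df": t1["DF"] == "Y",
        "windows": [int(win["W%d" % i], 16) for i in range(1, 7)],
        "options": [decode_options(ops["O%d" % i]) for i in range(1, 7)],
    }
```

Reading the decoded values is instructive on its own: W=0x8018 is a window of 32792 and O=M400C an MSS of 16396, which is what a Linux host advertises over an interface with MTU 16436, the old default of the loopback device, so this reference entry was almost certainly captured by scanning localhost. Copying it verbatim onto a box on a 1500-byte Ethernet segment would produce a SYN no real Linux host sends there.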
OTHER TOOLS
- IP PERSONALITY: a patch for Linux 2.4 kernels that modifies characteristics of network traffic.
- STEALTH PATCH: a simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing it to ignore some kinds of packets.
- FINGERPRINT FUCKER: a kernel module available for Linux kernel version 2.2 that also tries to hide the original OS and act as a different one.
- BLACKHOLE: TCP and UDP packet filtering options (the FreeBSD net.inet.tcp.blackhole and net.inet.udp.blackhole sysctls), allowing to respectively block RST and ICMP answers on closed ports.
- HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
- OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
!! LET’S CAMOUFLAGE !!
BITCH PLEASE ...
PASSIVE OS FINGERPRINTING
- p0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
- There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
- Passive fingerprinting is like a packet sniffer: it examines network traffic, making a copy of the data, but without redirecting or altering it.
- Can be used for several purposes:
    1. As stealthy fingerprinting, bypassing the need for an active tool that can be detected by various IDS systems.
    2. To identify remote proxy firewalls.
    3. Organizations can use it to identify rogue systems on their network.
SIGNATURES

8192:32:1:48:M*,N,N,S:.:Windows:98

Fields, in order: Window Size : Initial TTL : DF Bit : Packet Size : TCP options and order : Quirks : Operating System

Window Size
    - * Any value
    - %nnn Multiple of nnn
    - Sxx Multiple of MSS
    - Txx Multiple of MTU
    - xxx Constant value
Initial TTL
DF Bit
Packet Size
TCP options and order
    - N: NOP
    - E: EOL
    - Wnnn: WS
    - Mnnn: MSS
    - S: SACK
    - T / T0: Timestamp
    - ?n: unknown option n
Quirks
    - Data in SYN packets
    - Options after EOL
    - IP ID field = 0
    - ACK different from 0
    - Unusual flags
    - Incorrect options decode
Operating System
    - Family
    - Version
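What the camouflage boils down to, as an added example rather than the author's tool: a p0f signature like the one above resolved into concrete header values and applied to an outbound SYN from userspace, the way an NFQUEUE handler would do it, plus the source-address rewrite that the fake SSH source slide describes. Everything is standard library; the python-netfilterqueue binding and the OUTPUT rule in run_queue() are assumptions, the sample SYN and its addresses are constructed, and the tsval written for a T option is a placeholder.

```python
import socket
import struct

# p0f v2 SYN signature from the slide: wsize:ttl:df:size:options:quirks:os:details
TARGET_SIG = "8192:32:1:48:M*,N,N,S:.:Windows:98"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when `data` already verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_csum(ip_hdr: bytes, tcp: bytes) -> bytes:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return struct.pack("!H", checksum(pseudo + tcp))


def parse_p0f_sig(line: str, mss: int = 1460) -> dict:
    """Resolve a p0f v2 signature into concrete header values; wildcards (M*, a
    wsize of '*') are filled from `mss` or left as None (= keep the original)."""
    wsize, ttl, df, size, opts, _quirks, os_name, details = line.split(":", 7)
    options = b""
    for tok in opts.split(","):
        if tok in ("N", "E", "S"):                                # NOP, EOL, SACK permitted
            options += {"N": b"\x01", "E": b"\x00", "S": b"\x04\x02"}[tok]
        elif tok[0] == "M":                                       # Mnnn or M*: MSS
            options += struct.pack("!BBH", 2, 4, mss if tok[1:] == "*" else int(tok[1:]))
        elif tok[0] == "W":                                       # Wnnn: window scale
            options += struct.pack("!BBB", 3, 3, int(tok[1:]))
        elif tok in ("T", "T0"):                                  # timestamp; tsval is a placeholder
            options += struct.pack("!BBII", 8, 10, 0 if tok == "T0" else 1, 0)
        else:
            raise ValueError("unsupported p0f option token %r" % tok)
    if wsize == "*":
        win = None
    else:                                  # %n multiple of n, Sn multiple of MSS, Tn multiple of MTU
        unit = {"%": 1, "S": mss, "T": mss + 40}.get(wsize[0])
        win = int(wsize[1:]) * unit if unit else int(wsize)
    return {"win": win, "ttl": int(ttl), "df": df == "1", "size": int(size),
            "options": options, "os": os_name + " " + details}


def build_syn(src, dst, sport, dport, ttl=64, win=29200, options=b"") -> bytes:
    """Constructed sample input: a plain IPv4 SYN (options already padded to 4 bytes)."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                (5 + len(options) // 4) << 4, 0x02, win, 0, 0)) + options
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                               ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    tcp[16:18] = tcp_csum(bytes(ip), bytes(tcp))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip + tcp)


def mangle_syn(pkt: bytes, sig: dict) -> bytes:
    """Rewrite TTL, DF, window and options of a bare IPv4 SYN to match `sig`; anything else is untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), pkt[ihl:]
    if (ip[0] >> 4) != 4 or ip[9] != 6 or (tcp[13] & 0x12) != 0x02:
        return pkt
    payload = tcp[(tcp[12] >> 4) * 4:]
    opts = sig["options"] + b"\x00" * (-len(sig["options"]) % 4)   # EOL padding
    hdr = bytearray(tcp[:20]) + opts
    hdr[12] = (len(hdr) // 4) << 4                                 # new data offset
    if sig["win"] is not None:
        hdr[14:16] = struct.pack("!H", sig["win"])
    ip[8] = sig["ttl"]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    ip[6:8] = struct.pack("!H", (flags_frag | 0x4000) if sig["df"] else (flags_frag & 0xBFFF))
    ip[2:4] = struct.pack("!H", ihl + len(hdr) + len(payload))
    ip[10:12] = hdr[16:18] = b"\x00\x00"
    hdr[16:18] = tcp_csum(bytes(ip), bytes(hdr) + payload)
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    return bytes(ip) + bytes(hdr) + payload


def rewrite_src(pkt: bytes, new_src: str) -> bytes:
    """Fake SSH source: swap the IPv4 source and fix both checksums (return-path rewrite not shown)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, rest = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:16] = socket.inet_aton(new_src)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    if ip[9] == 6:                          # the TCP checksum covers the pseudo-header too
        rest[16:18] = b"\x00\x00"
        rest[16:18] = tcp_csum(bytes(ip), bytes(rest))
    return bytes(ip + rest)


def run_queue(queue_num=0, sig=parse_p0f_sig(TARGET_SIG)):
    """Userspace side of: iptables -A OUTPUT -p tcp --syn -j NFQUEUE --queue-num 0
    Needs root and the python-netfilterqueue binding (assumed; imported lazily)."""
    from netfilterqueue import NetfilterQueue

    def verdict(nfpkt):
        nfpkt.set_payload(mangle_syn(nfpkt.get_payload(), sig))
        nfpkt.accept()
    nfq = NetfilterQueue()
    nfq.bind(queue_num, verdict)
    nfq.run()


# Constructed sample: a Linux-looking SYN (p0f order M1460,S,T,N,W7 = 20 option bytes).
LINUX_OPTS = (struct.pack("!BBH", 2, 4, 1460) + b"\x04\x02" + struct.pack("!BBII", 8, 10, 123456, 0)
              + b"\x01" + struct.pack("!BBB", 3, 3, 7))
SAMPLE_SYN = build_syn("192.0.2.10", "198.51.100.22", 40000, 22, options=LINUX_OPTS)
```

Only bare SYNs are touched because that is what p0f and Nmap's SEQ/T1 probes key on. The kernel still owns the connection, so the rewritten values are cosmetic: advertise an MSS larger than the kernel would have used and the peer may send segments the path cannot carry, and the DF bit you clear is not what the kernel's path-MTU logic believes. Check the result by running p0f on the far side of the link before trusting it.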
COMMERCIAL ENGINES

These techniques can also be used to evade commercial implementations. We hide our machine by fooling the detection engine into recognizing us as another OS, so that when we attack another host the administrator is led to think it may be a false positive.
Fingerprint value example (a record from the RNA engine):

key=fp_id;value=100000
key=rna_fingerprint_type_id;value=9
key=rna_fingerprint_description;value=iPhone
key=rna_fingerprint_vendor_str;value=Apple
key=rna_fingerprint_product_str;value=iOS
key=rna_fingerprint_version_str;value=NULL
key=val1;value=340e4d28c315390d
key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross-reference the data available with the default Nmap and p0f databases to get the desired TCP/IP header values.
(WE'RE RUNNING OUR PROGRAM IN THE BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS)
[Screenshots]
OS FOOLED! NOW OUR LINUX IS AN iOS DEVICE
SPOOF NON-EXISTING HOSTS AND CONSUME THE RNA ENGINE
HOST CREATED WITH OUR NEW TOOL :)
[Screenshots]
Long story short: SYN ACK FIN
SEGURIDADOFENSIVA.COM
@SEGOFENSIVA

Practical steps to mitigate DDoS attacks
 
Parrot Drones Hijacking
Parrot Drones HijackingParrot Drones Hijacking
Parrot Drones Hijacking
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
04-post-connection-attacks.pdf
04-post-connection-attacks.pdf04-post-connection-attacks.pdf
04-post-connection-attacks.pdf
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
111
111111
111
 
111
111111
111
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container Networks
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 

Recently uploaded

Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Juan Carlos Gonzalez
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 

Recently uploaded (20)

Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?Governance in SharePoint Premium:What's in the box?
Governance in SharePoint Premium:What's in the box?
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
UiPath Clipboard AI: "A TIME Magazine Best Invention of 2023 Unveiled"
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

From Kernel Space to User Heaven #NDH2k13

  • 1. FROM KERNEL SPACE TO USER HEAVEN JAIME SÁNCHEZ @SEGOFENSIVA NUIT DU HACK 2013
  • 2. $ WHO I AM § Security researcher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure networks or ethical hacking § I work in the Security Operations Center (SOC) of a multinational telecommunications company § I'm sexy and I know it § You can find my blog and adventures at www.seguridadofensiva.com § Contact @segofensiva (slide footer: 2 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013)
  • 3. - Cyberwar is upon us. APT is very common nowadays and we need to think about new tricks to be one step ahead to keep the system secure. - With this technique you can provide that step in order to defend your servers against the first phase in all APT operations: FINGERPRINTING.
  • 4. § Cyber Warfare and Hacktivism § Several companies attacked, like Facebook, Apple, Twitter, New York Times § APT1, Stuxnet, Operation Hangover, etc.
  • 5. The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
  • 6. A BRIEF OVERVIEW
  • 7. ARCHITECTURE (diagram: protection rings 0 to 3 around the kernel and devices, from more privileged to less privileged) § Computer operating systems provide different levels of access to resources. § This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. § Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). § On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. (slide footer: How i met your packet / From kernel Space to user Heaven)
  • 8. KERNEL vs USER SPACE. KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user mode applications work, and this memory can be swapped out when necessary. Similarly, the term USER LAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
  • 9. WTF !?
  • 11. (diagram: the inbound packet path. DEVICE DRIVER: incoming packet -> NIC memory -> DMA engine -> ring buffer -> interrupt -> interrupt handler -> poll list / softirq. KERNEL SPACE: packet data -> ip_rcv() -> IP layer -> tcp_v4_rcv() -> TCP process / socket backlog -> TCP recv buffer. USER SPACE: APPLICATION read(). Netfilter chains: inbound packets pass PREROUTING (CONNTRACK, MANGLE), then INPUT (FILTER) for local packets or FORWARD for forwarded packets; locally destined packets must pass the INPUT chain to reach listening sockets.)
  • 12. TARGET EXTENSIONS. A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution:
  • 13. QUEUE § QUEUE is an iptables and ip6tables target which queues the packet for userspace processing. § For this to be useful, two further components are required: • a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and • a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets. § The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
    $ iptables -A INPUT -j NFQUEUE --queue-num 0
  • 14. SHOW ME SOME EXAMPLES!
  • 15. FAKE SSH SOURCE (diagram: ATTACKER, INNOCENT host and SSH SERVER; prompt "$ _") - We will hide our source IP and will modify it with any other value we want in our compromised SSH server - Useful to avoid filters and not modifying files like /etc/hosts.deny
  • 16. TRACEROUTE FAKING (diagram: SOURCE sends UDP probes with TTL=1, TTL=2, TTL=3, TTL=4 towards DESTINATION through several router hops; each hop that expires the TTL answers ICMP TIME EXCEEDED, and the destination answers ICMP PORT UNREACHABLE) If the internet packet has a TTL of 0 after decrement, that packet must not be passed on and an Internet Control Message Protocol (ICMP) Time Exceeded in transit is returned to the packet's origin.
  • 17. REMOTE OS FINGERPRINTING
  • 18. CLASSIC TECHNIQUES
  • 19. § Or we could just use Shodan, a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
  • 20. NMAP - Device Type - Network Distance - Running - TCP Sequence Prediction - OS Details - IP ID Sequence Generation - Uptime Guess
    Device Type: general purpose
    Running: Microsoft Windows 7|Vista|2000
    OS CPE: cpe:/o:microsoft:windows_7::professional
    OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
    Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=262 (Good Luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  • 21. - I looked for jailbroken iPhones with a custom Perl script:
    - Scan network ranges
    - For each host, scan 62078 port.
    - If open 62078 port, then try with SSH
    - If open SSH port, try to log in with credentials: root/alpine
  • 22. NMAP METHODS - Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports: SEQUENCE GENERATION (SEQ, OPS, WIN & T1); ICMP ECHO (IE); TCP EXPLICIT CONGESTION NOTIFICATION (ECN); TCP T2-T7; UDP
  • 23. NMAP INTERNAL PROBES. Most important: § TCP ISN greatest common divisor (GCD) § TCP IP ID sequence generation alg (TI) § TCP timestamp option alg (TS) § TCP Options (O, O1-O6) § TCP initial Window Size (W, W1-W6) § Responsiveness (R) § IP don't fragment bit (DF) § IP initial time-to-live guess (TG). Although there are others: § TCP ISN counter rate (ISR) § ICMP IP ID sequence generation alg (II) § Shared IP ID sequence Boolean (SS) § Don't Fragment ICMP (DFI) § Explicit congestion notification (C) § TCP miscellaneous quirks (Q) § TCP sequence number (S) § etc.
    Fingerprint Linux 2.6.17 - 2.6.24
    Class Linux | Linux | 2.6.X | general purpose
    SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
    OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
    WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
    ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
    T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
    T2(R=N)
    T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
    T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
    T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
    T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
    IE(DFI=N%T=3B-45%TG=40%CD=S)
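As an added illustration of the fingerprint format on this slide (this is neither Nmap's code nor the talk's tool), the Python below parses fingerprint entries into per-test attribute tables and checks observed probe results against them, so an administrator can see exactly which header values a matching engine expects from a host before and after touching its TCP/IP stack. The sample fingerprint is the slide's Linux 2.6.17 - 2.6.24 entry (T6 and T7 left out to keep it short); the OBSERVED table is constructed for the example, and the '|' alternatives and '>' / '<' operators that value_matches accepts are an assumption about Nmap's fingerprint grammar, not something shown on the slide.

```python
"""Parse Nmap OS fingerprints (the SEQ/OPS/WIN/ECN/T1-T7/U1/IE lines of slide 23)
and compare observed probe results against them.  Added example, not Nmap's code."""
import re

# Sample input constructed from the Linux 2.6.17 - 2.6.24 fingerprint on slide 23
# (T6 and T7 omitted for brevity).
SAMPLE_FINGERPRINT = """\
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
"""

TEST_LINE = re.compile(r"^([A-Z][A-Z0-9]*)\((.*)\)$")   # e.g. T1(...) or SEQ(...)
HEX = re.compile(r"[0-9A-F]+")

def parse_fingerprint(text):
    """Return {'name', 'class', 'tests': {test: {attr: expected}}}."""
    fp = {"name": None, "class": None, "tests": {}}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            fp["name"] = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            fp["class"] = [part.strip() for part in line[len("Class "):].split("|")]
        else:
            m = TEST_LINE.match(line)
            if not m:
                raise ValueError("not a fingerprint test line: %r" % line)
            test, body = m.groups()
            attrs = {}
            for item in body.split("%") if body else []:
                key, _, value = item.partition("=")
                attrs[key] = value                      # value may be '' (e.g. Q=)
            fp["tests"][test] = attrs
    return fp

def value_matches(expected, observed):
    """An expected value is a '|'-separated list of alternatives; each alternative is a
    literal (Y, Z, M400C, S+, ...), a hex range LO-HI, or >HEX / <HEX (assumed grammar)."""
    for alt in expected.split("|"):
        if alt == observed:
            return True
        if not HEX.fullmatch(observed):
            continue                                     # non-numeric values match literally only
        num = int(observed, 16)
        rng = re.fullmatch(r"([0-9A-F]+)-([0-9A-F]+)", alt)
        if rng and int(rng.group(1), 16) <= num <= int(rng.group(2), 16):
            return True
        if alt[:1] == ">" and HEX.fullmatch(alt[1:]) and num > int(alt[1:], 16):
            return True
        if alt[:1] == "<" and HEX.fullmatch(alt[1:]) and num < int(alt[1:], 16):
            return True
    return False

def mismatches(fp, observed):
    """Compare observed results {test: {attr: value}} against the fingerprint and list every
    (test, attr, expected, observed) that disagrees; attributes the fingerprint does not
    constrain are skipped."""
    out = []
    for test, attrs in observed.items():
        for attr, seen in attrs.items():
            expected = fp["tests"].get(test, {}).get(attr)
            if expected is not None and not value_matches(expected, seen):
                out.append((test, attr, expected, seen))
    return out

# Constructed observation for a host that agrees with the fingerprint except for the
# IP TTL seen in the ECN probe (0x20 is below the 3B-45 range) and its ECN window.
OBSERVED = {
    "SEQ": {"GCD": "3", "TI": "Z"},
    "T1":  {"R": "Y", "DF": "Y", "T": "40", "F": "AS"},
    "ECN": {"T": "20", "W": "7FFF"},
}

if __name__ == "__main__":
    for item in mismatches(parse_fingerprint(SAMPLE_FINGERPRINT), OBSERVED):
        print("%s.%s: expected %s, observed %s" % item)
```

Feeding the output of a real probe run into OBSERVED (one dict per test, attribute codes as in the slide's list: R, DF, T, TG, W, O, Q, ...) turns the slide's reference entry into a checklist of exactly which header values a host must emit to be classified as that entry, which is also the list a defender must keep stable when hardening a stack.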
  • 24. OTHER TOOLS
    - IP PERSONALITY: a patch for Linux kernels of version 2.4 that modifies characteristics of network traffic.
    - STEALTH PATCH: simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing to ignore some kinds of packets.
    - FINGERPRINT FUCKER: a kernel module available for Linux kernel of version 2.2 that also tries to hide the original OS and act as a different one.
    - BLACKHOLE: TCP and UDP packet filtering options, allowing to respectively block RST and ICMP answers on closed ports.
    - HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
    - OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
  • 25. !! LET'S CAMOUFLAGE !!
  • 26. BITCH PLEASE ...
  • 27. PASSIVE OS FINGERPRINTING - p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way. - There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence. - Passive fingerprinting is like a packet sniffer. It examines network traffic, making a copy of the data but without redirecting or altering it. - Can be used for several purposes: 1. As stealthy fingerprinting, bypassing the need for using an active tool that can be detected by various IDS systems. 2. To identify remote proxy firewalls. 3. Organizations can use it to identify rogue systems on their network. (diagram: Sniffer)
  • 28. SIGNATURES
    p0f signature example: 8192:32:1:48:M*,N,N,S:.:Windows:98
    Fields, left to right: Window Size : Initial TTL : DF Bit : Packet Size : TCP options and order : Quirks : Operating System (Family : Version)
    Window Size: * any value; %nnn multiple of nnn; Sxx MSS multiple; Txx MTU multiple; xxx constant value
    TCP options and order: N: NOP; E: EOL; Wnnn: WS; Mnnn: MSS; S: SACK; T / T0: Timestamp; ?n
    Quirks: data in SYN packets; options after EOL; IP ID field = 0; ACK different to 0; unusual flags; incorrect options decode
    Operating System: Family, Version
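The signature fields on this slide, the "userspace application that receives packets and issues verdicts" model of slide 13, and the rogue-system-detection use of passive fingerprinting on slide 27, as one added Python example (it is neither p0f's code nor the tool from the talk): it parses a raw IPv4/TCP SYN, builds the window:ttl:df:size:options:quirks string the slide describes, and looks it up in a small signature table. Assumptions, all mine: the second table entry and the sample packets are constructed; quirk letters follow p0f v2's convention (P, Z, A, F, D); the 31-hop TTL allowance in identify is this example's choice; run_on_nfqueue assumes the third-party netfilterqueue package and a rule in the spirit of the slide 13 command, e.g. `iptables -A INPUT -p tcp --syn -j NFQUEUE --queue-num 0`, and only observes, accepting every packet unchanged.

```python
"""Build a p0f-style SYN signature (window:ttl:df:size:options:quirks) from a raw IPv4/TCP
packet and look it up in a signature table.  Added example: not p0f's code and not the talk's tool."""
import struct

# Constructed table in the slide 28 format (window:ttl:df:size:options:quirks:OS:version).
# Entry 1 is the slide's own example; entry 2 is made up here (S4 = 4*MSS window, W0 = wscale 0).
SIGNATURES = [
    "8192:32:1:48:M*,N,N,S:.:Windows:98",
    "S4:64:1:60:M*,S,T,N,W0:.:Linux:2.6",
]

def parse_syn(raw):
    """Extract the signature fields from an IPv4 header + TCP SYN (checksums are not verified)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id, frag, ttl = struct.unpack("!HHHB", raw[2:9])
    tcp = raw[ihl:]
    ack, off_flags, window = struct.unpack("!IHH", tcp[8:16])
    doff = (off_flags >> 12) * 4
    opts, mss, past_eol, i = [], None, False, 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                                  # EOL: any non-zero byte after it is a quirk
            opts.append("E")
            past_eol, i = any(tcp[i + 1:doff]), doff
        elif kind == 1:                                # NOP
            opts.append("N")
            i += 1
        else:
            length, body = tcp[i + 1], tcp[i + 2:i + tcp[i + 1]]
            if kind == 2:                              # MSS
                mss = int.from_bytes(body, "big")
                opts.append("M%d" % mss)
            elif kind == 3:                            # window scale
                opts.append("W%d" % body[0])
            elif kind == 4:                            # SACK permitted
                opts.append("S")
            elif kind == 8:                            # timestamp; T0 when TSval is zero
                opts.append("T" if int.from_bytes(body[:4], "big") else "T0")
            else:
                opts.append("?%d" % kind)
            i += length
    # Quirk letters as in p0f v2: P options past EOL, Z zero IP ID, A non-zero ACK,
    # F flags other than SYN, D data in the SYN; "." when there are none.
    quirks = "".join(q for q, hit in (("P", past_eol), ("Z", ip_id == 0), ("A", ack != 0),
                     ("F", bool(off_flags & 0x1FF & ~0x02)), ("D", total_len > ihl + doff)) if hit)
    return {"window": window, "ttl": ttl, "df": 1 if frag & 0x4000 else 0, "size": total_len,
            "opts": opts, "quirks": quirks or ".", "mss": mss}

def signature_string(f):
    return "%d:%d:%d:%d:%s:%s" % (f["window"], f["ttl"], f["df"], f["size"],
                                  ",".join(f["opts"]), f["quirks"])

def window_matches(spec, window, mss):
    """Slide 28 window specs: * any, %n multiple of n, Sn n*MSS, Tn n*MTU, else a constant."""
    if spec == "*":
        return True
    if spec[0] == "%":
        return window % int(spec[1:]) == 0
    if spec[0] in "ST":                                # MTU taken as MSS + 40 (IPv4 + TCP headers)
        return mss is not None and window == int(spec[1:]) * (mss if spec[0] == "S" else mss + 40)
    return window == int(spec)

def identify(f, max_hops=31):
    """First matching (family, version) or None; observed TTL may be up to max_hops below
    the signature's initial TTL (the hop allowance is this example's choice, not p0f's rule)."""
    for sig in SIGNATURES:
        win, ttl, df, size, opts, quirks, family, version = sig.split(":")
        spec_opts = opts.split(",") if opts else []
        if not 0 <= int(ttl) - f["ttl"] <= max_hops:
            continue
        if (int(df), int(size), quirks) != (f["df"], f["size"], f["quirks"]):
            continue
        if not window_matches(win, f["window"], f["mss"]):
            continue
        if len(spec_opts) != len(f["opts"]) or not all(
                s == o or (s == "M*" and o.startswith("M")) for s, o in zip(spec_opts, f["opts"])):
            continue
        return family, version
    return None

def build_syn(window, ttl, options, ip_id=0x1234, df=True):
    """Construct a raw IPv4/TCP SYN as sample input (constructed here, not captured traffic)."""
    doff = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1000, 0, ((doff // 4) << 12) | 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(options), ip_id,
                     0x4000 if df else 0, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + options

WIN98_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"                # MSS 1460, NOP, NOP, SACK-permitted
LINUX_OPTS = (b"\x02\x04\x05\xb4\x04\x02\x08\x0a\x00\x00\x00\x01"  # MSS 1460, SACK-permitted, TS
              b"\x00\x00\x00\x00\x01\x03\x03\x00")              # (TSval=1, TSecr=0), NOP, WS shift 0

def run_on_nfqueue(queue_num=0):
    """Classify live SYNs read-only via NFQUEUE (assumes the third-party netfilterqueue package)."""
    from netfilterqueue import NetfilterQueue
    def callback(pkt):
        fields = parse_syn(pkt.get_payload())          # payload starts at the IP header
        print(signature_string(fields), identify(fields))
        pkt.accept()                                   # never modified or dropped here
    nfq = NetfilterQueue()
    nfq.bind(queue_num, callback)
    nfq.run()
```

`signature_string(parse_syn(build_syn(8192, 32, WIN98_OPTS)))` yields `8192:32:1:48:M1460,N,N,S:.`, which `identify` resolves to the slide's Windows 98 entry; the same packet with a zero IP ID picks up the Z quirk and no longer matches, which is the point of the quirks column: a host whose stack differs in any of these fields from its claimed OS shows up as unknown or as something else, and that is what the "rogue system" use on slide 27 relies on. Running the classifier over your own hosts' SYNs shows what a p0f-style sensor will report about them.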
  • 29. !! LET'S CAMOUFLAGE !!
  • 30. COMMERCIAL ENGINES. These techniques can be used to avoid commercial implementations. We hide our machine, faking the detector engine and recognizing us like another OS, to attack another host and leading the administrator to think it may be a false positive.
    Fingerprint value example:
    key=fp_id;value=100000
    key=rna_fingerprint_type_id;value=9
    key=rna_fingerprint_description;value=iPhone
    key=rna_fingerprint_vendor_str;value=Apple
    key=rna_fingerprint_product_str;value=iOS
    key=rna_fingerprint_version_str;value=NULL
    key=val1;value=340e4d28c315390d
    key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
    key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
    I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with default Nmap and p0f database to get the desired TCP/IP header values.
  • 31. ( WE'RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS ) (screenshot) OS FOOLED! NOW OUR LINUX IS AN IOS DEVICE
  • 32. SPOOF NON EXISTING HOSTS AND CONSUME RNA ENGINE. HOST CREATED WITH OUR NEW TOOL :) (screenshot)
  • 33. Long story short: SYN ACK FIN
  • 34. SEGURIDADOFENSIVA.COM @SEGOFENSIVA