FROM KERNEL SPACE TO USER HEAVEN at NUIT DU HACK 2013 by JAIME SANCHEZ
More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com
What if you could queue all your incoming and outgoing network traffic from kernel space to user space? You could then write offensive or defensive applications that modify headers and payloads in real time, detect unauthorized traffic such as DNS tunneling connections, or fool well-known network tools. This will be demonstrated on Linux-powered devices. The talk also explains remote OS fingerprinting techniques, both active and passive, as implemented in tools like Nmap, p0f or vendor appliances, and how to defeat them. The technique needs neither virtual machines nor kernel patches, and is highly portable to other platforms.
2. WHO I AM

- Security researcher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure networks or ethical hacking
- I work in the Security Operations Center (SOC) of a multinational telecommunications company
- I'm sexy and I know it
- You can find my blog and adventures at www.seguridadofensiva.com
- Contact: @segofensiva

FROM KERNEL SPACE TO USER HEAVEN, NUIT DU HACK 2013
3. FROM KERNEL SPACE TO USER HEAVEN

- Cyberwar is upon us. APTs are very common nowadays, and we need to think about new tricks to stay one step ahead and keep our systems secure.
- This technique provides that step: it lets you defend your servers against the first phase of every APT operation, FINGERPRINTING.
4.

- Cyber warfare and hacktivism
- Several companies attacked, like Facebook, Apple, Twitter, New York Times
- APT1, Stuxnet, Operation Hangover, etc.
5.

The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
7. ARCHITECTURE

[Figure: protection rings, from Ring 0 (kernel, most privileged) innermost to Ring 3 (least privileged) outermost, with devices around them.]

- Computer operating systems provide different levels of access to resources.
- This is generally hardware-enforced by CPU architectures that provide different CPU modes at the hardware or microcode level.
- Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
- On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
8. KERNEL vs USER SPACE

KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user-mode applications work, and this memory can be swapped out when necessary.

Similarly, the term USERLAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
9. WTF!?
11.

[Figure: Linux receive path from the NIC to the application. NIC -> DMA engine -> ring buffer (NIC memory) -> interrupt -> interrupt handler -> poll list / softirq (device driver) -> ip_rcv() (IP layer) -> tcp_v4_rcv() (TCP process) -> socket backlog -> TCP receive buffer (kernel space) -> read() (application, user space).]

[Figure: Netfilter chains on the inbound path. Inbound packets enter PREROUTING (conntrack, mangle) and are then routed: locally destined packets must pass the INPUT chain (filter) to reach listening sockets; forwarded packets pass the FORWARD chain, and forwarded and accepted packets leave the host.]
12. TARGET EXTENSIONS

A target extension consists of a KERNEL MODULE and an optional extension to iptables that provides new command-line options. There are several extensions in the default Netfilter distribution:
13. QUEUE

- QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
- For this to be useful, two further components are required:
  - a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
  - a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
- The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
- The legacy QUEUE target (ip_queue) knows a single queue only; its replacement is NFQUEUE, which takes a queue number (--queue-num) and is served from userspace through libnetfilter_queue. Packets sent to a queue nobody is listening on are dropped unless the rule also sets --queue-bypass, and the handler can raise the 1024 limit with nfq_set_queue_maxlen().

$ iptables -A INPUT -j NFQUEUE --queue-num 0
14. SHOW ME SOME EXAMPLES!
15. FAKE SSH SOURCE

[Figure: the ATTACKER at a shell prompt connects to the SSH SERVER; the server sees the connection as coming from an INNOCENT host.]

- We will hide our source IP and replace it with any other value we want on our compromised SSH server.
- Useful to get past filters such as tcp_wrappers without modifying files like /etc/hosts.deny.
16. TRACEROUTE FAKING

[Figure: traceroute exchange. The SOURCE sends UDP probes with TTL=1, 2, 3, ...; each router hop whose decrement brings the TTL to 0 answers with ICMP TIME EXCEEDED; the DESTINATION answers the final probe (TTL=4 here) with ICMP PORT UNREACHABLE.]

If the packet has a TTL of 0 after decrement, that packet must not be passed on, and an Internet Control Message Protocol (ICMP) Time Exceeded in transit message is returned to the packet's origin.
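The two tricks on slides 15 and 16 both come down to mangling a queued packet before the kernel sees it again. The C block below is an added example, not the talk's tool (whose code is not on the page): it is the mangling core that the userspace application of slide 13 would call from its NFQUEUE callback. In a real handler the packet comes from nfq_get_payload() inside the callback registered with nfq_create_queue() and the modified buffer goes back with nfq_set_verdict(qh, id, NF_ACCEPT, len, buf); that libnetfilter_queue wrapper is left out so the block compiles stand-alone. The function names, the sample UDP probe and the addresses are this example's own.

```c
/* Added example (not the talk's tool): the mangling core an NFQUEUE handler
 * would run on each queued packet, covering the two tricks above:
 *   rewrite_ipv4_src()    rewrites the source address of an IPv4/TCP packet
 *                         and fixes the IP and TCP checksums (fake SSH source);
 *   build_time_exceeded() crafts the ICMP Time Exceeded a fake router hop
 *                         would return for a traceroute UDP probe.
 * Assumed: raw IPv4 as nfq_get_payload() returns it, no IP options, and
 * addresses passed in network byte order. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1071 one's-complement sum over a byte range; fold_sum() finishes it. */
static uint32_t sum_bytes(const uint8_t *p, size_t len, uint32_t acc)
{
    for (; len > 1; p += 2, len -= 2)
        acc += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        acc += (uint32_t)(p[0] << 8);
    return acc;
}

static uint16_t fold_sum(uint32_t acc)
{
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

static void fix_ip_checksum(uint8_t *ip)
{
    put16(ip + 10, 0);
    put16(ip + 10, fold_sum(sum_bytes(ip, (ip[0] & 0x0f) * 4, 0)));
}

/* TCP checksum covers the IPv4 pseudo-header (src, dst, 0, proto, length)
 * followed by the whole segment, so changing the source IP invalidates it. */
static void fix_tcp_checksum(uint8_t *ip, size_t pkt_len)
{
    size_t ihl = (ip[0] & 0x0f) * 4, tcp_len = pkt_len - ihl;
    uint8_t *tcp = ip + ihl, pseudo[12];
    memcpy(pseudo, ip + 12, 8);
    pseudo[8] = 0;
    pseudo[9] = ip[9];
    put16(pseudo + 10, (uint16_t)tcp_len);
    put16(tcp + 16, 0);
    put16(tcp + 16, fold_sum(sum_bytes(tcp, tcp_len, sum_bytes(pseudo, 12, 0))));
}

/* Returns 0 on success, -1 if this is not a plain IPv4/TCP packet. */
int rewrite_ipv4_src(uint8_t *pkt, size_t len, const uint8_t new_src[4])
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl + 20 > len) return -1;
    memcpy(pkt + 12, new_src, 4);
    fix_ip_checksum(pkt);
    fix_tcp_checksum(pkt, len);
    return 0;
}

/* ICMP type 11 code 0 ("TTL exceeded in transit") sourced from fake_router,
 * quoting the probe's IP header plus 8 bytes as RFC 792 requires. Returns the
 * reply length written to out, or 0 if the probe is bad or out is too small. */
size_t build_time_exceeded(const uint8_t *probe, size_t probe_len,
                           const uint8_t fake_router[4],
                           uint8_t *out, size_t out_cap)
{
    if (probe_len < 20 || (probe[0] >> 4) != 4) return 0;
    size_t quote = (probe[0] & 0x0f) * 4 + 8;
    if (quote > probe_len) quote = probe_len;
    size_t total = 20 + 8 + quote;
    if (total > out_cap) return 0;
    uint8_t *ip = out, *icmp = out + 20;
    memset(out, 0, 28);
    ip[0] = 0x45;                     /* IPv4, 20-byte header */
    put16(ip + 2, (uint16_t)total);
    ip[8] = 64;                       /* the fake router's own TTL */
    ip[9] = 1;                        /* ICMP */
    memcpy(ip + 12, fake_router, 4);  /* src: the hop we pretend to be */
    memcpy(ip + 16, probe + 12, 4);   /* dst: whoever sent the probe */
    fix_ip_checksum(ip);
    icmp[0] = 11;                     /* code, checksum and unused stay 0 */
    memcpy(icmp + 8, probe, quote);
    put16(icmp + 2, fold_sum(sum_bytes(icmp, 8 + quote, 0)));
    return total;
}

/* Constructed sample, not a capture: IPv4/UDP probe 10.0.0.1 -> 192.168.1.1,
 * dport 33435 as traceroute uses, with the given TTL. Returns its length. */
size_t make_udp_probe(uint8_t *buf, uint8_t ttl)
{
    static const uint8_t tmpl[32] = {
        0x45, 0, 0, 32, 0x12, 0x34, 0, 0, 0, 17, 0, 0,
        10, 0, 0, 1, 192, 168, 1, 1,
        0x80, 0, 0x82, 0x9b, 0, 12, 0, 0, 'a', 'b', 'c', 'd' };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[8] = ttl;
    fix_ip_checksum(buf);
    return sizeof tmpl;
}
```

Two caveats the slides leave implicit. Rewriting the source of an inbound SYN means the server's replies are addressed to the fake host, so the same program must undo the rewrite on the OUTPUT side (destination address plus both checksums) or the real peer never sees the SYN/ACK. And the forged Time Exceeded carries a source address the box does not own, so the kernel will not originate it from a normal socket; it has to be injected through a raw socket with IP_HDRINCL, while the original probe is dropped with NF_DROP.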
17. REMOTE OS FINGERPRINTING
18. CLASSIC TECHNIQUES
19.

- Or we could just use Shodan, a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
20. NMAP

Fields reported by Nmap OS detection:
- Device Type
- Network Distance
- Running
- TCP Sequence Prediction
- OS Details
- IP ID Sequence Generation
- Uptime Guess

Device type: general purpose
Running: Microsoft Windows 7|Vista|2000
OS CPE: cpe:/o:microsoft:windows_7::professional
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
21. How I met your packet

- I looked for jailbroken iPhones with a custom Perl script:
  - Scan network ranges
  - For each host, scan port 62078
  - If port 62078 is open, then try with SSH
  - If the SSH port is open, try to log in with the credentials root/alpine
22. NMAP METHODS

- Nmap sends a series of TCP, UDP and ICMP probes (up to 16) to open and closed ports on the target:

SEQUENCE GENERATION (SEQ, OPS, WIN & T1)
ICMP ECHO (IE)
TCP EXPLICIT CONGESTION NOTIFICATION (ECN)
TCP T2-T7
UDP (U1)
23. NMAP INTERNAL PROBES

Most important:
- TCP ISN greatest common divisor (GCD)
- TCP IP ID sequence generation algorithm (TI)
- TCP timestamp option algorithm (TS)
- TCP options (O, O1-O6)
- TCP initial window size (W, W1-W6)
- Responsiveness (R)
- IP don't fragment bit (DF)
- IP initial time-to-live guess (TG)

Although there are others:
- TCP ISN counter rate (ISR)
- ICMP IP ID sequence generation algorithm (II)
- Shared IP ID sequence Boolean (SS)
- Don't fragment ICMP (DFI)
- Explicit congestion notification (CC)
- TCP miscellaneous quirks (Q)
- TCP sequence number (S)
- etc.

Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
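To impose another OS's fingerprint the handler needs concrete numbers: initial TTL, DF, window, MSS and the other options, and which probes to stay silent on. The C block below is an added example, neither Nmap's code nor the talk's tool, that pulls those values out of the nmap-os-db entry quoted above. The struct and function names are this example's own; it takes the first of any alternatives (TI=Z|I) and the low end of a range (T=3B-45).

```c
/* Added example, not Nmap's or the talk's code: pull the header values an
 * NFQUEUE handler has to impose on outgoing packets straight out of an
 * nmap-os-db fingerprint (the Linux 2.6.17-2.6.24 entry above). The format
 * is TEST(ATTR=VAL%ATTR=VAL...); values are hex, may be ranges (3B-45) or
 * alternatives (Z|I); only the first alternative is used here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct persona {
    int ttl, df;         /* TG: initial TTL; DF bit on the SYN/ACK (T1) */
    unsigned window;     /* W1: initial window */
    unsigned mss;        /* M in O1 */
    int wscale;          /* W in O1, -1 when absent */
    int sack, ts;        /* S and T present in O1 */
    int ecn;             /* CC: target speaks ECN */
    int t2_responds;     /* R in T2: answers a no-flags probe to an open port */
};

/* Copy the value of `attr` in test line `test` into out; returns 1 if found.
 * Ranges and alternatives are cut at the first '-' or '|'. */
int fp_get(const char *fp, const char *test, const char *attr,
           char *out, size_t cap)
{
    char key[40];
    snprintf(key, sizeof key, "%s(", test);
    const char *line = fp;
    while ((line = strstr(line, key)) != NULL) {
        if (line == fp || line[-1] == '\n') break;   /* only at line start */
        line += strlen(key);
    }
    if (!line) return 0;
    const char *end = strchr(line, ')');
    if (!end) return 0;
    snprintf(key, sizeof key, "%s=", attr);
    size_t klen = strlen(key);
    for (const char *p = line + strlen(test) + 1; p < end; p++) {
        if ((p[-1] == '(' || p[-1] == '%') && strncmp(p, key, klen) == 0) {
            size_t n = 0;
            for (p += klen; p < end && *p != '%' && *p != '-' && *p != '|'; p++)
                if (n + 1 < cap) out[n++] = *p;
            out[n] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Nmap's O string: M<mss> W<scale> T<tsval><tsecr> S N L, numbers in hex. */
static void parse_options(const char *o, struct persona *p)
{
    char *e;
    p->mss = 0; p->wscale = -1; p->sack = p->ts = 0;
    while (*o) {
        switch (*o++) {
        case 'M': p->mss = (unsigned)strtoul(o, &e, 16); o = e; break;
        case 'W': p->wscale = (int)strtoul(o, &e, 16); o = e; break;
        case 'T': p->ts = 1; while (*o == '0' || *o == '1') o++; break;
        case 'S': p->sack = 1; break;
        default: break;                      /* N (NOP) and L (EOL) */
        }
    }
}

/* Fill `p` from a fingerprint; returns 0, or -1 if a required test is missing. */
int persona_from_fingerprint(const char *fp, struct persona *p)
{
    char v[64];
    memset(p, 0, sizeof *p);
    if (!fp_get(fp, "T1", "TG", v, sizeof v)) return -1;
    p->ttl = (int)strtol(v, NULL, 16);
    if (!fp_get(fp, "T1", "DF", v, sizeof v)) return -1;
    p->df = (v[0] == 'Y');
    if (!fp_get(fp, "WIN", "W1", v, sizeof v)) return -1;
    p->window = (unsigned)strtoul(v, NULL, 16);
    if (!fp_get(fp, "OPS", "O1", v, sizeof v)) return -1;
    parse_options(v, p);
    p->ecn = fp_get(fp, "ECN", "CC", v, sizeof v) && (v[0] == 'Y' || v[0] == 'S');
    p->t2_responds = !(fp_get(fp, "T2", "R", v, sizeof v) && v[0] == 'N');
    return 0;
}

/* The nmap-os-db entry quoted on the slide (page data, not constructed). */
const char *linux_2_6_fp =
    "Fingerprint Linux 2.6.17 - 2.6.24\n"
    "Class Linux | Linux | 2.6.X | general purpose\n"
    "SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)\n"
    "OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)\n"
    "WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)\n"
    "ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)\n"
    "T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)\n"
    "T2(R=N)\n"
    "T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)\n"
    "T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)\n"
    "T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)\n"
    "T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)\n"
    "T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)\n"
    "U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)\n"
    "IE(DFI=N%T=3B-45%TG=40%CD=S)\n";
```

For this entry the persona comes out as TTL 64 (TG=40), DF set, window 0x8018 and a single MSS option of 0x400C with no window scale, SACK or timestamp; T2 (no flags to an open port) has R=N, so a handler imitating this kernel must drop that probe rather than answer it. The SEQ tests (GCD, ISR, TI) are not in the struct on purpose: they describe how the kernel picks ISNs and IP IDs, which a packet rewriter cannot fake without keeping state per connection.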
24. OTHER TOOLS

IP PERSONALITY: a patch for Linux 2.4 kernels that modifies characteristics of network traffic.
STEALTH PATCH: a simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing some kinds of packets to be ignored.
FINGERPRINT FUCKER: a kernel module available for Linux 2.2 kernels that also tries to hide the original OS and act as a different one.
BLACKHOLE: TCP and UDP packet filtering options, allowing RST and ICMP answers on closed ports respectively to be blocked.
HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
25. !! LET'S CAMOUFLAGE !!
26. BITCH PLEASE ...
27. PASSIVE OS FINGERPRINTING

- p0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
- There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
- Passive fingerprinting works like a packet sniffer: it examines network traffic, making a copy of the data without redirecting or altering it.
- It can be used for several purposes:
  1. Stealthy fingerprinting, bypassing the need for an active tool that can be detected by various IDS systems.
  2. Identifying remote proxy firewalls.
  3. Organizations can use it to identify rogue systems on their network.
28. SIGNATURES

8192:32:1:48:M*,N,N,S:.:Windows:98

Reading the p0f signature field by field:
- 8192: window size
  - * any value
  - %nnn multiple of nnn
  - Sxx multiple of the MSS
  - Txx multiple of the MTU
  - xxx constant value
- 32: initial TTL
- 1: DF bit
- 48: packet size
- M*,N,N,S: TCP options and their order
  - N: NOP
  - E: EOL
  - Wnnn: window scaling (WS)
  - Mnnn: MSS
  - S: SACK permitted
  - T / T0: timestamp (T0: zero timestamp)
  - ?n: unrecognized option number n
- .: quirks
  - data in SYN packets
  - options after EOL
  - IP ID field = 0
  - ACK different from 0
  - unusual flags
  - incorrect options decode
- Windows: operating system family
- 98: version
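p0f classifies on the first SYN alone, so the fields a handler has to control are exactly those of the outgoing SYN. The C block below is an added example (not p0f's code and not the talk's tool; the names are the example's own) that parses the Windows 98 signature above into its fields, resolves the window notations listed above, and emits the raw TCP options block in the order the signature demands. p0f's packet-size field (48) lets the code check its own output. Timestamps are always emitted as zeros here, which is what T0 means; for a plain T a real handler would fill in its clock.

```c
/* Added example, not p0f's code and not the talk's tool: turn a p0f v2
 * signature (the Windows 98 one above) into the header fields an NFQUEUE
 * handler must write into outgoing SYNs to match it: the TCP options in the
 * signature's order, plus window, TTL and DF. Field order in p0f.fp is
 * wss:ttl:D:ss:OOO...:QQ:OS:details. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct p0f_sig {
    char wss[16], opts[64], quirks[16], os[32], details[32];
    int ttl, df, size;          /* initial TTL, DF bit, total IPv4 SYN size */
};

/* Split the colon-separated line; empty fields are kept. 0 ok, -1 bad input. */
int parse_p0f_sig(const char *line, struct p0f_sig *s)
{
    char buf[160], *f[8], *p = buf, *q;
    int n = 0;
    if (strlen(line) >= sizeof buf) return -1;
    strcpy(buf, line);
    while (n < 8) {
        f[n++] = p;
        if ((q = strchr(p, ':')) == NULL) break;
        *q = '\0';
        p = q + 1;
    }
    if (n != 8) return -1;
    snprintf(s->wss, sizeof s->wss, "%s", f[0]);
    s->ttl = atoi(f[1]);
    s->df = atoi(f[2]);
    s->size = atoi(f[3]);
    snprintf(s->opts, sizeof s->opts, "%s", f[4]);
    snprintf(s->quirks, sizeof s->quirks, "%s", f[5]);
    snprintf(s->os, sizeof s->os, "%s", f[6]);
    snprintf(s->details, sizeof s->details, "%s", f[7]);
    return 0;
}

/* Emit the raw TCP option bytes for a p0f option list ("M*,N,N,S",
 * "M*,S,T,N,W0", ...). '*' after M or W means "any value"; mss and wscale are
 * what the caller wants to advertise there. Timestamps are written as zeros
 * (T0). Returns the length written (out holds 40 bytes, the TCP maximum) or
 * -1 on an unknown option such as ?n. */
int build_tcp_options(const char *opts, unsigned mss, unsigned wscale, uint8_t *out)
{
    int n = 0;
    for (const char *p = opts; *p; ) {
        if (*p == ',') { p++; continue; }
        char kind = *p++;
        unsigned arg = 0;
        if (*p == '*') { arg = (kind == 'W') ? wscale : mss; p++; }
        else if (*p >= '0' && *p <= '9') { char *e; arg = (unsigned)strtoul(p, &e, 10); p = e; }
        int need = (kind == 'N' || kind == 'E') ? 1 : (kind == 'S') ? 2 :
                   (kind == 'W') ? 3 : (kind == 'M') ? 4 : (kind == 'T') ? 10 : -1;
        if (need < 0 || n + need > 40) return -1;
        switch (kind) {
        case 'N': out[n++] = 1; break;                               /* NOP */
        case 'E': out[n++] = 0; break;                               /* EOL */
        case 'S': out[n++] = 4; out[n++] = 2; break;                 /* SACK permitted */
        case 'M': out[n++] = 2; out[n++] = 4;                        /* MSS */
                  out[n++] = arg >> 8; out[n++] = arg & 0xff; break;
        case 'W': out[n++] = 3; out[n++] = 3; out[n++] = arg; break; /* window scale */
        case 'T': out[n++] = 8; out[n++] = 10;                       /* timestamp */
                  memset(out + n, 0, 8); n += 8; break;
        }
    }
    return n;
}

/* The wss field as a concrete window: a constant, "Snn" (nn x MSS), "Tnn"
 * (nn x MTU, MTU = MSS + 40), "%nn" (any multiple of nn; nn itself is
 * returned) or "*" (anything; the caller's fallback). */
unsigned resolve_window(const char *wss, unsigned mss, unsigned fallback)
{
    switch (wss[0]) {
    case '*': return fallback;
    case 'S': return (unsigned)atoi(wss + 1) * mss;
    case 'T': return (unsigned)atoi(wss + 1) * (mss + 40);
    case '%': return (unsigned)atoi(wss + 1);
    default:  return (unsigned)atoi(wss);
    }
}

/* Size of the IPv4 SYN (no IP options) carrying these options. p0f's ss
 * field is exactly that, so it doubles as a sanity check on the option
 * list; options must pad to a 4-byte multiple or the TCP data offset
 * cannot express them. Returns -1 on a bad list. */
int syn_size(const struct p0f_sig *s, unsigned mss, unsigned wscale, uint8_t *opts_out)
{
    int n = build_tcp_options(s->opts, mss, wscale, opts_out);
    return (n < 0 || n % 4) ? -1 : 20 + 20 + n;
}

/* The signature shown on the slide (page data, not constructed). */
const char *win98_sig = "8192:32:1:48:M*,N,N,S:.:Windows:98";
```

For the Windows 98 line this yields the bytes 02 04 05 b4 01 01 04 02 with an MSS of 1460, a 28-byte TCP header and a 48-byte SYN, matching the signature's size field; the same handler would set TTL 32, DF and a window of 8192 on that SYN. Order matters: the Linux kernel emits MSS, SACK, timestamp, NOP, window scale, so a SYN with the bytes above but a Linux option order would still be classified as Linux.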
29. !! LET'S CAMOUFLAGE !!
30. COMMERCIAL ENGINES

These techniques can also be used to evade commercial implementations. We hide our machine by fooling the detection engine into recognizing us as another OS, then attack another host, leading the administrator to think the alert may be a false positive.

Fingerprint value example:
key=fp_id;value=100000
key=rna_fingerprint_type_id;value=9
key=rna_fingerprint_description;value=iPhone
key=rna_fingerprint_vendor_str;value=Apple
key=rna_fingerprint_product_str;value=iOS
key=rna_fingerprint_version_str;value=NULL
key=val1;value=340e4d28c315390d
key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b

I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with the default Nmap and p0f databases to get the desired TCP/IP header values.
31. (WE'RE RUNNING OUR PROGRAM IN THE BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS)

[Screenshots of the commercial engine's host view; not recoverable from the page.]

OS FOOLED! NOW OUR LINUX IS AN iOS DEVICE
32. SPOOF NON-EXISTING HOSTS AND CONSUME THE RNA ENGINE

[Screenshots: HOST CREATED WITH OUR NEW TOOL :)]
33. Long story short: SYN ACK FIN
34.

SEGURIDADOFENSIVA.COM
@SEGOFENSIVA