This presentation was given at PH-Neutral 2011, Berlin. It introduces a technical audience to SniffJoke's capabilities, low-level technology and achievements.
SniffJoke is currently released as version 0.4.1, which is not yet fully stable; stay updated!
A sniffer or a NIDS works by passively collecting Internet traffic. The traffic is captured as a series of packets, and these packets are reassembled into sessions by the "reassembly engine". That reassembly engine is the target of the SniffJoke project: by injecting packets into a live session, SniffJoke does not damage the session, but forces the reassembly engine to make ambiguous choices. The bug exploited is not implementation dependent; it is network and protocol dependent. Our difficulty is finding a security laboratory able to provide us with this kind of technology. We are looking for NIDS and sniffers to test in real network environments. The SniffJoke project, approaching the 0.5 release, is now splitting into two parts: SniffJoke (a highly configurable modular mangler) and Janus, a portable piece of software able to divert kernel sessions to userspace or to a remote box.
Our goal for 0.5 is to have SniffJoke running under Windows/Mac OS X/Linux, and Janus diverting sockets on your default gateway (e.g. OpenWrt, La Fonera) or on your local box (Mac OS X, Linux, BSD).
From the research point of view, since 1998, when the paper by T. Ptacek and T. Newsham, "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection", was released, NIDS and sniffers have been known to be susceptible to faults. Researchers developed "Active Mapping" in the NIDS engine, aiming to better understand how to handle an ambiguous packet. Active mapping SHOULD work in a NIDS (some kinds of information will not be mapped so easily, especially in high-performance environments), but nevertheless it is not possible to apply active mapping efforts to large-scale sniffing. At the moment, national security sometimes relies on these technologies; therefore it is a scientific issue to demonstrate that no security can be obtained by passive traffic analysis.
Using Canary Honeypots for Network Security Monitoring
chrissanders88
In this presentation I talk about how honeypots that have more traditionally been used for research purposes can also be used as an effective part of a network security monitoring strategy.
This document provides a summary of the top 18 security tools as voted on by over 3,000 respondents to a survey conducted by Insecure.org. The top tools included Nmap, Nessus, Wireshark, Snort, Netcat, Metasploit Framework, and others. For each tool, a brief 1-2 sentence description of its functionality is provided. The document shows that while many new tools have emerged, some older standards like tcpdump, SSH, and John the Ripper remain very popular.
Security Issues in Next Generation IP and Migration Networks
IOSR Journals
This document discusses security issues related to the migration from IPv4 to IPv6 networks. It analyzes common network attacks in IPv4 and how they may impact IPv6 networks. These attacks include reconnaissance attacks, host initialization attacks, broadcast amplification attacks, header manipulation attacks, routing attacks, and firewall evasion through fragmentation. The document provides guidelines to mitigate each of these attacks, such as using random node IDs, securing neighbor discovery protocols, ingress filtering of packets, and deep packet inspection. It addresses that while IPv6 aims to improve security over IPv4, vulnerabilities will still exist and many attacks will continue in a polymorphic manner during the migration process when both protocols must coexist.
This document describes a PhD thesis that focuses on developing host-based and network-based anomaly detectors for HTTP attacks. Specifically, it presents three contributions: (1) McPAD, a multiple classifier system for network-based payload anomaly detection; (2) HMMPayl, which uses hidden Markov models for payload analysis; and (3) HMM-Web, which analyzes request URIs for host-based anomaly detection. The thesis evaluates the performance of these approaches on detection rate, false positive rate, and area under the ROC curve.
The document discusses the DARPA Inference Cheking Kludge Scanner, an extension of the Nmap scanner that enables permanent remote compromise of the scanned computer. It demonstrates exploiting a Windows 8 kernel pool overflow to punch microcode updates to the CPU, backdooring the system. The tool is shown scanning a target system, identifying the CPU details, and implying the ability to remotely update the microcode.
Security PWNing 2018 - Penthertz: The use of radio attacks during redteam tests 📡
Sebastien Dudek
Presentation made at SecurityPWNing 2018 explaining how a company can be intruded upon using radio attacks, with real-case scenarios we encountered during our tests.
This document provides the price list for various vehicle models from VIPUL MOTORS PVT. LTD. It lists the ex-showroom price, taxes, registration and insurance fees, and other charges to arrive at the total on-road price for each model. The models listed include Omni, EECo, Alto 800, New Wagon R, Stingray, Estilo and A-Star in multiple variants. The on-road prices range from around Rs. 2.45 lakhs for the basic Omni to over Rs. 5.22 lakhs for top-end Stingray VXI variants. A zero down payment option is also listed for each variant showing the price difference with
This document provides information about an E27 9W LED bulb for use in a restaurant located in Shenzhen, China. The bulb uses an internal driver with a rubycon capacitor and produces 13442 lumens with a high efficiency of 135Lm/W. It has a plastic cover and 180 degree beam angle. Wattages from 3W to 18W are available, and the bulb comes with a 3 year warranty. Contact information is provided for the manufacturer NGT if support is needed.
This document advertises 1TopSpy cell phone tracking software and describes how it can be used to check Snapchat messages. It claims the software allows users to track locations, read texts, calls logs, social media messages and more from another phone. The document provides instructions on downloading 1TopSpy to a target phone, logging into an online account to see monitored phone activity. It includes quotes praising how 1TopSpy allows monitoring employees and children.
An electric guitar uses a pickup to convert the vibration of its strings into electrical signals. The most common pickup works through electromagnetic induction. The electric guitar's weak signal needs amplification before being sent to a loudspeaker. Since it produces an electric signal, the sound can be altered electronically using effects like reverb and distortion.
The Islamic Republic of Iran has a theocratic government with Teheran as its capital. It has a population of over 78 million people and is located in Southwest Asia, bordering Iraq, Saudi Arabia, and other countries. The current Supreme Leader is Ali Khamenei, who holds the highest political and religious authority in Iran following the 1979 Islamic Revolution that overthrew the Shah and established Iran as an Islamic republic under Supreme Leader Ayatollah Khomeini.
This document presents the "Poder" plan of the Adventist Church in the Unión Peruana del Sur for the year 2014, with the aim of making disciples through communion, relationships and mission. The plan centres on five goals: 1) establish small groups, 2) increase the number of offering-givers and tithers, 3) win new disciples, 4) establish new churches, and 5) keep members revived daily through the Spirit
The document provides configuration documentation for Value Added Tax (VAT) in India for the year 2005. It outlines various settings that need to be defined in SAP such as new tax condition types for sales and purchases, transaction keys for accounting, and changes to the TAXINJ tax procedure to incorporate the new condition types and transaction keys. The details of the TAXINJ procedure and the new condition types and keys that have been added are also documented.
The early history of the Seventh-day Adventist church in Southern Africa began in the 1870s when William Hunt, an American gold prospector, shared SDA beliefs with others in South Africa. In the 1880s, Pieter Wessels and others in Kimberley began observing the Sabbath and contacted the General Conference for assistance. In 1887, the first SDA missionaries arrived from America and established the first SDA church in South Africa in Beaconsfield with 21 members. Wealthy donations from the Wessels family allowed for several SDA institutions like schools and hospitals to be established in the 1890s, enabling growth of the denomination in Southern Africa.
Ten observations, provocations, and questions on design and innovation - presentation by Tim Leberecht, frog design, at Re:Publica, Berlin, April 15, 2010
SMTP is the standard protocol for sending email over the Internet. It defines the message format and how messages are transferred between mail servers. When a client wants to send a message, it establishes a connection to an SMTP server and issues commands like MAIL, RCPT, and DATA to specify the sender and recipients and to transmit the message content. While simple to implement, basic SMTP has limitations, such as the lack of authentication, which enable problems like spam. Extensions to SMTP like ESMTP aim to address such problems.
MQTT - MQ Telemetry Transport for Message Queueing
Peter R. Egli
Description of message queueing (MQ) protocol for the transport of telemetry data (MQTT - MQ Telemetry Transport).
MQTT is a protocol designed to fit the needs of Internet of Things scenarios. It is lightweight and efficient, but still affords all the features required for reliable messaging between wireless sensor / actor nodes and applications. MQTT decouples producer and consumer of data (sensors, actors and applications) through message brokers with publish / subscribe message queues called topics. MQTT supports different levels of quality of service thus providing the flexibility to adapt to the different needs of applications.
Further features like will and retain messages make MQTT well suited for sensor network scenarios as well as for lightweight enterprise messaging applications.
Open source implementations like Eclipse paho provide ample code for integrating MQTT in your own applications.
The document summarizes Matteo Avalle's annual oral presentation for his Ph.D. evaluation. It discusses his main research topic of regexp-based packet processing using non-deterministic finite automata (NFAs) and his development of faster multi-stride and multi-map multi-stride algorithms to further increase processing throughput. It also covers his secondary topic of designing security protocols using the JavaSPI framework, with results including a case study on the SSL 3.0 handshake protocol and surveys on applying formal methods to security protocols. Future work discussed includes finishing papers in progress and implementing new GPU optimizations.
This document provides an overview of the IRATI project which aims to advance the RINA (Recursive Internet Architecture) model and specifications through the design and implementation of a prototype. The goals are to validate RINA theory through experimentation, produce requirements for RINA, and compare it to TCP/IP. A key focus is implementing RINA over Ethernet and validating functionality on UNIX-like operating systems and Juniper JunOS. Experiments will be conducted using the OFELIA open network testbed.
Sniffing tools can capture network traffic to analyze packets and view sensitive information like usernames and passwords transmitted in cleartext. Network administrators can use these same tools legitimately to monitor network traffic and troubleshoot issues. This lab will demonstrate how to install and use the OmniPeek Network Analyzer to sniff network traffic between a host Windows Server 2012 machine and a Windows 8 virtual machine. The objectives are to familiarize students with network sniffing, packet analysis, and securing the network from attacks.
This document discusses the development of an IPv6 plugin for the Snort intrusion detection system. It provides context on IPv6 security issues and attacks. It then describes how the plugin was implemented to add IPv6-specific rule options and decode/process IPv6 traffic. A neighbor discovery preprocessor was also created to monitor network changes using ICMPv6 messages. The plugin allows Snort to better detect IPv6 attacks and anomalies.
This document presents an open source sensor network framework developed by NTT DATA Italia S.p.A. The framework allows for building sensor networks using Arduino and Raspberry Pi hardware. Sensor data is collected by Arduinos and sent to Raspberry Pis via serial communication using a standard protocol. The data is stored in a MongoDB database and made available via web services. A web interface and mobile apps allow users to interact with and analyze the sensor data. Examples applications mentioned include environmental monitoring, manufacturing, automotive, energy, and healthcare.
This document provides an introduction to the ARC middleware, including:
- An overview of the NorduGrid collaboration and the ARC middleware.
- Steps for getting started with ARC such as installing the client, requesting and installing certificates, and logging into the grid.
- Examples of writing job descriptions, submitting jobs, monitoring jobs, and fetching results.
- Additional topics covered include using storage elements, runtime environments, and examples of real-life applications on the grid.
IT Monitoring in the Era of Containers | Luca Deri Founder & Project Lead | ntop
InfluxData
Network traffic monitoring tools are traditionally based on the packet paradigm where tools need to analyse each incoming and outgoing packet. As systems are moving towards a micro-service oriented architecture based on containers, the packet paradigm is no longer enough to provide IT visibility as services interact inside a system and not over a network where it is possible to install network sensors. This talk will explain how open source tools designed by ntop on top of InfluxDB allow packet monitoring tools to be complemented with container monitoring and thus implement a lightweight visibility solution for modern IT infrastructures.
- James Blessing is the Deputy Director of Network Architecture at Future Services. He discussed Ciena's MCP network management software, the need for automation of network provisioning through APIs, and the JiscMail NETWORK-AUTOMATION mailing list as a resource.
- The document then covered topics like Netpath services, layer 2 and 3 VPNs, network function virtualization, IPv6 adoption, the Janet end-to-end performance initiative, science DMZ principles, network performance monitoring with perfSONAR, and working with the GÉANT project.
The document discusses the history and progress of OpenFlow and SDN. It traces OpenFlow from its origins in academia in 2007 to its growing adoption by major tech companies and standardization through the Open Networking Foundation by 2011. It outlines how OpenFlow allows centralized control of network traffic through software-defined controllers that programmatically configure flow-based forwarding using the OpenFlow protocol in switches.
Yoshihiro Nakajima presented on software stacks that enable software-defined networking (SDN) and network functions virtualization (NFV). He discussed trends in SDN and NFV, introduced the Lagopus SDN software switch project, and described how Data Plane Development Kit (DPDK) helps optimize packet processing performance. The goal of his talk was to provide an NFV/SDN-aware software stack capable of 100Gbps switching through high-performance packet processing.
12.00 - Dr. Tim Chown - University of Southampton
IPv6 Summit 2010
1) The university deployed IPv6 in a phased approach over many years, first running it in 1997 and now having a large dual-stack production network.
2) They took a dual-stack approach to allow existing IPv4 systems while gaining experience with IPv6. Managing the complexity of dual-stack has been the main challenge.
3) Early experiences included getting IPv6 connectivity, enabling core services like DNS and web servers, and porting internal software. Harder aspects involved multi-addressing, some application support, and security issues like rogue routers.
Oasis Communication Technologies is an expert in IPv6 deployment based on their experience implementing IPv6 networks for various clients over many years. They discuss three case studies: an early dual-stack deployment for IGLD, a global IPv6 rollout for PCCW Global using 6PE, and a customer deployment for Xfone 018. They also discuss lessons learned, including that the core network is simple but access networks are complex, addressing design is challenging, and that lack of IPv6-enabled content and customer equipment readiness are major barriers to adoption.
Handwritten Recognition using Deep Learning with R
Poo Kuan Hoong
R User Group Malaysia Meet Up - Handwritten Recognition using Deep Learning with R
Source code available at: https://github.com/kuanhoong/myRUG_DeepLearning
Using Software-Defined WAN implementation to turn on advanced connectivity se...
RedHatTelco
This document summarizes a presentation on enabling advanced connectivity services in OpenStack using software-defined WAN implementation. The presentation discusses Red Hat and Juniper Networks and how their products augment OpenStack Neutron networking with Contrail SDN to enable features like service chaining, analytics, and support for physical and virtual network functions. It also presents a case study of a tier 1 telco using Contrail and OpenStack to offer a network-as-a-service solution for multi-national enterprise customers.
What is SDN and how to approach it with Python
Justin Park
This talk is about understanding software defined networking (SDN) and recent trends in computer networking through networking tools built in Python. We aim to provide a perspective on computer networking in the era of the Internet of Things (IoT) and on how to cope with changing environments as developers, programmers, and Python users. This talk requires basic knowledge equivalent to that of a first-year computer science undergraduate. However, for the latter half of the talk, we recommend you experience the basics of Python beforehand to fully understand the contents concerning Python-based tools such as Ryu (an OpenFlow controller) and Mininet (a virtual switch environment). We hope that through this talk Python users will gain a better perspective and understanding of SDN and computer networking.
This talk is about software-defined networking (SDN), which has recently been gaining momentum in the networking field. Its purpose is to provide an opportunity to correctly understand the growing importance of networks in the era of the Internet of Things and the meaning of SDN, and to think together about how developers, programmers and Python users should prepare for and respond to the changing networking environment. To understand this talk, knowledge of computer architecture and computer networks at the level of a first-year computer science major is sufficient to follow and enjoy it. However, to understand the Python tools introduced in the latter half, studying the basics of Python beforehand is recommended. The first 20 minutes of the talk cover the history and direction of development of computer networks and share the presenter's thoughts on what SDN is. The latter roughly 20 minutes introduce tools built in Python that are used in various forms in SDN environments (the Ryu controller and the Mininet virtual switch) and how to use them. Through this talk, we hope Python users' understanding of SDN will improve.
Reference source codes
Mininet: https://github.com/mininet
Ryu: https://github.com/osrg/ryu
This document describes the software requirements and specifications for building network intrusion detection and prevention systems using Snort and Iptables. It outlines the system requirements including the operating system, firewall, and servers needed. It then describes the key tools used - Snort for intrusion detection, BASE for analyzing Snort alerts, Wireshark for packet analysis, Iptables for firewall rules, and scripting for automation. Finally, it provides an overview of the web development tools used to create interfaces for managing rule sets.
The document discusses various clean-slate design efforts to redesign networking architectures from scratch to address current problems. It describes projects from NICT/AKARI to design a new architecture for next-generation networks, Stanford's Open Platform Switch to allow experimental code, and the GENI project to create a global experimental network available to researchers. It notes there is diversity in clean-slate approaches but consensus that more radical changes are needed to further progress network technologies.
Troubleshooting Dual-Protocol Networks and Systems by Scott Hogg at gogoNET L...
gogo6
gogo6 IPv6 Video Series. Event, presentation and speaker details below:
EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp
PRESENTATION
Troubleshooting Dual-Protocol Networks and Systems
Abstract: http://www.gogo6.com/profiles/blogs/my-presentation-at-gogonet-live-3-troubleshooting-in-a-dual-stack
Presentation video: http://www.gogo6.com/video/troubleshooting-dual-protocol-networks-and-systems-by-scott-hogg
Interview video: http://www.gogo6.com/video/interview-with-scott-hogg-at-gogonet-live-3-ipv6-conference
SPEAKER
Scott Hogg - Director of Advanced Technology Services, GTRI
Bio/Profile: http://www.gogo6.com/profile/ScottHogg986
MORE
Learn more about IPv6 on the gogoNET social network
http://www.gogo6.com
Get free IPv6 connectivity with Freenet6
http://www.gogo6.com/Freenet6
Subscribe to the gogo6 IPv6 Channel on YouTube
http://www.youtube.com/subscription_center?add_user=gogo6videos
Follow gogo6 on Twitter
http://twitter.com/gogo6inc
Like gogo6 on Facebook
http://www.facebook.com/pages/IPv6-products-community-and-services-gogo6/161626696777
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxSitimaJohn
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Dive into the realm of operating systems (OS) with Pravash Chandra Das, a seasoned Digital Forensic Analyst, as your guide. 🚀 This comprehensive presentation illuminates the core concepts, types, and evolution of OS, essential for understanding modern computing landscapes.
Beginning with the foundational definition, Das clarifies the pivotal role of OS as system software orchestrating hardware resources, software applications, and user interactions. Through succinct descriptions, he delineates the diverse types of OS, from single-user, single-task environments like early MS-DOS iterations, to multi-user, multi-tasking systems exemplified by modern Linux distributions.
Crucial components like the kernel and shell are dissected, highlighting their indispensable functions in resource management and user interface interaction. Das elucidates how the kernel acts as the central nervous system, orchestrating process scheduling, memory allocation, and device management. Meanwhile, the shell serves as the gateway for user commands, bridging the gap between human input and machine execution. 💻
The narrative then shifts to a captivating exploration of prominent desktop OSs, Windows, macOS, and Linux. Windows, with its globally ubiquitous presence and user-friendly interface, emerges as a cornerstone in personal computing history. macOS, lauded for its sleek design and seamless integration with Apple's ecosystem, stands as a beacon of stability and creativity. Linux, an open-source marvel, offers unparalleled flexibility and security, revolutionizing the computing landscape. 🖥️
Moving to the realm of mobile devices, Das unravels the dominance of Android and iOS. Android's open-source ethos fosters a vibrant ecosystem of customization and innovation, while iOS boasts a seamless user experience and robust security infrastructure. Meanwhile, discontinued platforms like Symbian and Palm OS evoke nostalgia for their pioneering roles in the smartphone revolution.
The journey concludes with a reflection on the ever-evolving landscape of OS, underscored by the emergence of real-time operating systems (RTOS) and the persistent quest for innovation and efficiency. As technology continues to shape our world, understanding the foundations and evolution of operating systems remains paramount. Join Pravash Chandra Das on this illuminating journey through the heart of computing. 🌟
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfflufftailshop
When it comes to unit testing in the .NET ecosystem, developers have a wide range of options available. Among the most popular choices are NUnit, XUnit, and MSTest. These unit testing frameworks provide essential tools and features to help ensure the quality and reliability of code. However, understanding the differences between these frameworks is crucial for selecting the most suitable one for your projects.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
A Comprehensive Guide to DeFi Development Services in 2024Intelisync
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Choosing The Best AWS Service For Your Website + API.pptx
SniffJoke 0.4
1. “Downgrade multi gigabit sniffers to multi kilobits”
SniffJoke 0.4 – PH-Neutral, May 2011
vecna@delirandom.net
2. Agenda – SniffJoke 0.4, May/2011, 45 min ETA, split as:
1. Introduction, target definition – 6
2. Theory, implementation issue – 4
3. Anatomy of the attacks – 8
4. Implementation in SniffJoke framework – 14
5. Impact, considerations, TODO – 10
3. Hi! I’m vecna
• Known also as Claudio Agosti
– s0pj, for those who remember what it was
• Infoblah securblah hackblah
• Anonymity, cryptography, privacy, paranoid technology, kernel, C++
My English sounds like a Google translation, when the network is down, sorry!
++++++++++[>+++++++>++++++++++>+++>+<<<<-]>++.>+.+++++++..+++.>++.<<+++++++++++++++.>.+++.------.--------.>+.>.
4. Main concepts
• Target: vital algorithms present in every network device that performs passive traffic analysis
• Thesis: they don’t have enough information to perform flow reassembly correctly
• Attack: (ab)using these network properties, IP sessions become (difficult|impossible) to reassemble
• Effect: business and security based on passive traffic analysis could run into some trouble :)
1/5 Introduction, target definition
7. Multi gigabit business
“High Performance Traffic Inspection, Monitoring and Capture at 10Gbps. The SiNIC10 is an advanced Network Interface Card combining FPGAs and state of the art support software. The NIC provides full Deep Packet Inspection (Layer 2-7 […] to operate on 10Gbps backbones – extending the life of software assets.”
http://www.cybersi.net/hpns.html
“VANTAGE is a mass and target interception system that intercepts, filters, and analyzes voice, data, and multimedia for intelligence purposes. Using sophisticated probing technology and Verint’s real-time filtering mechanisms, VANTAGE passively collects maximum communications, extracts the most important information, and uses stored data analysis for generating intelligence from data collected over time.”
http://verint.com/communications_interception/
“Intelligence Support Systems for Lawful Interception, Criminal Investigations, Intelligence Gathering and Information Sharing Conference and Expo”
http://www.telestrategies.com/ISS_WASH/index.htm
8. 100 Gb – coming soon
• Mass surveillance will sound like control inside national borders
• But data, packets, travel through many more nations than source/dest!
• The mass surveillance technology of some years ago didn’t have enough computational power: now it has
“Around the world, telcos, financial institutions, federal agencies and large digital service delivery organisations are actively deploying 40Gb/s and 100Gb/s networks in metro, long-haul and short-hop data centre / cloud environments. The market for ultra-high speed networking is gathering momentum. […] These systems are expected to be available for deployment later in 2011.”
http://www.endace.com/endaceextreme.html
9. SniffJoke Project goals
• A new tool against mass surveillance
• Remember that control doesn’t necessarily bring security
• Fun!!
• Remember that an organization based on the network is efficient and rapid in evolving
• Exploit the deepest shadow cone in TCP/IP
10. A research back in the 1998
• First time I read about it was in phrack #58
• First time I tried to implement it was back in 1999
• A research that seems to be forgotten by vendors
– until StoneSoft’s marketing kicked out AET!
• We’re talking about a technique that’s both difficult to implement and difficult to test.
11. Thesis: information is not enough
• Elements in the middle cannot know what happens at the remote peers
• Hypothetically, a recorded packet may never have reached the remote peer
• A packet can have more than one meaning, and the IP/TCP stack chooses based on configuration, operating system, or release number
• In short: the Internet was engineered for 2 peers, not for the third passive analyzer.
12. Attack: injecting is not so simple
• You must not break the session
• You need to fool the sniffer writing only plausible packets into the flow
• You need to guess how a sniffer works, because a lot of them are not open source
• You need to cover your injection pattern, to avoid being filtered out
• Sj requires one side only
2/5 Theory, implementation issues
13. Implementation issue, 1/2
• The first software testing these vulns was a CASL script
– CASL is a language for packet forging
– A TCP session was established “by hand”
• Daily usage will require a transparent layer
• Is it possible only in kernel space?
– In the past, YES, with a lot of trouble
– The first research goal was to do it in userland
14. Implementation issue, 2/2
• How to intercept outgoing packets?
– SniffJoke uses a /dev/tun interface, setting itself as default gateway
– It receives all packets starting from the IP header
– It forwards them to the ether address of the real default gw
• How to intercept incoming packets?
– A filtering rule drops packets coming from the gw
– They are read at the datalink layer and re-sent as raw packets
16. Anatomy of the attack
• Think of packet reassembly as a “black box”
– We can deduce that a realtime sniffer/IDS will try to be as fast as possible, to keep the hardware in step with the bandwidth growth
– Wireshark is the best reference: the top community-driven, non-realtime, best reassembly available
• Attacks could be planned against a specific target (a specific sniffer sw).
– That is the easiest approach, but not a 0.4 goal
3/5 Anatomy of the attacks
17. Goal of the research
• Find some RFC/stack-compliant way to generate packets that will:
– Never reach the destination host
– Be discarded by the destination host
• AND be accepted by the sniffer, or:
– Be accepted by the destination host, but only because some weird status has been abused
• AND be discarded by the sniffer
• These ways will cause desynchronization.
• These are called Scrambles.
18. And.. when the desync is obtained
• Insert fake payload
– Will cause the sniffer to parse/dump fake data
• Give a fake sequencing flow
– Will cause huge dumps, deletion of previous segments
• Inject fake signaling (FIN, RST, SYN)
– Close, restart, interrupt an active flow
• These are called Hacks, and are implemented in the Plugins
19. Simple scramble: checksum
• A packet is sent with a bad TCP checksum
• The remote service drops it: what does the sniffer do?
Alice (with SniffJoke) → Bob (the receiver), with Eve (the sniffer) watching in the middle:
1 - TCP seq 1-20 [AAAA…], good cksum
2 - TCP ACK seq 20
2 - TCP seq 21-40 [B4dB4dB4d…], bad cksum → discarded by Bob
3 - TCP seq 21-40 [BBBBBBBB…], good cksum
4 - TCP ACK seq 40
Eve reassembles: AAAAAAAAAAAAA B4dB4dB4dB4dB4d
Bob receives:    AAAAAAAAAAAAA BBBBBBBBBBBBBB
20. Strong scramble: TTL expire
• A packet is sent with a TTL of 7
• The remote service never gets it!
Alice (with SniffJoke) → Bob (the receiver), with Eve (the sniffer) watching in the middle:
1 - TCP seq 1-20 [AAAA…], TTL 10
2 - TCP ACK seq 20
2 - TCP seq 21-40 [B4dB4dB4d…], sent with TTL 7: Eve sees it at TTL 6, a router on the path drops it at TTL 0 and returns ICMP TTL expired [TCP 21-40]
3 - TCP seq 21-40 [BBBBBBBB…], TTL 9
4 - TCP ACK seq 40
Eve reassembles: AAAAAAAAAAAAA B4dB4dB4dB4dB4d
Bob receives:    AAAAAAAAAAAAA BBBBBBBBBBBBBB
21. New scramble: IP/TCP options
• A packet gets an uncommon* IP/TCP option
• The kernel is able to handle it; does the sniffer?
Alice (with SniffJoke) → Bob (the receiver), with Eve (the sniffer) watching in the middle:
1 - TCP seq 1-20 [AAAA…], TCP MD5 sum
2 - TCP ACK seq 20
2 - TCP seq 21-40 [B4dB4dB4d…], IP_TIMESTAMP, NOP, IP_TIMESTAMP → discarded by Bob
3 - TCP seq 21-40 [BBBBBBBB…], IP_RA, TCP_SACK
4 - TCP ACK seq 40
Eve reassembles: (?) AAAAAAAAAAAAA (?) B4dB4dB4dB4dB4d …
Bob receives:    AAAAAAAAAAAAA BBBBBBBBBBBBBB
22. Scrambles, strengths and weaknesses
• TTL expire seems the strongest one (network level)
– Unstable with asymmetric links and dynamic routes
• Checksum
– Is the worst one, easily trapped: a sniffer only has to verify the TCP checksum
• IP/TCP options
– Exploit the slow update of the sniffer software
– Exploit the ambiguity of the protocols
– Need (!) to be tested for each destination
– Useful for mystification of “good” packets
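The checksum and TTL scrambles of slides 19 and 20, and the difference in strength noted above, can be reproduced offline. The following Python model is an added example, not SniffJoke code: it builds real TCP headers and checksums with struct, routes each packet through a fixed hop count (Eve's tap one router out and Bob eight routers out, chosen so a TTL of 7 passes Eve and dies before Bob, as on slide 20), and compares a naive reassembler that trusts every segment it sees, a reassembler that verifies the TCP checksum, and Bob's own stack. The addresses, ports, hop counts and the "first copy of a sequence range wins" reassembly policy are assumptions.

```python
"""Checksum and TTL scrambles against a passive reassembler: added toy model, not SniffJoke code."""
import socket
import struct

ALICE, BOB = "10.0.0.1", "10.0.0.2"   # constructed addresses
EVE_HOP, BOB_HOP = 1, 8               # assumption: Eve taps one router out, Bob sits eight routers out
SPORT, DPORT = 40000, 80              # assumption


def _ones_complement(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus TCP header and payload (RFC 793)."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return _ones_complement(pseudo + segment)


def build_segment(src, dst, seq, payload, *, ttl=64, bad_checksum=False):
    """Model one IP/TCP packet: TTL as an integer, the TCP part as real bytes (PSH|ACK, no options)."""
    header = struct.pack("!HHIIBBHHH", SPORT, DPORT, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src, dst, header + payload)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF  # the checksum scramble: every host stack drops this segment
    header = header[:16] + struct.pack("!H", csum) + header[18:]
    return {"src": src, "dst": dst, "ttl": ttl, "tcp": header + payload}


def verify_checksum(pkt) -> bool:
    """With the checksum field filled in, the one's-complement sum over everything folds to zero."""
    return tcp_checksum(pkt["src"], pkt["dst"], pkt["tcp"]) == 0


def parse(pkt):
    seq = struct.unpack("!I", pkt["tcp"][4:8])[0]
    return seq, pkt["tcp"][20:]


class Sniffer:
    """Passive reassembler. Policy assumed here: the first copy seen of a sequence range is kept."""
    def __init__(self, check_checksum=False):
        self.check_checksum = check_checksum
        self.segments = {}

    def observe(self, pkt):
        if self.check_checksum and not verify_checksum(pkt):
            return
        seq, data = parse(pkt)
        self.segments.setdefault(seq, data)

    def reassembled(self) -> bytes:
        return b"".join(self.segments[s] for s in sorted(self.segments))


class Host:
    """Bob's stack: verifies the checksum and, in this toy, accepts only the next in-order segment."""
    def __init__(self):
        self.rcv_nxt, self.data = 1, b""

    def receive(self, pkt):
        if not verify_checksum(pkt):
            return
        seq, data = parse(pkt)
        if seq == self.rcv_nxt:
            self.data += data
            self.rcv_nxt += len(data)


def run_session(scramble: str):
    """Alice sends 20 'A' then 20 'B'; before the 'B' segment SniffJoke emits a scrambled 'B4d' copy
    of the same sequence range. Returns (naive Eve, checksum-checking Eve, Bob) reassembled bytes."""
    naive, careful, bob = Sniffer(), Sniffer(check_checksum=True), Host()
    fake_payload = (b"B4d" * 7)[:20]
    if scramble == "checksum":            # slide 19
        fake = build_segment(ALICE, BOB, 21, fake_payload, bad_checksum=True)
    elif scramble == "ttl":               # slide 20: TTL 7 survives Eve's tap but expires before Bob
        fake = build_segment(ALICE, BOB, 21, fake_payload, ttl=7)
    else:
        raise ValueError(scramble)
    wire = [build_segment(ALICE, BOB, 1, b"A" * 20), fake, build_segment(ALICE, BOB, 21, b"B" * 20)]
    for pkt in wire:
        if pkt["ttl"] > EVE_HOP:          # each router decrements the TTL and drops the packet at zero
            naive.observe(pkt)
            careful.observe(pkt)
        if pkt["ttl"] > BOB_HOP:
            bob.receive(pkt)
    return naive.reassembled(), careful.reassembled(), bob.data


if __name__ == "__main__":
    for kind in ("checksum", "ttl"):
        n, c, b = run_session(kind)
        print(f"{kind:8s} naive Eve={n!r}\n         careful Eve={c!r}\n         Bob={b!r}")
```

Running it shows the point of slide 22: with the checksum scramble the naive sniffer dumps the B4d bytes while the checksum-checking one matches Bob, but with the TTL scramble both sniffers dump the fake data, because the segment is perfectly well formed and only the path length decides who receives it.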
23. Desync abuse: the plugins
• The Plugins (or, the hacks) implement the damage caused to the desynced session
– Plugins have been designed to be as flexible as possible
• Internal cache, internal logging
• Conditional check
• Verify, mangle, modify packets, both outgoing and incoming.
• I hope/wish/dream … external contrib!
24. Example of fake close, 1/4
    virtual bool condition(const Packet &origpkt, uint8_t availableScrambles)
    {
        /* a packet flagged as the final hack of a chain is not hacked again (see --chain) */
        if (origpkt.chainflag == FINALHACK)
            return false;

        /* only unfragmented TCP segments carrying no SYN, RST or FIN qualify */
        bool ret = origpkt.fragment == false &&
                   origpkt.proto == TCP &&
                   !origpkt.tcp->syn &&
                   !origpkt.tcp->rst &&
                   !origpkt.tcp->fin;

        /* cache checking */
        […]
4/5 Implementation in SniffJoke framework
26. Explanation of fake close, 3/4
• Fact: our Packet has some payload (pkt->tcppayloadlen > 0), is not a fragment and has no FIN, RST, SYN flag
• CASE 1: the sniffer trusts the FIN because it carries the last sequence number + 1
– pkt->tcp->seq = htonl(ntohl(pkt->tcp->seq) - pkt->tcppayloadlen + 1);
Sniffer (Sn) view, after the plugin matches its condition:
A: ack_seq 100     (Bob acknowledges Alice’s data up to 100)
FIN seq 101        (fake, carries a scramble: Bob rejects it)
P: seq 200         (the real data segment: Bob receives it)
A: ack_seq 200
27. Explanation of fake close, 4/4
• Fact: our Packet has some payload (pkt->tcppayloadlen > 0), is not a fragment and has no FIN, RST, SYN flag
• CASE 2: the sniffer trusts the FIN because it checks for a coherent ack_seq in the answer
• ACK and TCP.ack_seq are never touched.
Sniffer (Sn) view, after the plugin matches its condition:
A: ack_seq 100     (Bob acknowledges Alice’s data up to 100)
P+F seq 200        (fake copy of the data segment with FIN set, scrambled: Bob rejects it)
P: seq 200         (the real data segment: Bob receives it)
A: ack_seq 200     (genuine, and coherent with the fake FIN as well)
28. Fake data injection (TCP/UDP)
• Another hack that relies on the foreign ACK
Alice’s 500 bytes at seq 600 go out as three segments, watched by the sniffer (Sn):
1 – random payload: dropped or expired before Bob
2 – correct payload: accepted by Bob
3 – random payload: dropped or expired before Bob
4 – Bob answers ACK 600
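Slides 26 and 27 describe two ways a sniffer may decide that a FIN is genuine, and a hack for each. The Python model below is an added example, not SniffJoke’s plugin: it uses standard start-of-segment sequence numbering (the slides label segments by their last byte), places the fake FIN at the sequence number the sniffer expects next instead of reproducing the seq arithmetic of slide 26, marks the fake segment as scrambled so Bob’s stack silently drops it, and adds a third policy that is not on the slides: trust a FIN only once the peer’s ack_seq equals the FIN’s sequence number plus one (a FIN consumes one sequence number, so a real acknowledgement of it is exact). Bob’s toy stack sends no duplicate ACKs; the counters and sequence numbers are constructed.

```python
"""Fake-close hack (slides 26-27) against three FIN trust policies: added toy model, not SniffJoke code."""
from dataclasses import dataclass


@dataclass
class Seg:
    """One TCP segment as a passive observer decodes it. Payload is a length; the bytes do not matter here."""
    src: str                 # "alice" (the SniffJoke side) or "bob"
    seq: int
    ack: int = 0
    payload: int = 0
    fin: bool = False
    scrambled: bool = False  # carries a scramble (bad checksum, short TTL, ...): Bob never accepts it

    @property
    def end(self) -> int:
        """First sequence number after this segment; a FIN occupies one sequence number."""
        return self.seq + self.payload + (1 if self.fin else 0)


class Sniffer:
    """Passive tracker of the Alice->Bob half of a flow. Policies:
    next_seq  (slide 26, case 1): trust a FIN whose seq is the next byte expected from Alice
    peer_ack  (slide 27, case 2): trust a FIN once Bob's ack_seq reaches the FIN's position
    exact_ack (added check):      trust a FIN only when Bob's ack_seq == FIN position + 1"""

    def __init__(self, policy: str):
        assert policy in ("next_seq", "peer_ack", "exact_ack")
        self.policy = policy
        self.expected = None      # next sequence number expected from Alice (learned from Bob's ACKs)
        self.pending_fin = None   # sequence number of a FIN seen but not yet trusted
        self.closed = False
        self.ignored = 0          # Alice payload bytes no longer dumped because the flow was considered closed

    def observe(self, seg: Seg) -> None:
        if seg.src == "bob":
            if self.expected is None or seg.ack > self.expected:
                self.expected = seg.ack
            if self.pending_fin is not None and not self.closed:
                if self.policy == "peer_ack" and seg.ack >= self.pending_fin:
                    self.closed = True
                elif self.policy == "exact_ack" and seg.ack == self.pending_fin + 1:
                    self.closed = True
            return
        if self.closed:
            self.ignored += seg.payload
            return
        if seg.fin:
            if self.policy == "next_seq":
                if seg.seq == self.expected:
                    self.closed = True
            else:
                self.pending_fin = seg.seq + seg.payload   # the FIN sits right after any payload
        if seg.payload and seg.seq == self.expected:
            self.expected = seg.seq + seg.payload


class Host:
    """Bob's stack, reduced to the essentials: drops scrambled or out-of-order segments, ACKs the rest."""

    def __init__(self, rcv_nxt: int):
        self.rcv_nxt, self.got, self.closed = rcv_nxt, 0, False

    def receive(self, seg: Seg):
        if seg.scrambled or seg.seq != self.rcv_nxt:
            return None                      # toy: no duplicate ACK for out-of-order data
        self.rcv_nxt = seg.end
        self.got += seg.payload
        self.closed = self.closed or seg.fin
        return Seg("bob", seq=1, ack=self.rcv_nxt)


def fake_close(case: int, policy: str) -> dict:
    """Alice's bytes up to 100 are already ACKed; the plugin matches on her next data segment (seq 101, 100 bytes).
    case 1: a bare, scrambled FIN at the next expected seq.  case 2: a scrambled copy of the data segment with FIN set."""
    sniffer, bob = Sniffer(policy), Host(rcv_nxt=101)
    real = Seg("alice", seq=101, payload=100)
    if case == 1:
        fake = Seg("alice", seq=101, fin=True, scrambled=True)
    elif case == 2:
        fake = Seg("alice", seq=101, payload=100, fin=True, scrambled=True)
    else:
        raise ValueError(case)
    later = Seg("alice", seq=201, payload=50)          # genuine traffic after the hack
    sniffer.observe(Seg("bob", seq=1, ack=101))        # Bob's last ACK before the hack
    for seg in (fake, real, later):
        sniffer.observe(seg)
        reply = bob.receive(seg)
        if reply is not None:
            sniffer.observe(reply)
    return {"sniffer_closed": sniffer.closed, "sniffer_ignored": sniffer.ignored,
            "bob_got": bob.got, "bob_closed": bob.closed}


if __name__ == "__main__":
    for case in (1, 2):
        for policy in ("next_seq", "peer_ack", "exact_ack"):
            print(case, policy, fake_close(case, policy))
```

Bob receives all 150 bytes and never closes in any run. The next_seq sniffer gives up on the flow as soon as the fake FIN arrives and misses all 150 bytes; the peer_ack sniffer is fooled one segment later, when Bob’s genuine ACK 201 covers the FIN position, and misses the last 50; only the exact_ack sniffer keeps tracking, because Bob never acknowledges a FIN it never accepted.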
30. Plugins and options autoprobe
• Each ISP, gateway, firewall may implement filters of different kinds
– sniffjoke-autotest is a script that tries every available combination, aiming to select the working combos by itself
– It generates two location-dependent configuration files: iptcp-options.conf and plugins-enabled.conf
– Every location needs an autotest: using the wrong parameters will cause a plethora of faults
31. Autotest usage
• Goal: generate config files for the location
– Uses a service doing an HTTP ECHO POST
• Retrieves info, messages and urls from a remote server (not required, everyone could set up one)
– Offers to submit the analysis results
• I’m expecting a useful analysis of which IP/TCP options are supported around the world
• sniffjoke-autotest -l office -d /usr/local/var/sniffjoke -n 1
34. Randomization pattern, 1
• Application of the plugins must not be linear, to avoid any kind of pattern recognition by lazy sniffers
– Every TCP service is customized in a configuration file
– Every plugin contains a preferred usage
• Internal selection by protocol, service, status, destination is possible
• In some plugins less usage is better, others are planned for permanent usage; it depends on the plugin
35. Randomization pattern, 2
$ cat /usr/local/var/sniffjoke/home/port-aggressivity.conf
# this is always on the top of the port definition file, act as default
0:65535 RARE
# follow the port rules
22 NONE
# common unencrypted mail
25,110,143 LONGPEEK
# Intensive in the web
80,8080,3128 PEEKATSTART
# Windows service
135:139 PEEK10PKT
# SQL.mysql
156,3306 LONGPEEK
# edonkey
4662 VERYRARE,EVERY20SECONDS
36. Randomization pattern, 3
# NONE .................. never use the hack (0% probability)
# VERYRARE .............. 5%
# RARE .................. 15%
# COMMON ................ 40%
# HEAVY ................. 75%
# ALWAYS ................ 100%
# PEEK10PKT ............. packet number 9, 10, 11 = 80%, other 2%
# PEEK30PKT ............. packet number 29, 30, 31 = 90%, other 2%
# EVERY5SECONDS ......... if the number of seconds is divisible by 5 = 90%, other moments 2%
# EVERY20SECONDS ........ if the number of seconds is divisible by 20 = 90%, other moments 2%
# PEEKATSTART ........... the first 20 packets = 65%, up to the 40th = 20%, after 2%
# LONGPEEK .............. the first 60 pkts = 65%, up to the 120th = 20%, after 2%
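The port-aggressivity.conf format of slide 35 and the keyword table of slide 36 are enough to implement the selection step. The following Python is an added example, not SniffJoke code: it parses the file shown on slide 35 (embedded verbatim as sample input), applies last-match-wins so the 0:65535 default on top is overridden by the specific lines below it, evaluates each keyword’s percentage from the slide 36 table for a given packet number and wall-clock second, and draws the decision. How SniffJoke combines two keywords on one line (VERYRARE,EVERY20SECONDS) is not stated on the slides; taking the highest percentage is an assumption.

```python
"""Port aggressivity parser and per-packet hack probability: added example, not SniffJoke code."""
import random

# Sample input: the file shown on slide 35, verbatim.
SAMPLE_CONF = """\
# this is always on the top of the port definition file, act as default
0:65535 RARE
# follow the port rules
22 NONE
# common unencrypted mail
25,110,143 LONGPEEK
# Intensive in the web
80,8080,3128 PEEKATSTART
# Windows service
135:139 PEEK10PKT
# SQL.mysql
156,3306 LONGPEEK
# edonkey
4662 VERYRARE,EVERY20SECONDS
"""

FIXED = {"NONE": 0, "VERYRARE": 5, "RARE": 15, "COMMON": 40, "HEAVY": 75, "ALWAYS": 100}


def keyword_percent(keyword: str, pkt_number: int, seconds: int) -> int:
    """Percent chance that the hack fires on this packet, following the table on slide 36."""
    if keyword in FIXED:
        return FIXED[keyword]
    if keyword == "PEEK10PKT":
        return 80 if pkt_number in (9, 10, 11) else 2
    if keyword == "PEEK30PKT":
        return 90 if pkt_number in (29, 30, 31) else 2
    if keyword == "EVERY5SECONDS":
        return 90 if seconds % 5 == 0 else 2
    if keyword == "EVERY20SECONDS":
        return 90 if seconds % 20 == 0 else 2
    if keyword == "PEEKATSTART":
        return 65 if pkt_number <= 20 else 20 if pkt_number <= 40 else 2
    if keyword == "LONGPEEK":
        return 65 if pkt_number <= 60 else 20 if pkt_number <= 120 else 2
    raise ValueError("unknown aggressivity keyword: " + keyword)


def parse_ports(spec: str) -> set:
    """'80,8080' or '135:139' -> set of ports; 'a:b' is an inclusive range."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = (int(x) for x in part.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def parse_conf(text: str) -> list:
    """Return [(ports, keywords)] in file order; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec, keywords = line.split(None, 1)
        rules.append((parse_ports(spec), keywords.split(",")))
    return rules


def keywords_for(rules: list, port: int) -> list:
    """Last matching rule wins, so the 0:65535 default on top is overridden by specific ports."""
    chosen = None
    for ports, keywords in rules:
        if port in ports:
            chosen = keywords
    return chosen or ["NONE"]


def hack_percent(rules: list, port: int, pkt_number: int, seconds: int) -> int:
    """Assumption: several keywords on one line combine by taking the highest percentage."""
    return max(keyword_percent(k, pkt_number, seconds) for k in keywords_for(rules, port))


def should_hack(rules: list, port: int, pkt_number: int, seconds: int, rng=random) -> bool:
    """The per-packet draw: hack this packet with the configured probability."""
    return rng.randrange(100) < hack_percent(rules, port, pkt_number, seconds)


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for port, pkt, sec in ((80, 5, 0), (80, 30, 0), (80, 41, 0), (137, 10, 0), (4662, 1, 40), (4662, 1, 41), (22, 1, 0)):
        print(f"port {port:5d} pkt {pkt:3d} t={sec:3d}s -> {hack_percent(rules, port, pkt, sec):3d}%  {keywords_for(rules, port)}")
```

The non-linear schedule is what the sniffer side has to cope with: the same service sees hacks at 65% for its first 20 segments, then 20%, then 2%, so a detector that samples only the start or only the steady state of a flow measures a different injection rate.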
37. Other features (implemented)
• --chain
– Every plugin defines whether an injected/mangled packet will be hacked again (max 2 rounds)
• --no-udp, --no-tcp
• ipwhitelist.conf and ipblacklist.conf
• Mystification
– If supported, always inject IP/TCP options
38. Lacking features
• Server side support
– Will be able to protect a session when the contacted service runs on the box with sniffjoke
• Passive OS fingerprint
– And usage of this information as a scramble selector
• IP/TCP options probe towards each single destination
5/5 Impact, considerations, TODO
39. Under study attack, 1
• The plugin fake_zero_window in fact doesn’t do anything useful
– Tcp.window analysis and abuse will make a packet be discarded by the server
– But the sniffer will know this too
• SACK abuse, ECN, ICMP source quench, rfc1146 alternate checksum usage
40. Under study scramble, 2
• PAWS uses the TCP timestamp option to discard a packet carrying a timestamp that is too old
– But a sniffer can see the timestamp difference as well: how to fool it? How deep will it go?
41. Some SniffJoke effects…
• Dumps of +100Mb per session! :)
• Decoding of entirely faked data (TX)
– Mixed with real data, in the worst case
• Cuts and loss of received data (RX)
• Not so stable
– The MALFORMED scramble occasionally causes a session break (non-Linux targets are hard to test, weird ISP conf)
– Remove it by hand in plugins-enabled.conf
44. Effects (hypothesis, wishes, etc…)
• Will massive passive sniffing face an escalation of complexity, like cryptography/cryptanalysis does?
– A skilled analyst will understand the meaning of the packets anyway
• Transparent proxies, relayed traffic and non-passive data collectors are untouched by Sj
• Pervasive use of sniffjoke, with all features completed, would nullify every data retention strategy: how hard is that to communicate?
– In raw data collection, almost
45. Project goals for 0.5
• Collect evidence of defeated sniffers
– An IDS may or may not be present
• Find some $/€
• Become multiplatform on unix-based systems
– Windows client + openwrt package
• Be stable in the IP/TCP options scramble
• Support server side connections!