From Kernel Space to User Heaven #NDH2k13
FROM KERNEL SPACE TO USER HEAVEN
JAIME SÁNCHEZ
@SEGOFENSIVA
NUIT DU HACK 2013
$ WHO I AM
§ Security researcher specialized in network protocols and technologies, with over ten years of experience in positions of consulting, risk management, secure networks or ethical hacking
§ I work in the Security Operations Center (SOC) of a multinational telecommunications company
§ I’m sexy and I know it
§ You can find my blog and adventures www.seguridadofensiva.com
§ Contact: @segofensiva
- Cyberwar is upon us. APTs are very common nowadays and we need to think about new tricks to stay one step ahead and keep the system secure.
- With this technique you can provide that step in order to defend your servers against the first phase in all APT operations: FINGERPRINTING.
§ Cyber Warfare and Hacktivism
§ Several companies attacked, like Facebook, Apple, Twitter, New York Times
§ APT1, Stuxnet, Operation Hangover, etc.
The most important phases are RECONNAISSANCE and SCANNING.
The less information the attacker has, the better for our security.
If we can fool all the network tools he will be using, we will be able to prevent some attack attempts.
A BRIEF OVERVIEW
[Diagram: protection rings. Ring 0 (kernel, most privileged) at the centre, Ring 1 and Ring 2 around it, Ring 3 (least privileged) at the outside, with devices attached around the rings.]
§ Computer operating systems provide different levels of access to resources.
§ This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
§ Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
§ On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
ARCHITECTURE
KERNEL vs USER SPACE
KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, USER SPACE is the memory area where all user-mode applications work; this memory can be swapped out when necessary.
Similarly, the term USER LAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
WTF !?
HOW I MET YOUR PACKETS
[Diagram: the path of an incoming packet. Device driver: NIC -> DMA engine -> ring buffer in NIC memory -> interrupt -> interrupt handler -> poll list (softirq). Kernel space: packet data in kernel memory -> ip_rcv() (IP layer) -> netfilter hooks (PREROUTING, INPUT, FORWARD; mangle, conntrack and filter) -> tcp_v4_rcv() (TCP process) -> socket backlog -> TCP receive buffer. User space: the application collects the data with read(). Locally destined packets must pass the INPUT chain to reach listening sockets; forwarded and accepted packets go through FORWARD.]
TARGET EXTENSIONS
A target extension consists of a KERNEL MODULE and an optional extension to iptables to provide new command line options.
There are several extensions in the default Netfilter distribution:
QUEUE
§ QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
§ For this to be useful, two further components are required:
• a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
• a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
§ The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
$ iptables -A INPUT -j NFQUEUE --queue-num 0
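As an added example (not the author's tool or any code from the talk), the kind of verdict callback the userspace side of NFQUEUE runs on each queued packet: it rewrites the IPv4 TTL and DF bit to a constructed camouflage profile, recomputes the header checksum and returns the verdict. The NFQUEUE binding that delivers the bytes and the profile values are assumptions; the datagram is constructed inline.

```python
import struct

def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def checksum_is_valid(packet):
    # A header that already carries the right checksum folds to zero
    ihl = (packet[0] & 0x0F) * 4
    return ip_checksum(packet[:ihl]) == 0

def build_sample_ipv4(ttl, df, payload):
    """Constructed sample datagram 10.0.0.1 -> 10.0.0.2, protocol 6; not captured traffic."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                                0x4000 if df else 0, ttl, 6, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + payload

# Constructed camouflage profile: the TTL and DF bit every rewritten packet should show
PROFILE = {"ttl": 128, "df": True}

def handle_packet(packet, profile=PROFILE):
    """Per-packet verdict callback of the userspace side of NFQUEUE.
    Returns ('ACCEPT', mangled bytes) or ('DROP', None). In a real handler the bytes
    arrive from the NFQUEUE binding and the mangled copy is handed back with the verdict."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return "DROP", None                      # not a sane IPv4 header: do not forward
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[8] = profile["ttl"]                      # initial TTL is one of the fingerprint inputs
    flags_frag = struct.unpack("!H", hdr[6:8])[0]
    flags_frag = flags_frag | 0x4000 if profile["df"] else flags_frag & 0xBFFF
    hdr[6:8] = struct.pack("!H", flags_frag)     # the DF bit is another one
    hdr[10:12] = b"\x00\x00"                     # zero, then recompute the header checksum
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return "ACCEPT", bytes(hdr) + packet[ihl:]
```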
SHOW ME SOME EXAMPLES!
FAKE SSH SOURCE
[Diagram: ATTACKER ($ _) -> SSH SERVER, with a third host labelled INNOCENT]
- We will hide our source IP and replace it with any other value we want in our compromised SSH server.
- Useful to avoid filters without modifying files like /etc/hosts.deny.
TRACEROUTE FAKING
[Diagram: SOURCE sends UDP probes towards DESTINATION with TTL=1, TTL=2 and TTL=3; each intermediate Router Hop answers with ICMP TIME EXCEEDED. The probe with TTL=4 reaches the DESTINATION, which answers with ICMP PORT UNREACHABLE.]
If the Internet packet has a TTL of 0 after decrement, that packet must not be passed on, and an Internet Control Message Protocol (ICMP) Time Exceeded in Transit message is returned to the packet's origin.
REMOTE OS FINGERPRINTING
CLASSIC TECHNIQUES
§ Or we could just use Shodan, a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
NMAP
- Device Type
- Network Distance
- Running
- TCP Sequence Prediction
- OS Details
- IP ID Sequence Generation
- Uptime Guess

Device Type: general purpose
Running: Microsoft Windows 7|Vista|2000
OS CPE: cpe:/o:microsoft_7::professional
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good Luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
- I looked for jailbroken iPhones with a custom Perl script:
  - Scan network ranges
  - For each host, scan port 62078.
  - If port 62078 is open, then try with SSH
  - If the SSH port is open, try to log in with credentials: root/alpine
NMAP METHODS
NMAP INTERNAL PROBES
- Nmap sends 15 TCP, UDP and ICMP tests to open and closed system ports:
SEQUENCE GENERATION (SEQ, OPS, WIN & T1)
ICMP ECHO (IE)
TCP EXPLICIT CONGESTION NOTIFICATION (ECN)
TCP T2-T7
UDP
Most important:
§ TCP ISN greatest common divisor (GCD)
§ TCP IP ID sequence generation alg (TI)
§ TCP timestamp option alg (TS)
§ TCP Options (O, O1-O6)
§ TCP initial Window Size (W, W1-W6)
§ Responsiveness (R)
§ IP don't fragment bit (DF)
§ IP initial time-to-live guess (TG)
Although there are others:
§ TCP ISN counter rate (ISR)
§ ICMP IP ID sequence generation alg (II)
§ Shared IP ID sequence Boolean (SS)
§ Don't Fragment ICMP (DFI)
§ Explicit congestion notification (C)
§ TCP miscellaneous quirks (Q)
§ TCP sequence number (S)
§ etc.
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
OTHER TOOLS
IP PERSONALITY
A patch for Linux kernels of version 2.4 that modifies characteristics of network traffic.
STEALTH PATCH
Simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing it to ignore some kinds of packets.
FINGERPRINT FUCKER
A kernel module available for Linux kernels of version 2.2 that also tries to hide the original OS and act as a different one.
BLACKHOLE
TCP and UDP packet filtering options, allowing it to block respectively RST and ICMP answers on closed ports.
HONEYD
Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
OSFUSCATE
Windows software that modifies keys in the registry to change some TCP/IP parameters.
!! LET’S CAMOUFLAGE !!
BITCH PLEASE ...
PASSIVE OS FINGERPRINTING
- p0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
- There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
- Passive fingerprinting is like a packet sniffer: it examines network traffic, making a copy of the data without redirecting or altering it.
- It can be used for several purposes:
1. As stealthy fingerprinting, bypassing the need for an active tool that can be detected by various IDS systems.
2. To identify remote proxy firewalls.
3. Organizations can use it to identify rogue systems on their network.
SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Fields: Window Size - Initial TTL - DF Bit - Packet Size - TCP options and order - Quirks - Operating System - Family - Version
Window Size: * any value; %nnn multiple of nnn; Sxx MSS multiple; Txx MTU multiple; xxx constant value
Initial TTL
DF Bit
Packet Size
TCP options and order: N: NOP; E: EOL; Wnnn: WS; Mnnn: MSS; S: SACK; T / T0: Timestamp; ?n
Quirks: data in SYN packets; options after EOL; IP ID field = 0; ACK different from 0; unusual flags; incorrect options decode
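Added example, not from the talk or from p0f itself: a small matcher for the signature layout above, showing which SYN fields a passive engine compares and therefore which ones a camouflaged host has to present consistently (changing the TTL alone is not enough). The MTU rule and the TTL tolerance are assumptions, and the observed SYN is a constructed sample.

```python
# Matcher for the p0f v2 SYN signature layout shown above: wss:ttl:df:size:options:quirks:os:version
# Window forms: '*' any, '%n' multiple of n, 'Sn' n*MSS, 'Tn' n*MTU, otherwise a constant.
# Assumptions (not from the slides): MTU = MSS + 40 for the 'T' form, and an observed TTL
# matches when it is at most the signature's initial TTL and no more than MAX_HOPS below it.
MAX_HOPS = 32

def parse_signature(line):
    wss, ttl, df, size, opts, quirks, os_name, version = line.split(":", 7)
    return {"wss": wss, "ttl": int(ttl), "df": df == "1", "size": int(size),
            "options": opts.split(",") if opts else [], "quirks": quirks,
            "os": os_name, "version": version}

def _mss(options):
    # MSS value carried in the observed SYN (e.g. 'M1460'), or None if absent
    return next((int(o[1:]) for o in options if o.startswith("M")), None)

def _window_matches(pattern, wss, options):
    mss = _mss(options)
    if pattern == "*":
        return True
    if pattern.startswith("%"):
        return wss % int(pattern[1:]) == 0
    if pattern.startswith("S"):
        return mss is not None and wss == int(pattern[1:]) * mss
    if pattern.startswith("T"):
        return mss is not None and wss == int(pattern[1:]) * (mss + 40)
    return wss == int(pattern)

def _option_matches(pattern, observed):
    # 'M*' / 'W*' accept any MSS / window-scale value; every other token must be identical
    if pattern in ("M*", "W*"):
        return observed.startswith(pattern[0])
    return pattern == observed

def match_syn(sig, syn):
    """Return (os, version) when the observed SYN fits the signature, else None."""
    if not _window_matches(sig["wss"], syn["wss"], syn["options"]):
        return None
    if not sig["ttl"] - MAX_HOPS < syn["ttl"] <= sig["ttl"]:
        return None
    if (sig["df"], sig["size"], sig["quirks"]) != (syn["df"], syn["size"], syn["quirks"]):
        return None
    if len(sig["options"]) != len(syn["options"]) or not all(
            _option_matches(p, o) for p, o in zip(sig["options"], syn["options"])):
        return None
    return sig["os"], sig["version"]

# Signature taken from the slide; the observed SYN below is a constructed sample.
WIN98_SIG = parse_signature("8192:32:1:48:M*,N,N,S:.:Windows:98")
SAMPLE_SYN = {"wss": 8192, "ttl": 29, "df": True, "size": 48,
              "options": ["M1460", "N", "N", "S"], "quirks": "."}
```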
!! LET’S CAMOUFLAGE !!
COMMERCIAL ENGINES
These techniques can be used to evade commercial implementations. We hide our machine, faking the detection engine so that it recognizes us as another OS, in order to attack another host and lead the administrator to think it may be a false positive.
Fingerprint value example:
key=fp_id;value=100000
key=rna_fingerprint_type_id;value=9
key=rna_fingerprint_description;value=iPhone
key=rna_fingerprint_vendor_str;value=Apple
key=rna_fingerprint_product_str;value=iOS
key=rna_fingerprint_version_str;value=NULL
key=val1;value=340e4d28c315390d
key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with the default Nmap and p0f databases to get the desired TCP/IP header values.
( WE’RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS )
[Screenshot]
OS FOOLED! NOW OUR LINUX IS AN IOS DEVICE
SPOOF NON-EXISTING HOSTS AND CONSUME THE RNA ENGINE
HOST CREATED WITH OUR NEW TOOL :)
[Screenshot]
Long story short: SYN ACK FIN
SEGURIDADOFENSIVA.COM
@SEGOFENSIVA