What we are going to talk about? New Version of Canape Released at Ruxcon What is the VMware ESXi management protocol? In Canape: – MitM – Traffic Parsing.

Slides:

Advertisements

Similar presentations

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Advertisements

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 5 Port Scanning.

System Security Scanning and Discovery Chapter 14.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

Background Info The UK Mirror Service provides mirror copies of data and programs from many sources all over the world. This enables users in the UK to.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Chapter 2 Networking Overview. Figure 2.1 Generic protocol layers move data between systems.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

COS 420 DAY 24. Agenda Assignment 5 posted Chap Due May 4 Final exam will be take home and handed out May 4 and Due May 10 Student evaluations Latest.

1 Enabling Secure Internet Access with ISA Server.

Telnet/SSH: Connecting to Hosts Internet Technology1.

OpenSSH: A Telnet Replacement Presented by Aaron Grothe Heimdall Linux, Inc.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

Overview: Identify the Internet protocols and standards Identify common vulnerabilities and countermeasures Identify specific IIS/WWW/FTP concerns Identify.

Switch Concepts and Configuration and Configuration Part II Advanced Computer Networks.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Services Working at a Small-to-Medium Business or ISP – Chapter 7.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

1 Apache. 2 Module - Apache ♦ Overview This module focuses on configuring and customizing Apache web server. Apache is a commonly used Hypertext Transfer.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

TELE 301 Lecture 17: FTP … 1 Overview Last Lecture –Remote Terminal Services (SSH) This Lecture –File transfer and web caching Next Lecture –Directory.

Outline Overview Video Format Conversion Connection with An authentication Streaming media Transferring media.

AE6382 Secure Shell Usually referred to as ssh, the name refers to both a program and a protocol. The program ssh is one of the most useful networking.

Directory and File transfer Services By Jothi. Two key resources Lightweight Directory Access Protocol (LDAP) File Transfer protocol Secure file transfer.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

Verified Network Configuration. Verinec Goals Device independent network configuration Automated testing of configuration Automated distribution of configuration.

Department of Computer Science & Engineering San Jose State University

Remote Controller & Presenter Make education more efficiently

October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University

G CITRIXHACKIN. Citrix Presentation Server 4.5 New version is called XenApp/Server Common Deployments Nfuse classic CSG – Citrix Secure Gateway Citrix.

Integrating and Troubleshooting Citrix Access Gateway.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Module 7: Advanced Application and Web Filtering.

Protocols COM211 Communications and Networks CDA College Olga Pelekanou

XWN740 X-Windows Configuring and Using Remote Access (Chapter 13: Pages )‏

SOCKS By BITSnBYTES (Bhargavi, Maya, Priya, Rajini and Shruti)

Networking Network Classification, by there: 3 Security And Communications software.

(ITI310) By Eng. BASSEM ALSAID SESSIONS 10: Internet Information Services (IIS)

SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.

How to make an Interactive Voice Response (IVR) using an OzML script This slideshow is intended to be a great explanation on how to develop an Interactive.

Application Layer instructors at St. Clair College in Windsor, Ontario for their slides. Special thanks to instructors at St. Clair College in Windsor,

Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos

Remote Display solutions for mobile cloud computing Remote Display solutions for mobile cloud computing.

Working at a Small-to-Medium Business or ISP – Chapter 8

A Comprehensive Security Assessment of the Westminster College Unix Lab Jacob Shodd.

Affinity Depending on the application and client requirements of your Network Load Balancing cluster, you can be required to select an Affinity setting.

CITA 352 Chapter 5 Port Scanning.

Module 4 Remote Login.

Introduction to SQL Server 2000 Security

XWN740 X-Windows Configuring and Using Remote Access

Working at a Small-to-Medium Business or ISP – Chapter 7

Working at a Small-to-Medium Business or ISP – Chapter 7

Packet Sniffing.

Telnet/SSH Connecting to Hosts Internet Technology.

Topic 5: Communication and the Internet

Alan Chalker and Eric Franz Ohio Supercomputer Center

Working at a Small-to-Medium Business or ISP – Chapter 7

Firewalls By conventional definition, a firewall is a partition made

Radoslaw Jedynak, PhD Poland, Technical University of Radom

TELNET BY , S.AISHWARYA III-IT.

FTP AND COMMAND PROCESSING IN FTP

HACKIN G CITRIX.

Chapter 7 Network Applications

Designing IIS Security (IIS – Internet Information Service)

MESSAGE ACCESS AGENT: POP AND IMAP

Presentation transcript:

What we are going to talk about? New Version of Canape Released at Ruxcon What is the VMware ESXi management protocol? In Canape: – MitM – Traffic Parsing – Traffic Injection – Fuzzing – Extending Canape Finding 0 days

What is Canape? Network Protocol Testing Tool Existing Tools: – HTTP Proxies (e.g. CAT) – Echo Mirage – Python Libraries – Wireshark Why a new tool? – Has these features and more – All driven through a GUI And it’s free!

The old way

The Canape way GUI driven IDE for protocol analysis Focus on data rather than code Large number of built in modules to parse / modify / fuzz traffic Large number of supported languages for when coding is necessary – C#, Python, Ruby, Visual Basic, Jscript.NET – Even F# (if you really want)

How does it Capture Traffic? MitM support – SOCKS – Port Forwarding Network protocol support – TCP, UDP, Broadcast traffic Application level proxy – HTTP, SSL

What is the VMware ESXi protocol? Protocol used for network management of VMware virtualisation products Actually numerous protocols – Remote desktop – File transfer – Etc. Requires a bespoke client

VMware vSphere Client

The protocol(s) Actually multiple protocols over one connection – Authentication – Remote Desktop – Network File Copy – VMware Database Each time the protocol transitions a new SSL encrypted or plain text stream is initiated on the same connection

MitM Traffic

State handling The ESXi protocol traverses a number of protocol states Or BannerSSL Auth SSL VNC BannerSSL AuthNFC

Handling State Transitions

Authentication protocol Text based protocol Simple commands – BANNER – USER – PASS / XPAS – SESSION – PROXY / CONNECT Allows for Username/Password, Ticket and Session authentication

Basic Network Clients

Remote desktop Based on the VNC protocol Includes VMware specific extensions Commands – Hello – Negotiation – User Input – Screen redraw – Etc.

Key press 0x000x300x010x00 0x300x000x0 a ?Scan Code?Flags

Mouse movement 0x5F3F00000x7FA900000x X CoordinateY Coordinate 0xFFFFFFFF0x Button State 0x – No Buttons 0x – Press Left 0x – Press Middle 0x – Press Right 0x – Scroll Down 0xFFFF0000 – Scroll Up ? ? Flags

Parsing User Input

Traffic Injection

NFC protocol Simple file transfer protocol Unencrypted by default(!) Allows for – File upload – File download – File move – File copy – File delete

Fuzzing Standard everyday fuzzing – But from within in the protocol stream Built in modules for – Simple byte fuzzing – Integer fuzzing – Pattern fuzzing – Etc. Custom fuzzers written in code

Fuzzing

What did we find? 5 Heap Memory Exhaustion Panics 2 Unhandled Exceptions 2 Null Pointer Dereferences 1 Use After Free Vulnerability Context are currently working closely with the VMware Security Response Center to fix the identified issues

Mitigating the risk Restrict access to management services to management IP Addresses Don’t use the NFC file transfer to transfer sensitive files Enable SSH

Sulley Protocol Informatics Extending Canape

Thanks Thanks to the following people: – James Forshaw, Canape author and implementer of many requested features and bug fixes – Michael Jordon, for continued support and pushing me to do this talk!

References

Questions ?