1 TCP/IP Perversion Rares Stefan, Third Brigade Inc. SecTor 2007.

2 Introduction
- Perspective from a researcher focused on protecting hosts from malware
- Implementing kernel-based protection mechanisms
- Insight into a potential class of network driver malware

3 The Rise of Silent Malware
- Three main areas of interest in malware R&D:
  - Delivery and activation
  - Hiding presence - rootkit techniques
  - Evasion - minimize operating noise:
    - Show no signs of activity on the infected system
    - Show no traces of network activity on the wire

4 Operational Challenges
- Operate on wire data
- Active at a layer that guarantees transparency to the host
- Correctly perform inline IP reassembly and TCP stream reassembly
- Allow for arbitrary injection/removal of data in TCP sessions

5 Operational Challenges…part deux
- Maintain silence on the host:
  - Never initiate TCP sessions
  - Never receive TCP open-session requests
  - Do not rely on TCP port splicing if the infected host is a server
  - Do not rely on static motherships if the infected host is a workstation
  - Packet modifications should not be easily visible in local network traces

6 Operational Challenges…part trois
- Maintain silence on the wire:
  - Only make use of legitimate TCP sessions
  - Do not alter protocol semantics - resistance to network anomaly detection engines
  - Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers

7 TCP/IP Driver Implementation (Pre-Vista)
Diagram of the Windows network driver stack, top to bottom: User Land - TDI - TCP/IP - FW hook / PF hook - Intermediate driver - NDIS (NDIS.SYS) - Miniport driver. Annotations on the diagram:
- User land: "Never"
- TDI: access to data stream, not packets
- FW hook / PF hook: some interesting areas; no guaranteed access to outbound payload
- NDIS hooking: some delivery challenges; most flexibility; driver signing issues; complete control over hardware drivers to transport protocol communications

8 Rogue Network Driver Framework
- Firewall hook kernel module for basic packet header operations
- IM filter driver:
  - Inline IP reassembly
  - Inline TCP stream reassembly
  - TCP session normalization

9 Packet Header Modifications

10 Infected Workstation
Diagram: Alice (infected workstation), Bob (man in the middle), server.
- On Alice: DNAT – DstIP_server -> DstIP_Bob
- On Bob: SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob; DstIP_Bob -> DstIP_server
- Translated request reaches server

11 Infected Workstation (same diagram as slide 10)

12 Infected Server
Diagram: Alice, infected server.
- Alice: https request served; telnet server:80
- Selective DN(P)AT on the server: SrcIP_Alice -> SrcIP_server; Dst_Port_443 -> DstPort_135

13 Infected Server (same diagram as slide 12)

14 Packet Header Opportunities
- Passive covert channels
- Port splicing
- Most significant; communicating the original intent:
  - DNAT on outgoing SYN – change destination address to that of the MIM
  - Insert original dstIP in header fields
  - MIM double NAT

15 Why Payload Injection?
- Access to packet data
- High bandwidth channel
- Bypass application proxies
- Altering TCP data length on the wire is not trivial!

16 Inline Injection
- Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic
- Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things

17 Inline TCP Reassembly
- Maintain two edges (pre and post modification):
  - ISN
  - MaxSeq
  - MaxAck
  - Window
  - Maximum SeqNo of filtered data
  - Maximum AckNo of filtered data
  - Queue/counter for non-ACKed datagrams
  - Queue/counter for not-sent datagrams
  - Needed window scale
  - Actual window scale

18 SMTP Injection – Eliminating Bob from the Equation
- Reduces the complexity of MIM and random redirection
- Works with application-level proxies
- Replace RCPT TO argument or inject additional RCPT TO (BCC)
- Increases the probability of detection – SMTP server logs

19 SMTP Injection
Diagram: Alice, SMTP server, Bob, Eva.
- Alice sends Bob a message
- Driver injects BCC to Eva
- Bob receives original message; so does Eva

20 SMTP Injection Demo Vid1

23 HTTP Injection
- TCP headers useless – need to find a workaround
- Easy workaround, but we need to be careful:
  - Transparent proxies (initial HTTP request looks normal, so we’ll always assume we may be transparently “proxied”)
  - Direct proxies – easy to spot in HTTP(S) requests
- URI & headers will help us redirect/leak data
- Make use of Authorization, Cookie headers – they won’t be scrubbed
- POST data also presents injection opportunities

24 HTTP Injection
Diagram: Alice, Bob, web proxy (content filtering), google.com; driver action on the request: change request; inject data.

25 HTTP Injection (same diagram as slide 24)

26 SSL Injection Demo
Diagram: Alice, Bob, perimeter security, somebank.com; driver action: inject data.

27 SSL Injection Demo (same diagram as slide 26)

28 SSL Alice – browser video

29 Detecting Network Driver Malware
- Conventional detection mechanisms
  - AV, AS signatures; configuration management
- New detection mechanisms
  - Traffic-based detection? Malicious destinations, ISN analysis
  - Network trace diff – local vs. remote
  - NDIS-based sniffer for better visibility?
- Other
  - Host-based application control ineffective
  - DLP?
  - …
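A defender's take on the "network trace diff – local vs. remote" idea on this slide, as an added example that is not code from the talk. It assumes a capture taken on the host (above the network stack) and one taken on the wire (mirror port or remote tap) have already been decoded into the Pkt records below; the addresses and payload sizes are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags, e.g. "S" or "PA"
    seq: int     # TCP sequence number
    plen: int    # TCP payload length in bytes

def diff_traces(host: list, wire: list) -> list:
    """Pair each host-side packet with its wire-side copy by (sport, flags, seq) and
    report what changed in between; a per-port seq offset tracks injected bytes."""
    wire_by_id = {(p.sport, p.flags, p.seq): p for p in wire}
    offset = {}            # sport -> (wire seq - host seq), grows with each injection
    findings = set()
    for h in host:
        w = wire_by_id.pop((h.sport, h.flags, h.seq + offset.get(h.sport, 0)), None)
        if w is None:
            findings.add(("missing-on-wire", h.sport, h.seq))
            continue
        if (h.dst, h.dport) != (w.dst, w.dport):   # DNAT / DPAT in the driver
            findings.add(("dst-rewritten", h.sport, f"{h.dst}:{h.dport}", f"{w.dst}:{w.dport}"))
        if h.src != w.src:                            # SNAT in the driver
            findings.add(("src-rewritten", h.sport, h.src, w.src))
        if h.plen != w.plen:                          # inline payload injection/removal
            findings.add(("payload-resized", h.sport, h.seq, h.plen, w.plen))
            offset[h.sport] = offset.get(h.sport, 0) + (w.plen - h.plen)
    for sport, _flags, seq in wire_by_id:             # packets the host stack never sent
        findings.add(("wire-only", sport, seq))
    return sorted(findings, key=str)

# Constructed sample: Alice (10.0.0.5) connects to 203.0.113.10:443; on the wire the
# SYN goes to Bob (10.0.0.9) and 40 bytes are added to the first data segment.
HOST_TRACE = [
    Pkt("10.0.0.5", 51000, "203.0.113.10", 443, "S", 1000, 0),
    Pkt("10.0.0.5", 51000, "203.0.113.10", 443, "PA", 1001, 100),
    Pkt("10.0.0.5", 51000, "203.0.113.10", 443, "PA", 1101, 50),
]
WIRE_TRACE = [
    Pkt("10.0.0.5", 51000, "10.0.0.9", 443, "S", 1000, 0),
    Pkt("10.0.0.5", 51000, "10.0.0.9", 443, "PA", 1001, 140),   # +40 injected
    Pkt("10.0.0.5", 51000, "10.0.0.9", 443, "PA", 1141, 50),    # seq shifted by 40
]

def demo() -> list:
    return diff_traces(HOST_TRACE, WIRE_TRACE)
```

Because the pairing key is what a header-rewriting driver must preserve for the session to keep working, a changed destination shows up as one finding per flow and an injection as a resized segment followed by a consistent sequence shift.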

30 Conclusions
- Passive kernel malware is difficult to spot
- There are significant implementation challenges for coders
- Prevention remains the key approach

31 Thank You

32 Infected Workstation

33 Alice – Browser Capture

34 Alice-Bob Network Traces

35 Alice Driver_SNAT

36 Alice_SNAT

37 Back to Infected Workstation

38 Bob_Double_NAT

39 Bob_Double_NAT

40 Bob_Double_NAT

41 Bob_Double_NAT

42 Back to Infected Workstation

43 Infected Server

44 Server network trace

45 Server SNAT&DPAT

46 Back to Infected Server

47 HTTP Injection

48 Alice – browser video

49 Alice – network trace

50 Alice - original data

51 Alice – driver work

52 Alice – driver work

53 Alice – driver work

54 Alice – driver work

55 Back to HTTP Injection

56 Bob – driver work

57 Bob – modified request

58 Bob – driver work

59 Bob – driver work

60 Back to HTTP Injection

61 SSL Injection

62 Alice – original data

63 Post Insert – Wire Noise!

64 Alice – SSL clean

65 Back to SSL Injection

66 Bob – Post modification. Clean!!

67 Back to SSL Injection