
1 Challenges and Wins

2 @packetjay
Goal: remove critical stuff
- but: keep enough info to stay useful
- The original-to-sanitized ratio may vary based on share goal

3 Similar to editing packets for packet replay
Removing sensitive details:
- User credentials
- Network topology (IP addresses etc.)
- Device & software version information
- Vulnerable protocols
- Payloads


5 Network analysts
- often require to keep packet content only up to the TCP layer
- look at packet loss, timings, TCP being messed up by obscure middle boxes
- sometimes need higher layer details like FQDNs or URLs

6 Security Analysts/Researchers
- usually don't care that much about Ethernet / ARP / IPv4 / TCP / UDP headers
- need to keep the malware / exploit delivery process intact: FQDNs, URLs, binary payloads

7 Hex Editors
- Wireshark Edit Feature: only in GTK at this time
- WireEdit: can do bulk search/replace
If you choose manual editing, better be stuck in a time loop to get things done...

8 Balance between removing details and remaining usefulness
- One packet vs. many
- Protocol complexity
- Protocol dependencies
- Defensive Transformation

9 bittwiste, tcprewrite
- pktanon: http://www.tm.uka.de/software/pktanon/
- pcaplib: http://sourceforge.net/projects/pcaplib/
- TraceWrangler: https://www.tracewrangler.com

10 Parse/Dissect all packet layers, from layer 2 up
- Sanitize extracted values
- Rebuild the packet layer by layer using sanitized values only! From the top layer down

11 Ethernet Details parsed
33 33 ff 02 6e a5 00 10 5a aa 20 a2 86 dd 60 00 00 00 00 20 3a ff fe 80 00 00 00 00 00 00 02 10 5a ff fe aa 20 a2 ff 02 00 00 00 00 00 00 00 00 00 01 ff 02 6e a5 87 00 0f 35 00 00 00 00 fe 80 00 00 00 00 00 00 02 60 97 ff fe 02 6e a5 01 01 00 10 5a aa 20 a2
Destination MAC: 33 33 ff 02 6e a5
Source MAC: 00 10 5a aa 20 a2
EtherType: 86dd

12 IPv6 Details parsed (same frame as on slide 11)
IP Version: 6
Flow Label: 0
Payload Len: 32
Next Hdr: 58
Hop Limit: 255
Source IP: fe80:0000:0000:0000:0210:5aff:feaa:20a2
Dest IP: ff02:0000:0000:0000:0000:0001:ff02:6ea5

13 With IPv4, subnets are a problem
- can't tell from a PCAP what the masks are
- is 192.168.1.1 in the same subnet as 192.168.20.20?
Prefix for IPv6 makes it much easier: same original prefix, same replacement prefix

14 Some possible rules:
- black marker (zero out all bytes)
- Full IP address randomization (prefix + ID)
- original:replacement preset
- Prefix aware replacement
  ○ randomize Interface ID
  ○ keep Interface ID

15 Handling special IP addresses
- All Zero
- Loopback
- Multicast
Documentation IPs
Mapping different original IPs to the same replacement IP

16 Address dependencies:
- MAC
- IPv6
- Multicast
Checksums
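The parse / sanitize / rebuild approach of slide 10, applied to the Neighbor Solicitation frame dissected on slides 11 and 12 with the dependencies of slide 16 honoured, as an added Python example (not the author's code and not TraceWrangler's). It assumes original:replacement presets that are built on first sight (sequential locally administered MACs, RFC 3849 documentation prefixes), keeps the link-local prefix and the special addresses, derives EUI-64 interface IDs, the solicited-node multicast destination and its multicast MAC from the already sanitized values, and recomputes the ICMPv6 checksum last.

```python
import struct
FRAME = bytes.fromhex(  # constructed from the slides' hex dump: Ethernet / IPv6 / ICMPv6 Neighbor Solicitation
    "3333ff026ea5 00105aaa20a2 86dd 6000 0000 0020 3a ff"
    " fe80 0000 0000 0000 0210 5aff feaa 20a2 ff02 0000 0000 0000 0000 0001 ff02 6ea5"
    " 8700 0f35 0000 0000 fe80 0000 0000 0000 0260 97ff fe02 6ea5 0101 0010 5aaa 20a2".replace(" ", ""))
MAC_MAP, PREFIX_MAP = {}, {}  # original -> replacement presets, filled on first sight, never two-to-one

def sanitize_mac(mac):  # same original MAC always gets the same locally administered replacement
    return MAC_MAP.setdefault(mac, bytes([0x02, 0, 0, 0, 0, len(MAC_MAP) + 1]))

def eui64(mac):  # modified EUI-64 interface ID formed from a MAC: U/L bit flipped, ff:fe inserted
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]

def sanitize_ip6(addr):
    if addr[0] == 0xff or addr[:15] == bytes(15):  # multicast, unspecified and loopback stay as they are
        return addr
    prefix, iid = addr[:8], addr[8:]
    if prefix[:2] != b"\xfe\x80":  # link-local prefix kept; every other /64 -> 2001:db8:0:N::/64 (RFC 3849)
        prefix = PREFIX_MAP.setdefault(prefix, bytes.fromhex("20010db80000") + bytes([0, len(PREFIX_MAP) + 1]))
    if iid[3:5] == b"\xff\xfe":  # EUI-64 IID: derive it from the sanitized MAC so MAC and IPv6 stay consistent
        iid = eui64(sanitize_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]))
    return prefix + iid  # other interface IDs are kept (the "keep Interface ID" rule)

def solicited_node(addr):  # ff02::1:ffXX:XXXX, last 24 bits taken from the unicast address
    return b"\xff\x02" + bytes(9) + b"\x01\xff" + addr[13:]

def checksum(data):  # Internet checksum (RFC 1071)
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return ~s & 0xffff

def icmp6_checksum(src, dst, icmp):  # IPv6 pseudo-header + ICMPv6 message with its checksum field zeroed
    pseudo = src + dst + struct.pack("!I3xB", len(icmp), 58)
    return checksum(pseudo + icmp[:2] + b"\x00\x00" + icmp[4:])

def sanitize_ns_frame(frame):
    # 1) parse from layer 2 up: Ethernet, IPv6, ICMPv6 NS target and source link-layer address option
    dst_mac, src_mac, eth_type, ip6, icmp = frame[:6], frame[6:12], frame[12:14], frame[14:54], frame[54:]
    src, dst, target, opt = ip6[8:24], ip6[24:40], icmp[8:24], icmp[24:]
    # 2) sanitize the extracted values, honouring the dependencies between them
    s_src_mac, s_src, s_target = sanitize_mac(src_mac), sanitize_ip6(src), sanitize_ip6(target)
    s_dst = solicited_node(s_target) if dst == solicited_node(target) else sanitize_ip6(dst)
    s_dst_mac = b"\x33\x33" + s_dst[12:] if s_dst[0] == 0xff else sanitize_mac(dst_mac)
    s_opt = opt[:2] + s_src_mac if opt[:2] == b"\x01\x01" else opt
    # 3) rebuild from the top layer down using sanitized values only, then recompute the checksum
    s_icmp = icmp[:2] + b"\x00\x00" + icmp[4:8] + s_target + s_opt
    s_icmp = s_icmp[:2] + struct.pack("!H", icmp6_checksum(s_src, s_dst, s_icmp)) + s_icmp[4:]
    return s_dst_mac + s_src_mac + eth_type + ip6[:8] + s_src + s_dst + s_icmp
```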


18 Mail: jasper@packet-foo.com
Web: blog.packet-foo.com
Twitter: @packetjay

