Download presentation
Presentation is loading. Please wait.
Published byMarcos Strowbridge Modified over 9 years ago
1
Tactics to Discover “Passive” Monitoring Devices Mudge@atstake.com
2
The Problem at Hand Local ether segments behave like party-line phone systems A B C D E F G H A-B : CDEFGH can listen in A-H : BCDEFG can listen in Etc. etc. Without encryption there are no secrets
3
How Systems Know What to Listen To … Ether headerpayloadEther headerpayload Read a packet from the network Is the dest ether header my MAC address? Make a copy of the packet and hand it to the OS stack yes no Network Interface Card decision flow Systems are courteous largely for performance. Hardware filtering at the NIC hands up only the packets the system is supposed to receive. Promiscuous mode tells the NIC that all packets should be handed to the OS stack. Not just the ones with the matching MAC destination address.
4
Ether and IP Headers Destination AddressSource Addresstype 6 bytes 2 bytes Ether IP verslenTOSTotal length (bytes) identificationflagsfragment offset TTLprotocolchecksum Source IP Address Destination IP Address 44816 313 8816 32 Application Transport Network Link Telnet, SMTP, etc TCP, UDP IP, ICMP Device Driver, Interface card 4 layers of TCP/IP protocol suite
5
The Disconnect Physical Data Network Transport Session Presentation Application
6
DNS Method Definition The Domain Naming System maps IP addresses to names and vice-versa. DNS allows hierarchical grouping of domain DNS is a necessity for human convenience % telnet foo.bar.baz Trying 10.10.12.132 … Connected to foo.bar.baz. Q: Who is foo.bar.baz? A: foo.bar.baz is 10.10.12.132 (follow up by initiating TCP connection to port 23)
7
DNS Method 1 Sniffing the Sniffer Spoofed packets are sent out on the local network The network is sniffed looking for reverse DNS lookups on spoofed packet Any systems asking about the fictitious systems is in promiscuous mode Src 10.0.0.5 -> Dst 10.0.0.6 10.0.0.5 10.0.0.6 192.168.1.10 Sniffer Bogus System 1Bogus System 2 Who is 10.0.0.5?
8
DNS Method 2 Queries to DNS Server The DNS server is under our control Spoofed packets with addresses handled by the DNS server are sent out on the local network Any requests that the DNS server receives for the spoofed machines are from machines in promiscuous mode Src 10.0.0.5 -> Dst 10.0.0.6 10.0.0.5 10.0.0.6 192.168.1.10 Sniffer Bogus System 1Bogus System 2 Net 192.168.1 Net 10 DNS Server Whois 10.0.0.5? router
9
DNS Method Pros and Cons Can work across multiple networks Names of machines are very telling and as such, many malicious sniffers will do the reverse lookups Does not saturate the local network High reliability – minimal false positives Sniffing systems do not have to perform reverse lookups Sniffing systems can do batch reverse lookups later on – this defeats method 1 but not method 2 ProsCons
10
Ether Tricks Definition Ether tricks work by intentionally mis- mapping layer 2 and layer 3 addresses 08:00:20:10:22:e0 192.168.1.10 66:66:66:66:66:66 192.168.1.10 !=
11
Ether Tricks 1 Linux Classic When in promiscuous mode the NIC does not filter the ether address. The kernel must filter the ether address on its own. ICMP – Echo Request Correct ether address Correct IP address ICMP – Echo Reply Normal behavior for non-promiscuous mode
12
Ether Tricks 1 linux (cont) ICMP – Echo Request In-correct ether address Correct IP address No response as NIC did not pass the packet to the stack Normal behavior for non-promiscuous mode
13
Ether Tricks 1 linux (cont) ICMP – Echo Request In-correct ether address Correct IP address Older linux behavior for promiscuous mode ICMP – Echo Reply NIC had to pass all traffic to OS. OS forgot to check the MAC address and only looked at IP
14
Ether Tricks 2 BSD Style Problems ICMP – Echo Request In-correct ether address Broadcast IP address Older BSD behavior for promiscuous mode ICMP – Echo Reply NIC had to pass all traffic to OS. OS forgot to check the MAC address and only looked at IP (took a different path for broadcast)
15
Ether Tricks 3 Microsoft Shortcut Ether Address What the NIC filters on 6 bytes 4 bytes Word What many MS software drivers check when in promisc ff:ff:ff:ff:00:00|IP|ICMP echo request Equivalent to be ff:ff:ff:ff:ff:ff on many promisc NT systems
16
Ether Tricks Pros and Cons High reliability, low false positives Limited to local ether segment Dependent upon particular OS/Kernel “nuances” Pros Cons
17
Machine Latency defined Hardware filtering Discards packets not addressed to correct MAC address Handled by on-card logic Minimal impact on system performance as few interrupts Kernel not called in to process unless really needed Match criteria == MAC, broadcast, multicast Software filtering All packets must be copied and handed over to OS On-card logic bypassed Severe impact on system performance due to maximum interrupts Kernel must process packets Malicious sniffing often happens in user space – context shift from Kernel to User space is expensive
18
Machine Latency example A B C A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14
19
Machine Latency example A B C A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14 1 2 1 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:23:e4 IP Source: 192.168.1.10 IP Dest: 192.168.1.14 Latency == 2 ms 2 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:22:16 IP Source: 192.168.1.10 IP Dest: 192.168.1.12 Latency == 3 ms
20
Machine Latency example A B C A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14 1 2 1 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:23:e4 IP Source: 192.168.1.10 IP Dest: 192.168.1.14 Latency == 4 ms 2 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:22:16 IP Source: 192.168.1.10 IP Dest: 192.168.1.12 Latency == 300 ms 3 3 – ICMP Echo Request Ether Src: 66:66:66:66:66:67 Ether Dst: 66:66:66:66:66:66 IP Source: 192.168.1.30 IP Dest: 192.168.1.33
21
Machine Latency Methods for increasing end-node processing Fake entire three way handshake Fake connections to well known sniffed ports Use “legitimate” ether addresses that still have no physical presence Fake huge numbers of sessions Fake huge numbers of SYN recv’d states The trick is to make the sniffing application process as much as possible in user space
22
Machine Latency Pros and Cons Cross platform Often times crashes sniffing programs Confined to local segment High accuracy in watching deltas for a particular machine over time Pros Limited to local ether segment Assumptions must be made about systems response under load Network and regular machine load assumptions must be made Network congestion Cons
23
Spotting the curious Create fictitious connections to a real machine Use a ‘trap’ account Watch and log on the legitimate machine for anyone attempting to log on with the ‘trap’ account
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.