
Covert Tunnels in your Network Next Generation Network Warfare David Gordon Gabriel Girard Universite de Sherbrooke.


1 Covert Tunnels in your Network Next Generation Network Warfare David Gordon Gabriel Girard Universite de Sherbrooke

2 Goal This presentation covers creating hidden tunnels to bypass firewalls and IDS as well as possible techniques perhaps used for industrial espionage. The goal is to inform and open a discussion on how to secure your network against this threat.

3 Contents
Tunneling
Covert tunneling
–Simple examples: HTTP, DNS
–Live traffic hijacking
Proof of concept: Tentun
–Plug-ins

4 What is tunneling?

5 Mailbox Example Tunneling is similar to sending internal mail between two branches of a company. Internal mail is re-packaged at branch A to reach branch B. This is the tunnel. Once the package has reached branch B, it is opened and the internal mail is then routed to its intended address.

6 Mailbox Example (diagram: two LANs, internal mail wrapped in public mail, the tunnel in between)

7 Legitimate Tunneling
L2TP
SSL, VPN, IPv6
PPTP, IPSec
…

8 What they don’t show about tunneling Hacking the network stack for fun and profit

9 Covert Tunnels 101
Legitimate tunnel: encapsulating data with a protocol meant to bypass a public network for functional or private reasons
Covert tunnel: hiding data within other data meant to bypass all notice

10 Covert Tunnels 101 Two types of covert tunnels
Part I: Generate your own traffic
–Create data to hide your information
Part II: Hijacking live traffic
–Use existing data to hide your information

11 Part I Generate Your Own Traffic Covert Tunneling for DUMMIES

12 Covert Tunneling
Setup client/server endpoints
Generate your own traffic to create tunnels
Hide data in:
–Fake HTTP requests/answers
–Fake DNS requests/answers
–Etc.

13 Testing the Tunnel
Two hosts
–Core1: 192.168.211.2 and 192.168.146.2
–Hive: 192.168.211.3 and 192.168.146.3
Pinging the other host through different covert tunnels

14 Covert HTTP Tunnels

HTTP Reply (carrying the ping reply, ICMP type 0, as the body):
HTTP/1.1 200 OK
Server: Apache/1.3.12 (Unix) mod_perl/1.23
Accept-Ranges: bytes
Content-Length: 216
Connection: close
Content-Type: image/jpeg

E%00%00TB%a6%00%00%40%01%10%ac%c0%a8%d3%02%c0%a8%d3%03%00%00%09%0e%9c%07%00%01K%d4%b8B_%cf%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567

HTTP Get (carrying the ping request, ICMP type 8, in the encap_data query parameter):
GET /cgi-bin/db_query?param1=foo&param2=bar&encap_data=E%00%00T%00%00%40%00%40%01%13R%c0%a8%d3%03%c0%a8%d3%02%08%00%83%eb%9c%07%00%02L%d4%b8B%db%f0%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567 HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla (X11; I; Linux 2.0.32 i586)
Host: www.google.ca
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Charset: iso-8859-1,*,utf-8

15 Covert HTTP Tunnels
No attempt to hide data: append it after the HTTP header
Minimal hiding: include the data within the HTTP header among bogus header fields
‘Invisible’: use your imagination, e.g. steganography using a GIF served over HTTP

16 Covert DNS Tunnels
DNS Query
–DNS Header
–DNS Message
DNS Answer
–DNS Header
–Query
–Answer

17 Covert DNS Tunnels
DNS QUERY (slide labels: DNS Header, ICMP echo request carried as the query name, DNS Tail)
0000  00 66 00 00 01 00 00 01 00 00 00 00 00 00 54 45  .f............TE
0010  00 00 54 3f 96 00 00 40 01 13 bc c0 a8 d3 03 c0  ..T?...@........
0020  a8 d3 02 00 00 23 8d 3b 06 00 01 c5 b1 01 43 ed  .....#.;......C.
0030  73 02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14  s...............
0040  15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24  ........... !"#$
0050  25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34  %&'()*+,-./01234
0060  35 36 37 00 00 01 00 01                          567.....

18 Covert DNS Tunnels
DNS ANSWER (slide labels: DNS Header, ICMP echo reply carried as the query name, DNS Tail)
0000  00 76 00 00 85 80 00 01 00 01 00 00 00 00 54 45  .v............TE
0010  00 00 54 00 00 40 00 40 01 13 52 c0 a8 d3 02 c0  ..T..@.@..R.....
0020  a8 d3 03 08 00 4c d6 3b 06 00 03 c7 b1 01 43 b9  .....L.;......C.
0030  28 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14  (...............
0040  15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24  ........... !"#$
0050  25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34  %&'()*+,-./01234
0060  35 36 37 00 00 01 00 01 c0 0c 00 01 00 01 00 00  567.............
0070  09 60 00 04 d8 ef 33 64                          .`....3d

19 Covert ICMP Tunnels
Append data at the end of ICMP packets
Firewall traversal if ICMP is allowed

20 Part II Hijacking Live Traffic Covert Tunneling for SMARTER DUMMIES

21 Comparison 98% of covert tunnels will most likely be generated (part I) 2% of covert tunnels might go to the trouble of piggybacking on legitimate traffic, in my humble opinion (part II)

22 What SMARTER DUMMIES might do
Live traffic hijacking
Packet interception/modification methods
TCP tunnel
Other possible tunnels

23 Live Traffic Hijacking
Close quarters: the rootkit
In the neighbourhood: ARP cache poisoning
Man in the middle: Router takeover
On the victim’s side

24 Live Traffic Hijacking ARP cache poisoning (diagram: Router, Victim and You on a switched LAN)

25 Packet Interception
Route target traffic to loopback, sniff with your app, re-transmit on the public LAN
–Thanks to Dug Song
TUN/TAP device
–Thanks to Max Krasnyanski
Network stack filters
–Kernel sniffer
–Linux netfilter

26 Packet Modification
Don’t break the packet… or do we?
–Creating duplicate packets
Preserving the original data stream

27 TCP Tunnel
End of option list
–Fill in the padding
Rowland
–The IP packet identification field
–The TCP initial sequence number field
–The TCP acknowledged sequence number field

28 TCP Tunnel (TCP header layout from RFC 793)
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Source Port          |       Destination Port        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Sequence Number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Acknowledgment Number                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Data |           |U|A|P|R|S|F|                               |
| Offset| Reserved  |R|C|S|S|Y|I|            Window             |
|       |           |G|K|H|T|N|N|                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Checksum            |         Urgent Pointer        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                             data                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

29 Other Possible Tunnels
V6 protocols
–IPv6 Destination Field
–ICMPv6
UDP Tunnel

30 Hidden Tunnels Are An Art
Steganography
–Higher bandwidth required
Traffic shaping
Encryption
–Performance hit
Randomization
–Randomizing HTTP requests

31 Proof of Concept Tentun

32 Tentun
Engine
Plugins
Current Features
Planned Features
https://sourceforge.net/projects/tentun/

33 Proposed Solutions

34 Proposed Solutions
Stateless investigation of packets at IDS and firewall level
Routers and O/S should zero padding areas
Focus more on IDS and firewall cooperation

35 Thank you
