Page 1: Applied Black Op Networking on Windows XP
Dan Kaminsky, CISSP
DoxPara Research
http://www.doxpara.com

Page 2: Overview

- Paketto Keiretsu
  - The “Packet System”
  - A suite of only slightly interrelated network tools that nonetheless manage to work together in peculiar ways
  - 1.0 unveiled: October 2002, Black Hat Asia
  - 2.0 unveiled: February 2003, Black Hat Windows
- What's New?
  - Welcome to Black Hat Windows
  - Libpaketto
  - SSL vs. IDS
  - Much, much more

Page 3: Scanrand

- High-speed TCP scanner and network tracer
- Most well-known statistic:
  - 65,536 addresses scanned on 80/tcp
  - 8,000 replies received
  - Time elapsed: 4 seconds
- Experiment in Secure Stateless Manipulation of Stateful Networks
  - Performance wasn't actually the goal

Page 4: Secure Stateless Operation

- “Find a Mirror. Recognize Yourself.”
- Find components of your outgoing messages that, by nature of the protocol being used, will be reflected back to you. Embed a signature that only you could generate, irrevocably linked to the security-sensitive information you are being provided.
  - HTTP cookies
  - Driver's licenses

Page 5: TCP Reflectors

- Scans begin with a TCP SYN
- Components of the reply known and controlled by the sender:
  - Source IP and Destination IP
  - Source Port and Destination Port
  - Initial Sequence Number (SEQ#)
- Source IP, Destination IP, and Destination Port are fixed
- Leaves Source Port and SEQ#: 48 bits worth of reflected capacity

Page 6: Scanrand's Reflectors

- 1.x: Inverse SYN Cookies in the SEQ#
  - HMAC-SHA1 truncated to 32 bits in the outgoing SEQ
  - Valid responses – SYN|ACK (up) or RST|ACK (down) – return the SEQ# in the ACK#
  - We HMAC all that we know the legitimate party must reflect, including the IPs and ports we couldn't meaningfully munge
- Coming in 2.x: Timestamps in the Port #
  - 1.x uses absolute latency from the beginning of the scan – limitation!
  - Bandwidth limitation, strange modes of packet handling
  - Firewalls have trouble with multiple connections from the same port to the same host/port
  - We can tap that – 16 bits provides 65K “timeslots”; 1ms resolution gives us a 65s window
  - Stamp authenticated by seed
  - Wraparound preventable by mixing time with HMAC seed
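To make the reflector concrete, here is the 1.x cookie together with the 2.x port timeslot written out in Python as an added example (Paketto's own implementation is C and is not reproduced here); it is the same trick SYN cookies use on the server side, and it shows why a reply can be trusted with no state table at all. The field layout of the HMAC input, the constructed key and the dict-based packet stand-ins are my assumptions.

```python
import hashlib
import hmac
import socket
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
MASK32 = 0xFFFFFFFF


def inverse_syn_cookie(key, src_ip, dst_ip, sport, dport):
    """Stamp for the outgoing SEQ#: HMAC-SHA1 over everything a legitimate peer
    must reflect, truncated to 32 bits. The addresses and destination port are
    fixed by the scan, but MACing them too means a reply for a different target
    or port cannot be passed off as the answer to this probe.
    (Input layout is an assumption, not Paketto's wire format.)"""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HH", sport, dport))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha1).digest()[:4], "big")


def make_probe(key, src_ip, dst_ip, dport, elapsed_ms):
    """Header fields of one SYN. The source port carries the time since the scan
    started, 1 ms per slot, wrapping every 65536 ms; the SEQ# carries the cookie,
    so nothing about this probe has to be remembered anywhere."""
    sport = elapsed_ms % 65536
    return {"src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
            "seq": inverse_syn_cookie(key, src_ip, dst_ip, sport, dport),
            "flags": SYN}


def peer_reply(probe, flags):
    """Constructed stand-in for the network: what a well-behaved stack sends back
    (addresses and ports swapped, ACK# = our SEQ# + 1)."""
    return {"src_ip": probe["dst_ip"], "dst_ip": probe["src_ip"],
            "sport": probe["dport"], "dport": probe["sport"],
            "ack": (probe["seq"] + 1) & MASK32, "flags": flags}


def classify_reply(key, reply, now_ms):
    """Return ('up' | 'down', latency_ms) for a reply that proves it answers one
    of our probes, or None for anything else: forged ACK#, a different host or
    port, or a stray RST we never provoked."""
    expected = (inverse_syn_cookie(key, reply["dst_ip"], reply["src_ip"],
                                   reply["dport"], reply["sport"]) + 1) & MASK32
    if not hmac.compare_digest(expected.to_bytes(4, "big"),
                               (reply["ack"] & MASK32).to_bytes(4, "big")):
        return None
    f = reply["flags"]
    if f & (SYN | ACK | RST) == SYN | ACK:
        status = "up"
    elif f & (RST | ACK) == RST | ACK:
        status = "down"
    else:
        return None
    # The reflected source port is our timeslot; modular subtraction handles the
    # 65 s wraparound as long as the reply arrives within one window.
    return status, (now_ms - reply["dport"]) % 65536
```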

Page 7: Basic Features

- Port and range parsing: 1.2.3-4.5-6,8-50:22,80
- Traceroute
- Port aliases: quick, squick, known
- Bandwidth limitation
- Read targets from a file
- New in 2.x:
  - Single-threaded mode w/ SR_NONBLOCK
  - API – everything trivially embeddable

Page 8: Basic Demo 1: Scan

    # Quick scan of local network
    bash-2.05a# scanrand 10.0.1.1-254:quick
    UP: 10.0.1.38:80 [01] 0.003s
    UP: 10.0.1.110:443 [01] 0.017s
    UP: 10.0.1.254:443 [01] 0.021s
    UP: 10.0.1.57:445 [01] 0.024s
    UP: 10.0.1.59:445 [01] 0.024s
    UP: 10.0.1.38:22 [01] 0.047s
    UP: 10.0.1.110:22 [01] 0.058s
    UP: 10.0.1.110:23 [01] 0.058s
    UP: 10.0.1.254:22 [01] 0.077s
    UP: 10.0.1.254:23 [01] 0.077s
    UP: 10.0.1.25:135 [01] 0.088s

Page 9: Basic Demo 2: Traceroute

    bash-2.05a# scanrand -b2m -l1-13 www.slashdot.org
    002 = 63.251.53.219|80 [02] 0.018s( 10.0.1.11 -> 66.35.250.150 )
    001 = 64.81.64.1|80 [01] 0.031s( 10.0.1.11 -> 66.35.250.150 )
    003 = 63.251.63.79|80 [03] 0.044s( 10.0.1.11 -> 66.35.250.150 )
    004 = 63.211.143.17|80 [04] 0.066s( 10.0.1.11 -> 66.35.250.150 )
    005 = 209.244.14.193|80 [05] 0.084s( 10.0.1.11 -> 66.35.250.150 )
    006 = 208.172.147.201|80 [08] 0.099s( 10.0.1.11 -> 66.35.250.150 )
    007 = 208.172.146.104|80 [06] 0.119s( 10.0.1.11 -> 66.35.250.150 )
    008 = 208.172.156.157|80 [08] 0.140s( 10.0.1.11 -> 66.35.250.150 )
    009 = 208.172.156.198|80 [08] 0.167s( 10.0.1.11 -> 66.35.250.150 )
    010 = 66.35.194.196|80 [09] 0.187s( 10.0.1.11 -> 66.35.250.150 )
    011 = 66.35.194.58|80 [09] 0.208s( 10.0.1.11 -> 66.35.250.150 )
    012 = 66.35.212.174|80 [10] 0.229s( 10.0.1.11 -> 66.35.250.150 )
    UP: 66.35.250.150:80 [12] 0.241s

Page 10: Hopcount Desync

    root@arachnadox:~# scanrand -b1k -e local.doxpara.com:80,21,443,465,139,8000,31337
    UP: 64.81.64.164:80 [11] 0.477s
    DOWN: 64.81.64.164:21 [12] 0.478s
    UP: 64.81.64.164:443 [11] 0.478s
    DOWN: 64.81.64.164:465 [12] 0.478s
    DOWN: 64.81.64.164:139 [22] 0.488s
    DOWN: 64.81.64.164:8000 [22] 0.570s
    DOWN: 64.81.64.164:31337 [22] 0.636s

What's going on:

The host is genuinely 11 or 12 hops away. All of the up ports reflect that, but only a few of the downed ports; the rest are showing double the remote distance. This is due to a PIX firewall interposed between me and the target. It's (too) quickly reflecting the SYN I sent to it right back to me as a RST|ACK, without resetting values like the TTL. Thus the same TTL value decrements twice across the network – 22 = 11*2 – and we can detect the filter.

Page 11: ACK/RST Analysis

    root@arachnadox:~/talk# scanrand -D -vv www.cisco.com:80
    Stat|=====IP_Address==|Port=|Hops|==Time==|=============Details============|
    SENT: 198.133.219.25:80 [00] 0.000s
    Sent 40 on eth0:
    IP: i=192.168.11.29->198.133.219.25 v=4 hl=5 s=0 id=216 o=64 ttl=216 pay=20
    TCP: p=8621->80, s/a=2785760401 -> 2785760401 o=5 f=16 w=4096 u=0 optl=0
    Got 60 on eth0:
    IP: i=198.133.219.25->192.168.11.29 v=4 hl=5 s=0 id=216 o=0 ttl=189 pay=20
    TCP: p=80->8621, s/a=2785760401 -> 2785760401 o=5 f=4 w=4096 u=0 optl=0
    DSCO: 198.133.219.25:80 [14] 0.204s

What's going on:

This time, we're intentionally sending a completely bogus packet – an ACK utterly disassociated from any known stream. (Since it's disassociated, nothing prevents us from using an Inverse SYN Cookie.) Standard operating procedure is to respond with a RST, since it's usually from some rather broken remote host. But notice – the incoming RST has a TTL of 189. The TTL range from around 129 to 216 rarely sees legitimate traffic – programmers usually start from powers of two. We, however, didn't. Also note the duplicated IPID.

Page 12: Expected Behavior

- TCP repairs broken connections
  - If a packet is dropped, it will retry
  - “Hello? … Hellllo? … … … Hello?” <CLICK>
- How many Hellos? How long in between them?
  - It varies from person to person, and from TCP/IP stack to TCP/IP stack
  - Discovered by Franck Veysset et al.; RING is their tool
- Can we do this with Scanrand?
  - Scanrand uses the kernel to RST incoming replies, so they stop coming
  - Usually this is good – cut off the flood
  - Well, now we want the flood… but we don't want to interface with some firewall rules
  - Solution: use a different IP, but have the kernel serve the MAC!

Page 13: Temporal Fingerprinting Demo

    root@bsd:~# arp -s 10.0.1.190 00:e0:18:02:91:9f pub
    root@bsd:~# arp -an | grep 10.0.1.190
    ? (10.0.1.190) at 0:e0:18:2:91:9f permanent published [ethernet]
    root@bsd:~# scanrand -i 10.0.1.190 -t0 -b100k 10.0.1.1-254:139
    (OUTPUT SORTED)
    UP: 10.0.1.12:139 [01] 0.235s
    UP: 10.0.1.12:139 [01] 3.191s
    UP: 10.0.1.12:139 [01] 9.109s
    (+3+6)
    UP: 10.0.1.36:139 [01] 0.715s
    UP: 10.0.1.36:139 [01] 3.624s
    UP: 10.0.1.36:139 [01] 9.639s
    (+3+6)
    UP: 10.0.1.38:139 [01] 0.755s
    UP: 10.0.1.38:139 [01] 4.560s
    UP: 10.0.1.38:139 [01] 10.560s
    UP: 10.0.1.38:139 [01] 22.758s
    UP: 10.0.1.38:139 [01] 46.756s
    (+4+6+12+24)
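The three walkthroughs on pages 10, 11 and 13 can be automated from the printed status lines; the following Python is an added example, not part of Paketto, with the slide output embedded as sample input. The 2x-hops tolerance, the rounding of retransmission gaps to whole seconds and the function names are my assumptions.

```python
import re
from collections import defaultdict

# UP/DOWN status lines as scanrand prints them (copied from the slides).
STATUS_RE = re.compile(
    r"^(UP|DOWN):\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\[(\d+)\]\s+([\d.]+)s$")

DESYNC_SAMPLE = """\
UP: 64.81.64.164:80 [11] 0.477s
DOWN: 64.81.64.164:21 [12] 0.478s
UP: 64.81.64.164:443 [11] 0.478s
DOWN: 64.81.64.164:465 [12] 0.478s
DOWN: 64.81.64.164:139 [22] 0.488s
DOWN: 64.81.64.164:8000 [22] 0.570s
DOWN: 64.81.64.164:31337 [22] 0.636s
"""

RETRANSMIT_SAMPLE = """\
UP: 10.0.1.12:139 [01] 0.235s
UP: 10.0.1.12:139 [01] 3.191s
UP: 10.0.1.12:139 [01] 9.109s
UP: 10.0.1.36:139 [01] 0.715s
UP: 10.0.1.36:139 [01] 3.624s
UP: 10.0.1.36:139 [01] 9.639s
UP: 10.0.1.38:139 [01] 0.755s
UP: 10.0.1.38:139 [01] 4.560s
UP: 10.0.1.38:139 [01] 10.560s
UP: 10.0.1.38:139 [01] 22.758s
UP: 10.0.1.38:139 [01] 46.756s
"""


def parse_status(text):
    """Return (status, host, port, hops, seconds) for every UP/DOWN line; other
    output (traceroute hops, headers) is ignored."""
    recs = []
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            recs.append((m[1], m[2], int(m[3]), int(m[4]), float(m[5])))
    return recs


def hopcount_desync(recs, tolerance=1):
    """Page 10: per host, the hop count seen on UP ports is the true distance.
    A reply reporting about twice that distance was bounced by a middlebox that
    reused our TTL, so it was decremented on the way out and again on the way
    back. Returns {host: [ports whose reply came from the filter, not the host]}."""
    by_host = defaultdict(list)
    for rec in recs:
        by_host[rec[1]].append(rec)
    flagged = {}
    for host, items in by_host.items():
        up_hops = [hops for status, _, _, hops, _ in items if status == "UP"]
        if not up_hops:
            continue
        distance = min(up_hops)
        flagged[host] = sorted(port for _, _, port, hops, _ in items
                               if abs(hops - 2 * distance) <= tolerance)
    return flagged


def retransmit_signature(recs):
    """Page 13: with the kernel no longer RSTing the SYN|ACKs, each host keeps
    retransmitting on its own schedule. Round the gaps between successive replies
    to whole seconds and join them into the '+3+6' form used in the slide notes."""
    times = defaultdict(list)
    for _, host, port, _, t in recs:
        times[(host, port)].append(t)
    sigs = {}
    for key, ts in times.items():
        ts.sort()
        if len(ts) > 1:
            sigs[key] = "".join(f"+{round(b - a)}" for a, b in zip(ts, ts[1:]))
    return sigs


def reflected_ttl_suspect(got_ttl, got_ipid, sent_ipid):
    """Page 11: the probe went out with ttl=216 (not a power of two) and the RST
    came back with ttl=189 and the very same IPID. A received TTL in the 129-216
    band, or an IPID equal to the one we sent, says the reply reused our header."""
    return 129 <= got_ttl <= 216 or got_ipid == sent_ipid
```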

Page 14: What About Traceroute?

- Traceroute's as stateless and fast as port scanning
- Traceroute provides active route metrics by issuing commands to the network infrastructure itself
  - Where are we?
  - What's going on?
  - What could we possibly try?
  - Did it work?
- What stunts can we pull?

Page 15: Parasitic Traceroute

    bash-2.05a# paratrace -b1m www.slashdot.org
    Waiting to detect attachable TCP connection to host/net: www.slashdot.org
    66.35.250.150:80/32 1-16
    002 = 63.251.53.219|80 [02] 5.170s( 10.0.1.11 -> 66.35.250.150 )
    001 = 64.81.64.1|80 [01] 5.171s( 10.0.1.11 -> 66.35.250.150 )
    003 = 63.251.63.14|80 [03] 5.195s( 10.0.1.11 -> 66.35.250.150 )
    UP: 66.35.250.150:80 [12] 5.208s
    004 = 63.211.143.17|80 [04] 5.219s( 10.0.1.11 -> 66.35.250.150 )
    005 = 209.244.14.193|80 [05] 5.235s( 10.0.1.11 -> 66.35.250.150 )
    006 = 208.172.147.201|80 [08] 5.273s( 10.0.1.11 -> 66.35.250.150 )
    007 = 208.172.146.104|80 [06] 5.277s( 10.0.1.11 -> 66.35.250.150 )
    008 = 208.172.156.157|80 [08] 5.314s( 10.0.1.11 -> 66.35.250.150 )
    009 = 208.172.156.198|80 [08] 5.315s( 10.0.1.11 -> 66.35.250.150 )
    010 = 66.35.194.196|80 [09] 5.337s( 10.0.1.11 -> 66.35.250.150 )
    011 = 66.35.194.58|80 [09] 5.356s( 10.0.1.11 -> 66.35.250.150 )
    012 = 66.35.212.174|80 [10] 5.379s( 10.0.1.11 -> 66.35.250.150 )

Traceroute is a Layer 3 process – given a message, repeat it any number of times, each with a different number of hops through the network it's allowed to take. TCP is a Layer 4 protocol, capable of recognizing and silently dropping repeated packets. So we can always safely trace at Layer 3 without interfering with communications in TCP's Layer 4, thus getting a more accurate view of a given session through potentially stateful routers and other devices.

Page 16: Other Potential Uses

- Peer-to-peer networks
  - Path optimization – n hosts can communicate with each other and determine not just latency but the network complexity separating them
  - While similar IP space works well for direct matches, as soon as you traverse a single autonomous network it's hard to realize who your neighbors are
- Custom protocols could allow high-resolution timestamps to be used to further measure state
  - TCP Timestamps may also be extensible for this purpose

Page 17: LibPaketto

- Cross-platform TCP/IP manipulation library
- Easy to use – built for cross-disciplinary integration
  - ScanViz

Page 18: API Demo 1

    #include "libpaketto.h"

    int main(int argc, char **argv)
    {
        /* Scan 10.0.1.11 on ports 80 and 22 with every option left at its default. */
        pk_scanrand("10.0.1.11:80,22", NULL, NULL, NULL, NULL);
        return 0;
    }

What's going on:

No initializations – this scans 10.0.1.11 and collects the responses. Not particularly tweakable.

Page 19: API Demo 2

    #include <stdio.h>
    #include "libpaketto.h"

    int main(int argc, char **argv)
    {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <targets>\n", argv[0]);
            return 1;
        }
        /* Start from the default configuration and override a few fields. */
        struct scanrand_config *conf = pk_build_sr_conf(NULL);
        conf->verbose = 1;
        conf->bandwidth = "10k";
        /* Target spec comes from the command line, e.g. "10.0.1.1-254:quick". */
        pk_scanrand(argv[1], NULL, conf, NULL, NULL);
        return 0;
    }

What's going on:

Now we can actually tweak the method by which this scan will operate. Given the conf structure, we can switch in traceroutes, bandwidth limiters, and much more. But we're still just running scanrand…

Page 20: API Demo 3

    #include <stdio.h>
    #include "libpaketto.h"

    /* Reporter callback; the return type follows the library's convention as shown
       on the slide. It is handed the stream passed as the last pk_scanrand() argument. */
    pcap_handler jump_for_joy(FILE *stream, struct pcap_pkthdr *pkthdr, char *packet);

    int main(int argc, char **argv)
    {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <targets>\n", argv[0]);
            return 1;
        }
        struct scanrand_config *conf = pk_build_sr_conf(NULL);
        conf->verbose = 0;
        conf->bandwidth = "10k";
        /* Replies that pass conf->fullscan_verifier are handed to jump_for_joy. */
        pk_scanrand(argv[1], NULL, conf, jump_for_joy, stdout);
        return 0;
    }

    pcap_handler jump_for_joy(FILE *stream, struct pcap_pkthdr *pkthdr, char *packet)
    {
        fprintf(stream, "Whee, we got a %u byte packet!\n", pkthdr->caplen);
    }

What's going on:

Instead of just running the standard scanrand reporter, now we're running a user-provided callback. Note that this callback isn't called directly – first, the packet is verified using a callback specified in conf->fullscan_verifier. Only if the verifier is satisfied does the programmer's function need to worry about parsing the packet.

But then, why should the programmer have to suffer through that?

Page 21: API Demo 4

    #include <stdio.h>
    #include <arpa/inet.h>   /* inet_ntoa(); assumed not already pulled in by libpaketto.h */
    #include "libpaketto.h"

    pcap_handler jump_for_joy(FILE *stream, struct pcap_pkthdr *pkthdr, char *packet);

    int main(int argc, char **argv)
    {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <targets>\n", argv[0]);
            return 1;
        }
        struct scanrand_config *conf = pk_build_sr_conf(NULL);
        conf->verbose = 0;
        conf->ttlrange = "1-20";   /* trace as well as scan: probes at TTL 1 through 20 */
        conf->bandwidth = "10k";
        pk_scanrand(argv[1], NULL, conf, jump_for_joy, stdout);
        return 0;
    }

    pcap_handler jump_for_joy(FILE *stream, struct pcap_pkthdr *pkthdr, char *packet)
    {
        struct frame x;

        /* Overlay libnet-style header structures on the raw Ethernet frame (DLT_EN10MB). */
        pk_parse_layers(packet, pkthdr->caplen, &x, 2, DLT_EN10MB, 0);
        if (x.ip) {
            fprintf(stream, "Whee, we got a %u byte packet from %s\n",
                    pkthdr->caplen, inet_ntoa(x.ip->ip_src));
        }
    }

What's going on:

pk_parse_layers takes an arbitrary packet and configures a set of libnet structures to overlay upon it, giving a manageable and modifiable packet structure. It's quite feasible to modify such a parsed packet and (after pk_recalc_checksums is run) resend it out the very interface it came in on. Of course, that can create certain reflection bugs…

Page 22: API Demo 5

    #include <stdio.h>
    #include <arpa/inet.h>   /* inet_ntop(); assumed not already pulled in by libpaketto.h */
    #include "libpaketto.h"

    pcap_handler jump_for_joy(FILE *stream, struct pcap_pkthdr *pkthdr, char *packet);

    int main(int argc, char **argv)
    {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <targets>\n", argv[0]);
            return 1;
        }
        struct scanrand_config *conf = pk_build_sr_conf(NULL);
        conf->ttlrange = "1-20";   /* trace as well as scan: probes at TTL 1 through 20 */
        pk_scanrand(argv[1], NULL, conf, jump_for_joy, stdout);
        return 0;
    }

    pcap_handler jump_for_joy(FILE *stream, struct pcap_pkthdr *pkthdr, char *packet)
    {
        struct frame x, ic;
        char outer[INET_ADDRSTRLEN], inner[INET_ADDRSTRLEN];

        pk_parse_layers(packet, pkthdr->caplen, &x, 2, DLT_EN10MB, 0);
        if (x.icmp && pk_parse_icmp(&x, &ic)) {
            /* inet_ntoa() hands back a single static buffer, so calling it twice in
               one fprintf() would print the same address for both %s; convert each
               address into its own buffer instead. */
            inet_ntop(AF_INET, &x.ip->ip_src, outer, sizeof outer);
            inet_ntop(AF_INET, &ic.ip->ip_src, inner, sizeof inner);
            fprintf(stream, "Trace to %s stopped at %s\n", outer, inner);
        } else if (x.tcp) {
            inet_ntop(AF_INET, &x.ip->ip_src, outer, sizeof outer);
            fprintf(stream, "Response from %s, flag vals %i\n", outer, x.tcp->th_flags);
        }
    }

What's going on:

ICMP errors contain large swaths of the packets that spawned them – if only something existed to read them! pk_parse_icmp takes a source “master frame” and fills into a destination frame what can be gleaned from the ICMP payload. This lets us run stateless traceroutes quite trivially.

Page 23: Phentropy

- How random is random?
  - “Eyeballing the numbers”
  - Statistical tests à la Diehard
- Visualization of entropy can be a powerful tool
  - "Management buy-in" -- undeniable results
  - "You can show a system to be buggy, but not bug-free"
- Zalewski showed “Strange Attractors” effectively visualize many forms of entropy

Page 24: OpenQVIS

- Genuinely revolutionary volumetric renderer
- Uses GPU resources to gain order-of-magnitude improvements in 3D volume rendering speeds
- Trivial to program for: stream your matrix to disk, write a trivial metafile
- Open source
- Phentropy
  - 1.x: Exclusively OpenQVIS
  - 2.x: Received patch for POV-Ray
  - 3.x: Mmmmm… mayascript

Page 25: Visualization

1: Select arbitrary data stream
2: Choose arbitrary character size (byte, dword, etc.)
3: Read four "characters" as integers
4: Calculate the three differences between the four values (A,B,C,D)
   Yes, these are first-order differentials
5: Treat the first value as X, second as Y, third as Z. Plot a point.
6: Return to Step 3

Page 26: Extracting Information

1) Select a data stream whose past we have a strange attractor graph against. Use the same basic “settings” as before.
2) Read three characters as integers (A,B,C).
3) Calculate the two differences between these three values (X,Y).
4) X and Y are fixed, leaving one dimension of freedom – Z. Draw a line.
5) Wherever the line intersects with an attractor, at some point there has been a collision at this difference in the past.
6) Add the difference to C. This is the predicted value of D.
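Steps 3 to 6 of the visualization and steps 2 to 6 of the extraction, carried through in Python as an added example (Phentropy itself renders with OpenQVIS; this is not its code). A Counter of (X, Y, Z) triples stands in for the volume, the cyclic-increment stream and the seeded 16-bit stream are constructed samples, and ranking candidate Z values by how often they occurred before is my assumption.

```python
import random
from collections import Counter


def build_attractor(stream):
    """Visualization steps 3-6: slide a window of four characters over the
    stream, take the three first-order differences and record each (X, Y, Z)
    point. The count is the point's density in the rendered volume."""
    points = Counter()
    for i in range(len(stream) - 3):
        a, b, c, d = stream[i:i + 4]
        points[(b - a, c - b, d - c)] += 1
    return points


def predict_next(attractor, a, b, c):
    """Extraction steps 2-6: X and Y are fixed by (A, B, C); walk the line along
    Z and collect every Z where the attractor has mass. Each hit yields a
    candidate D = C + Z, most frequently seen triple first."""
    x, y = b - a, c - b
    hits = sorted(((n, z) for (px, py, z), n in attractor.items()
                   if (px, py) == (x, y)), reverse=True)
    return [c + z for _, z in hits]


def prediction_accuracy(stream, training):
    """Build the attractor from the first `training` characters, then check how
    often the top candidate equals the real next value over the rest."""
    attractor = build_attractor(stream[:training])
    correct = tested = 0
    for i in range(training, len(stream) - 3):
        a, b, c, d = stream[i:i + 4]
        guess = predict_next(attractor, a, b, c)
        tested += 1
        if guess and guess[0] == d:
            correct += 1
    return correct / tested


def weak_stream(n, start=1000, cycle=(5, 12, 9, 3)):
    """Constructed sample: a counter whose increment cycles through four values,
    the kind of 'incrementing with a twist' generator that renders as a handful
    of bright points rather than a cloud."""
    out, v = [], start
    for i in range(n):
        out.append(v)
        v += cycle[i % len(cycle)]
    return out


def random_stream(n, seed=7):
    """Constructed sample with a fixed seed so the comparison is reproducible."""
    rng = random.Random(seed)
    return [rng.getrandbits(16) for _ in range(n)]
```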

Page 27: SSL vs. IDS: The Eternal Conflict

- SSL annoys me.
  - Certificate compromise is extraordinarily damaging – all past data lost, all future data lost, attacker only needs to passively monitor or sniff
- IDS annoys me.
  - “We're under attack!” “That's nice, dear.”
- I respect those who have faith in both
- The conflict between the two annoys me most!

Page 28: Some Choice

- IDS monitors the network traffic between the trusted and the untrusted, watching for attacks
- SSL encrypts the network traffic between the trusted and the untrusted, blinding all watchers except for the presumably vulnerable endpoint
- Choice: suppress passive and suffer active, or suppress active and suffer passive.
- Ouch.

Page 29: Auditing SSL

- Like most PKI systems, SSL uses asymmetric crypto to securely transmit a small amount of data for symmetric cryptosystems
- The amount is small, but not minimal
  - The negotiated master secret is segmented into no less than four and possibly up to six independent crypto keys
- "Very very bad if master secret gets compromised -- all is lost!"
  - No, all is lost if the certificate is lost :-)
  - Master secret is not atomic

Page 30: Selective Security Centralization for SSL-Encrypted Traffic

- Master Secret serves six keys:
  - Two handle encryption from client to server and vice versa
  - Two handle authentication from client to server and vice versa
  - Two handle initialization vectors from client to server and vice versa (3DES-CBC)
  - These keys are completely independent
- Selective Centralized Monitoring of SSL-Encrypted Traffic
  - Since we have independent keys for independent traffic, we can transfer just the client-to-server encryption key to the IDS -- it'll pick up the traffic from the insecure side of the network, without being able to intercept presumably secure (or at least mandatorily unshareable) content.
  - IDS doesn't need to do RSA -- just pick up keys on an encrypted channel
  - Key transfer occurs before data transfer -- can disauthorize traffic
  - IV may introduce interesting capability -- read traffic *after* highly sensitive exchange (authentication credentials)
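How the master secret turns into six independent keys, as an added Python example following the SSL 3.0 key_block expansion of RFC 6101 section 6.2.2 (not Paketto code). The sizes are those of 3DES-CBC with SHA-1 (20-byte MAC secret, 24-byte key, 8-byte IV); the sample master secret and randoms are constructed and the function names are mine.

```python
import hashlib

KEY_NAMES = ("client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV")


def ssl3_key_block(master_secret, server_random, client_random, length):
    """key_block = MD5(ms + SHA('A' + ms + sr + cr)) + MD5(ms + SHA('BB' + ...))
    + MD5(ms + SHA('CCC' + ...)) + ..., truncated to the bytes the cipher suite
    needs. Every byte depends on the whole master secret, but no slice reveals
    another slice."""
    out = b""
    for i in range(1, 64):
        if len(out) >= length:
            break
        salt = bytes([ord("A") + i - 1]) * i          # 'A', 'BB', 'CCC', ...
        inner = hashlib.sha1(salt + master_secret + server_random + client_random).digest()
        out += hashlib.md5(master_secret + inner).digest()
    return out[:length]


def split_keys(key_block, hash_size, key_material, iv_size):
    """Partition the key block in the order the specification fixes. A stream
    cipher such as RC4 has iv_size 0, which is the 'no less than four' case."""
    sizes = (hash_size, hash_size, key_material, key_material, iv_size, iv_size)
    keys, pos = {}, 0
    for name, size in zip(KEY_NAMES, sizes):
        keys[name] = key_block[pos:pos + size]
        pos += size
    return keys


def monitor_share(keys):
    """What the slide proposes handing to the IDS: only the client-to-server
    encryption key and its IV. The MAC secrets and the server's keys stay on the
    endpoint, so the monitor can read the untrusted side but neither read the
    server's replies nor forge a record that would verify."""
    return {name: keys[name] for name in ("client_write_key", "client_write_IV")}


def derive_3des_sha_keys(master_secret, server_random, client_random):
    """Convenience wrapper for the 3DES-CBC / SHA-1 suite: 2*(20+24+8) = 104 bytes."""
    block = ssl3_key_block(master_secret, server_random, client_random, 104)
    return split_keys(block, 20, 24, 8)


# Constructed sample values (real ones come from the handshake).
SAMPLE_MS = bytes(range(48))
SAMPLE_SR = bytes([0x01]) * 32
SAMPLE_CR = bytes([0x02]) * 32
```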

Page 31: Alternative Approaches

- Certificate transfer
  - IDS gets a copy of the cert
  - Violates the 1st Law of Private Keys: Thou Shalt Not Transport Thy Private Key
  - Adds RSA decryption load to the IDS, which is already scrounging for cycles
  - ssldump can be pressed into service today to support this for SSL3
  - Attack: switch to SSL2

Page 32: Alternative Approaches (2)

- Mix IDS w/ inline SSL accelerators
  - IDS lives between accelerator and server farm
  - IDSs are famously DoSable – use a hubbed net
  - Servers never see cryptography (can't make any decisions based on it)
  - Issues with HTTP rewriting
  - Puts plaintext on a wire

Page 33: Alternative Approaches (3)

- Plaintext forwarding
  - “I got this message from a user…”
  - Optionally: “Should I respond?”
    - Adds latency if each message needs to be authenticated
  - Relatively high bandwidth
  - Doesn't require interfacing with crypto engine, or even web server
  - Can be built into web applications, which are necessarily passed the web request of the client
  - Totally immune to dissynchrony
  - Can be even more selective about what traffic to expose / verify

Page 34: Questions

- What's needed?
- What's unneeded?