Covert Tunnels in your Network Next Generation Network Warfare David Gordon Gabriel Girard Universite de Sherbrooke


Page 1

Covert Tunnels in your Network

Next Generation Network Warfare

David Gordon

Gabriel Girard

Universite de Sherbrooke

Page 2

Goal

• This presentation covers creating hidden tunnels that bypass firewalls and IDS, as well as techniques that may be used for industrial espionage. The goal is to inform and to open a discussion on how to secure your network against this threat.

Page 3

Contents

• Tunneling

• Covert tunneling
  – Simple examples: HTTP, DNS
  – Live traffic hijacking

• Proof of concept: Tentun
  – Plug-ins

Page 4

What is tunneling?

Page 5

Mailbox Example

Tunneling is similar to sending internal mail between two branches of a company.

Internal mail is re-packaged at branch A to reach branch B. This is the tunnel.

Once the package has reached branch B, it is opened and the internal mail is routed to its intended address.

Page 6

Mailbox Example (diagram: two LANs exchange internal mail; between them it travels as public mail through the tunnel)

Page 7

Legitimate Tunneling

Examples: L2TP, SSL, VPN, IPv6, PPTP, IPSec

Page 8

What they don’t show about tunneling

Hacking the network stack for fun and profit

Page 9

Covert Tunnels 101

• Legitimate tunnel: encapsulating data with a protocol meant to bypass a public network for functional or private reasons

• Covert tunnel: hiding data within other data meant to bypass all notice

Page 10

Covert Tunnels 101

Two types of covert tunnels

• Part I: Generate your own traffic
  – Create data to hide your information

• Part II: Hijacking live traffic
  – Use existing data to hide your information

Page 11

Part I: Generate Your Own Traffic

Covert Tunneling for DUMMIES

Page 12

Covert Tunneling

• Setup client/server endpoints

• Generate your own traffic to create tunnels

• Hide data in:
  – Fake HTTP requests/answers
  – Fake DNS requests/answers
  – Etc.

Page 13

Testing the Tunnel

• Two hosts
  – Core1: 192.168.211.2 and 192.168.146.2
  – Hive: 192.168.211.3 and 192.168.146.3

• Pinging the other host through different covert tunnels

Page 14

Covert HTTP Tunnels

HTTP/1.1 200 OK

Server: Apache/1.3.12 (Unix) mod_perl/1.23

Accept-Ranges: bytes

Content-Length: 216

Connection: close

Content-Type: image/jpeg

E%00%00TB%a6%00%00%40%01%10%ac%c0%a8%d3%02%c0%a8%d3%03%00%00%09%0e%9c%07%00%01K%d4%b8B_%cf%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567

..GET /cgi-bin/db_query?param1=foo&param2=bar&encap_data=E%00%00T%00%00%40%00%40%01%13R%c0%a8%d3%03%c0%a8%d3%02%08%00%83%eb%9c%07%00%02L%d4%b8B%db%f0%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567 HTTP/1.0

Connection: Keep-Alive

User-Agent: Mozilla (X11; I; Linux 2.0.32 i586)

Host: www.google.ca

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*

Accept-Encoding: gzip

Accept-Charset: iso-8859-1,*,utf-8

(Callouts: the HTTP reply above carries the ping reply; the HTTP GET carries the ping request.)

Page 15

Covert HTTP Tunnels

• No attempt to hide data: append after the HTTP header

• Minimal hiding: include data within HTTP header with bogus data

• ‘Invisible’: use your imagination, e.g. steganography, hiding the data in a GIF served over HTTP
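As an added, defender-side example that is not part of the slides or of Tentun: a Python check that URL-decodes each query-string value of the captured GET above and reports the values that parse as an IPv4 packet with a valid header checksum, which is how a stateless IDS rule could catch the "no attempt to hide" variant. The request line is copied from the slide; the function names and the protocol table are assumptions.

```python
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample: the request line of the HTTP GET captured on the slide.
# The encap_data value is a URL-encoded IPv4/ICMP packet ('+' encodes a space, 0x20).
SAMPLE_REQUEST_LINE = (
    "GET /cgi-bin/db_query?param1=foo&param2=bar&encap_data="
    "E%00%00T%00%00%40%00%40%01%13R%c0%a8%d3%03%c0%a8%d3%02%08%00%83%eb%9c%07"
    "%00%02L%d4%b8B%db%f0%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16"
    "%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567"
    " HTTP/1.0"
)

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_header_checksum_ok(header: bytes) -> bool:
    """One's-complement sum of the whole header, checksum field included, must be 0xFFFF."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def dotted(addr: bytes) -> str:
    return ".".join(str(octet) for octet in addr)


def parse_ipv4_header(blob: bytes):
    """Return (protocol, src, dst) if blob starts with a consistent IPv4 header, else None."""
    if len(blob) < 20 or blob[0] >> 4 != 4:
        return None
    ihl = (blob[0] & 0x0F) * 4
    total_length = int.from_bytes(blob[2:4], "big")
    if ihl < 20 or not ihl <= total_length <= len(blob):
        return None
    if not ipv4_header_checksum_ok(blob[:ihl]):
        return None            # ordinary form data almost never passes the checksum test
    return PROTOCOLS.get(blob[9], str(blob[9])), dotted(blob[12:16]), dotted(blob[16:20])


def find_encapsulated_packets(request_line: str):
    """Decode every query-string value of a request line; report those that are IPv4 packets."""
    target = request_line.split(" ")[1]
    hits = []
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        blob = unquote_to_bytes(value.replace("+", " "))   # form encoding: '+' stands for space
        parsed = parse_ipv4_header(blob)
        if parsed:
            hits.append((name,) + parsed)
    return hits
```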

Page 16

Covert DNS Tunnels

• DNS Query
  – DNS Header
  – DNS Message

• DNS Answer
  – DNS Header
  – Query
  – Answer

Page 17

Covert DNS Tunnels

0000 00 66 00 00 01 00 00 01 00 00 00 00 00 00 54 45 .f............TE

0010 00 00 54 3f 96 00 00 40 01 13 bc c0 a8 d3 03 c0 ..T?...@........

0020 a8 d3 02 00 00 23 8d 3b 06 00 01 c5 b1 01 43 ed .....#.;......C.

0030 73 02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 s...............

0040 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 ........... !"#$

0050 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 %&'()*+,-./01234

0060 35 36 37 00 00 01 00 01 567.....

DNS QUERY (callouts: DNS header, ICMP echo request, DNS tail)

Page 18

Covert DNS Tunnels

DNS ANSWER

0000 00 76 00 00 85 80 00 01 00 01 00 00 00 00 54 45 .v............TE

0010 00 00 54 00 00 40 00 40 01 13 52 c0 a8 d3 02 c0 ..T..@.@..R.....

0020 a8 d3 03 08 00 4c d6 3b 06 00 03 c7 b1 01 43 b9 .....L.;......C.

0030 28 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 (...............

0040 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 ........... !"#$

0050 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 %&'()*+,-./01234

0060 35 36 37 00 00 01 00 01 c0 0c 00 01 00 01 00 00 567.............

0070 09 60 00 04 d8 ef 33 64 .`....3d

(Callouts: DNS header, DNS tail, ICMP echo reply)
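Added example, not the authors' code: the same kind of stateless check for the DNS variant, run over the query dump above. It flags a QNAME label longer than the 63 bytes RFC 1035 allows, bytes that cannot occur in a hostname, and a label that begins with an IPv4 header; the answer's question section carries the same 84-byte label and trips the same checks. Treating the two leading bytes of the dump as a length prefix is an assumption drawn from the dump itself (0x0066 equals the remaining byte count), and the function names are assumptions too.

```python
import string

# Constructed sample: the DNS QUERY hex dump from the slide (ICMP echo carried inside the name).
DNS_QUERY = bytes.fromhex("""
00 66 00 00 01 00 00 01 00 00 00 00 00 00 54 45
00 00 54 3f 96 00 00 40 01 13 bc c0 a8 d3 03 c0
a8 d3 02 00 00 23 8d 3b 06 00 01 c5 b1 01 43 ed
73 02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14
15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24
25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34
35 36 37 00 00 01 00 01
""")

# Bytes a hostname label may contain (letters, digits, hyphen; underscore tolerated for SRV-style names).
HOSTNAME_BYTES = frozenset((string.ascii_letters + string.digits + "-_").encode())
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def strip_length_prefix(frame: bytes) -> bytes:
    """Assumption: the dump starts with a 2-byte big-endian count equal to the remaining
    length (TCP-style DNS framing). Drop it so offsets match the wire message."""
    if len(frame) >= 2 and int.from_bytes(frame[:2], "big") == len(frame) - 2:
        return frame[2:]
    return frame


def inspect_question_name(msg: bytes):
    """Walk the first QNAME (it starts at offset 12) and return (labels, findings)."""
    labels, findings, off = [], [], 12
    while off < len(msg):
        ln = msg[off]
        if ln == 0 or ln & 0xC0 == 0xC0:          # root label, or a compression pointer
            break
        label = msg[off + 1:off + 1 + ln]
        labels.append(label)
        if ln > 63:
            findings.append(f"label of {ln} bytes exceeds the RFC 1035 maximum of 63")
        odd = sum(b not in HOSTNAME_BYTES for b in label)
        if odd:
            findings.append(f"{odd} of {ln} label bytes are not hostname characters")
        if ln >= 20 and label[0] == 0x45:          # version 4, IHL 5: IPv4 header at label start
            findings.append(f"label starts like an IPv4 header carrying {PROTOCOLS.get(label[9], label[9])}")
        off += 1 + ln
    return labels, findings
```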

Page 19

Covert ICMP Tunnels

• Append data at the end of ICMP packets

• Firewall traversal if ICMP allowed

Page 20

Part II: Hijacking Live Traffic

Covert Tunneling for SMARTER DUMMIES

Page 21

Comparison

• 98% of covert tunnels will most likely be generated (part I)

• 2% of covert tunnels might go to the trouble of piggybacking on legitimate traffic, in my humble opinion (part II)

Page 22

What SMARTER DUMMIES might do

• Live traffic hijacking

• Packet interception/modification methods

• TCP tunnel

• Other possible tunnels

Page 23

Live Traffic Hijacking

On the victim’s side:

• Close quarters: the rootkit

• In the neighbourhood: ARP cache poisoning

• Man in the middle: Router takeover

Page 24

Live Traffic Hijacking: ARP cache poisoning (diagram: router, victim and attacker on a switched LAN)

Page 25

Packet Interception

• Route target traffic to loopback, sniff with your app, re-transmit on the public LAN
  – Thanks to Dug Song

• TUN/TAP device
  – Thanks to Max Krasnyanski

• Network stack filters
  – Kernel sniffer
  – Linux netfilter

Page 26

Packet Modification

• Don’t break the packet… or do we?
  – Creating duplicate packets

• Preserving original data stream

Page 27

TCP Tunnel

• End of option list
  – Fill in the padding

• Rowland
  – The IP packet identification field
  – The TCP initial sequence number field
  – The TCP acknowledged sequence number field

Page 28

TCP Tunnel

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgment Number                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Page 29

Other Possible Tunnels

• V6 protocols
  – IPv6 Destination Field
  – ICMPv6

• UDP Tunnel

Page 30

Hidden Tunnels Are An Art

• Steganography
  – Higher bandwidth required

• Traffic shaping

• Encryption
  – Performance hit

• Randomization
  – Randomizing HTTP requests

Page 31

Proof of Concept

Tentun

Page 32

Tentun

• Engine

• Plugins

• Current Features

• Planned Features

• https://sourceforge.net/projects/tentun/

Page 33

Proposed Solutions

Page 34

Proposed Solutions

• Stateless investigation of packets at IDS and firewall level

• Routers and O/S should zero padding areas

• Focus more on IDS and firewall cooperation
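Added example, not from the slides or Tentun, of the "zero padding areas" proposal applied to the End-of-Option-List padding named on the TCP Tunnel slide: an option walker that isolates the bytes after EOL, a detection predicate for a stateless IDS, and the normalization a router or OS could apply. The SYN segment is constructed for the test, and the function names are assumptions.

```python
import struct


def option_padding(segment: bytes):
    """Walk the TCP options and return (padding_bytes, padding_offset): padding is everything
    between End-of-Option-List (kind 0) and the end of the header given by the data offset."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4
    if not 20 <= data_offset <= len(segment):
        raise ValueError("data offset outside the segment")
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                       # EOL: nothing after it is an option
            i += 1
            break
        if kind == 1:                       # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= data_offset or segment[i + 1] < 2:
            raise ValueError("malformed option")
        i += segment[i + 1]                 # every other option carries its own length
    return segment[i:data_offset], i


def has_nonzero_padding(segment: bytes) -> bool:
    """Detection check: any non-zero byte after EOL is a covert-channel candidate."""
    return any(option_padding(segment)[0])


def zero_padding(segment: bytes) -> bytes:
    """Normalization a router or OS could apply. Caveat: the TCP checksum covers the
    options, so a real device must recompute it after zeroing."""
    padding, start = option_padding(segment)
    return segment[:start] + bytes(len(padding)) + segment[start + len(padding):]


def build_syn(padding: bytes) -> bytes:
    """Constructed SYN 40000->80: MSS 1460 option, EOL, then three padding bytes (data offset 7)."""
    options = bytes([2, 4, 0x05, 0xB4, 0]) + padding
    if len(options) % 4:
        raise ValueError("options must end on a 32-bit boundary")
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset_words << 4, 0x02, 65535, 0, 0)
    return header + options
```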

Page 35

Thank you