Covert Tunnels in your Network
Next Generation Network Warfare
David Gordon
Gabriel Girard
Université de Sherbrooke
Goal
• This presentation covers creating hidden tunnels to bypass firewalls and IDS, as well as techniques that could be used for industrial espionage. The goal is to inform and to open a discussion on how to secure your network against this threat.
Contents
• Tunneling
• Covert tunneling
– Simple examples: HTTP, DNS
– Live traffic hijacking
• Proof of concept: Tentun
– Plug-ins
What is tunneling?
Mailbox Example
Tunneling is similar to sending internal mail between two branches of a company.
Internal mail is re-packaged at branch A to reach branch B. This is the tunnel.
Once the package has reached branch B, it is opened and the internal mail is routed to its intended address.
Mailbox Example (figure: two LANs exchanging internal mail, wrapped as public mail while it travels through the tunnel)
Legitimate Tunneling
L2TP
SSL, VPN, IPv6
PPTP, IPSec
…
What they don’t show about tunneling
Hacking the network stack for fun and profit
Covert Tunnels 101
• Legitimate tunnel: encapsulating data with a protocol meant to bypass a public network for functional or private reasons
• Covert tunnel: hiding data within other data meant to bypass all notice
Covert Tunnels 101
• Part I: Generate your own traffic
– Create data to hide your information
• Part II: Hijacking live traffic
– Use existing data to hide your information
Two types of covert tunnels
Part I: Generate Your Own Traffic
Covert Tunneling for DUMMIES
Covert Tunneling
• Setup client/server endpoints
• Generate your own traffic to create tunnels
• Hide data in:
– Fake HTTP requests/answers
– Fake DNS requests/answers
– Etc.
Testing the Tunnel
• Two hosts
– Core1: 192.168.211.2 and 192.168.146.2
– Hive: 192.168.211.3 and 192.168.146.3
• Pinging the other host through different covert tunnels
Covert HTTP Tunnels
HTTP/1.1 200 OK
Server: Apache/1.3.12 (Unix) mod_perl/1.23
Accept-Ranges: bytes
Content-Length: 216
Connection: close
Content-Type: image/jpeg
E%00%00TB%a6%00%00%40%01%10%ac%c0%a8%d3%02%c0%a8%d3%03%00%00%09%0e%9c%07%00%01K%d4%b8B_%cf%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567
GET /cgi-bin/db_query?param1=foo&param2=bar&encap_data=E%00%00T%00%00%40%00%40%01%13R%c0%a8%d3%03%c0%a8%d3%02%08%00%83%eb%9c%07%00%02L%d4%b8B%db%f0%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567 HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla (X11; I; Linux 2.0.32 i586)
Host: www.google.ca
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Charset: iso-8859-1,*,utf-8
(figure labels: HTTP Reply, HTTP Get, Ping request, Ping reply)
Covert HTTP Tunnels
• No attempt to hide data: append after the HTTP header
• Minimal hiding: include data within HTTP header with bogus data
• ‘Invisible’: use your imagination, e.g. steganography using a GIF for HTTP
Covert DNS Tunnels
• DNS Query
– DNS Header
– DNS Message
• DNS Answer
– DNS Header
– Query
– Answer
Covert DNS Tunnels
0000 00 66 00 00 01 00 00 01 00 00 00 00 00 00 54 45 .f............TE
0010 00 00 54 3f 96 00 00 40 01 13 bc c0 a8 d3 03 c0 ..T?...@........
0020 a8 d3 02 00 00 23 8d 3b 06 00 01 c5 b1 01 43 ed .....#.;......C.
0030 73 02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 s...............
0040 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 ........... !"#$
0050 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 %&'()*+,-./01234
0060 35 36 37 00 00 01 00 01 567.....
DNS QUERY (figure labels: ICMP echo request, DNS Header, DNS Tail)
Covert DNS Tunnels
DNS ANSWER
0000 00 76 00 00 85 80 00 01 00 01 00 00 00 00 54 45 .v............TE
0010 00 00 54 00 00 40 00 40 01 13 52 c0 a8 d3 02 c0 ..T..@.@..R.....
0020 a8 d3 03 08 00 4c d6 3b 06 00 03 c7 b1 01 43 b9 .....L.;......C.
0030 28 03 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 (...............
0040 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 ........... !"#$
0050 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 %&'()*+,-./01234
0060 35 36 37 00 00 01 00 01 c0 0c 00 01 00 01 00 00 567.............
0070 09 60 00 04 d8 ef 33 64 .`....3d
(figure labels: DNS Header, DNS Tail, ICMP echo reply)
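The HTTP and DNS captures above can be checked statelessly, which is what the closing slides ask of IDS and firewalls. The following Python is an added example written for this page, not code from the talk or from Tentun. It rebuilds the DNS query from the slide's hex dump and applies the RFC 1035 rule that a label is at most 63 octets (the label here is 84 octets long); it then percent-decodes the `encap_data` parameter of the GET and the `image/jpeg` reply body and checks whether each is a complete IPv4 packet with a valid header checksum, which is the case for both, between 192.168.211.2 and 192.168.211.3. The JPEG magic-number check and all function names are my own; the three captures are copied from the slides.

```python
import re
import struct
import ipaddress
from urllib.parse import unquote_to_bytes

# Copied from the slides: the DNS query dump, the GET request line and the image/jpeg reply body.
DNS_QUERY_DUMP = """
0000 00 66 00 00 01 00 00 01 00 00 00 00 00 00 54 45 .f............TE
0010 00 00 54 3f 96 00 00 40 01 13 bc c0 a8 d3 03 c0 ..T?...@........
0020 a8 d3 02 00 00 23 8d 3b 06 00 01 c5 b1 01 43 ed .....#.;......C.
0030 73 02 00 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 s...............
0040 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 23 24 ........... !"#$
0050 25 26 27 28 29 2a 2b 2c 2d 2e 2f 30 31 32 33 34 %&'()*+,-./01234
0060 35 36 37 00 00 01 00 01 567.....
"""
HTTP_GET_LINE = ("GET /cgi-bin/db_query?param1=foo&param2=bar&encap_data=E%00%00T%00%00%40%00%40%01%13R"
                 "%c0%a8%d3%03%c0%a8%d3%02%08%00%83%eb%9c%07%00%02L%d4%b8B%db%f0%0c%00%08%09%0a%0b%0c%0d"
                 "%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e%1f+%21%22%23%24%25%26%27%28%29*"
                 "%2b%2c-.%2f01234567 HTTP/1.0")
HTTP_REPLY_BODY = ("E%00%00TB%a6%00%00%40%01%10%ac%c0%a8%d3%02%c0%a8%d3%03%00%00%09%0e%9c%07%00%01K%d4"
                   "%b8B_%cf%0c%00%08%09%0a%0b%0c%0d%0e%0f%10%11%12%13%14%15%16%17%18%19%1a%1b%1c%1d%1e"
                   "%1f+%21%22%23%24%25%26%27%28%29*%2b%2c-.%2f01234567")

def hexdump_to_bytes(dump):
    """Rebuild raw bytes from an 'offset  hex pairs  ascii' dump; the hex column is at most 16 pairs."""
    out = bytearray()
    for line in dump.strip().splitlines():
        m = re.match(r"^[0-9a-f]{4}\s+((?:[0-9a-f]{2}\s){1,16})", line.strip() + " ")
        out += bytes.fromhex(m.group(1))
    return bytes(out)

def ip_checksum(hdr):
    """RFC 791 one's-complement checksum; 0 means the checksum stored in hdr verifies."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def carried_ipv4_packet(buf):
    """(src, dst, protocol) if buf is a whole IPv4 packet with a valid header checksum, else None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or struct.unpack("!H", buf[2:4])[0] != len(buf) or ip_checksum(buf[:ihl]) != 0:
        return None
    return str(ipaddress.IPv4Address(buf[12:16])), str(ipaddress.IPv4Address(buf[16:20])), buf[9]

def parse_dns_name(msg, off, strict=True):
    """Labels of the name at msg[off] and the offset after it; strict applies the RFC 1035 63-octet limit."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return labels, off
        if n & 0xC0 == 0xC0:  # compression pointer; it must point backwards or the walk could loop
            ptr = ((n & 0x3F) << 8) | msg[off]
            if ptr >= off - 1:
                raise ValueError("forward compression pointer")
            return labels + parse_dns_name(msg, ptr, strict)[0], off + 1
        if strict and n > 63:  # length octets 64..191 are reserved in RFC 1035, not plain labels
            raise ValueError("label length %d exceeds 63" % n)
        labels.append(bytes(msg[off:off + n]))
        off += n

def inspect_dns_query(frame):
    """Stateless check of a length-prefixed DNS message: RFC 1035 name rules, and any label that is a whole IPv4 packet."""
    length = struct.unpack("!H", frame[:2])[0]
    msg = frame[2:2 + length]
    report = {"length_ok": length == len(frame) - 2, "rfc1035_ok": True, "carried": None}
    try:
        parse_dns_name(msg, 12, strict=True)
    except ValueError as err:
        report["rfc1035_ok"], report["reason"] = False, str(err)
    for label in parse_dns_name(msg, 12, strict=False)[0]:
        report["carried"] = report["carried"] or carried_ipv4_packet(label)
    return report

def decode_form_value(value):
    """Form-encoded percent-decoding: '+' stands for a space, %XX for one byte."""
    return unquote_to_bytes(value.replace("+", " "))

def inspect_http_request_line(request_line):
    """Decode each query parameter of a GET and report the ones whose value is a complete IPv4 packet."""
    query = request_line.split()[1].partition("?")[2]
    findings = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        pkt = carried_ipv4_packet(decode_form_value(value))
        if pkt:
            findings[name] = pkt
    return findings

def body_matches_content_type(content_type, body):
    """Magic-number check: a body declared image/jpeg has to start with FF D8 FF."""
    magics = {"image/jpeg": b"\xff\xd8\xff", "image/gif": b"GIF8", "image/png": b"\x89PNG"}
    magic = magics.get(content_type.split(";")[0].strip().lower())
    return magic is None or body.startswith(magic)
```

`inspect_dns_query(hexdump_to_bytes(DNS_QUERY_DUMP))` reports the message as consistent with its length prefix but failing RFC 1035, with a carried packet from 192.168.211.3 to 192.168.211.2, protocol 1 (ICMP); `inspect_http_request_line(HTTP_GET_LINE)` flags `encap_data` the same way, and `body_matches_content_type("image/jpeg", decode_form_value(HTTP_REPLY_BODY))` is false because the "JPEG" begins with the ASCII letter E of an IPv4 header. The checksum-plus-length test is deliberately strict so that ordinary long query strings and base64 blobs do not trip it; a tunnel that encrypts or re-encodes its payload, as the later slides suggest, needs other signals such as label entropy or query volume.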
Covert ICMP Tunnels
• Append data at the end of ICMP packets
• Firewall traversal if ICMP allowed
Part II: Hijacking Live Traffic
Covert Tunneling for SMARTER DUMMIES
Comparison
• 98% of covert tunnels will most likely be generated (part I)
• 2% of covert tunnels might go to the trouble of piggybacking on legitimate traffic, in my humble opinion (part II)
What SMARTER DUMMIES might do
• Live traffic hijacking
• Packet interception/modification methods
• TCP tunnel
• Other possible tunnels
Live Traffic Hijacking
• Close quarters: the rootkit
• In the neighbourhood: ARP cache poisoning
• Man in the middle: Router takeover
On the victim’s side
Live Traffic Hijacking
ARP cache poisoning (figure: Router, Victim and You on a Switched LAN)
Packet Interception
• Route target traffic to loopback, sniff with your app, re-transmit on the public LAN
– Thanks to Dug Song
• TUN/TAP device
– Thanks to Max Krasnyanski
• Network stack filters
– Kernel sniffer
– Linux netfilter
Packet Modification
• Don’t break the packet… or do we?
– Creating duplicate packets
• Preserving original data stream
TCP Tunnel
• End of option list
– Fill in the padding
• Rowland
– The IP packet identification field
– The TCP initial sequence number field
– The TCP acknowledged sequence number field
TCP Tunnel
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Acknowledgment Number                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data |           |U|A|P|R|S|F|                               |
   | Offset| Reserved  |R|C|S|S|Y|I|            Window             |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |         Urgent Pointer        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Other Possible Tunnels
• V6 protocols
– IPv6 Destination Field
– ICMPv6
• UDP Tunnel
Hidden Tunnels Are An Art
• Steganography
– Higher bandwidth required
• Traffic shaping
• Encryption
– Performance hit
• Randomization
– Randomizing HTTP requests
Proof of Concept
Tentun
Tentun
• Engine
• Plugins
• Current Features
• Planned Features
• https://sourceforge.net/projects/tentun/
Proposed Solutions
Proposed Solutions
• Stateless investigation of packets at IDS and firewall level
• Routers and O/S should zero padding areas
• Focus more on IDS and firewall cooperation
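To make the "End of option list – Fill in the padding" tunnel from the TCP Tunnel slide and the "Routers and O/S should zero padding areas" proposal concrete, here is an added example in Python. It is not code from the talk or from Tentun. It builds a constructed SYN whose options end with an End-of-Option-List octet followed by three non-zero bytes (a compliant receiver ignores everything after EOL, which is why those bytes can carry data), shows the stateless check a filter can apply, and performs the normalisation the slide proposes: overwrite the post-EOL bytes with zeros and recompute the TCP checksum so the segment stays valid for the real endpoints. The 10.0.0.1/10.0.0.2 endpoints, the `SOS` payload and all function names are constructed for this example.

```python
import struct
import ipaddress

# Constructed endpoints for the checksum pseudo-header (not the slides' Core1/Hive test hosts).
SRC_IP, DST_IP = "10.0.0.1", "10.0.0.2"

def ones_complement_sum(data):
    """16-bit one's-complement sum, as used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src, dst, segment):
    """RFC 793 checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src, dst, segment):
    return tcp_checksum(src, dst, segment) == struct.unpack("!H", segment[16:18])[0]

def build_syn(src, dst, options):
    """Constructed SYN segment carrying the given options block (already a multiple of 4 bytes)."""
    assert len(options) % 4 == 0
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]

def option_padding(segment):
    """Bytes of the options area after an End-of-Option-List (kind 0); b'' when there is no EOL.
    Receivers never look at these bytes, which is exactly what lets them carry hidden data."""
    end = (segment[12] >> 4) * 4
    opts = segment[20:end]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            return opts[i + 1:]
        if kind == 1:  # NOP is a single octet
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break      # malformed option length: stop rather than loop forever
        i += opts[i + 1]
    return b""

def padding_is_zero(segment):
    return not any(option_padding(segment))

def zero_padding(src, dst, segment):
    """The normalisation the slides propose for routers and OSes: overwrite the post-EOL
    padding with zeros and recompute the checksum so the segment remains valid."""
    pad = option_padding(segment)
    if not pad:
        return segment
    end = (segment[12] >> 4) * 4
    clean = segment[:end - len(pad)] + bytes(len(pad)) + segment[end:]
    return clean[:16] + struct.pack("!H", tcp_checksum(src, dst, clean)) + clean[18:]

# MSS option, then EOL, then three bytes no compliant stack ever reads (constructed covert payload).
HIDDEN = b"SOS"
COVERT_SYN = build_syn(SRC_IP, DST_IP, b"\x02\x04\x05\xb4" + b"\x00" + HIDDEN)
# MSS, NOP, window scale: the options fill the area exactly, so there is no padding to hide in.
CLEAN_SYN = build_syn(SRC_IP, DST_IP, b"\x02\x04\x05\xb4" + b"\x01\x03\x03\x07")

if __name__ == "__main__":
    print("hidden bytes:", option_padding(COVERT_SYN))
    fixed = zero_padding(SRC_IP, DST_IP, COVERT_SYN)
    print("after normalisation:", option_padding(fixed), "checksum ok:", checksum_ok(SRC_IP, DST_IP, fixed))
```

`option_padding(COVERT_SYN)` returns the three hidden bytes and `padding_is_zero` is false, while the clean SYN passes; after `zero_padding` the padding reads as zeros and `checksum_ok` still holds, so the endpoints see a valid segment but the tunnel's bytes are gone. The same non-zero-padding test is a useful stateless IDS signature on its own, since legitimate stacks emit zeros there.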
Thank you