The Cynical Trust Model

Post on 28-Jul-2015


Transcript of The Cynical Trust Model

The Cynical Trust Model

James Arlen - @myrcurial Lee Brotherston - @synackpse

no disclaimer necessary (for a change)

TRUST

TRUST IS EASY

Networks

Providers

SaaS

IaaS

*aaS

Hardware

Software

Staff

Consultants

Regulators

Auditors

MITM

Detection

How, what, why, when?

Capture all the Packets

PCAP Tools: tcpdump, wireshark, tshark, mergecap, tcpslice, tcptrace, captcp, ntop, pcapdiff, tcpflow, snort

Normal flow (Client <-> Server):

Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Client -> Server: HTTP Request
Server -> Client: HTTP Response (Header & Data)
Server -> Client: More Data...

Injected flow (Client <-> Server, with something else answering in between):

Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Client -> Server: HTTP Request
Client <- ???: RST/PSH/ACK carrying an HTTP Response (the injected segment)
Server -> Client: ? (the real response, if one is ever sent: ??)

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Content-Script-Type: text/javascript
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: -1
Pragma: no-cache

<html>
<head>
<noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></noscript>
<title></title>
<script type="text/javascript">var version=2; var webServer="http://64.71.251.10";</script>
<script type="text/javascript" src="http://64.71.251.10/ByteCap-075-EO-English/index.js"></script>
</head>
<noscript><frameset><frame src="http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></frameset></noscript>
<body style="margin:0;">
<script type="text/javascript">Bulletin("policy=72&category=ByteCap-075&");</script>
</body>
</html>

Packet Headers

tcpdump:

    ip[6] = 0 and tcp[14:2] = 1

Wireshark / TShark:

    tcp.window_size_value eq 1 and ip.flags.df == 0

Snort:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337)
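The three filters above all test the same two header fields: the IP Don't Fragment bit and the TCP window. As an added example that is not part of the talk, the Python below applies that same signature to a small constructed capture: a normal handshake and request, one segment built the way the injected RST/PSH/ACK response appears on the slides (DF clear, window 1), and one genuine small-window segment that keeps DF set. Addresses (RFC 5737 ranges), port numbers and payloads are made up for the example. One caveat the code makes explicit: the tcpdump expression's `ip[6] = 0` requires the whole flags/fragment-offset byte to be zero and so also rejects fragmented (MF) packets, while the tshark and Snort filters test only the DF bit; the code follows the latter, which is `ip[6] & 0x40 = 0` in tcpdump terms.

```python
"""Flag TCP segments that match the slides' injection signature: IP DF bit clear and TCP window == 1."""
import struct
from ipaddress import IPv4Address

IP_DF = 0x4000                                   # Don't Fragment: bit 1 of the IPv4 flags/fragment-offset field
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FLAG_NAMES = [(TCP_SYN, "SYN"), (TCP_RST, "RST"), (TCP_PSH, "PSH"), (TCP_ACK, "ACK"), (TCP_FIN, "FIN")]


def build_ipv4_tcp(src, dst, sport, dport, flags, window, df=True, ttl=64, payload=b""):
    """Construct a minimal IPv4/TCP packet for testing (checksums left zero; only header fields matter here)."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport,
                          0x11111111, 0x22222222,       # seq / ack numbers (arbitrary)
                          5 << 4,                       # data offset: 5 words, no options
                          flags, window, 0, 0)          # flags, window, checksum, urgent pointer
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len,
                         0x1234, IP_DF if df else 0,    # identification, flags/fragment offset
                         ttl, 6, 0,                     # TTL, protocol 6 = TCP, checksum
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + tcp_hdr + payload


def tcp_flags_str(pkt):
    """Render the TCP flag byte as e.g. 'RST/PSH/ACK' (the combination shown on the slides)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags = pkt[ihl + 13]                            # tcp[13]: flag byte
    return "/".join(name for bit, name in FLAG_NAMES if flags & bit)


def suspected_injection(pkt):
    """Equivalent of tcpdump 'ip[6] & 0x40 = 0 and tcp[14:2] = 1',
    tshark 'tcp.window_size_value eq 1 and ip.flags.df == 0', Snort 'window:1; fragbits:!D;'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4:            # need IPv4 with at least a 20-byte TCP header
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                                  # ip[9]: protocol, 6 = TCP
        return False
    df_clear = (pkt[6] & 0x40) == 0                  # ip[6] & 0x40 is the DF bit (MF and offset ignored)
    (window,) = struct.unpack_from("!H", pkt, ihl + 14)   # tcp[14:2]: advertised window
    return df_clear and window == 1


def scan(packets):
    """Return (index, flags, window) for every packet in a capture that matches the signature."""
    hits = []
    for i, pkt in enumerate(packets):
        if suspected_injection(pkt):
            ihl = (pkt[0] & 0x0F) * 4
            hits.append((i, tcp_flags_str(pkt), struct.unpack_from("!H", pkt, ihl + 14)[0]))
    return hits


# Constructed capture (RFC 5737 documentation addresses): handshake, request, then one injected response.
CLIENT, SERVER = "198.51.100.23", "203.0.113.80"
SAMPLE_CAPTURE = [
    build_ipv4_tcp(CLIENT, SERVER, 3125, 80, TCP_SYN, 65535),
    build_ipv4_tcp(SERVER, CLIENT, 80, 3125, TCP_SYN | TCP_ACK, 28960),
    build_ipv4_tcp(CLIENT, SERVER, 3125, 80, TCP_ACK, 65535),
    build_ipv4_tcp(CLIENT, SERVER, 3125, 80, TCP_PSH | TCP_ACK, 65535,
                   payload=b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # Spoofed as the server: DF clear, window 1, RST/PSH/ACK, HTTP response in the same segment.
    build_ipv4_tcp(SERVER, CLIENT, 80, 3125, TCP_RST | TCP_PSH | TCP_ACK, 1, df=False,
                   payload=b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\n<html>injected</html>"),
    # A genuine small-window segment keeps DF set and is not flagged.
    build_ipv4_tcp(SERVER, CLIENT, 80, 3125, TCP_ACK, 1),
]

if __name__ == "__main__":
    for idx, flags, window in scan(SAMPLE_CAPTURE):
        print(f"packet {idx}: {flags} window={window} -> suspected TCP injection")
```

Only packet 4 is reported. Feeding real traffic in is a matter of handing `suspected_injection` the raw IPv4 bytes of each frame (for example from a pcap reader, after stripping the link-layer header); nothing in the check depends on the constructed sample.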

Fun with Firewalls

But wait, there’s more….

Injected flow, once more:

Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Client -> Server: HTTP Request
Client <- ???: RST/PSH/ACK carrying an HTTP Response (the injected segment)

And a flow that looks normal on the wire:

Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Client -> Server: HTTP Request
Server -> Client: HTTP Response (Header & Data)
Server -> Client: Data

HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Content-Script-Type: text/HTML
Connection: close

Tests

Retention Time:    rewrite ^(.*)$ /index.php;

OoB Indexing:      rewrite ^(.*)$ /index.php;

+ /etc/hosts

+ .htaccess

Document Format:   <html><head><title>Oh Hai</title></head>

Document Format:   <!doctype html><html><head><title>Oh Hai</title></head>

Mapping the Network

Traceroute: 8 bits of magic (the IP TTL field)

Probe sent with ttl=1 -> the first hop decrements it to 0 -> ttl expiry comes back
Probe sent with ttl=2 -> the second hop reports ttl expiry
Probe sent with ttl=3 -> ttl=3 -> ttl=2 -> ttl=1 -> reply from the destination

Two traces, one hop per line:

 2  7.40.72.1
 3  209.148.241.61
 4  66.185.81.221
 5  69.63.251.242
 6  69.63.249.26
 7  *

 2  7.40.72.1
 3  209.148.241.61
 4  *
 5  *
 6  69.63.249.26
 7  *

tcptraceroute

Intercept Portscanning

    # jot 65535 1 (BSD jot): the numbers 1..65535, i.e. every TCP port.
    # -f 4 / -m 5: start at TTL 4 and stop at TTL 5, so only the hops of interest are probed.
    # The log file is opened inside the loop so each port gets its own trace
    # (writing after `done` would send every trace to a single file named after the last port).
    for i in $(jot 65535 1); do
        tcptraceroute -f 4 -m 5 host "$i" >> "$i.log"
    done

 2  7.11.164.41
 3  66.185.90.37
 4  209.148.224.205
 5  209.148.224.242
 6  4.31.208.129

 2  7.11.164.41
 3  66.185.90.37
 4  209.148.224.214
 5  209.148.224.209
 6  209.148.228.218
 7  209.148.228.217
 8  209.148.224.254
 9  4.31.208.129

tcptraceroute redux

Intercept Portscanning Redux

    nmap -sS --ttl 64 host
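Probing every port produces thousands of traces; the work is comparing them against a baseline. As an added example that is not part of the talk, the Python below parses hop lists in the form tcptraceroute prints them and reports, per port, the first hop where a path leaves the baseline, how many extra hops it takes, and which hops went quiet. The sample data are the two pairs of traces printed on the slides. The talk does not say which port each trace was run against, so treating the shorter one as the baseline is an assumption made here, and a hop printed as `*` is treated as no evidence rather than as a different router, which is the caveat the second pair illustrates.

```python
"""Compare per-port tcptraceroute paths against a baseline to spot an in-path interceptor."""
import re
from typing import Dict, List, Optional

Path = Dict[int, Optional[str]]   # hop number -> responding address, None where the hop printed '*'

# Hop lists copied from the slides. Which port each was probed on is not stated;
# the shorter path is used as the baseline here (an assumption for this example).
BASELINE_PATH = "2 7.11.164.41 3 66.185.90.37 4 209.148.224.205 5 209.148.224.242 6 4.31.208.129"
PORT80_PATH = ("2 7.11.164.41 3 66.185.90.37 4 209.148.224.214 5 209.148.224.209 "
               "6 209.148.228.218 7 209.148.228.217 8 209.148.224.254 9 4.31.208.129")
# The other pair on the slides: the same routers answer, except hops 4 and 5 went silent.
FILTERED_A = "2 7.40.72.1 3 209.148.241.61 4 66.185.81.221 5 69.63.251.242 6 69.63.249.26 7 *"
FILTERED_B = "2 7.40.72.1 3 209.148.241.61 4 * 5 * 6 69.63.249.26 7 *"

HOP_RE = re.compile(r"(\d+)\s+(\*|\d{1,3}(?:\.\d{1,3}){3})")


def parse_hops(text: str) -> Path:
    """Parse '<hop> <address|*>' pairs as tcptraceroute prints them (one per line or all on one line)."""
    return {int(hop): (None if addr == "*" else addr) for hop, addr in HOP_RE.findall(text)}


def first_divergence(baseline: Path, probe: Path) -> Optional[int]:
    """Lowest hop where both paths answered but with different routers. A '*' on either side is not evidence."""
    for hop in sorted(baseline.keys() & probe.keys()):
        a, b = baseline[hop], probe[hop]
        if a is not None and b is not None and a != b:
            return hop
    return None


def silent_hops(baseline: Path, probe: Path) -> List[int]:
    """Hops that answered in the baseline but printed '*' (or are missing) in the probe: filtering, not a new path."""
    return [h for h, addr in sorted(baseline.items()) if addr is not None and probe.get(h) is None]


def intercept_report(baseline_text: str, probes: Dict[int, str]) -> Dict[int, dict]:
    """Per port: where the path leaves the baseline, how many extra hops it takes, and which hops went quiet."""
    base = parse_hops(baseline_text)
    report = {}
    for port, text in probes.items():
        path = parse_hops(text)
        report[port] = {
            "diverges_at": first_divergence(base, path),
            "extra_hops": len(path) - len(base),
            "silent": silent_hops(base, path),
        }
    return report


if __name__ == "__main__":
    for port, r in intercept_report(BASELINE_PATH, {80: PORT80_PATH}).items():
        print(f"port {port}: diverges at hop {r['diverges_at']}, "
              f"{r['extra_hops']} extra hops, silent hops {r['silent']}")
    a, b = parse_hops(FILTERED_A), parse_hops(FILTERED_B)
    print("filtered pair: divergence", first_divergence(a, b), "silent hops", silent_hops(a, b))
```

On the slide data the port-80 path leaves the baseline at hop 4 and takes three more hops to reach the same last router, while the second pair reports no divergence at all, only hops 4 and 5 dropping their replies. To use it on the logs the loop above produces, read each `<port>.log` into the `probes` dictionary keyed by port number.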

Which Interface?

My Server

Target: Me

Scapy:

    # One SYN per TTL from 1 to 30, from a spoofed source, with IP option 7 (Record Route) set,
    # sent on the chosen interface so the answering hop shows which interface the device listens on.
    sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")
          / IP(src="11.11.11.11", dst="55.55.55.55", ttl=(1, 30), options=IPOption(b'\x07'))
          / TCP(sport=3125, dport=80, flags="S"),
          iface="en1")

So, that network…

Internal Management LAN

extWebServer = "http://64.71.255.194";
intWebServer = "http://172.19.11.72";

Client -> Server: SYN
Server -> Client: SYN/ACK
Client -> Server: ACK
Client <- ???: RST/PSH/ACK (the injected segment)

Then send the request again with TTL = 1, TTL = 2, TTL = 3, ... to find how many hops away the injected RST/PSH/ACK originates.

 6  31.55.164.187
 7  31.55.164.107
 8  109.159.248.69
 9  109.159.248.10
10  62.172.103.187

 6  31.55.164.187
 7  31.55.164.107
 8  109.159.248.104
 9  109.159.248.142
10  194.71.107.15

Great Firewall of Cameron

 4  98.0.3.14
 5  98.0.3.3
 6  107.14.19.106
 7  107.14.17.194
 8  64.86.79.97
 9  64.86.79.2

 4  98.0.3.14
 5  98.0.3.3
 6  66.109.6.72
 7  107.14.17.192
 8  64.86.79.97
 9  64.86.79.2

RoadRunner

What?

HTTP/1.1 200 OK
Date: Thu, 22 May 2014 14:29:09 GMT
Server: PerfTech
Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT
Accept-Ranges: bytes
Content-Length: 2387
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: -1
Pragma: no-cache
Content-Type: application/x-javascript

HTTP/1.0 404 Not Found
Date: Fri, 23 May 2014 14:00:05 GMT
Server: PerfTech
Content-Length: 25
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: -1
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1

Hints in Scripts

// Copyright 2005-2011 PerfTech, Inc., All Rights Reserved.

extWebServer = "http://64.71.255.194";
intWebServer = "http://172.19.11.72";

displayUrl = "http://www.perftech.com/console/original.html";

Attribution: cat NULL planet - @skalnik

Why So Bothered?

Why Metadata Matters

• They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.

• They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.

• They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.

GET / HTTP/1.1
Host: squarelemon.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _pk_ses.4.9b83=*
Connection: keep-alive
If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT
Cache-Control: max-age=0

What could possibly go wrong?

Photo Attribution: Tom - @tdawks

Demonstration

Which won't work. Not because we tempted the demogods, but because MTCC doesn't networking.

MTCC DEMO

ORIGINAL DEMO

Cynical Trust

Step 1: Working Presumption

Step 2: TANSTAAFL

Step 3: Trust but Verify

Step 4: Plan for Resilience

YOU WILL LOSE DATA

What do you do about it…

Trust?

Thank you!

James Arlen - @myrcurial

Lee Brotherston - @synackpse