from kernel space to user heaven #ndh2k13

FROM KERNEL SPACE

TO USER HEAVEN

JAIME SÁNCHEZ

@SEGOFENSIVA

NUIT DU HACK 2013

$ WHO I AM

§ Security researcher specialized in network protocols and technologies, with over ten years of experience in posi:ons of consul:ng, risk management, secure networks or ethical hacking

§I work in the Security Opera:ons Center (SOC) of a mul:na:onal telecommunica:ons company

§ I’m sexy and I know it

§ You can find my blog and adventures www.seguridadofensiva.com

§ Contact@segofensiva

2

FROM KERNEL SPACE TO USER HEAVEN

NUIT DU HACK 2013

http://www.seguridadofensiva.com/

http://www.seguridadofensiva.com/

FROM KERNEL SPACE TO USER HEAVENFROM KERNEL SPACE TO USER HEAVEN

3

- Cyberwar is upon us. APT is very common nowadays and we need to think about new tricks to be one step ahead to keep the system secure.

- With this technique you can provide that step in order to defend your servers against the first phase in all APT operations: FINGERPRINTING.

NUIT DU HACK 2013

§ Cyber Warfare and Hack/vism§ Several companies a8acked, like Facebook, Apple, Twi7er, New York Times§ APT1, Stuxnet, OperaDon Hangover, etc.

4


NUIT DU HACK 2013


5

The most important phases are RECONNAISSANCE and SCANNING.

The less information the attacker has the better for our security.

If we can fool all network tools he’ll be using, we’ll be able to prevent some attacks attempts

NUIT DU HACK 2013

A BRIEF OVERVIEW


6 NUIT DU HACK 2013

Devices

Devices

Devices

Kernel

Ring 0

Ring 1

Ring 2

Ring 3

LessPrivileged

MorePrivileged

§ Computer opera/ng systems provide different levels of access to resources.

§ This is generally hardware-‐enforced by some CPU architectures hat provide different CPU modes at the hardware or microcode level.

§ Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).

§ On most opera/ng systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

ARCHITECTURE

How i met your packetFrom kernel Space to user Heaven

7


NUIT DU HACK 2013

KERNEL vs USER SPACE

KERNEL SPACE USER SPACEKERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user mode applica/ons work and this memory can be swapped out when necessary.Similarly, the term USER LAND refers to all applica/on soNware that runs in user space. Userland usually refers to the various programs and libraries that the opera/ng system uses to interact with the kernel: soNware that performs input/output, manipulates file system, objects, etc.


8


NUIT DU HACK 2013

WTF !?


9


NUIT DU HACK 2013

10

How Imet your

packets

NIC Memory

DMA EngineInterrupt

Incoming Packet

RingBuffer

InterruptHandler

NIC

MemoryKernel

Packet Data

IP Layer

TCP Process

TCP recv Buffer

APPLICATION

DEVICE DRIVER

KERNEL SPACE

USER SPACE

Poll List

so_irq

tcp_v4_rcv()

Pointer toDevice

SocketBacklog

ip_rcv()

read()

locally des:ned packets must pass the INPUT chains to reach listening sockets

INPUT

FORWARD

PREROUTING

MANGLECONNTRACK FILTER

forwarded and accepted packets

Inbound Packets

forwarded packets

localpackets


11


NUIT DU HACK 2013

TARGET EXTENSIONS


A target extension consists of a KERNEL MODULE, and an op/onal extension to iptables to provide new command line op/ons.

There are several extensions in the default NeTilter distribu/on:

12


NUIT DU HACK 2013

QUEUE§ QUEUE is an iptables and ip6tables target which which queues the packet for userspace processing.

§ For this to be useful, two further components are required:• a QUEUE HANDLER which deals with the actual mechanics of passing packets between

the kernel and userspace; and• a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on

packets.

§ The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped un/l the length of the queue falls below the limit again.


13


13

$ iptables -A INPUT -j NFQUEUE --queue-num 0

NUIT DU HACK 2013


SHOW ME SOME EXAMPLES!

14

How i met your packetFrom kernel Space to user HeavenFROM KERNEL SPACE TO USER HEAVEN

NUIT DU HACK 2013

FAKE SSH SOURCE

ATTACKER

$ _

-‐ We will hide our source IP and will modify it with any other value we want in our compromised SSH server

-‐ Useful to avoid filters and not modifying files like /etc/hosts.deny


INNOCENT

15


SSH SERVER

NUIT DU HACK 2013

TRACEROUTE FAKING

UDP TTL=1ICMP TIME EXCEEDED

ICMP TIME EXCEEDEDUDP TTL=2

ICMP TIME EXCEEDEDUDP TTL=3

ICMP PORTUNREACHABLEUDP TTL=4

Router Hop

Router Hop Router Hop

Router Hop Router Hop Router Hop

Router Hop Router Hop Router Hop DESTINATIONSOURCE

SOURCE

SOURCE

SOURCE

If the internet packet has a TTL of 0 aNer decrement, that packet must not be passed on and a Internet Control Messaging Protocol (ICMP) Time Exceeded in transit is returned to the packets origin.


16


NUIT DU HACK 2013

REMOTE OSFINGERPRINTING


17


NUIT DU HACK 2013

CLASSIC TECHNIQUES


18


NUIT DU HACK 2013

§ Or we could just use Shodan, a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.


19


NUIT DU HACK 2013

NMAP

-‐ Device Type -‐ Network Distance -‐ Running -‐ TCP Sequence PredicDon -‐ OS Details -‐ IP ID Sequence GeneraDon -‐ UpDme Guess

Device Type: general purposeRunning: MicrosoN Windows 7|Vista|2000OS CPE: cpe:/o:microsoN_7::professionalOS details: MicrosoN Windows 7 Professional, MicrosoN Windows Vista SP0 or SP1UpDme guess: 2.196 days (since Mon Feb 4 12:14:01 2013)Network Distance: 1 hopTCP Sequence PredicDon: Difficulty=262 (Good Luck!)IP ID Sequence GeneraDon: IncrementalService Info: OS: Windows; CPE: cpe:/o:microsoN:windows


20


NUIT DU HACK 2013

How i met your packet

-‐ I looked for jailbroken iPhones with a custom Perl script: -‐ Scan network ranges -‐ For each host, scan 62078 port. -‐ If open 62078 port, then try with SSH -‐ If open SSH port, try to log in with credentials: root/alpine

From kernel Space to user Heaven

21


NUIT DU HACK 2013

NMAP METHODS


22


NUIT DU HACK 2013

SEQUENCE GENERATION (SEQ, OPS, WIN & T1)

ICMP ECHO (IE)

TCP EXPLICIT CONGESTION NOTIFICATION (ECN)

TCP T2-‐T7

UDP

-‐ Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports:

Although there are others:§ TCP ISN counter rate (ISR)§ ICMP IP ID sequence genera:on alg (II)§ Shared IP ID sequence Boolean (SS)§ Don’t Fragment ICMP (DFI)§ Explicit conges:on no:fica:on (C)§ TCP miscellaneous quirks (Q)§ TCP sequence number (S)§ etc.

NMAP INTERNAL PROBES

Most important:§ TCP ISN greatest common divisor (GDC)§ TCP IP ID sequence genera:on alg (TI)§ TCP :mestamp op:on alg (TS)§ TCP Op:ons (O, O1-‐O6)§ TCP ini:al Window Size (W, W1-‐W6)§ Responsiveness (R)§ IP don’t fragment bit (DF)§ IP ini:al :me-‐to-‐live guess (TG)

Fingerprint Linux 2.6.17 - 2.6.24Class Linux | Linux | 2.6.X | general purposeSEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(DFI=N%T=3B-45%TG=40%CD=S)


23


NUIT DU HACK 2013

OTHER TOOLS


24


A patch for Linux kernels of version 2.4., that

modifies characteris:cs of network traffic

IP PERSONALITY

Simple TCP packets iden:fica:on solu:on as

a Kenel2.2-‐2.4 core module patch, allowing ignore some kind of packets.

STEALTH PATCH

A kernel module available for Linux kernel of

version 2.2. that also tries to hide the original OS and act as a different

one.

FINGERPRINT FUCKER

TCP and UDP packets filtering op:ons, allowing to respec:vely block RST and ICMP answers on

closed ports

BLACKHOLE

Honeyd isable to simulate Xprobe2 and Nmap (previous

version) signatures for itsvirtual hosts.

HONEYD

Windows so_ware that modifies keys in the

register, tochange some TCP/IP

parameters.

OSFUSCATE

NUIT DU HACK 2013


25


NUIT DU HACK 2013

!! LET’S CAMOUFLAGE !!


26


BITCH PLEASE ...NUIT DU HACK 2013

PASSIVE OS FINGERPRINTING


27


-‐ p0f is a tool that u:lizes an array of sophis:cated, purely passive, traffic fingerprin:ng mechanisms to iden:fy the players behind any iniDal TCP/IP communicaDon (o_en as lille as a single normal SYN) without interfering in any way.

-‐ There are other tools like Elercap, NetworkMiner, PRADS, Satori or PacketFence.

-‐ Passive fingerprin:ng is like a packet sniffer. Examines network traffic, making a copy of the data but without redirec:ng or altering it.

-‐ Can be used for several purposes:1. As stealthy fingerprinDng, bypassing the need for using an ac:ve tool that can be detected by various IDS systems.2. To idenDfy remote proxy firewalls. 3. Organiza:ons can use it to idenDfy rogue systems on their network.

NUIT DU HACK 2013

Sniffer

SIGNATURES

8192:32:1:48:M*,N,N,S:.:Windows:98Opera/ng System -‐ Family -‐ Version

Quirks -‐ Data in SYN packets -‐ Op:ons a_er EOL -‐ IP ID Field = 0 -‐ ACK different to 0 -‐ Unusual flags -‐ Incorrect op:ons decode

TCP op/ons and order -‐ N: NOP -‐ E: EOL -‐ Wnnn: WS -‐ Mnnn: MSS -‐ S: SACK -‐ T / T0: Timestamp -‐ ?n

Window Size -‐ * Any value -‐ %nnn nnn Mul:ple -‐ Sxx MSS Mul:ple -‐ Txx MTU Mul:ple -‐ xxx Constant value

Ini/al TTL

DF Bit

Packet Size


28


NUIT DU HACK 2013


29


NUIT DU HACK 2013

!! LET’S CAMOUFLAGE !!

COMMERCIAL ENGINESThis techniques can be used to avoid commercial implementa:ons. We hide our machine, faking the detector engine and recognizing us like another OS, to alack another host and leading administrator to think it may be a false posi:ve.


30


Fingerprint value example:

key=fp_id;value=100000key=rna_fingerprint_type_id;value=9key=rna_fingerprint_descrip:on;value=iPhonekey=rna_fingerprint_vendor_str;value=Applekey=rna_fingerprint_product_str;value=iOSkey=rna_fingerprint_version_str;value=NULLkey=val1;value=340e4d28c315390dkey=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77key=uuid;value=714e6bc6-‐991a-‐445c-‐bddb-‐a8b13c23706b

I had no :me to figure out what each field means in all the commercial appliances I’ve seen so far. I decided to cross the data available with default Nmap and p0f database to get the desired TCP/IP header values.

NUIT DU HACK 2013

( WE’RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS )


31

How i met your packetFrom kernel Space to user HeavenHow i met your packetFrom kernel Space to user HeavenFROM KERNEL SPACE TO USER HEAVEN

| S C R E E N S H O T | S C R E E N S H O T | S C R E E N S H O T | S C R E E N S H O T |

| S C R E E N S H O T | S C R E E N S H O T | S C R E E N S H O T | S C R E E N S H O T |NUIT DU HACK 2013

OS FOOLED! NOW OUT LINUX IS AN IOS DEVICE

SPOOF NON EXISTING HOSTS AND CONSUME RNA

ENGINE

HOST CREATED WITH OURNEW TOOL :)


32

How i met your packetFrom kernel Space to user HeavenHow i met your packetFrom kernel Space to user HeavenFROM KERNEL SPACE TO USER HEAVEN



NUIT DU HACK 2013

Long story short:SYN ACK FIN


33


NUIT DU HACK 2013


34


NUIT DU HACK 2013

SEGURIDADOFENSIVA.COM

@SEGOFENSIVA

from kernel space to user heaven #ndh2k13

Technology