leonardo nve egea -...
TRANSCRIPT
![Page 1: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/1.jpg)
Leonardo Nve Egea lnve@s21sec.com

1. because I’m sure that some people will publish more attacks.
2. because of previous presentations about satellite.

Warezzman – (in 2004 at Undercon VIII first Spanish hacker CON)
Jim Geovedi & Raditya Iryandi (HITBSecConf2006)
Adam Laurie (Blackhat 2009 at DC)
Myself at S21Sec Blog (February 2009)

Orbit based satellites: Low Earth orbiting (LEO); Geostationary orbit (GEO); Other: Molniya, High (HEO), etc.
Function based satellites: Communications; Earth observation; Other: Scientifics, ISS, etc.

Satellite LEO: Meteorological; HAM (Amateur Radio Operator).
Satellite GEO: UFO (UHF Follow ON) Military; Inmarsat; Meteorological (Meteosat); SCPC / Telephony link FDMA.

Standard of European Telecommunications Standards Institute (ETSI).
Defines audio and video transmission, and data connections.
DVB-S and DVB-S2 are the specifications for satellite communications.

Transponder: like channels (in satellite comms); Frequency (C band or Ku), e.g. 12.092 GHz; Polarization (horizontal/vertical); Symbol Rate, e.g. 27500Kbps; FEC.
Every satellite has many transponders onboard, which operate on different frequencies.

Packet layout (Header, then Body): 0x47 | Flags | PID | Flags | Adaptation Field | Data
Program ID (PID): it permits different programs on the same transponder, each with different components [example, BBC1 PIDs: 600 (video), 601 (English audio), 603 (subtitles), 4167 (teletext)].
Special PIDs: NIT (Network Information Table), SDT (Service Description Table), PMT (Program Map Tables), PAT (Program Association Table).
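
The header layout above, parsed in Python as an added example (not code from the original slides): it tallies packets per PID, reads the two transport-scrambling bits and counts continuity-counter gaps, which is how an operator can check whether a data PID on their own multiplex goes out in the clear. The PAT/NIT/SDT PID values are the standard well-known ones; PID 1234 and the sample stream are constructed for the example.

```python
from collections import namedtuple

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
# Well-known PIDs for the tables the slide lists (PMT PIDs are announced by the PAT).
WELL_KNOWN_PIDS = {0x0000: "PAT", 0x0010: "NIT", 0x0011: "SDT", 0x1FFF: "null"}

TsHeader = namedtuple(
    "TsHeader",
    "pid pusi scrambling has_adaptation has_payload continuity payload_offset",
)


def parse_ts_header(pkt):
    """Decode the 4-byte header: 0x47 | flags | 13-bit PID | flags."""
    if len(pkt) != TS_PACKET_SIZE or pkt[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte packet starting with 0x47")
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    pusi = bool(pkt[1] & 0x40)            # payload unit start indicator
    scrambling = (pkt[3] >> 6) & 0x03     # 0 means the payload is in the clear
    afc = (pkt[3] >> 4) & 0x03            # adaptation field control
    continuity = pkt[3] & 0x0F
    offset = 4
    if afc & 0x02:                        # adaptation field present
        offset += 1 + pkt[4]              # length byte + field
    if offset > TS_PACKET_SIZE:
        raise ValueError("adaptation field overruns the packet")
    return TsHeader(pid, pusi, scrambling, bool(afc & 0x02),
                    bool(afc & 0x01), continuity, offset)


def summarize(stream):
    """Per-PID packet count, scrambled count and continuity-counter gaps.

    Assumes the byte string is already aligned on a packet boundary.
    """
    stats = {}
    for start in range(0, len(stream) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE):
        hdr = parse_ts_header(stream[start:start + TS_PACKET_SIZE])
        entry = stats.setdefault(hdr.pid, {
            "name": WELL_KNOWN_PIDS.get(hdr.pid, ""),
            "packets": 0, "scrambled": 0, "cc_errors": 0, "last_cc": None,
        })
        entry["packets"] += 1
        if hdr.scrambling:
            entry["scrambled"] += 1
        # The counter only advances on packets that carry payload.
        if hdr.has_payload and hdr.pid != 0x1FFF:
            last = entry["last_cc"]
            if last is not None and hdr.continuity != (last + 1) & 0x0F:
                entry["cc_errors"] += 1
            entry["last_cc"] = hdr.continuity
    return stats


def clear_pids(stats):
    """PIDs on which no packet had the scrambling bits set."""
    return sorted(pid for pid, e in stats.items() if e["scrambled"] == 0)


def make_packet(pid, continuity, scrambling=0, payload=b""):
    """Build one constructed payload-only packet for the sample stream."""
    header = bytes([SYNC_BYTE, (pid >> 8) & 0x1F, pid & 0xFF,
                    (scrambling << 6) | 0x10 | (continuity & 0x0F)])
    return header + payload.ljust(TS_PACKET_SIZE - 4, b"\xff")


# Constructed sample: a PAT packet, two scrambled packets on PID 600 (the
# slide's BBC1 video PID), and an unscrambled data PID with one lost packet.
SAMPLE_STREAM = (
    make_packet(0x0000, 0)
    + make_packet(600, 0, scrambling=2)
    + make_packet(600, 1, scrambling=2)
    + make_packet(1234, 0)
    + make_packet(1234, 2)
)

if __name__ == "__main__":
    for pid, entry in sorted(summarize(SAMPLE_STREAM).items()):
        print(pid, entry["name"], entry["packets"],
              "scrambled" if entry["scrambled"] else "clear",
              "cc_errors=%d" % entry["cc_errors"])
```

The scrambling bits only describe transport-level scrambling; IP traffic on a clear PID can still be protected end to end (TLS, IPsec), which this check does not see.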

Temporary video links.
Live broadcasts, sports, news.
FTA: video in the clear (unencrypted).

Hispasat Pre news feed (live news)
ATLAS Agency to TV feeds
Captured NATO feeds

Find feeds: lists of channels on the web; blind scan; visual representations of the signal.

Dr HANS http://drhans.jinak.cz/news/index.php
Zackyfiles http://www.zackyfiles.com (in Spanish)
Satplaza http://www.satplaza.com
Two scenarios
Satmodem
Satellite Interactive Terminal (SIT) or Astromodem

[Diagram, shown in successive builds: INTERNET, ISP, CLIENT, DOWNLINK, UPLINK, POTS/GPRS UPLINK, ISP’s UPLINK]
[Diagram: DVB Data - Astromodem. INTERNET, ISP, CLIENT, DOWNLINK & UPLINK, ISP DOWNLINK & UPLINK]

Anyone with coverage can SNIFF the DVB Data, and normally it is unencrypted.

What you need: Skystar 2 DVB card; linuxtv-dvb-apps; Wireshark; the antenna; data to point it.

I bought it for 50€!!! from a PayTV ex-"hacker" :P (Including a set-top box that I will not use)

Linux has the modules for this card by default; we only need the tools to manage it:
linuxtv-dvb-apps
My version is 1.1.1 and I use Fedora (Not too cool to use Debian :P).

Once the antenna and the card are installed and linuxtv-dvb-apps is compiled and installed, the process is:
1- Tune the DVB Card
2- Find a PID with data
3- Create an Ethernet interface associated to that PID
We can repeat steps 2 and 3 as many times as we want.

Tune DVB Card

The tool we must use is szap, and we need the transponder’s parameters in a configuration file.
For example, for "Sirius-4 Nordic Beam":
# echo "sirius4N:12322:v:0:27500:0:0:0" >> channels.conf

We run szap with the channel configuration file and the transponder we want to use (the configuration file can have more than one).
# szap -c channels.conf sirius4N
We must keep it running.

The transponder parameters can be found on the Internet.
http://www.fastsatfinder.com/transponders.html

Find a PID
# dvbsnoop -s pidscan
Search for data sections in the results.

Create an interface associated to a PID
# dvbnet -a <adapter number> -p <PID>
Activate it:
# ifconfig dvb0_<iface number> up

Back to the pidscan results

Create another interface

Wireshark is our friend
16358 packets in 10 seconds

We can have more than one PID assigned to an interface; this will be very useful.
Malicious users can: catch passwords; catch cookies and get into authenticated HTTP sessions; read emails; catch sensitive files; do traffic analysis; etc.

Reminder: in satellite communications we have two scenarios:
A- Satmodem: only downlink via satellite.
B- Astromodem: both uplink and downlink via satellite.

In the Satmodem scenario we can only sniff the downloaded data. We can only sniff one direction of a connection.

In an Astromodem scenario, depending on the infrastructure configuration, we can find a PID used to send the uploaded packets to the main ISP to be routed to the Internet, so we can sniff all the traffic, both uploaded and downloaded data.
(¿¿??)

[Diagram repeated: DVB Data - Astromodem]

For this chapter, we will suppose all the time that we are in a Satmodem scenario, so we can't sniff the client's uploaded data with the Satlink.

DNS Spoofing
TCP hijacking
Attacking GRE

DNS Spoofing is the art of making a DNS entry to point to another IP than it would be supposed to point to. (SecureSphere)

Data we need to perform this attack: DNS Request ID; Source Port; Source IP; Destination IP; Name/IP asking for.

It's trivial to see that if we sniff a DNS request we have all that information and we can spoof the answer.
Many tools around do this job; the only thing we also need is to be faster than the real DNS server (jizz).

Why is this attack important?
Think of phishing.
With this attack, uplink sniffing can be possible:
▪ Rogue WPAD service
▪ Sslstrip can be used to avoid SSL connections.
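
Because the spoofed answer only has to arrive first, the genuine answer still reaches the client afterwards, and that pair is what a monitor on the client side can look for. The following detector is an added example, not part of the original slides: it parses raw DNS responses and flags two responses that match on server IP, client IP, client port, request ID and name but carry different answers. The addresses are documentation ranges and the four sample packets are constructed.

```python
import socket
import struct


def read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers."""
    labels, jumps, resume = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte compression pointer
            if resume is None:
                resume = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace").lower())
        off += length
    return ".".join(labels), (off if resume is None else resume)


def parse_dns(msg):
    """Return (request ID, is_response, question name, set of answers)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, qname = 12, ""
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4                                  # skip QTYPE and QCLASS
    answers = set()
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record
            answers.add(socket.inet_ntoa(rdata))
        else:
            answers.add(f"type{rtype}:{rdata.hex()}")
    return txid, bool(flags & 0x8000), qname, frozenset(answers)


def find_conflicting_responses(packets, window=2.0):
    """Flag a second response for the same query whose answers differ.

    `packets` holds (timestamp, src_ip, dst_ip, src_port, dst_port, payload)
    tuples for UDP datagrams seen on the client side of the link.
    """
    seen, alerts = {}, []
    for ts, src, dst, sport, dport, payload in packets:
        if sport != 53:
            continue
        try:
            txid, is_response, qname, answers = parse_dns(payload)
        except (struct.error, IndexError, ValueError):
            continue                              # truncated or malformed
        if not is_response:
            continue
        key = (src, dst, dport, txid, qname)
        first = seen.get(key)
        if first is None or ts - first[0] > window:
            seen[key] = (ts, answers)
        elif answers != first[1]:
            alerts.append({"ts": ts, "client": f"{dst}:{dport}", "txid": txid,
                           "qname": qname, "first": sorted(first[1]),
                           "later": sorted(answers)})
    return alerts


def constructed_response(txid, name, ip):
    """Build a one-answer response, used only to create the sample data."""
    question = b"".join(bytes([len(label)]) + label.encode()
                        for label in name.split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer


RESOLVER, CLIENT = "192.0.2.53", "198.51.100.10"
# Constructed sample: two conflicting answers for one query, then a harmless
# duplicate (same answer twice) for another query.
SAMPLE = [
    (0.000, RESOLVER, CLIENT, 53, 40001,
     constructed_response(0x1A2B, "www.example.com", "203.0.113.66")),
    (0.480, RESOLVER, CLIENT, 53, 40001,
     constructed_response(0x1A2B, "www.example.com", "192.0.2.80")),
    (1.000, RESOLVER, CLIENT, 53, 40002,
     constructed_response(0x1A2C, "mail.example.com", "192.0.2.25")),
    (1.010, RESOLVER, CLIENT, 53, 40002,
     constructed_response(0x1A2C, "mail.example.com", "192.0.2.25")),
]

if __name__ == "__main__":
    for alert in find_conflicting_responses(SAMPLE):
        print(alert)
```

The detector cannot say which of the two answers is genuine, only that the client received both. DNSSEC validation, or a resolver reached over an authenticated channel, removes the dependence on arrival order.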
TCP session hijacking is when a hacker takes over a TCP session between two machines. (ISS)

If we sniff 1, we can predict the Seq and Ack of 2, and we can send the payload we want in 2.
(1) Seq=S1 ACK=A1 Datalen=L1
(2) Seq=A1 ACK=S1+L1 Datalen=L2
(3) Seq=S1+L1 ACK=A1+L2 Datalen=L3

Initially we can only have a false connection with A.
In certain circumstances, we can make this attack with B, when L2 is predictable.
Some tools for doing this: Hunt, Shijack, Scapy.
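
An injected packet 2 does not stop the real one: the receiver ends up with two segments that start at Seq=A1 and carry different bytes. The following check for that signature is an added example, not part of the original slides; it records the first byte seen at each sequence position of a flow and flags any later segment that disagrees. S1, A1 and L1 follow the slide's notation, and all addresses, ports and payloads are constructed.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def find_conflicting_segments(segments):
    """Flag segments whose bytes differ from data already seen at that Seq.

    `segments` holds (timestamp, src_ip, src_port, dst_ip, dst_port, seq,
    payload) tuples. An identical retransmission is not flagged; an overlap
    with different content is.
    """
    streams = {}   # flow -> (first seq seen, {relative offset: byte})
    alerts = []
    for ts, src, sport, dst, dport, seq, payload in segments:
        if not payload:
            continue
        flow = (src, sport, dst, dport)
        base, seen = streams.setdefault(flow, (seq, {}))
        rel = (seq - base) % MOD
        conflict = None
        for i, byte in enumerate(payload):
            # setdefault keeps the byte that arrived first at this position
            old = seen.setdefault((rel + i) % MOD, byte)
            if old != byte and conflict is None:
                conflict = (seq + i) % MOD
        if conflict is not None:
            alerts.append({"ts": ts, "flow": flow, "seq": seq,
                           "first_conflicting_seq": conflict})
    return alerts


# Constructed sample using the slide's symbols.
A = ("198.51.100.10", 40001)
B = ("192.0.2.80", 80)
S1, A1 = 1000, 5000
REQUEST = b"GET / HTTP/1.1\r\n\r\n"
L1 = len(REQUEST)
NEXT_REQUEST = b"GET /next HTTP/1.1\r\n\r\n"

SAMPLE_SEGMENTS = [
    # (1) Seq=S1, Datalen=L1
    (0.00, A[0], A[1], B[0], B[1], S1, REQUEST),
    # (2) Seq=A1, content that arrives first
    (0.10, B[0], B[1], A[0], A[1], A1, b"HTTP/1.1 302 Found\r\n"),
    # (2) again, same Seq=A1 but different content
    (0.55, B[0], B[1], A[0], A[1], A1, b"HTTP/1.1 200 OK\r\n"),
    # (3) Seq=S1+L1, followed by an identical retransmission
    (0.80, A[0], A[1], B[0], B[1], S1 + L1, NEXT_REQUEST),
    (1.20, A[0], A[1], B[0], B[1], S1 + L1, NEXT_REQUEST),
]

if __name__ == "__main__":
    for alert in find_conflicting_segments(SAMPLE_SEGMENTS):
        print(alert)
```

A production sensor would bound the per-flow state and expire closed connections; the check also says nothing about which copy is forged, so the robust fix remains an authenticated transport such as TLS or IPsec.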
Generic Routing Encapsulation
Point to point tunneling protocol
13% of Satellite’s data traffic in our transponder is GRE

This chapter is based on Phenoelit’s discussion paper written by FX, applied to the satellite scenario.
Original paper: http://www.phenoelit-us.org/irpas/gre.html

[Diagram: INTERNET; Remote Office (three); HQ]

Find a target:
# tshark -ni dvb0_0 -R gre -w capture.cap

GRE Packet:
IP dest 1, IP source 1
GRE header
Payload IP dest, Payload IP source
Payload IP Header
Payload Data

IP dest 1 and source 1 must be Internet reachable IPs.
The payload's IPs are usually internal.

INTERNET 1.1.1.2 1.1.1.1
10.0.0.54 10.0.0.5
![Page 74: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/74.jpg)
INTERNET 1.1.1.2 1.1.1.1
10.0.0.54 10.0.0.5
(*)
![Page 75: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/75.jpg)
(*) GRE Packet 1.1.1.1 1.1.1.2
GRE header (32 bits without flags)
10.0.0.5 10.0.0.54
Payload IP Header
Payload Data
![Page 76: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/76.jpg)
1.1.1.2 1.1.1.1
10.0.0.54 10.0.0.5
(1)
![Page 77: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/77.jpg)
(1) GRE Packet 1.1.1.1 1.1.1.2
GRE header (32 bits without flags)
10.0.0.5 10.0.0.54
Payload IP Header
Payload Data
![Page 78: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/78.jpg)
1.1.1.2 1.1.1.1
10.0.0.54 10.0.0.5
(1)
(2)
![Page 79: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/79.jpg)
(2) IP Packet 10.0.0.5 10.0.0.54
IP header
Data
![Page 80: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/80.jpg)
1.1.1.2 1.1.1.1
10.0.0.54 10.0.0.5
(1)
(2,3)
![Page 81: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/81.jpg)
(3) IP Packet 10.0.0.54 10.0.0.5
IP header 2
Data 2
![Page 82: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/82.jpg)
[Diagram: tunnel endpoints 1.1.1.2 and 1.1.1.1, internal addresses 10.0.0.54 and 10.0.0.5, packets (1), (4) and (2,3)]
![Page 83: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/83.jpg)
(4) GRE Packet: 1.1.1.2 → 1.1.1.1
GRE header (32 bits without flags)
Payload IP Header 2: 10.0.0.54 → 10.0.0.5
Payload Data 2
![Page 84: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/84.jpg)
In Phenoelit’s attack, the payload’s source IP is our public IP. That attack falls short when that IP isn’t reachable from the internal LAN, and you can be logged.
I use an internal IP because we can sniff the responses.
To improve the attack further, find an unused internal IP.
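Added example (not from the original slides): a Python parser for the GRE packet layout shown in packets (1) to (4), with checks a defender can run on traffic arriving at a tunnel endpoint. The function names, the `audit` policy and the peer and remote-LAN parameters are assumptions made for illustration; the sample bytes are constructed.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
# Constructed sample of packet (1); checksums are zeroed and not verified.
SAMPLE = bytes.fromhex(
    "4500003000000000402f00000101010101010102"   # outer IPv4: 1.1.1.1 -> 1.1.1.2
    "00000800"                                   # GRE: no flags, proto IPv4
    "4500001800000000400100000a0000050a000036"   # payload IPv4: 10.0.0.5 -> 10.0.0.54
    "64617461")                                  # payload data

def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    src, dst = (ipaddress.IPv4Address(buf[i:i + 4]) for i in (12, 16))
    return src, dst, buf[9], buf[ihl:]

def parse_gre(buf):
    """Return (flags, protocol type, payload); handles the C, K and S bits."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    word, proto = struct.unpack("!HH", buf[:4])
    flags = {"checksum": bool(word & 0x8000), "key": bool(word & 0x2000),
             "sequence": bool(word & 0x1000)}
    offset = 4 + 4 * sum(flags.values())   # each optional field adds 4 bytes
    if len(buf) < offset:
        raise ValueError("truncated GRE optional fields")
    return flags, proto, buf[offset:]

def audit(packet, tunnel_peer, remote_lan):
    """Findings for a packet arriving at a tunnel endpoint (hypothetical policy)."""
    o_src, _, proto, rest = parse_ipv4(packet)
    if proto != GRE_PROTO:
        return ["not GRE"]
    flags, gre_proto, inner = parse_gre(rest)
    findings = []
    if o_src != ipaddress.IPv4Address(tunnel_peer):
        findings.append("outer source is not the configured peer")
    if not (flags["key"] or flags["sequence"]):
        findings.append("GRE header carries no key or sequence number")
    if gre_proto == ETHERTYPE_IPV4:
        i_src = parse_ipv4(inner)[0]
        if i_src not in ipaddress.ip_network(remote_lan):
            findings.append(f"inner source {i_src} outside remote LAN")
    return findings
```

On the constructed sample, whose payload source is an internal address, only the missing key/sequence finding comes back. Address checks cannot tell such a packet from legitimate tunnel traffic, which is why GRE over an untrusted link needs an authenticated wrapper such as IPsec.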
![Page 85: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/85.jpg)
How To Scan NSA And Not Be Traced
![Page 86: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/86.jpg)
We can send a SYN packet with any destination IP and TCP port (spoofing a satellite’s routable source IP), and we can sniff the responses.
We can analyze the responses.
![Page 87: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/87.jpg)
OR… we can configure our Linux box as a satellite-connected host.
VERY EASY!!!
![Page 88: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/88.jpg)
What we need: an Internet connection (let’s use it as the uplink) over any technology that lets you spoof.
A receiver, a card…
![Page 89: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/89.jpg)
Let’s rock! Find an unused satellite IP: I ping IPs next to another sniffable satellite IP to find a non-responding IP. We must sniff our ping with the DVB card (you must save the packets).
This will be our IP!
![Page 90: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/90.jpg)
Configure Linux to use it.
We need our router’s MAC.
![Page 91: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/91.jpg)
Configure our DVB interface to receive this IP (I suppose that you have configured the PID…).
The IP is the one we selected, and from the ICMP scan we must get the sniffed destination MAC.
![Page 92: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/92.jpg)
Here we get the MAC address we must configure in our DVB interface
![Page 93: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/93.jpg)
I use netmask /32 to avoid routing problems
![Page 94: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/94.jpg)
Now we can configure our Internet interface with the same IP and configure a default route via a fake router, giving it a static MAC (our real router’s MAC).
![Page 95: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/95.jpg)
![Page 96: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/96.jpg)
IT WORKS!
![Page 97: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/97.jpg)
That is all!!!
Some things you must remember:
The DNS server must allow requests from any IP, or you must use the satellite ISP’s DNS server.
![Page 98: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/98.jpg)
If you have a firewall (iptables), disable it.
Everything you do can be sniffed by other users.
![Page 99: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/99.jpg)
Now attacking GRE is very easy: you only need to configure your Linux box with the IP of one of the routers (the one with the satellite connection) and configure the tunneling.
http://www.google.es/search?rlz=1C1GPEA_en___ES312&sourceid=chrome&ie=UTF‐8&q=configuring+GRE+linux
![Page 100: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/100.jpg)
What happens in the scenario where the client uses an astromodem?
We can capture the downlink and the uplink, so all these attacks are easier to do.
We can capture all queries for the DNS spoofing attack.
We can capture all traffic in a TCP connection, so we can easily hijack it in any direction.
![Page 101: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/101.jpg)
I’m studying the different methods to trace illegal users. (I only have a few ideas).
In the future I would like to study the possibilities of sending DVB (or other protocol) data to a satellite via Astromodem.
![Page 102: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/102.jpg)
Satellite communications are insecure.
They can be sniffed.
Many attacks are possible; I have talked about only a few level 4 and level 3 attacks.
![Page 103: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/103.jpg)
With this technology in our sky, an anonymous connection is possible.
Many kinds of Denial of Service are possible.
![Page 105: Leonardo Nve Egea - data.proidea.org.pldata.proidea.org.pl/.../prezentacje/CONFidence2009_leonardo.pdf · Leonardo Nve Egea lnve@s21sec.com ... Myself at S21Sec Blog (February 2009)](https://reader031.vdocuments.mx/reader031/viewer/2022022004/5aa6d7e17f8b9ab4788ef794/html5/thumbnails/105.jpg)