Transcript Document
Tactics to Discover “Passive” Monitoring Devices [email protected] The Problem at Hand Local ether segments behave like party-line phone systems Without encryption there are no secrets A C B E D G F A-B : CDEFGH can listen in A-H : BCDEFG can listen in Etc. etc. H How Systems Know What to Listen To Ether header payload … Ether header Read a packet from the network Network Interface Card decision flow Is the dest ether header my MAC address? yes Make a copy of the packet and hand it to the OS stack no payload Systems are courteous largely for performance. Hardware filtering at the NIC hands up only the packets the system is supposed to receive. Promiscuous mode tells the NIC that all packets should be handed to the OS stack. Not just the ones with the matching MAC destination address. Ether and IP Headers 6 bytes Ether IP 6 bytes Destination Address 4 4 vers len Source Address 8 16 TOS Total length (bytes) 16 identification 8 TTL 3 13 flags fragment offset 8 16 protocol checksum 32 Source IP Address 32 Destination IP Address 2 bytes type Application Transport Network Link Telnet, SMTP, etc TCP, UDP IP, ICMP Device Driver, Interface card 4 layers of TCP/IP protocol suite The Disconnect Application Presentation Session Transport Network Data Physical DNS Method Definition •The Domain Naming System maps IP addresses to names and vice-versa. •DNS allows hierarchical grouping of domain •DNS is a necessity for human convenience % telnet foo.bar.baz Trying 10.10.12.132 … Connected to foo.bar.baz. Q: Who is foo.bar.baz? A: foo.bar.baz is 10.10.12.132 (follow up by initiating TCP connection to port 23) DNS Method 1 Sniffing the Sniffer •Spoofed packets are sent out on the local network •The network is sniffed looking for reverse DNS lookups on spoofed packet •Any systems asking about the fictitious systems is in promiscuous mode Who is 10.0.0.5? 192.168.1.10 10.0.0.5 Bogus System 1 Sniffer Src 10.0.0.5 -> Dst 10.0.0.6 10.0.0.6 Bogus System 2 DNS Method 2 Queries to DNS Server •The DNS server is under our control •Spoofed packets with addresses handled by the DNS server are sent out on the local network •Any requests that the DNS server receives for the spoofed machines are from machines in promiscuous mode Net 10 DNS Server router 192.168.1.10 Sniffer Whois 10.0.0.5? 10.0.0.5 Bogus System 1 Src 10.0.0.5 -> Dst 10.0.0.6 Net 192.168.1 10.0.0.6 Bogus System 2 DNS Method Pros and Cons Pros •Can work across multiple networks •Names of machines are very telling and as such, many malicious sniffers will do the reverse lookups •Does not saturate the local network •High reliability – minimal false positives Cons •Sniffing systems do not have to perform reverse lookups •Sniffing systems can do batch reverse lookups later on – this defeats method 1 but not method 2 Ether Tricks Definition Ether tricks work by intentionally mismapping layer 2 and layer 3 addresses 192.168.1.10 08:00:20:10:22:e0 != 192.168.1.10 66:66:66:66:66:66 Ether Tricks 1 Linux Classic When in promiscuous mode the NIC does not filter the ether address. The kernel must filter the ether address on its own. Normal behavior for non-promiscuous mode ICMP – Echo Request Correct ether address Correct IP address ICMP – Echo Reply Ether Tricks 1 linux (cont) Normal behavior for non-promiscuous mode ICMP – Echo Request In-correct ether address Correct IP address No response as NIC did not pass the packet to the stack Ether Tricks 1 linux (cont) Older linux behavior for promiscuous mode ICMP – Echo Request In-correct ether address Correct IP address ICMP – Echo Reply NIC had to pass all traffic to OS. OS forgot to check the MAC address and only looked at IP Ether Tricks 2 BSD Style Problems Older BSD behavior for promiscuous mode ICMP – Echo Request In-correct ether address Broadcast IP address ICMP – Echo Reply NIC had to pass all traffic to OS. OS forgot to check the MAC address and only looked at IP (took a different path for broadcast) Ether Tricks 3 Microsoft Shortcut 6 bytes Ether Address What the NIC filters on 4 bytes Word What many MS software drivers check when in promisc ff:ff:ff:ff:00:00|IP|ICMP echo request Equivalent to be ff:ff:ff:ff:ff:ff on many promisc NT systems Ether Tricks Pros and Cons Pros •High reliability, low false positives Cons •Limited to local ether segment •Dependent upon particular OS/Kernel “nuances” Machine Latency defined Hardware filtering •Discards packets not addressed to correct MAC address •Handled by on-card logic •Minimal impact on system performance as few interrupts •Kernel not called in to process unless really needed •Match criteria == MAC, broadcast, multicast Software filtering •All packets must be copied and handed over to OS •On-card logic bypassed •Severe impact on system performance due to maximum interrupts •Kernel must process packets •Malicious sniffing often happens in user space – context shift from Kernel to User space is expensive Machine Latency example A C B A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14 Machine Latency example 1 A C 2 1 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:23:e4 IP Source: 192.168.1.10 IP Dest: 192.168.1.14 Latency == 2 ms B 2 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:22:16 IP Source: 192.168.1.10 IP Dest: 192.168.1.12 Latency == 3 ms A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14 Machine Latency example 1 A C 2 2 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:22:16 IP Source: 192.168.1.10 IP Dest: 192.168.1.12 3 B 1 – ICMP Echo Request Ether Src: 08:00:20:ac:1e:e2 Ether Dst: 08:00:20:ac:23:e4 IP Source: 192.168.1.10 IP Dest: 192.168.1.14 Latency == 4 ms 3 – ICMP Echo Request Ether Src: 66:66:66:66:66:67 Ether Dst: 66:66:66:66:66:66 IP Source: 192.168.1.30 IP Dest: 192.168.1.33 Latency == 300 ms A – ether: 08:00:20:ac:1e:e2 IP: 192.168.1.10 B – ether: 08:00:20:ac:22:16 IP: 192.168.1.12 C – ether: 08:00:20:ac:23:e4 IP: 192.168.1.14 Machine Latency Methods for increasing end-node processing •Fake entire three way handshake •Fake connections to well known sniffed ports •Use “legitimate” ether addresses that still have no physical presence •Fake huge numbers of sessions •Fake huge numbers of SYN recv’d states The trick is to make the sniffing application process as much as possible in user space Machine Latency Pros and Cons Pros •Cross platform •Often times crashes sniffing programs •Confined to local segment •High accuracy in watching deltas for a particular machine over time Cons •Limited to local ether segment •Assumptions must be made about systems response under load •Network and regular machine load assumptions must be made •Network congestion Spotting the curious •Create fictitious connections to a real machine •Use a ‘trap’ account •Watch and log on the legitimate machine for anyone attempting to log on with the ‘trap’ account