Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Dissembling Ferret

23df83cefd42a57e7784bcc33527fe40?s=47 Clay Wells
May 03, 2017
Technology
0
110

Dissembling Ferret

A firewall penetration testing tool suite

23df83cefd42a57e7784bcc33527fe40?s=128

Clay Wells

May 03, 2017
Tweet

More Decks by Clay Wells

See All by Clay Wells
Malware Analysis Process - One Slider
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
6
Threat Detection Using Time Series Analysis of Darknet Probes and OSSEC Reports
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
1.5k
OSSEC Overview
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
200
HTTP Header Heuristics
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
170
Passive Fingerprinting with p0f
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
69
Version Control Using Git, Part I
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
120

Other Decks in Technology

See All in Technology
The Fractal Geometry of Software Design
B90ab53ba7cf16ed1a4bb679cc6751d7?s=48 vladikk
1
1.3k
How to start with DDD when you have a Monolith
Ac38eb7117f177d961362cfe1387341b?s=48 javujavichi
0
350
ラブグラフ紹介資料 〜プロダクト解体新書〜 / Lovegraph Product Deck
84ece018b6918e3339fe74075ab3dd18?s=48 lovegraph
0
300
Design for Humans: How to make better modernization decisions
4d71670118785e492d724ba8c0ae54ad?s=48 indualagarsamy
2
130
Data in Google I/O - IO Extended GDG Seoul
3bd69093dbe39b14603242b96cfbd7c6?s=48 kennethanceyer
0
160
Target SDK Versionを上げない Notification runtime permission対応
0c5e92294cc0cfba620641c589db9378?s=48 napplecomputer
0
150
JAWS-UG re:Habilitaion 報告 / JAWS-UG OITA rehabilitation
5acaf9241f1c2e50f3bff920050ae597?s=48 hiranofumio
0
130
データ分析基盤のはじめかた
69a81d6d4d66a348e72f7a28b265fdbe?s=48 chanyou0311
0
130
Laravel.shibuyaで改善してきた IRT勉強会の運営方法について / IRT Study Session Improved Through Laravel Shibuya
F2ab92715fdcc539883d13af4b804ec1?s=48 fendo181
0
120
ソフトウェアテスト自動化、一歩前へ
73ffa4b34cfd87eb417ee531b8224d7a?s=48 yoshikiito
6
1k
令和4年資金決済法等改正を踏まえたステーブルコインに関する規制の動向
525442fc70ca92f82ae503f826956137?s=48 finengine
0
120
スタートアップと技術選定と AWS
Bf5ee9059859ed5d855b5ff4680e63e2?s=48 track3jyo
PRO
2
350

Featured

See All Featured
YesSQL, Process and Tooling at Scale
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
157
12k
A Tale of Four Properties
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
149
21k
Support Driven Design
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
86
8.5k
The Invisible Side of Design
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
290
48k
Helping Users Find Their Own Way: Creating Modern Search Experiences
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
7
1.1k
Why Our Code Smells
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
55k
Building Flexible Design Systems
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
310
34k
Designing for humans not robots
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
23k
Designing Experiences People Love
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
130
22k
Large-scale JavaScript Application Architecture
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
499
110k
Building Your Own Lightsaber
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
94
4.6k
jQuery: Nuts, Bolts and Bling
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
6.4k

Transcript

  1. Clay, Justin Dissembling Ferret May 5, 2017 1 / 33

  2. Dissembling Ferret: A Free/Open Source Firewall Testing Suite Clay Wells,

    Justin Klein Keane @ clayball, @madirish2600 https://github.com/clayball/Dissembling Ferret May 5, 2017 Clay, Justin Dissembling Ferret May 5, 2017 2 / 33

  3. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 1 / 33

  4. Introduction Inspiration for this project • Research data exfiltration techniques

    • Research covert TCP/IP channels • Develop a firewall penetration testing tool suite Clay, Justin Dissembling Ferret May 5, 2017 2 / 33

  5. Introduction - View From The C-Suite • Security controls enter

    the environment with a baseline configuration 1. How and if this configuration is ever validated is debatable RFP, while legally binding, won’t help in an incident • After deployment security control, like any system will drift Clay, Justin Dissembling Ferret May 5, 2017 3 / 33

  6. Introduction - View From The C-Suite (cont) • How you

    track drift and spot a failure in a security control is critical 1. Main paths Security audit or penetration test Lucky catch by staff Security incident RCA 2. None of these paths are optimal • Configuration control is essential to validate assumptions of effectiveness of security controls Clay, Justin Dissembling Ferret May 5, 2017 4 / 33

  7. Introduction - Dissembling Ferret • DF will demonstrate failure in

    controls in many circumstances • While it may not be necessary to contact vendors to address the problem 1. It is imperative that teams know their gaps and blind spots to plan effectively Clay, Justin Dissembling Ferret May 5, 2017 5 / 33

  8. Introduction - Continuous Review • DF and other hacker tools

    need to be operationalized in your environment • Only through regular technical testing can you retain confidence in your security posture • Many of these tools are free 1. If it’s on Kali you should be running it! 2. If you can’t staff for this operation consider outsourcing • Responding to drift may make the difference between an emergency config change and a security incident. Clay, Justin Dissembling Ferret May 5, 2017 6 / 33

  9. Introduction - Be Proactive • Keeping up to date with

    the latest tools may be hard 1. Consider making a ”purple team” part of your pen test engagement 2. When the pen testers leave you should be running their tools as part of your remediation plan 3. None of the tools are overly hard and are fun so staffing will likely be easy (junior staff) Clay, Justin Dissembling Ferret May 5, 2017 7 / 33

  10. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 8 / 33

  11. The Initial Problem Data exfiltration methods • DNS - dnn506yrbagrg.cloudfront.net

    • HTTPS - encrypted • HTTP, FTP? - can this be prevented? • Reverse shell, bind shell to TCP port - good luck! Clay, Justin Dissembling Ferret May 5, 2017 9 / 33

  12. Firewalls, Trust Code handling data from untrusted sources is worth

    review. • Firewall Software • Proxy • Host-based Clay, Justin Dissembling Ferret May 5, 2017 10 / 33

  13. Types of Firewalls • Packet-Filtering, Stateless - layer 3, 4

    • Packet-Filtering, Stateful - layer 3, 4 • Next-Generation, Stateful Inspection - layer 3, 4, 7 Clay, Justin Dissembling Ferret May 5, 2017 11 / 33

  14. Attack Landscape Stateless • FIN Scanning, SYN Ambiguity, UDP, Fragmentation

    Stateful • SYN-FIN & SYN-RST, UDP, Directionality, Fragmentation • IP TTL, IP Options, Zero-Length Fragments • Layering Issues, Spoofing External, Spoofing Internal Clay, Justin Dissembling Ferret May 5, 2017 12 / 33

  15. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 13 / 33

  16. TCP/IP Primer - IP Header Clay, Justin Dissembling Ferret May

    5, 2017 14 / 33

  17. TCP/IP Primer - IP Header IP fields we’ll be setting,

    like an envelope • IPID • SRC • DST Clay, Justin Dissembling Ferret May 5, 2017 15 / 33

  18. TCP/IP Primer - TCP Header Clay, Justin Dissembling Ferret May

    5, 2017 16 / 33

  19. TCP/IP Primer - TCP Header TCP fields we’ll be setting

    • Sequence Number • Source Port • Destination Port • TCP FLAGS (C E [U A P R S F]) • Window Clay, Justin Dissembling Ferret May 5, 2017 17 / 33

  20. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 18 / 33

  21. Covert TCP/IP Channels - Methods Used Methods used for data

    exfiltration • Initial Sequence Number • IP ID • ACK Bounce Clay, Justin Dissembling Ferret May 5, 2017 19 / 33

  22. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 20 / 33

  23. Dissembling Ferret Inspired by: Covert Channels in the TCP/IP Protocol

    Suite, 1996 by Craig Rowland. Clay, Justin Dissembling Ferret May 5, 2017 21 / 33

  24. Smuggling Data - Sequence Numbers m u l t i

    p l i e r = 16777216 message=’ Hi ’ for char in message : e x f i l C h a r = ord ( char ) ∗ m u l t i p l i e r print e x f i l C h a r #decode=chr ( e x f i l C h a r / m u l t i p l i e r ) 1207959552 1761607680 Clay, Justin Dissembling Ferret May 5, 2017 22 / 33

  25. Smuggling Data - IP ID m u l t i

    p l i e r = 256 message = ’ Hi ’ for char in message : e x f i l C h a r = ord ( char ) ∗ m u l t i p l i e r print e x f i l C h a r #decode=chr ( e x f i l C h a r / m u l t i p l i e r ) 18432 26880 Clay, Justin Dissembling Ferret May 5, 2017 23 / 33

  26. Smuggling Data - ACK Bounce pkt = IP ( s

    r c=d e s t i n a t i o n , dst=’ 65.199.32.22 ’ ) / TCP( sport=dstport , dport =80, f l a g s=’S ’ ) Clay, Justin Dissembling Ferret May 5, 2017 24 / 33

  27. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 25 / 33

  28. Demo - Dissembling Ferret - Layer 0x3 Youtube link Dissembling

    Ferret- https://youtu.be/smhYFqf3ARU Clay, Justin Dissembling Ferret May 5, 2017 26 / 33

  29. Demo - Fireaway - Layer 0x7 Youtube link Fireaway -

    https://youtu.be/oiDcKMuSOk0 Clay, Justin Dissembling Ferret May 5, 2017 27 / 33

  30. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 28 / 33

  31. Future Work • Building upon Dissembling Ferret • Wily Possum

    - A Firewall Penetration Tool Suite 1. Scan and Analyze 2. Reports 3. Network Mapping (maybe) Clay, Justin Dissembling Ferret May 5, 2017 29 / 33

  32. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 30 / 33

  33. References / Resources Reference • Craig Rowland’s Paper Resources •

    Dissembling Ferret • Fireaway • Wily Possum • Firewalking • Port Scanning without the SYN flag Clay, Justin Dissembling Ferret May 5, 2017 31 / 33

  34. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 32 / 33

  35. Thank you Special thanks to.. Charles Rumford, John O’Brien, and

    the ISC Networking Team Christine Brisson and Warren Petrofsky Questions? @ clayball, @madirish2600 Clay, Justin Dissembling Ferret May 5, 2017 33 / 33