Save 37% off PRO during our Black Friday Sale! »

Dissembling Ferret

23df83cefd42a57e7784bcc33527fe40?s=47 Clay Wells
May 03, 2017
Technology
0
110

Dissembling Ferret

A firewall penetration testing tool suite

23df83cefd42a57e7784bcc33527fe40?s=128

Clay Wells

May 03, 2017
Tweet

More Decks by Clay Wells

See All by Clay Wells
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
3
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
1.5k
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
190
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
160
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
68
23df83cefd42a57e7784bcc33527fe40?s=48 clayball
0
110

Other Decks in Technology

See All in Technology
1e6cfe94614ed96ac769e93f2e0c63f0?s=48 kavisha
1
490
4ccf6c02807d06f043a71435c48ce86a?s=48 eller86
2
1.1k
658c29959d8a9fd352afa440a5813137?s=48 ritou
1
680
D0a6969000c3715087b3a00abd646d20?s=48 timeseriesfr
0
240
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2.9k
Ecad9d801d79f6c6e5df93094690685e?s=48 sinsoku
0
180
60d4494f2321b322b050ea78acb7b0b1?s=48 matyuda
1
110
B403e8d81063fed04df41aa00941aced?s=48 coopsapporo
1
200
Dc5157c1e1b11923f4cdd210ee27d4af?s=48 patorash
1
320
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
0
180
8d80af14296180866264212adbfb587e?s=48 godan
0
160
09796cb754b7d31f1a4f31da436177ab?s=48 sankichi92
0
150

Featured

See All Featured
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
25
4.2k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
156
12k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
396
61k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
58
3.9k
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
43
2.2k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
72
3.9k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
208
38k
F716e5f737fcfb03f2cf8d1a184f1dbe?s=48 nonsquared
84
3.7k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
21
5.2k
828ace851b606e1206900f26459f55ad?s=48 speakerdeck
PRO
2
480
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
64
10k
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
28k

Transcript

  1. Clay, Justin Dissembling Ferret May 5, 2017 1 / 33

  2. Dissembling Ferret: A Free/Open Source Firewall Testing Suite Clay Wells,

    Justin Klein Keane @ clayball, @madirish2600 https://github.com/clayball/Dissembling Ferret May 5, 2017 Clay, Justin Dissembling Ferret May 5, 2017 2 / 33

  3. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 1 / 33

  4. Introduction Inspiration for this project • Research data exfiltration techniques

    • Research covert TCP/IP channels • Develop a firewall penetration testing tool suite Clay, Justin Dissembling Ferret May 5, 2017 2 / 33

  5. Introduction - View From The C-Suite • Security controls enter

    the environment with a baseline configuration 1. How and if this configuration is ever validated is debatable RFP, while legally binding, won’t help in an incident • After deployment security control, like any system will drift Clay, Justin Dissembling Ferret May 5, 2017 3 / 33

  6. Introduction - View From The C-Suite (cont) • How you

    track drift and spot a failure in a security control is critical 1. Main paths Security audit or penetration test Lucky catch by staff Security incident RCA 2. None of these paths are optimal • Configuration control is essential to validate assumptions of effectiveness of security controls Clay, Justin Dissembling Ferret May 5, 2017 4 / 33

  7. Introduction - Dissembling Ferret • DF will demonstrate failure in

    controls in many circumstances • While it may not be necessary to contact vendors to address the problem 1. It is imperative that teams know their gaps and blind spots to plan effectively Clay, Justin Dissembling Ferret May 5, 2017 5 / 33

  8. Introduction - Continuous Review • DF and other hacker tools

    need to be operationalized in your environment • Only through regular technical testing can you retain confidence in your security posture • Many of these tools are free 1. If it’s on Kali you should be running it! 2. If you can’t staff for this operation consider outsourcing • Responding to drift may make the difference between an emergency config change and a security incident. Clay, Justin Dissembling Ferret May 5, 2017 6 / 33

  9. Introduction - Be Proactive • Keeping up to date with

    the latest tools may be hard 1. Consider making a ”purple team” part of your pen test engagement 2. When the pen testers leave you should be running their tools as part of your remediation plan 3. None of the tools are overly hard and are fun so staffing will likely be easy (junior staff) Clay, Justin Dissembling Ferret May 5, 2017 7 / 33

  10. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 8 / 33

  11. The Initial Problem Data exfiltration methods • DNS - dnn506yrbagrg.cloudfront.net

    • HTTPS - encrypted • HTTP, FTP? - can this be prevented? • Reverse shell, bind shell to TCP port - good luck! Clay, Justin Dissembling Ferret May 5, 2017 9 / 33

  12. Firewalls, Trust Code handling data from untrusted sources is worth

    review. • Firewall Software • Proxy • Host-based Clay, Justin Dissembling Ferret May 5, 2017 10 / 33

  13. Types of Firewalls • Packet-Filtering, Stateless - layer 3, 4

    • Packet-Filtering, Stateful - layer 3, 4 • Next-Generation, Stateful Inspection - layer 3, 4, 7 Clay, Justin Dissembling Ferret May 5, 2017 11 / 33

  14. Attack Landscape Stateless • FIN Scanning, SYN Ambiguity, UDP, Fragmentation

    Stateful • SYN-FIN & SYN-RST, UDP, Directionality, Fragmentation • IP TTL, IP Options, Zero-Length Fragments • Layering Issues, Spoofing External, Spoofing Internal Clay, Justin Dissembling Ferret May 5, 2017 12 / 33

  15. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 13 / 33

  16. TCP/IP Primer - IP Header Clay, Justin Dissembling Ferret May

    5, 2017 14 / 33

  17. TCP/IP Primer - IP Header IP fields we’ll be setting,

    like an envelope • IPID • SRC • DST Clay, Justin Dissembling Ferret May 5, 2017 15 / 33

  18. TCP/IP Primer - TCP Header Clay, Justin Dissembling Ferret May

    5, 2017 16 / 33

  19. TCP/IP Primer - TCP Header TCP fields we’ll be setting

    • Sequence Number • Source Port • Destination Port • TCP FLAGS (C E [U A P R S F]) • Window Clay, Justin Dissembling Ferret May 5, 2017 17 / 33

  20. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 18 / 33

  21. Covert TCP/IP Channels - Methods Used Methods used for data

    exfiltration • Initial Sequence Number • IP ID • ACK Bounce Clay, Justin Dissembling Ferret May 5, 2017 19 / 33

  22. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 20 / 33

  23. Dissembling Ferret Inspired by: Covert Channels in the TCP/IP Protocol

    Suite, 1996 by Craig Rowland. Clay, Justin Dissembling Ferret May 5, 2017 21 / 33

  24. Smuggling Data - Sequence Numbers m u l t i

    p l i e r = 16777216 message=’ Hi ’ for char in message : e x f i l C h a r = ord ( char ) ∗ m u l t i p l i e r print e x f i l C h a r #decode=chr ( e x f i l C h a r / m u l t i p l i e r ) 1207959552 1761607680 Clay, Justin Dissembling Ferret May 5, 2017 22 / 33

  25. Smuggling Data - IP ID m u l t i

    p l i e r = 256 message = ’ Hi ’ for char in message : e x f i l C h a r = ord ( char ) ∗ m u l t i p l i e r print e x f i l C h a r #decode=chr ( e x f i l C h a r / m u l t i p l i e r ) 18432 26880 Clay, Justin Dissembling Ferret May 5, 2017 23 / 33

  26. Smuggling Data - ACK Bounce pkt = IP ( s

    r c=d e s t i n a t i o n , dst=’ 65.199.32.22 ’ ) / TCP( sport=dstport , dport =80, f l a g s=’S ’ ) Clay, Justin Dissembling Ferret May 5, 2017 24 / 33

  27. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 25 / 33

  28. Demo - Dissembling Ferret - Layer 0x3 Youtube link Dissembling

    Ferret- https://youtu.be/smhYFqf3ARU Clay, Justin Dissembling Ferret May 5, 2017 26 / 33

  29. Demo - Fireaway - Layer 0x7 Youtube link Fireaway -

    https://youtu.be/oiDcKMuSOk0 Clay, Justin Dissembling Ferret May 5, 2017 27 / 33

  30. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 28 / 33

  31. Future Work • Building upon Dissembling Ferret • Wily Possum

    - A Firewall Penetration Tool Suite 1. Scan and Analyze 2. Reports 3. Network Mapping (maybe) Clay, Justin Dissembling Ferret May 5, 2017 29 / 33

  32. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 30 / 33

  33. References / Resources Reference • Craig Rowland’s Paper Resources •

    Dissembling Ferret • Fireaway • Wily Possum • Firewalking • Port Scanning without the SYN flag Clay, Justin Dissembling Ferret May 5, 2017 31 / 33

  34. Overview Introduction Problem TCP/IP Primer Covert TCP/IP Channels - Methods

    Used Dissembling Ferret Demos Future Work References / Resources Links Thank You / Questions Clay, Justin Dissembling Ferret May 5, 2017 32 / 33

  35. Thank you Special thanks to.. Charles Rumford, John O’Brien, and

    the ISC Networking Team Christine Brisson and Warren Petrofsky Questions? @ clayball, @madirish2600 Clay, Justin Dissembling Ferret May 5, 2017 33 / 33