The Cynical Trust Model

The Cynical Trust Model James Arlen - @myrcurial Lee Brotherston
- @synackpse

no disclaimer necessary  (for a change)

Networks

Providers

Hardware

Software

Consultants

Regulators

Auditors

Detection

How, what, why, when?

Capture all the Packets

PCAP Tools tcpdump wireshark tshark mergecap tcpsplice tcptrace captcp ntop
pcapdiff tcpﬂow snort

SYN Server Client SYN/ACK ACK HTTP Request HTTP Response (Header
& Data) More Data……

SYN Server Client SYN/ACK ACK RST/PSH/ACK HTTP Response HTTP Request
? ? ?

HTTP/1.1 200 OK Content-Type: text/html; charset=ISO-8859-1 Content-Script-Type: text/javascript Connection: close
Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Expires: -1 Pragma: no-cache <html><head><noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl? policy=72&category=ByteCap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webServer="http:// 64.71.251.10";</script><script type="text/javascript" src="http:// 64.71.251.10/ByteCap-075-EO-English/index.js"></script></ head><noscript><frameset><frame src="http://64.71.251.10/ noscript.pl?policy=72&category=ByteCap-075&"></frameset></ noscript><body style="margin:0;"><script type="text/ javascript">Bulletin("policy=72&category=ByteCap-075&");</script></ body></html>

Packet Headers

TCPDUMP ip[6] = 0 and tcp[14:2] = 1

Wire/TShark tcp.window_size_value eq 1 and ip.flags.df == 0

Snort alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected
TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337)

Fun with Firewalls

But wait, there’s more….

SYN Server Client SYN/ACK ACK RST/PSH/ACK HTTP Response HTTP Request

SYN Server Client SYN/ACK ACK HTTP Request HTTP Response (Header
& Data) Data

HTTP/1.1 200 OK Content-Type: text/html; charset=ISO-8859-1 Content-Script-Type: text/HTML Connection: close

Retention Time rewrite ^(.*)$ /index.php;

OoB Indexing rewrite ^(.*)$ /index.php; + /etc/hosts + .htaccess

Document Format <html> <head> <title>Oh Hai</title> </head>

Document Format <!doctype html> <html> <head> <title>Oh Hai</title> </head>

Mapping the Network

Traceroute 8bits of magic

ttl=1 ttl expiry ttl=2 ttl expiry ttl=1 reply ttl=2 ttl=1
ttl=3

2 7.40.72.1 3 209.148.241.61 4 66.185.81.221 5 69.63.251.242 6 69.63.249.26
7 * 2 7.40.72.1 3 209.148.241.61 4 * 5 * 6 69.63.249.26 7 * tcptraceroute

Intercept Portscanning for i in `jot 65535 1` do tcptraceroute
-f4 -m5 host $i done >> $i.log

2 7.11.164.41 3 66.185.90.37 4 209.148.224.205 5 209.148.224.242 6 4.31.208.129 
2 7.11.164.41 3 66.185.90.37 4 209.148.224.214 5 209.148.224.209 6 209.148.228.218 7 209.148.228.217 8 209.148.224.254 9 4.31.208.129 tcptraceroute redux

Intercept Portscanning Redux nmap -sS —-ttl 64 host

Which Interface? My Server Target Me

Scapy sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")/ IP(src="11.11.11.11", dst="55.55.55.55",ttl=(1,30), options=IPOption('\x07'))/ TCP(sport=3125, dport=80, flags="S"), iface="en1")

So, that network… Internal Management LAN extWebServer = "http://64.71.255.194"; intWebServer
= “http://172.19.11.72";

SYN Server Client SYN/ACK ACK RST/PSH/ACK TTL = 1 TTL
= 2 TTL = 3

6 31.55.164.187 7 31.55.164.107 8 109.159.248.69 9 109.159.248.10 10 62.172.103.187
6 31.55.164.187 7 31.55.164.107 8 109.159.248.104 9 109.159.248.142 10 194.71.107.15 Great Firewall of Cameron

4 98.0.3.14 5 98.0.3.3 6 107.14.19.106 7 107.14.17.194 8 64.86.79.97
9 64.86.79.2 4 98.0.3.14 5 98.0.3.3 6 66.109.6.72 7 107.14.17.192 8 64.86.79.97 9 64.86.79.2 RoadRunner

HTTP/1.1 200 OK Date: Thu, 22 May 2014 14:29:09 GMT
Server: PerfTech Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT Accept-Ranges: bytes Content-Length: 2387 Connection: close Cache-Control: no-store, no-cache, must- revalidate, max-age=0 Expires: -1 Pragma: no-cache Content-Type: application/x-javascript

HTTP/1.0 404 Not Found Date: Fri, 23 May 2014 14:00:05
GMT Server: PerfTech Content-Length: 25 Connection: close Cache-Control: no-store, no-cache, must- revalidate, max-age=0 Expires: -1 Pragma: no-cache Content-Type: text/html; charset=iso-8859-1

Hints in Scripts // Copyright 2005-2011 PerfTech, Inc., All Rights
Reserved. extWebServer = "http://64.71.255.194"; intWebServer = “http://172.19.11.72"; displayUrl = "http://www.perftech.com/console/original.html";

Attribution: cat NULL planet - @skalnik

Why So Bothered?

Why Metadata Matters • They know you rang a phone
sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about. • They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret. • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.

GET / HTTP/1.1 Host: squarelemon.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux
i686; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml +xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: _pk_ses.4.9b83=* Connection: keep-alive If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT Cache-Control: max-age=0

What could possibly go wrong? Photo Attribution: Tom - @tdawks

Demonstration

Which won’t work.

Not because we tempted the demogods

But because MTCC doesn’t networking

MTCC DEMO

ORIGINAL DEMO

Cynical Trust

Step 1:

Working Presumption

Step 2:

TANSTAAFL

Step 3:

Trust but Verify

Step 4:

Plan for Resilience

What do you do about it…

Trust?

Thank you! James Arlen - @myrcurial Lee Brotherston - @synackpse

The Cynical Trust Model

The Cynical Trust Model

More Decks by Lee Brotherston

Other Decks in Technology

Featured

Transcript