Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More SSL trouble

Published: 2012-09-13
Last Updated: 2012-09-13 14:50:56 UTC
by Mark Baggett (Version: 1)
2 comment(s)

Researchers Juliano Rizzo and Thai Duong will present a new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days.    Their tool takes advantage of a flaw in the SPDY (speedy) TLS compression protocol implementation.   It allows an attacker to hijack an encrypted SSL session.    It appears that for this attack to work both the website and the browser must support the SPDY protocol.     Several widely used websites such as Google, Gmail and Twitter do support the SPDY protocol.    Both the Firefox and Chrome browsers also support this protocol.    Internet Explorer and Safari does not support SPDY and are not vulnerable.    

It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.

References:

http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512

http://www.computerworld.com/s/article/9231013/Security_researchers_to_present_new_39_CRIME_39_attack_against_SSL_TLS

 

Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response!  Register Today!!

Mark Baggett

Twitter: @MarkBaggett

2 comment(s)

Microsoft disrupts traffic associated with the Nitol botnet

Published: 2012-09-13
Last Updated: 2012-09-13 13:53:56 UTC
by Mark Baggett (Version: 1)
1 comment(s)

There is an interesting article that was just published by Microsoft's Digital Crimes Unit.   Attackers have been infecting manufacturer supply chains to spread their evil warez.   Some unnamed manufacturers have been selling products loaded with "counterfeit versions of Windows software embedded with harmful malware."   The article goes on to say that the "Malware allows criminals to steal a person’s personal information to access and abuse their online services, including e-mail, social networking accounts and online bank accounts. Examples of this abuse include malware sending fake e-mails and social media posts to a victim’s family, friends and co-workers to scam them out of money, sell them dangerous counterfeit drugs, and infect their computers with malware."    Microsoft worked with law enforcement and began filtering traffic associated with the domain 3322.org to disrupt the botnet's communications.

The full story is here:  http://blogs.technet.com/b/microsoft_blog/archive/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain.aspx

 

Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response!  Register Today!!

Mark Baggett

Twitter: @MarkBaggett

1 comment(s)

TCP Fuzzing with Scapy

Published: 2012-09-13
Last Updated: 2012-09-13 03:07:16 UTC
by Mark Baggett (Version: 1)
0 comment(s)

Greetings ISC Readers!   Today I wanted to share a technique that I find quite useful when I fuzz TCP applications with scapy.   Scapy is a Python module used for packet parsing and packet crafting.   With scapy you can create just about any packet your heart desires, transmit it to a target, capture the response and respond again accordingly.  It is an excellent tool to use for fuzzing network protocols.    But it does require a bit of work when fuzzing TCP protocols because you need to track the sequence and acknowledgement numbers.   There are countless examples of this on the internet, but let's look at it here briefly.   To establish a three way handshake you could do the following.  

First you start Python, import scapy and craft your SYN packet. 

# python
>>> from scapy.all import *

>>> tcp_syn=IP(src="192.168.1.1", dst="10.1.1.1")/TCP(dport=9000, flags="S", seq=10000)

Then we transmit our SYN packet and capture the SYN/ACK from the remote host.

>>> tcp_syn_ack=srp1(tcp_syn)

Now you can calculate the final ACK and transmit it.


>>> tcp_ack=IP(src="192.168.1.1", dst="10.1.1.1")/TCP(dport=9000, flags="A", seq=tcp_syn_ack.ack, ack=tcp_syn_ack.syn+1)
>>> tcp_pack1=srp1(tcp_ack)

Then you can transmit your crafted packet to the remote listener as long as you calculate and send the correct sequence numbers.   There are a couple of downsides to this technique.   First, you have to track the sequence numbers and acknowledgement numbers yourself and increment them as you transmit data.   Second, because these are crafted packet, the real TCP stack on your host will send RESETS to the unexpected responses.  You have to add some IPTABLES rules to block these RESETS from the real TCP stack.   There is another way to do this that can help with these problems.  

If you just want to shoot your packets at a TCP target, tracking sequence and acknowledgement numbers isn't necessary.  Instead you can use Python sockets to establish the connection, then convert the existing socket to a scapy stream.   Once it is a scapy stream you can use all of the normal scapy methods to transmit crafted packets over the established socket.   Using this method you don't have to track the TCP sequence numbers and can focus on creating and transmitting your fuzzing packets.    

Here is an example.  We start the same way and importing scapy.   Then we establish a normal Python Socket connection like this:

>>> from scapy.all import *
>>> mysocket=socket.socket()
>>> mysocket.connect(("10.1.1.1",9000))

With one simple call to "connect()" the TCP Handshake is completed.  But this is just a normal Python socket object.  To use it in scapy you need to create a  "StreamSocket()" object that is based on the established socket.   You can create a StreamSocket object like this:


>>> mystream=StreamSocket(mysocket)

The resulting "mystream" object is a scapy object that can be used to transmit crafted packets across the existing socket.   The mystream object supports the same .recv(), .send(), .sr(), .sr1() and even the sniff() methods that you have with other scapy objects.  Now all you have to do is craft a packet and send it to your target.


>>> ascapypacket=IP(dst="10.1.1.1")/TCP(dport=9000)/fuzz(Raw())
>>> mystream.send(ascapypacket)
1109
>>> mystream.send(ascapypacket)
1091
>>>

That is all there is to it.   I hope you find this technique as useful as I do for fuzzing TCP services.     Do you have another technique or another way to apply this technique?   Leave a comment.


Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response!  Register Today!!

Mark Baggett

Twitter: @MarkBaggett
 

0 comment(s)
ISC StormCast for Thursday, September 13th 2012 http://isc.sans.edu/podcastdetail.html?id=2797
Diary Archives