The Cynical Trust Model

The Cynical Trust Model

James Arlen - @myrcurial Lee Brotherston - @synackpse

no disclaimer necessary (for a change)

TRUST

TRUST

IS

EASY

Networks

Providers

SaaS

IaaS

*aaS

Hardware

Software

Staff

Consultants

Regulators

Auditors

MITM

Detection

How, what, why, when?

Capture all the Packets

PCAP Toolstcpdump wireshark

tshark

mergecap tcpsplice tcptrace captcp

ntop pcapdiff tcpflow snort

SYN

ServerClient

SYN/ACK

ACK

HTTP Request

HTTP Response (Header & Data)

More Data……

SYN

ServerClient

SYN/ACK

ACK

RST/PSH/ACK

HTTP Response

HTTP Request

?

??

HTTP/1.1 200 OKContent-Type: text/html; charset=ISO-8859-1Content-Script-Type: text/javascriptConnection: closeCache-Control: no-store, no-cache, must-revalidate, max-age=0Expires: -1Pragma: no-cache

<html><head><noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webServer="http://64.71.251.10";</script><script type="text/javascript" src="http://64.71.251.10/ByteCap-075-EO-English/index.js"></script></head><noscript><frameset><frame src="http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></frameset></noscript><body style="margin:0;"><script type="text/javascript">Bulletin("policy=72&category=ByteCap-075&");</script></body></html>

Packet Headers

TCPDUMPip[6] = 0 and tcp[14:2] = 1

Wire/TSharktcp.window_size_value eq 1

and ip.flags.df == 0

Snortalert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION

suspected TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337)

Fun with Firewalls

But wait, there’s more….

SYN

ServerClient

SYN/ACK

ACK

RST/PSH/ACK

HTTP Response

HTTP Request

SYN

ServerClient

SYN/ACK

ACK

HTTP Request

HTTP Response (Header & Data)

Data

HTTP/1.1 200 OKContent-Type: text/html; charset=ISO-8859-1Content-Script-Type: text/HTMLConnection: close

Tests

Retention Timerewrite ^(.*)$ /index.php;

OoB Indexingrewrite ^(.*)$ /index.php;

+/etc/hosts

+.htaccess

Document Format<html><head><title>Oh Hai</title></head>

Document Format<!doctype html><html><head><title>Oh Hai</title></head>

Mapping the Network

Traceroute 8bits of magic

ttl=1

ttl expiry

ttl=2

ttl expiry

ttl=1

reply

ttl=2 ttl=1ttl=3

2 7.40.72.1 3 209.148.241.61 4 66.185.81.221 5 69.63.251.242 6 69.63.249.26 7 *

2 7.40.72.1 3 209.148.241.61 4 * 5 * 6 69.63.249.26 7 *

tcptraceroute

Intercept Portscanningfor i in `jot 65535 1`do tcptraceroute -f4 -m5 host $idone >> $i.log

2 7.11.164.41 3 66.185.90.37 4 209.148.224.205 5 209.148.224.242

6 4.31.208.129

2 7.11.164.41 3 66.185.90.37 4 209.148.224.214 5 209.148.224.209 6 209.148.228.218 7 209.148.228.217 8 209.148.224.254 9 4.31.208.129

tcptraceroute redux

Intercept Portscanning Reduxnmap -sS —-ttl 64 host

Which Interface?

My Server

TargetMe

Scapysendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")/IP(src="11.11.11.11", dst="55.55.55.55",ttl=(1,30), options=IPOption('\x07'))/TCP(sport=3125, dport=80, flags="S"), iface="en1")

So, that network…

Internal Management LAN

extWebServer = "http://64.71.255.194";intWebServer = “http://172.19.11.72";

SYN

ServerClient

SYN/ACK

ACK

RST/PSH/ACK

TTL = 1

TTL = 2

TTL = 3

6 31.55.164.187 7 31.55.164.107 8 109.159.248.69 9 109.159.248.1010 62.172.103.187

6 31.55.164.187 7 31.55.164.107 8 109.159.248.104 9 109.159.248.14210 194.71.107.15

Great Firewall of Cameron

4 98.0.3.14 5 98.0.3.3 6 107.14.19.106 7 107.14.17.194 8 64.86.79.97 9 64.86.79.2

4 98.0.3.14 5 98.0.3.3 6 66.109.6.72 7 107.14.17.192 8 64.86.79.97 9 64.86.79.2

RoadRunner

What?

HTTP/1.1 200 OKDate: Thu, 22 May 2014 14:29:09 GMTServer: PerfTechLast-Modified: Thu, 17 Apr 2014 14:42:01 GMTAccept-Ranges: bytesContent-Length: 2387Connection: closeCache-Control: no-store, no-cache, must-revalidate, max-age=0Expires: -1Pragma: no-cacheContent-Type: application/x-javascript

HTTP/1.0 404 Not FoundDate: Fri, 23 May 2014 14:00:05 GMTServer: PerfTechContent-Length: 25Connection: closeCache-Control: no-store, no-cache, must-revalidate, max-age=0Expires: -1Pragma: no-cacheContent-Type: text/html; charset=iso-8859-1

Hints in Scripts// Copyright 2005-2011 PerfTech, Inc., All Rights Reserved.

extWebServer = "http://64.71.255.194";intWebServer = “http://172.19.11.72";

displayUrl = "http://www.perftech.com/console/original.html";

Attribution: cat NULL planet - @skalnik

Why So Bothered?

Why Metadata Matters• They know you rang a phone sex service at 2:24 am and spoke

for 18 minutes. But they don't know what you talked about.

• They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.

• They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.

GET / HTTP/1.1Host: squarelemon.comUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCookie: _pk_ses.4.9b83=*Connection: keep-aliveIf-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMTCache-Control: max-age=0

What could possibly go

wrong?Photo Attribution: Tom - @tdawks

Demonstration

Which won’t work.

Not because we tempted

the demogods

But because MTCC doesn’t

networking

MTCC DEMO

ORIGINAL DEMO

Cynical Trust

Step 1:

Working Presumption

Step 2:

TANSTAAFL

Step 3:

Trust but Verify

Step 4:

Plan for Resilience

YOU

WILL

LOSE

DATA

What do you do about it…

Trust?

Thank you!James Arlen - @myrcurial

Lee Brotherston - @synackpse