Detecting backdoors with network trickery
War-dialing in the age of 3G
Simeon Miteff
SANReN
9 October 2010
Introduction
What am I talking about?
War dialing audits of yore: PC Anywhere, Modems
Broadband backdoors to your enterprise network (3G, ADSL, etc)
Assumption: workstations not locked down (no NAC)
How do you detect this?
Simeon Miteff (SANReN) Detecting backdoors with network trickery 9 October 2010 2 / 12
Speaker's background
Why this pet problem?
Infosec? For the love of it.
Running UCT's network - 2006 to 2008
Manage firewalls, detect malware, handle DoS
Pre-SEACOM era - bandwidth management
"I want to use Skype, I have funding, I want ADSL"
Firewall policy vs. ADSL lines in offices
What we ended up doing: ADSL modem pool + firewall + VPN
When they don't cooperate
Doing it anyway, and saying sorry later...
Engineering, Compsci, Maths, Physics vs IT Services
How do you enforce policy?
Step 1, detection:
Physical audit... maybe not...
With a script
Threat model
Some thoughts regarding the threat model
Assumption: big perimeter firewall, poor internal security
Hack the ADSL box vs. walking into an office (lecture hall)
Not really a serious discussion about security threat modelling
Sorry...
Scenarios
Forwarding on dual-homed hosts
No forwarding
Forwarding
Forwarding with NAT (masquerading)
Where is the default route pointing?
DNS stub resolver.
Other possibly important things: host firewall, services running.
Forwarding
Find something that behaves like a router (active approach):
Ask host to forward packet to the Internet
What is normal behaviour for a single-homed host?
Check for packets arriving at monitoring host
Problem: broadband providers with uRPF
NAT: no uRPF issues, and more likely to be configured
No forwarding
Without forwarding: detecting multi-homed hosts
Detect lack of default route via LAN gateway (forwarding independent):
Passive: Is the host chatty on subnet, but nothing via GW?
Active: test reachability from subnet vs elsewhere on LAN
Trick the host into sending something via its default route
Firewall: breaks passive approaches
Trickery
Trick the host into doing a DNS lookup
URI in UPnP header
Encode the host's LAN address into a DNS label
Custom PowerDNS backend on the monitoring host
[Insert Demo Here]
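The monitoring-host side of the trick on this slide, as an added example that is not the talk's own code: the name handed to the host in the UPnP URI carries its LAN address as a DNS label, and the authoritative backend decodes that label and records which resolver forwarded the query. A lookup that arrives from anything other than the enterprise resolver means the host's stub resolver, and very likely its default route, points somewhere else. Assumed here: the probe zone name probe.example, the resolver address 10.20.255.53 and the answer address 10.20.255.80 (all constructed), and the tab-separated request/response format of the PowerDNS pipe backend (ABI version 1) as I recall it from the PowerDNS documentation, which should be checked against that documentation before use.

```python
"""Authoritative DNS backend that decodes a LAN address from the query name
and notes which resolver asked. Added example, not the talk's code.
Assumptions: zone name, resolver and answer addresses are constructed;
the pipe-backend line format is ABI version 1 (check the PowerDNS docs)."""
import ipaddress
import re
import sys

ZONE = "probe.example"                  # assumed probe zone delegated to the monitoring host
EXPECTED_RESOLVERS = {"10.20.255.53"}   # constructed: the enterprise resolver's address
ANSWER_IP = "10.20.255.80"              # constructed: harmless address returned to the host

LABEL_RE = re.compile(r"^([0-9]{1,3})-([0-9]{1,3})-([0-9]{1,3})-([0-9]{1,3})$")


def encode_lan_address(ip, zone=ZONE):
    """Turn 10.20.0.8 into '10-20-0-8.probe.example' for use in the UPnP URI."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything but IPv4
    return str(addr).replace(".", "-") + "." + zone


def decode_lan_address(qname, zone=ZONE):
    """Inverse of encode_lan_address; None when the name is not one of ours."""
    name = qname.rstrip(".").lower()
    suffix = "." + zone
    if not name.endswith(suffix):
        return None
    m = LABEL_RE.match(name[: -len(suffix)])
    if m is None:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def classify(resolver_ip, expected=EXPECTED_RESOLVERS):
    """Queries relayed by the enterprise resolver are normal; anything else
    means the host resolved the name through a different path."""
    return "expected" if resolver_ip in expected else "backdoor-suspect"


def handle_pipe_line(line, findings, expected=EXPECTED_RESOLVERS):
    """Process one pipe-backend request line and return the reply lines.
    Decoded (lan_ip, resolver_ip, verdict) tuples are appended to findings."""
    fields = line.rstrip("\n").split("\t")
    if fields[0] == "HELO":
        return ["OK\tbackdoor-probe backend"]
    if fields[0] != "Q" or len(fields) < 6:
        return ["FAIL"]
    qname, qclass, qtype, qid, remote = fields[1:6]  # remote = resolver that asked us
    lan_ip = decode_lan_address(qname)
    if lan_ip is not None:
        findings.append((lan_ip, remote, classify(remote, expected)))
    if lan_ip is None or qtype not in ("A", "ANY"):
        return ["END"]
    # TTL 0 so every probe reaches us instead of being served from a cache.
    return [f"DATA\t{qname}\t{qclass}\tA\t0\t{qid}\t{ANSWER_IP}", "END"]


if __name__ == "__main__":
    # Run under PowerDNS: reads requests on stdin, writes replies on stdout,
    # and logs each decoded probe to stderr.
    findings = []
    for request in sys.stdin:
        for reply in handle_pipe_line(request, findings):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()
        if findings:
            sys.stderr.write("probe: %s via %s -> %s\n" % findings.pop())
```

The verdict rests on the resolver address the authoritative server sees, so the enterprise resolver must be the only one that normally forwards queries for the probe zone; a host whose stub resolver still points at the campus resolver but whose default route has moved will look "expected" here, which is why the slides pair this trick with the forwarding and reachability checks.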
Future work
Tricks are fun and work in specific scenarios
Still need a more general approach for this to be useful
Investigate data mining
NetFlow export + query ARP caches and MAC tables
Infer when host switches default gateways
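The two passive heuristics from the "No forwarding" slide and this one, as an added example that is not from the talk: a host that is chatty with subnet peers but never sends a frame to the gateway MAC, and a host whose off-subnet traffic is addressed to a MAC other than the gateway's, which is the moment it switched default gateways. It assumes per-frame records that carry the destination MAC (from a span port, or NetFlow joined with the switch MAC tables and ARP caches the slide mentions; plain NetFlow alone lacks the L2 field), and the subnet, gateway MAC and records below are constructed.

```python
"""Passive detection of hosts that stopped using the LAN gateway.
Added example, not the talk's code. The subnet, gateway MAC and records
are constructed; real input would come from a span port or from NetFlow
joined with MAC-table/ARP exports so that the next-hop MAC is known."""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("10.20.0.0/24")   # constructed subnet
GATEWAY_MAC = "00:11:22:33:44:01"            # constructed: MAC of the real LAN gateway

# (timestamp, src_ip, dst_ip, dst_mac) -- constructed records.
RECORDS = [
    (100, "10.20.0.5", "10.20.0.9", "00:11:22:33:44:09"),       # normal host, LAN peer
    (101, "10.20.0.5", "93.184.216.34", GATEWAY_MAC),           # normal host, via gateway
    (102, "10.20.0.7", "10.20.0.9", "00:11:22:33:44:09"),       # chatty on the subnet...
    (103, "10.20.0.7", "10.20.0.11", "00:11:22:33:44:0b"),      # ...but never via gateway
    (104, "10.20.0.8", "93.184.216.34", GATEWAY_MAC),           # used the gateway at first
    (105, "10.20.0.8", "10.20.0.9", "00:11:22:33:44:09"),
    (106, "10.20.0.8", "93.184.216.34", "00:11:22:33:44:dd"),   # now via an ADSL box on the LAN
    (107, "10.20.0.8", "8.8.8.8", "00:11:22:33:44:dd"),
]


def summarise(records, lan=LAN, gateway_mac=GATEWAY_MAC):
    """Per source host: frames to subnet peers, frames through the gateway,
    and the first time each non-gateway MAC was used as next hop off-subnet."""
    stats = defaultdict(lambda: {"lan": 0, "gw": 0, "other_next_hop": {}})
    for ts, src, dst, dst_mac in records:
        s = stats[src]
        if ipaddress.ip_address(dst) in lan:
            s["lan"] += 1
        elif dst_mac == gateway_mac:
            s["gw"] += 1
        else:
            # Off-subnet destination reached through a MAC that is not the
            # gateway: the host's default route points at something else.
            s["other_next_hop"].setdefault(dst_mac, ts)
    return dict(stats)


def silent_via_gateway(stats):
    """Hosts that talk on the subnet but send nothing through the gateway."""
    return sorted(h for h, s in stats.items() if s["lan"] > 0 and s["gw"] == 0)


def gateway_switches(stats):
    """Hosts seen using a non-gateway next hop, with the first time per MAC;
    the MAC can then be looked up in the switch MAC table to find the port."""
    return {h: dict(s["other_next_hop"]) for h, s in stats.items() if s["other_next_hop"]}


if __name__ == "__main__":
    st = summarise(RECORDS)
    print("silent via gateway:", silent_via_gateway(st))
    print("switched next hop:", gateway_switches(st))
```

A host behind a host firewall that generates no traffic at all has lan == 0 and is never classified, which is the "Firewall: breaks passive approaches" caveat from the earlier slide; the first heuristic also needs an observation window long enough that a quiet but legitimate host has had reason to cross the gateway.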
Thanks
Thanks to:
Marco Slaviero (for nagging + brainstorming on IRC)
UCT (for having problems)
CSIR (for paying me to think about networks again)
Conclusion
Questions?
Thank you for listening!