SniffJoke project, README for the 0.2 release
WHAT
SniffJoke is a sniffer evasion tool. While evasion tools are usually designed to bypass an IDS engine at exploitation time, SniffJoke makes every session originating from your host (optimistically) invisible to sniffers.
SniffJoke uses well-known techniques that are always effective against sniffers (an IDS may rely on a different set of considerations).
These techniques exploit a common assumption made by sniffer/IDS programmers: that the two intercepted hosts run real operating systems with a proper TCP/IP stack.
WHY
Because:
- A sniffer that does connection tracking can be fooled with ad-hoc forged packets. These packets can force the sniffer to track a session that looks different from the real connection.
- Many sniffers and IDSs implement a reduced TCP/IP stack and, because of their high performance requirements, cut some details: the weaknesses we attack are consequences of this reduction of implementation complexity.
An old article discussing these issues: http://www.phrack.org/archives/54/P54-10 These attacks may seem old, but the exploited weakness is still present today. In my implementation some things have been updated, but the core concept is still the same. A research paper on the topic: http://citeseer.ist.psu.edu/ptacek98insertion.html
HOW
With a plugin for ulogd-1.24
tar zxvf sniffjoke-0.2.tar.gz
cd sniffjoke-0.2
./configure && make install
vi /usr/local/etc/ulogd.conf
Check the [SNIFFJOKE] section: the defaults should already work, but you need to choose your working mode and the protected service.
HOW DOES IT WORK IN DETAIL?
SniffJoke requires the ULOG target of the netfilter framework.
In the [SNIFFJOKE] section of the ulogd.conf configuration file, you should configure these options:
- file: the logfile generated by SniffJoke. As developer I used it to understand what is happening; if you have no interest in that you can just ignore this option (default: /dev/null)
- verbosity: report errors/warnings only, or full debug output. Values are "0" to disable verbosity, "1" to enable it. (default: 0)
- application: application:"$username" causes the sessions owned by the UID of username to be accompanied by SniffJoke packets. It requires the UID MATCH extension of the netfilter framework. This is suited to a local user of a Linux desktop computer.
- application: application:"gateway" runs SniffJoke on a LAN gateway in gateway mode. Gateway mode applies SniffJoke's hacks to all forwarded sessions originating from the computers behind the gateway (but not to local sessions).
- interface: "interface:$interface" is the name (eth0, ppp0) of the outgoing interface.
- quickdirty: one of the available hack types; it takes as argument a comma-separated list of TCP ports: quickdirty:"80,8080,4662"
- slowsure: the other hack type (described below); it takes as argument a comma-separated list of TCP ports: slowsure:"80,8080,4662"
HOW AND WHY, QUICKDIRTY & SLOWSURE?
Any kind of traffic injection is based on the creation of invalid packets RELATED to the hacked session. Invalid packets count as duplicated packets in the network congestion algorithm, and this causes a shrinkage of the transmission window. In protocols like HTTP, based on a multitude of TCP connections, a slow-start connection can be annoying.
The slowsure attack works in the following way:
- new packet: check whether it belongs to a new session. Is it new? Track it and memorize the TTL of the packet. Is it old? Fine, it is already tracked.
- take the last TTL used, decrement it by TTL_DEC_ANYTIME (default: 4), update the last TTL used, and forge a hack packet with, more or less, the techniques described in the paper.
- send the hack packet.
This has two goals:
- send the hack packet in the RELATED session to confuse the sniffer/IDS
- find, by repeated decrementing tries (a brute-force search), the first TTL that generates an ICMP TIME EXCEEDED. Once this TTL is found it is possible to send packets that will surely never reach the remote host: a valid packet (usually a reset) can be sent with a TTL that never reaches the remote host. This attack is tried because it is very effective.
WORKING CASES:
SniffJoke attacks connection tracking and pattern recognition. A sniffer that does not do connection tracking (ettercap, sniffit) should not be vulnerable. Sniffers that do connection tracking use different technologies:
- following TCP flags, with analysis and sequence tracking: if this technology is used correctly, the reassembly (at the moment) appears correct. Wireshark is an example of complete, precise TCP analysis. Ethereal is vulnerable because it is not so complete.
- following partial TCP state and making some dangerous assumptions: tcpflow follows partial information (the sequence number is used to resize the output file, so reconstruction of the sessions may create files of roughly 600 megabytes that are mostly empty, making an interesting denial of service).
- following nothing: simply detect the tuple and append packets. This is vulnerable in application-level analysis due to pattern injection. (example: in a session to destination port 25, the payload of the hacked packet contains "\r\n.\r\n" to look like an email completion)
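As an added, defensive illustration (not SniffJoke's code and not ulogd's), the following Python sketch contrasts the "append mode" reconstruction just described with a tracker that validates each segment before reassembly: it rejects segments whose TTL has stepped down from the flow's baseline (the slowsure search for an ICMP TIME EXCEEDED hop described in the previous section), segments with a bad checksum, and byte ranges already seen, then orders the remainder by sequence number. The addresses, payloads, the TTL_SLACK tolerance and the Segment/RobustTracker names are constructed for this example; only TTL_DEC_ANYTIME (4) and the "\r\n.\r\n" pattern come from the README.

```python
from dataclasses import dataclass, field

TTL_DEC_ANYTIME = 4   # decrement step named in the README
TTL_SLACK = 2         # assumed tolerance for ordinary TTL jitter (e.g. a route change)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes
    checksum_ok: bool = True   # result of TCP checksum verification, precomputed here

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class FlowState:
    base_ttl: int                                # TTL of the first segment seen on the flow
    chunks: dict = field(default_factory=dict)   # seq -> payload, first valid copy wins


class RobustTracker:
    """Sequence-aware tracker that validates every segment before reassembly."""

    def __init__(self):
        self.flows = {}
        self.log = []   # (segment, verdict) in arrival order

    def _covered(self, st, seg):
        # True if any byte of seg overlaps a range already accepted
        end = seg.seq + len(seg.payload)
        return any(seg.seq < s + len(p) and s < end for s, p in st.chunks.items())

    def accept(self, seg):
        st = self.flows.get(seg.flow)
        if st is None:
            st = self.flows[seg.flow] = FlowState(base_ttl=seg.ttl)
        if not seg.checksum_ok:
            verdict = "bad_checksum"          # the peer's stack would discard it too
        elif seg.ttl < st.base_ttl - TTL_SLACK:
            verdict = "ttl_drop"              # may never reach the peer: do not trust it
        elif self._covered(st, seg):
            verdict = "duplicate"             # retransmission or overlap: keep first copy
        else:
            st.chunks[seg.seq] = seg.payload
            verdict = "accepted"
        self.log.append((seg, verdict))
        return verdict

    def stream(self, flow):
        st = self.flows[flow]
        return b"".join(st.chunks[s] for s in sorted(st.chunks))

    def ttl_probe_suspected(self, flow):
        # Two or more rejected segments whose TTLs step down by exactly
        # TTL_DEC_ANYTIME look like the brute-force search described above.
        ttls = [s.ttl for s, v in self.log if s.flow == flow and v == "ttl_drop"]
        steps = [a - b for a, b in zip(ttls, ttls[1:])]
        return len(ttls) >= 2 and all(step == TTL_DEC_ANYTIME for step in steps)


def naive_append_stream(segments, flow):
    """'Append mode' reconstruction: no validation, no ordering."""
    return b"".join(s.payload for s in segments if s.flow == flow)


def reassemble(segments, flow):
    tracker = RobustTracker()
    for s in segments:
        tracker.accept(s)
    return tracker


# Constructed sample: one SMTP session (port 25) with three forged segments mixed in.
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 25)   # documentation address ranges
A = b"MAIL FROM:<a@example.test>\r\n"
B = b"RCPT TO:<b@example.test>\r\n"
C = b"DATA\r\n"
INJ = b"\r\n.\r\n"   # the end-of-message pattern mentioned in the README
seqA = 1000
seqB = seqA + len(A)
seqC = seqB + len(B)
seqEnd = seqC + len(C)


def seg(seq, ttl, payload, ok=True):
    return Segment(*FLOW, seq=seq, ttl=ttl, payload=payload, checksum_ok=ok)


SAMPLE = [
    seg(seqA, 64, A),                 # real
    seg(seqA, 60, INJ),               # forged: TTL stepped down by 4, overlaps A
    seg(seqC, 64, C),                 # real, arrives before B
    seg(seqEnd, 56, INJ),             # forged: TTL stepped down again
    seg(seqB, 64, B),                 # real, late
    seg(seqB, 64, B),                 # real retransmission
    seg(seqEnd, 52, INJ, ok=False),   # forged with a corrupt checksum
]

if __name__ == "__main__":
    t = reassemble(SAMPLE, FLOW)
    print("append mode :", naive_append_stream(SAMPLE, FLOW))
    print("validated   :", t.stream(FLOW))
    print("TTL probe?  :", t.ttl_probe_suspected(FLOW))
```

The append-mode output contains the injected "\r\n.\r\n" three times and the real commands out of order; the validated stream is exactly MAIL FROM, RCPT TO, DATA. A real IDS cannot settle every case this way (a legitimate route change also shifts the TTL, and a duplicate range carrying different data is genuinely ambiguous, which is the problem the cited paper describes), but the sketch makes concrete why "append mode" reconstruction is the category the README lists as vulnerable.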
Here is the package for download:
http://www.s0ftpj.org/tools/sniffjoke-0.2.tar.gz
If you run some tests, please let me know at vecna@s0ftpj.org because I'm keeping track of vulnerable and immune software. The main limitation of SniffJoke at the moment is that it cannot send packets in place of the real packets, only related ones; this feature must be added in 0.3.
November 9th, 2008 at 10:53 am
[…] 0.6, Xplico will no longer be affected by this type of attack. A good sniffer evasion tool is SniffJoke. SniffJoke prevents Xplico from reconstructing the traffic … and not only Xplico […]