Jericho Attack Technique


Posted on 13-May-2015


Category: Technology


DESCRIPTION

This is my presentation, held at Vale Security Conference on September 14th 2013, about multiplexing attacks through TOR exit nodes and SOCKS/HTTPS proxies.

TRANSCRIPT

1. Jericho Attack Technique
   Cluster-bombing TCP attacks for maximum impact
   Jan Seidl, jseidl@wroot.org, @jseidl

2. $ whoami
   About
   Full Name: Jan Seidl
   Origin: Rio de Janeiro, RJ, Brazil
   Work: CTO @ TI Safe
   OpenSource contributor for: PEV, Logstash
   Codes and snippets @ github.com/jseidl
   Features:
   UNIX Evangelist/Addict/Freak (but no fanboy!)
   Python and C lover
   Coffee dependent
   Hates printers and social networks
   Proud DC Labs Researcher
   Jericho Attack Technique. SEIDL, Jan. ValeSecConf/2013, São José dos Campos, Brazil

3. $ whoami

4. $ whoami
   STUPID, BROKE, NERD, BROKE

5. Disclaimer
   Jericho is a product from the fictional company Stark Industries from The Iron Man movie franchise from Paramount Pictures and Marvel Studios, as well as any related picture presented in this presentation. Please do not sue me.

6. Agenda
   x00 Overview
   x01 Application / Uses
   x02 Required Parts
   x03 Weapon Assembly
   x04 Weapon Tuning
   x05 Launching the attack
   x06 Weapon Maintenance
   x07 Escalating Firepower
   x08 Turning into a Smart Weapon
   x09 Demo!

7. Overview: At a glance
   The attack consists of utilizing public SOCKS proxies and TOR instances through socket multiplexing software (e.g. load balancing/cluster software) as relays for attacks in a load-balancing fashion.

8. Overview: At a glance
   public SOCKS proxies + TOR instances + socket multiplexing software

9. Overview: At a glance

10. Overview: Schematics
    Attacker → HAProxy → Proxy 1, Proxy 2, Proxy 3, Proxy 4, Proxy 5, Proxy 6, Proxy 7 → Victim

11. Overview
    Evading connection and rate limiting
    Bypassing country/origin restrictions
    Hiding origin of attacks, making forensics people sad :(
    Low bandwidth attacks such as Layer 7 DoS attacks. Very efficient; see "Ataques DoS Super Eficientes: Layer 7, Android, load balancing e Tor" (pt_BR), http://slidesha.re/14yYiuV

12. Overview: Paying closer attention
    At first HAProxy may seem like a load balancer strictly for HTTP(S), but it's not. HAProxy's actual description is "The Reliable, High Performance TCP/HTTP Load Balancer". Cool, huh?

13. Uses
    Applications for the Jericho Attack Technique

14. Uses: Basic multiplexing use
    Web scraping/spidering
    Limited API requests
    IP-based anti-fraud schemes (e.g. online voting)
    User enumeration
    Password brute-forcing

15. Uses: Hitting hard
    Making Layer 7 Denial-of-Service attacks into a distributed configuration (DoS → DDoS)
    (I like this one very much in particular)

16. Uses: Going deeper
    Multiplexing mail relays for SPAM
    Multiplexing and anonymizing backdoor connections / commands
    Even more? Go crazy!

17. Uses: Possibly supported protocols
    FTP
    SMTP(S), POP3(S), IMAP(S)
    SSH
    RDP / VNC
    MySQL
    many more...

18. Required parts
    Building the weapon

19. Required parts: Main assembly
    Socat: Multipurpose Relay
    http://www.dest-unreach.org/socat/
    SSL support: HTTPS, IMAPS, POPS, LDAPS

20. Required parts: Main assembly
    HAProxy
    http://haproxy.1wt.eu/
    The Reliable, High Performance TCP/HTTP Load Balancer
    REQUEST → HAPROXY → { SERVER A, SERVER B, SERVER C }

21. Required parts: Resources
    SOCKS/HTTP(S) Proxies
    http://www.proxynova.com/proxy-server-list/
    http://hidemyass.com/proxy-list/
    Just google it...

22. Required parts: Resources
    TOR exit nodes
    PRO TIP: You can run as many TOR tunnels as you want (:
    tor --RunAsDaemon 1 --CookieAuthentication 0 --HashedControlPassword "pwd" --ControlPort 4444 --PidFile torN.pid --SocksPort 9050 --DataDirectory data/torN
    Multi-TOR: https://github.com/jseidl/Multi-TOR/
    EX: ./multi-tor.sh 5 # Opens 5 TOR instances

23. Required parts: Important Note
    The proxies may or may not require authentication; socat supports proxy authentication by adding the parameter as follows: proxyauth=user:pass

24. Required parts: Important Note
    Some public proxies append additional headers like X-Forwarded-For that may ruin the whole purpose of utilizing a Jericho attack perspective.
    (Thanks to Lucas Fernando Amorim for remembering that!)

25. Required parts: Important Note
    For TOR, one can use two-hop circuits for maximum performance and degraded anonymity, or greater-hop circuits for greater anonymity and degraded performance. It just depends on the use.
    Tor: Four Hops instead of Three, http://coldwaterq.com/?11
    TOR Auto-circuit, https://thesprawl.org/projects/tor-autocircuit/
    TOR control protocol, https://thesprawl.org/research/tor-control-protocol/

26. Required parts: (not so) Important Note
    I've developed a python tool named (albeit not very creatively)
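The talk's main selling points (slides 11 and 24) are that spreading one client's traffic across many relays defeats per-IP connection and rate limits, and that leaky public proxies undo this by appending X-Forwarded-For. Both give a defender something to key on. The following is an added detection example written for this page; it is not part of the talk and not the author's tooling. It works on constructed access-log lines in a hypothetical format (peer IP, X-Forwarded-For or "-", request line, status, User-Agent), collapses each request to the origin a leaky proxy exposes, and flags request fingerprints issued from more distinct sources than an organic population would plausibly produce. The threshold `max_sources` is an assumed tuning knob, not a value from the page.

```python
"""Defender-side detection for relay-multiplexed traffic (added example).

Per-IP rate limits see each relay as a separate, low-volume client, so the
useful signal shifts from "requests per IP" to "distinct IPs issuing the same
request pattern". Two checks over constructed log lines:

1. Collapse each request to the address a leaky proxy exposes in
   X-Forwarded-For; otherwise fall back to the peer IP.
2. Count distinct peer IPs per request fingerprint (method + path +
   User-Agent) and flag fingerprints spread across more than max_sources.
"""
import re
from collections import defaultdict

# Constructed log format (assumed for this example):
#   peer_ip xff "METHOD PATH" status "User-Agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<xff>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    xff = rec["xff"]
    # X-Forwarded-For may list several hops; the left-most entry is the
    # client the first proxy saw. "-" means the header was absent.
    rec["leaked"] = xff != "-"
    rec["origin"] = xff.split(",")[0] if rec["leaked"] else rec["ip"]
    return rec


def fingerprint(rec):
    """Request pattern that stays constant when only the relay changes."""
    return (rec["method"], rec["path"], rec["ua"])


def analyze(lines, max_sources=3):
    """Return (suspicious, leaked).

    suspicious: fingerprint -> set of distinct peer IPs, for fingerprints
                seen from more than max_sources peers.
    leaked:     recovered origin address -> set of relay IPs it appeared
                behind, for requests carrying X-Forwarded-For.
    """
    by_fp = defaultdict(set)
    leaked = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_fp[fingerprint(rec)].add(rec["ip"])
        if rec["leaked"]:
            leaked[rec["origin"]].add(rec["ip"])
    suspicious = {fp: ips for fp, ips in by_fp.items() if len(ips) > max_sources}
    return suspicious, dict(leaked)


# Constructed sample: one login-guessing pattern from five relays (two of
# which leak the same origin) next to two ordinary page views.
SAMPLE_LOG = """\
198.51.100.11 - "POST /login" 401 "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.2"
198.51.100.12 - "POST /login" 401 "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.2"
198.51.100.13 203.0.113.7 "POST /login" 401 "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.2"
198.51.100.14 203.0.113.7 "POST /login" 401 "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.2"
198.51.100.15 - "POST /login" 401 "Mozilla/5.0 (X11; Linux x86_64) python-requests/2.2"
192.0.2.40 - "GET /index.html" 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
192.0.2.41 - "GET /index.html" 200 "Mozilla/5.0 (Macintosh) Safari/536.30"
"""

if __name__ == "__main__":
    suspicious, leaked = analyze(SAMPLE_LOG.splitlines())
    for fp, ips in suspicious.items():
        print("pattern %r seen from %d sources: %s" % (fp, len(ips), sorted(ips)))
    for origin, relays in leaked.items():
        print("origin %s leaked via X-Forwarded-For behind %s" % (origin, sorted(relays)))
```

The fingerprint deliberately excludes the source address: the whole point of the multiplexing is that the address changes while the request does not. In practice the User-Agent would be joined by whatever else stays fixed across relays (TLS fingerprint, header order, request timing), and the source set would additionally be matched against a list of known Tor exit nodes and open proxies, which the example omits so that it runs offline.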
