Showing blog posts from September 2015
A new version of our heavy-duty PCAP parser tool CapLoader is now available. There are many new features and improvements in this release, such as the ability to filter flows with BPF, domain name extraction via passive DNS parser and matching of domain names against a local white list.
Filtering with BPF
The main focus in the work behind CapLoader 1.3 has been to fully support the Rinse-Repeat Intrusion Detection methodology. We've done this by improving the filtering capabilities in CapLoader. For starters, we've added an input filter, which can be used to specify IP addresses, IP networks, protocols or port numbers to be parsed or ignored. The input filter uses the Berkeley Packet Filter (BPF) syntax, and is designed to run really fast. So if you wanna analyze only HTTP traffic you can simply write “port 80” as your input filter to have CapLoader only parse and display flows going to or from port 80. We have also added a display filter, which unlike Wireshark also uses BPF. Thus, once a set of flows is loaded one can easily apply different display filters, like “host 188.8.131.52” or “net 192.168.1.0/24”, to apply different views on the parsed data.
Image: CapLoader with input filter "port 80 or port 443" and display filter "not net 184.108.40.206/16".
The main differences between the input filter and display filter are:
- Input filter is much faster than the display filter, so if you know beforehand what ports, protocols or IP addresses you are interested in then make sure to apply them as an input filter. You will notice a delay when applying a display filter to a view of 10.000 flows or more.
- In order to apply a new input filter CapLoader has to reload all the opened PCAP files (which is done by pressing F5). Modifying display filters, on the other hand, only requires you to press Enter or hit the “Apply” button.
- Previously applied display filters are accessible in a drop-down menu in the GUI, but no history is kept of previous input filters.
NetFlow + DNS == true
The “Flows” view in CapLoader gives a great overview of all TCP, UDP and SCTP flows in the loaded PCAP files. However, it is usually not obvious to an analyst what every IP address is used for. We have therefore added a DNS parser to CapLoader, so that all DNS packets can be parsed in order to map IP addresses to domain names. The extracted domain names are displayed for each flow, which is very useful when performing Rinse-Repeat analysis in order to quickly remove “known good servers” from the analysis.
Leveraging the Alexa top 1M list
As we've show in in our previous blog post “DNS whitelisting in NetworkMiner”, using a list of popular domain names as a whitelist can be an effective method for finding malware. We often use this approach in order to quickly remove lots of known good servers when doing Rinse-Repeat analysis in large datasets.
Therefore, just as we did for NetworkMiner 1.5, CapLoader now includes Alexa's list of the 1 million most popular domain names on the Internet. All domain names, parsed from DNS traffic, are checked against the Alexa list. Domains listed in the whitelist are shown in CapLoader's “Server_Alexa_Domian” column. This makes it very easy to sort on this column in order to remove (hide) all flows going to “normal” servers on the Internet. After removing all those flows, what you're left with is pretty much just:
- Local traffic (not sent over the Internet)
- Outgoing traffic to either new or obscure domains
Manually going through the remaining flows can be very rewarding, as it can reveal C2 traffic from malware that has not yet been detected by traditional security products like anti-virus or IDS.
Image: CapLoader with malicious flow to 1.web-counter[.]info (Miuref/Boaxxe Trojan) singled out due to missing Alexa match.
Many new features in CapLoader 1.3
The new features highlighted above are far from the only additions made to CapLoader 1.3. Here is a more complete list of improvements in this release:
- Support for “Select Flows in PCAP” to extract and select 5-tuples from a PCAP-file. This can be a Snort PCAP with packets that have triggered IDS signatures. This way you can easily extract the whole TCP or UDP flow for each signature match, instead of just trying to make sense of one single packet per alert.
- Improved packet carver functionality to better carve IP, TCP and UPD packets from any file. This includes memory dumps as well as proprietary and obscure packet capture formats.
- Support for SCTP flows.
- DNS parser.
- Alexa top 1M matching.
- Input filter and display filter with BPF syntax.
- Flow Producer-Consumer-Ratio PCR.
- Flow Transcript can be opened simply by double-clicking a flow.
- Find form updated with option to hide non-matching flows instead of just selecting the flows that matched the keyword search criteria.
- New flow transcript encoding with IP TTL, TCP flags and sequence numbers to support analysis of Man-on-the-Side attacks.
- Faster loading of previously opened files, MD5 hashes don't need to be recalculated.
- A selected set of flows in the GUI can be inverted simply by right-clicking the flow list and selecting “Invert Selection” or by hitting Ctrl+I.
Downloading CapLoader 1.3
All these new features, except for the Alexa lookup of domain names, are available in our free trial version of CapLoader.
So to try out these new features in CapLoader, simply grab a trial download here:
http://www.netresec.com/?page=CapLoader#trial (no registration needed)
All paying customers with an older version of CapLoader can grab a free update for version 1.3 at our customer portal.
Posted by Erik Hjelmvik on Monday, 28 September 2015 07:30:00 (UTC/GMT)
After Edward Snowden exposed NSA's Man-on-the-Side attack capabilities we've started to see IDS signatures that can detect such attacks being released and re-discovered. However, despite these efforts Man-on-the-Side attacks, such as QUANTUM INSERT, can still be carried out without triggering these IDS signatures.
I recently taught a network forensics class in Stockholm. One of the topics covered in this training was how to detect Man-on-the-Side attacks in full content PCAP files.
In one of the labs, in the network forensics training, students were tasked with finding a Man-on-the-Side attack in a 2.3 GB PCAP dataset. However, the way this MOTS attack was carried out made it invisible to normal signatures designed to detect TCP stream overlaps with different data, such as the Suricata signature 2210050.
alert tcp any any -> any any (msg:"SURICATA STREAM reassembly overlap with different data"; stream-event:reassembly_overlap_different_data; classtype:protocol-command-decode; sid:2210050; rev:2;)
The reason why Suricata and other methods fail to detect this attack is because the injected packet contained both application layer data (an HTTP redirect) and a TCP FIN flag. Upon receiving this spoofed packet the client (victim) followed the redirect as well as closed down its current TCP socket to the web server, by responding with a FIN+ACK packet. Subsequent packets sent by the real web server were then ignored by the client since the TCP socket was already closed when they arrived.
Stream reassembly engines in intrusion detection systems also ignore packets sent after the TCP tear-down, since the TCP session is assumed to be closed at this point. Overlapping TCP segments with different data are therefore not detected by intrusion detection systems when an injected TCP packet carries the FIN flag. I've created an example PCAP file, which illustrate this behavior, called mots-with-fin.pcap (this is not the MOTS attack analyzed in my training). Here's what the PCAP file looks like when analyzed with Tshark:
tshark -r mots-with-fin.pcap -T fields -e ip.src -e ip.dst -e ip.ttl -e tcp.seq -e tcp.flags -e http.response.code -e http.response.phrase
10.0.1.4 220.127.116.11 64 189665416 0x0002
18.104.22.168 10.0.1.4 54 4114717473 0x0012
10.0.1.4 22.214.171.124 64 189665417 0x0010
10.0.1.4 126.96.36.199 64 189665417 0x0018
188.8.131.52 10.0.1.4 64 4114717474 0x0019 302 Found <--INJECTED
10.0.1.4 184.108.40.206 64 189665756 0x0010
220.127.116.11 10.0.1.4 54 4114717474 0x0010
10.0.1.4 18.104.22.168 64 189665756 0x0011
22.214.171.124 10.0.1.4 54 4114717474 0x0018 301 Moved Permanently
Frame number 5 is the injected “302 Found” packet spoofed by the attacker. The TCP flag value 0x19 translates to FIN+PUSH+ACK, which is the attackers attempt to tear-down the TCP connection. The client responds with a FIN+ACK (0x11) in frame 8. The final frame is the real HTTP response coming from the legitimate web server.
Detecting MOTS Attacks
Martin Bruse was one of the guys taking the network forensics class last week. After realizing that there currently doesn't seem to exist any effective method for automatically detecting TCP segment overlaps with different data, regardless of the TCP state, Martin developed a tool called qisniff. This is what it looks like when mots-with-fin.pcap is analyzed with qisniff:
go run qisniff.go -file mots_with_fin.pcap
HTTP/1.1 302 Found
HTTP/1.1 301 Moved Permanently
Date: Tue, 21 Apr 2015 00:40:01 GMT
In the output above we can see the injected content <A> and the legitimate content from the real web server <B>. What qisniff does is basically reassembling streams and comparing the application layer data in new TCP segments with that in previously received segments. This is a very generic way of detecting any form of packet injection in a TCP stream, regardless if it is done as part of a Quantum Insert attack, an Airpwn injection or some brand new packet injection attack.
Martin's qisniff tool is open sourced under a GPLv2 license and is available on GitHub here: https://github.com/zond/qisniff
We would like to thank Fox-IT for publishing their great blog post Deep dive into QUANTUM INSERT, in which they shed some light on many technical details of Man-on-the-Sida attacks as well as published IDS signatures designed to detect such attacks.
Suricata's lead developer Victor Julien has now updated Suricata to fix this bug. The updated code is now merged into the main branch of Suricata and released as part of Suricata 2.0.9.
David Stainton has updated his HoneyBadger tool, which is specifically designed detect TCP injection attacks, so that it now also detects injected TCP packets with the FIN flag set. The update was released on January 31, in update 1457755.Image: HoneyBadger detecting injected packet in the mots-with-fin.pcap file we released.
Posted by Erik Hjelmvik on Monday, 21 September 2015 08:23:00 (UTC/GMT)