Black Ops of TCP/IP 2011

Video in TIB AV-Portal: Black Ops of TCP/IP 2011

Formal Metadata

Black Ops of TCP/IP 2011
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Remember when networks represented interesting targets, when TCP/IP was itself a vector for messiness, when packet crafting was a required skill? In this thoroughly retro talk, we're going to play with systems the old fashioned way, cobbling together various interesting behaviors with the last few shreds of what low level networking has to offer. Here's a few things to expect:

* IPv4 and IPv6 Fragmentation Attacks, Eight Years In The Making
* TCP Sequence Number Attacks In Modern Stacks
* IP TTLs: Not Actually Expired
* Inverse Bug Hunting: More Things Found On The Open Net
* Rebinding Attacks Against Enterprise Infrastructure
* BitCoin: Network Manipulation for Fun And (Literal) Profit
* The Net Neutrality Transparency Engine

DNS might show up, and applications are going to be poked at. But this will be an old style networking talk, through and through.
Hello everyone, it is great to be here at Def Con 19. Thank you all for being here. Uh, you don't know me. Hi, I'm Dan Kaminsky and I write code. I am not here to fix authentication or regale you with stories of DNS or DNSSEC. These are still things I'm working on, but not today. Today is a return for me. As a community we have sort of... was anyone here, out of curiosity, at my talk in like 2002 about Black Ops of TCP/IP? Like, anyone? Awesome. This is a sequel to that talk. Ah, got it. Hey everybody. Worst impression ever. Let's see, how about this, is this good? No? Logistics. No, how about this, does this work? Awesome, thank you guys.

All right, so we sort of stopped looking at network security. You know, mapping networks, evading firewalls, subverting design assumptions, you know, the various arts of messing with packets kind of been abandoned, and that's sort of a good thing. You know, when you actually look at how systems are broken into, it's the same game every time: SQL inject the web front end or PDF the client back end, take whatever credentials are on the box and move on with your life. It's not hard. Making hacking look difficult, it's just something we do so we look awesome to the other people. So netsec is only so relevant in such an environment. You know what? I do not care. This is what I liked doing back in the day, and we're going to play with the packets.

So what are we going to start messing with? We're going to start messing with, of all things, Bitcoin. Why not? It infects everything else, it should hit my talk too. Now, what is Bitcoin now? Well, it's an attempt at making a digital currency with no central bank. Yeah, it's a system with economic properties I don't know anything about. I'm not an economist, but to be fair neither are most economists, so it sort of works out. Um, it's an overlay network upon the Internet. It's like an Internet on an Internet that people think has certain properties. Now that, that is a toy to play with.

So Bitcoin is built on doing three things. Transferring money: Alice gives Bob 2.1 bitcoins. That's done with public key cryptography, you sign the message. And then there's gossip: hey everybody, did you hear that Alice gave Bob 2.1 bitcoins? Alice goes ahead and gossips that out and it just spreads throughout the network like wildfire, look at this great new news. And then there's appending. Once about every 10 minutes someone on the network does enough computation to say, aha, the official record of all transactions ever should include that Alice paid Bob and Bob paid Charlie and Charlie paid David, and, you know, it's a lot of cryptographic work. How do you know if we've done enough work? Well, if the network generates answers any faster than 10 minutes, you make the problem harder and harder and harder until it takes once every 10 minutes. It's really quite elegant in each fit. You know, if it goes too fast it self corrects.

So join em up bitcoins is not my Bitcoin talk; go to dankaminsky.com, you'll see some slides on that. The good news is that Bitcoin is really impressive. Anyone who's all dismissive of it and, oh, it's got all these bugs, no, they're just like missing... like the first five times you think you understand Bitcoin, you're not even close. I'm on Bajor bug nine on Bitcoin that I was absolutely sure was going to work. No. Now they, like, the line of code that would have made that bug work is just not there. The mark of a pen tester is upon this software. Bitcoin has fixed almost all the flaws that aren't forced by the design. However, there are flaws forced by the design. It totally does not scale and it is absolutely not anonymous.

What do I mean? If you go to the scalability page on the Bitcoin wiki you will see the funniest document in the history of software engineering. Let me give you some quotes. I don't even need to talk about how Bitcoin doesn't scale, because they say it. Like, yeah, bandwidth: eventually we're going to require every machine to exchange a gigabyte a second. Whoa. CPU: you'll have to have 50, no, 50 CPU cores just to participate. In storage, well, you might need a 3 terabyte hard drive every 21 days, but it's cool because they're like only 200 bucks, and again that's pretty affordable. Look, this is their own page, I'm not making this up. So you know, you end up with like super nodes that do special stuff and everyone else who trusts them. We have another word for this: they're called banks. Not saying banks are bad, I'm just saying all these economic properties of Bitcoin that everyone likes today are going to be gone tomorrow. Now I'm not saying those are the properties of a Ponzi scheme, I'm just... yet, until we get to this point that Bitcoin completely has to shift over to the banking model.

Um, who here knows a very interesting character by the name of Travis Goodspeed? You don't even know our ridiculousness, guys. But he asked me a great question. He said, Dan, could we use Bitcoin as a thamma stop service, as a way to store information and distribute it? You know, three terabytes is an awful lot of data. There's an old challenge, haven't thought of it in years, and it's: well, the Internet is about sending data from point A to point B, at which point it just magically disappears. What if we could get a way where it didn't magically disappear, or in fact it stuck around forever? Well, the reason you need a 3 terabyte hard drive in Bitcoin is because basically all the transactions have to live forever somewhere. So if it's going to live forever, what could we do with this?

Um, who here knew or knows Len Sassaman? Len was one of our brightest lights in our community. There's a command that one can run on Bitcoin today, and on Bitcoin forever, on any node running Bitcoin: strings --bytes=20 .bitcoin/blk0001.dat. strings will go ahead and extract human readable text from any blob of data. We usually use it to find hard coded passwords inside of statically linked executables. Well, if we run this on the block database of all transactions ever moved through Bitcoin, on any machine in the world participating, you know what you get? Len was our friend, and was a brilliant mind, a kind soul and a devious schemer, husband to Meredith, he was brother to Calvin, who is here at his first Def Con ever, son to Jim and Dana Hartshorn, co-author of mine and of many others, co-founder and Shmoo and so much more. We dedicate this very silly hack to Len, who would have found it absolutely hilarious. And just to increase the amusement factor, and Len would have loved this, Bitcoin is now dependent until the end of time on Len. Bitcoin is also dependent until the end of time on the head of the Federal Reserve, Ben Bernanke. Accident.

So, so how did we do this? In Bitcoin, Alice gives money to Bob by issuing a sort of challenge: whoever can sign a message with the public key that hashes to the following bytes, that has the following fingerprint, may claim this money. Oh, bytes. Bytes. Instead of pushing the hash of a public key, we pushed 20 characters of a testimonial, 78 times. There are consequences to this. It does cost money, cost about a Bitcoin. There are minimums to transferring money. This does destroy the money forever. The Bitcoin network is thoroughly convinced that somewhere, somehow, there must be a public key with the hash that "Len was our friend". I am totally cool with that. This is the cyber equivalent to pouring one out for your homies.

So, coming at higher bandwidth: Bitcoin does let you send money to a public key directly rather than its hash, so it gives you like a 10x increase in bandwidth. That's not good enough. Bitcoin allows for extra data in a signature, a really beautiful style too. Um, you see, Bitcoin works with small programs. The program from the receiver says, please put this signature and public key on a stack, a pile of data, and the program from the sender is, hey, take the signature and public key off the stack and make sure they're good. Now if you look at this just from a language perspective, Meredith's research is all about language-theoretic security, um, what if there is extra data that the receiver puts on, you know, I don't know, some video file or something? I don't know why someone crazy would do that. Well, the sender just says take the signature and public key off the stack, doesn't say anything about making sure there's not more data. So this just works fine.

Now it's funny, this bug shows up all the time in signature checking systems. Um, it's not just the sender of money who can add the extra content. See, a signature can't cover itself. When you sign a document you don't sign the signature, because the signature is not there yet. It's a chicken and egg problem. You're signing everything but the signature and the extra crap that's been thrown in with the signature. Now in Bitcoin, eventually the extra crap does become part of the permanent set of data, those so-called blocks, but there is time between when the transaction is sent and when that thing happens every ten minutes to merge stuff in, and in that time it's not just the sender of the money who can add extra data, it's like anyone can add extra data, because it's unsigned. So this is of some limited usefulness. If you're some random relay that's gossiping the stuff around, you know, Bitcoin does charge you money, bitcoins per kilobyte of your message; the random relay can't add all that much. So this limit doesn't count if you're the one adding the extra data, because you can just pay the fee. It's about, you know, 14 cents per kilobyte to put something on, you know, a 30 million, a huge multi-million dollar Bitcoin thing. Also does not count if you generate the block. So if you're the guy who does the work every 10 minutes, you can go ahead and make everyone in the world store two megabytes of data, no problem. So I ain't me in Chaves you're talking, yes, we can totally do the Bitcoin file system, and
what about anonymity? Let's look at blockexplorer.com. This is the big site that tells you what's going on in Bitcoin. Um, we say anonymity. Look, you have a bunch of sources of money and a bunch of destinations. All these sources are the same guy. Also you get obvious pseudonym linking: in Bitcoin, one of these two destinations is all the guys on the left. That's just sort of change, when you've paid too much you need some money back. Um, and you can build these great graphs. I was going to show you some of mine, but Reid and Harrigan actually did a much better job in that recent "Bitcoin is not anonymous" paper, so they got their pretty pictures.

Now the problem is that they got lucky, right? Like the way they got to IP addresses is some jackass shows up on a forum, is like, hi, I'm Bob Jones and my Bitcoin ID is this. Yes, that will in fact deanonymize you, idiot. Another user, another system, when it gives bitcoins it tells the IP of who it gave it to. So they're getting deanonymization, they're getting pseudonym linking, those IDs link to each other within Bitcoin, but if you want IP addresses, that's out of band. This audit trail is noisy and deniable. You know, the authors of this paper know it.

Is there another source of data? Well, there are two sources of transaction information in Bitcoin. There's the blocks that contain the historical record. There's also the loose transactions that are getting gossiped all over the place. So it's a relay race: Alice tells Bob and Charlie, Bob tells David and Eric, Charlie tells Frank and Gary. So what you do is you just connect to all the Bitcoin nodes in the world. You'd say, oh my god, that'd be like 50,000 connections. Yeah, computers are powerful now, it turns out. So when you connect to every node in the world, the first node to inform you of a transaction is the source. He don't relay it, because he done done it. Um, so I wrote some code, which I can't demo for time constraints, called Blitcoin. Does anyone here get that joke, by the way? It does accelerated probing of Bitcoin.

So how do you find out who to probe? We can just scan the entire Internet on 8333 TCP. You can join the IRC channels: Bitcoin runs like a botnet command and control, so you just have this thing called bit but, it connects to all the IRC channels, watches a live stream of everyone who's connecting. Or you can just ask every node, hey, what are the nodes you know about? And they'll tell you. They'll give you a map of the network within 30 seconds. Now the Bitcoin devs want to be very clear: they know Bitcoin is not anonymous, and they wanted me to spread this out, that, you know, this is just not a feature they're working on, so don't think it's intentional. Not intentional.

What about Tor? Well, Tor is interesting. Tor will go ahead and hide the IP address for all your outbound connections when the Bitcoin node talks to the rest of the world. But what if the rest of the world is scanning every IP address on the Internet looking for who's listening for Bitcoin? Tor doesn't do anything about that. So there's actually a bug filed now in Bitcoin to say, when running through Tor, how about we not listen for incoming connections. But unreachable nodes: well, most are just behind NAT and you can't connect to them, they can only connect out. We already have sort of a super node situation. There's only about 3,000, 8,000 Bitcoin nodes, maybe, you know, ten percent to twenty percent of the nodes in the world, that you can go ahead and just arbitrarily connect to. And that's awesome, because now I create another couple hundred incoming-only Bitcoin nodes and the other 50,000 depend on me. So they come to me and make a direct connection, and now again the first people who connect to me and tell me of a transaction, I know who they are. So probably only need about a few hundred.

Sorry. But unreachable: many users are behind wireless routers, you know, these little Wi-Fi devices from Linksys, like poor man's firewalls. Now there's a protocol that most of these devices accept called UPnP, and it allows nodes inside your network to say, hey, can you all let the outside world in? And there's a protocol that allows, you know, you to discover that you can ask for inbound connections. I'm going to sort of speed through this a little. Well, UPnP opens the firewall holes from the inside to the outside. Man, it'd really be bad if that service wasn't just available on the internal network, for like people on the Internet to just say, hey firewall, can you not be a firewall? God dammit.
Hundreds of thousands to millions of these things are out there. Now, of what I just showed you, they're not all fully open. The Microsoft code is great, it actually requires this random identifier that you have to be on the internal network to discover. But every other vendor is just like, well, you know, we have this code, and it's the most wide... some of the most widely deployed code in the world, and you can reach it from the Internet, from everywhere, but our budget for this device is like four dollars. Maybe we are number one on the security.

So I don't need to go into this, because there's another speaker who found this first, so I just got to refer to him: Daniel Garcia. He's speaking on track three today at five o'clock. He found that there were open UPnP nodes on the net last year, so now we're starting to collaborate to figure out what the exact number is. Another guy, a Dutch... Armijn Hemel, I think I pronounce his name right, he's doing some great work too, he's at upnp-hacks.org. Um, the one thing to realize: this was found in 2007 and still broken. So yeah, things... oh, by the way, the other nice thing about home routers, it's not like they patch. Yeah, it's like a worst-case scenario. So what
about outside the consumer space corporate environments these are less about Bitcoin and upnp and more about web services and apples ackles and access control list says oh you want to access this resource you better be coming from this IP address so of course we live through our teeth do what's called IP spoofing he just pretend to be some IP that the system trusts you might say but but but I thought networks block spoofing it's like yeah they block spoofing from like your cable modem I'm on the core of the Internet it does not give a car wrap would I be addressed like lame the one thing that does care about IP spoofing though I finally found something that the cloud does not do well if you are running in a virtual node and you want to spoof packets good luck you can't do it the hypervisor will stop you he depth I don't know like have a hypervisor exploit no one has those so is IP spoofing still effective to do interesting things well there's a DNS trick that I've been sitting on for a couple years you know in DNS you go to a server you say hey go look up this domain the server goes and runs around the internet looks the domain so you say oh hey go look up a domain I control and I'm you know this random IP you're not going to get the reply with the answer but that server has to go run around the internet to go satisfy the request and they will run around to you see you now see oh okay my spoof type request spawns another request that comes back to me through another channel now this only works for obscure applications like dns UDP um certainly nothing built on tcp right well limits of IP spoofing most modern protocols on over tcp is a reliable communication protocol at tcp has sequence numbers they're kind of like passwords that are exchanged at the beginning of a session to make sure that each side is really able to hear the other side and it's rather effective and it means when you don't get the reply because you spoofed your address you're not able to get to the 
point in TCP where data is really going to be exchanged. Now, sequence numbers didn't use to be random, which meant people could just guess them out of, you know, out of thin air. Okay, so let's go ahead and make them random. Well, you can't just go ahead and make them random. See, the problem is, sequence numbers did not start out as passwords; they started out as markers: where are we inside a session? Here's a bunch of bytes: are they on page one, are they on page 100, are they on page five hundred? Got to know where to put the words. Um, so the deal is, let's say a connection from 24 1 2 3 on 50,000 and for 221 on port 53: you've got to make sure, if there happen to be two connections and all that stuff is recycled, that random packets from the old session don't show up in the new one. It'd be like you're reading a book and, you know, suddenly a page from some other book shows up. It'd be rather confusing. Um, so the game is to have, you know, random sequence numbers unless the ID is the same; then we go sequential. And that's done with a
hashing function, where you hash all the data with the secret, you get some absolute number, and you add time. So if you have a slight difference in, you know, to think 45 to 54 six, the numbers become much different, but if it's absolutely identical, it becomes sequential with time. Now there's a problem: what if someone just floods us with connection requests? They don't have to remember all the passwords; they just need to, like, flood us with the requests. We need to remember their passwords, so we run out of resources. This is SYN floods, older than dirt. So a solution came from Dan Bernstein. It's called SYN cookies, and basically what is sent out to the requester is a challenge: if you can read this challenge, if you can respond, all right, I'll go ahead and store some memory. There's 24 bits of security there. So, okay, 24 bits, that's 2 to the 24, 16 million. Um, it takes about 8 million packets
to go ahead, if SYN cookies are enabled, and guess what the cookie would be. It might actually be a little less. So DJB knew this, right? It's like, "No matter what you do, the attacker will succeed in a connection forgery after millions of random ACK packets." Well, something has changed from 1999 to 2011: networks are really fast. Sending eight million packets: not that big a deal. When you have a spoofed acknowledgement, you can also throw a bunch of data in there; you can throw in, like, a web services payload. So if you have, like, an Apache server and it's behind an access control list that says "only connections from IPs I trust", every eight million packets it's going to get a fake packet from an IP it trusts, and it's going to be received and get to do whatever it wants. Not so good.

Now what about on Linux? What
do we do on Linux? Well, so Linux has SYN cookies on by default, but even if you disable it, what do the actual sequence numbers look like? Are they RFC 1948? Are they randomized unless you have the same source port, dest port, source IP, dest IP? Totally randomized. Well, okay, not totally. Three-fourths of it is randomized: the lower 24 bits are pretty strong. The upper eight bits? No, no, that's just, like, sequential. It just keeps incrementing by one every five minutes, and it gives that number to everyone. So you can go ahead and find out the offset using your real IP, and then you know every sequence number that everyone else is going to use, and after eight million tries you win. So this lets you go ahead
and, there are some old attacks on reset hacking, so you'd shut down a session without actually knowing the codes, or the sequence numbers. Before, it would take, you know, 128 packets to kill a session in the worst case; now it's a one-packet kill. The other problem is that you might have a live session between two hosts. I have to skip through this quickly, I'm so sorry. You might have a live session between two hosts and there's 64 bits of security between them. Two to the 64 is an ungodly number of packets. But there's windowing, which says kind of like a range where the password can be, so that cuts off 16 bits in each direction. Now we're down to two to the 32: 4 billion packets. Oh man, that's a lot. Now we cut off another five bits, because the windows might be really big due to something called window scaling. Oh, okay, now you're down from 32 bits to 22 bits, so now it's a million packets to go ahead and inject into a session. By "inject into a session", let me translate this: it's the world's most difficult cross-site scripting attack. Um, now, because the eight bits are known in each direction, we have a problem, because we take 22 minus eight minus eight: six bits. It takes 16 packets to have a fifty percent chance of the world's greatest cross-site scripting crap. Um, now that does get a little harder because there's port randomization, but, you know, the port randomization adds at most 13 bits, so it's still only 250,000 packets. That may not even happen with port randomization if you have a client that's forcibly setting its ports, which actually happens with DNS and BGP. So, status: this is some
very old code in Linux. It actually predates Linus Torvalds checking history into the Linux source tree, so, like, this bug's been there since, like, the late 90s. They're figuring out right now the right fix that won't cause even more problems; there's a ton of fixes you could do that would just make things even worse.

So, digression. Check my time here, make sure I'm not gonna go over. All right. RFC 1948 is an interesting construction: it is sequential and ordered if you have the secret, and it is random and unpredictable without it. It's actually kind of a public and private system. There's the private component: the sequence number is mixed with, like, a secret, and you can generate all possible secrets with that thing; it's like a private key. There's, like, a public component: I give you one of the generated values, and if you can see it on the network, you can communicate for that one session as that one IP using that one set of connection identifiers, which are ports. So wow, that's like public-private cryptography with nothing but a password. Clearly this is impossible; it's only possible here because we're at the intersection of network security and cryptography. You guys know what public-private cryptography is. Just as a quick example, a photo of my face can be a public key and my actual face is a private key. It's very easy for people to identify me from a photo; it's very hard for them to, you know, mash their face into, you know, being my face. So it's all about asymmetry. Now, I want to be clear here: what I'm about to tell you is a terrible idea. However, nowhere does it say on the DEFCON sign-up form that everything you say must be a good idea; in fact, that's not usually the case. Passwords are a bad idea: they're constantly being lost and forgotten, stolen, responsible for fifty percent of compromises. They increasingly look like leetspeak. Not helping. But let's ignore all that for a moment and assume we're stuck with them. How do we use the password to log into a system without that system learning our
password? Well, people say, "Oh, you know, you idiots, you should be hashing the data in your database." That's nice. The web app is still receiving the password in plaintext; the attacker just modifies the web app to send the plaintext to them, so it doesn't help. Next thing: "We challenge you to mix your password with this particular hash, and then we'll never have to send the plaintext password on the wire." This is, like, a thing called Digest, or NTLM. The problem is, if you're hashing the plaintext password with some random value, they've got to do that too: they've got to store the plaintext password or some password-equivalent version. Um, there are things where you would say, "We require knowledge of the password to complete this complicated asymmetric crypto magic-fu." SPEKE does this and SRP does this. It requires the client and server to run some really obscure code, and good luck getting that code deployed. What are we gonna do? Is it
possible (not advisable, but is it possible) to build a system where the client only remembers a password, but the server stores nothing but a straight-up public key and deploys no other magic code except the standard challenge to make sure the client has the matching private key, derived unilaterally from the password? In other words, can we construct a cryptographic key pair using nothing but a password? So here's a
question, and if you can answer it we're going to go get a drink after: what vulnerability impacted all asymmetric cryptosystems, be they RSA, DSA or ECC? Anyone? There you go, we'll grab some tequila. Check it out: the Debian bug
was basically a situation where every time the cryptographic key generator went to get random numbers, it got the same random numbers. So all asymmetric cryptosystems use entropy as follows: they grab random bits and they permute them until those bits are roughly a private key, and then make a public key from that. Predictable entropy means predictable key pairs, no matter what the algorithm is. So what if we said it wasn't a bug? What if we turned the Debian bug into a feature? Cryptography is all about constructions. We have hash functions that make fingerprints of data; we have stream ciphers that give us a stream of data; we have block ciphers that take data and a key and mix them all together. Um, you can actually turn any of those into any of the others. Well, we also know how to take a password and construct an everlasting stream of pseudo-random numbers from random number generators. This is predictable entropy. We can even make this stream of predictable entropy in such a way that it is both time-hard, meaning it takes a whole bunch of CPU to find out what the stream should be from the password, and memory-hard, which means it takes a whole bunch of memory that, I don't know, a GPU really can't do on a per-block basis. So, you know, screw you, Elcomsoft. So there's a great algorithm called scrypt that does this. So what if you make the output of a
password-seeded PRNG the input to an asymmetric key generator? You end up with 2048-bit RSA keys that have a trapdoor in the form of a human-memorable password. This is not theoretical; I actually went ahead and wrote this, and the way it's written is just awful, terrible idea. Um, so check it out. In normal key generation, if I run ssh-keygen two, three times, I'm going to get three different keys. But now we're going to run a little piece of code that I call Phidelius. Phidelius is saying, you know, LD_PRELOAD of the Phidelius .so, password of "hi grandma". My grandmother comes to my Black Hat talk over here. It's great, she brings cookies. Uh, and if you look, I run this twice with the "hi grandma" password and I get a DOD 52 and once again a Tod 52. How is this happening? See, here's what the deal is with Phidelius. Harry Potter, properly understood, is a story about the epic consequences of losing one's password. Fidelius is how passwords fail in the Harry Potter universe, and if you don't get the reference, go find Dumbledore. Um, what Phidelius does is it hooks /dev/random and it hooks /dev/urandom and it hooks OpenSSL's random functions. What do I mean by hooking? I mean that the applications try to go get random numbers, and my code steps in and goes, "Have I got some random numbers for you." So this just works with, like, unmodified code: ssh-keygen will suddenly
develop standardized keys. openssl for certificates will generate the same certificate every time; you can get a certificate authority to sign a password. free bird will even generate consistent en SF keys. So you get, you know, message signing, message encryption, client certificate authentication, with nothing but a password. It solves the "log in with a password without the system learning your password" problem thoroughly, though you haven't even stored anything anywhere. In fact, the server has no idea there's a trapdoor and can never find out. So it's, I wouldn't say non-consensual, it's more backwards compatible. With Bitcoin you literally could send money to, like, a word, or even a photograph, because you can actually say "my private key is a picture of a pony". You can do that; we have the technology. So there's
no pain server-side: all time- and memory-hard requirements are limited to the client. There are a couple of issues that are
totally real. The obvious one: passwords suck. The non-obvious ones: it is fragile. It is dependent on the peculiar way that ssh-keygen 5.3p1 turns random numbers into a final key. That's what you get for being an implicit scheme that, you know, tries to make function hooking useful. It's also hard to salt. What does that mean? That means everyone who uses the common password "password" is going to generate the same certificate every time. So that's kind of a problem. Now, you
can fix that, but not implicitly, not for free. You basically have to have a situation where there's a randomized salt, a thing that says five different instances of the password "password" are going to get five different certificates. The public side needs to contain the random information. So instead of just "I have this password, I generate this private key", it's "I have this password and a particular instance of a public key; I can now generate this private key". You can do that, but it takes some custom magic.
Back to TCP/IP. I want to get to the last thing in this talk, the thing that, uh... God, I missed packets. What can we do with networks? That's how I started coming to DEFCON; that's what I haven't played with in a while. Let me tell you something you can do if you're willing to play some games with packets. Who here knows about net neutrality? You know, once upon a time the only people messing with my traffic were, I don't know, you guys. Now it's my ISP? Really? I don't have to worry about when my ISP is obviously messing with me, you know, because, well, first of all, I can just tunnel around it using DNS. Um, but secondly, you know, I can know to tunnel around it, or I can complain to my congressman. What I'm worried about is when the biases are subtle, when I can't necessarily prove that they're there. What I'm here to tell you is that there has been a change in technology, and I'm going to describe it to you, and we are going to always be able to know if an ISP is manipulating your traffic. So if biased networks are affecting you, this is the proof that's going to be able to be shown in a court of law. And if you happen to be working for an ISP doing this stuff, I'm just saying, if you don't want it on the front page of a newspaper in two weeks, you might want to stop doing it now. I don't want to embarrass everyone; I would love it if I didn't find any violations of net neutrality, because then there'd be no violations. So
let's look at the topology, how we're going to do this, because I'm making some big claims here, and extraordinary claims require extraordinary evidence. A standard topology in the real world: you have some client, it goes through a home router, which has 83 million bugs, and goes to an ISP. The ISP has various links to the Internet, Level 3 and whatnot: link one, link two, link three. And then you have Google and Microsoft and Yahoo that are linked to those links. So the fear is, and it's a
reasonable fear, because they're all over Washington saying it's going to be great when we can do this: there's a magic box deployed within the ISP network, in front of all the links. The box matches packets to policies and applies different rules to different packets. It may be stateless: do I not like this packet? Or it can be stateful: this packet rolls with a bad / abacus, it's part of a flow; do I not like the flow? And the policies can be anything, and they can do anything: limit maximum bandwidth, increase minimum latency, alter content. They can do everything. But
sometimes you don't know if they're doing it or not. Let's say bing.com was 50 milliseconds slower than google.com. Is this because of the ISP, or is this because google.com has better hosting? You know, there's a lot of different servers, there's a lot of different routers, and the problem is you can't tell if Bing is slow because of the ISP or because of all the routers and servers. There are many reasons why Bing may be slower than Google, and that means there's plausible deniability. Look, I deal with that with normalization. Whether the tester is accessing bing.com or google.com, the network path should be identical, or at least the path should be uncorrelated with the particular identity being run over it. That way, any changes have to be the result not of the path but of policy at the collection point, which is the ISP. So, simple normalization, HTTP: let's say
y'all were looking at websites. There are absolutely policies out there today that say, if you see an HTTP connection and there's a Host header that says bing.com, go mess with it, slow it down by 50 milliseconds. So, I don't know, this is super easy to detect: just put up a server at some IP address somewhere that will be, I don't know, like a proxy or something. It'll respond for all web requests, no matter if it's for Bing or Google or whatnot. Now you have a consistent server with a consistent path back to the client. If packets from the proxy always thinking, you don't have to write any code, because it's just a proxy server, it's just Squid. If traffic from the same Squid server is faster when it seems to come from Google than when it seems to come from Bing, you have just discovered a biased network. Very simple. There's a problem: it's very protocol-dependent. It works wonderfully for HTTP, but you guys know the Internet is bigger than the web. The problem is all of these other protocols, BitTorrent, require a lot of work to implement or emulate, and I'm a lazy guy. The other problem: that proxy server's at some IP. You know what? That IP is not Bing's, not Google's, and the ISP can just look in DNS to find out which IPs are actually associated with Google and Bing. So you can have the greatest test server in the world; if the policy is only applied against genuine Bing or Google servers, you're blind. So we've got to do something about that: we've got to spoof the whole Internet.

Okay, so I've written some code. It's a neutrality router; it's called N00ter. N00ter's the network normalization engine. It's very easy to explain. Who here has ever run a VPN? All right, here's the deal: you've got a VPN. You're sitting in some Starbucks, but where you really want your networking to be from is, I don't know, the home office, or home, or somewhere on EC2, anywhere where, you know, wherever you're at can't see what you're doing, and, you know, there's always access stuff; you just want to, like, operate from the other network. So traffic is
put in a VPN. Traffic is punched from a client to a broker, an IP address at the broker or VPN concentrator. It goes ahead and talks to Bing, it goes ahead and talks to Google, and they respond back to the broker. Hey, now the broker's got all the packets. It's all the same source, so you have a normalized server, and then when it sends traffic back to the client it always comes from the broker, so you've got a normalized path. It happens to be, because it's encrypted, that the ISP doesn't see anything, and so no policies are applied. Well, that's a bug. We're going to fix that with N00ter. See, when N00ter on the server talks to the client, okay, we're just going to go ahead and send that in the clear. In fact, we're going to spoof the IP addresses of the real Google or the real Bing, so it looks like Google and Bing are talking to the client. Why do you do that? We
want the ISP to see the return traffic. We want the ISP to apply the policies that they only would normally do for Google and Bing, and we want them to mess with us too. Why? Because then we bust their policies. And it works. Someone in this room thinks, "Oh man, I can detect the crap out of that. I am gonna mess with Kaminsky's stuff. I already got, like, the blog post half written." Oh, oh, but the rabbit hole goes so deep. See, the policy engine in this scenario doesn't see traffic from the client to the server; that's encrypted, VPN style. What if the policy engine only worked if it saw all the traffic from the client to server and all the traffic from server to client, and otherwise it didn't do anything? Guess what, dude: you do that. See, here's what
we're going to do. In normal N00ter we're
going to spoof the traffic from the server to the client, but in Roto-N00ter it's doing it the other way around. In packet sample A, the client's going to talk to the real Google, no magic whatsoever; it's just going to go talk to it, you know, real routes, full bidirectional flow, trigger whatever policy is there. And then, apparently the policy engine doesn't like half flows? Well, guess what we're going to do: we're going to go give it a half flow. We're going to take the client-to-server traffic and we're going to route that thing, encrypted, right around the ISP's policy engine, and then the first thing to happen at the broker: the broker is going to send that traffic straight to Google as if it had the IP address of the client. Google's happy: it sees a request from a client and it responds to the client. It's only the ISP that's got a half flow and isn't triggering its policy. So you get differential behavior between full flow and half flow, and I've still got you busted. So guess what, it's a catch-22. The ISP
applies policies to half flows? N00ter sees it, because the normalized server gets a difference in performance. If it only applies policies to full flows, when I create a half flow to the real Google, suddenly it has different performance characteristics. Either way, N00ter wins. The endgame: biased policies might as well be transparent, because I'm going to find it.
Now, I think I might go over by two, but
no more than two. Suppose you really want the ISP to see bidirectional traffic; you don't want this, you know, weird catch-22 I just said. Well, you'd want to do this because it's definitely going to trigger all the policies. Also, if you've got an inconvenient NAT in the way, then that really needs to see client-to-server traffic to open up return connectivity; it might be inconvenient to get around a NAT. Now, the disadvantage of an ISP seeing client-to-server traffic, or a NAT router seeing client-to-server traffic: the server sees the client-to-server traffic too, and it might reply, interfere, complain, et cetera. So what are the tricks we can do now?

Well, we can play with the TCP checksum. The client can tunnel valid traffic to the broker and can also send packets with invalid checksums to the server. So it'll get past the NAT, it'll get past the ISP, and it'll arrive at the server. The server's like, "This thing is corrupt, I'm going to ignore it." It actually kind of works. The problem is the policy engine might actually do TCP checksum validation, and the NAT might go ahead and fix the sums; there's been a problem with that. But we've got another catch-22, because we get differential behavior when the policy engine sees packets with a bad checksum. So once again, it's like, "Oh, I see a full flow but it's got bad checksums, I'm going to change policy." Gotcha. So, you know, that's nice.

Strategy two of three is low TTL. When you send traffic on a network (this is from my 2002 talk) you can control how far it goes. So you can say, "I want this traffic to get past my NAT, and I want this traffic to get past my ISP, but not so much with getting to the real server; could you, like, stop along the way?" You can do that; we have the technique. So the advantage: it's legitimate traffic. A disadvantage: the policy can locate low TTL and alter behavior. That's great, actually, in the catch-22, because now not only do we identify the policy engine, but we know which hop it's at. Nice. But okay, let's talk about utter, utter packet trickery: the
silence place. You see, normally, according to the TCP specification, if you ever get a TCP packet that doesn't look right, you are supposed to either acknowledge it or send a reset to stop that guy from talking to you. So you're always supposed to reply. Well, the thing is, there's a lot of servers out there that have the right stack but they've got firewalls in front of them. The firewall is like, "I see something that looks even remotely bad, I'm going to hide in a little corner and not say anything." I have a use for this behavior. So what I'm going to do is I'm going to have the real client do a three-way handshake with the server, so it's going to go and have a real session, and the NAT's going to see it, the ISP is going to see it, and even Google's going to see it. And, you know, what Google's going to see next: the broker is going to send a reset, and it's going to shut that thing down hard at the server side. Client's still open; client's expecting the server to say something any minute now. Server doesn't want anything to do with the client now. So now the broker shows up and says, "Hey server, why don't you set up a connection with me?" So the broker sets up a connection with the server, gets it all nice and good, and then the broker just goes ahead and splices its connection into the connection that had been originally set up at the client. And now the client sends the server traffic, the server ignores it, the broker spoofs the server back to the client, the client accepts it. Packets go out, packets go in, you can't explain it. That's right.

So, a bit of a warning: if you are passively monitoring network traffic, these techniques kinda sorta allow any one side of the conversation to impersonate traffic from anybody. You can detect it if someone tells you to detect it. I'm telling you to detect it. Where N00ter is now: it emulates half flows, it's super fast, and it supports anything that runs over IP. You want to know whether a network prefers Xbox 360 traffic to PlayStation 3 traffic? This will tell you, in a court of law. So I've got to end this.
Here's the summary: networks are neat; Bitcoin isn't anonymous; UPnP sometimes exposes itself to the outside world; ACLs can be bypassed using interesting sequence number tricks; passwords can be used to seed asymmetric crypto, even though they shouldn't; and subtle net neutrality hacks are doomed. Transparency or bust. Thank you to n 2 km three crowd and docks applying labs for the crazy things they're letting me do on their network, and I'm looking for some help with release engineering, because we've got to get this code out and about. Thank you so much.
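
Added example (not part of the talk, and not code from the speaker or from any operating system): a sketch of the RFC 1948 construction described above, where the connection identifiers are hashed with a secret and a clock is added, next to a simplified model of the split layout the talk describes and an audit check that tells the two apart. HMAC-SHA256 stands in for the hash, and the secret, addresses and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

TICK_US = 4                           # RFC 1948: the clock M advances every 4 microseconds
SECRET = b"constructed-demo-secret"   # constructed; a real stack uses a random per-boot secret
SERVER = ("192.0.2.10", 80)           # documentation-range addresses, constructed
CLIENT_IP = "198.51.100.7"


def _keyed_hash(secret, src_ip, src_port, dst_ip, dst_port):
    """F(): keyed hash over the connection 4-tuple (HMAC-SHA256 is an assumption)."""
    ident = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
             + ipaddress.ip_address(dst_ip).packed + struct.pack("!H", dst_port))
    return hmac.new(secret, ident, hashlib.sha256).digest()


def rfc1948_isn(secret, src_ip, src_port, dst_ip, dst_port, now_us):
    """ISN = M + F(4-tuple, secret), reduced modulo 2**32."""
    digest = _keyed_hash(secret, src_ip, src_port, dst_ip, dst_port)
    offset = int.from_bytes(digest[:4], "big")
    return (offset + now_us // TICK_US) & 0xFFFFFFFF


def split_isn(secret, src_ip, src_port, dst_ip, dst_port, now_s):
    """Simplified model of the layout the talk describes: 24 hashed low bits
    under an 8-bit counter that steps every five minutes and is identical for
    every peer. Illustrative only, not taken from any kernel source."""
    digest = _keyed_hash(secret, src_ip, src_port, dst_ip, dst_port)
    low24 = int.from_bytes(digest[:3], "big")
    return (((now_s // 300) & 0xFF) << 24) | low24


def shared_high_byte(isns):
    """Audit check: do ISNs sampled from different 4-tuples all carry the same
    top 8 bits? True means part of the ISN is global, not per-connection."""
    if len(isns) < 2:
        raise ValueError("need ISNs from at least two different connections")
    return len({isn >> 24 for isn in isns}) == 1


def sample(generator, now, ports=range(50000, 50016)):
    """Collect one ISN per client port, all taken at the same instant."""
    return [generator(SECRET, CLIENT_IP, port, *SERVER, now) for port in ports]


if __name__ == "__main__":
    a = rfc1948_isn(SECRET, CLIENT_IP, 50000, *SERVER, 1_000_000)
    b = rfc1948_isn(SECRET, CLIENT_IP, 50000, *SERVER, 1_004_000)
    print("same 4-tuple, 4 ms later: ISN advanced by", (b - a) & 0xFFFFFFFF)
    print("RFC 1948 top byte shared across ports:",
          shared_high_byte(sample(rfc1948_isn, 1_000_000)))
    print("split layout top byte shared across ports:",
          shared_high_byte(sample(split_isn, 1_000)))
```

Run against ISNs captured from your own host's SYN-ACKs to different client ports, a `True` from `shared_high_byte` indicates that some of the 32 bits are not contributing per-connection unpredictability.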