
Advanced SPA with fwknop

In the latest issue (September/October 2008) of Hakin9 Magazine, I had an article published entitled Advanced SPA with fwknop. It was the goal of this article to introduce the port forwarding capabilities of fwknop that make it possible to reach internal services with automatically generated NAT rules, and also to show how fwknop SPA packets (prior to the 1.9.6 release) could be detected with some well-crafted Snort rules that look for certain encryption and encoding artifacts. Also, with the addition of source IP addresses to SPA digest tracking, it is possible to get a sense of routing paths that might at one time have had sniffers watching for SPA packets if a replay attack against the same fwknopd instance is detected at some later time.
The Snort rules mentioned in the article - updated to take into account the more recent 1.9.6 release - are displayed below. The first Snort rule looks for UDP packets to port 62201 that end with two '=' characters - a potential marker of base64-encoded data (when the original data size was not a multiple of four). The second rule looks for the base64-encoded version of the string Salted__, which is added by the Crypt::CBC module to maintain compatibility with how the OpenSSL library encrypts data. The third rule looks for packets that begin with the base64-encoded version of the bytes 0x8502, which is a marker for data encrypted with GnuPG, and also checks whether the payload is at least 1000 bytes (SPA packets encrypted with GnuPG tend to be larger than those encrypted with Rijndael). Here are the Snort rules:

------

alert udp any any -> any 62201 (msg:"fwknop pre-1.9.6 SPA traffic"; dsize:>150; pcre:"/==$/"; sid:20080001; rev:1;)

alert udp any any -> any 62201 (msg:"fwknop pre-1.9.2 SPA traffic"; content:"U2FsdGVkX1"; depth:10; dsize:>150; sid:20080002; rev:1;)

alert udp any any -> any 62201 (msg:"fwknop GnuPG encrypted pre-1.9.6 SPA traffic"; content:"hQ"; depth:2; dsize:>1000; sid:20080003; rev:1;)

------

Any recent release of fwknop (greater than 1.9.5) strips out these identifying markers before transmitting SPA packets on the wire, so these rules are no longer effective at detecting fwknop SPA communications. Also, strong port randomization features were added in fwknop-1.9.4, both for the SPA packet destination port and for the port where the actual connection (say, SSH) is made, so matching on UDP port 62201 is not effective either when these features are used.
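To make the detection logic above concrete, here is an added example (not from the article or from fwknop itself) that re-expresses the three Snort rules as predicates over a UDP payload, derives the two content markers from the plaintext prefixes they come from, and runs everything over constructed payloads: one in the pre-1.9.2 Rijndael format, one in the pre-1.9.6 GnuPG format, and one with the markers stripped as 1.9.6 does. All payloads are made up for the example and are not real ciphertext.

```python
import base64

# Added example: the three Snort rules from the post as payload predicates,
# run offline over constructed SPA-like payloads (not real fwknop traffic).

def b64_marker(raw: bytes) -> bytes:
    """Base64 characters fully determined by a plaintext prefix.

    Each input byte contributes 8 bits and each output char consumes 6,
    so len(raw)*8 // 6 chars are fixed regardless of what follows:
    b"Salted__" -> b"U2FsdGVkX1", b"\x85\x02" (GnuPG marker) -> b"hQ".
    """
    return base64.b64encode(raw)[: len(raw) * 8 // 6]

def sid_20080001(payload: bytes) -> bool:
    # dsize:>150; pcre:"/==$/"  (base64 padding left on the wire)
    return len(payload) > 150 and payload.endswith(b"==")

def sid_20080002(payload: bytes) -> bool:
    # content:"U2FsdGVkX1"; depth:10; dsize:>150  (Crypt::CBC "Salted__" header)
    return len(payload) > 150 and payload[:10] == b64_marker(b"Salted__")

def sid_20080003(payload: bytes) -> bool:
    # content:"hQ"; depth:2; dsize:>1000  (GnuPG 0x8502 header, large packet)
    return len(payload) > 1000 and payload[:2] == b64_marker(b"\x85\x02")

RULES = {20080001: sid_20080001, 20080002: sid_20080002, 20080003: sid_20080003}

def matching_sids(payload: bytes) -> list:
    """SIDs that would fire on one UDP/62201 payload (port match assumed done)."""
    return sorted(sid for sid, rule in RULES.items() if rule(payload))

# Constructed payloads: the pre-1.9.2 Rijndael form keeps the Crypt::CBC
# header and base64 padding, the pre-1.9.6 GnuPG form keeps the 0x8502
# header, and the stripped form drops both (what fwknop >= 1.9.6 sends).
_BODY = bytes(range(161))
PRE_192_RIJNDAEL = base64.b64encode(b"Salted__" + _BODY)    # 228 bytes, ends "=="
PRE_196_GNUPG = base64.b64encode(b"\x85\x02" + bytes(800))    # 1072 bytes, ends "=="
STRIPPED_196 = base64.b64encode(_BODY).rstrip(b"=")          # no markers left
SHORT = base64.b64encode(b"Salted__" + bytes(40))             # under dsize threshold

if __name__ == "__main__":
    for name, pkt in [("pre-1.9.2 Rijndael", PRE_192_RIJNDAEL),
                      ("pre-1.9.6 GnuPG", PRE_196_GNUPG),
                      ("1.9.6 stripped", STRIPPED_196), ("short", SHORT)]:
        print(f"{name:20s} len={len(pkt):5d} sids={matching_sids(pkt)}")
```

The stripped payload matches nothing, which is the point of the paragraph above: once the Salted__ header and the '=' padding are gone, only the port and size remain, and port randomization takes away the port as well.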

By: Michael Rash on cipherdyne