SlideShare uma empresa Scribd logo

Playing in a Satellite environment

Christian Martorella
Christian Martorella

How TCP/IP attacks can be applied in satellite communications. Interesting example on how to achieve anonymous Internet connection using DVB and some tricks. Presented in

1 de 104
Baixar para ler offline
      Leonardo  Nve  Egea   Christian  Martorella   lnve@s21sec.com   cmartorella@s21sec.com    º  
1.  Because  I’m  sure  that  some  people  will   publish  more  attacks.     2.  Because  there  are  previous  presentations   about  satellites.      
¡  Warezzman  –  (in  2004  at  Undercon  VIII  first   Spanish  hacker  CON)   ¡  Jim  Geovedi  &  Raditya  Iryandi   (HITBSecConf2006)     ¡  Adam  Laurie  (Blackhat  2009  at  DC)   ¡  Leonardo  Nve  (S21sec  Blog  February  2009)  
¡  A    satellite    is    a    radio  frequency    repeater         that    is      launched    by    a    rocket    and    placed    in     orbit    around      the    earth.  
¡  Orbit  based  satellites     §  Low  Earth  orbiting  (LEO)   §  Geostationary  orbit  (GEO)   §  Other:  Molniya,  High  (HEO),  etc.     ¡  Function  based  satellites   §  Communications   §  Earth  observation   §  Other:  Scientifics,  ISS,  etc.  
¡  Satellite  GEO   §  UFO  (UHF  Follow  ON)  Military   §  Inmarsat   §  Meteorological  (Meteosat)   §  SCPC  /  Telephony  link  FDMA    
¡  Standard  of  European  Telecommunications   Standards  Institute  (ETSI).   ¡  Defines  audio    and  video  transmission,  and   data  connections.   ¡  DVB-­‐S  &  DVB-­‐S2  is  the  specification  for   satellite  communications.  
¡  Transponder:    Like  channels  (in  Satellite   comms)     §  Frecuency  (C  band  or  Ku).  Ex:  12.092Ghz   §  Polarization.  (horizontal/vertical)   §  Symbol  Rate.  Ex:  27500Kbps   §  FEC.     ¡  Every  satellite  has  many  transponders   onboard  which  are  operating  on  different   frequencies  
   Header   Body    0x47   Flags   PID   Flags   Adaptation  Field   Data     Program  ID  (PID):  It  permits  different  programs  at  same   transponder  with  different  components  [Example  BBC1   PIDs:  600  (video),  601  (English  audio),  603  (subtitles),  4167   (teletext)]    
¡  Temporal  video  links.   ¡  Live  emissions,  sports,  news.     ¡  FTA  –  In  open  video.  
Captured NATO feeds
NATO COMINT official
¡  Is  widely  known  that  the  Department  of   Defense  (DoD)  and  some  US  defense     contractors  use  satellites  and    DVB  for  their   comms.   ¡  Let`s  see:     http://telecom.esa.int/telecom/media/document/DVB-­‐RCS %20Networks%20for%20the%20US%20Defense%20Market %20(R3).pdf  
U.S COMINT official
¡  How  to  find  feeds:   §  Lists  of  channels  in  www     §  Blind  Scan   §  Visual  representations  of  the  signal    
¡  Dr  HANS   §  http://drhans.jinak.cz/news/index.php     ¡  Zackyfiles   §  http://www.zackyfiles.com  (in  spanish)   ¡  Satplaza   §  http://www.satplaza.com  
¡  Two  scenarios   §  Satmodem   §  Satellite  Interactive  Terminal  (SIT)  or  Astromodem    (DVB/RCS)    
INTERNET   CLIENT   ISP  
DOWNLINK   INTERNET   CLIENT   ISP  
DOWNLINK   POTS/GPRS   UPLINK   INTERNET   CLIENT   UPLINK   ISP  
DOWNLINK   POTS/GPRS   UPLINK   INTERNET   CLIENT   UPLINK   ISP  
DOWNLINK   ISP’s  UPLINK   POTS/GPRS   UPLINK   INTERNET   CLIENT   UPLINK   ISP  
DVB Data - Astromodem DOWNLINK  &  UPLINK   ISP  DOWNLINK  &  UPLINK   INTERNET   CLIENT   ISP  
  Anyone  with  coverage  can  SNIFF   the  DVB  Data,  and  normally  it  is   unencrypted.    
¡  What  do  you  need:   §  Skystar  2  DVB  Card   §  linuxtv-­‐dvb-­‐apps     §  Wireshark   §  The  antenna  (Dish  +  LNB)   §  Data  to  point  it.  
  I  bought  it  for  50€!!!  from  an   PayTV  ex-­‐”hacker”  :P     (Including  a  set-­‐top  box  that  I  will   not  use)  
Linux  has  the  modules  for  this  card  by   default,  we  only  need  the  tools  to  manage  it:     linuxtv-­‐dvb-­‐apps     My  version  is  1.1.1  and  I  use  Fedora  (Not  too   cool  to  use  Debian  :P).  
Once  the  antenna  and  the  card  are  installed   and  linuxtv-­‐dvb-­‐apps  compiled    and  installed,   the  process  is:   1-­‐  Tune  the  DVB  Card   2-­‐  Find  a  PID  with  data   3-­‐  Create  an  Ethernet  interface  associated  to  that   PID   We  can  repeat  2  to  3  any  times  we  want.  
1-­‐  Tune  the  DVB  Card     2-­‐  Find  a  PID  with  data     3-­‐  Create  an  Ethernet  interface  associated  to  that   PID    
Tune  DVB  Card   The  tool  we  must  use  is  szap  and  we  need  the   transponder’s  parameters  in  a  configuration   file.     For  example,  for  “Sirius-­‐4  Nordic  Beam":   #  echo  “sirius4N:12322:v:0:27500:0:0:0"  >>  channels.conf          
We  run  szap  with  the  channel  configuration   file  and  the  transponder  we  want  use  (the   configuration  file  can  have  more  than  one).     #  szap  –c  channels.conf  sirius4N     We  must  keep  it  running.    
The  transponder  parameters  can  be  found   around  Internet.   http://www.fastsatfinder.com/transponders.html    
1-­‐  Tune  the  DVB  Card     2-­‐  Find  a  PID  with  data     3-­‐  Create  an  Ethernet  interface  associated  to  that   PID    
¡   Find  a  PID     #dvbsnoop  -­‐s  pidscan     Search  for  data  section  on  results.  
1-­‐  Tune  the  DVB  Card     2-­‐  Find  a  PID  with  data     3-­‐  Create  an  Ethernet  interface  associated  to   that  PID    
¡   Create  an  interface  associated  to  a  PID     #dvbnet  -­‐a  <adapter  number>  -­‐p  <PID>   ¡   Activate  it   #ifconfig  dvb0_<iface  number>  up      
  Back  to  de  pidscan  results  
Create  another  interface  
Wireshark  is  our  friend               16358  packets  in  10  seconds  
¡   We  can  have  more  than  one  PID  assigned  to  an   interface,  this  will  be  very  useful.   ¡   Malicious  users  can:   §   Catch  passwords.   §   Catch  cookies  and  get  into  authenticated  HTTP   sessions.   §   Read  emails   §   Catch  sensitive  files   §   Do  traffic  analysis   §   Etc  ….    
Reminder:      In  satellite  communications  we  have  two   scenarios:     A-­‐  Satmodem,  Only  Downlink  via  Satellite     B-­‐  Astromodem,  Both  uplink  and  downlink  via   Satellite.  
  We  can  only  sniff  the  downloaded  data.  We   can  only  sniff  one  direction  in  a  connection.    
¡   DNS  Spoofing   ¡   TCP  hijacking   ¡ Attacking  GRE  
    DNS  Spoofing  is  the  art  of  making  a  DNS   entry  to  point  to  an  another  IP  than  it  would   be  supposed  to  point  to.  (SecureSphere)  
¡   What  we  need  to  perform  this  attack?   §   DNS  Request  ID   §   Source  Port   § Source  IP   § Destination  IP   § Name/IP  asking  for    
¡   It´s  trivial  to  see  that  if  we  sniff  a  DNS   request  we  have  all  that  information  and  we   can  spoof  the  answer.     ¡   Many  tools  around  do  this  job,    the  only   thing  we  also  need  is  to  be  faster  than  the   real  DNS  server  ( jizz).  
¡   Why  is  this  attack  important?   § Think  in  phising       §   With  this  attack,  uplink  sniff  can  be  possible   ▪   Rogue  WPAD  service   ▪   Sslstrip  can  be  use  to  avoid  SSL  connections.  
¡   DNS  Spoofing   ¡   TCP  hijacking   ¡ Attacking  GRE  
       TCP  session  hijacking  is  when  a  hacker  takes   over  a  TCP  session  between  two  machines.   (ISS)  
Seq=S1      ACK=A1      Datalen=L1   Seq=A1      ACK=S1+L1      Datalen=L2   Seq=S1+L1      ACK=A1+L2      Datalen=L3     If  we  sniff  1  we  can  predict  Seq  and  Ack  of  2  and   we  can  send  the  payload  we  want  in  2      
¡   Initially  we  can  only  have  a  false  connection  with  A.   ¡   In  certain  circumstances,  we  can  make  this  attack   with  B,  when  L2  is  predictable.   ¡ Some  tools  for  doing  this:   § Hunt   § Shijack   § Scapy        
¡   DNS  Spoofing   ¡   TCP  hijacking   ¡ Attacking  GRE  
¡   Generic  Routing  Encapsulation     ¡   Point  to  point  tunneling  protocol   ¡ 13%  of  Satellite’s  data  traffic  in  our   transponder  is  GRE  
  This  chapter  is  based  on  Phenoelit’s   discussion  paper  written  by  FX  applied  to   satellite  scenario.     Original  paper:     http://www.phenoelit-­‐us.org/irpas/gre.html  
HQ   INTERNET   Remote  Office   Remote  Office   Remote  Office  
Find  a  target:     #tshark  –ni  dvb0_0  –R  gre  –w  capture.cap    
GRE  Packet   IP  d   1   est   IP  source  1     GRE  header   Payload  IP  dest   Payload  IP  source   Payload  IP  Header     Payload  Data        
¡   IP  dest  1  and  source  1  must  be  Internet   reachable    IPs   ¡ The  payload´s  IPs  used  to  be  internal.  
1.1.1.2   1.1.1.1   INTERNET   10.0.0.54   10.0.0.5  
1.1.1.2   1.1.1.1   INTERNET   (*)   10.0.0.54   10.0.0.5  
(*)  GRE  Packet     1.1.1.1   1.1.1.2     GRE  header  (32  bits  without  flags)   10.0.0.5   10.0.0.54   Payload  IP  Header     Payload  Data        
(1)   1.1.1.2   1.1.1.1   10.0.0.54   10.0.0.5  
(1)  GRE  Packet     1.1.1.1   1.1.1.2     GRE  header  (32  bits  without  flags)   10.0.0.5   10.0.0.54   Payload  IP  Header     Payload  Data        
(1)   1.1.1.2   1.1.1.1   (2)   10.0.0.54   10.0.0.5  
(2)  IP  Packet    10.0.0.5   10.0.0.54     IP  header       Data  
(1)   1.1.1.2   1.1.1.1   (2,3)   10.0.0.54   10.0.0.5  
(3)  IP  Packet    10.0.0.54   10.0.0.5     IP  header  2       Data  2  
(4)   (1)   1.1.1.2   1.1.1.1   (2,3)   10.0.0.54   10.0.0.5  
(4)  GRE  Packet     1.1.1.2   1.1.1.1     GRE  header  (32  bits  without  flags)   10.0.0.54   10.0.0.5   Payload  IP  Header  2     Payload  Data  2        
At  Phenoelit´s  attack  payload’s  IP  source  is  our  public  IP.  This   attack  lacks    when  that  IP  isn´t  reachable  from  the  internal   LAN  and  you  can  be  logged.       I  use  internal  IP  because  we  can  sniff  the  responses.         To  improve  the  attack,  find  a  internal  IP  not  used.    
How   To   Scan   NSA   And   Cannot   Be   Traced    
We  can  send  a  SYN  packet  with  any   destination  IP  and  TCP  port  (spoofing  a   satellite’s  routable  source  IP)  ,  and  we  can   sniff  the  responses.     We  can  analyze  the  responses.  
OR…  We  can  configure  our  linux  like  a   satellite  connected  host.       VERY  EASY!!!  
¡  What  we  need:   §  An  internet  connection  (Let’s  use  it  as  uplink)  with   any  technology  which  let  you  spoofing.   §  A  receiver,  a  card….  
¡  Let’s  rock!   §  Find  a  satellite  IP  not  used,  I  ping  IPs  next  to   another  sniffable  satellite  IP  to  find  a  non   responding  IP.    We  must  sniff  our  ping  with  the   DVB  Card  (you  must  save  the  packets).     §  This  will  be  our  IP!    
¡  Configure  Linux  to  use  it.     We  need  our  router  ‘s  MAC  
Configure  our  dvb  interface  to  receive  this  IP   (I  suppose  that  you  have  configure  the  PID…)    The  IP  is  the  one  we  have  selected  and  in  the   ICMP  scan,  we  must  get  the  destination  MAC   sniffed.  
Here  we  get    the  MAC   address    we  must  configure   in  our  DVB  interface  
I  use  netmask  /32  to  avoid  routing  problems  
Now  we  can  configure  our  Internet  interface   with  the  same  IP  and  configure  a  default   route  with  a  false  router  setting  this  one  with   a  static  MAC  (our  real  router’s  MAC).      
IT  WORKS!                
This  is  all  !!!         Some  things  you  must  remember:     The  DNS  server  must  allow  request  from  any   IP  or  you  must  use  the  satellite  ISP  DNS   server.    
If  you  have  any  firewall  (iptables)  disable  it.     All  the  things  you  make  can  be  sniffed  by   others  users.  
Now  attacking  GRE  is  very  easy,  you  only   need  to  configure  your  Linux  with  IP  of  one  of   the  routers  (the  one  with  the  satellite   connection)  and  configure  the  tunneling.     http://www.google.es/search? rlz=1C1GPEA_en___ES312&sourceid=chrome&ie=UTF-­‐8&q=configuring +GRE+linux    
¡  I’m  studying  the  different  methods  to  trace   illegal  users.  (I  only  have  a  few  ideas).   ¡  Now  I’m  studying  the  possibilities  of  sending   data  to  a  satellite  via  Astromodem  (DVB-­‐ RCS).  This  investigation  looks  fine.  
¡  Satellite  communications  are  insecure.   ¡  It  can  be  sniffed.   ¡  A  lot  of  attacks  can  be  made,  I  just  talked   about  only  few  level  4  and  level  3  attacks.  
¡  With  this  technology  in  our  sky,  an   anonymous  connection  is  possible.   ¡  Many  kinds  of  Denial  of  Service  are  possible.  
Leonardo Nve Egea Christian Martorella lnve@s21sec.com cmartorella@s21sec.com

Recomendados

Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_systemMaceni Muse
 
DPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングDPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングTomoya Hibi
 
¿Por qué algunas Playas son Turbias?
¿Por qué algunas Playas son Turbias?¿Por qué algunas Playas son Turbias?
¿Por qué algunas Playas son Turbias?Luis E. Cedeño
 
gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019
gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019
gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019Kenneth Ceyer
 
1803 accountability.command team.fast attack.terminology.360
1803 accountability.command team.fast attack.terminology.3601803 accountability.command team.fast attack.terminology.360
1803 accountability.command team.fast attack.terminology.360res1cuenyc
 
PE File Format
PE File FormatPE File Format
PE File Formatn|u - The Open Security Community
 
Recherche documentaire en santé
Recherche documentaire en santéRecherche documentaire en santé
Recherche documentaire en santéUniversité de Bretagne Occidentale
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchTe-Yen Liu
 

Recomendados

Live data collection_from_windows_system
Live data collection_from_windows_systemLive data collection_from_windows_system
Live data collection_from_windows_systemMaceni Muse
 
DPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングDPDKによる高速コンテナネットワーキング
DPDKによる高速コンテナネットワーキングTomoya Hibi
 
¿Por qué algunas Playas son Turbias?
¿Por qué algunas Playas son Turbias?¿Por qué algunas Playas son Turbias?
¿Por qué algunas Playas son Turbias?Luis E. Cedeño
 
gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019
gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019
gRPC와 goroutine 톺아보기 - GDG Golang Korea 2019Kenneth Ceyer
 
1803 accountability.command team.fast attack.terminology.360
1803 accountability.command team.fast attack.terminology.3601803 accountability.command team.fast attack.terminology.360
1803 accountability.command team.fast attack.terminology.360res1cuenyc
 
PE File Format
PE File FormatPE File Format
PE File Formatn|u - The Open Security Community
 
Recherche documentaire en santé
Recherche documentaire en santéRecherche documentaire en santé
Recherche documentaire en santéUniversité de Bretagne Occidentale
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchTe-Yen Liu
 
RENAT - ネットワーク検証自動化
RENAT - ネットワーク検証自動化RENAT - ネットワーク検証自動化
RENAT - ネットワーク検証自動化HuuBachNguyen
 
Computer Forensics.pptx
Computer Forensics.pptxComputer Forensics.pptx
Computer Forensics.pptxHappyness Mkumbo
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料Tetsuya Hasegawa
 
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニックHinemos
 
Nmapの真実(続)
Nmapの真実(続)Nmapの真実(続)
Nmapの真実(続)abend_cve_9999_0001
 
送信ドメイン認証 導入指南 2018
送信ドメイン認証 導入指南 2018送信ドメイン認証 導入指南 2018
送信ドメイン認証 導入指南 2018Takahiko Suzuki
 
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)Tatsuya (達也) Katsuhara (勝原)
 
Konfigurasi https pada debian 7
Konfigurasi https pada debian 7Konfigurasi https pada debian 7
Konfigurasi https pada debian 7CyberSpace
 
ConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみたConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみたAkira Iwamoto
 
Hinemosのすゝめ(監視編)
Hinemosのすゝめ(監視編)Hinemosのすゝめ(監視編)
Hinemosのすゝめ(監視編)Hinemos
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensicsn|u - The Open Security Community
 
DNS再入門
DNS再入門DNS再入門
DNS再入門Takashi Takizawa
 
LXC入門 - Osc2011 nagoya
LXC入門 - Osc2011 nagoyaLXC入門 - Osc2011 nagoya
LXC入門 - Osc2011 nagoyaMasahide Yamamoto
 
3GPP LTE Detailed explanation 4 (X2 Handover)
3GPP LTE Detailed explanation 4 (X2 Handover)3GPP LTE Detailed explanation 4 (X2 Handover)
3GPP LTE Detailed explanation 4 (X2 Handover)Ryuichi Yasunaga
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesMichael Klishin
 
Network forensics1
Network forensics1Network forensics1
Network forensics1Santosh Khadsare
 
192.0.0.4 on android
192.0.0.4 on android192.0.0.4 on android
192.0.0.4 on android@ otsuka752
 
General Ubuntu Advantage Service Guide
General Ubuntu Advantage Service Guide General Ubuntu Advantage Service Guide
General Ubuntu Advantage Service Guide The World Bank
 
ネットワークの基礎①
ネットワークの基礎①ネットワークの基礎①
ネットワークの基礎①tatsuya yamaguchi
 
Asegúr@IT 7: Playing with Satellites 1.2
Asegúr@IT 7: Playing with Satellites 1.2Asegúr@IT 7: Playing with Satellites 1.2
Asegúr@IT 7: Playing with Satellites 1.2Chema Alonso
 
LTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GPLTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GPDr. Galina Diker Pildush
 

Mais conteúdo relacionado

Mais procurados

RENAT - ネットワーク検証自動化
RENAT - ネットワーク検証自動化RENAT - ネットワーク検証自動化
RENAT - ネットワーク検証自動化HuuBachNguyen
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011CTIN
 
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料Tetsuya Hasegawa
 
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニックHinemos
 
送信ドメイン認証 導入指南 2018
送信ドメイン認証 導入指南 2018送信ドメイン認証 導入指南 2018
送信ドメイン認証 導入指南 2018Takahiko Suzuki
 
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)Tatsuya (達也) Katsuhara (勝原)
 
Konfigurasi https pada debian 7
Konfigurasi https pada debian 7Konfigurasi https pada debian 7
Konfigurasi https pada debian 7CyberSpace
 
ConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみたConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみたAkira Iwamoto
 
Hinemosのすゝめ(監視編)
Hinemosのすゝめ(監視編)Hinemosのすゝめ(監視編)
Hinemosのすゝめ(監視編)Hinemos
 
3GPP LTE Detailed explanation 4 (X2 Handover)
3GPP LTE Detailed explanation 4 (X2 Handover)3GPP LTE Detailed explanation 4 (X2 Handover)
3GPP LTE Detailed explanation 4 (X2 Handover)Ryuichi Yasunaga
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesMichael Klishin
 
192.0.0.4 on android
192.0.0.4 on android192.0.0.4 on android
192.0.0.4 on android@ otsuka752
 
General Ubuntu Advantage Service Guide
General Ubuntu Advantage Service Guide General Ubuntu Advantage Service Guide
General Ubuntu Advantage Service Guide The World Bank
 
ネットワークの基礎①
ネットワークの基礎①ネットワークの基礎①
ネットワークの基礎①tatsuya yamaguchi
 

Mais procurados (20)

RENAT - ネットワーク検証自動化
RENAT - ネットワーク検証自動化RENAT - ネットワーク検証自動化
RENAT - ネットワーク検証自動化
 
Computer Forensics.pptx
Computer Forensics.pptxComputer Forensics.pptx
Computer Forensics.pptx
 
Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011Encase V7 Presented by Guidance Software august 2011
Encase V7 Presented by Guidance Software august 2011
 
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
RFC8071(NETCONF Call Home and RESTCONF Call Home)の勉強資料
 
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック
【HinemosWorld2016】A2-5_Hinemosによる運用管理テクニック
 
Nmapの真実(続)
Nmapの真実(続)Nmapの真実(続)
Nmapの真実(続)
 
送信ドメイン認証 導入指南 2018
送信ドメイン認証 導入指南 2018送信ドメイン認証 導入指南 2018
送信ドメイン認証 導入指南 2018
 
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)
とあるセキュリティ会社のIoTセキュリティチームの日常(ErrataはDescription参照)
 
Konfigurasi https pada debian 7
Konfigurasi https pada debian 7Konfigurasi https pada debian 7
Konfigurasi https pada debian 7
 
ConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみたConfD で Linux にNetconfを喋らせてみた
ConfD で Linux にNetconfを喋らせてみた
 
Hinemosのすゝめ(監視編)
Hinemosのすゝめ(監視編)Hinemosのすゝめ(監視編)
Hinemosのすゝめ(監視編)
 
Memory Forensics
Memory ForensicsMemory Forensics
Memory Forensics
 
DNS再入門
DNS再入門DNS再入門
DNS再入門
 
LXC入門 - Osc2011 nagoya
LXC入門 - Osc2011 nagoyaLXC入門 - Osc2011 nagoya
LXC入門 - Osc2011 nagoya
 
3GPP LTE Detailed explanation 4 (X2 Handover)
3GPP LTE Detailed explanation 4 (X2 Handover)3GPP LTE Detailed explanation 4 (X2 Handover)
3GPP LTE Detailed explanation 4 (X2 Handover)
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issues
 
Network forensics1
Network forensics1Network forensics1
Network forensics1
 
192.0.0.4 on android
192.0.0.4 on android192.0.0.4 on android
192.0.0.4 on android
 
General Ubuntu Advantage Service Guide
General Ubuntu Advantage Service Guide General Ubuntu Advantage Service Guide
General Ubuntu Advantage Service Guide
 
ネットワークの基礎①
ネットワークの基礎①ネットワークの基礎①
ネットワークの基礎①
 

Semelhante a Playing in a Satellite environment

Asegúr@IT 7: Playing with Satellites 1.2
Asegúr@IT 7: Playing with Satellites 1.2Asegúr@IT 7: Playing with Satellites 1.2
Asegúr@IT 7: Playing with Satellites 1.2Chema Alonso
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginEC-Council
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveMiya Kohno
 
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronBirds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronHITCON GIRLS
 
TBD - To Block Connection from Suspicious IP addresses by using "DICE"
TBD - To Block Connection from Suspicious IP addresses by using "DICE"TBD - To Block Connection from Suspicious IP addresses by using "DICE"
TBD - To Block Connection from Suspicious IP addresses by using "DICE"Kunio Miyamoto, Ph.D.
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKMarian Marinov
 
ACI_Forwarding_Basic_rev2.pptx
ACI_Forwarding_Basic_rev2.pptxACI_Forwarding_Basic_rev2.pptx
ACI_Forwarding_Basic_rev2.pptxShravanKorthiwada1
 
Security In Dect
Security In DectSecurity In Dect
Security In DectMarc Seeger
 

Semelhante a Playing in a Satellite environment (20)

Asegúr@IT 7: Playing with Satellites 1.2
Asegúr@IT 7: Playing with Satellites 1.2Asegúr@IT 7: Playing with Satellites 1.2
Asegúr@IT 7: Playing with Satellites 1.2
 
LTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GPLTEcloudSecurityIssuesTakeaways-GP
LTEcloudSecurityIssuesTakeaways-GP
 
Introduction to PROFINET - Derek Lane of Wago
Introduction to PROFINET - Derek Lane of WagoIntroduction to PROFINET - Derek Lane of Wago
Introduction to PROFINET - Derek Lane of Wago
 
TCP/IP For Engineers
TCP/IP For EngineersTCP/IP For Engineers
TCP/IP For Engineers
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
 
FBLajSIPScenarior.ppt
FBLajSIPScenarior.pptFBLajSIPScenarior.ppt
FBLajSIPScenarior.ppt
 
Day 17.1 nat pat (2)
Day 17.1 nat pat (2)Day 17.1 nat pat (2)
Day 17.1 nat pat (2)
 
NAT Traversal
NAT TraversalNAT Traversal
NAT Traversal
 
ENSA_Module_10.pptx
ENSA_Module_10.pptxENSA_Module_10.pptx
ENSA_Module_10.pptx
 
RF Experiments in Raspberry Pi
RF Experiments in Raspberry PiRF Experiments in Raspberry Pi
RF Experiments in Raspberry Pi
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
Tech f42
Tech f42Tech f42
Tech f42
 
BGP evolution -from SDN perspective
BGP evolution -from SDN perspectiveBGP evolution -from SDN perspective
BGP evolution -from SDN perspective
 
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - AaronBirds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron
 
TBD - To Block Connection from Suspicious IP addresses by using "DICE"
TBD - To Block Connection from Suspicious IP addresses by using "DICE"TBD - To Block Connection from Suspicious IP addresses by using "DICE"
TBD - To Block Connection from Suspicious IP addresses by using "DICE"
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
Distributed IP-PBX
Distributed IP-PBX Distributed IP-PBX
Distributed IP-PBX
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDKDoS and DDoS mitigations with eBPF, XDP and DPDK
DoS and DDoS mitigations with eBPF, XDP and DPDK
 
ACI_Forwarding_Basic_rev2.pptx
ACI_Forwarding_Basic_rev2.pptxACI_Forwarding_Basic_rev2.pptx
ACI_Forwarding_Basic_rev2.pptx
 
Security In Dect
Security In DectSecurity In Dect
Security In Dect
 

Mais de Christian Martorella

A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application SecurityChristian Martorella
 
OSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and futureOSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and futureChristian Martorella
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainChristian Martorella
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP SpainChristian Martorella
 
All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007Christian Martorella
 
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008Christian Martorella
 

Mais de Christian Martorella (10)

A journey into Application Security
A journey into Application SecurityA journey into Application Security
A journey into Application Security
 
OSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and futureOSINT 2.0 - Past, present and future
OSINT 2.0 - Past, present and future
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 
Wfuzz for Penetration Testers
Wfuzz for Penetration TestersWfuzz for Penetration Testers
Wfuzz for Penetration Testers
 
A fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP SpainA fresh new look into Information Gathering - OWASP Spain
A fresh new look into Information Gathering - OWASP Spain
 
2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain2011 and still bruteforcing - OWASP Spain
2011 and still bruteforcing - OWASP Spain
 
All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007All your data are belong to us - FIST Conference 2007
All your data are belong to us - FIST Conference 2007
 
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
Principales vulnerabilidades en Aplicaciones Web - Rediris 2008
 
Tactical Information Gathering
Tactical Information GatheringTactical Information Gathering
Tactical Information Gathering
 

Playing in a Satellite environment

  • 1.       Leonardo  Nve  Egea   Christian  Martorella   lnve@s21sec.com   cmartorella@s21sec.com    º  
  • 2. 1.  Because  I’m  sure  that  some  people  will   publish  more  attacks.     2.  Because  there  are  previous  presentations   about  satellites.      
  • 3. ¡  Warezzman  –  (in  2004  at  Undercon  VIII  first   Spanish  hacker  CON)   ¡  Jim  Geovedi  &  Raditya  Iryandi   (HITBSecConf2006)     ¡  Adam  Laurie  (Blackhat  2009  at  DC)   ¡  Leonardo  Nve  (S21sec  Blog  February  2009)  
  • 4. ¡  A    satellite    is    a    radio  frequency    repeater         that    is      launched    by    a    rocket    and    placed    in     orbit    around      the    earth.  
  • 5. ¡  Orbit  based  satellites     §  Low  Earth  orbiting  (LEO)   §  Geostationary  orbit  (GEO)   §  Other:  Molniya,  High  (HEO),  etc.     ¡  Function  based  satellites   §  Communications   §  Earth  observation   §  Other:  Scientifics,  ISS,  etc.  
  • 6.
  • 7. ¡  Satellite  GEO   §  UFO  (UHF  Follow  ON)  Military   §  Inmarsat   §  Meteorological  (Meteosat)   §  SCPC  /  Telephony  link  FDMA    
  • 8.
  • 9. ¡  Standard  of  European  Telecommunications   Standards  Institute  (ETSI).   ¡  Defines  audio    and  video  transmission,  and   data  connections.   ¡  DVB-­‐S  &  DVB-­‐S2  is  the  specification  for   satellite  communications.  
  • 10. ¡  Transponder:    Like  channels  (in  Satellite   comms)     §  Frecuency  (C  band  or  Ku).  Ex:  12.092Ghz   §  Polarization.  (horizontal/vertical)   §  Symbol  Rate.  Ex:  27500Kbps   §  FEC.     ¡  Every  satellite  has  many  transponders   onboard  which  are  operating  on  different   frequencies  
  • 11.    Header   Body    0x47   Flags   PID   Flags   Adaptation  Field   Data     Program  ID  (PID):  It  permits  different  programs  at  same   transponder  with  different  components  [Example  BBC1   PIDs:  600  (video),  601  (English  audio),  603  (subtitles),  4167   (teletext)]    
  • 12. ¡  Temporal  video  links.   ¡  Live  emissions,  sports,  news.     ¡  FTA  –  In  open  video.  
  • 13.
  • 14.
  • 17. ¡  Is  widely  known  that  the  Department  of   Defense  (DoD)  and  some  US  defense     contractors  use  satellites  and    DVB  for  their   comms.   ¡  Let`s  see:     http://telecom.esa.int/telecom/media/document/DVB-­‐RCS %20Networks%20for%20the%20US%20Defense%20Market %20(R3).pdf  
  • 18.
  • 20. ¡  How  to  find  feeds:   §  Lists  of  channels  in  www     §  Blind  Scan   §  Visual  representations  of  the  signal    
  • 21. ¡  Dr  HANS   §  http://drhans.jinak.cz/news/index.php     ¡  Zackyfiles   §  http://www.zackyfiles.com  (in  spanish)   ¡  Satplaza   §  http://www.satplaza.com  
  • 22. ¡  Two  scenarios   §  Satmodem   §  Satellite  Interactive  Terminal  (SIT)  or  Astromodem    (DVB/RCS)    
  • 24. DOWNLINK   INTERNET   CLIENT   ISP  
  • 25. DOWNLINK   POTS/GPRS   UPLINK   INTERNET   CLIENT   UPLINK   ISP  
  • 26. DOWNLINK   POTS/GPRS   UPLINK   INTERNET   CLIENT   UPLINK   ISP  
  • 27. DOWNLINK   ISP’s  UPLINK   POTS/GPRS   UPLINK   INTERNET   CLIENT   UPLINK   ISP  
  • 28. DVB Data - Astromodem DOWNLINK  &  UPLINK   ISP  DOWNLINK  &  UPLINK   INTERNET   CLIENT   ISP  
  • 29.
  • 30.   Anyone  with  coverage  can  SNIFF   the  DVB  Data,  and  normally  it  is   unencrypted.    
  • 31.
  • 32. ¡  What  do  you  need:   §  Skystar  2  DVB  Card   §  linuxtv-­‐dvb-­‐apps     §  Wireshark   §  The  antenna  (Dish  +  LNB)   §  Data  to  point  it.  
  • 33.   I  bought  it  for  50€!!!  from  an   PayTV  ex-­‐”hacker”  :P     (Including  a  set-­‐top  box  that  I  will   not  use)  
  • 34.
  • 35.
  • 36. Linux  has  the  modules  for  this  card  by   default,  we  only  need  the  tools  to  manage  it:     linuxtv-­‐dvb-­‐apps     My  version  is  1.1.1  and  I  use  Fedora  (Not  too   cool  to  use  Debian  :P).  
  • 37. Once  the  antenna  and  the  card  are  installed   and  linuxtv-­‐dvb-­‐apps  compiled    and  installed,   the  process  is:   1-­‐  Tune  the  DVB  Card   2-­‐  Find  a  PID  with  data   3-­‐  Create  an  Ethernet  interface  associated  to  that   PID   We  can  repeat  2  to  3  any  times  we  want.  
  • 38. 1-­‐  Tune  the  DVB  Card     2-­‐  Find  a  PID  with  data     3-­‐  Create  an  Ethernet  interface  associated  to  that   PID    
  • 39. Tune  DVB  Card   The  tool  we  must  use  is  szap  and  we  need  the   transponder’s  parameters  in  a  configuration   file.     For  example,  for  “Sirius-­‐4  Nordic  Beam":   #  echo  “sirius4N:12322:v:0:27500:0:0:0"  >>  channels.conf          
  • 40. We  run  szap  with  the  channel  configuration   file  and  the  transponder  we  want  use  (the   configuration  file  can  have  more  than  one).     #  szap  –c  channels.conf  sirius4N     We  must  keep  it  running.    
  • 41.
  • 42. The  transponder  parameters  can  be  found   around  Internet.   http://www.fastsatfinder.com/transponders.html    
  • 43. 1-­‐  Tune  the  DVB  Card     2-­‐  Find  a  PID  with  data     3-­‐  Create  an  Ethernet  interface  associated  to  that   PID    
  • 44. ¡   Find  a  PID     #dvbsnoop  -­‐s  pidscan     Search  for  data  section  on  results.  
  • 45.
  • 46. 1-­‐  Tune  the  DVB  Card     2-­‐  Find  a  PID  with  data     3-­‐  Create  an  Ethernet  interface  associated  to   that  PID    
  • 47. ¡   Create  an  interface  associated  to  a  PID     #dvbnet  -­‐a  <adapter  number>  -­‐p  <PID>   ¡   Activate  it   #ifconfig  dvb0_<iface  number>  up      
  • 48.
  • 49.   Back  to  de  pidscan  results  
  • 51. Wireshark  is  our  friend               16358  packets  in  10  seconds  
  • 52.
  • 53. ¡   We  can  have  more  than  one  PID  assigned  to  an   interface,  this  will  be  very  useful.   ¡   Malicious  users  can:   §   Catch  passwords.   §   Catch  cookies  and  get  into  authenticated  HTTP   sessions.   §   Read  emails   §   Catch  sensitive  files   §   Do  traffic  analysis   §   Etc  ….    
  • 54. Reminder:      In  satellite  communications  we  have  two   scenarios:     A-­‐  Satmodem,  Only  Downlink  via  Satellite     B-­‐  Astromodem,  Both  uplink  and  downlink  via   Satellite.  
  • 55.   We  can  only  sniff  the  downloaded  data.  We   can  only  sniff  one  direction  in  a  connection.    
  • 56. ¡   DNS  Spoofing   ¡   TCP  hijacking   ¡ Attacking  GRE  
  • 57.     DNS  Spoofing  is  the  art  of  making  a  DNS   entry  to  point  to  an  another  IP  than  it  would   be  supposed  to  point  to.  (SecureSphere)  
  • 58. ¡   What  we  need  to  perform  this  attack?   §   DNS  Request  ID   §   Source  Port   § Source  IP   § Destination  IP   § Name/IP  asking  for    
  • 59. ¡   It´s  trivial  to  see  that  if  we  sniff  a  DNS   request  we  have  all  that  information  and  we   can  spoof  the  answer.     ¡   Many  tools  around  do  this  job,    the  only   thing  we  also  need  is  to  be  faster  than  the   real  DNS  server  ( jizz).  
  • 60. ¡   Why  is  this  attack  important?   § Think  in  phising       §   With  this  attack,  uplink  sniff  can  be  possible   ▪   Rogue  WPAD  service   ▪   Sslstrip  can  be  use  to  avoid  SSL  connections.  
  • 61. ¡   DNS  Spoofing   ¡   TCP  hijacking   ¡ Attacking  GRE  
  • 62.        TCP  session  hijacking  is  when  a  hacker  takes   over  a  TCP  session  between  two  machines.   (ISS)  
  • 63. Seq=S1      ACK=A1      Datalen=L1   Seq=A1      ACK=S1+L1      Datalen=L2   Seq=S1+L1      ACK=A1+L2      Datalen=L3     If  we  sniff  1  we  can  predict  Seq  and  Ack  of  2  and   we  can  send  the  payload  we  want  in  2      
  • 64.
  • 65. ¡   Initially  we  can  only  have  a  false  connection  with  A.   ¡   In  certain  circumstances,  we  can  make  this  attack   with  B,  when  L2  is  predictable.   ¡ Some  tools  for  doing  this:   § Hunt   § Shijack   § Scapy        
  • 66. ¡   DNS  Spoofing   ¡   TCP  hijacking   ¡ Attacking  GRE  
  • 67. ¡   Generic  Routing  Encapsulation     ¡   Point  to  point  tunneling  protocol   ¡ 13%  of  Satellite’s  data  traffic  in  our   transponder  is  GRE  
  • 68.   This  chapter  is  based  on  Phenoelit’s   discussion  paper  written  by  FX  applied  to   satellite  scenario.     Original  paper:     http://www.phenoelit-­‐us.org/irpas/gre.html  
  • 69. HQ   INTERNET   Remote  Office   Remote  Office   Remote  Office  
  • 70. Find  a  target:     #tshark  –ni  dvb0_0  –R  gre  –w  capture.cap    
  • 71. GRE  Packet   IP  d   1   est   IP  source  1     GRE  header   Payload  IP  dest   Payload  IP  source   Payload  IP  Header     Payload  Data        
  • 72. ¡   IP  dest  1  and  source  1  must  be  Internet   reachable    IPs   ¡ The  payload´s  IPs  used  to  be  internal.  
  • 73. 1.1.1.2   1.1.1.1   INTERNET   10.0.0.54   10.0.0.5  
  • 74. 1.1.1.2   1.1.1.1   INTERNET   (*)   10.0.0.54   10.0.0.5  
  • 75. (*)  GRE  Packet     1.1.1.1   1.1.1.2     GRE  header  (32  bits  without  flags)   10.0.0.5   10.0.0.54   Payload  IP  Header     Payload  Data        
  • 76. (1)   1.1.1.2   1.1.1.1   10.0.0.54   10.0.0.5  
  • 77. (1)  GRE  Packet     1.1.1.1   1.1.1.2     GRE  header  (32  bits  without  flags)   10.0.0.5   10.0.0.54   Payload  IP  Header     Payload  Data        
  • 78. (1)   1.1.1.2   1.1.1.1   (2)   10.0.0.54   10.0.0.5  
  • 79. (2)  IP  Packet    10.0.0.5   10.0.0.54     IP  header       Data  
  • 80. (1)   1.1.1.2   1.1.1.1   (2,3)   10.0.0.54   10.0.0.5  
  • 81. (3)  IP  Packet    10.0.0.54   10.0.0.5     IP  header  2       Data  2  
  • 82. (4)   (1)   1.1.1.2   1.1.1.1   (2,3)   10.0.0.54   10.0.0.5  
  • 83. (4)  GRE  Packet     1.1.1.2   1.1.1.1     GRE  header  (32  bits  without  flags)   10.0.0.54   10.0.0.5   Payload  IP  Header  2     Payload  Data  2        
  • 84. At  Phenoelit´s  attack  payload’s  IP  source  is  our  public  IP.  This   attack  lacks    when  that  IP  isn´t  reachable  from  the  internal   LAN  and  you  can  be  logged.       I  use  internal  IP  because  we  can  sniff  the  responses.         To  improve  the  attack,  find  a  internal  IP  not  used.    
  • 85. How   To   Scan   NSA   And   Cannot   Be   Traced    
  • 86. We  can  send  a  SYN  packet  with  any   destination  IP  and  TCP  port  (spoofing  a   satellite’s  routable  source  IP)  ,  and  we  can   sniff  the  responses.     We  can  analyze  the  responses.  
  • 87. OR…  We  can  configure  our  linux  like  a   satellite  connected  host.       VERY  EASY!!!  
  • 88. ¡  What  we  need:   §  An  internet  connection  (Let’s  use  it  as  uplink)  with   any  technology  which  let  you  spoofing.   §  A  receiver,  a  card….  
  • 89. ¡  Let’s  rock!   §  Find  a  satellite  IP  not  used,  I  ping  IPs  next  to   another  sniffable  satellite  IP  to  find  a  non   responding  IP.    We  must  sniff  our  ping  with  the   DVB  Card  (you  must  save  the  packets).     §  This  will  be  our  IP!    
  • 90. ¡  Configure  Linux  to  use  it.     We  need  our  router  ‘s  MAC  
  • 91. Configure  our  dvb  interface  to  receive  this  IP   (I  suppose  that  you  have  configure  the  PID…)    The  IP  is  the  one  we  have  selected  and  in  the   ICMP  scan,  we  must  get  the  destination  MAC   sniffed.  
  • 92. Here  we  get    the  MAC   address    we  must  configure   in  our  DVB  interface  
  • 93. I  use  netmask  /32  to  avoid  routing  problems  
  • 94. Now  we  can  configure  our  Internet  interface   with  the  same  IP  and  configure  a  default   route  with  a  false  router  setting  this  one  with   a  static  MAC  (our  real  router’s  MAC).      
  • 95.
  • 96. IT  WORKS!                
  • 97. This  is  all  !!!         Some  things  you  must  remember:     The  DNS  server  must  allow  request  from  any   IP  or  you  must  use  the  satellite  ISP  DNS   server.    
  • 98. If  you  have  any  firewall  (iptables)  disable  it.     All  the  things  you  make  can  be  sniffed  by   others  users.  
  • 99. Now  attacking  GRE  is  very  easy,  you  only   need  to  configure  your  Linux  with  IP  of  one  of   the  routers  (the  one  with  the  satellite   connection)  and  configure  the  tunneling.     http://www.google.es/search? rlz=1C1GPEA_en___ES312&sourceid=chrome&ie=UTF-­‐8&q=configuring +GRE+linux    
  • 100. ¡  I’m  studying  the  different  methods  to  trace   illegal  users.  (I  only  have  a  few  ideas).   ¡  Now  I’m  studying  the  possibilities  of  sending   data  to  a  satellite  via  Astromodem  (DVB-­‐ RCS).  This  investigation  looks  fine.  
  • 101. ¡  Satellite  communications  are  insecure.   ¡  It  can  be  sniffed.   ¡  A  lot  of  attacks  can  be  made,  I  just  talked   about  only  few  level  4  and  level  3  attacks.  
  • 102. ¡  With  this  technology  in  our  sky,  an   anonymous  connection  is  possible.   ¡  Many  kinds  of  Denial  of  Service  are  possible.  
  • 103.
  • 104. Leonardo Nve Egea Christian Martorella lnve@s21sec.com cmartorella@s21sec.com