Binary Protocol Analysis with CANAPE 
James Forshaw
Schedule
1. What is CANAPE?
2. Say Hello to SuperFunkyChat
3. Proxying and Capturing Traffic
4. NetGraphs
5. Modelling State Transitions
6. Removing SSL/Layers
7. Traffic Manipulation and Replay
8. Developing Network Clients
9. Wrap Up
https://www.github.com/tyranid/44con_2014
Playing Along at Home
• Pre-built binaries available at:
• https://www.github.com/tyranid/44con_2014
• Example projects and slides will come later
ASK QUESTIONS

What is CANAPE?
• Arbitrary Network Protocol Capture Tool
• Specifically designed for binary protocols
• Windows focused (some Mono support)
• Open source, GPLv3, written in C#
• https://www.github.com/ctxis/canape

What Makes CANAPE Different?
• There are a number of tools to generate or fuzz network traffic
• Scapy, Peach, Sulley etc.
• CANAPE takes the web application testing paradigm and applies it to arbitrary protocols
• GUI
• Easy packet manipulation
• Quick feedback

Workshop 0: Quick Tour of CANAPE

Say Hello to Super Funky Chat!!11!

SuperFunkyChat
• Simple Windows IM application
• Written originally as a CTF and CANAPE tutorial
• Uses a binary protocol
• Supports SOCKS
• Has a few “Undocumented” features
• Source code available at https://www.github.com/tyranid/SuperFunkyChat
• Don’t use as a real IM system

Workshop 1: Quick Tour of SuperFunkyChat
Proxying and Capturing Traffic
• CANAPE supports many ways of proxying traffic:
• TCP/UDP port forwarding
• SOCKS v4/v5 proxy
• HTTP forward and reverse proxies
• Can develop your own extensions to support other types of networks (named pipes, COM ports)
• Also supports servers and clients

Identifying Suitable Traffic
• Need to work out what traffic to capture
• Reverse engineering
• Wireshark/PCAP

Forcing Traffic Through CANAPE
• CANAPE works at the application level (TCP/UDP), not the network level
• Traffic from the application needs to go through CANAPE
• Proxy support
• DNS redirecting
• DNAT
• SOCKSifying tools (Proxifier, for example)

Services
• CANAPE isolates your project into a set of services
• You define a template for your service:
• Data flow
• State model
• Dynamic content
• When a new connection is made, an instance is instantiated from the template

Workshop 2: Capturing SuperFunkyChat
NetGraphs

NetGraphs
• NetGraphs are used to model data flow and state
• Specified as a directed graph
• Standard graph nodes available
• Can implement custom nodes in C#/IronPython

Specifying a NetGraph
Select Default Graph

Netgraph in Service Context
[Diagram: Client Application, netgraph, Server Application]

Some Standard Nodes
Name            Description
LogNode         Logs packets as they traverse the node
Decision Node   Performs an IF condition on packets
Switch Node     Selects an output based on state
Edit Node       Displays a dialog to allow manual packet editing
Dynamic Node    Scripted content
Layer Section   Graph container and layer processing

Graph User Interface
• Create a new graph by right clicking the project explorer
• Left click to select and drag nodes
• Right click to add nodes
• Hold and drag the middle button to add edges
• Can also hold left Control and use the left button
• Nodes can be disabled from the right click menu

Node Properties

Node Filters
• Each node has a Filters property
• Defines match rules for what packets the node will process

Workshop 3: Playing with Netgraphs
Traffic Analysis

Packet Logging
• Only packets which traverse a log node in a graph end up being logged (well, unless you do it manually)
• Affected by node filters
• Can specify a number of properties:
• Colour
• Logged Name

Workshop 4: Packet Logging Interface

Packet Tools
• Analysis of traffic means looking at binary data
• Many different tasks:
• Comparing packets and sequences of packets
• Importing and exporting data
• Searching

Workshop 5: Packet Tools

Parsing Traffic
• CANAPE’s data pipeline can be scripted using C# or Python
• Not necessarily an easy thing to do
• Parser editor to the rescue

Parser Editor

Parser Editor
• Build the protocol structure in the GUI
• Defines 3 types:
• Sequences
• Enumerations
• Parsers
• Supports complex expressions, TLV, sub-sequences etc.
• Compiles to a C# parser script, which can be exported and tweaked
Parsed Packet Format
Root Key (/)
  Key A
    Value Y
  Key B
    Value X
SelectionPath = /A/Y
• Nodes and filters support a Selection Path
• Uses an XPATH syntax to determine selection

SuperFunkyChat Packet Structure
Length (4 bytes)
Checksum (4 bytes)
Data (Length bytes):
  Command (1 byte)
  Command Specific Data (Length-1 bytes)

Workshop 6: Parser Development

Removing TLS/Layers
• One of the most common security protocols is TLS/SSL
• CANAPE doesn’t assume it knows better than you whether a connection is TLS or not
• Can wrap and decrypt the entire connection

Workshop 7: Remove TLS Encryption
State Modelling

State Modelling
• Most protocols aren’t simple streams of data
• Need to deal with state
• The main way of handling this in CANAPE is through the netgraphs
• There is also a simpler interface using state graphs

Meta Data Storage
Project Meta
  Service 1: Global Meta
    Service 1 Instance: Local Meta
    Service 1 Instance: Local Meta
  Service 2 Instance: Local Meta

Accessing Meta Data Storage
• Local (Graph.Meta)
• Global (Graph.GlobalMeta)
• Project (CANAPEProject.CurrentProject.GlobalMeta)
• Layers (this.Meta/this.GlobalMeta)

MetaSelection
• Already seen XPATH SelectionPath
• Filters can also select on MetaData
• Examples:
• #MetaName: select the local meta value
• $MetaName: select the global meta value
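The Parsed Packet Format and MetaSelection slides describe three selector forms (an XPath-like Selection Path such as /A/Y, #MetaName for a local meta value and $MetaName for a global one) and say node Filters match on them. The following is an added example written for this page, not CANAPE's own code: a small evaluator for those selectors, used to decide which nodes of a constructed netgraph accept a packet. The nested-dict packet tree, the (selector, expected value) rule format and all sample values are assumptions made for illustration.

```python
"""Added example (not CANAPE's code): evaluate CANAPE-style selectors and
apply them as node Filters.

  /A/Y       XPath-like Selection Path into the parsed packet tree
  #MetaName  local (per connection instance) meta value, like Graph.Meta
  $MetaName  global (per service) meta value, like Graph.GlobalMeta

Assumptions: a parsed packet is a nested dict keyed by field name, and a
node's Filters property is a list of (selector, expected) rules that must
all hold. Both are simplifications of CANAPE's real objects.
"""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: the tree drawn on the "Parsed Packet Format" slide.
SAMPLE_TREE: Dict[str, Any] = {"A": {"Y": "value-y"}, "B": {"X": "value-x"}}

# Constructed sample: a parsed chat packet using the field names from the
# packet structure slide (values are made up).
SAMPLE_PACKET: Dict[str, Any] = {
    "Length": 6,
    "Checksum": 0x217,
    "Data": {"Command": 3, "Payload": b"hello"},
}

# Constructed meta stores: local belongs to one connection instance, global
# is shared by every instance of the service.
LOCAL_META: Dict[str, Any] = {"Authenticated": True, "UserName": "alice"}
GLOBAL_META: Dict[str, Any] = {"SessionCount": 2}

Filters = List[Tuple[str, Any]]


def select(selector: str, packet: Dict[str, Any],
           local_meta: Optional[Dict[str, Any]] = None,
           global_meta: Optional[Dict[str, Any]] = None) -> Any:
    """Resolve one selector; returns None when nothing matches."""
    if selector.startswith("#"):
        return (local_meta or {}).get(selector[1:])
    if selector.startswith("$"):
        return (global_meta or {}).get(selector[1:])
    if not selector.startswith("/"):
        raise ValueError("unsupported selector: %r" % selector)
    node: Any = packet
    for key in selector.split("/"):
        if key == "":            # the root slash, or an empty segment
            continue
        if not isinstance(node, dict) or key not in node:
            return None          # path walks off the parsed tree
        node = node[key]
    return node


def node_accepts(filters: Filters, packet: Dict[str, Any],
                 local_meta: Dict[str, Any], global_meta: Dict[str, Any]) -> bool:
    """A node with no filters processes everything; otherwise every rule must hold."""
    return all(select(sel, packet, local_meta, global_meta) == expected
               for sel, expected in filters)


# Constructed netgraph: node name -> Filters property.
NODES: List[Tuple[str, Filters]] = [
    ("LogAll", []),
    ("LogCommand3", [("/Data/Command", 3)]),
    ("LogAuthenticated", [("#Authenticated", True)]),
    ("LogUnauthenticated", [("#Authenticated", False)]),
    ("LogSecondSession", [("$SessionCount", 2), ("/Data/Command", 3)]),
]


def route_packet(nodes: List[Tuple[str, Filters]], packet: Dict[str, Any],
                 local_meta: Dict[str, Any], global_meta: Dict[str, Any]) -> List[str]:
    """Names of the nodes whose filters let this packet through."""
    return [name for name, filters in nodes
            if node_accepts(filters, packet, local_meta, global_meta)]


if __name__ == "__main__":
    print(select("/A/Y", SAMPLE_TREE))
    print(route_packet(NODES, SAMPLE_PACKET, LOCAL_META, GLOBAL_META))
```

A missing key resolves to None rather than raising, so a filter comparing against a concrete value simply fails to match; that mirrors how a log node with a filter quietly ignores packets whose parsed tree lacks the field.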
Workshop 8: Developing XOR Decryption
Traffic Manipulation and Replay

Dealing with Checksums
• Up to now we’ve only looked at packets, never changed and replayed them
• Something prevents us doing this: the checksum
• Could write a script to fix up the checksum after modification
• The parser editor also gives some basic functions to do this for us

Expressions
• The parser editor supports a Python-like expression evaluator
• Combine with calculated values to recalculate the checksum
• Can even use Python snippets:
DoChecksum.RunMe(Command, bytes(Payload))
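The packet structure slide gives the SuperFunkyChat framing (Length, Checksum, then Data holding a Command byte and command-specific data), and the two slides above explain why a modified packet must have its checksum fixed up before replay. The block below is an added example, not SuperFunkyChat's or CANAPE's code: it parses and rebuilds that framing, rejects an in-place edit whose checksum no longer matches, and re-frames an edited payload with fresh Length and Checksum values, the job the parser editor's DoChecksum.RunMe expression does. It goes slightly beyond the slide by splitting a stream of several packets. Byte order (big-endian) and the checksum algorithm (a 32-bit sum of the Data bytes) are assumptions; the slides state neither, so replace checksum() with the real function when using this against the application.

```python
"""Added example (not SuperFunkyChat's or CANAPE's code): framing and
re-framing of the layout on the "SuperFunkyChat Packet Structure" slide.

    Length (4 bytes) | Checksum (4 bytes) | Data (Length bytes)
    Data = Command (1 byte) + Command Specific Data (Length-1 bytes)

Assumptions: integers are big-endian and the checksum is a 32-bit additive
sum over Data. Neither is on the slides; checksum() is a placeholder.
"""
import struct
from typing import Dict, List, Tuple

HEADER = struct.Struct(">II")  # Length, Checksum (big-endian assumed)


def checksum(data: bytes) -> int:
    """Placeholder: 32-bit additive checksum over the Data bytes."""
    return sum(data) & 0xFFFFFFFF


def build_packet(command: int, payload: bytes) -> bytes:
    """Frame one packet: Length and Checksum are computed, never hand-set."""
    data = bytes([command]) + payload
    return HEADER.pack(len(data), checksum(data)) + data


def parse_packet(buf: bytes) -> Tuple[Dict[str, object], bytes]:
    """Parse one packet from the front of buf; return (fields, remaining bytes).

    Raises ValueError on a short buffer, an empty Data block or a bad
    checksum, so a proxy parser fails loudly instead of forwarding garbage.
    """
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than the 8-byte header")
    length, chk = HEADER.unpack_from(buf, 0)
    if length < 1:
        raise ValueError("Data must hold at least the Command byte")
    end = HEADER.size + length
    if len(buf) < end:
        raise ValueError("truncated: Length says %d bytes of Data" % length)
    data = buf[HEADER.size:end]
    if checksum(data) != chk:
        raise ValueError("checksum mismatch: header %#x, computed %#x"
                         % (chk, checksum(data)))
    fields = {"Length": length, "Checksum": chk,
              "Command": data[0], "Payload": data[1:]}
    return fields, buf[end:]


def is_valid(buf: bytes) -> bool:
    """True when buf starts with a well-formed packet."""
    try:
        parse_packet(buf)
        return True
    except ValueError:
        return False


def rewrite_payload(buf: bytes, new_payload: bytes) -> bytes:
    """Replace the command-specific data and re-frame the packet, recomputing
    Length and Checksum (the fix-up step from the checksum slides)."""
    fields, rest = parse_packet(buf)
    return build_packet(fields["Command"], new_payload) + rest


def parse_stream(buf: bytes) -> List[Dict[str, object]]:
    """Split a byte stream into packets; TCP reads rarely align to packets."""
    packets = []
    while buf:
        fields, buf = parse_packet(buf)
        packets.append(fields)
    return packets


if __name__ == "__main__":
    # Constructed sample packet: command 3 carrying "hello".
    original = build_packet(3, b"hello")
    tampered = original[:9] + b"jello"          # edit bytes, keep old checksum
    print("tampered valid:", is_valid(tampered))  # False
    print(parse_packet(rewrite_payload(original, b"jello"))[0])
```

The tampered case is the one the slide is about: editing Payload in place leaves the old Checksum in the header, and a parser that verifies it drops the packet, so the replay never reaches the server. Re-framing through build_packet() is what the parser editor's calculated values automate.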
Workshop 9: Packet Replay and Injection

Developing Network Clients

Network Clients
• CANAPE supports developing network clients
• Designed to allow work developed through MitM (graphs/scripts) to be reused with minimal effort
• Can be used for fuzzing or other automated tasks

Workshop 10: Command Fuzzer

Wrap Up

44CON 2014 - Binary Protocol Analysis with CANAPE, James Forshaw

  • 1. Binary Protocol Analysis with CANAPE James Forshaw
  • 2. Schedule 1.What is CANAPE? 2.Say Hello to SuperFunkyChat 3.Proxying and Capturing Traffic 4.NetGraphs 5.Modelling State Transitions 6.Removing SSL/Layers 7.Traffic Manipulation and Replay 8.Developing Network Clients 9.Wrap Up https://www.github.com/tyranid/44con_2014
  • 3. Playing Along at Home •Pre-built binaries available at: •https://www.github.com/tyranid/44con_2014 •Example projects and slides will come later ASK QUESTIONS https://www.github.com/tyranid/44con_2014
  • 4. What is CANAPE? •Arbitrary Network Protocol Capture Tool •Specifically designed for Binary Protocols •Windows focused (some Mono support) •Open source, GPLv3, written in C# •https://www.github.com/ctxis/canape https://www.github.com/tyranid/44con_2014
  • 5. What Makes CANAPE Different? •Number of tools to generate or fuzz network traffic •Scapy, Peach, Sulleyetc. •Takes Web Application Testing Paradigm and applies to arbitrary protocols •GUI •Easy packet manipulation •Quick feedback https://www.github.com/tyranid/44con_2014
  • 6. Workshop 0: Quick Tour of CANAPE https://www.github.com/tyranid/44con_2014
  • 7. Say Hello to Super Funky Chat!!11! https://www.github.com/tyranid/44con_2014
  • 8. SuperFunkyChat •Simple Windows IM Application •Written originally as a CTF and CANAPE tutorial •Uses a binary protocol •Supports SOCKS •Has a few “Undocumented” features •Sourcecodeavailable at https://www.github.com/tyranid/SuperFunkyChat •Don’t use as a real IM system  https://www.github.com/tyranid/44con_2014
  • 9. Workshop 1: Quick Tour of SuperFunkyChat https://www.github.com/tyranid/44con_2014
  • 10. Proxying and Capturing Traffic •CANAPE Supports Many Ways of Proxying Traffic: •TCP/UDP Port Forwarding •SOCKS v4/v5 Proxy •HTTP Forward and Reverse Proxies •Can develop your own extensions to support other types of networks (NamedPipes, COM ports) •Also supports Servers and Clients https://www.github.com/tyranid/44con_2014
  • 11. Identifying Suitable Traffic •Need to work out what traffic to capture •Reverse Engineering •Wireshark/PCAP https://www.github.com/tyranid/44con_2014
  • 12. Forcing Traffic Through CANAPE •CANAPE works at Application Level (TCP/UDP) not network •Traffic from Application needs to go through CANAPE •Proxy support •DNS redirecting •DNAT •SOCKSifyingtools (Proxifierfor example) https://www.github.com/tyranid/44con_2014
  • 13. Services •CANAPE insolates your project into a set of services. •You define a template for your service: •Data flow •State model •Dynamic content •When a new connection is made an Instance is instantiated based on the template https://www.github.com/tyranid/44con_2014
Workshop 2: Capturing SuperFunkyChat
NetGraphs
•NetGraphs used to model data flow and state
•Specified as a directed graph
•Standard graph nodes available
•Can implement custom nodes in C#/IronPython
Specifying a NetGraph
(screenshot: Select Default Graph)
Netgraph in Service Context
(diagram: Client Application, Server Application, with the Netgraph between them)
Some Standard Nodes
•Log Node: Logs packets as they traverse the node
•Decision Node: Performs an IF condition on packets
•Switch Node: Select an output based on state
•Edit Node: Displays a dialog to allow manual packet editing
•Dynamic Node: Scripted content
•Layer Section: Graph container and layer processing
Graph User Interface
•Create a new graph by right clicking project explorer
•Left Click to Select and Drag Nodes
•Right Click to Add Nodes
•Hold and Drag Middle Button to Add Edges
•Can also hold left Control and use Left button
•Nodes can be disabled from right click menu
Node Filters
•Each node has a Filters property
•Defines match rules for what packets the node will process
Workshop 3: Playing with Netgraphs
Packet Logging
•Only packets which traverse a log node in a graph end up being logged (well unless you do it manually)
•Affected by node filters
•Can specify a number of properties:
•Colour
•Logged Name
Workshop 4: Packet Logging Interface
Packet Tools
•Analysis of traffic means looking at binary data
•Many different tasks:
•Comparing packets and sequences of packets
•Importing and exporting data
•Searching
Workshop 5: Packet Tools
Parsing Traffic
•CANAPE’s data pipeline can be scripted using C# or Python
•Not necessarily an easy thing to do
•Parser editor to the rescue
Parser Editor
•Build protocol structure in GUI
•Defines 3 types:
•Sequences
•Enumerations
•Parsers
•Supports complex expressions, TLV, sub-sequences etc.
•Compiles to C# parser script, can be exported and tweaked
Parsed Packet Format
(diagram: Root Key (/) with child Key A holding Value Y and child Key B holding Value X; SelectionPath = /A/Y)
•Nodes and filters support a Selection Path
•Uses an XPATH syntax to determine selection
SuperFunkyChat Packet Structure
Length (4 bytes) | Checksum (4 bytes) | Data (Length bytes)
Data: Command (1 byte) | Command Specific Data (Length-1 bytes)
Workshop 6: Parser Development
Removing TLS/Layers
•One of the most common security protocols is TLS/SSL
•CANAPE doesn’t assume it knows better than you whether a connection is TLS or not
•Can wrap and decrypt entire connection
Workshop 7: Remove TLS Encryption
State Modelling
•Most protocols aren’t simple streams of data
•Need to deal with State
•Main way of handling this in CANAPE is through the netgraphs
•Also simpler interface using state graphs
Meta Data Storage
(diagram: Service 1 instances each with their own Local Meta and a shared Global Meta, a Service 2 instance with its own Local Meta, all inside the Project Meta)
Accessing Meta Data Storage
•Local (Graph.Meta)
•Global (Graph.GlobalMeta)
•Project (CANAPEProject.CurrentProject.GlobalMeta)
•Layers (this.Meta/this.GlobalMeta)
Meta Selection
•Already seen XPATH SelectionPath
•Filters can also select on MetaData
•Examples:
•#MetaName – Select the local meta value
•$MetaName – Select the global meta value
Workshop 8: Developing XOR Decryption
Traffic Manipulation and Replay
Dealing with Checksums
•Up to now we’ve only looked at packets, never changed and replayed them
•Something prevents us doing this, the checksum
•Could write a script to fix up checksum after modification
•Parser editor also gives some basic functions to do this for us
Expressions
•Parser editor supports a python-like syntax expression evaluator
•Combine with calculated values to recalculate checksum
•Can even use python snippets: DoChecksum.RunMe(Command, bytes(Payload))
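An added example (not from the slides or the SuperFunkyChat project) that parses the packet structure given earlier and performs the checksum fix-up the last two slides describe: change the command-specific data, then recompute Length and Checksum so the replayed packet is accepted. It assumes big-endian header fields and a 32-bit byte-sum checksum, which are placeholders to be confirmed against the SuperFunkyChat source.

```python
import struct

# Added example, not SuperFunkyChat's own code. Assumptions (labelled): header
# fields are big-endian and the checksum is the 32-bit sum of the Data bytes;
# confirm the real algorithm against the SuperFunkyChat source.
HEADER = struct.Struct(">II")  # Length (4 bytes), Checksum (4 bytes)

def checksum(data: bytes) -> int:
    """Assumed checksum: sum of all Data bytes, truncated to 32 bits."""
    return sum(data) & 0xFFFFFFFF

def build_packet(command: int, payload: bytes) -> bytes:
    """Length counts the Data section (Command + payload), not the header."""
    data = bytes([command]) + payload
    return HEADER.pack(len(data), checksum(data)) + data

def parse_packet(raw: bytes) -> dict:
    """Parse one packet; raise ValueError on truncation or checksum mismatch."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    length, csum = HEADER.unpack_from(raw)
    data = raw[HEADER.size:HEADER.size + length]
    if length < 1 or len(data) != length:
        raise ValueError("truncated data or empty Data section (Length=%d)" % length)
    if checksum(data) != csum:
        raise ValueError("checksum mismatch: computed 0x%08x, packet 0x%08x" % (checksum(data), csum))
    return {"Length": length, "Checksum": csum,
            "Command": data[0], "Payload": data[1:]}

def is_valid(raw: bytes) -> bool:
    """True when the packet parses and its checksum matches."""
    try:
        parse_packet(raw)
        return True
    except ValueError:
        return False

def fixup_payload(raw: bytes, new_payload: bytes) -> bytes:
    """Replace the command-specific data and recompute Length and Checksum,
    the fix-up a replay script must do before a modified packet is accepted."""
    return build_packet(parse_packet(raw)["Command"], new_payload)

# Constructed sample: hypothetical command 0x03 carrying a short text payload.
SAMPLE = build_packet(0x03, b"hello")
TAMPERED = SAMPLE[:-1] + b"!"  # payload edited in place, checksum now stale

if __name__ == "__main__":
    print(parse_packet(SAMPLE), is_valid(TAMPERED))
    print(parse_packet(fixup_payload(SAMPLE, b"hello, world")))
```

The same parse/rebuild split is what the Parser Editor's calculated values automate: a receiver rejects TAMPERED, while the output of fixup_payload parses cleanly.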
Workshop 9: Packet Replay and Injection
Developing Network Clients
Network Clients
•CANAPE supports developing network clients
•Designed to allow work developed through MitM (graphs/scripts) to be reused with minimal effort
•Can be used for fuzzing or other automated tasks.
Workshop 10: Command Fuzzer