Próximos SlideShares
Carregando em…5
×

The Cynical Trust Model

The Cynical Trust Model is the accompanying slide deck to the keynote given to SC Congress by James Arlen (@myrcurial) and me (@synackpse).

  1. The Cynical Trust Model. James Arlen - @myrcurial, Lee Brotherston - @synackpse
  2. no disclaimer necessary (for a change)
  3. TRUST
  4. TRUST
  5. IS
  6. EASY
  7. Networks
  8. Providers
  9. SaaS
  10. IaaS
  11. *aaS
  12. Hardware
  13. Software
  14. Staff
  15. Consultants
  16. Regulators
  17. Auditors
  18. MITM
  19. Detection
  20. How, what, why, when?
  21. Capture all the Packets
  22. PCAP Tools: tcpdump, wireshark, tshark, mergecap, tcpsplice, tcptrace, captcp, ntop, pcapdiff, tcpflow, snort
  23. (diagram, Client and Server) SYN, SYN/ACK, ACK, HTTP Request, HTTP Response (Header & Data), More Data……
  24. (diagram, Client and Server) SYN, SYN/ACK, ACK, RST/PSH/ACK, HTTP Response, HTTP Request, ? ? ?
  25. HTTP/1.1 200 OK Content-Type: text/html; charset=ISO-8859-1 Content-Script-Type: text/javascript Connection: close Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Expires: -1 Pragma: no-cache <html><head><noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webServer="http://64.71.251.10";</script><script type="text/javascript" src="http://64.71.251.10/ByteCap-075-EO-English/index.js"></script></head><noscript><frameset><frame src="http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></frameset></noscript><body style="margin:0;"><script type="text/javascript">Bulletin("policy=72&category=ByteCap-075&");</script></body></html>
  26. Packet Headers
  27. TCPDUMP: ip[6] = 0 and tcp[14:2] = 1
  28. Wire/TShark: tcp.window_size_value eq 1 and ip.flags.df == 0
  29. Snort: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337)
  30. Fun with Firewalls
  31. But wait, there’s more….
  32. (diagram, Client and Server) SYN, SYN/ACK, ACK, RST/PSH/ACK, HTTP Response, HTTP Request
  33. (diagram, Client and Server) SYN, SYN/ACK, ACK, HTTP Request, HTTP Response (Header & Data), Data
  34. HTTP/1.1 200 OK Content-Type: text/html; charset=ISO-8859-1 Content-Script-Type: text/HTML Connection: close
  35. Tests
  36. Retention Time: rewrite ^(.*)$ /index.php;
  37. OoB Indexing: rewrite ^(.*)$ /index.php; + /etc/hosts + .htaccess
  38. Document Format: <html> <head> <title>Oh Hai</title> </head>
  39. Document Format: <!doctype html> <html> <head> <title>Oh Hai</title> </head>
  40. Mapping the Network
  41. Traceroute: 8 bits of magic
  42. (diagram) ttl=1 -> ttl expiry; ttl=2 -> ttl expiry; ttl=3 -> reply
  43. tcptraceroute. First trace: 2 7.40.72.1, 3 209.148.241.61, 4 66.185.81.221, 5 69.63.251.242, 6 69.63.249.26, 7 *. Second trace: 2 7.40.72.1, 3 209.148.241.61, 4 *, 5 *, 6 69.63.249.26, 7 *
  44. Intercept Portscanning: for i in `jot 65535 1`; do tcptraceroute -f4 -m5 host $i >> $i.log; done
  45. tcptraceroute redux. First trace: 2 7.11.164.41, 3 66.185.90.37, 4 209.148.224.205, 5 209.148.224.242, 6 4.31.208.129. Second trace: 2 7.11.164.41, 3 66.185.90.37, 4 209.148.224.214, 5 209.148.224.209, 6 209.148.228.218, 7 209.148.228.217, 8 209.148.224.254, 9 4.31.208.129
  46. Intercept Portscanning Redux: nmap -sS --ttl 64 host
  47. Which Interface? My Server / Target / Me
  48. Scapy: sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")/IP(src="11.11.11.11", dst="55.55.55.55", ttl=(1,30), options=IPOption('\x07'))/TCP(sport=3125, dport=80, flags="S"), iface="en1")
  49. So, that network… Internal Management LAN: extWebServer = "http://64.71.255.194"; intWebServer = "http://172.19.11.72";
  50. (diagram, Client and Server) SYN, SYN/ACK, ACK, RST/PSH/ACK; TTL = 1, TTL = 2, TTL = 3
  51. Great Firewall of Cameron. First trace: 6 31.55.164.187, 7 31.55.164.107, 8 109.159.248.69, 9 109.159.248.10, 10 62.172.103.187. Second trace: 6 31.55.164.187, 7 31.55.164.107, 8 109.159.248.104, 9 109.159.248.142, 10 194.71.107.15
  52. RoadRunner. First trace: 4 98.0.3.14, 5 98.0.3.3, 6 107.14.19.106, 7 107.14.17.194, 8 64.86.79.97, 9 64.86.79.2. Second trace: 4 98.0.3.14, 5 98.0.3.3, 6 66.109.6.72, 7 107.14.17.192, 8 64.86.79.97, 9 64.86.79.2
  53. What?
  54. HTTP/1.1 200 OK Date: Thu, 22 May 2014 14:29:09 GMT Server: PerfTech Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT Accept-Ranges: bytes Content-Length: 2387 Connection: close Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Expires: -1 Pragma: no-cache Content-Type: application/x-javascript
  55. HTTP/1.0 404 Not Found Date: Fri, 23 May 2014 14:00:05 GMT Server: PerfTech Content-Length: 25 Connection: close Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Expires: -1 Pragma: no-cache Content-Type: text/html; charset=iso-8859-1
  56. Hints in Scripts: // Copyright 2005-2011 PerfTech, Inc., All Rights Reserved. extWebServer = "http://64.71.255.194"; intWebServer = "http://172.19.11.72"; displayUrl = "http://www.perftech.com/console/original.html";
  57. Attribution: cat NULL planet - @skalnik
  58. Why So Bothered?
  59. Why Metadata Matters
     • They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
     • They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
     • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
  60. GET / HTTP/1.1 Host: squarelemon.com User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: _pk_ses.4.9b83=* Connection: keep-alive If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT Cache-Control: max-age=0
  61. What could possibly go wrong? Photo Attribution: Tom - @tdawks
  62. Demonstration
  63. Which won’t work.
  64. Not because we tempted the demogods
  65. But because MTCC doesn’t networking
  66. MTCC DEMO
  67. ORIGINAL DEMO
  68. Cynical Trust
  69. Step 1:
  70. Working Presumption
  71. Step 2:
  72. TANSTAAFL
  73. Step 3:
  74. Trust but Verify
  75. Step 4:
  76. Plan for Resilience
  77. YOU
  78. WILL
  79. LOSE
  80. DATA
  81. What do you do about it…
  82. Trust?
  83. Thank you! James Arlen - @myrcurial, Lee Brotherston - @synackpse
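The tcpdump, Wireshark and Snort filters on slides 27 to 29 all encode one heuristic: an injected TCP segment with a window of 1 and no DF bit set. As an added example (not code from the deck or its authors), the Python below applies that same test to raw IPv4/TCP bytes; `build_packet` and the sample capture are constructed for the demonstration.

```python
import struct

def is_suspected_injection(pkt: bytes) -> bool:
    """Same test as the deck's tcpdump filter 'ip[6] = 0 and tcp[14:2] = 1':
    the high byte of the IP flags/fragment field is zero (no DF, no MF,
    offset 0) and the TCP window field equals 1. Non-IPv4/TCP -> False."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False
    ihl = (pkt[0] & 0x0F) * 4                     # IP header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:        # protocol 6 = TCP
        return False
    ip_flags_frag = pkt[6]                        # the byte tcpdump's ip[6] reads
    tcp_window = struct.unpack('!H', pkt[ihl + 14:ihl + 16])[0]   # tcp[14:2]
    return ip_flags_frag == 0 and tcp_window == 1

def flag_injections(packets):
    """Indices of the frames in a capture (list of raw packets) that match."""
    return [i for i, p in enumerate(packets) if is_suspected_injection(p)]

def build_packet(window: int, df: bool) -> bytes:
    """Constructed minimal IPv4 + TCP (PSH/ACK) packet for testing. Checksums
    stay zero; the heuristic never looks at them. Addresses are documentation
    ranges, not real hosts."""
    flags_frag = 0x4000 if df else 0              # DF is bit 14 of the field
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack('!HHIIBBHHH', 80, 3125, 1, 1, 5 << 4, 0x18, window, 0, 0)
    return ip + tcp

if __name__ == '__main__':
    # Normal reply with DF, an injected-looking segment, and a window-1 reply
    # that keeps DF set (a real server under pressure, not the heuristic's target).
    capture = [build_packet(65535, True), build_packet(1, False), build_packet(1, True)]
    print(flag_injections(capture))   # [1]
```

Because `ip[6] = 0` also rejects MF and non-zero fragment offsets, the Python check rejects them too, which matches tcpdump but is slightly stricter than the Wireshark `ip.flags.df == 0` form.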
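Slides 43, 45, 51 and 52 compare tcptraceroute paths for different destination ports by eye to spot the hop where an interception device takes over. As an added example (not from the deck), this Python parses tcptraceroute-style hop lines for several ports, takes the path most ports share as the baseline and reports the hop at which every other port's path first diverges; `SAMPLE_TRACES` is constructed data mimicking the slide 43 pattern.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Matches tcptraceroute-style hop lines: "<hop> <ip>" or "<hop> *" (timed out).
HOP_RE = re.compile(r'^\s*(\d+)\s+(\*|\d{1,3}(?:\.\d{1,3}){3})')

def parse_hops(output: str) -> Dict[int, Optional[str]]:
    """Turn one trace's text into {hop_number: ip_or_None}; '*' becomes None."""
    hops: Dict[int, Optional[str]] = {}
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops[int(m.group(1))] = None if m.group(2) == '*' else m.group(2)
    return hops

def first_divergence(base: Dict[int, Optional[str]],
                     other: Dict[int, Optional[str]]) -> Optional[int]:
    """Lowest hop number where the two traces disagree; extra or missing hops
    (a longer path, as on slide 45) count as a disagreement."""
    for hop in sorted(set(base) | set(other)):
        if base.get(hop) != other.get(hop):
            return hop
    return None

def find_intercepted_ports(traces: Dict[int, str]) -> Dict[int, int]:
    """Baseline = the path most ports share. Every port whose path differs is
    returned with the hop at which it first diverges from that baseline."""
    parsed = {port: parse_hops(text) for port, text in traces.items()}
    signatures = Counter(tuple(sorted(h.items())) for h in parsed.values())
    baseline = dict(signatures.most_common(1)[0][0])
    suspects: Dict[int, int] = {}
    for port, hops in parsed.items():
        d = first_divergence(baseline, hops)
        if d is not None:
            suspects[port] = d
    return suspects

# Constructed sample traces (documentation IP ranges): port 80 loses hops 4-5,
# the same shape as the tcptraceroute pair on slide 43.
COMMON = "1 192.0.2.1\n2 198.51.100.1\n3 198.51.100.9\n4 203.0.113.5\n5 203.0.113.9\n6 203.0.113.1\n"
SAMPLE_TRACES = {
    22: COMMON,
    443: COMMON,
    8080: COMMON,
    80: "1 192.0.2.1\n2 198.51.100.1\n3 198.51.100.9\n4 *\n5 *\n6 203.0.113.1\n",
}

if __name__ == '__main__':
    print(find_intercepted_ports(SAMPLE_TRACES))   # {80: 4}
```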
