Network Spoofing and Packet Manipulation Tool

Explore the capabilities of Blue Raja and Shoveler, two userland tools that allow address spoofing, packet rewriting, and proxy functionality in order to bypass IP address-based access controls and manipulate network traffic.

wsullivan

Presentation Transcript


  1. Mystery Net (Simple Nomad, DC214 - 15Jul2004)

  2. Mystery Net – Design Goals
     • Defeat IP address-based access controls
     • Allow userland tools to spoof
     • Have little to no social value

  3. Attacker's Dilemma
     • Firewalls block addresses
     • Some firewalls allow some traffic in (business partners, trusted clients, etc)
     • VPNs may limit addresses that can access
     • Perimeter technologies log stuff (including our IP address)
     • Spoofing “dies” using TCP/IP
     • Advanced spoofing requires rewriting every app/tool from scratch

  4. Our Hero

  5. Enter Blue Raja

  6. Blue Raja Features
     • Uses Packet Purgatory library
     • Inserts a “wedge” between the kernel and userland.
     • The “wedge” rewrites outbound packets on the fly.
     • We simply rewrite our outbound source address, and add options
     • We can also use a fake “local” IP proxy (and we handle arp for it)

  7. How Does Our Hero Get Responses?

  8. Enter The Shoveler

  9. Shoveler Features
     • Uses libpcap and libdnet
     • Can rewrite packets based upon IP address pairs
     • Can function as a proxy, and can be chained

  10. Real World Scenario
     • Attacker is blocked, trusted host gets through
     [Diagram labels: Target, Trusted Host, Mr. Furious]

  11. Real World Scenario
     • Attacker uses Blue Raja, packets get through
     [Diagram labels: Target, Trusted Host, Blue Raja, Mr. Furious]

  12. Real World Scenario
     • Shoveler shovels the return packets back
     [Diagram labels: Shoveler, Target, Trusted Host, Blue Raja, Attacker]

  13. More Fun...
     • Attacker is blocked, trusted host gets through
     [Diagram labels: Target, Trusted Host, Attacker, Shoveler (proxy mode) ×5]

  14. Shoveler Can Do Even More...

  15. Man-in-the-Middle Scenario
     • Shoveler intercepts online banking traffic
     [Diagram labels: Shoveler, Target, MyOnlineBank, FakeOnlineBank]

  16. Problem Areas
     • Trusted host is active
     • RSTs could kill our connection
     • Can't update Shoveler on the fly
     • Works great in a lab (needs real world testing)

  17. Future Enhancements - Shoveler
     • Detect dark IP space from trusted net
     • “Spleen” mode
     • DoS against trusted host
     • Reverse “spleen” mode for better MITM attacks
     • “Invisible Boy” mode
     • Update Shoveler remotely via covert channel

  18. Fin
     • Questions?
     • http://www.nmrc.org/~thegnome/mn-0.1.tgz (coming soon)
     • Packet Purgatory: http://www.synacklabs.net/projects/packetp/
     • Libdnet: http://libdnet.sourceforge.net/
     • Libpcap: http://www.tcpdump.org/
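
Slide 16 lists an active trusted host and RSTs as problem areas: the real owner of a spoofed address answers the target's SYN-ACK with a reset. The Python sketch below is an added example, not part of the presentation or its tools; it flags that pattern from the defender's side, together with a TTL mismatch between packets claiming the same source, over constructed packet records (the record layout, addresses and thresholds are assumptions).

```python
from collections import namedtuple

# Hypothetical record layout for packets captured at the target's perimeter.
Pkt = namedtuple("Pkt", "ts src dst sport dport flags ttl")

SERVER = "198.51.100.5"   # constructed: protected target
TRUSTED = "192.0.2.10"    # constructed: address allowed by the ACL

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    Pkt(0.00, TRUSTED, SERVER, 40001, 443, "S", 52),   # SYN claiming the trusted address
    Pkt(0.01, SERVER, TRUSTED, 443, 40001, "SA", 64),  # target answers the claimed source
    Pkt(0.03, TRUSTED, SERVER, 40001, 443, "R", 61),   # real trusted host resets
    Pkt(0.04, TRUSTED, SERVER, 40001, 443, "A", 52),   # sender of the SYN carries on
    Pkt(1.00, TRUSTED, SERVER, 40002, 443, "S", 61),   # ordinary handshake
    Pkt(1.01, SERVER, TRUSTED, 443, 40002, "SA", 64),
    Pkt(1.02, TRUSTED, SERVER, 40002, 443, "A", 61),
]

def find_spoof_indicators(packets, server, ttl_slack=2, window=1.0):
    """Return {(src, sport, dport): [reasons]} for inbound flows that look spoofed."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == server:
            # Outbound SYN-ACK: remember when we answered the claimed source.
            st = flows.get((p.dst, p.dport, p.sport))
            if st is not None and p.flags == "SA":
                st["synack_ts"] = p.ts
            continue
        if p.dst != server:
            continue
        key = (p.src, p.sport, p.dport)
        if p.flags == "S":
            flows[key] = {"syn_ttl": p.ttl, "synack_ts": None, "reasons": set()}
            continue
        st = flows.get(key)
        if st is None:
            continue
        # Same claimed source, different hop distance: two senders share one address.
        if abs(p.ttl - st["syn_ttl"]) > ttl_slack:
            st["reasons"].add("ttl-mismatch")
        # RST right after our SYN-ACK: the address owner never opened this connection.
        if "R" in p.flags and st["synack_ts"] is not None \
                and p.ts - st["synack_ts"] <= window:
            st["reasons"].add("rst-after-synack")
    return {k: sorted(s["reasons"]) for k, s in flows.items() if s["reasons"]}

if __name__ == "__main__":
    print(find_spoof_indicators(SAMPLE, SERVER))
```

A reset after a SYN-ACK on its own also matches a half-open port scan, so the two reasons appearing together on one flow is the stronger signal.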
