Attacking the TCP Reassembly Plane of Network Forensics Tools

Attacking the TCP Reassembly Plane of Network Forensics Tools Gérard 12 Thomas Engel 1 1 University of Luxembourg - SECAN LAB 2 SES ASTRA

Outline

Introduction Definitions and terminology A PCAP file contains network packets Analyst is the person that is analyzing a PCAP file An attacker is the person that tries to lure the analyst A 4-tuple is (source IP, source port, destination IP, destination port) A TCP session Starts with the TCP ESTABLISHED state Ends with the TCP CLOSED state

Introduction TCP reassembly (Source IP, Source Port, Destination IP, Destination Port) P1 P2 P3 P4 P5 FIN ACK ACK ACK SYN 1 2 3 4 5 6 7 8 9 Stream 1 2 3 4 5 6 7 8 9 TCP header TCP payload byte

Related work TCP reassembly is not new... and some attacks still work... TCP Reassembly Attacks for Network Intrusion Detection Systems Tools Fragrouter NIDS benchmark Attack countermeasures Traffic Normalization remove ambiguities Reference Nidsbench, describes NIDS tests and attacks A lot of IDS approaches are neglected in Network Forensics

Tools Targeted tools Tcpflow Wireshark Used tools Tcptrace Tcpick Tcpdump User Mode Linux Fragrouter Iptables Socat Nc Standard tools of network researchers and operators

Launching Valgrind on TCP reassembly tools Error Tcptrace Tcpflow Tcpick Invalid read s=4 5 0 0 occ. Invalid read s=1 2 11 0 occ. Definitely lost 345 0 16 bytes Possibly lost 49152 0 0 bytes Invalid fd 36196 0 0 occ. Uninitialization 0 4 2 occ.

Attacking the TCP implementation Definition Example Most of the forensics tools have their own TCP/IP implementation TCP/IP implementations are often incomplete or defective IP fragmentation is not implemented The implementation is vulnerable to fragment attacks The TCP implementation does not completely respect the standard TCP state machine

Attacking the TCP implementation Attack requirements An attacker must control his/her TCP/IP stack Change behavior i.e. force fragmentation, fake checksums Possible solutions Forge TCP/IP packets with tools like scapy and hping Problems A lot of work for forging only one connection Connections with their payloads must be known in advance Interfering with the TCP stack Concurrency problems, race conditions with the regular TCP/IP stack Modify the packets at routing level fragrouter

Attacking the TCP implementation Attacker setup Attacker Router/fragrouter 10.0.0.2 Target UML switch tap0 eth0:10.0.0.3 tcpdump eth1:10.0.1.1 10.0.1.2 UML switch tap1 Note: All is software based on User Mode Linux

Attacking the TCP implementation Constraints Attacker and target need to be on different subnets Cause: Fragrouter eats ARP responses from the attacker On the router UML, /proc/sys/net/ipv4/ip forward must be 0 Avoid race conditions between attacker TCP/IP stack and fragrouter Routing is done by fragrouter (user space)

Attacking the TCP implementation Methodology At the router UML Launch fragrouter with an attack on eth0 Launch fragrouter with IP forwarding on eth1 return packets tcpdump -n -s0 -w packets.cap At the target UML nc -l -p 2000 > receive.dat At the attacker UML cat data.dat nc target 2000 Was the attack successful? diff data.dat receive.dat Launch reassembly tool on packets.cap :-)

Attacking the TCP implementation Fragrouter attacks Attacks are named after the command line switches Check capture process B1 is regular IP forwarding Ordered 16-byte fragments, fwd-overwriting F7 3-whs, bad TCP checksum FIN/RST, ordered 1-byte segments T1 3-whs, ordered 2-byte segments, fwd-overwriting T5

Attacking the TCP implementation Results Attack Tcpflow Wireshark Tcptrace Tcpick B1 T1 T5 F7 IPv6 1 In Wireshark was used the follow TCP stream feature packets were correctly reassembled packets were not at all/wrongly reassembled 1 Not really an attack

Attacking the TCP reassembly software design Definition This attacks target errors not directly to the TCP reassembly code but other implementation flaws. Example Stream identifier Resource management Incomplete knowledge of the reassembly tool like network topology

Attacking the TCP reassembly software design PCAP bomb Problem A vulnerable reassembly tool assumes that: A TCP session is a 4-tuple Consequences Target Different streams are mixed in one file Offset between streams due to random ISN (Initial Sequence Number) Fill analyst s hard disk Memory exhaustion kill high-level stream analysis software

Attacking the TCP reassembly software design PCAP bomb (Source IP, Source Port, Destination IP, Destination Port) SYN FIN SYN ACK FIN ACK SYN ISN 1 SYN ISN 2 1 2 3 1 2 3 1 2 3??? 1 2 3 Stream TCP header ISN 2 - ISN 1 TCP payload byte

Attacking the TCP reassembly software design PCAP bomb Proof of concept Shell tcpdump -i lo -s0 -w pcap-bomb.cap i=1235 while [ 1 ]; do j=0 while [ $j -lt 5 ]; do cat req.txt socat - tcp:localhost:80, sourceport=$i,reuseaddr sleep 1 let j=$j+1 done let i=i$i+1 done

Attacking the TCP reassembly software design PCAP bomb On average each flow has a size of 2GB. Tune attack: Write a small PCAP program that maximize ISN difference Vulnerable tool: Tcpflow

Hiding Streams 1/2 Problem A vulnerable reassembly tool assumes that: Target A TCP session is identified by a 4-tuple Hide intended web request i.e. rootkit download How the attack works Send dummy data ( or just establish a TCP connection ) Download the real data using the same source port

Hiding Streams Proof of Concept Shell $ tcpdump -i lo -s0 -w hidden-stream.cap $ cat empty.txt socat - tcp:localhost:80,sourceport=1235, reuseaddr $ cat req.txt socat - tcp:localhost:80,sourceport=1235, reuseaddr Notes empty.txt is an empty file req.txt contains an HTTP request to download a file Vulnerable tool: Wireshark 0.99.6a, Follow TCP stream feature

Hiding data in streams Problem TCP reassembly tools assume that information is transmitted in the payload of TCP packets (not covering covert channel) Areas to hide data TCP options Ethernet padding Sequence numbers Old attacking technique Modify ethernet padding, choose sequence numbers etc Network forensic tools should do Statistical analysis of those areas Automated analysis of those areas (test of 0 bytes) Simple solution: Perl / Python scripts based on libpcap.

Stream illusions Problem How does the reassembly tool knows how the packets are handled by the recipient? Attack Forge a stream and replay it Use the tool tcprewrite to modify recorded TCP packets Use perl scripts to modify the fields tcprewrite does not want to modify Use tcpreplay to send the TCP packets Tune the attack: Modify TTL such that the packets do not reach the target (old technique but network forensic tools forget about it)

Mitigating TCP reassembly errors Case study Experiment: Comparing reassembled streams Launch multiple TCP reassembly tools on a PCAP file and compare the generated files Used tools Tcpflow Tcptrace Tcpick various perl scripts

Mitigating TCP reassembly errors Experiment: Comparing reassembled streams Data capture Shell tcpdump -s1500 -w test.cap Table: Results Number of TCP packets 41609423 Number of capture length differences 23781098 Streams generated by Tcptrace 66395 Streams generated by Tcpick 66151 Streams generated by Tcpflow 37022 Counted sessions 2 67454 2 Shortcut : Start with a SYN, ends with FIN/RST

Mitigating TCP reassembly errors Checking input data 1/2 Inspect the header information of the parameters that is passed to the PCAP callback function Ensure that caplen = len Tools that do not explicitly notify the analyst 3 tcpflow, tcptrace, tcpick 3 Except in debug mode

Mitigating TCP reassembly errors Checking input data 2/2 Example #!/usr/bin/perl use Net::Pcap qw /pcap open offline pcap loop/; sub process packet{ my($user data, $header, $packet) = @ ; print $header->caplen..$header->len. \n ; } my $pcap = pcap open offline($pcapfile, \$err) or die Cannot open pcap file: cause: $err\n ; pcapi loop($pcap, -1, \&process packet, )

Mitigating TCP reassembly errors Countermeasures Choose the right capture location (e.g. TTL attack) Before analyzing a capture, know how the capture has been performed Filter out spoofed packed with a packet filter Traffic normalization/scrubing before the capture takes place Reassemble fragments Discard packets with wrong checksums Discard packets with wrong TTL

Demo PCAP bomb

Demo Hide streams

Demo Attacking the reassembly implementation

Conclusion TCP reassembly is often seen as a trivial task Two attacks families were presented Attacks on the TCP reassembly implementation Network Intrusion Detection benchmarks were done to test popular TCP reassembly tools TCP reassembly design attacks were presented PCAP bomb Hiding entire streams Stream illusions aiming to deceive the analyst Attack mitigation techniques and a case study were presented Lack of user notification of anomalies needed for network forensics TCP reassembly attacks still work and some more effort is required for improving network forensic tools

Questions and answers Questions? Acknowledgments Hereby I want to thank You My industrial supervisor Alexandre Dulaunoy