So I'll first introduce myself. I'm Kim Artham. I come from Belgium, so sorry about the accent; sometimes it's gonna be a bit lousy. All right, so today I'm going to speak about sniffing cable modems. You'll see it's actually a very, very easy thing. It took me about just one day, when I had the idea, to say "oh, let's do it this way", and now I get packets, I can sniff everybody. Cool. Sure, sorry.

So, as I said, it took me just one day to find out how to sniff the packets out of a simple TV card. You'll see it's very easy and really freaky, actually. Let's see. So I will speak about DOCSIS, of course. This is the agenda for today. What is DOCSIS? First I'll explain what this protocol is, which is the one used by the cable modems. Then I'll detail the general architecture, so this way you will understand how a DOCSIS network is implemented across the city and why you can sniff this or that part of the network. I'll talk about the registration process; it's an interesting part of this whole sniffing stuff because it gives a lot of information about the modem, its configuration. You'll see, it's really interesting. Then about encryption on the link: there is encryption, sometimes; it's not mandatory. I'll talk about this layer. Then how to sniff it, so of course what you came for, the crunchy part: DVB-C and ATSC cards, I'll detail the hardware that I use. So there are two parts there, the hardware and the software. For the software I'll talk about packet-o-matic, which is the software developed to do the sniffing. And eventually I'll talk about what you can do once you sniff this: there are things related to privacy, you can do a lot of SNMP hacks on the modems as well, that allow you to have... well, you'll see. And miscellaneous stuff, and eventually the references. When I'm done with the talk I'll do a demo so you can actually see this going on. All right, so let's see. What is DOCSIS?
DOCSIS stands for Data Over Cable Service Interface Specification. There are actually right now three versions of the DOCSIS protocol. DOCSIS 1.0, which is the very first one, doesn't have a lot of stuff; it basically allows you to transfer packets and that's it, basic. DOCSIS 1.1 was the next version, because they've seen "oh, we can actually clone the MAC of the modem and there is no authentication, all right, let's fix that", so that was fixed in DOCSIS 1.1. And then DOCSIS 2.0, that has implemented some more stuff, not much more. And eventually DOCSIS 3, which is not out yet. I mean it's still in development, because the hardware required to support that new version, which has higher encryption and higher bandwidth, is really expensive. That means that if you want to upgrade to this newer version you have to change the whole infrastructure, meaning all the modems of everybody, of all your customers, and also the CMTS. So the CMTS part is not that big, but changing all the modems is not easy.

The uses of DOCSIS: well, you most commonly know that DOCSIS is used to provide internet, that's one thing. Second thing, it's used as well for telephony. Most of the modems right now have got an ATA, so it's phone plugs: you just plug in your normal analog phone and you get voice over IP by the modem. This part is really important because now the ISPs provide triple-play subscriptions, so you get internet, you get phone, and you get television as well, since it's the same media. Also, right now I've seen some set-top boxes, so TV decoders, and they build a cable modem inside it. This way the ISP can provide on-demand TV and also find out what you're looking at, which is getting really nice. Okay, the general architecture now. This is how it works.
So on the ISP side you have a big box, which is called a CMTS, and the CMTS will send all the packets on a single frequency. So it's shared media, as in the old days with the 10 megs Ethernet: it sends everything on the same frequency, so every modem is listening on that frequency and filters out what it needs and what it doesn't need. Compared to Ethernet, the old 10 megs coax cable, the return path is different, meaning it's running on different frequencies, and the modems have time slots allocated for each of them, so they know when they have to send packets. Because of this we can actually only sniff the downstream, because the cards that I use are not able to get that lower frequency that the upstream uses. I'll detail that later.

A CMTS is used for either a full city. So where I come from there is one city which is just one single CMTS: you plug your TV cable there on the back of your PC and you've got everybody's traffic, the whole city, it's huge. Also, in bigger cities, of course, it's just a small neighborhood, but it's still a lot of people when you count all the big buildings and stuff. Also, really important, the DOCSIS protocol has been engineered in a way that it could be compatible with all the existing equipment. For example, the frequency range is the very same as the TV frequency range, I mean talking about the downstream, of course. This means that if you have a TV card, well, you can tune to either DOCSIS or TV, whatever; it's the very same one.
Also, it uses MPEG packets for encapsulation. This is again on purpose, it has been done this way because digital... so digital TVs can just read the MPEG packets, and for it it's as if it was TV, or so; it does not really matter.

Okay, the registration process. The very first thing that modems do is acquire the downstream frequency. So all it does is simply scan the whole frequency range, so it starts from the bottom, goes to the top, and once it gets a good lock on a certain frequency it looks if there are the packets that it's supposed to have, aka the sync messages. So there are specific DOCSIS messages, sync messages, that are sent every now and then, but you're supposed to receive something like 10 in a second. So it's very easy for a modem to find out in a timely fashion if this is a DOCSIS frequency or not. Once it's got the downstream frequency it tunes on it, reads the packets from it, and then the upstream parameters are sent to the modem this way. Then it configures itself and is able at this point to have a bi-directional link. So this way it can get an IP address. This is done simply via DHCP as in every network. And then once it's got its IP address, it downloads the configuration file via TFTP. This configuration file is very interesting because it contains a lot of information. For example, you'll find in there what is your downstream speed, so your download speed, your upload speed, also all the ACLs, for example what device can actually manage the IP address, I'm sorry, the modem, via SNMP. So it will tell you, okay...
...now you get this IP address, the source IP address is allowed with that SNMP community, and it will be able to do all sorts of stuff to the modem. There are also ACLs for IP filters; for example, the common way to disable port 25 for SMTP connections, that's done via this TFTP configuration. They simply block port 25 on the modem; this way you cannot send or receive emails. And then of course if you can hack around it you can get rid of it. So once it's got the TFTP configuration in place, it simply applies all the configuration in memory, and that's it, the modem is fully up and running. One thing I forgot about that configuration is that all the configuration entries, besides the upstream and the speed, are done using OIDs like in SNMP. So it says "dot one dot ... equals this value", so you can later on change those values via SNMP as well. Oops, that's not one.

Let's talk about the encryption, that's the interesting part. So the very first, the important thing to know is that encryption is not mandatory, meaning that at your place you may have a connection which is not encrypted at all, meaning everybody can just plug in, sniff, and that's it, he sees everything you do. That's really, really scary to me. There is also of course an encryption mechanism, so BPI. BPI stands for Baseline Privacy Interface. There are two versions of BPI: BPI, the normal one, and BPI+, and this one provides authentication. So as I said, DOCSIS 1.0 didn't provide any means of authentication; you could just change your modem, take another one that you hacked, clone the MAC, change the MAC, and that's it, you were on the network, you could do whatever you liked. But now with BPI+ it uses certificates, so each device has a certificate, the CMTS as well, and that's the way they authenticate each other, and then eventually they negotiate the key this way as well. Another interesting thing is that currently the encryption algorithm...
...it's DES and it's only a 56-bit key. That is too scary. So, well, right now I'm not cracking it because my crypto skills are pretty... well, they're not there. So I'd like to use this opportunity to ask here if anybody has crypto skills, I'm sure there is, if you could help me on that, find a way to crack this DES key, that would be amazing, meaning we could sniff the whole world. So that DES key, for example, it's just a shared key between the ISP and the modem, and the key lasts for 12 hours, so there's plenty of time to crack it. You can even dump it and then eventually recover the data. Talking about AES: AES, that's gonna come later on in DOCSIS 3.0. But as I said, this AES encryption is really expensive, so you need a special chip in the modem and that raises the price really high. That's why all the ISPs are not gonna go to DOCSIS 3.0 right now. You may see that some ISPs do, but it's not really the real DOCSIS 3.0; it's just for the larger bandwidth that DOCSIS 3.0 provides. It provides a larger bandwidth in the fact that it bonds multiple downstreams in a single channel, so you can go to speeds like 100 megs. So AES, it's not gonna come until one or two years; the thing will depend on your ISP, probably some ISPs will stick to DOCSIS 1 or DOCSIS 2 even.

Okay, so how to sniff it. What you need is this. What is this? A TV card, a digital TV card, so it's either an ATSC card or a DVB-C card. The DVB-C card you'll find in Europe; it has more advantages, for example it can use different symbol rates, well, that's RF stuff you don't really care about, but anyway. In the US use ATSC and in Europe DVB-C, and you can sniff everybody. This is possible just because they did engineer that to use the very same frequencies. So that's it. Yeah, I'm talking about the price of this card: it's $100, so everybody can afford it. There is one downside, that as I said you only have the downstream, because the upstream is a different frequency, it's below 50 megahertz, and those cards can't handle it.
So, but the downstream is way enough. You'll see we can do a lot of stuff already. I'd like to try different hardware too, for example the USRP. If you guys know, USRP stands for Universal Software Radio Peripheral, and it's actually coupled with GNU Radio, and you can use whatever tuner and whatever antennas to send and receive. You could even code a cable modem yourself with that device; that would be really nice.

On the software part, there is packet-o-matic. It works this way: you've got the input module, so it's fully modular. You've got the input module, you can select, okay, I want to sniff from DOCSIS, I want to sniff from pcap, so interfaces, files, whatever. Then all your packets are processed using the rules that you specify, so you say, okay, I want Ethernet, then IPv4, and everything that is TCP on port whatever. Or even if you use the DOCSIS input and say, okay, my first layer is gonna be DOCSIS, you can say, okay, I want all the DOCSIS packets; well, I'll show you there, there are various ways. Once it's processed, at the same time there are the helpers. For example, if you've got fragmented IPv4 packets, it's just gonna reassemble them and send the complete IPv4 packet to the upper layer. This way the software later on doesn't have to care about all these specificities of the protocols. I forgot to say that each protocol is also just a module. So for example if, let's say, IPv8 is gonna come later on (I hope not), you can just code a module and that's it, you've got IPv8 support. So once you match your packets, you know what you want, it's processed by the target, and the target does whatever you like. So for example right now there are targets to dump HTTP traffic, so it's gonna dump the images, it's gonna dump the web files, the HTML files, it's gonna dump the video files.
So let's say you start the DOCSIS... that software, packet-o-matic, on the DOCSIS stream. You say, okay, everything that is on port 80, dump the video, and you'll see everything... what people are gonna... sorry. You'll see everything that people go and see on YouTube, and you can just click and see. That's cool. Also everything occurs in real time. Yeah, I didn't want something like, you know, Ethereal, Wireshark, where you dump all your stuff, you've got a pcap, you read the file, and then if, let's say, you want to extract some audio files, you have to right-click and then extract, and it's boring. So what you do is simply set this up, say okay, all these ports, you know, it's RTP traffic, it's voice traffic, simply process them as audio, and it will just reassemble all the files in real time. So you will see everything growing in your directory. It's really scary too, because there are five at the same time; usually you can't just listen to all of them. Yep. So also there is a telnet and an XML-RPC interface. The XML-RPC interface, it's actually a web interface, I'll show you there. You can use both at the same time, as I recall.

Okay, so what can you do? First, privacy. Of course you can sniff all the data, that's easy, but then you need to process it. Sniffing all the data, well, you've got let's say five megs per second of traffic; this is huge. So you need to really sort it out and say, okay, I want this part of the traffic. So you probably will need to use Wireshark to first analyze the traffic that you get and see, okay, these IP addresses are used for voice, these IP addresses are used for other stuff, then you build your rules, build your targets, and that's it, it will do whatever you like. Yeah, there are additional targets, for example the mails. I tried once on a test network. So for example, let's take this scenario.
You have one ISP who has a POP3 server, so it gives accounts to all its customers, and of course the POP3 server is not encrypted, which is never encrypted anyway. And everybody is gonna connect to the POP3 server, and well, it's very easy simply to say, okay, sort all the mails that you retrieve, put them in... so sort them by directories; each directory is gonna be the IP address of the guy, and its emails, all its emails, in a maildir format. And then simply start an IMAP server and you've got everybody's email in your mail client. You can also do denial of service. So if you're bored, if it's like 4 p.m., 8 p.m., and you don't have a lot of bandwidth available for you, well, you simply sniff, see, you know, run ntop or whatever, who is taking all your bandwidth, and it's actually possible to re-inject. So it works this way: you've got one PC with the digital TV card, you sniff packets, and you re-inject the TCP reset packets through your modem, and that's gonna go through because the modem itself is just a stupid Ethernet bridge. I mean, of course, provided you remove the right ACLs on the modem. Anyway, so it just works. It's amazing.

All right, SNMP hacks. So as I said, once you get access to the modem via SNMP you can do a lot of stuff. First of all, the most interesting stuff is to change the IP filter, so you can't send email, you can't receive email, port 25.
Well, no problem, SNMP set, and there you go, it's removed. It goes as well for the firewalling rules that are usually set to access the other modems in the network. So each modem gets, you know, an IP address in a private range like 10-dot-something, and you cannot access those ranges, for obvious reasons, but well, once you remove the filter you can access it, and well, you can do the very same thing, meaning connect via the web interface, SNMP, change, reboot people's modems, have fun. So I mean I haven't been through the whole SNMP documentation for the modems, but there's just too much. Also, yeah, miscellaneous stuff. So yeah, sniffing the DOCSIS stream is nice, but then you probably want to use the tools that you have already, I don't know, tools like... well, if you simply want to tcpdump, or Wireshark, or dsniff, well, you know, you simply create a tap device and it's gonna output every packet that you've got to that device. So it will create a virtual interface in your Linux system and you can use it as a normal interface, sniff from it.

Okay, so references. If you want to dig deeper into this protocol you can find the full protocol specification on cablelabs.com. It's all open; they just hide a bit of stuff regarding the encryption, but still you can find it. MPEG, yeah, as I said, the encapsulation works this way: you've got MPEG packets, which are 188 bytes, and then in each of these packets are encapsulated DOCSIS frames, and in those DOCSIS frames you've got Ethernet frames, and then the known suite of protocols, IPv4, TCP, whatever. And for the software just go on packet-o-matic.com and download it.

All right, let's do the demo now. Oh, it's already running. Okay. All right, so to start the software just do minus e so it starts with an empty configuration. Is it readable, or okay? What about this? Okay, oh damn. Sorry, I don't think I can do anything about that. That's it though, but anyway, that should be way enough. Okay, cool.
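As an added example (my own code, not from the talk or from packet-o-matic), here is a small Python demultiplexer for the encapsulation just described: 188-byte MPEG packets on the DOCSIS PID, DOCSIS MAC frames inside them, Ethernet PDUs inside those, written as the check you would run on a capture of your own line: count SYNC messages (the modem's own "is this DOCSIS?" test) and count how many Ethernet PDUs carry a Baseline Privacy extended header with ENABLE set versus none at all. Assumptions: the well-known DOCSIS PID 0x1FFE and the MAC header, extended header and MAC management layouts from the CableLabs specification; the HCS is not validated, and the sample capture is constructed bytes.

```python
import struct

TS_LEN, DOCSIS_PID, STUFF = 188, 0x1FFE, 0xFF   # MPEG packet size, DOCSIS PID, MAC stuffing byte
FC_PACKET, FC_MAC_SPECIFIC, FC_PARM_MGMT, MGMT_SYNC = 0, 3, 1, 1
EH_BP_UP, EH_BP_DOWN = 3, 4                     # Baseline Privacy extended-header element types
def docsis_payload(ts: bytes) -> bytes:
    # Join the payloads of the 188-byte MPEG packets on the DOCSIS PID.  When the
    # payload_unit_start_indicator is set, payload byte 0 points at the next frame start.
    out, synced = bytearray(), False
    for off in range(0, len(ts) - TS_LEN + 1, TS_LEN):
        pkt = ts[off:off + TS_LEN]
        if pkt[0] != 0x47:
            raise ValueError(f"lost MPEG sync at offset {off}")
        pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
        if pid != DOCSIS_PID or (pkt[3] & 0x30) != 0x10:  # DOCSIS packets carry payload only
            continue
        payload = pkt[4:]
        if pkt[1] & 0x40:                                 # PUSI: strip (or follow) pointer_field
            payload = payload[1:] if synced else payload[1 + payload[0]:]
            synced = True
        if synced:                                        # drop tails of frames never seen to start
            out += payload
    return bytes(out)

def parse_mac_frames(stream: bytes):
    # Yield (fc_type, fc_parm, ehdr, pdu).  MAC header: FC(1) MAC_PARM(1) LEN(2) [EHDR] HCS(2),
    # LEN counting EHDR plus PDU.  The HCS is skipped, not validated, in this example.
    i = 0
    while i + 4 <= len(stream):
        if stream[i] == STUFF:                            # stuffing between frames
            i += 1
            continue
        fc, mac_parm, length = stream[i], stream[i + 1], struct.unpack_from("!H", stream, i + 2)[0]
        ehdr_len = mac_parm if fc & 1 else 0              # FC bit 0 = EHDR_ON
        pdu_end = i + 6 + length
        if pdu_end > len(stream):
            break                                         # truncated trailing frame
        yield fc >> 6, (fc >> 1) & 0x1F, stream[i + 4:i + 4 + ehdr_len], stream[i + 6 + ehdr_len:pdu_end]
        i = pdu_end

def bpi_status(ehdr: bytes):
    # Decode the BP_DOWN / BP_UP element (EH_TYPE:4 bits, EH_LEN:4 bits, value), if present.
    i = 0
    while i < len(ehdr):
        eh_type, eh_len = ehdr[i] >> 4, ehdr[i] & 0x0F
        val = ehdr[i + 1:i + 1 + eh_len]
        if eh_type in (EH_BP_UP, EH_BP_DOWN) and len(val) >= 2:
            return {"key_seq": val[0] >> 4, "enable": bool(val[1] & 0x80), "toggle": bool(val[1] & 0x40)}
        i += 1 + eh_len
    return None

def audit_downstream(ts: bytes) -> dict:
    # SYNC messages prove the channel is DOCSIS; cleartext > 0 means any TV card can read the
    # Ethernet frames (BPI leaves only the MAC header and DA/SA in clear).
    c = {"mac_frames": 0, "sync_msgs": 0, "packet_pdus": 0, "bpi_protected": 0, "cleartext": 0}
    for fc_type, fc_parm, ehdr, pdu in parse_mac_frames(docsis_payload(ts)):
        c["mac_frames"] += 1
        if fc_type == FC_MAC_SPECIFIC and fc_parm == FC_PARM_MGMT:  # mgmt PDU: DA SA len DSAP SSAP ctl ver type
            c["sync_msgs"] += int(len(pdu) > 18 and pdu[18] == MGMT_SYNC)   # type byte sits at offset 18
        elif fc_type == FC_PACKET:
            c["packet_pdus"] += 1
            bpi = bpi_status(ehdr)
            c["bpi_protected" if bpi and bpi["enable"] else "cleartext"] += 1
    return c

def _frame(fc_type, fc_parm, pdu, ehdr=b""):             # constructed sample helpers: synthetic bytes
    fc = (fc_type << 6) | (fc_parm << 1) | (1 if ehdr else 0)
    return bytes([fc, len(ehdr)]) + struct.pack("!H", len(ehdr) + len(pdu)) + ehdr + b"\x00\x00" + pdu
def _ts(payload, cc, pid=DOCSIS_PID):                     # one MPEG packet, PUSI set, pointer_field 0
    hdr = bytes([0x47, 0x40 | (pid >> 8), pid & 0xFF, 0x10 | cc])
    return hdr + (b"\x00" + payload).ljust(TS_LEN - 4, bytes([STUFF]))
def sample_capture() -> bytes:
    eth = bytes.fromhex("0011223344550066778899aa0800") + bytes(20) + b"\xde\xad\xbe\xef"  # + fake CRC
    sync = bytes.fromhex("01e02f000001 0066778899aa 000a 000003 01 01 00 01020304")  # SYNC + timestamp
    bp_on = bytes([(EH_BP_DOWN << 4) | 4, 0x10, 0x80, 0, 0])   # key_seq 1, ENABLE=1
    bp_off = bytes([(EH_BP_DOWN << 4) | 4, 0x10, 0x00, 0, 0])  # element present but ENABLE=0
    return b"".join([
        _ts(_frame(FC_MAC_SPECIFIC, FC_PARM_MGMT, sync) + _frame(FC_PACKET, 0, eth), 0),
        _ts(b"not docsis, just video", 0, pid=0x0100),          # another PID: ignored
        _ts(_frame(FC_PACKET, 0, eth, bp_on) + _frame(FC_PACKET, 0, eth, bp_off), 1)])
```

Run `audit_downstream()` on the raw MPEG-TS bytes of a real recording (the whole-stream pcap the demo produces can be converted to that) and a non-zero `cleartext` count tells you your ISP is running the link without BPI.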
So let me show you the telnet interface. Simply telnet to it, port 4655, chosen like, you know, like Debian and random dice, and that's it. First thing to do: set up the input module that you want to use. To do this, very easy: set input type docsis. Okay, and we've got our input configured, so you can see current input docsis. It's in normal mode; it's docsis. I'm coming from Europe, so I just set that to euro; you're just gonna have to change that yourself. Frequency, well, that's the default one, but it's not what I want to do. I don't know right now what is on this network, so well, let's scan. So there's another mode for this input: set input mode... let's see what we have: scan. Good. Okay, so now it's in mode scan. Start frequency zero, well, I know where it is, so I'll put it to something closer. Set input parameter... come on, is that it? Nope, I should do... yeah, maybe I should change that to megahertz anyway. So this is it. Well, the only thing left is to start the input. So that's it, it starts to scan. It goes from the frequency I specified to the maximum one; it's gonna look into every single megahertz, see what's going on there. Okay, oh, it got a frequency. It was able to tune, but obviously it was not a DOCSIS stream because it didn't receive any sync message, so it skips it. It's probably TV. Okay, there we go, so it found it. This is it: frequency tuned, downstream acquired, you've got the frequency, 442 megahertz, symbol rate, well, you don't care about that, QAM, yeah. There are two of them that are available, QAM 256 and 64, so if you don't find anything on QAM 256 just try 64, you'll surely find something. Okay, so this is nice, we've got our input. Is it dumping packets? Oh yeah, it is, quite a lot actually. Okay, so let's do something with that. Just... sorry, let's close this, I don't need it. For privacy reasons, I'll just not show anything. Come on guys, I can't do that, you know I can't. Hold on.
I'm not done yet. All right, so, well, let's just see how much bandwidth you've got. So this is in Belgium; it's about 4 a.m. there, so I don't expect to have a lot of traffic. Let's see. So first of all, let's add a rule: rule, I want all the Ethernet traffic. Okay, so that's it, I've got my rule. Show rules: it's disabled, let's just enable it, enable rule 0. Okay, so it starts to process packets already, I see it's matching stuff. So after the rules we need the target. Okay, let's try to do that virtual interface stuff: add target. Target to rule 0, and this is all the targets available, so you just do tab, you get the completion, and you see what you can do. So I'll use target tap. Show targets, there we go: it's stopped, interface name pom0, that's fine, let's start it. Oops, start target 0 0, there we go. Okay, let's see: ifconfig pom0, cool, it's working, let's take it up. Okay, a bit of traffic, not much, but there is something. So that's it, I will not show any packets; I'll do some more demo on my laptop, you'll see. So yeah, this is one of the possibilities. Let's say now I want to dump the whole DOCSIS stream in a pcap file. So as you all know, Wireshark dumps Ethernet traffic, so at the Ethernet layer, but you can also put different stuff in those pcap files: you can put DOCSIS packets, so you can go up one layer, so you've got DOCSIS, Ethernet, IPv4, etc. Or you can even go down one layer, meaning you can just save the raw IP in a pcap, and it's all manageable here. So let me start again with a new configuration, it'll be easier. So I stopped, but you can see there are a few stats: it tells me I got that many MPEG packets and so on, it's not IP packets, and apparently my link was quite good because I didn't miss anything. Okay, but probably because there is not much bandwidth, I mean not much traffic. All right, so let's start again. I know about the input.
So let's set input type docsis. Let's do this quickly: input parameter frequency, well, come on, for you see: 4 4 2 1 3 1 2 3. Start input. There we go, too easy. All right, so rule... I am, oh yeah, I forgot something. So here you can see outlayer ethernet. So by default that input is gonna give you Ethernet packets, because you probably don't care about that DOCSIS layer, but you can change it here by setting that parameter to docsis: set input parameter outlayer docsis. Start input. There we go. Yeah, I forgot to mention something: all the rules that you specify, you have to specify all the full layers that you want to use. So in this case, if I want to dump, let's say, TCP traffic, I have to specify docsis, because the very first layer that I'll have from the input is gonna be docsis, then ethernet, ipv4, I do... you differentiate IPv4 and IPv6 just this way, and tcp. Show rules, okay, it's disabled, enable rule 0, there I go, there is a bit of traffic. Add target 0 pcap, let's save all this, it will be useful. Target is stopped. So here again, this is what I was talking about: you can set whatever layer you want to save. So if you want to save DOCSIS packets, it can be useful for DOCSIS engineers who want to troubleshoot what was going on, well, okay, without the upstream. You do, that's it: target parameter 0 0 layer docsis. There we go. Where did I dump it? Oh, done, the pcap. Okay, where is it? There you go, so you can see it's got everything and it's DOCSIS, it's not the Ethernet layer. That's very useful. Okay, so let me show you some more stuff now, but not on this DOCSIS network, simply because it's too far away and it was such a burden to try to get something out of it. So I'll just use packet-o-matic on my laptop and show you some of the extra stuff you can do, but consider this as if it was just on the DOCSIS network. All right, so let's try to dump some images that I will go and see on the internet.
So I just started: minus e, empty config; minus x, enable the web interface. Whoops, I forgot that it's already running here. Okay, so I started here. Let me show you the web interface. Is this readable? I speak too much. Okay. Okay, good. So as usual, configure the input. I'll just use pcap here. I need to select the mode; I'll say interface. This way, I mean you can either sniff from an interface or sniff from a file that you recorded already. It takes eth0, snaplen, that'll be fine, save changes and start input. Come on. Okay, operation... of course, come on, it works better as root. All right, let's try again. Your input, okay, started now. So you see it's the same stuff you see in the console. All right, so let's see, images, hmm, that must be on port 80. Come on, I've got difficulties to click. ipv4, tcp, sport equal 80. Yeah, about this source: you just select one side of the communication, because there are conntrack, so connection tracking modules; they will just find out what is coming from the reverse direction. So if you want to sniff anything that is on port 80, select source or destination, it does not really matter, because once the target starts to dump the very first connection, it will say, hey, now you save the conntrack information and I want to know about every single packet from the reverse direction. So it's all taken care of. Okay, I've got my nice rule. Let's add a target: HTTP. Default mode: dump images, yes, slash tmp, that'll do. Okay, so input is started. Let's start the rule, I mean sorry, enable the rule, start the target. Let's see if we can get the same, just to confirm. So input is configured, rules are okay, target is... cool. All right, well, let's go on a stupid website. Do you guys like lolcats? Oops. Okay, it's nice. Nobody cares, all right.
Oh, there are a few images. Okay, it works. So as I said, it's that easy: you select your inputs, okay, DOCSIS, say I want everything on that port 80, and dump images, video, PDF, binary files, HTML files, whatever, you're just gonna get it; you can look at it and have fun. All right, so that's one thing. Now let's do something a bit more nasty, because, okay, let's get rid of this. Goodbye. Now that's fine, but TCP kill is funnier. So simply again select the mode, interface, there are two modes. Oh yeah, I forgot to mention that. Yeah, I like the TCP kill a lot, so I kind of perfected it in a way that it works for IPv4, IPv6 and IPv4 in IPv6... no, sorry, the opposite, IPv6 in IPv4. So if you find somebody who's got a tunnel you can still have fun with them. All right, there we go, so let's start it. I'm not gonna use the web browser this time, simply because it caches everything, so I'll connect myself. Okay, it connects, but oh, oh, that's not good. Let's try again. No, okay. All right, so, well, that's about it. I could show you a lot more stuff because there is a lot more stuff to do and to try, but just go through it yourself. As a conclusion: yeah, connect to your modem, make sure it's encrypted, if possible ask your ISP to switch to DOCSIS 3, because DOCSIS 2, I mean the DES encryption, is most probably not gonna last long. And yeah, well, thanks for attending, I hope you had fun.