All right, so it may be the last day, but we still have first-time speakers, and we have a first-time speaker here. In case you weren't aware, first-time speakers must hydrate before they speak. So he has elected for hydration, and we're going to give it to him. Here's to you guys. I think you're ready. Yeah, if you sat through that autonomous talk yesterday, you should probably get a shot.

Hey, thanks for coming today. We're going to be talking about the internet and internet security. Over the next 45 minutes we're going to go over a little bit of fluff: who I am, why I'm here. We're going to go over some remedial networking, because there may be some network pros out here. I'm sure there's at least one person who was around at the birth of the internet, has a staff made from transatlantic cable, and will be casting spells on me if I say anything wrong. But there's a pretty wide range of people here: we've got reporters, we have security experts, we have people who specialize in networking, and people who never deal with networking at all. So we're going to go over some of the basic concepts, and then we're going to transition to the basics of how the internet works itself. For those of us who don't have a home Cisco lab and aren't set up to build a home network and try some of the attacks we're going to go over today, we're going to go over some tools you can use to build your own internet at home, and then some tools we can use to break it. We're going to go over some of the ways the internet is already broken, we're going to do some demos of some of the attacks that are out in the wild right now, and then we're going to explore some ways that we can damage the internet a little bit more.

Now, who am I? I'm Lane Broadbent. I'm a security engineer with Vivint Inc.
Vivint is a home security, home automation company. It also has cloud storage and is a wireless internet service provider. Some of you may know us; some of you may have had our sales guys come to your door. The demos and tools that I'll be using today you can get on GitHub. I'll be posting them after the talk as soon as I can get reliable internet access. I'm not actually sure when that'll be, but I'll try and get them up today, definitely.

Now, what's behind this? Here's an announcement from US-CERT talking about how nation-states are targeting internet infrastructure devices and internet routers. Now, mostly when we talk about routers being attacked, what we're talking about is home routers with poorly configured credentials and backdoors from firmware that hasn't been updated in a long time. But there are also the routers that make up the core infrastructure of the internet that have to be considered, and those are what we're going to talk about today.

Now, a little bit of remedial internet and remedial networking. Here we have an IP address in CIDR block notation. An IP address is a 32-bit number.
I'm sorry, this slide actually didn't come out too great, but IP addresses are generally broken up into four blocks of eight bits called octets; this is in octet notation, and after the slash is your subnet mask. So the first 24 bits of our IP address signify our network address, or, as we'll be calling it from here on, our prefix. For addresses that have the same network address as you, on, say, your home LAN, as a simplification, you can generally access them directly. For those that have a different network address, you generally have to go through a device called a router. Routers are connected to multiple networks. They'll take that packet, look at where it's trying to go, and compare it to the information they have about where they can get to. Now routers will have different routes to different networks, and there may be multiple routes that match, so they'll go with the most specific route, or the route with the longest match. Quick example: that first one, 10.0.0.0/8, doesn't match at all, so that's not a route that's going to be taken. That leaves us with two routes that do work. However, one has a /23 and the other a /24; 24 bits is longer than 23 bits, so the router is going to choose that route and send the data that direction.

Now, I keep saying router. I know a lot of you probably cut your teeth on these. Raise your hand if you have one of these lying in your closet somewhere. That's right. Now these are generally called routers, but what they really are is a converged device. They're a wireless access point, a DHCP server, a firewall that provides NAT, a DNS server. They're neat.
They have an ethernet switch, a web server for configuration, and they also act as a router, which is connecting those two networks and forwarding traffic between them. What we're going to be talking about today generally looks more like this. This is a dedicated router, and what it does is function as a router. And also, if you need a nap, it's an excellent space heater.

So, quickly, what is the internet? As one of our elected officials in an earlier net neutrality debate informed us, the internet is a series of tubes. So let's talk about some of those tubes. Here we have a greenie hacker; he hasn't earned his black hoodie yet. He's trying to get to the DEF CON website. He has this tube, and that's kind of what it feels like: usually you type in an address, you hit enter, and all of a sudden the website shows up on your screen. What's really happening is closer to this, where to get from one side to the other you have to go through a series of intermediate networks. These are called autonomous systems, and these autonomous systems are what actually make up the internet. There is no one provider that gets you from point A to point B. You have these different systems, such as your ISP, which then connects to another autonomous system that it forwards the traffic to, and so on until you get to your destination.

So what is that autonomous system? It's a network, or a group of networks, under the control of a single entity, using the example here of Vivint Wireless, the company I work for. It's identified by an autonomous system number. It connects to and routes traffic between one or more other autonomous systems.
So this autonomous system connects to Hurricane Electric and Level 3 Communications, and they announce an internal IP address space, and address space learned through their peers that they can forward traffic to. This autonomous system advertises these two particular routes as well as others. Here's a graph I pulled off Hurricane Electric's website, which has some great BGP tools, so if you want to learn about BGP, go there. Here you can see we're connected to Level 3 and Hurricane Electric, HE, and then those two autonomous systems connect to a large number of other autonomous systems. Now, Level 3 is what's called a tier 1 network. Tier 1 networks are the big dogs, or, if you think about the internet, they would be the core of the internet. From a tier 1 network you can get to any address that's publicly available on the internet. They generally have thousands of miles of cables spanning countries, if not continents, and they don't pay anybody for access to their networks.
It's either they have a no-cost agreement with other tier 1 networks, or they have other networks that pay them. Hurricane Electric has to be a tier 2 network because they pay somebody else, but then they have a large number of people who also buy their services and access to their network.

Now, all these autonomous systems communicate over the Border Gateway Protocol so they can exchange routing information. So autonomous systems will agree to interconnect. There's a business agreement: you pay for access to a network, or you are paid, or you have what's called a transit-free agreement. And then your BGP routers will announce their routes to their neighbors. So you connect to another autonomous system and it says, I can reach this address space, and this is how I can reach it. That's the AS path and the prefix. And then when a packet comes in that needs to get to a destination, the most specific prefix, the route with the longest match, is chosen, and the data is forwarded through that next autonomous system. After that come the shortest path and those other attributes, and local admins can set policies to prefer certain networks as well.

Now, I said BGP announces the space. So here we have three different autonomous systems, each one with its own prefix that it's going to be announcing.
So we're going to look at autonomous system 3 and follow its announcement over to autonomous system 1. Autonomous system 3 says, hey, I can route to 13/8. It tells that to autonomous system 2. Autonomous system 2 then records that and says, hey, I can get to this prefix through autonomous system 3. It then announces that to its neighbor, autonomous system 1, and autonomous system 1 now knows that you can get to 13/8 through autonomous system 2 and autonomous system 3, which is where the address space is serviced. And then that continues, and eventually every autonomous system on the internet knows how to get to 13/8. Really quick primer on BGP announcements.

Something to know about the Border Gateway Protocol and autonomous systems: there's no central authority that actively monitors, manages, and enforces who can announce a prefix. You're assigned a prefix through IANA and its regional registrars, and the same way you'll receive an address block. Now, there is no definite link between an autonomous system and an address block. You can have an autonomous system without an address block, and you can have a block of addresses without having an autonomous system. There's nothing that says that one person can announce a certain space, and then when you come to an agreement to peer your autonomous systems, really, who manages that is between those two autonomous systems. They'll agree.
Hey, you can pass this information to me, and I will then pass that routing information on to the neighbors. There's no one central authority that says this person can announce this route, and there are some pretty good reasons for that as well. An autonomous system can connect and disconnect to its neighbors at will. You can always take down your link, and when you do that your route will disappear and your traffic will take a different route. You can take your IP addresses and move them into a different autonomous system. If you have a provider that's announcing your address space for you, and you want to upgrade, or say you're under an attack and you want to move to a different provider, then you do that: you say, announce this space for me, and they start announcing the space. They don't have to check with anyone to make sure they can do that first. And you can also announce from multiple locations. Anycast: what it does is you'll have multiple geographic locations announce a certain space, and your traffic goes to the closest one. Google's DNS and other DNS servers do that, for example. And something to note: the routing decision is made at every autonomous system along the way.
There's no definite path that your traffic is going to take. You can take one path to the destination, and then the return traffic can always take a different route.

So let's talk about some tools that we can use to build our own internet, see how this all works, and then destroy it. First up is Mininet. Mininet is a network emulator that you can use to stand up a realistic network on your host. You don't have to set aside a host like you would with a hypervisor, well, depending on your hypervisor. It's a simple tool that you can use to create a network namespace and stand up hosts, routers, firewalls. If you want to learn about software-defined networking, it uses OpenFlow switches, and you can control that; you can set up controllers. Important for this discussion is that it is cheaper than going out and buying a bunch of Cisco equipment and setting up a home lab. It's a lot more flexible, you don't need the Cisco knowledge to do it, and it's incredibly fast. So I say it's fast; let's do a little demo and see how fast we can set this up. Let's create this network here: nine hosts, four switches. Let's get over here, primed. All right, so really quick, we're going to set it... Okay, not so quick. All right, I guess we'll do it in Windows Media Player then. Okay, so we ran the command, it set up the network, created all of our hosts, created links between the switches. Don't skip ahead of me now. We just did a ping test between all of them; they can all communicate with each other. We can run commands on the hosts. So we're going to tell one host to ping another host; that works. And just to show we can still run commands, let's get the IP address. All right, so now we've set up a network, we communicated with the hosts, and that was all 21 seconds to set up that network. And how do I get back into the presentation on this? No, that wasn't it. Somebody shout out, how do I get this? You say View? There we go. Full screen.
See, that's why it's a good group to have a technical problem with. All right, so another tool we're going to use is NFQUEUE and libnetfilter_queue. NFQUEUE is an iptables target that, instead of accepting, dropping, or rejecting a packet, allows you to throw it into a queue. That queue is then accessible from user space. You can have a program in user space examine that packet, make the routing decision, and pass it back down to the kernel. You can also modify that packet before it's accepted. Really quick to set it up. Here's the iptables command: we're going to add an NFQUEUE rule sending traffic to destination port 23 to NFQUEUE, and from there it's accessible from user space. Now, what do we use to deal with those packets? We're going to use Scapy. For those of you who aren't familiar, Scapy is a Python module that allows for packet manipulation and decoding. We can craft raw packets, and we can interact with netfilter queues. Now we can craft packets, and what we have here is a quick one-liner to generate a DNS request without going through the different layers: we set the destination, we say UDP, we make it a DNS packet and put a name in it, and then we send it. That's it, one line.

Okay, so let's get back to the internet. Now, how can we exploit the internet? There are two things we're going to talk about today: IP spoofing and prefix hijacking. IP spoofing is changing the source address on your packets as you're sending them out. Why you might want to do this: you want to hide your identity, impersonate somebody else to incriminate them or just annoy them, or you could be doing it for general reasons like load balancing or testing. Again, here's another one-liner for Scapy where we forge the IP address of a packet and send it out. So why does this work?
The routers aren't necessarily examining the source of a packet; their main concern is the destination, and they're not always configured to care where the packet came from. So it's hard to say that a certain autonomous system shouldn't carry the packet, because the routes aren't set and those IP addresses are portable. And it's also easier to trust somebody than to distrust them. You have a relationship with somebody; you trust them to be doing what they're supposed to and not making your life more difficult, so you say, okay, they must be sending me legitimate traffic. There's also the issue that some people don't care, or they haven't configured their systems correctly. An example of this is bogon routes, where an autonomous system will advertise private address spaces like 10.x.x.x, 192.168.x.x, various address spaces that shouldn't be used on the public internet. If you want to see who's doing that, Hurricane Electric has a page; they'll give you a report of which people are sending out bogon routes. It's actually kind of interesting.

Okay, so using IP spoofing, what can we do?
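The source-address checks the talk says routers mostly skip, shown as an added example that is not part of the talk or its GitHub code: a BCP38-style filter for a customer-facing port that drops packets whose source is a bogon or is outside the space assigned to that port, and a scan of a BGP feed for announcements of bogon space like the private ranges just mentioned. The addresses, prefixes and AS numbers are constructed, and the bogon list is a partial one assembled for the example.

```python
"""Added example (not the speaker's code): the source-address checks that the
talk says routers usually skip. Two defender-side checks:

  * ingress_verdict(): a BCP38-style filter on a customer-facing port that
    drops packets whose source address is a bogon or is not assigned to
    that customer, so spoofed packets never leave the edge network.
  * bogon_announcements(): flags BGP announcements of bogon prefixes, the
    same kind of report the talk mentions Hurricane Electric publishing.

All addresses, prefixes and AS numbers below are constructed for the example.
"""
import ipaddress

# Space that must never appear as a public source address or in a BGP
# announcement. Partial list: the RFC 1918 private ranges the talk names
# plus a few other well-known reserved ranges (assembled for this example).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr_or_prefix):
    """True if a single address or a whole prefix falls inside bogon space."""
    net = ipaddress.ip_network(addr_or_prefix, strict=False)
    return any(net.version == b.version and net.subnet_of(b) for b in BOGONS)


def ingress_verdict(customer_prefixes, src):
    """Decide whether a packet arriving on a customer port may be forwarded.

    customer_prefixes: the address space assigned to that customer port.
    src: the packet's source address. Returns "accept" or "drop:<reason>".
    """
    addr = ipaddress.ip_address(src)
    if is_bogon(src):
        return "drop:bogon-source"
    allowed = (ipaddress.ip_network(p) for p in customer_prefixes)
    if not any(addr in net for net in allowed):
        return "drop:source-not-assigned-to-port"
    return "accept"


def bogon_announcements(announcements):
    """Return the (peer_asn, prefix) announcements that advertise bogon space."""
    return [(peer, prefix) for peer, prefix in announcements if is_bogon(prefix)]


if __name__ == "__main__":
    # Constructed traffic arriving on a port assigned 203.0.113.0/24.
    for src in ("203.0.113.7", "198.51.100.9", "192.168.1.5"):
        print(src, "->", ingress_verdict(["203.0.113.0/24"], src))
    # Constructed BGP feed: AS 64496 leaks 10/8, AS 64497 announces real space.
    print(bogon_announcements([(64496, "10.0.0.0/8"), (64497, "203.0.113.0/24")]))
```

The port filter is the piece that stops a spoofed packet at its first hop, before any autonomous system has to decide whether to trust a neighbor's traffic; the announcement scan is the other side of the same trust problem, catching a peer that leaks private space into its routes.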
We're going to talk about state exhaustion attacks, specifically SYN floods, and we're going to do that really quickly because it's kind of solved, but we're going to come back to that later; and volumetric attacks, specifically reflection attacks. Really quick, SYN floods. Older attack. To form a TCP connection you have to go through a three-way handshake, where you send a SYN packet to a server, the server responds with a SYN-ACK, and then you acknowledge their SYN-ACK. You synchronize and then have a session with them. Initially, when doing that, the server would set aside a certain amount of memory to track that session, waiting for the SYN-ACK packet, because of course the person is going to respond correctly to it, and everyone's going to be happy and they're going to communicate. You send a lot of SYN packets, it consumes a lot of resources, and the server is no longer able to take new connections. Mostly solved with things like SYN cookies, but we're going to show how we can do something similar to that again.

And now volumetric attacks, specifically reflection attacks. We're going to have a demo where we go through one of the more dangerous ones that are on the internet today. Really quick, though, IP spoofing. Let's say we want to talk to a DNS server. Host A says, host B, what's the address for "I love puppies"? Sent with a source address of host A. It responds back, looking at the source address, and says, host A, "I love puppies" is at whatever address. All right, so let's say we want to spoof. Host B, give me everything you know about "I love puppies". Sincerely, host C. We're going to throw host C's address on as the source address. It then responds to host C with all the information, and host C says, huh, I didn't ask for that.
So now we can scale that up. We can have our botnet, all of our zombies, sending spoofed requests to a large number of DNS servers or other UDP services. These are going to act as reflectors, and the requests are all going to have a source address of whoever we want to target. So our botnet's going to send a lot of traffic to our reflectors, the reflectors are going to send an even larger amount of traffic back to our target, and our target's not going to be able to handle it. That's the premise behind a distributed reflection denial of service attack.

So one way of classifying these is the bandwidth amplification factor. US-CERT uses that. Basically, you're looking at the size of the payload in the responses and comparing that to the payload in the request. Now, certain UDP services have different bandwidth amplification factors: BitTorrent, 3.8, so for every byte you send, it's going to respond with 3.8 times as much to whoever your target is; SNMPv2, 6.3; DNS, 28 to 54; NTP, about 550; and then the latest hotness is memcached. So what memcached is, is an in-memory data store that basically allows you to put information in quickly and then quickly retrieve it. It's often used with web servers to manage web session state. 10,000-foot overview there.

So let's set up this attack. Let's set up a network in Mininet, use the tools that we have, and perform it. We're going to simplify it a little bit. We know the internet is just a series of routers that make routing decisions, so we can replace that with one router; we'll call that the internet. And then we have our attacker, our reflector, and our target. So let's see how this works. Okay, so really quick, we set up our lab. We created our three hosts and a router and set up links between them. In the background we've got a packet capture running. Really quick, so it shows in the packet capture, we're just going to send a ping from our attacker to our reflector, okay, and another one the other direction.
All right, so let's start up our memcached service on our reflector. We're going to tell it we want to listen on all ports and all interfaces, and that we want it to use UDP. Right, and let's quickly send our one spoofed packet. Now, there's a little bit of magic sauce behind this to get a higher amplification factor, but we don't change any of the settings in it. And then we've sent our one packet using our target's IP address. So let's see what happened. Like I said, we had a packet capture running in the background. All right, so here is the spoofed packet that we sent, highlighted there. It's got about 15 bytes worth of payload, one single packet. And also, for comparison, you've got our pings, so we can see that we did actually spoof the address. Here's the response. So that bottom one there is packet 761; that's part of the response, and these are full UDP packets. So what do we have? We sent one packet with 15 bytes worth of payload, and our response was 753 packets with 1,051,705 payload bytes. So that gives us a bandwidth amplification factor of about 70,000. And for those of you who've been spending too much time in the wireless village here, it isn't decibels. All right, so according to US-CERT, memcached has a 10,000 to 50,000 bandwidth amplification factor. We just showed it can be 70,000. There seems to be some area of debate about how effective this is, but as you can see, no matter what, it's a very effective attack. Earlier this year this attack was used to generate 1.7 terabits per second of traffic towards a service. When you're dealing with that, you're not actually taking down the services running on the hosts. You're not necessarily taking down the hosts either.
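An added example, not the talk's capture or its sample code, that does the amplification arithmetic from the capture above over flow records, the way a defender monitoring their own infrastructure would: it pairs request and response flows for the UDP services the talk lists, computes the bandwidth amplification factor per reflector/target pair, and flags pairs whose ratio or volume is far outside a normal exchange. The flow records are constructed; the memcached pair reuses the packet and byte counts just reported from the capture (1 packet, 15 bytes in; 753 packets, 1,051,705 bytes out), and the hosts, ports and thresholds are assumptions.

```python
"""Added example (not the speaker's code): spotting a UDP reflection attack
from flow records by computing the bandwidth amplification factor (BAF) the
talk describes, response payload bytes divided by request payload bytes,
per (reflector, target) pair.

The flow records are constructed for this example. The memcached pair uses
the packet and byte counts the talk reports from its capture (1 packet of
15 bytes in, 753 packets totalling 1,051,705 bytes out); the DNS pair is an
ordinary lookup for contrast. Hosts and ports are made up.
"""
from collections import defaultdict

# UDP services the talk lists as reflectors (memcached, DNS, NTP, SNMP).
REFLECTOR_PORTS = {11211: "memcached", 53: "dns", 123: "ntp", 161: "snmp"}

# Constructed netflow-style records: (src, sport, dst, dport, packets, payload_bytes)
FLOWS = [
    ("198.51.100.10", 40000, "203.0.113.5", 11211, 1, 15),        # spoofed stats request
    ("203.0.113.5", 11211, "198.51.100.10", 40000, 753, 1051705),  # reflected reply to target
    ("198.51.100.20", 53001, "203.0.113.9", 53, 3, 120),          # normal DNS queries
    ("203.0.113.9", 53, "198.51.100.20", 53001, 3, 360),          # normal DNS answers
]


def amplification_by_pair(flows):
    """Pair requests and responses of known UDP services.

    Returns {(reflector, client): (service, request_bytes, response_bytes, baf)}.
    A response with no matching request gets baf = inf, which is the shape a
    target sees during a reflection attack: replies to requests it never sent.
    """
    req = defaultdict(int)
    resp = defaultdict(int)
    service = {}
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport in REFLECTOR_PORTS:          # client -> service
            req[(dst, src)] += nbytes
            service[(dst, src)] = REFLECTOR_PORTS[dport]
        elif sport in REFLECTOR_PORTS:        # service -> client
            resp[(src, dst)] += nbytes
            service[(src, dst)] = REFLECTOR_PORTS[sport]
    out = {}
    for key, svc in service.items():
        r, s = req.get(key, 0), resp.get(key, 0)
        baf = s / r if r else float("inf")
        out[key] = (svc, r, s, baf)
    return out


def flag_reflection(flows, min_baf=100.0, min_response_bytes=1_000_000):
    """Return pairs whose amplification or volume is far beyond a normal exchange.

    Thresholds are assumptions for this example: a genuine lookup answers with
    a few times its request size, while the talk's memcached figures are in
    the tens of thousands, so 100x and 1 MB of replies both stand out.
    """
    pairs = amplification_by_pair(flows)
    return sorted(key for key, (_svc, _r, s, baf) in pairs.items()
                  if baf >= min_baf or s >= min_response_bytes)


if __name__ == "__main__":
    for key, (svc, r, s, baf) in amplification_by_pair(FLOWS).items():
        print(f"{svc:9s} {key[0]} -> {key[1]}: {r} B in, {s} B out, BAF {baf:,.0f}")
    print("flagged:", flag_reflection(FLOWS))
```

Run as-is, the memcached pair comes out at roughly 70,000x and is the only pair flagged; the DNS pair sits at 3x. Seen from the reflector's side the same records tell you that your own host is participating, which is the "monitor your infrastructure" point from the defenses.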
What you're doing is taking down all the infrastructure around it. When you start getting 1.7 terabits worth of traffic, your upstream providers are going to start shutting off your ports, because it's taking them down as well. I provide some sample code, but the code I provide is simplified; it doesn't have the magic sauce. It just uses the stats call, so it doesn't produce a 70k bandwidth amplification factor.

So, really quick, some defenses. Know your attack surface. Know what services you're running. If you're running UDP services, why are you running them? And if you don't need them, shut them off. Build a good relationship with the upstream provider, in case you're the reflector or the target, and make sure that you can work with them to filter your traffic. And monitor your infrastructure, so you know if you're participating.

So let's go on to BGP prefix hijacks. What happens in these is, as I showed earlier, autonomous systems learn how to route traffic by announcing their routes to their neighbors. What happens in a prefix hijack is that a malicious autonomous system advertises a more specific route than the route that's already out there. If there's a route for a /23 and it announces a /24, all the traffic for addresses within that /24 will go to them, because they have the most specific route. The neighbors then pass on this route to their neighbors, and eventually everyone has that route and all the traffic is heading towards that route. An early example of this, in 1997, is the AS 7007 incident. A network disaggregated all their routes into /24s, threw their own autonomous system number on them, and then advertised that on the internet. So now that it's 2018, we can do a high-tech computer simulation of what happened to the internet traffic on that day. So here, that little pink dot is AS 7007.
I think it was in Virginia. They announced their routes, and all the internet traffic started to go into them. They also apparently turned into the Death Star. So what happened was, large portions of the internet ended up black-holed for several hours. Also, their upstream providers shut them off and ended up having to reset large portions of their network. Most routes aren't /24s, and the equipment at that time wasn't made to handle the entire internet as /24s. So the routers would crash, come back up, relearn all the bad routes from their neighbors, crash, and the cycle would repeat. It really couldn't have been better if it had been planned.

So there are certain defenses you can have. Here's just a list of them. Probably the most prominent is the IRR, the internet routing registry, where you register your routes: say this autonomous system is going to be advertised through this one, and this IP prefix is going to be advertised through this autonomous system. And there are other ways to ensure that communication is secure and authorized, and everyone's on the same page. So let's see how well that's worked. Here we have, in April 2018, the MyEtherWallet.com attack. I don't know if any of you... I'm sure nobody here uses cryptocurrency, right? Yeah. During the hijack, it wasn't actually a hijack against the servers themselves. It was a hijack against the DNS infrastructure that MyEtherWallet was using, specifically AWS, and malicious, poisoned DNS responses were returned pointing to a Russian provider. Now, there were defenses in place; not all networks carried the bad routes. But enough did. Really, all you need is one person who's not configured correctly to pass along the information, and all the defenses break down due to these trust relationships. So, really quick, how are things supposed to work? On the left side there.
We have a client trying to get to MyEtherWallet.com. On the right, Amazon, whose Route 53 was providing the DNS services, announces its route to the internet, so it starts to propagate its route. The client asks its DNS server how to get to MyEtherWallet.com. It doesn't know, it has a cache miss, so it hits Amazon. It says, hey, how do I get to this? The response is returned, it caches it, and passes it to the client. The client then connects to MyEtherWallet.com and logs in. Okay, that's how it's supposed to work. What really happened was that another autonomous system, likely on behalf of one of its customers, began advertising a /24 for Amazon's DNS server space, where Amazon was using /23s. So, advertising more specific routes. When those propagated up, all requests to Amazon's DNS servers went to this malicious DNS server. The response returned was for a credential harvester. Clients connected to the credential harvester. For some reason the attackers decided not to bother with an SSL certificate, so people were greeted with an SSL warning, and some of them decided not to heed the warning and ended up losing money.

So let's give it a try. Now, credit where credit's due, this is a modification of a lab from [inaudible]. But a quick note: at DEF CON 16 there was an awesome attack against the actual IP address for the DEF CON web servers. I'm trying to remember exactly what it was. Go check it out, it's good. I'm not going to demo it here because that's their thing.
It was awesome. So here we're going to do a prefix hijack. We're going to modify a demo that's already out there on the Mininet website, if you can get to it, but we've changed it to be a prefix hijack instead of a path hijack. So here are our three networks that we looked at before, AS 1, 2, and 3, advertising 11/8, 12/8, 13/8. We have a web server on AS 3. How am I doing on time? Okay, good. Not bad, not great. Okay, so really quick, here's our environment. Top left, we're going to start up our network. Bottom left, we're going to be controlling whether or not our autonomous systems are running. And on the right, we're going to be trying to hit our web server to see what happens. So really quick, let's pull the routing table. Okay, so looking at that routing table, sorry, this is broken up. Here's the routing table that we have from autonomous system 1. It can see that through autonomous system 2 and autonomous system 3 it can get to 13/8. All right, so I'm back in our attack. We're now hitting a website on that web server. Over here on the bottom left we're going to start up our autonomous system 4, which is going to advertise a /9, compared to a /8, for the 13/8 web space, our IP space. And on the right, in a second, you'll see it switching over to the attacking web server. Okay, so pulling our routing table again, we can see that we now have another route.
You probably can't see very well, so let's pull it up. We started autonomous system 4, and it announced a more specific route for 13/8, which caused all of our traffic to divert to our malicious web server. Now, it's not the most exciting attack, and the reason for that is that everything worked the way it's supposed to. Somebody advertised a better way to get to an IP prefix, so everyone took it. So without defenses, this is the correct operation. So defenses would be: register your routes in an IRR, establish that relationship with the upstream providers so that they know what you're advertising and they're able to defend against people trying to take over your space, and filter prefixes that you receive from others. To avoid having a website taken over, use DNSSEC, HTTPS with HSTS, and make sure you're monitoring your infrastructure.

All right, so let's move on to something a little bit more theoretical. So at the beginning we showed that alert. It says nation-states are trying to take over routers, basically. So why should nation-states get to have all the fun? Let's do some of these attacks ourselves.
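Before the talk moves on to router compromise, an added example, not the Mininet lab from the talk, that models in a few lines of Python what the demo and the defenses describe: the announcement walk from AS 3 through AS 2 to AS 1, the longest-prefix-match selection from the routing primer at the start of the talk, AS 4's /9 announcement diverting 13/8 traffic, and the defense of filtering received prefixes against a registry of who may originate what. The topology is the talk's (AS 1, 2 and 3 with 11/8, 12/8 and 13/8); the talk does not say where AS 4 connects, so peering it with AS 1 is an assumption, and the registry dictionary is a simplified stand-in for an IRR or ROA record, not any registry's real format.

```python
"""Added example (not the speaker's lab code): a small BGP model covering the
route selection rule from the start of the talk (longest prefix match), the
announcement walk from AS 3 to AS 1, the /9 hijack of 13/8 by AS 4 from the
demo, and the registry-based defense of filtering received prefixes.

The topology is the talk's three ASes (11/8, 12/8, 13/8) plus AS 4; where
AS 4 attaches is not stated in the talk, so peering it with AS 1 is an
assumption. The registry format (prefix -> authorized origin, max length)
is a simplified stand-in for an IRR/ROA entry, not any registry's real schema.
"""
import ipaddress
from collections import deque

NEIGHBORS = {1: [2, 4], 2: [1, 3], 3: [2], 4: [1]}   # AS 4 <-> AS 1 is assumed
ANNOUNCEMENTS = [(1, "11.0.0.0/8"), (2, "12.0.0.0/8"), (3, "13.0.0.0/8")]
HIJACK = (4, "13.0.0.0/9")                           # more specific than 13/8
REGISTRY = {"11.0.0.0/8": (1, 8), "12.0.0.0/8": (2, 8), "13.0.0.0/8": (3, 8)}


def propagate(neighbors, announcements, accept=None):
    """Flood announcements over the AS graph, returning {asn: {prefix: as_path}}.

    as_path[0] is the next-hop AS, as_path[-1] the origin. Each AS keeps one
    path per prefix (the shortest it has seen) and re-announces it with its
    own number prepended; a path that already contains the receiving AS is a
    loop and is ignored. `accept(prefix, origin)` is the receiving AS's
    ingress policy; None means "accept everything", as in the demo.
    """
    rib = {asn: {} for asn in neighbors}
    queue = deque()
    for origin, prefix in announcements:
        rib[origin][prefix] = (origin,)
        queue.extend((peer, prefix, (origin,)) for peer in neighbors[origin])
    while queue:
        asn, prefix, path = queue.popleft()
        if asn in path:
            continue
        if accept is not None and not accept(prefix, path[-1]):
            continue
        if prefix in rib[asn] and len(rib[asn][prefix]) <= len(path):
            continue
        rib[asn][prefix] = path
        queue.extend((peer, prefix, (asn,) + path)
                     for peer in neighbors[asn] if peer != path[0])
    return rib


def best_route(rib_for_as, dst):
    """Longest prefix match; ties broken by shortest AS path. Returns (prefix, origin)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, path in rib_for_as.items():
        net = ipaddress.ip_network(prefix)
        if addr in net:
            rank = (net.prefixlen, -len(path))
            if best is None or rank > best[0]:
                best = (rank, prefix, path[-1])
    return None if best is None else (best[1], best[2])


def make_origin_check(registry):
    """Ingress filter: accept a prefix only if a registered covering prefix
    names this origin AS and the announced length is within the allowed
    maximum. Unregistered space is rejected here (a strict choice for the lab)."""
    def accept(prefix, origin):
        net = ipaddress.ip_network(prefix)
        for reg_prefix, (reg_origin, max_len) in registry.items():
            if net.subnet_of(ipaddress.ip_network(reg_prefix)):
                return origin == reg_origin and net.prefixlen <= max_len
        return False
    return accept


def where_does_as1_send(dst="13.1.2.3", hijack=False, filtering=False):
    """Run the scenario and report which prefix/origin AS 1 picks for dst."""
    announcements = ANNOUNCEMENTS + ([HIJACK] if hijack else [])
    accept = make_origin_check(REGISTRY) if filtering else None
    rib = propagate(NEIGHBORS, announcements, accept)
    return best_route(rib[1], dst)


if __name__ == "__main__":
    print("normal:           ", where_does_as1_send())
    print("hijack, no filter:", where_does_as1_send(hijack=True))
    print("hijack, filtered: ", where_does_as1_send(hijack=True, filtering=True))
```

Run as-is it prints three lines: without the hijack AS 1 reaches 13.1.2.3 through the /8 originated by AS 3; with AS 4's /9 in the table the more specific route wins, exactly as in the demo; with the origin check applied on receipt, the /9 is dropped and traffic returns to AS 3. The check only protects the ASes that run it: take it off AS 1 and AS 1 carries the hijack again even though every other AS filters, which is the one-misconfigured-neighbor problem from the MyEtherWallet case.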
Let's try it. We don't know exactly what attacks are going to be done, but we can make some guesses, and one of the ways we can make some guesses is that we already know what things are going to be done, because we can see them now in certain pieces of infrastructure. Really quick: we know that if you have control of a router, you can just think of it as your network monitoring equipment: you can monitor traffic, and redirect traffic, which we saw. You can modify traffic as it's passing through, you can block traffic, and you can flip the switch and just take down a chunk of infrastructure. Now, we don't really need to imagine much, because we already see this in action. There's malicious network equipment widely deployed. Now, malicious is relative to who's performing the operation. So you have intrusion detection systems, intrusion prevention systems, other firewalls, internet service providers doing service prioritization or denying access to certain services, and then you have nation-level monitoring and filtering enforcement, such as a country putting up a large firewall to restrict internet access. So we can already see what can be done with this, because it's already being done. Corporations are already doing it. My cell phone provider's blocking my VPN access for some reason. You know, we already see this in action. But what else can we do? So we know that you can prevent IP spoofing by registering a route and making sure that people aren't passing bad routes. But we can also defeat that if we have control of one of the routers. So if you have a router on, say, an internet service provider's network, it has the ability to talk for addresses on that network, and no one's going to question it, because it's supposed to be the one carrying that traffic. So by doing that we can defeat IP prefix filtering. We can spoof any host we want on that network.
It doesn't need to exist, doesn't particularly otherwise. But even in this case we can now have bi-directional communication. We can send traffic for a host and then receive the response, and we can reduce our botnets from thousands of devices to just a handful of routers.

And I say we can have bi-directional communication. Before, you can't really spoof TCP traffic, because you have that handshake and you have to be able to go through the synchronization. But since we're receiving the responses, we can now open up TCP sessions, other bi-directional communication that we wouldn't have been able to do otherwise.

And this is kind of concerning, because it breaks our attribution models. A lot of you might get daily, weekly or whatever threat feeds where part of what they have is a list of IP addresses associated with certain activities. You throw them into your intrusion detection systems, you block them on your firewalls, and that's good, but now we can change our IP address at will, because we can act as any of these other devices. We can no longer really trust the IP addresses that we have in our threat feeds.

Now this is on a symmetric route, meaning it receives a response. Now what can we do if we still want to spoof traffic from a different network and we're not receiving the response? Like I said before, you really can't spoof a TCP connection, because you have to synchronize with the server, and this can be using a randomized sequence number. However, if we control one of the routers along the path to that spoofed host, we can still send our traffic from a different portion of the internet and be able to maintain bi-directional communication and go through our TCP handshake. So we're gonna do a quick little attack here.
We're going to spoof a SYN packet, we're going to capture the response on the second router, the router on the right there, and then we're gonna have that router send the information to our attacker computer, specifically the sequence number that it needs to complete the handshake, and then we're going to complete the handshake. So it was simplified a little bit for the demo: we're replacing the routers with switches and running our interceptor on the spoofed host, but same effect.

So really quick, we're gonna see what our IP address is and we're going to request a page from a web server that's gonna respond with our IP address, that matches up, 10.0.10.90, and then we're gonna make it so we can no longer communicate directly with that host, just for the purposes of demonstration. So now we can no longer communicate with the web server, just so you guys believe me, and we're going to spoof a TCP connection. So here we're gonna send a SYN packet that's gonna be intercepted and sent back to us, and then we're gonna complete the handshake and request traffic. Oh, son of God, that went too fast. All right.

All right, so here we're making our HTTP request, and here's the response that we receive back. We're able to complete our TCP handshake using spoofed traffic and then make a request and receive that response as it's being sent to the address that we're spoofing.

Now, to do this we need a communication channel. I've had it out of full screen mode for a while, haven't I? Somebody tell me these things. All right. So we need a control channel to be able to do this; we need to communicate between our interceptor and the host that's doing the spoofing. And how can we do this?
One way is network steganography. Steganography is hiding data, and its presence, from an observer. There's numerous ways of doing this with network traffic, but some of them are pretty slow: you'll flip a flag in a header, which gives you about one bit per packet, not the quickest thing ever. But if we want to trade a degree of stealth for increased data rate, what we can do is inject traffic into other packets as they're passing through a node and then strip that data out before it's passed on to its final destination. And to do this, HTTPS and other encrypted traffic, using that as our cover medium, is ideal.

Really quick, here's a TCP packet. The payload usually can be up to 1460 bytes, but a lot of traffic either has a full payload or has no payload, as an ACK packet; there's a bimodal distribution on the internet. Basically, you'll have a lot of traffic that's being received and a lot of ACK packets for that received traffic. So these ACK packets have a lot of free space that we can use. There's nothing that says that you can't send data with an ACK packet. In fact, it's normal. I got a clap for that. Okay. Oh, I made a meme. All right, so, very long, how are we doing on time? Okay, I can't see anyone anyway. So, all right.
So what I'm proposing is we use the excess space that's not being consumed and we inject our own traffic into it. Now we need to make sure that it can't be read as well. Yeah, we want to make sure that it can't be read, so we're going to encrypt everything. At the end we're going to put a counter, an encrypted counter, that says how much data we're going to put in it, so we can quickly then pull that data out, check for the flags at the beginning and the end of the data that we're sending, and know if it's actually our traffic or if it's a mistake. So three steps before we get to our data, that allows us to quickly toss out traffic that looks like our data but it's not, if that makes sense. Sorry, I'm rushing to make sure I get this closed.

Why are we going to use HTTPS? Most of the internet is HTTPS. It's expensive to monitor HTTPS traffic and there's little value in recording it. You can gather metadata about it, but if you record HTTPS traffic at large scale, what you have is a bunch of data that you can't read that's going to fill up your drives. And when properly implemented, encrypted data is pretty much statistically indistinguishable from random data. So we can take this already encrypted data, throw our encrypted data on the end, and there shouldn't be any way of determining that we've added data.

This was the demo that I was going to do. As you might be able to guess, it ended up being kind of busy, so we're going to simplify it and we're going to do a demo just between two hosts that have had their traffic blocked, basically, right on this, let's say autonomous system 1 and autonomous system 4, just to show that it works. So we're going to bypass some blocking through our covert channel. Don't let me forget to go back in full-screen mode. On you guys.

All right. So here we're just testing that we can reach the web server on 10.0.10.90, and then we're going to set up a listener through our tunnel on localhost 8765. Now we've just blocked
access to it on port 80, so we can no longer directly access that web server on port 80. So now, and that still doesn't work. So now we're going to start our covert channel. What we're going to do is we're going to start on the other end; we've already started our listener, and then we're going to quickly run the script. That starts the listener on this end, that creates the channel, and then gives us a bunch of cover traffic. And I'm just using watch and a curl command to generate a bunch of HTTPS traffic.

Okay, so we've started it, and let's see. So now we have a channel that we can use. Here's our HTTPS requests. We got to the server that we couldn't access before. What we did is we hit a local listener on our box, sent that over the tunnel using HTTPS traffic as our cover medium, and then had the other side complete the connection to the web server and return that traffic back to us. So that's a means of creating a covert channel there.

And what does that look like at the packet level? Going back into full screen. Yes, so here's the original packet, and then here's the packet with our data added on to it. At the end I left the counter unencrypted so we can look at that. So what you have is traffic that looks like the traffic that we already have there, generally indistinguishable from what should be there. Now, if you're going to monitor sessions and keep track of acknowledgments, you might be able to detect this is going on. But if this isn't on a connection that you would expect to be malicious or you want to monitor, chances are you're not going to be doing full session monitoring, and this is going to slide by along with the other terabytes of HTTPS traffic.

Okay, thanks for listening. Appreciate you coming.
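The route-filtering defense mentioned near the start of the talk (register your routes, then have upstreams filter what they accept) can be shown with a small prefix filter. This is an added example, not code from the talk or from the speaker's GitHub tools. It assumes a registry of route objects giving prefix and origin AS; the `max_length` field is borrowed from RPKI ROAs rather than plain IRR route objects, and every prefix, AS number and announcement below is constructed to mirror the talk's "AS 4 announces a more specific /13" scenario.

```python
"""Toy prefix filter built from IRR/ROA-style route objects.

Constructed example: the registry entries, AS numbers and announcements are
made up to mirror the talk's hijack scenario, not taken from any real registry.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class RouteObject:
    """Who may originate which prefix, and how specific a sub-prefix may be.

    IRR route objects are exact-prefix; max_length is an assumption taken from
    RPKI ROAs so that a deliberately allowed more-specific can be expressed."""
    prefix: IPv4Net
    origin: int
    max_length: int


def build_registry(entries: Sequence[Tuple[str, int, int]]) -> List[RouteObject]:
    registry = []
    for prefix, origin, max_length in entries:
        net = ipaddress.ip_network(prefix, strict=True)
        if not isinstance(net, IPv4Net):
            raise ValueError("this example registry is IPv4-only")
        if max_length < net.prefixlen or max_length > 32:
            raise ValueError(f"bad max_length {max_length} for {prefix}")
        registry.append(RouteObject(net, origin, max_length))
    return registry


def filter_announcement(registry: List[RouteObject], prefix: str,
                        as_path: Sequence[int]) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason) for one received BGP announcement.

    as_path[-1] is the origin AS (the AS claiming to own the prefix)."""
    if not as_path:
        return ("reject", "empty AS path")
    net = ipaddress.ip_network(prefix, strict=True)
    if not isinstance(net, IPv4Net):
        return ("reject", "registry is IPv4-only in this example")
    origin = as_path[-1]
    # Every registered object whose prefix equals or contains the announced one.
    covering = [r for r in registry if net.subnet_of(r.prefix)]
    if not covering:
        return ("reject", f"no route object covers {net}")
    for r in covering:
        if r.origin == origin and net.prefixlen <= r.max_length:
            return ("accept",
                    f"{net} from AS{origin} matches {r.prefix} (max /{r.max_length})")
    # Distinguish the two failure modes so operators see why it was dropped.
    if any(r.origin == origin for r in covering):
        return ("reject", f"{net} is more specific than AS{origin} registered")
    return ("reject", f"AS{origin} is not a registered origin for {net}")


# Constructed registry: AS 1 owns 10.0.0.0/12 and allows no more-specifics;
# AS 2 owns 192.0.2.0/24 and permits announcing it as two /25s.
REGISTRY_ENTRIES = [("10.0.0.0/12", 1, 12), ("192.0.2.0/24", 2, 25)]

# Constructed announcements as (prefix, AS path).
ANNOUNCEMENTS = [
    ("10.0.0.0/12", [3, 1]),        # legitimate route via transit AS 3
    ("10.0.0.0/13", [4]),           # the talk's attack: AS 4 announces a /13
    ("10.0.0.0/13", [1]),           # right origin, but more specific than registered
    ("10.0.0.0/12", [3, 4]),        # same prefix, wrong origin
    ("192.0.2.0/25", [2]),          # allowed more-specific
    ("192.0.2.0/26", [2]),          # too specific
    ("198.51.100.0/24", [5]),       # nobody registered this at all
]


def run_filter(registry: List[RouteObject], announcements) -> List[Tuple[str, str]]:
    """Apply the filter to each announcement; returns (decision, reason) per row."""
    return [filter_announcement(registry, p, path) for p, path in announcements]


if __name__ == "__main__":
    reg = build_registry(REGISTRY_ENTRIES)
    for (prefix, path), (decision, reason) in zip(ANNOUNCEMENTS, run_filter(reg, ANNOUNCEMENTS)):
        print(f"{decision:6} {prefix:18} path={path}  {reason}")
```

With the talk's scenario, the /13 from AS 4 is rejected because no covering object names AS 4 as an origin, which is exactly the check an upstream cannot make for you unless your route is registered.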
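The closing remark, that session monitoring which keeps track of acknowledgments might catch data appended to in-flight packets, can be made concrete. This is an added example, not code from the talk or the speaker's tools. It assumes a monitor sitting between the node that appends data and the node that strips it, and that segments have already been decoded from a capture into the fields below; the trace is constructed by hand (client 10.0.10.5:40000 is made up, 10.0.10.90:443 reuses the web server address from the demo). Two heuristics, both of which can misfire on coalesced retransmissions, so they are signals to investigate rather than verdicts: a sender that "resumes" from inside a byte range it already sent while carrying new bytes beyond it, and a receiver that acknowledges a point strictly inside a segment the monitor saw.

```python
"""Flow-level heuristics for data appended to in-flight TCP segments.

Constructed example: the monitor sits between the injecting node and the
stripping node, so it sees padded segments while the real endpoints never do.
Sequence-number wrap-around is ignored for brevity.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Direction = Tuple[str, int, str, int]   # (src, sport, dst, dport)
ByteRange = Tuple[int, int]             # [seq, seq + payload_len)


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload_len: int


class FlowTracker:
    """Remembers, per direction, the byte ranges seen on the wire and checks
    each new segment and its ACK number against the ranges already recorded."""

    def __init__(self) -> None:
        self.ranges: Dict[Direction, List[ByteRange]] = defaultdict(list)
        self.flagged: Set[Tuple] = set()   # de-duplicates repeated alerts

    def observe(self, s: Segment) -> List[str]:
        alerts: List[str] = []
        fwd: Direction = (s.src, s.sport, s.dst, s.dport)
        rev: Direction = (s.dst, s.dport, s.src, s.sport)

        if s.payload_len > 0:
            end = s.seq + s.payload_len
            # Heuristic 1: a pure retransmission stops at the old end of range.
            # Starting at or inside an earlier range and carrying bytes beyond it
            # means the sender never counted the tail of that earlier segment.
            for pseq, pend in self.ranges[fwd]:
                if pseq <= s.seq < pend and end > pend:
                    key = ("overlap", fwd, pseq, pend)
                    if key not in self.flagged:
                        self.flagged.add(key)
                        alerts.append(f"overlap: {fwd} seq={s.seq} starts inside "
                                      f"[{pseq},{pend}) and adds {end - pend} bytes past it")
            self.ranges[fwd].append((s.seq, end))

        # Heuristic 2: the receiver acknowledged fewer bytes than were on the wire
        # here, i.e. the ACK lands strictly inside a segment we recorded.
        for pseq, pend in self.ranges[rev]:
            if pseq < s.ack < pend:
                key = ("partial-ack", rev, pseq, pend)
                if key not in self.flagged:
                    self.flagged.add(key)
                    alerts.append(f"partial-ack: {rev} ack={s.ack} covers only "
                                  f"{s.ack - pseq} of {pend - pseq} bytes from seq {pseq}")
        return alerts


def scan(segments: List[Segment]) -> List[Tuple[int, str]]:
    """Run a trace through one tracker; returns (segment index, alert) pairs."""
    tracker = FlowTracker()
    found: List[Tuple[int, str]] = []
    for i, seg in enumerate(segments):
        found.extend((i, a) for a in tracker.observe(seg))
    return found


# Constructed trace of an HTTPS download. CLIENT is made up; SERVER reuses the
# demo's web server address. Helpers build client->server and server->client.
CLIENT, SERVER = ("10.0.10.5", 40000), ("10.0.10.90", 443)

def c2s(seq: int, ack: int, plen: int) -> Segment:
    return Segment(*CLIENT, *SERVER, seq, ack, plen)

def s2c(seq: int, ack: int, plen: int) -> Segment:
    return Segment(*SERVER, *CLIENT, seq, ack, plen)

TRACE = [
    c2s(1000, 5000, 0),      # 0: pure ACK
    s2c(5000, 1000, 1460),   # 1: full-size data segment
    c2s(1000, 6460, 0),      # 2: pure ACK
    s2c(6460, 1000, 1460),   # 3: data
    c2s(1000, 7920, 200),    # 4: pure ACK with 200 bytes appended by the injector
    s2c(7920, 1000, 1460),   # 5: server (after stripping) still acks 1000
    c2s(1000, 9380, 300),    # 6: real client data resumes at 1000 -> overlap alert
    s2c(9380, 1300, 0),      # 7: server acks the real 300 bytes
    c2s(1300, 9380, 500),    # 8: 300 real bytes + 200 appended
    s2c(9380, 1600, 0),      # 9: server acks only 300 of 500 -> partial-ack alert
    c2s(1600, 9380, 300),    # 10: client resumes inside [1300,1800) -> overlap alert
]


if __name__ == "__main__":
    for idx, alert in scan(TRACE):
        print(f"segment {idx}: {alert}")
```

The first padded pure ACK (segment 4) raises nothing on its own, which matches the speaker's point that data riding on an ACK is normal; the signal only appears once the session is followed far enough to see the sender and receiver disagree about how many bytes were sent.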