Recent changes

This is an old revision of the document!

05. [30p] NetfilterQueue

A tool that you have previously used is iptables. This user space tool interacts with the packet filtering framework that is implemented in the kernel (i.e. netfilter) in order to allow you to specify your firewall rules.

Netfilter is a framework for packet mangling, outside the normal Berkeley socket interface. It has four parts. Firstly, each protocol defines “hooks” (IPv4 defines 5) which are well-defined points in a packet’s traversal of that protocol stack. At each of these points, the protocol will call the netfilter framework with the packet and the hook number.

In this exercise, we introduce Netfilter Queues, an iptables target (also part of the netfilter project). What's interesting about this tool is that the hook that it inserts in the network protocol stack does not immediately decide what happens to the packet, based only on the usual vectors (protocol, src/dst IP, src/dst port, etc). Instead, it sends the packet to a user space process for analysis. All packets are buffered and the user space process can retrieve them, evaluate their contents and decide whether to ACCEPT, DROP or RETURN them. The messages do not need to be evaluated in the order that they were received. Moreover, the process can even alter the packets and ask the kernel to use the modified version (this happens to be very useful when implementing MitM attacks).

Next, we will look at two examples of Netfilter Queue analysis programs that also alter the traffic. First, download the demo scripts. Also, make sure that you install all dependencies before starting the tasks: 

$ sudo apt update
$ sudo apt install -y python3-pip wireshark openssh-server libnetfilter-queue1 libnetfilter-queue-dev nfqueue-bindings-python python3-scapy
$ pip3 install NetfilterQueue

[15p] Task A - DNS hijack

In this task we will intercept all DNS responses and alter the returned IP address for a certain domain name. Before proceeding with the following commands, make sure you have a ssh server running on your machine (we will mess around with that later on). The main goal is to understand how it all works, so make sure you read the script.

If you feel that you need a better understanding of the DNS message format, check out Let's hand write DNS messages. 

$ dig +short fep.grid.pub.ro
$ sudo iptables -I INPUT -p udp --sport 53 -j NFQUEUE --queue-num 1
$ sudo ./mitm-dns fep.grid.pub.ro. 127.0.0.1
 
$ dig +short fep.grid.pub.ro
$ ssh student@fep.grid.pub.ro
    Password: student
$ sudo iptables -D INPUT 1

Let's take a look at what just happened:

  • first, we use dig to obtain the IP address of fep.grid.pub.ro and it should be 141.85.241.99 or something along those lines
  • next, we add an iptables rule: redirect all UDP incoming traffic that originated from port 53 to queue number 1 for validation in userspace
  • then, we run the python3 script that will subscribe to queue number 1 and will replace all DNS reponses to fep's domain with 127.0.0.1
  • after checking the IP again with dig, we notice that the script worked
  • what may be a possible implication? Well… let's try connecting to fep via ssh
  • finally, we stop the script and delete the iptables rule

[15p] Task B - TLS downgrade & Wireshark

TLS is a cryptographic protocol meant to provide secure communication over a network (e.g. https). All sessions that use this protocol start with a TLS handshake (see figure below). When the client contacts the server, it sends a Client Hello. This message includes a list of supported encryption algorithms. The server receives this message, chooses the best encryption algorithm (that it also knows) and responds with a Server Hello, containing the chosen algorithm.

So we know how Netfilter Queues and TLS work. In this task we will use wireshark to detect abnormal traffic. This time, our script will intercept all Client Hello messages and replace the supported cipher suite list with a single (weaker) item that the server will be forced to select. Let's try to connect to ocw.cs.pub.ro and see what cipher suite it normally chooses: 

$ echo | openssl s_client -connect ocw.cs.pub.ro:443

The answer should be ECDHE-RSA-AES256-GCM-SHA384. Now, make sure you have wireshark installed and get a network capture of this unaltered handshake. Save it for later.

Next, set up the iptables rule and run the process: 

$ sudo iptables -I OUTPUT -p tcp --dport 443 -j NFQUEUE --queue-num 1
$ sudo ./mitm-tls_downgrade.py
 
$ sudo iptables -D OUTPUT 1

Try to capture the Client Hello once again with wireshark.

:!: :!: NON-DEMO TASK

Add in the submission the capture of the unaltered handshake and the capture after running the script.

Place the two captures side by side and identify the cipher suites lists. Explain briefly which algorithm did our script force the server to accept.

General Information

Lectures

Labs

Assignments

Archived Labs

Table of Contents

ep/labs/04/contents/tasks/ex5.1604227413.txt.gz · Last modified: 2020/11/01 12:43 by gheorghe.petre2608
Old revisions
Media ManagerBack to top
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0