Detecting malicious payloads across multiple packets v0.2
As you might expect, we are currently working hard on the next release, which will introduce new and interesting features: protocol dissection, pattern matching, API improvements, etc.
Haka can track the states of a network protocol with its state machine. A state machine is defined as a set of states and a set of transition functions between these states. This post will present a part of the SSL state machine we used in the previous blog post to detect heartbleed.
In a previous post, we defined security rules on the SSL protocol in order to block the heartbleed attack. This post will present a v0.2 feature: the grammar used to specify the SSL protocol. Our grammar can parse binary-based as well as text-based protocols.
This post will focus on the dissection of the ClientHello handshake.
As most of you must have heard, a very nasty bug was discovered a few weeks ago in the OpenSSL project, a widely used open source implementation of the SSL/TLS protocol. This bug, better known as the heartbleed bug, relies on a wrongly implemented SSL extension called "heartbeat".
As you know, the initial version of Haka doesn't ship with an SSL dissector. However, the 0.2 version — which will be released soon — features a new grammar that allows specifying network protocols and their underlying state machine. Thanks to that grammar, we were able to write, with little effort, a dissector covering almost the full specification of the SSLv3 protocol. This specification will be covered in an upcoming post.
The well-known scanning tool Nmap allows users to discover running services on a target machine. In this tutorial, we use Haka to fool Nmap scans by crafting reset packets.
When launching a NULL (-sN), FIN (-sF) or XMAS (-sX) scan, Nmap forges a probe packet with a particular combination of TCP flags set. Nmap concludes that a port is closed on the target machine if it receives an RST packet in reply.
Thanks to the Haka API, we can forge RST packets and fool Nmap queries, letting it believe that all ports are closed on the target side. The following script starts by loading the ipv4 and tcp dissectors. The next line disables the tcp-connection dissector, to avoid Haka dropping all packets that do not belong to a valid connection. Finally, we define the security rule, which creates an RST TCP packet whenever an Nmap scanning packet is detected. In the last lines, we inject the newly crafted packet and drop the Nmap forged packet.
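The detection half of that rule, as an added stand-alone Python example rather than the Haka script the post describes: it parses a TCP header, recognises the flag sets Nmap uses for its NULL, FIN and XMAS probes, and builds the RST|ACK header a closed port would answer with. The sample probe is constructed inline; `make_segment` and the other function names are this example's own, not part of Haka.

```python
import struct

# TCP flag bits in the low byte of the 16-bit data-offset/flags field (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def make_segment(sport, dport, seq, ack, flags, payload=b""):
    """Pack a minimal 20-byte TCP header (checksum left 0) plus payload. Used here
    only to construct sample probes, since this example has no live capture."""
    off_flags = (5 << 12) | flags  # data offset 5 words = 20 bytes, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 1024, 0, 0) + payload


def parse_tcp_header(segment):
    """Decode the fixed header fields and compute SEG.LEN (payload + SYN + FIN)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    seg_len = max(0, len(segment) - data_offset) + bool(flags & SYN) + bool(flags & FIN)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "seg_len": seg_len}


def classify_probe(flags):
    """Name the Nmap scan whose probe carries exactly this flag set, else None."""
    return {0: "NULL", FIN: "FIN", FIN | PSH | URG: "XMAS"}.get(flags)


def build_rst(probe):
    """Header of the RST a CLOSED port returns (RFC 793): the probe carries no ACK,
    so SEQ=0 and ACK=SEG.SEQ+SEG.LEN, flags RST|ACK, ports swapped. The checksum
    stays 0 because it covers the IP pseudo-header, which the injecting layer fills."""
    ack_num = (probe["seq"] + probe["seg_len"]) & 0xFFFFFFFF
    return make_segment(probe["dport"], probe["sport"], 0, ack_num, RST | ACK)


def handle_segment(segment):
    """Rule body: (scan_type, rst_bytes) for a scan probe, (None, None) otherwise."""
    hdr = parse_tcp_header(segment)
    kind = classify_probe(hdr["flags"])
    if kind is None:
        return None, None
    return kind, build_rst(hdr)


if __name__ == "__main__":
    # constructed XMAS probe from port 40000 to port 80
    kind, rst = handle_segment(make_segment(40000, 80, 0x11223344, 0, FIN | PSH | URG))
    print(kind, rst.hex())
```

In a real deployment the RST still needs an IP header and checksum before injection, and the original probe is dropped, as the post's script does.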