This document provides an overview of building an Android intrusion detection system (IDS) to monitor network traffic on the device. It discusses setting up a VPN tunnel between the Android device and a computer to redirect all network packets from the kernel space to user space where tools like Snort can be used to analyze the traffic in real-time. It also covers ways to disguise the device operating system fingerprint through tools like OSFooler to prevent remote OS identification by scanners like Nmap. The goal is to develop a practical approach for detecting and analyzing malware and threats based on the device's network activity.
7. THE"PROBLEM"?
There is a massive growth in the volume of malware
families and samples ...
Google"Play’s"track"record"with"malware"is"not"too"
good"(Bouncer"can"be"compromised)"...
18. FROM KERNEL How"i"met"your"packet
From"kernel"Space"to"user"Heaven
SPACE TO USER HEAVEN
ANDROIDS: MOBILE SECURITY RELOADED
NMAP"INTERNAL"PROBES
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
Most"important:
!"TCP"ISN"greatest"common"divisor"(GDC)
!"TCP"IP"ID"sequence"generaGon"alg"(TI)
!"TCP"Gmestamp"opGon"alg"(TS)
!"TCP"OpGons"(O,"O1RO6)
!"TCP"iniGal"Window"Size"(W,"W1RW6)
!"Responsiveness"(R)
!"IP"don’t"fragment"bit"(DF)
!"IP"iniGal"GmeKtoKlive"guess"(TG)
JAIME SÁNCHEZ (@SEGOFENSIVA)
Although"there"are"others:
!"TCP"ISN"counter"rate"(ISR)
!"ICMP"IP"ID"sequence"generaGon"alg"(II)
!"Shared"IP"ID"sequence"Boolean"(SS)
!"Don’t"Fragment"ICMP"(DFI)
!"Explicit"congesGon"noGficaGon"(C)
!"TCP"miscellaneous"quirks"(Q)
!"TCP"sequence"number"(S)
!"etc.
18
NUIT DU HACK 2013
DEEPSEC
19. OSFOOLER: REMOTEMOBILE SECURITY RELOADED
FROM KERNEL How"i"met"your"packet
From"kernel"Space"to"user"Heaven ...
SPACE TO USER OVER
ANDROIDS: OS FINGERPRINTING ISHEAVEN
P0F"SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Opera&ng)System
""K"Family
""K"Version
Packet)
Size
Quirks
"""K"Data"in"SYN"packets
"""K"OpGons"arer"EOL
"""K"IP"ID"Field"="0
"""K"ACK"different"to"0
"""K"Unusual"flags
"""K"Incorrect"opGons"decode
DF)Bit)
Ini&al)TTL
TCP)op&ons)and)order
Window)Size
"""K"N:"NOP
"""K"E:"EOL
"""K"Wnnn:"WS
"""K"Mnnn:"MSS
"""K"S:"SACK
"""K"T"/"T0:"Timestamp""
"""K"?n
"""K"*"Any"value
"""K"%nnn"nnn"MulGple
"""K"Sxx"MSS"MulGple
"""K"Txx"MTU"MulGple
"""K"xxx"Constant"value
JAIME SANCHEZ (@SEGOFENSIVA)
JAIME SÁNCHEZ (@SEGOFENSIVA)
16
19
NUIT DU HACK 2013 2013
BLACKHAT ARSENAL USA
DEEPSEC
20. BUILDING AN ANDROID IDS ON NETWORK LEVEL
ANDROIDS: MOBILE SECURITY RELOADED
!" I" need" to" process" traffic" before"
being"processed"inside"my"Android"
device.
!" I" can"redirect"all" network" packet"
from"Kernel"Space"to"User"Space
!"I"can"do"whatever"I"want"with"the"
packets
!"This"is"done"in"RealR7me.
!" Runs" conGnuously" without"
h u m a n" s u p e r v i s i o n" a n d" i s"
completely"transparent"for"user.
JAIME SÁNCHEZ (@SEGOFENSIVA)
20
DEFCON 21
DEEPSEC
25. OSFOOLER: REMOTEMOBILE SECURITY RELOADED
From"kernel"Space"to"user"Heaven
How"i"met"your"packet
ANDROIDS: OS FINGERPRINTING IS OVER ...
APPLICATION
USER"SPACE
read()
TCP"recv"Buffer
TCP"Process
KERNEL"SPACE
tcp_v4_rcv()
Socket
Backlog
IP"Layer
Pointer"to
Device
NIC
ip_rcv()
sorirq
Internal
Memory
Packet"Data
Interrupt
Handler
Poll"List
Ring
Buffer
DEVICE"DRIVER
Interrupt
DMA"Engine
NIC"Memory
Incoming"Packet
JAIME SANCHEZ (@SEGOFENSIVA)
JAIME SÁNCHEZ (@SEGOFENSIVA)
BLACKHAT ARSENAL USA 2013
DEEPSEC
26. OSFOOLER: REMOTEMOBILE SECURITY RELOADED
FROM KERNEL How"i"met"your"packet
From"kernel"Space"to"user"Heaven ...
SPACE TO USER OVER
ANDROIDS: OS FINGERPRINTING ISHEAVEN
USER"SPACE
APPLICATION
read()
TCP"recv"Buffer
TCP"Process
KERNEL"SPACE
CONNTRACK
Inbound"Packets
MANGLE
Socket
Backlog
PREROUTING
FORWARD ip_rcv()
IP"Layer
forwarded"and"accepted"packets
Pointer"to
Device
locally"desGned"packets"must"pass"the"
INPUT"chains"to"reach"listening"sockets
tcp_v4_rcv()
FILTER
NIC
INPUT
sorirq
forwarded"
packets
Memory
Kernel
local
packets
Packet"Data
Interrupt
Handler
Poll"List
ConGnue"Processing
Ring
Buffer
DEVICE"DRIVER
Interrupt
DMA"Engine
NIC"Memory
JAIME SANCHEZ (@SEGOFENSIVA)
JAIME SÁNCHEZ (@SEGOFENSIVA)
Incoming"Packet
27
NUIT DU HACK 2013 2013
BLACKHAT ARSENAL USA
DEEPSEC
27. OSFOOLER: REMOTEMOBILE SECURITY RELOADED
From"kernel"Space"to"user"Heaven
How"i"met"your"packet
ANDROIDS: OS FINGERPRINTING IS OVER ...
APPLICATION
USER"SPACE
read()
TCP"recv"Buffer
TCP"Process
KERNEL"SPACE
tcp_v4_rcv()
Socket
Backlog
IP"Layer
Pointer"to
Device
NIC
ip_rcv()
sorirq
Memory
Kernel
Packet"Data
Interrupt
Handler
Poll"List
Ring
Buffer
DEVICE"DRIVER
Interrupt
DMA"Engine
NIC"Memory
Incoming"Packet
JAIME SANCHEZ (@SEGOFENSIVA)
JAIME SÁNCHEZ (@SEGOFENSIVA)
BLACKHAT ARSENAL USA 2013
DEEPSEC
28. OSFOOLER: REMOTEMOBILE SECURITY RELOADED
From"kernel"Space"to"user"Heaven
How"i"met"your"packet
ANDROIDS: OS FINGERPRINTING IS OVER ...
APPLICATION
USER"SPACE
read()
TCP"recv"Buffer
TCP"Process
KERNEL"SPACE
tcp_v4_rcv()
Socket
Backlog
IP"Layer
Pointer"to
Device
NIC
ip_rcv()
sorirq
Memory
Kernel
Packet"Data
Interrupt
Handler
Poll"List
Ring
Buffer
DEVICE"DRIVER
Interrupt
DMA"Engine
NIC"Memory
Incoming"Packet
JAIME SANCHEZ (@SEGOFENSIVA)
JAIME SÁNCHEZ (@SEGOFENSIVA)
BLACKHAT ARSENAL USA 2013
DEEPSEC
29. FROM KERNEL How"i"met"your"packet
From"kernel"Space"to"user"Heaven
SPACE TO USER HEAVEN
ANDROIDS: MOBILE SECURITY RELOADED
IPTABLES
)A)target"extension"consists"of"a"KERNEL"MODULE,)and)an)op&onal)extension)to)iptables)to)
provide)new)command)line)op&ons.
There)are)several)extensions)in)the)default)NeRilter)distribu&on:
JAIME SÁNCHEZ (@SEGOFENSIVA)
30
NUIT DU HACK 2013
DEEPSEC
30. FROM KERNEL How"i"met"your"packet
From"kernel"Space"to"user"Heaven
SPACE TO USER HEAVEN
ANDROIDS: MOBILE SECURITY RELOADED
QUEUE
!)QUEUE)is)an)iptables)and)ip6tables)target)which)which)queues"the"packet"for"userspace"
processing.
!)For)this)to)be)useful,)two)further)components)are)required:
• a)QUEUE"HANDLER)which)deals)with)the)actual)mechanics)of)passing)packets)between)
the)kernel)and)userspace;)and
• a)USERSPACE"APPLICATION)to)receive,)possibly)manipulate,)and)issue)verdicts)on)
packets.
!)The)default)value)for)the)maximum)queue)length)is)1024.)Once)this)limit)is)reached,)new)
packets)will)be)dropped)un&l)the)length)of)the)queue)falls)below)the)limit)again.)
$ iptables -A INPUT -j NFQUEUE --queue-num 0
JAIME SÁNCHEZ (@SEGOFENSIVA)
31
13
NUIT DU HACK 2013
DEEPSEC
32. How"i"met"your"packet
BUILDING AN ANDROID IDS ON NETWORK LEVEL
ANDROIDS: MOBILE SECURITY RELOADED
The"logo"should"look"like"...
JAIME SÁNCHEZ (@SEGOFENSIVA)
DEFCON 21
DEEPSEC
33. How"i"met"your"packet
BUILDING AN ANDROID IDS ON NETWORK LEVEL
ANDROIDS: MOBILE SECURITY RELOADED
PLEASE!"don't"make"decisions"at"
night"in"Las"Vegas
JAIME SÁNCHEZ (@SEGOFENSIVA)
DEFCON 21
DEEPSEC