00:00:06.359
Video equipment rental costs paid for by PeepCode Screencasts.
00:00:19.880
All right, this is PacketFu, Ninja Style: mid-level packet manipulation for Ruby.
00:00:25.960
Hello, I'm Tod Beardsley. I'm a security researcher most of the time.
00:00:34.000
This means I do a lot of attack and defense research and application work.
00:00:40.760
At BreakingPoint, we create test equipment mainly for routers and security devices,
00:00:49.160
such as IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems).
00:00:54.680
How many people here have ever administered an IDS device? A couple of you. IDS is an intrusion detection system,
00:01:01.719
which warns you when you've been compromised. IPS is intrusion prevention,
00:01:08.119
it's the system that tells you that you almost got owned.
00:01:14.119
I work a lot in testing these devices, and I'm a Ruby newbie. I've been using Ruby for less than a year.
00:01:20.400
I started using Ruby because it seemed like all the cool kids were doing it.
00:01:25.680
As soon as I started, I noticed that there was no reasonable way to perform packet manipulation in Ruby! Network packets.
00:01:33.439
You may be asking yourselves, "Why forge packets when you have perfectly wonderful OS stacks that handle all your packet processing?"
00:01:39.000
Well, like I said, I test network equipment, so very often I have to create strange packets that would never be found in the real world.
00:01:46.000
I do this to observe how security devices and routers interact with such packets.
00:01:52.680
Do they fail if you send them packets that are ridiculously large or small, or a great number of them?
00:01:59.240
It's the same with security equipment, which is supposed to prevent attacks.
00:02:05.039
If I can perform weird TCP reordering, will that affect your IDS?
00:02:11.160
You may also want to capture packets and sanitize them.
00:02:16.280
For example, you might massively rewrite IP addresses or MAC addresses for sharing.
00:02:21.480
You want to share data but not reveal your identity, which is common in the security community.
00:02:26.640
By the way, this is my first language conference and definitely my first Ruby conference.
00:02:32.800
It's very different from security conferences.
00:02:38.040
I see many open notebooks here. You don't see that much at security conferences because people are paranoid.
00:02:45.120
They're concerned about being on untrusted networks surrounded by strangers who may hijack their devices.
00:02:50.319
Apparently, you guys don't mind. Our badges are definitely less cool than those at Defcon.
00:02:57.000
They are much easier to forge.
00:03:02.400
So why would you want to sniff packets on the wire instead of relying on your applications for that?
00:03:08.760
You may have connectivity issues and want to see what's happening at the packet level.
00:03:15.159
One of my favorite things to do with packets at a lower level is device fingerprinting.
00:03:20.640
I want to know how many MAC addresses are in the room, or what your web server really is.
00:03:27.599
You may have an IIS banner, or you may have an Apache banner, but you could be dishonest, and the packets will reveal the truth.
00:03:33.920
In almost all cases.
00:03:41.200
And lastly, for application reversing, if I'm dealing with an application that may not have an RFC,
00:03:49.959
like everything from Oracle, I want to understand how it works at the wire level for reimplementation.
00:03:55.840
This is largely what I do when I'm not engaged in security work, so I need to examine packets as they appear on the wire.
00:04:03.040
So why Ruby? Like I mentioned earlier, I just picked up Ruby, and it's super rad.
00:04:10.640
All the usual reasons apply: Ruby is object-oriented, and so forth.
00:04:16.239
Threading might not be the greatest, but it is super easy.
00:04:23.120
Ruby is cross-platform; it works great on all the environments I care about, which are Linux and Windows.
00:04:30.360
Sorry, Mac users, but of course, Ruby is cross-platform on Macs as well.
00:04:37.120
But there's nothing available in Ruby for this kind of packet manipulation,
00:04:44.960
which is a bummer because Python has Scapy.
00:04:50.039
Has anyone here used Scapy in Python? No one?
00:04:55.840
Perl has Raw IP, which is somewhat similar.
00:05:02.960
C has Libnet, which is considered the standard for packet forging.
00:05:09.400
But there's nothing for Ruby. But wait, there is!
00:05:14.759
Did I just reinvent the wheel over the last couple of months?
00:05:20.919
There is Scruby.
00:05:26.800
Scruby was released in April of 2007; it's a port of Scapy from Python.
00:05:34.120
So if you love Scapy, you may like Scruby. Its syntax is similar, albeit rather unusual.
00:05:40.120
There's Racket, which was released this past March.
00:05:46.240
The folks at Matasano Security use RIT for their protocol debugger.
00:05:53.080
They utilize a tool called Ramble that’s built on Racket, and it's quite new and impressive.
00:05:59.840
Racket is a bit tricky for some applications, as its syntax can be verbose.
00:06:06.000
However, it’s quite strong.
00:06:11.520
There are literally thousands of different implementations of similar concepts in Ruby.
00:06:18.360
Thus, I created PacketFu, which I started in September of 2008.
00:06:26.520
Just yesterday, I even made some check-ins for bug fixes.
00:06:32.680
I began looking into this back in March, when I posted a question to the local Ruby users group.
00:06:40.520
I asked if Scruby was truly the state-of-the-art for packet manipulation in Ruby.
00:06:46.880
There was a bit of silence on the mailing list.
00:06:53.520
Then, replying a couple of days later, I thought, "Well, that's great.
00:06:59.879
I can now write this and learn Ruby at the same time!"
00:07:06.360
PacketFu is based on BinData. Has anyone here used BitStruct or BinData?
00:07:12.800
Yes? BitStruct has a great interface for some things.
00:07:20.759
However, BinData is more robust for what I need to accomplish, which is why I chose it.
00:07:26.520
So let me briefly discuss its design and core functionalities.
00:07:34.679
I utilize PcapRub because it employs libpcap, which is quite ubiquitous.
00:07:40.800
If you're doing this type of development, libpcap drives popular tools like Wireshark, TCPDump, and TCPReplay.
00:07:46.240
I definitely did not use Ruby Pcap. Don't ever rely on Ruby Pcap if you want to copy or reimplement anything related to packets.
00:07:54.199
You will search for Ruby LibPcap and find it on the first couple of pages of Google.
00:07:59.720
However, it hasn't been updated since 2001, so it isn't utilizing LibPcap's packet injection features.
00:08:06.720
The threading model employed is blocking, which is not ideal.
00:08:12.000
PcapRub is the best-kept secret in Ruby packet manipulation; you won't find it on the first couple of pages of Google.
00:08:18.960
It's actively maintained as part of the Metasploit project now.
00:08:25.680
When I began building binary structs in PacketFu, as many developers might do,
00:08:30.360
I created my own factory methods, which I called Packet Factory.
00:08:36.479
I also recently purchased a book on Ruby object-oriented design. That was a huge mistake!
00:08:42.039
I quickly abandoned this idea around April.
00:08:47.760
After that, I switched to BitStruct, as it's widely used and has a nice interface.
00:08:53.160
Unfortunately, when working with things like variable-length data or optional headers and data, BitStruct can be complicated.
00:09:00.800
However, BinData handles all that natively. It has an array type and supports reading until the end of a file.
00:09:06.000
This makes it very feature-rich. It's a structured language and is actively maintained at Ruby Forge.
00:09:12.600
The maintainer is responsive and quickly accepts patches, which is excellent.
00:09:18.360
This is somewhat what BinData headers look like. These examples come from the PacketFu documentation.
00:09:22.680
In this case, we can see the TCP header as defined by BinData.
00:09:28.360
For instance, this may show things like TCP source address, which might be a 16-bit value.
00:09:35.040
These are all pretty standard data types for network packets.
00:09:44.400
For example, four bits for the field and eight bits for another field.
00:09:50.600
The ability to work with bit widths is significantly useful when dealing with networks.
00:09:56.120
You can also define custom ones in BinData.
00:10:02.680
For instance, TCP Flags can be defined as one bit each. With BinData, you can create your own data type.
00:10:10.560
This makes implementing such applications much easier. I strongly urge you to explore BinData if you're working with binary libraries.
00:10:17.160
PacketFu creates packet headers using BinData, collecting them into packets that function like regular Ruby objects.
00:10:23.959
This is the core magic behind how PacketFu operates. There is a wealth of intelligent design regarding various packet types.
00:10:29.160
I have several basic packets currently implemented, and I plan to add many more soon.
00:10:35.280
I noticed that not many hands went up when I asked about using IDS.
00:10:41.080
However, has anyone here used Wireshark recently? About half of you.
00:10:48.320
I won't bore you with the OSI layer model; besides, I'm not sure it's entirely accurate for me.
00:10:54.239
This is a quick diagram of how PacketFu treats packets. Picture all these as objects.
00:11:01.279
This is the Ethernet header, containing elements such as source address, protocol, and payload.
00:11:08.240
There's a blank spot in the payload.
00:11:13.360
Within the payload, we have IP headers, which also include several elements like version and header length.
00:11:20.800
And a TCP header that has attributes such as source port, sequence numbers, flags, and more.
00:11:26.760
That tiny box represents the body of the TCP header, where things like SSH headers and data reside.
00:11:34.080
I generally don't go deep into the application-level protocols; I'm mainly interested in the first three layers.
00:11:41.840
You can work with application protocols in PacketFu, but that's a topic for another time.
00:11:48.720
All of this is encapsulated within a packet, which serves as the outermost object in this design.
00:11:55.680
Packets consist of headers that store elements in an array.
00:12:01.279
Header zero is the Ethernet header, header one is the IP header, and header two is the TCP header.
00:12:07.680
You can access all of these headers and read and write data.
00:12:13.159
Packets also contain payloads, primarily the body of the TCP header. The payload is typically what you're looking for.
00:12:21.240
So that's built in. Now I have to sift through everything.
00:12:27.640
I see you have TCP headers there. Can you also work with UDP packets? Absolutely!
00:12:33.960
Right now, I've implemented TCP, UDP, ICMP, ARP, and IPv6 to some extent.
00:12:40.760
I believe that's pretty much what you're going to encounter online.
00:12:45.360
One important point to mention is this star packet. This packet's identity is determined by the innermost header.
00:12:53.680
So, when you construct packets in PacketFu, it derives its type from the data.
00:13:00.480
If I have a file with ICMP packets, I simply store all the binary data into an array.
00:13:06.680
This is how packets are structured, but it's not very useful by itself.
00:13:14.360
If I establish an ICMP packet variable, it can equal an unknown packet.
00:13:20.480
This allows you to inspect the unknown packet class and determine its attributes.
00:13:28.560
The class will analyze the binary data and identify components, such as Ethernet or IP.
00:13:37.240
It will determine the type of packet being examined, such as ICMP.
00:13:43.840
This process allows for converting raw binary data into useful packets for practical applications.
00:13:50.760
Moving on, when attempting to talk to the network, you go through PcapRub.
00:13:56.760
You can transmit and receive through a network interface, requiring root privileges, of course.
00:14:06.320
When handling libraries, you can also read and write files using a standard libpcap format.
00:14:12.720
This means you can direct packets to a specific location: the default is /tmp/out.
00:14:18.720
I presume you’re using Linux, but you can easily override that with the target file name.
00:14:27.920
I have a couple of utility functions that are Singleton methods.
00:14:34.720
I favor Singletons and don't care what specific critics say about them!
00:14:42.560
One function is called Who Am I? When I began developing this, I struggled to obtain my IP address or MAC address.
00:14:49.679
I found myself doing shell commands and looking through files.
00:14:56.079
So, what the Who Am I function does is confirm who I am by sending out a packet.
00:15:03.359
Let's see if I can demo that functionality.
00:15:09.879
I prefer to avoid revealing sensitive information this early.
00:15:14.920
Let’s just check if it works.
00:15:19.920
Oh, right! I need root access.
00:15:25.440
Oh wait, the password will be concealed.
00:15:32.920
Great! I'm connected.
00:15:41.880
This is Wireshark for anyone who hasn't seen it.
00:15:48.520
So, in the context of PacketFu, the Who Am I utility sends out a packet to check who I am.
00:15:54.760
Then, I will capture that packet and read the response.
00:16:02.160
After capturing, I'll get back the matching data, confirming my identity.
00:16:09.120
Unluckily, this requires root privileges.
00:16:16.320
I also have ARP functionality because I don't want to crawl through usual ARP tools.
00:16:24.760
I've created a function to generate ARP packets.
00:16:31.920
You can, for example, generate an ARP table using my utility.
00:16:39.480
I employed various mnemonic functions within the processes.
00:16:46.560
You send packets through PcapRub, or you can utilize the send method.
00:16:54.720
If W is your default interface, that's also easy to incorporate.
00:17:02.160
In PacketFu, the to_f method saves packets to a file, which we mentioned earlier.
00:17:09.680
This framework simplifies packet creation.
00:17:16.960
For example, you can create a new UDP packet by recycling an old TCP packet payload.
00:17:22.720
This helps in modifying your data to appear UDP-ified.
00:17:29.280
Still applicable, I also support varied packet flavors.
00:17:37.679
I haven't fleshed out this feature yet, but I aim to improve it soon.
00:17:45.520
Have any of you used Nmap or p0f? My knowledge suggests that such functionality is very evolving.
00:17:52.960
Like device impersonation, for example, you can create realistic packet headers.
00:17:59.440
You can impersonate other operating systems by establishing packet flavors.
00:18:06.160
This could be beneficial for things like asset management on managed networks.
00:18:11.760
Once you understand your devices, you might wish to query how many Apple devices are accessible.
00:18:17.720
I will be introducing additional features as they develop.
00:18:24.680
Currently, the version is 0.03, and improvements will be added down the line.
00:18:31.440
I invite you to check out the utility at the specified location.
00:18:38.440
I encourage everyone to download it, but please avoid attacking anyone!
00:18:45.720
You can manipulate various headers and packet flavors.
00:18:54.440
Such as deploying distributed scanning techniques, which can scan for a variety of device fingerprints.
00:19:01.440
I have a friend crafting a distributed scanner using the concepts I discussed.
00:19:10.160
Wait, let's circle back and discuss upcoming innovations for PacketFu.
00:19:17.360
I see a future where this tool may find incorporation into Metasploit.
00:19:22.760
Both HD and I aren't particularly keen on Scruby's implementation, given its quirks.
00:19:29.200
I intend for PacketFu to eventually replace it, so if you use the Metasploit framework, PacketFu will be included.
00:19:40.000
In addition to this concept, I plan to develop streamlined packet response code.
00:19:45.440
This will allow users to receive responses in real-time.
00:19:54.960
As it stands, a comprehensive TCP reassembly process remains on my radar.
00:20:00.360
I feel this generally falls under the application developer's responsibility.
00:20:09.240
However, I presume I'll have to tackle this issue eventually!
00:20:15.840
The Honeypot Demaster is another concept I wanted to showcase.
00:20:22.920
I believe this functions as a charming decoy for unsuspecting attackers.
00:20:29.560
Much like the classic Phantom of the Carnival scenario—only a digital version!
00:20:37.200
By crafting and generating packets tailored to mislead them, perhaps they may think they are probing an actual service.
00:20:44.160
These measures are critical for asset management in networks where user permissions may not be guaranteed.
00:20:51.080
This ability has potential usability in terms of inquiries about device counts.
00:20:58.440
I can zip around stealthily while gathering relevant information.
00:21:05.760
It's necessary for me to refactor any remaining kinks in the application.
00:21:12.960
A series of rational test cases need to be constructed as well.
00:21:20.160
Since I primarily operate within IRB, my functional tests typically only confirm success.
00:21:28.440
That's the game plan post-RubyConf.
00:21:36.720
Once again, you can find the tool at code.google.com.
00:21:42.890
It's not up on Ruby Forge yet. This is just a trial to increase visibility.
00:21:49.480
I'm open to any questions or comments regarding the presentation.
00:21:56.640
Thank you for your attention!
00:22:03.440
Any additional inquiries before we conclude?
00:22:08.440
I'll definitely make myself available.
00:22:15.240
I’m also keen to learn about various perspectives.
00:22:20.240
And if there are no further questions, I will step away for now.
00:22:27.280
Once again, thank you everyone, and I hope you enjoy the rest of the conference.
00:22:35.400
Take care!