Dailydave mailing list archives
Defeating Correlation with Pretty Pictures
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 17 Apr 2006 10:35:13 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So one thing I've noticed is that while everyone is using graphs (inspired by Halvar) to look at programs, few people are using graphs in their exploit frameworks. For example, right now, CANVAS is basically a tree structure: 1.1.1.1 attacks 2.2.2.2, which attacks 3.3.3.3, etc. But networks aren't a tree structure. Networks are a confusing graph. The host 3.3.3.3 is the same host for both 1.1.1.1 and 2.2.2.2, for example.

Displaying your captured machines and their knowledge of the world as a graph instead of a tree structure allows the attacker to do more complex things with fewer brain-cycles. For example, dragging a file from one host to another can take the shortest route between those two nodes over your covert network. And you should be able to establish multiple connections around your covert network with a simple drag of the mouse. That way, if someone pulls the plug on one of your nodes while you're hacking, you still have another way to get deeper into the network. You just tell it to route some other way, or make it do auto-route detection.

A lot of security products are championing correlation of attacks. Well, they pretty much have for the last 6 years. I'm not sure how much the correlation-of-attacks stuff got used in the market, but it's been around, and there is that wacky govt project to do similar things on a bigger scale (http://cryptome.org/traceback.htm).

To combat this, once you know that N nodes have the same world view with respect to a third node, you can attack that third node from N nodes at once (routed in Y ways over your covert network, ideally, but we don't have this implemented). In other words: if you go into next month's CANVAS and hack a few boxes, say, box A and box B, it'll pop up two new nodes. You can then select those nodes, and a target C, and click on any exploit. That exploit will hack box C by doing random connections from both box A and box B.

Right now this is most useful for simple things like portscans, in which an IDS (or a human with tethereal) does correlation as part of their default setup. But as defenses get more complex with regards to attack correlation, this will make their lives really hard. :> And it's fun to see on the network. :>

-dave

P.S. I killed the other threads. After you've shown that the emperor has no clothes, all that's left is to point at his private parts and make comments about his personal hygiene, which I felt was getting a bit boring. Really, all defense gets pretty boring pretty quickly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFEQ6ehB8JNm+PA+iURAlQLAJ9Q1KUAdZ5eOx9Xi+jm8m443INZhgCgv9m3
4i9I1OkHKZCboATplPl8dQ8=
=o3Tm
-----END PGP SIGNATURE-----
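The graph model the message describes (captured hosts as nodes, shortest-route transfers over the covert network, rerouting when a node is pulled, and attacking a target from every node that can see it), as an added example in Python. This is not CANVAS code and not part of the original post. The hosts 1.1.1.1, 2.2.2.2 and 3.3.3.3 and the 1.1.1.1/2.2.2.2 cross-link come from the message; the "attacker" node and a second foothold, 4.4.4.4, are constructed so the reroute has somewhere to go. The block only plans the connections; actually opening them over the covert network is out of scope.

```python
"""Covert network of compromised hosts as a directed graph.

Added example, not CANVAS code. 1.1.1.1, 2.2.2.2 and 3.3.3.3 are from the
post; "attacker" and 4.4.4.4 are constructed for the demo.
"""
import random
from collections import deque


class CovertNet:
    """Edge src -> dst means compromised host src can open a connection to
    dst (src 'knows about' dst). Links are directional: a DMZ box may reach
    an internal server while the reverse is filtered."""

    def __init__(self):
        self.edges = {}  # host -> set of hosts it can reach directly

    def add_host(self, host):
        self.edges.setdefault(host, set())

    def add_link(self, src, dst):
        self.add_host(src)
        self.add_host(dst)
        self.edges[src].add(dst)

    def remove_host(self, host):
        """Someone pulled the plug: drop the node and every link into it."""
        self.edges.pop(host, None)
        for neighbours in self.edges.values():
            neighbours.discard(host)

    def shortest_route(self, src, dst):
        """Breadth-first search over the live graph. Returns the hop list
        (src first, dst last), or None when dst is no longer reachable.
        Neighbours are visited in sorted order so results are deterministic."""
        if src not in self.edges or dst not in self.edges:
            return None
        prev = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                hops = []
                while cur is not None:
                    hops.append(cur)
                    cur = prev[cur]
                return hops[::-1]
            for nxt in sorted(self.edges[cur]):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None

    def hosts_that_see(self, target):
        """Every compromised node with a direct link to target: they share
        the same world view of it and can all serve as attack sources."""
        return sorted(h for h, nbrs in self.edges.items() if target in nbrs)

    def plan_multisource_attack(self, origin, sources, target, n_connections, seed=None):
        """Spread n_connections to target over the sources at random, and
        route each one from origin to its source over the covert network.
        Returns a list of (source, route) pairs; raises if nothing sees target."""
        rng = random.Random(seed)
        usable = [s for s in sources if target in self.edges.get(s, ())]
        if not usable:
            raise ValueError("none of %r can reach %s" % (sources, target))
        plan = []
        for _ in range(n_connections):
            src = rng.choice(usable)
            plan.append((src, self.shortest_route(origin, src)))
        return plan


def build_demo_net():
    """Tree from the post (attacker -> 1.1.1.1 -> 2.2.2.2 -> 3.3.3.3), the
    cross-link that makes it a graph (1.1.1.1 also sees 3.3.3.3), and a
    constructed second foothold 4.4.4.4 for the reroute demo."""
    net = CovertNet()
    net.add_link("attacker", "1.1.1.1")
    net.add_link("1.1.1.1", "2.2.2.2")
    net.add_link("2.2.2.2", "3.3.3.3")
    net.add_link("1.1.1.1", "3.3.3.3")
    net.add_link("attacker", "4.4.4.4")
    net.add_link("4.4.4.4", "2.2.2.2")
    return net


def demo():
    net = build_demo_net()
    before = net.shortest_route("attacker", "3.3.3.3")  # direct via 1.1.1.1
    sources = net.hosts_that_see("3.3.3.3")             # 1.1.1.1 and 2.2.2.2
    plan = net.plan_multisource_attack("attacker", sources, "3.3.3.3", 6, seed=2006)
    net.remove_host("1.1.1.1")                          # plug pulled mid-hack
    after = net.shortest_route("attacker", "3.3.3.3")   # reroutes via 4.4.4.4
    return {"before": before, "sources": sources, "plan": plan, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The one design point worth noting: the attack sources are chosen per connection, not per target, so a correlator that keys on source address sees the work on 3.3.3.3 split across whichever nodes happened to be picked, while the per-connection route lets a dropped relay be replaced by recomputing the BFS rather than restarting the operation.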
Current thread:
- Defeating Correlation with Pretty Pictures Dave Aitel (Apr 17)