Post on 30-May-2018
8/9/2019 Playing With SAT 1.2 - Hacklu
http://slidepdf.com/reader/full/playing-with-sat-12-hacklu 1/98
Playing in a Satellite environment 1.2
Christian Martorella
Leonardo Nve
cmartorella@s21sec.com
Wednesday, November 11, 2009
Why 1.2?
1. because I’m sure that some people will publish more attacks.
.2 because there are previous presentations about satellites.
Who commented this before?
Warezzman – (in 2004 at Undercon VIII, first Spanish hacker CON)
Jim Geovedi & Raditya Iryandi (HITBSecConf2006)
Andre Adelbach (Hack.lu 2006)
Adam Laurie (Blackhat 2009 at DC)
Leonardo Nve at S21Sec Blog (February 2009)
Intro to SAT
A satellite is a radio-frequency repeater that is launched by a rocket and placed in orbit around the earth.
Intro to SAT
Orbit based satellites
▪ Low Earth orbiting (LEO)
▪ Geostationary orbit (GEO)
▪ Other: Molniya, High (HEO), etc.
Function based satellites
▪ Communications
▪ Earth observation
▪ Other: Scientific, ISS, GPS, etc.
Intro to SAT
Satellite LEO
▪ Meteorological
▪ HAM (Amateur Radio Operator)
▪ GPS
Satellite GEO
▪ UFO (UHF Follow ON) Military
▪ Inmarsat
▪ Meteorological (Meteosat)
▪ SCPC / Telephony link FDMA
The signal from the sky you have been waitin
DVB
Defines audio and video transmission, and data connections.
Standard of the “European Telecommunications Standards Institute” (ETSI).
DVB-S & DVB-S2 are the specifications for satellite communications.
DVB-S
Transponder: Like channels (in Satellite comms)
▪ Frequency (C band or Ku). Ex: 12.092 GHz
▪ Polarization. (horizontal/vertical)
▪ Symbol Rate. Ex: 27500Kbps
▪ FEC.
Every satellite has many transponders onboard which are operating on different frequencies
DVB-S TS (Transport Stream)
Packet layout (Header + Body): 0x47 | Flags | PID | Flags | Adaptation Field | Data
Program ID (PID): It permits different programs at the same transponder with different components [Example BBC1 PIDs: 600 (video), 601 (English audio), 603 (subtitles), 4167 (teletext)]
Special PIDs: NIT (Network Information Table), SDT (Service Description Table), PMT (Program Map Tables), PAT (Program Association Table).
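The packet layout above, parsed in code. This is an added example, not part of the original slides: it splits 188-byte transport stream packets into the header fields and reports, per PID, how many packets carry the TS-level scrambling bits, which is the first thing to check when auditing whether a feed goes out in the clear. The sample stream, `build_packet` and PID 1234 are constructed for illustration.

```python
import struct

TS_PACKET_SIZE = 188   # fixed MPEG transport stream packet length
SYNC_BYTE = 0x47       # first byte of every packet


def parse_ts_packet(packet: bytes) -> dict:
    """Split one 188-byte packet into its header fields and payload."""
    if len(packet) != TS_PACKET_SIZE:
        raise ValueError("a TS packet is exactly 188 bytes")
    sync, flags_pid, flags2 = struct.unpack(">BHB", packet[:4])
    if sync != SYNC_BYTE:
        raise ValueError("lost sync: first byte is not 0x47")
    afc = (flags2 >> 4) & 0x3          # adaptation_field_control
    fields = {
        "transport_error": bool(flags_pid & 0x8000),
        "payload_unit_start": bool(flags_pid & 0x4000),
        "pid": flags_pid & 0x1FFF,     # 13-bit PID
        "scrambling": flags2 >> 6,     # 0 = not scrambled at TS level
        "continuity": flags2 & 0x0F,
        "adaptation": b"",
        "payload": b"",
    }
    offset = 4
    if afc & 0x2:                      # adaptation field present
        af_len = packet[4]
        if af_len > TS_PACKET_SIZE - 5:
            raise ValueError("adaptation field overruns the packet")
        fields["adaptation"] = packet[5:5 + af_len]
        offset = 5 + af_len
    if afc & 0x1:                      # payload present
        fields["payload"] = packet[offset:]
    return fields


def summarize_pids(stream: bytes) -> dict:
    """Per-PID packet count and how many of those packets are scrambled."""
    summary = {}
    for start in range(0, len(stream) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE):
        pkt = parse_ts_packet(stream[start:start + TS_PACKET_SIZE])
        entry = summary.setdefault(pkt["pid"], {"packets": 0, "scrambled": 0})
        entry["packets"] += 1
        entry["scrambled"] += 1 if pkt["scrambling"] else 0
    return summary


def build_packet(pid, payload, scrambling=0, counter=0, adaptation=None):
    """Build a constructed sample packet (test data only, 0xFF padded)."""
    afc = 0x1 | (0x2 if adaptation is not None else 0)
    body = b"" if adaptation is None else bytes([len(adaptation)]) + adaptation
    body += payload
    if len(body) > TS_PACKET_SIZE - 4:
        raise ValueError("payload does not fit in one packet")
    header = struct.pack(">BHB", SYNC_BYTE, 0x4000 | pid,
                         (scrambling << 6) | (afc << 4) | (counter & 0x0F))
    return header + body.ljust(TS_PACKET_SIZE - 4, b"\xff")


# Constructed stream: the BBC1 PIDs from the slide plus a hypothetical
# scrambled PID 1234.
SAMPLE_STREAM = b"".join([
    build_packet(600, b"video-0", counter=0),
    build_packet(601, b"audio-0", counter=0),
    build_packet(600, b"video-1", counter=1, adaptation=b"\x00"),
    build_packet(1234, b"\x8a\x11\x5c", scrambling=2, counter=0),
])

if __name__ == "__main__":
    for pid, info in sorted(summarize_pids(SAMPLE_STREAM).items()):
        print(pid, info)
```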
DVB Feeds
Temporary video links.
Live broadcasts, sports, news.
FTA – Video in the open (unencrypted).
DVB Feeds
Hispasat Pre newsfeed (live news)
ATLAS Agency to TV feeds
DVB Feeds
Find feeds:
Lists of channels on the web
Blind Scan
Visual representations of the signal
Dr HANS: http://drhans.jinak.cz/news/index.php
Zackyfiles: http://www.zackyfiles.com (in Spanish)
Satplaza: http://www.satplaza.com
DVB Data
Two scenarios
Satmodem
Satellite Interactive Terminal (SIT) or Astromodem
DVB Data - Satmodem
[Diagram, built up over four slides; labels: CLIENT, ISP, INTERNET, DOWNLINK, UPLINK, POTS/GPRS/3G UPLINK, ISP’s UPLINK]
DVB Data - Astromodem
[Diagram; labels: CLIENT, ISP, INTERNET, DOWNLINK & UPLINK, ISP DOWNLINK & UPLINK]
Satellite Coverage
Anyone with coverage can SNIFF the DVB Data, and usually it is unencrypted.
DVB Data
What you need:
▪ Skystar 2 DVB Card
▪ linuxtv-dvb-apps
▪ Wireshark
▪ The antenna
▪ Data to point it.
DVB Data
We bought it for 50€!!! from a PayTV ex-”hacker” :P (Including a set-top box that we will not use)
DVB Data
Linux has the modules for this card by default, we only need the tools to manage it:
linuxtv-dvb-apps
Sniffing Data
Once the antenna and the card are installed and linuxtv-dvb-apps is compiled and installed, the process is:
1- Tune the DVB Card
2- Find a PID with data
3- Create an Ethernet interface associated to that PID
We can repeat steps 2 and 3 as many times as we want.
Sniffing Data
Tune DVB Card
The tool we must use is szap, and we need the transponder’s parameters in a configuration file.
For example, for “Sirius-4 Nordic Beam":
# echo "sirius4N:12322:v:0:27500:0:0:0" >> channels.conf
http://www.fastsatfinder.com/transponders.html
Sniffing Data
We run szap with the channel configuration file and the transponder we want to use (the configuration file can have more than one).
# szap -c channels.conf sirius4N
We must keep it running.
Sniffing Data
Find a PID
# dvbsnoop -s pidscan
Search for data sections in the results.
Sniffing Data
Create an interface associated to a PID
# dvbnet -a <adapter number> -p <PID>
Activate it
# ifconfig dvb0_<iface number> up
Sniffing Data
Back to the pidscan results
Sniffing Data
Create another interface
Sniffing Data
Wireshark is our friend
16358 packets in 10 seconds
Sniffing Data
Malicious users can:
▪ Catch passwords.
▪ Catch cookies and get into authenticated HTTP sessions.
▪ Read emails
▪ Catch sensitive files
▪ Do traffic analysis
▪ Etc.
We can have more than one PID assigned to an interface; this will be very useful.
Sniffing Data
Reminder:
In satellite communications we have two scenarios:
A- Satmodem, Only Downlink via Satellite
B- Astromodem, Both uplink and downlink via Satellite.
Sniffing Data
In the Satmodem scenario we can only sniff the downloaded data. We can only sniff one direction in a connection.
Sniffing data
In an astromodem scenario, and depending on the infrastructure configuration, we can find a PID used to send the uploaded packets to the main ISP to be routed to the Internet, so we can sniff all the traffic, uploaded and downloaded data.
(¿¿??)
Wardriving? no way...
SatDriving
Active Attacks
For this chapter, we will assume throughout that we are in a Satmodem scenario, so we can't sniff uploaded data of the client with the Satlink.
Some “old” Stuff in Sat hacking
DNS Spoofing
TCP hijacking
Attacking GRE
DNS Spoofing
DNS Spoofing is the art of making a DNS entry to point to another IP than it would be supposed to point to. (SecureSphere)
DNS Spoofing
Data we need to perform this attack
▪ DNS Request ID
▪ Source Port
▪ Source IP
▪ Destination IP
▪ Name/IP asking for
DNS Spoofing
It's trivial to see that if we sniff a DNS request we have all that information and we can spoof the answer.
Many tools around do this job; the only thing we also need is to be faster than the real DNS server (jizz).
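A defender-side check for the race described above, as an added example that is not part of the original slides: because the forged answer only has to arrive first, the client side still sees the real server's answer shortly afterwards, so two different answers for the same client port, request ID and name inside a short window are the signal to alert on. The log format, field names, addresses and the 2-second window are constructed assumptions.

```python
# Constructed DNS response log, one response per line:
# time(s)  server  client:port  request-id  name  answer
SAMPLE_LOG = """\
10.000 192.0.2.53 198.51.100.7:40211 0x1a2b www.example.com 203.0.113.10
10.180 192.0.2.53 198.51.100.7:40212 0x77c1 mail.example.com 203.0.113.25
10.185 192.0.2.53 198.51.100.7:40212 0x77c1 mail.example.com 198.51.100.99
11.400 192.0.2.53 198.51.100.7:40213 0x0042 cdn.example.com 203.0.113.40
11.950 192.0.2.53 198.51.100.7:40213 0x0042 cdn.example.com 203.0.113.40
"""


def parse_line(line: str) -> dict:
    """Turn one log line into a record keyed by the fields a spoofer needs."""
    ts, server, client, txid, qname, answer = line.split()
    client_ip, client_port = client.rsplit(":", 1)
    return {
        "time": float(ts),
        "server": server,
        "client": client_ip,
        "port": int(client_port),
        "txid": int(txid, 16),
        "qname": qname.lower().rstrip("."),
        "answer": answer,
    }


def find_conflicts(log_text: str, window: float = 2.0) -> list:
    """Report responses that contradict an earlier answer to the same query.

    A plain retransmission (same answer twice) is not reported; only a
    second response with a different answer inside the window is.
    """
    records = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda rec: rec["time"],
    )
    first_seen = {}
    alerts = []
    for rec in records:
        key = (rec["client"], rec["port"], rec["txid"], rec["qname"])
        first = first_seen.get(key)
        if first is None or rec["time"] - first["time"] > window:
            first_seen[key] = rec          # new query, or an old key reused
        elif rec["answer"] != first["answer"]:
            alerts.append({
                "client": rec["client"],
                "qname": rec["qname"],
                "txid": rec["txid"],
                "first_answer": first["answer"],   # the one the client used
                "later_answer": rec["answer"],
                "gap": round(rec["time"] - first["time"], 3),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE_LOG):
        print(alert)
```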
DNS Spoofing
Why is this attack important?
Phishing attacks
With this attack, uplink sniffing can be possible
▪ Rogue WPAD service
▪ Sslstrip can be used to avoid SSL connections.
TCP hijacking
TCP session hijacking is when an attacker takes over a TCP session between two machines. (ISS)
TCP hijacking
If we sniff 1 we can predict Seq and Ack of 2, and we can send the payload we want in 2.
A <-> B
1: Seq=S1 ACK=A1 Datalen=L1
2: Seq=A1 ACK=S1+L1 Datalen=L2
3: Seq=S1+L1 ACK=A1+L2 Datalen=L3
TCP Hijacking
Initially we can only have a false connection with A.
In certain circumstances, we can make this attack with B, when L2 is predictable.
Some tools for doing this:
▪ Hunt
▪ Shijack
▪ Scapy
Attacking GRE
Generic Routing Encapsulation
Point to point tunneling protocol
13% of Satellite’s data traffic in our transponder is GRE
Attacking GRE
This chapter is based on Phenoelit’s discussion paper written by FX, applied to the satellite scenario.
Original paper:
http://www.phenoelit-us.org/irpas/gre.html
Attacking GRE
[Diagram; labels: INTERNET, HQ, Remote Office (three of them)]
Attacking GRE
Find a target:
# tshark -ni dvb0_0 -R gre -w capture.cap
Attacking GRE
GRE Packet
| IP dest 1 | IP source 1 |
| GRE header |
| Payload IP dest | Payload IP source |
| Payload IP Header |
| Payload Data |
• IP dest 1 and IP source 1 must be Internet reachable
• The payload's IPs usually are internal.
Attacking GRE
[Diagram; labels: INTERNET, 1.1.1.2, 1.1.1.1, 10.0.0.54, 10.0.0.5; packet (*) marked]
Attacking GRE
(*) GRE Packet
| 1.1.1.1 | 1.1.1.2 |
| GRE header (32 bits without flags) |
| 10.0.0.5 | 10.0.0.54 |
| Payload IP Header |
| Payload Data |
Attacking GRE
[Diagram; labels: 1.1.1.2, 1.1.1.1, 10.0.0.54, 10.0.0.5; packet (1) marked]
Attacking GRE
(1) GRE Packet
| 1.1.1.1 | 1.1.1.2 |
| GRE header (32 bits without flags) |
| 10.0.0.5 | 10.0.0.54 |
| Payload IP Header |
| Payload Data |
Attacking GRE
[Diagram; labels: 1.1.1.2, 1.1.1.1, 10.0.0.54, 10.0.0.5; packets (1) and (2,3) marked]
Attacking GRE
(2) IP Packet
| 10.0.0.5 | 10.0.0.54 |
| IP header |
| Data |
(3) IP Packet
| 10.0.0.54 | 10.0.0.5 |
| IP header 2 |
| Data 2 |
Attacking GRE
[Diagram; labels: 1.1.1.2, 1.1.1.1, 10.0.0.54, 10.0.0.5; packets (1), (2,3) and (4) marked]
Attacking GRE
(4) GRE Packet
| 1.1.1.2 | 1.1.1.1 |
| GRE header (32 bits without flags) |
| 10.0.0.54 | 10.0.0.5 |
| Payload IP Header 2 |
| Payload Data 2 |
Attacking GRE
In Phenoelit's attack the payload’s IP source is our public IP. This attack fails when that IP isn't reachable from the internal LAN, and you can be logged.
I use an internal IP because we can sniff the responses.
To improve the attack, find an internal IP that is not used.
HTSNACBT Attack
How To Scan NSA And Cannot Be Traced
HTSNACBT Attack
We can spoof (putting a satellite’s routable source IP) a SYN packet with any destination IP and TCP port, and we can sniff the responses.
We can analyze the responses.
HTSNACBT Attack
OR… We can configure our Linux box like a satellite connected host.
VERY EASY!!!
HTSNACBT Attack
What we need:
An Internet connection (let’s use it as uplink) with any technology which lets you spoof your source address.
A receiver, a card….
HTSNACBT Attack
Let’s rock!
Find a satellite IP not used. I ping IPs next to another sniffable satellite IP to find a non responding IP. We must sniff our ping with the DVB Card (you must save the packets).
This will be our IP!
HTSNACBT Attack
Configure Linux to use it.
We need our router’s MAC
HTSNACBT Attack
Configure our dvb interface to receive this IP (I suppose that you have configured the PID…)
The IP is the one we have selected, and from the ICMP scan we must get the destination MAC that was sniffed.
HTSNACBT Attack
I use netmask /32 to avoid routing problems
HTSNACBT Attack
Now we can configure our Internet interface with the same IP and configure a default route with a false router, setting this one with a static MAC (our real router’s MAC).
HTSNACBT Attack
IT WORKS!
That’s all !!!
HTSNACBT Attack - Connection
[Diagram; labels: CLIENT, INTERNET, DOWNLINK DVB, UPLINK via CABLE MODEM, ISP’s UPLINK]
HTSNACBT Attack
Some things you must remember:
The DNS server you use must allow request from any
or you must use the satellite ISP DNS server.
If you have any firewall (iptables) disable it.
Everything you do can be sniffed by other users
HTSNACBT Attack
Now attacking GRE is very easy: you only need to configure your Linux with the IP of one of the routers (the one with the satellite connection) and configure the tunneling.
http://www.google.es/search?rlz=1C1GPEA_en___ES312&sourceid=chrome&ie=UTF-8&q=configuring+GRE+linux
The other scenario
What happens in the scenario where the client uses an astromodem?
We can capture the downlink and the uplink, so all these attacks are easier to do.
We can capture all queries for the DNS Spoofing attack.
We can capture all traffic in a TCP connection, so we can hijack easily in any direction.
What TODO now?
Leonardo is studying the different methods to trace illegal users. (He only has a few ideas.)
In the future we would like to study the possibilities of sending DVB (or other protocol) data to a satellite via Astromodem.
Conclusions
Satellite communications are insecure.
They can be sniffed.
A lot of attacks can be made; we talked about only a few layer 4 and layer 3 attacks.
With these technologies in our sky, an anonymous connection is possible.
Many kinds of Denial of Service are also possible.