Source: archive.hack.lu/2009/Playing with SAT 1.2 - Hacklu.pdf
Playing in a Satellite environment 1.2
Christian Martorella, Leonardo Nve
Wednesday, November 11, 2009
Why 1.2?
1. because I’m sure that some people will publish more attacks.
.2 because there were previous presentations about satellites.
Who has covered this before?
Warezzman (in 2004 at Undercon VIII, the first Spanish hacker CON)
Jim Geovedi & Raditya Iryandi (HITBSecConf2006)
Andre Adelsbach (Hack.lu 2006)
Adam Laurie (Blackhat 2009 at DC)
Leonardo Nve at S21Sec Blog (February 2009)
Intro to SAT
A satellite is a radio-frequency repeater that is launched by a rocket and placed in orbit around the earth.
Intro to SAT
Orbit based satellites
▪ Low Earth orbiting (LEO)
▪ Geostationary orbit (GEO)
▪ Other: Molniya, High (HEO), etc.
Function based satellites
▪ Communications
▪ Earth observation
▪ Other: Scientifics, ISS, GPS, etc.
Intro to SAT
Satellite LEO
▪ Meteorological
▪ HAM (Amateur Radio Operator)
▪ GPS
Satellite GEO
▪ UFO (UHF Follow ON) Military
▪ Inmarsat
▪ Meteorological (Meteosat)
▪ SCPC / Telephony link FDMA
The signal from the sky you have been waiting for
DVB
Defines audio and video transmission, and data connections.
Standard of “European Telecommunications Standards Institute” (ETSI).
DVB-S and DVB-S2 are the specifications for satellite communications.
DVB-S
Transponder: like channels (in satellite comms)
▪ Frequency (C band or Ku). Ex: 12.092Ghz
▪ Polarization (horizontal/vertical)
▪ Symbol Rate. Ex: 27500Kbps
▪ FEC
Every satellite has many transponders onboard, operating on different frequencies.
DVB-S TS (Transport Stream)
Packet layout (Header, then Body): 0x47 | Flags | PID | Flags | Adaptation Field | Data
Program ID (PID): allows several programs on the same transponder, each with different components [Example BBC1 PIDs: 600 (video), 601 (English audio), 603 (subtitles), 4167 (teletext)]
Special PIDs: NIT (Network Information Table), SDT (Service Description Table), PMT (Program Map Tables), PAT (Program Association Table).
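The header fields above, decoded from a 188-byte transport stream packet, as an added example (not from the original slides). It inventories the PIDs on a carrier and reports which are scrambled, which is how an operator can check what their own link sends in the clear. The sample stream is constructed and reuses the BBC1 PID numbers from the slide; all function names are this example's own.

```python
from collections import defaultdict

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
# PIDs fixed by the MPEG-2 / DVB specifications. PMT PIDs are not fixed:
# the PAT lists them per program.
WELL_KNOWN_PIDS = {0x0000: "PAT", 0x0010: "NIT", 0x0011: "SDT", 0x1FFF: "null packet"}


def parse_ts_packet(packet):
    """Decode the 4-byte TS header and return its fields plus the payload bytes."""
    if len(packet) != TS_PACKET_SIZE or packet[0] != SYNC_BYTE:
        raise ValueError("not a 188-byte packet starting with sync byte 0x47")
    b1, b2, b3 = packet[1], packet[2], packet[3]
    afc = (b3 >> 4) & 0x3              # adaptation_field_control
    offset = 4
    if afc & 0x2:                      # adaptation field: 1 length byte + body
        offset += 1 + packet[4]
    if offset > TS_PACKET_SIZE:
        raise ValueError("adaptation field overruns the packet")
    return {
        "transport_error": bool(b1 & 0x80),
        "payload_unit_start": bool(b1 & 0x40),
        "pid": ((b1 & 0x1F) << 8) | b2,     # 13-bit PID
        "scrambling": (b3 >> 6) & 0x3,      # 0 means the payload is in the clear
        "continuity_counter": b3 & 0x0F,
        "payload": packet[offset:] if afc & 0x1 else b"",
    }


def pid_inventory(stream):
    """Count packets per PID and how many of them carry a scrambled payload."""
    inventory = defaultdict(lambda: {"packets": 0, "scrambled": 0})
    for start in range(0, len(stream) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE):
        try:
            fields = parse_ts_packet(stream[start:start + TS_PACKET_SIZE])
        except ValueError:
            continue                        # skip damaged packets
        entry = inventory[fields["pid"]]
        entry["packets"] += 1
        if fields["scrambling"]:
            entry["scrambled"] += 1
    return dict(inventory)


def make_packet(pid, payload, scrambling=0, adaptation=None, counter=0):
    """Build a constructed TS packet for the demo (padding is 0xFF)."""
    afc = 0x1 | (0x2 if adaptation is not None else 0x0)
    header = bytes([
        SYNC_BYTE,
        0x40 | ((pid >> 8) & 0x1F),
        pid & 0xFF,
        (scrambling << 6) | (afc << 4) | (counter & 0x0F),
    ])
    field = bytes([len(adaptation)]) + adaptation if adaptation is not None else b""
    return header + (field + payload).ljust(TS_PACKET_SIZE - 4, b"\xff")


# Constructed sample: PAT, two clear video packets, audio with an adaptation
# field, and one scrambled teletext packet.
SAMPLE_STREAM = b"".join([
    make_packet(0x0000, b"pat"),
    make_packet(600, b"video"),
    make_packet(600, b"video", counter=1),
    make_packet(601, b"audio", adaptation=b"\x00" * 7),
    make_packet(4167, b"teletext", scrambling=2),
])

if __name__ == "__main__":
    for pid, stats in sorted(pid_inventory(SAMPLE_STREAM).items()):
        label = WELL_KNOWN_PIDS.get(pid, "")
        print(f"PID {pid:5d} {label:12s} {stats}")
```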
DVB Feeds
Temporary video links.
Live broadcasts, sports, news.
FTA: video in the open (unencrypted).
DVB Feeds
Hispasat Pre news feed (live news)
ATLAS Agency to TV feeds
DVB Feeds
Find feeds:
▪ Lists of channels on the web
▪ Blind Scan
▪ Visual representations of the signal
Dr HANS: http://drhans.jinak.cz/news/index.php
Zackyfiles: http://www.zackyfiles.com (in Spanish)
Satplaza: http://www.satplaza.com
DVB Data
Two scenarios
Satmodem
Satellite Interactive Terminal (SIT) or Astromodem
DVB Data - Satmodem
[Diagram, built up over four slides. Labels: CLIENT, ISP, INTERNET, DOWNLINK, UPLINK, POTS/GPRS/3G UPLINK, ISP's UPLINK]
DVB Data - Astromodem
[Diagram. Labels: CLIENT, ISP, INTERNET, DOWNLINK & UPLINK, ISP DOWNLINK & UPLINK]
Satellite Coverage
Anyone with coverage can SNIFF the DVB Data, and usually it is unencrypted.
DVB Data
What you need:
▪ Skystar 2 DVB Card
▪ linuxtv-dvb-apps
▪ Wireshark
▪ The antenna
▪ Data to point it.
DVB Data
We bought it for 50€!!! from a PayTV ex-"hacker" :P (including a set-top box that we will not use)
DVB Data
Linux has the modules for this card by default; we only need the tools to manage it:
linuxtv-dvb-apps
Sniffing Data
Once the antenna and the card are installed and linuxtv-dvb-apps is compiled and installed, the process is:
1- Tune the DVB Card
2- Find a PID with data
3- Create an Ethernet interface associated to that PID
We can repeat steps 2 and 3 as many times as we want.
Sniffing Data
Tune DVB Card
The tool we must use is szap, and we need the transponder's parameters in a configuration file.
For example, for "Sirius-4 Nordic Beam":
# echo "sirius4N:12322:v:0:27500:0:0:0" >> channels.conf
http://www.fastsatfinder.com/transponders.html
Sniffing Data
We run szap with the channel configuration file and the transponder we want to use (the configuration file can have more than one).
# szap -c channels.conf sirius4N
We must keep it running.
Sniffing Data
Find a PID
# dvbsnoop -s pidscan
Look for the data sections in the results.
Sniffing Data
Create an interface associated to a PID
# dvbnet -a <adapter number> -p <PID>
Activate it
# ifconfig dvb0_<iface number> up
Sniffing Data
Back to the pidscan results
Sniffing Data
Create another interface
Sniffing Data
Wireshark is our friend
16358 packets in 10 seconds
Sniffing Data
Malicious users can:
▪ Catch passwords.
▪ Catch cookies and get into authenticated HTTP sessions.
▪ Read emails
▪ Catch sensitive files
▪ Do traffic analysis
▪ Etc.
We can have more than one PID assigned to an interface; this will be very useful.
Sniffing Data
Reminder: In satellite communications we have two scenarios:
A- Satmodem: only downlink via satellite.
B- Astromodem: both uplink and downlink via satellite.
Sniffing Data
In the Satmodem scenario we can only sniff the downloaded data. We can only sniff one direction of a connection.
Sniffing data
In an Astromodem scenario, and depending on the infrastructure configuration, we can find a PID used to send the uploaded packets to the main ISP to be routed to the Internet, so we can sniff all the traffic, both uploaded and downloaded data.
(¿¿??)
Wardriving? no way...
SatDriving
Active Attacks
For this chapter, we will assume throughout that we are in a Satmodem scenario, so we can't sniff the data uploaded by the client with the Satlink.
Some “old” Stuff in Sat hacking
DNS Spoofing
TCP hijacking
Attacking GRE
DNS Spoofing
DNS Spoofing is the art of making a DNS entry point to another IP than it would be supposed to point to. (SecureSphere)
DNS Spoofing
Data we need to perform this attack:
▪ DNS Request ID
▪ Source Port
▪ Source IP
▪ Destination IP
▪ Name/IP asking for
DNS Spoofing
It's trivial to see that if we sniff a DNS request we have all that information and we can spoof the answer.
Many tools do this job; the only other thing we need is to be faster than the real DNS server (jizz).
DNS Spoofing
Why is this attack important?
Phishing attacks
With this attack, uplink sniffing becomes possible
▪ Rogue WPAD service
▪ Sslstrip can be used to avoid SSL connections.
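The race described above leaves a trace on the client side: two responses for the same request that disagree. The following detector is an added example (not from the original slides) that keys responses on the same fields the slide lists (request ID, port, both IPs, name) and flags conflicting answers. The sample responses and addresses are constructed, and it assumes the sensor sees the traffic arriving at the client.

```python
import ipaddress
import struct


def read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers.
    Returns (name, offset just past the name in the original position)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length


def parse_response(msg):
    """Return (transaction id, question name, frozenset of A-record addresses)."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if not flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question DNS response")
    qname, off = read_name(msg, 12)
    off += 4                                    # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return txid, qname, frozenset(answers)


def find_conflicting_answers(responses):
    """`responses` is (resolver_ip, client_ip, client_port, udp_payload) in
    arrival order. Reports every response that contradicts the first one seen
    for the same request; identical retransmissions are ignored."""
    first_seen, alerts = {}, []
    for resolver, client, port, payload in responses:
        try:
            txid, qname, answers = parse_response(payload)
        except (ValueError, IndexError, struct.error):
            continue                            # not a parsable response
        key = (resolver, client, port, txid, qname)
        first = first_seen.setdefault(key, answers)
        if first != answers:
            alerts.append({"request": key, "first": sorted(first),
                           "later": sorted(answers)})
    return alerts


def build_response(txid, qname, addr):
    """Constructed single-answer response used as sample input."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    return header + name + struct.pack("!HH", 1, 1) + answer + ipaddress.IPv4Address(addr).packed


# Constructed sample (documentation address ranges): the second response
# answers the same request with a different address.
SAMPLE_RESPONSES = [
    ("192.0.2.53", "198.51.100.7", 40000, build_response(0x1A2B, "www.example.com", "203.0.113.80")),
    ("192.0.2.53", "198.51.100.7", 40000, build_response(0x1A2B, "www.example.com", "192.0.2.10")),
    ("192.0.2.53", "198.51.100.7", 40001, build_response(0x1A2C, "mail.example.com", "203.0.113.25")),
    ("192.0.2.53", "198.51.100.7", 40001, build_response(0x1A2C, "mail.example.com", "203.0.113.25")),
]

if __name__ == "__main__":
    for alert in find_conflicting_answers(SAMPLE_RESPONSES):
        print(alert)
```

The detector cannot tell which of the two answers is forged, only that the request was answered twice with different data.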
TCP hijacking
TCP session hijacking is when an attacker takes over a TCP session between two machines. (ISS)
TCP hijacking
If we sniff 1 we can predict Seq and Ack of 2 and we can send the payload we want in 2.
Packets exchanged between A and B:
1: Seq=S1 ACK=A1 Datalen=L1
2: Seq=A1 ACK=S1+L1 Datalen=L2
3: Seq=S1+L1 ACK=A1+L2 Datalen=L3
TCP Hijacking
Packets between A and B (1 and 3 only):
1: Seq=S1 ACK=A1 Datalen=L1
3: Seq=S1+L1 ACK=A1+L2 Datalen=L3
TCP Hijacking
Initially we can only have a false connection with A.
In certain circumstances, we can make this attack with B, when L2 is predictable.
Some tools for doing this:
▪ Hunt
▪ Shijack
▪ Scapy
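An injected packet 2 has to reuse the sequence number the genuine sender is about to use, so the receiving side sees two segments claiming the same sequence positions with different bytes. This added example (not from the original slides) detects that condition in one direction of a flow, with 32-bit wraparound handled. The flow tuple and segments are constructed sample data.

```python
SEQ_MOD = 2 ** 32   # TCP sequence numbers wrap at 32 bits


def next_seq(seq, datalen):
    """Sequence number the sender uses after `datalen` bytes (S1+L1 on the slide)."""
    return (seq + datalen) % SEQ_MOD


def find_conflicting_segments(segments):
    """Flag segments whose bytes disagree with data already seen at the same
    sequence positions of the same flow and direction.

    `segments` is an iterable of (flow, seq, payload) in capture order, where
    `flow` is a hashable (src_ip, src_port, dst_ip, dst_port) tuple.
    Identical retransmissions are normal and are not reported.
    """
    seen = {}       # flow -> {sequence position: byte value first seen there}
    alerts = []
    for flow, seq, payload in segments:
        stream = seen.setdefault(flow, {})
        mismatch = None
        for i, value in enumerate(payload):
            pos = (seq + i) % SEQ_MOD
            # setdefault stores the byte on first sight, else returns the old one
            if stream.setdefault(pos, value) != value and mismatch is None:
                mismatch = pos
        if mismatch is not None:
            alerts.append({"flow": flow, "seq": seq, "first_conflict_at": mismatch})
    return alerts


# Constructed sample: A1 = 5000. The third segment reuses Seq=A1 with
# different content; the second is a harmless retransmission.
FLOW = ("198.51.100.7", 40000, "192.0.2.80", 80)
REQUEST = b"GET /a HTTP/1.1\r\n"
SAMPLE_SEGMENTS = [
    (FLOW, 5000, REQUEST),
    (FLOW, 5000, REQUEST),
    (FLOW, 5000, b"GET /b HTTP/1.1\r\n"),
    (FLOW, next_seq(5000, len(REQUEST)), b"Host: example.com\r\n"),
]

if __name__ == "__main__":
    for alert in find_conflicting_segments(SAMPLE_SEGMENTS):
        print(alert)
```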
Attacking GRE
Generic Routing Encapsulation
Point to point tunneling protocol
13% of Satellite’s data traffic in our transponder is GRE
Attacking GRE
This chapter is based on Phenoelit's discussion paper written by FX, applied to the satellite scenario.
Original paper: http://www.phenoelit-us.org/irpas/gre.html
Attacking GRE
[Diagram. Labels: INTERNET, HQ, three Remote Offices]
Attacking GRE
Find a target:
# tshark -ni dvb0_0 -R gre -w capture.cap
Attacking GRE
GRE Packet:
IP dest 1 | IP source 1
GRE header
Payload IP dest | Payload IP source
Payload IP Header
Payload Data
• IP dest 1 and IP source 1 must be Internet reachable.
• The payload's IPs are usually internal.
Attacking GRE
[Diagram. Labels: INTERNET; addresses 1.1.1.2, 1.1.1.1, 10.0.0.54, 10.0.0.5; packet (*)]
Attacking GRE
(*) GRE Packet:
1.1.1.1 | 1.1.1.2
GRE header (32 bits without flags)
10.0.0.5 | 10.0.0.54
Payload IP Header
Payload Data
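What the packet layout above exposes when the tunnel is not encrypted, as an added example (not from the original slides): a parser that unwraps outer IP, GRE header and payload IP header, and reports when internal addressing and payload are readable. It is meant for checking captures of your own tunnels. The sample packet is constructed from the addresses on the slide; function names are this example's own.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800     # GRE protocol type for an IPv4 payload


def parse_ipv4(packet):
    """Return protocol, addresses and payload of an IPv4 packet (options skipped)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("bad IPv4 header length")
    return {
        "proto": packet[9],
        "src": ipaddress.IPv4Address(packet[12:16]),
        "dst": ipaddress.IPv4Address(packet[16:20]),
        "payload": packet[header_len:],
    }


def parse_gre(data):
    """Return (protocol type, payload) of a version 0 GRE header."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    if flags & 0x4000:
        raise ValueError("GRE source routing is not handled")
    offset = 4                              # the 32-bit header without optional fields
    for bit in (0x8000, 0x2000, 0x1000):    # checksum, key, sequence: 4 bytes each
        if flags & bit:
            offset += 4
    return proto, data[offset:]


def audit_gre(packet):
    """Describe what a passive observer learns from one GRE packet.
    Returns None when the packet is not IPv4-in-GRE."""
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE_PROTOCOL:
        return None
    proto, inner_bytes = parse_gre(outer["payload"])
    if proto != ETHERTYPE_IPV4:
        return None
    inner = parse_ipv4(inner_bytes)
    return {
        "tunnel": (str(outer["src"]), str(outer["dst"])),
        "inner": (str(inner["src"]), str(inner["dst"])),
        "internal_addressing_exposed": inner["src"].is_private or inner["dst"].is_private,
        "inner_payload": inner["payload"],
    }


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet for the demo (checksum left at 0, not verified)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload


# Constructed sample using the slide's addresses: tunnel 1.1.1.2 -> 1.1.1.1,
# payload 10.0.0.54 -> 10.0.0.5.
INNER = build_ipv4("10.0.0.54", "10.0.0.5", 17, b"constructed payload")
SAMPLE_GRE = build_ipv4("1.1.1.2", "1.1.1.1", GRE_PROTOCOL,
                        struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER)

if __name__ == "__main__":
    print(audit_gre(SAMPLE_GRE))
```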
Attacking GRE
[Diagram: endpoints 1.1.1.2 and 1.1.1.1; hosts 10.0.0.54 and 10.0.0.5; packet (1)]
Attacking GRE
(1) GRE Packet
1.1.1.1 | 1.1.1.2
GRE header (32 bits without flags)
10.0.0.5 | 10.0.0.54
Payload IP Header
Payload Data
Attacking GRE
[Diagram: endpoints 1.1.1.2 and 1.1.1.1; hosts 10.0.0.54 and 10.0.0.5; packets (1) and (2,3)]
Attacking GRE
(2) IP Packet
10.0.0.5 | 10.0.0.54
IP header
Data

(3) IP Packet
10.0.0.54 | 10.0.0.5
IP header 2
Data 2
Attacking GRE
[Diagram: endpoints 1.1.1.2 and 1.1.1.1; hosts 10.0.0.54 and 10.0.0.5; packets (1), (2,3) and (4)]
Attacking GRE
(4) GRE Packet
1.1.1.2 | 1.1.1.1
GRE header (32 bits without flags)
10.0.0.54 | 10.0.0.5
Payload IP Header 2
Payload Data 2
Attacking GRE
In Phenoelit’s attack, the payload’s source IP is our public IP. That attack fails when that IP isn’t reachable from the internal LAN, and you can be logged.
I use an internal IP because we can sniff the responses.
To improve the attack further, find an unused internal IP.
HTSNACBT Attack
HowToScanNSAAndCannotBeTraced
HTSNACBT Attack
We can spoof a SYN packet (setting a satellite-routable source IP) with any destination IP and TCP port, and we can sniff the responses.
We can analyze the responses.
HTSNACBT Attack
OR… We can configure our Linux box like a satellite-connected host.
VERY EASY!!!
HTSNACBT Attack
What we need:
An Internet connection (let’s use it as the uplink) with any technology that lets you spoof your source address.
A receiver, a card….
HTSNACBT Attack
Let’s rock! Find an unused satellite IP: I ping IPs next to another sniffable satellite IP to find a non-responding IP. We must sniff our ping with the DVB card (you must save the packets).
This will be our IP!
HTSNACBT Attack
Configure Linux to use it.
We need our router’s MAC.
HTSNACBT Attack
Configure our DVB interface to receive this IP (I suppose that you have configured the PID…)
The IP is the one we have selected, and from the ICMP scan we must get the sniffed destination MAC.
HTSNACBT Attack
Here we get the MAC address we must configure in our DVB interface
HTSNACBT Attack
I use netmask /32 to avoid routing problems
HTSNACBT Attack
Now we can configure our Internet interface with the same IP and configure a default route with a false router, setting this one with a static MAC (our real router’s MAC).
HTSNACBT Attack
IT WORKS!
That’s all!!!
HTSNACBT Attack - Connection
[Diagram: CLIENT, UPLINK via CABLE MODEM, INTERNET, ISP’s UPLINK, DOWNLINK DVB]
HTSNACBT Attack
Some things you must remember:
The DNS server you use must allow requests from any IP, or you must use the satellite ISP’s DNS server.
If you have any firewall (iptables), disable it.
Everything you do can be sniffed by other users.
HTSNACBT Attack
Now attacking GRE is very easy: you only need to configure your Linux box with the IP of one of the routers (the one with the satellite connection) and configure the tunneling.
http://www.google.es/search?rlz=1C1GPEA_en___ES312&sourceid=chrome&ie=UTF-8&q=configuring+GRE+linux
The other scenario
What happens in the scenario where the client uses an astromodem?
We can capture the downlink and the uplink, so all these attacks are easier to do.
We can capture all queries for the DNS Spoofing attack.
We can capture all traffic in a TCP connection, so we can easily hijack it in any direction.
What TODO now?
Leonardo is studying the different methods to trace illegal users. (He only has a few ideas.)
In the future we would like to study the possibilities of sending DVB (or other protocol) data to a satellite via Astromodem.
Conclusions
Satellite communications are insecure.
They can be sniffed.
A lot of attacks can be made; we talked about only a few layer 4 and layer 3 attacks.
Conclusions
With these technologies in our sky, an anonymous connection is possible.
Many kinds of Denial of Service are also possible.
Questions time
THANK YOU!!!