Think Red, Act Blue - Evaluating The Security Cost of New Technology - Douglas McKee, Ismael Valenzuela

This document discusses approaches for analyzing proprietary protocols during product security assessments. It outlines techniques like traffic analysis using Zeek and Kibana, data exploration with Pandas and Matplotlib, and dissecting protocol basics through tasks like simplifying scope, examining capture files, documenting protocols with Scapy, and concluding that analyzing proprietary protocols is an important skill for security professionals.

Douglas McKee

Ismael Valenzuela
May 2021
Who Are We
Douglas McKee
• Principal Engineer & Sr. Security Researcher, McAfee ATR
• 12 yrs. ‘Hacking All The Things’
• @fulmetalpackets
Ismael Valenzuela
• SANS Certified Instructor
• Sr. Principal Engineer at McAfee
• 20 yrs. ‘Defending All The Things’
• @aboutsecurity @thinkredactblue
Product Security Assessments?
• “An assessment to understand the architecture of the system and identify potential risks.”

• IS NOT
• a full product assurance process
• a penetration test
• a red team exercise
• IS
• Tailored to a product
• Customized to organizational requirements
• Considers the likely threat to the product
• Considers the impact of a breach in security
Proprietary Protocols?
• No RFC available
• Outside the “norm”
• Created by vendors for a specific purpose
• Although unique, they have common traits
• Adversarial playground
• Less review often leads to more vulnerabilities
• Problematic for blue teams – lack of documentation and deep understanding
• Can be dissected by an adversary in a lab setting
• Often allow attacks to go undetected

• **Important to review in Product Security Assessments**


Two Blue Team Approaches
1. Traffic Analysis with Zeek and Kibana dashboards:
• SANS Security 530 style!
2. Data Exploration with Pandas and Matplotlib in a Jupyter Notebook
• Ideal for exploring limited but structured data in two-dimensional datasets (a pandas DataFrame)
• Use the Anaconda distribution to install all necessary libraries

Releasing All Our Tools & Code!
• GitHub repo: https://github.com/fulmetalpackets/protohacking
• Jupyter Notebook: https://github.com/aboutsecurity/jupyter-notebooks
Dissecting Protocol Basics
• Simplify Scope
• Embedded networking
• Enumerate Patterns
• Clear text clues
• Examine externally
• Behavior modification
• Application reverse engineering (if possible)
• Documentation by Scapy
Simplify Scope (slides showing screenshots of generated_traffic_1.pcap)
• Initial Capture
• General Quick Observations
• Protocol Distribution
• Protocol Distribution (code snippet)
• TCP Observations
• UDP Observations
• TCP & UDP Length Observations (two slides)
• Simplified Scope
Data Exploration – Byte Analysis
• Finding patterns by splitting the payload into groups of n bytes, then visualizing the top 20 occurrences, sorted by most common (generated_traffic_1.pcap)
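The n-byte grouping described above, as an added example that is not code from the slides or from the protohacking repo. It uses only the standard library (collections.Counter and a text bar chart stand in for pandas and Matplotlib), and the payloads are constructed samples, not bytes from generated_traffic_1.pcap.

```python
from collections import Counter

# Constructed sample payloads standing in for the TCP/UDP payloads pulled out of
# generated_traffic_1.pcap; the real capture is not reproduced here.
SAMPLE_PAYLOADS = [
    bytes.fromhex("c0a80164" "0001" "0005" "0102030405"),
    bytes.fromhex("c0a80164" "0002" "0003" "0a0b0c"),
    bytes.fromhex("c0a801c8" "0001" "0001" "00ff"),
    bytes.fromhex("c0a80164" "0001" "0002" "0102"),
]


def split_ngrams(payload, n, step=None):
    """Split one payload into groups of n bytes.

    step=None gives non-overlapping groups (the slide's 'groups of n bytes');
    step=1 gives a sliding window, which helps when field boundaries are unknown.
    Trailing bytes that do not fill a whole group are dropped.
    """
    if step is None:
        step = n
    return [payload[i:i + n] for i in range(0, len(payload) - n + 1, step)]


def top_ngrams(payloads, n, top=20, step=None):
    """Count n-byte groups over all payloads; return [(hex, count)] sorted by
    most common (ties keep first-seen order, as Counter.most_common does)."""
    counts = Counter()
    for payload in payloads:
        counts.update(split_ngrams(payload, n, step))
    return [(group.hex(), c) for group, c in counts.most_common(top)]


def render_bars(ranking, width=40):
    """Text stand-in for the Matplotlib bar chart: one line per group."""
    if not ranking:
        return []
    scale = width / ranking[0][1]
    return [f"{group:>16} {count:4d} {'#' * int(count * scale)}" for group, count in ranking]


if __name__ == "__main__":
    for n in (1, 2, 4):
        print(f"\nTop {n}-byte groups:")
        print("\n".join(render_bars(top_ngrams(SAMPLE_PAYLOADS, n))))
```

With the 4-byte grouping the same leading group dominates, which is the kind of pattern the next slides follow up on.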
Embedded Networking (slides showing screenshots of generated_traffic_1.pcap)
• Closer Look at First 4 bytes
• Search_IP.py
• Search IP – Data Exploration
Documentation by Scapy
from scapy.all import *

class firstpacket(Packet):
    name = "first"
    fields_desc = [
        IPField("ipaddress", "127.0.0.1"),                      # embedded IPv4 address (first 4 bytes)
        ShortField("unknown1", 0),                              # 2-byte field, purpose not yet known
        FieldLenField("next_len", None, length_of="unknown2"),  # 2-byte length of the blob that follows
        XStrLenField("unknown2", "", length_from=lambda pkt: pkt.next_len),  # variable-length bytes, shown as hex
    ]

# Attach the layer to TCP traffic going to port 1234
bind_layers(TCP, firstpacket, dport=1234)
Documentation by Scapy
import sys
from scapy.all import *
from proto1 import *   # the firstpacket layer from the previous slide, saved as proto1.py

pcapFile = sys.argv[1]
packets = rdpcap(pcapFile)

for p in packets:
    if firstpacket in p:
        p.show()
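The Search_IP.py step and the Scapy layer above combined into one dissector, as an added example that is not code from the slides or the protohacking repo. It parses the same layout (4-byte IPv4 address, 2-byte unknown1, 2-byte length, variable body) with the standard library instead of Scapy, checks the leading address against the hosts seen in the capture, and rejects payloads whose length field does not match the bytes present; the host set and payloads are constructed samples.

```python
import ipaddress
import struct

# Layout documented with Scapy on the slides: 4-byte IPv4 address, 2-byte unknown1,
# 2-byte big-endian length (next_len), then next_len bytes of unknown2.
HEADER = struct.Struct("!4sHH")

# Constructed sample: hosts seen in the capture, and three TCP payloads to port 1234.
CAPTURE_HOSTS = {"192.168.1.100", "192.168.1.200"}
SAMPLE_PAYLOADS = [
    bytes.fromhex("c0a80164" "0001" "0003" "0a0b0c"),  # 192.168.1.100, 3-byte body
    bytes.fromhex("c0a801c8" "0002" "0010" "0102"),    # claims 16 body bytes, has 2
    bytes.fromhex("0a000001" "0001" "0000"),           # 10.0.0.1, empty body
]


def parse_firstpacket(payload):
    """Dissect one payload into its fields, or return None when the length field
    does not match what is actually present (truncated or malformed data)."""
    if len(payload) < HEADER.size:
        return None
    raw_ip, unknown1, next_len = HEADER.unpack_from(payload)
    body = payload[HEADER.size:HEADER.size + next_len]
    if len(body) != next_len:
        return None
    return {
        "ipaddress": str(ipaddress.IPv4Address(raw_ip)),
        "unknown1": unknown1,
        "next_len": next_len,
        "unknown2": body.hex(),
    }


def search_ip(payloads, known_hosts):
    """Search_IP.py equivalent: for each payload, report whether its leading
    4 bytes decode to an address already seen in the capture, and collect the
    indexes of payloads the dissector rejects."""
    hits, malformed = [], []
    for idx, payload in enumerate(payloads):
        fields = parse_firstpacket(payload)
        if fields is None:
            malformed.append(idx)
            continue
        hits.append((idx, fields["ipaddress"], fields["ipaddress"] in known_hosts))
    return {"hits": hits, "malformed": malformed}


if __name__ == "__main__":
    print(search_ip(SAMPLE_PAYLOADS, CAPTURE_HOSTS))
```

A leading address that matches a capture host is the clue the slides call embedded networking; an address that matches nothing may be a different field that merely looks like an IP.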
Documentation by Scapy - Output
Conclusions – Thank You!
• Being able to analyze proprietary protocols is a very important skill for both red teamers and blue teamers, e.g. for:
• Malware
• ICS networks
• IoT devices
• Medical devices

• Data exploration tools and the right process will help you tackle these challenges

• More hands-on sessions and trainings coming from us soon!

• Follow us on Twitter: @fulmetalpackets & @aboutsecurity


What's Next?
@fulmetalpackets & @aboutsecurity