[24] | 1 | <h2>Nanown</h2> |
---|
| 2 | <p> |
---|
[18] | 3 | A tool for identifying, evaluating, and exploiting timing |
---|
| 4 | vulnerabilities remotely. This is part of the output from a research |
---|
[25] | 5 | effort <a href="https://www.blackhat.com/us-15/briefings.html#web-timing-attacks-made-practical">discussed at BlackHat 2015</a>. |
---|
[18] | 6 | This project is still highly experimental and not particularly easy to |
---|
| 7 | use at this point. |
---|
[24] | 8 | </p> |
---|
[18] | 9 | |
---|
[24] | 10 | <h2> Prerequisites</h2> |
---|
| 11 | <p> |
---|
[18] | 12 | Linux and Python 3.4+ are required. Yes, really, your Python needs to |
---|
| 13 | be that new. You will also need to install the following modules for |
---|
| 14 | this version of Python: |
---|
[24] | 15 | </p> |
---|
| 16 | <pre> |
---|
[25] | 17 | requests |
---|
| 18 | numpy |
---|
| 19 | netifaces |
---|
| 20 | matplotlib |
---|
[24] | 21 | </pre> |
---|
| 22 | <p> |
---|
[18] | 23 | On Debian unstable, you can get these by running: |
---|
[24] | 24 | </p> |
---|
| 25 | <pre> |
---|
| 26 | apt-get install python3-requests python3-numpy python3-netifaces python3-matplotlib |
---|
| 27 | </pre> |
---|
| 28 | <p> |
---|
| 29 | If you can't get the appropriate packages from your distro, resort to <code>pip3</code>. |
---|
| 30 | </p><p> |
---|
[18] | 31 | In addition, you'll need to have a C compiler and the development |
---|
| 32 | package for libpcap installed. Under Debian this is probably sufficient: |
---|
[24] | 33 | </p> |
---|
| 34 | <pre> |
---|
| 35 | apt-get install libpcap-dev gcc |
---|
| 36 | </pre> |
---|
[18] | 37 | |
---|
| 38 | |
---|
[24] | 39 | <h2> Installation</h2> |
---|
| 40 | <p> |
---|
[18] | 41 | Hah! Funny. |
---|
[24] | 42 | </p><p> |
---|
[18] | 43 | Currently there's no installation script... |
---|
[24] | 44 | </p><p> |
---|
[18] | 45 | To attempt to use this code, clone the repository and build the |
---|
[24] | 46 | <code>nanown-listen</code> tool with: |
---|
| 47 | </p> |
---|
| 48 | <pre> |
---|
| 49 | cd nanown/trunk/src && ./compile.sh |
---|
| 50 | </pre> |
---|
| 51 | <p> |
---|
| 52 | That will drop the <code>nanown-listen</code> binary under <code>nanown/trunk/bin</code>. You |
---|
| 53 | must then put this directory in your <code>$PATH</code> in order to perform any |
---|
[18] | 54 | data collection. |
---|
[24] | 55 | </p><p> |
---|
[18] | 56 | To run any of the other scripts, change to the nanown/trunk directory |
---|
| 57 | and run them directly from there. E.g.: |
---|
[24] | 58 | </p> |
---|
| 59 | <pre> |
---|
| 60 | bin/train ...args... |
---|
| 61 | bin/graph ...args... |
---|
| 62 | </pre> |
---|
[18] | 63 | |
---|
| 64 | |
---|
[24] | 65 | <h2> Usage</h2> |
---|
| 66 | <p> |
---|
[18] | 67 | Our goal for a usage workflow is this: |
---|
[24] | 68 | </p> |
---|
| 69 | <ol> |
---|
| 70 | <li>Based on example HTTP requests, and test cases supplied by the user, |
---|
[18] | 71 | a script generator creates a new script. This new script serves |
---|
| 72 | as the sample collection script, customized for your web |
---|
| 73 | application. |
---|
[24] | 74 | </li> |
---|
| 75 | <li>After collecting samples using the script from step 1, you run a |
---|
[18] | 76 | mostly automated script to train and test various classifiers on your |
---|
| 77 | samples. This will then tell you how many samples you need to |
---|
| 78 | reliably detect the timing difference. |
---|
[24] | 79 | </li> |
---|
| 80 | <li>Given the output from step 3 and inputs to step 1, a second script |
---|
[18] | 81 | generator creates an attack script for you as a starting point. You |
---|
| 82 | customize this and run your attacks. |
---|
[24] | 83 | </li> |
---|
| 84 | </ol> |
---|
| 85 | <p> |
---|
[18] | 86 | Sounds great, yeah? Well steps 1 and 3 aren't quite implemented yet. =\ |
---|
[24] | 87 | </p><p> |
---|
[18] | 88 | If you are really dying to use this code right now, just make a copy of |
---|
[24] | 89 | the <code>trunk/bin/sampler</code> script and hack on it until it sends HTTP requests |
---|
[18] | 90 | that your targeted web application expects. Be sure to define the test |
---|
| 91 | cases appropriately. Then run it to collect at least |
---|
[21] | 92 | 50,000 samples for each of the train, test and train_null data sets |
---|
[24] | 93 | (150,000 samples total). NOTE: Your sampler script must be run as <code>root</code> |
---|
[18] | 94 | so it can tweak local networking settings and sniff packets. |
---|
[24] | 95 | </p><p> |
---|
[18] | 96 | Next you can move on to step 2, where you simply run the train script |
---|
| 97 | against the database created by your sampler script: |
---|
[24] | 98 | </p> |
---|
| 99 | <pre> |
---|
| 100 | bin/train mysamples.db |
---|
| 101 | </pre> |
---|
| 102 | <p> |
---|
[18] | 103 | This will run for a while. If you cancel out and re-run it, it will |
---|
| 104 | pick up where it left off. Pay special attention to the final results |
---|
| 105 | it prints out. This will tell you how many samples are needed to |
---|
| 106 | distinguish between the test cases. Do a little math on your own to |
---|
| 107 | decide how feasible your overall attack will be. |
---|
[24] | 108 | </p><p> |
---|
[18] | 109 | Finally, we come to step 3. If you choose to carry out an attack, you |
---|
| 110 | will need to implement your own attack script that collects batches of |
---|
| 111 | samples, distinguishes between them using the best classifier available |
---|
| 112 | (from step 2) and then repeats as needed. Consider starting with the |
---|
[24] | 113 | sample script at <code>test/blackhat-demo/jregistrate-attack</code>. |
---|
| 114 | </p><p> |
---|
| 115 | Any questions? See the source, watch our <a href="https://www.youtube.com/watch?v=k-Pv3sf3G2A">BlackHat presentation</a>, read |
---|
[26] | 116 | our <a href="https://www.blackhat.com/docs/us-15/materials/us-15-Morgan-Web-Timing-Attacks-Made-Practical-wp.pdf">research paper</a>, |
---|
[24] | 117 | or <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">post a ticket</a>. |
---|
| 118 | </p> |
---|
[18] | 119 | |
---|
[24] | 120 | <h2> License</h2> |
---|
| 121 | <p> |
---|
| 122 | Unless otherwise indicated in the source code, this software is licensed under the GNU GPL version 3. See the LICENSE file for details. |
---|
| 123 | </p> |
---|
[19] | 124 | |
---|
[24] | 125 | <h2> Contributing</h2> |
---|
| 126 | <p> |
---|
[19] | 127 | We certainly welcome and encourage code contributions, no matter how |
---|
[24] | 128 | small. To submit a patch, please check out the latest revision with: |
---|
| 129 | </p> |
---|
| 130 | <pre> svn co https://code.blindspotsecurity.com/dav/nanown/</pre> |
---|
| 131 | <p> |
---|
| 132 | Then apply your changes and run "<code>svn diff</code>". Save the resulting diff and attach it to a <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">ticket</a>. |
---|
| 133 | </p> |
---|