Context Navigation

source: README.wiki @ 25

Last change on this file since 25 was 25, checked in by tim, 8 years ago
.
File size: 4.8 KB

Rev	Line
[24]	1	<h2>Nanown</h2>
	2	<p>
[18]	3	A tool for identifying, evaluating, and exploiting timing
	4	vulnerabilities remotely. This is part of the output from a research
[25]	5	effort <a href="https://www.blackhat.com/us-15/briefings.html#web-timing-attacks-made-practical">discussed at BlackHat 2015</a>.
[18]	6	This project is still highly experimental and not particularly easy to
	7	use at this point.
[24]	8	</p>
[18]	9
[24]	10	<h2> Prerequisites</h2>
	11	<p>
[18]	12	Linux and Python 3.4+ are required. Yes, really, your Python needs to
	13	be that new. You will also need to install the following modules for
	14	this version of Python:
[24]	15	</p>
	16	<pre>
[25]	17	requests
	18	numpy
	19	netifaces
	20	matplotlib
[24]	21	</pre>
	22	<p>
[18]	23	On Debian unstable, you can get these by running:
[24]	24	</p>
	25	<pre>
	26	apt-get install python3-requests python3-numpy python3-netifaces python3-matplotlib
	27	</pre>
	28	<p>
	29	If you can't get the appropriate packages from your distro, resort to <code>pip3</code>.
	30	</p><p>
[18]	31	In addition, you'll need to have a C compiler and the development
	32	package for libpcap installed. Under Debian this is probably sufficient:
[24]	33	</p>
	34	<pre>
	35	apt-get install libpcap-dev gcc
	36	</pre>
[18]	37
	38
[24]	39	<h2> Installation</h2>
	40	<p>
[18]	41	Hah! Funny.
[24]	42	</p><p>
[18]	43	Currently there's no installation script...
[24]	44	</p><p>
[18]	45	To attempt to use this code, clone the repository and build the
[24]	46	<code>nanown-listen</code> tool with:
	47	</p>
	48	<pre>
	49	cd nanown/trunk/src && ./compile.sh
	50	</pre>
	51	<p>
	52	That will drop the <code>nanown-listen</code> binary under <code>nanown/trunk/bin</code>. You
	53	must then put this directory in your <code>$PATH</code> in order to perform any
[18]	54	data collection.
[24]	55	</p><p>
[18]	56	To run any of the other scripts, change to the nanown/trunk directory
	57	and run them directly from there. E.g.:
[24]	58	</p>
	59	<pre>
	60	bin/train ...args...
	61	bin/graph ...args...
	62	</pre>
[18]	63
	64
[24]	65	<h2> Usage</h2>
	66	<p>
[18]	67	Our goal for a usage workflow is this:
[24]	68	</p>
	69	<ol>
	70	<li>Based on example HTTP requests, and test cases supplied by the user,
[18]	71	a script generator creates a new script. This new script serves
	72	as the sample collection script, customized for your web
	73	application.
[24]	74	</li>
	75	<li>After collecting samples using the script from step 1, you run a
[18]	76	mostly automated script to train and test various classifiers on your
	77	samples. This will then tell you how many samples you need to
	78	reliably detect the timing difference.
[24]	79	</li>
	80	<li>Given the output from step 3 and inputs to step 1, a second script
[18]	81	generator creates an attack script for you as a starting point. You
	82	customize this and run your attacks.
[24]	83	</li>
	84	</ol>
	85	<p>
[18]	86	Sounds great, yeah? Well steps 1 and 3 aren't quite implemented yet. =\
[24]	87	</p><p>
[18]	88	If you are really dying to use this code right now, just make a copy of
[24]	89	the <code>trunk/bin/sampler</code> script and hack on it until it sends HTTP requests
[18]	90	that your targeted web application expects. Be sure to define the test
	91	cases appropriately. Then run it to collect at least
[21]	92	50,000 samples for each of the train, test and train_null data sets
[24]	93	(150,000 samples total). NOTE: Your sampler script must be run as <code>root</code>
[18]	94	so it can tweak local networking settings and sniff packets.
[24]	95	</p><p>
[18]	96	Next you can move on to step 2, where you simply run the train script
	97	against the database created by your sampler script:
[24]	98	</p>
	99	<pre>
	100	bin/train mysamples.db
	101	</pre>
	102	<p>
[18]	103	This will run for a while. If you cancel out and re-run it, it will
	104	pick up where it left off. Pay special attention to the final results
	105	it prints out. This will tell you how many samples are needed to
	106	distinguish between the test cases. Do a little math on your own to
	107	decide how feasible your overall attack will be.
[24]	108	</p><p>
[18]	109	Finally, we come to step 3. If you choose to carry out an attack, you
	110	will need to implement your own attack script that collects batches of
	111	samples, distinguishes between them using the best classifier available
	112	(from step 2) and then repeats as needed. Consider starting with the
[24]	113	sample script at <code>test/blackhat-demo/jregistrate-attack</code>.
	114	</p><p>
	115	Any questions? See the source, watch our <a href="https://www.youtube.com/watch?v=k-Pv3sf3G2A">BlackHat presentation</a>, read
	116	our <a href="https://www.blackhat.com/docs/us-15/materials/us-15-Morgan-Web-Timing-Attacks-Made-Practical-wp.pdf">research paper</a>),
	117	or <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">post a ticket</a>.
	118	</p>
[18]	119
[24]	120	<h2> License</h2>
	121	<p>
	122	Unless otherwise indicated in the source code, this software is licensed under the GNU GPL version 3. See the LICENSE file for details.
	123	</p>
[19]	124
[24]	125	<h2> Contributing</h2>
	126	<p>
[19]	127	We certainly welcome and encourage code contributions, no matter how
[24]	128	small. To submit a patch, please check out the latest revision with:
	129	</p>
	130	<pre> svn co https://code.blindspotsecurity.com/dav/nanown/</pre>
	131	<p>
	132	Then apply your changes and run "<code>svn diff</code>". Save the resulting diff and attach it to a <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">ticket</a>.
	133	</p>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: