<h2>Nanown</h2>
<p>
A tool for identifying, evaluating, and exploiting timing
vulnerabilities remotely. This is part of the output from a research
effort <a href="https://www.blackhat.com/us-15/briefings.html#web-timing-attacks-made-practical">discussed at BlackHat 2015</a>.
This project is still highly experimental and not particularly easy to
use at this point.
</p>

<h2>Prerequisites</h2>
<p>
Linux and Python 3.4+ are required. Yes, really, your Python needs to
be that new. You will also need to install the following modules for
this version of Python:
</p>
<pre>
requests
numpy
netifaces
matplotlib
</pre>
<p>
On Debian unstable, you can get these by running:
</p>
<pre>
apt-get install python3-requests python3-numpy python3-netifaces python3-matplotlib
</pre>
<p>
If you can't get the appropriate packages from your distro, resort to <code>pip3</code>.
</p><p>
In addition, you'll need to have a C compiler and the development
package for libpcap installed. Under Debian this is probably sufficient:
</p>
<pre>
apt-get install libpcap-dev gcc
</pre>


<h2>Installation</h2>
<p>
Hah! Funny.
</p><p>
Currently there's no installation script...
</p><p>
To attempt to use this code, clone the repository and build the
<code>nanown-listen</code> tool with:
</p>
<pre>
cd nanown/trunk/src && ./compile.sh
</pre>
<p>
That will drop the <code>nanown-listen</code> binary under <code>nanown/trunk/bin</code>. You
must then put this directory in your <code>$PATH</code> in order to perform any
data collection.
</p><p>
To run any of the other scripts, change to the <code>nanown/trunk</code> directory
and run them directly from there. E.g.:
</p>
<pre>
bin/train ...args...
bin/graph ...args...
</pre>


<h2>Usage</h2>
<p>
Our goal for a usage workflow is this:
</p>
<ol>
<li>Based on example HTTP requests and test cases supplied by the user,
a script generator creates a new script. This new script serves
as the sample collection script, customized for your web
application.
</li>
<li>After collecting samples using the script from step 1, you run a
mostly automated script to train and test various classifiers on your
samples. This will then tell you how many samples you need to
reliably detect the timing difference.
</li>
<li>Given the output from step 2 and the inputs to step 1, a second script
generator creates an attack script for you as a starting point. You
customize this and run your attacks.
</li>
</ol>
<p>
Sounds great, yeah? Well, steps 1 and 3 aren't quite implemented yet. =\
</p><p>
If you are really dying to use this code right now, just make a copy of
the <code>trunk/bin/sampler</code> script and hack on it until it sends HTTP requests
that your targeted web application expects. Be sure to define the test
cases appropriately. Then run it to collect at least
50,000 samples for each of the train, test and train_null data sets
(150,000 samples total). NOTE: Your sampler script must be run as <code>root</code>
so it can tweak local networking settings and sniff packets.
</p><p>
Next you can move on to step 2, where you simply run the train script
against the database created by your sampler script:
</p>
<pre>
bin/train mysamples.db
</pre>
<p>
This will run for a while. If you cancel out and re-run it, it will
pick up where it left off. Pay special attention to the final results
it prints out. These tell you how many samples are needed to
distinguish between the test cases. Do a little math on your own to
decide how feasible your overall attack will be.
</p><p>
Finally, we come to step 3. If you choose to carry out an attack, you
will need to implement your own attack script that collects batches of
samples, distinguishes between them using the best classifier available
(from step 2) and then repeats as needed. Consider starting with the
sample script at <code>test/blackhat-demo/jregistrate-attack</code>.
</p><p>
Any questions? See the source, watch our <a href="https://www.youtube.com/watch?v=k-Pv3sf3G2A">BlackHat presentation</a>, read
our <a href="https://www.blackhat.com/docs/us-15/materials/us-15-Morgan-Web-Timing-Attacks-Made-Practical-wp.pdf">research paper</a>,
or <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">post a ticket</a>.
</p>
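<p>
The following Python is an added example and not Nanown's own code: on constructed (synthetic) timing pools it asks the same question <code>bin/train</code> answers, namely how many samples per batch a simple low-quantile classifier needs to tell two test cases apart at a target accuracy, which is the number that feeds the feasibility math above. The pool sizes, jitter model, seed and candidate batch sizes are all assumptions.
</p>

```python
import random
import statistics

# Constructed round-trip-time pools in microseconds (not real measurements).
# Nanown's sampler would fill a database with >= 50,000 samples per set;
# here the "train" and "test" pools are synthetic: a fixed base delay plus
# exponentially distributed network jitter, with `extra_us` added to one case.
BASE_US = 20_000.0
JITTER_US = 2_000.0
POOL = 20_000

def make_pool(rng, n, extra_us):
    return [BASE_US + extra_us + rng.expovariate(1.0 / JITTER_US) for _ in range(n)]

def low_quantile(batch, q=0.1):
    """Batch summary statistic: a low quantile is far less disturbed by the
    long tail of network delays than the mean is."""
    ordered = sorted(batch)
    return ordered[int(q * (len(ordered) - 1))]

def fit_threshold(rng, train_a, train_b, n, trials):
    """Midpoint between the typical batch statistics of the two training cases."""
    stat_a = statistics.median(low_quantile(rng.sample(train_a, n)) for _ in range(trials))
    stat_b = statistics.median(low_quantile(rng.sample(train_b, n)) for _ in range(trials))
    return (stat_a + stat_b) / 2

def accuracy(rng, test_a, test_b, n, thr, trials):
    """Fraction of held-out batches the threshold classifies correctly."""
    hits = sum(low_quantile(rng.sample(test_a, n)) < thr for _ in range(trials))
    hits += sum(low_quantile(rng.sample(test_b, n)) >= thr for _ in range(trials))
    return hits / (2 * trials)

def samples_needed(extra_us, target=0.95, trials=100, seed=1):
    """Smallest batch size at which the classifier reaches `target` accuracy
    on test batches it was not trained on; None if no tried size suffices."""
    rng = random.Random(seed)
    train_a, train_b = make_pool(rng, POOL, 0.0), make_pool(rng, POOL, extra_us)
    test_a, test_b = make_pool(rng, POOL, 0.0), make_pool(rng, POOL, extra_us)
    for n in (5, 10, 20, 50, 100, 200, 500, 1000, 2000):
        thr = fit_threshold(rng, train_a, train_b, n, trials)
        if accuracy(rng, test_a, test_b, n, thr, trials) >= target:
            return n
    return None

if __name__ == "__main__":
    for diff in (0.0, 100.0, 500.0):
        print(f"{diff:6.0f} us difference -> samples per batch: {samples_needed(diff)}")
```

<p>
A difference of zero never becomes distinguishable, and the required batch size grows quickly as the timing difference shrinks relative to the jitter, which is exactly the trade-off the train output asks you to weigh.
</p>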

<h2>License</h2>
<p>
Unless otherwise indicated in the source code, this software is licensed under the GNU GPL version 3. See the LICENSE file for details.
</p>

<h2>Contributing</h2>
<p>
We certainly welcome and encourage code contributions, no matter how
small. To submit a patch, please check out the latest revision with:
</p>
<pre>svn co https://code.blindspotsecurity.com/dav/nanown/</pre>
<p>
Then apply your changes and run "<code>svn diff</code>". Save the resulting diff and attach it to a <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">ticket</a>.
</p>