Changeset 24
Timestamp: 11/05/16 19:03:28 (8 years ago)
Files: 2 edited, 1 moved
README.wiki
r23 r24 1 # Nanown 2 1 <h2>Nanown</h2> 2 <p> 3 3 A tool for identifying, evaluating, and exploiting timing 4 4 vulnerabilities remotely. This is part of the output from a research … … 6 6 This project is still highly experimental and not particularly easy to 7 7 use at this point. 8 </p> 8 9 9 10 # Prerequisites 11 10 <h2> Prerequisites</h2> 11 <p> 12 12 Linux and Python 3.4+ are required. Yes, really, your Python needs to 13 13 be that new. You will also need to install the following modules for 14 14 this version of Python: 15 ``` 15 </p> 16 <pre> 16 17 requests 17 18 numpy 18 19 netifaces 19 20 matplotlib 20 ``` 21 </pre> 22 <p> 21 23 On Debian unstable, you can get these by running: 22 ``` 23 apt-get install python3-requests python3-numpy python3-netifaces python3-matplotlib 24 ``` 25 If you can't get the appropriate packages from your distro, resort to `pip3`. 26 24 </p> 25 <pre> 26 apt-get install python3-requests python3-numpy python3-netifaces python3-matplotlib 27 </pre> 28 <p> 29 If you can't get the appropriate packages from your distro, resort to <code>pip3</code>. 30 </p><p> 27 31 In addition, you'll need to have a C compiler and the development 28 32 package for libpcap installed. Under Debian this is probably sufficient: 29 ``` 30 apt-get install libpcap-dev gcc 31 ``` 33 </p> 34 <pre> 35 apt-get install libpcap-dev gcc 36 </pre> 32 37 33 38 34 # Installation 35 39 <h2> Installation</h2> 40 <p> 36 41 Hah! Funny. 37 42 </p><p> 38 43 Currently there's no installation script... 39 44 </p><p> 40 45 To attempt to use this code, clone the repository and build the 41 `nanown-listen` tool with: 42 ``` 43 cd nanown/trunk/src && ./compile.sh 44 ``` 45 46 That will drop the `nanown-listen` binary under nanown/trunk/bin. 
You 47 must then put this directory in your `$PATH` in order to perform any 46 <code>nanown-listen</code> tool with: 47 </p> 48 <pre> 49 cd nanown/trunk/src && ./compile.sh 50 </pre> 51 <p> 52 That will drop the <code>nanown-listen</code> binary under <code>nanown/trunk/bin</code>. You 53 must then put this directory in your <code>$PATH</code> in order to perform any 48 54 data collection. 49 55 </p><p> 50 56 To run any of the other scripts, change to the nanown/trunk directory 51 57 and run them directly from there. E.g.: 52 ``` 53 bin/train ...args... 54 bin/graph ...args... 55 ``` 58 </p> 59 <pre> 60 bin/train ...args... 61 bin/graph ...args... 62 </pre> 56 63 57 64 58 # Usage 59 65 <h2> Usage</h2> 66 <p> 60 67 Our goal for a usage workflow is this: 61 62 1. Based on example HTTP requests, and test cases supplied by the user, 68 </p> 69 <ol> 70 <li>Based on example HTTP requests, and test cases supplied by the user, 63 71 a script generator creates a new script. This new script serves 64 72 as the sample collection script, customized for your web 65 73 application. 66 67 2.After collecting samples using the script from step 1, you run a74 </li> 75 <li>After collecting samples using the script from step 1, you run a 68 76 mostly automated script to train and test various classifiers on your 69 77 samples. This will then tell you how many samples you need to 70 78 reliably detect the timing difference. 71 72 3.Given the output from step 3 and inputs to step 1, a second script79 </li> 80 <li>Given the output from step 3 and inputs to step 1, a second script 73 81 generator creates an attack script for you as a starting point. You 74 82 customize this and run your attacks. 75 83 </li> 84 </ol> 85 <p> 76 86 Sounds great, yeah? Well steps 1 and 3 aren't quite implemented yet. 
=\ 77 87 </p><p> 78 88 If you are really dying to use this code right now, just make a copy of 79 the `trunk/bin/sampler`script and hack on it until it sends HTTP requests89 the <code>trunk/bin/sampler</code> script and hack on it until it sends HTTP requests 80 90 that your targeted web application expects. Be sure to define the test 81 91 cases appropriately. Then run it to collect at least 82 92 50,000 samples for each of the train, test and train_null data sets 83 (150,000 samples total). NOTE: Your sampler script must be run as `root`93 (150,000 samples total). NOTE: Your sampler script must be run as <code>root</code> 84 94 so it can tweak local networking settings and sniff packets. 85 95 </p><p> 86 96 Next you can move on to step 2, where you simply run the train script 87 97 against the database created by your sampler script: 88 ``` 89 bin/train mysamples.db 90 ``` 98 </p> 99 <pre> 100 bin/train mysamples.db 101 </pre> 102 <p> 91 103 This will run for a while. If you cancel out and re-run it, it will 92 104 pick up where it left off. Pay special attention to the final results … … 94 106 distinguish between the test cases. Do a little math on your own to 95 107 decide how feasible your overall attack will be. 96 108 </p><p> 97 109 Finally, we come to step 3. If you choose to carry out an attack, you 98 110 will need to implement your own attack script that collects batches of 99 111 samples, distinguishes between them using the best classifier available 100 112 (from step 2) and then repeats as needed. Consider starting with the 101 sample script at `test/blackhat-demo/jregistrate-attack`. 113 sample script at <code>test/blackhat-demo/jregistrate-attack</code>. 114 </p><p> 115 Any questions? 
See the source, watch our <a href="https://www.youtube.com/watch?v=k-Pv3sf3G2A">BlackHat presentation</a>, read 116 our <a href="https://www.blackhat.com/docs/us-15/materials/us-15-Morgan-Web-Timing-Attacks-Made-Practical-wp.pdf">research paper</a>), 117 or <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">post a ticket</a>. 118 </p> 102 119 103 Any questions? See the source, watch our [BlackHat presentation](https://www.youtube.com/watch?v=k-Pv3sf3G2A), read 104 our [research paper](https://www.blackhat.com/docs/us-15/materials/us-15-Morgan-Web-Timing-Attacks-Made-Practical-wp.pdf), 105 or [post an issue](https://github.com/ecbftw/nanown/issues) on GitHub. 120 <h2> License</h2> 121 <p> 122 Unless otherwise indicated in the source code, this software is licensed under the GNU GPL version 3. See the LICENSE file for details. 123 </p> 106 124 107 108 # License 109 110 Unless otherwise indicated in the source code, this software is licensed 111 under the GNU GPL version 3. See the LICENSE file for details. 112 113 114 # Contributing 115 125 <h2> Contributing</h2> 126 <p> 116 127 We certainly welcome and encourage code contributions, no matter how 117 small. Currently, this GitHub repository is a mirror of an SVN 118 repository. Please don't submit pull requests. Instead, just contact us 119 through the issue tracker and send us a patch if needed. We may switch 120 to git later. 128 small. To submit a patch, please check out the latest revision with: 129 </p> 130 <pre> svn co https://code.blindspotsecurity.com/dav/nanown/</pre> 131 <p> 132 Then apply your changes and run "<code>svn diff</code>". Save the resulting diff and attach it to a <a href="https://code.blindspotsecurity.com/trac/nanown/newticket">ticket</a>. 133 </p> -
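Review bot: the closing sentence of the Usage section now has an unbalanced parenthesis, `research paper</a>),` (the opening one did not survive the Markdown-to-HTML conversion), so the rendered page shows a stray `)`; drop it. In the same section the third list item still reads "Given the output from step 3 and inputs to step 1", which refers to itself; the intended reference is the output of step 2 (the train/test run), and this conversion is a good moment to fix it. Minor: the new headings carry a leading space inside the tag (`<h2> Prerequisites</h2>`, `<h2> Installation</h2>`, ...), inconsistent with `<h2>Nanown</h2>`.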
trunk/lib/nanownlib/stats.py
r20 r24 365 365 366 366 367 from pykalman import KalmanFilter367 #from pykalman import KalmanFilter 368 368 def pyKalman4DTest(params, greater, samples): 369 369 kp = params['kparams'] -
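Review bot: commenting out `from pykalman import KalmanFilter` while leaving `pyKalman4DTest` in place moves the failure from import time to call time: if the body of `pyKalman4DTest` still references `KalmanFilter`, it will raise `NameError` only when called, with no hint that an optional dependency is missing. Prefer a guarded import (`try: from pykalman import KalmanFilter` / `except ImportError: KalmanFilter = None`) and an explicit check at the top of the function, or remove the function along with the import, and say in the commit message why the dependency was dropped.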
trunk/lib/nanownlib/train.py
r16 r24 300 300 301 301 302 from pykalman import KalmanFilter302 #from pykalman import KalmanFilter 303 303 _pykalman4d_params = None 304 304 _pykalman4d_params = {'observation_covariance': [[11960180434.411114, 4760272534.795976, 8797551081.431936, 6908794128.927051], [4760272534.795962, 12383598172.428213, 5470747537.2599745, 11252625555.297853], [8797551081.431955, 5470747537.2601185, 1466222848395.7058, 72565713883.12643], [6908794128.927095, 11252625555.297981, 72565713883.12654, 1519760903943.507]], 'transition_offsets': [592.5708159274, 583.3804671015271, 414.4187239098291, 562.166786712371], 'observation_offsets': [165.2279084503762, 157.76807691937614, 168.4235495099334, 225.33433430227353], 'initial_state_covariance': [[33599047.5, -18251285.25, 3242535690.59375, -8560730487.84375], [-18251285.25, 9914252.3125, -1761372688.59375, 4650260880.1875], [3242535690.59375, -1761372688.59375, 312926663745.03125, -826168494791.7188], [-8560730487.84375, 4650260880.1875, -826168494791.7188, 2181195982530.4688]], 'initial_state_mean': [12939012.5625, 12934563.71875, 13134751.608, 13138990.9985], 'transition_covariance': [[2515479496.145993, -401423541.70620924, 1409951418.1627903, 255932902.74454522], [-401423541.706214, 2744353887.676857, 1162316.2019491254, 1857251491.3987627], [1409951418.1628358, 1162316.2020361447, 543279068599.8229, -39399311190.5746], [255932902.74459982, 1857251491.398838, -39399311190.574585, 537826124257.5266]], 'observation_matrices': [[1.4255288693095167, -0.4254638445329988, 0.0003406844036817347, -0.0005475021956726778], [-0.46467270827589857, 1.4654311778340343, -0.0003321330280128265, -0.0002853945703691352], [-0.2644570970067974, -0.33955835481495455, 1.7494161615202275, -0.15394117603733548], [-0.3419097544041847, -0.23992883666045373, -0.15587790880447727, 1.7292393175137022]], 'transition_matrices': [[0.52163952865412, 0.47872618354122665, -0.0004322286766109684, 0.00017293351811531466], [0.5167436693545113, 0.48319044922845933, 
7.765428142114672e-05, -0.00021518950285326355], [0.2091705950622469, 0.41051399729482796, 0.19341113299389256, 0.19562916616052917], [0.368592004009912, 0.22263632461118732, 0.20756792378812872, 0.20977025833570906]]}
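Review bot: `_pykalman4d_params = None` on line 303 is dead code, since line 304 immediately reassigns the name to the full literal; keep one or the other. The same concern as in stats.py applies here: the `KalmanFilter` import is commented out but the module still carries the fitted 4D Kalman parameters, so any code path that still constructs a `KalmanFilter` from `_pykalman4d_params` will fail with `NameError` at call time. Consider moving this multi-kilobyte literal of fitted covariances and matrices out of the module into a data file (JSON alongside the package) that is loaded lazily, with a guarded import for `pykalman`, so the training module stays readable and the optional dependency is surfaced with a clear error.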