Welcome
Nanown
A tool for identifying, evaluating, and exploiting timing vulnerabilities remotely. This is part of the output from a research effort discussed at BlackHat 2015. This project is still highly experimental and not particularly easy to use at this point.
Prerequisites
Linux and Python 3.4+ are required. Yes, really, your Python needs to be that new. You will also need to install the following modules for this version of Python:
requests numpy netifaces matplotlib
On Debian unstable, you can get these by running:
apt-get install python3-requests python3-numpy python3-netifaces python3-matplotlib
If you can't get the appropriate packages from your distro, resort to pip3
.
In addition, you'll need to have a C compiler and the development package for libpcap installed. Under Debian this is probably sufficient:
apt-get install libpcap-dev gcc
Installation
Hah! Funny.
Currently there's no installation script...
To attempt to use this code, clone the repository and build the
nanown-listen
tool with:
cd nanown/trunk/src && ./compile.sh
That will drop the nanown-listen
binary under nanown/trunk/bin
. You
must then put this directory in your $PATH
in order to perform any
data collection.
To run any of the other scripts, change to the nanown/trunk directory and run them directly from there. E.g.:
bin/train ...args... bin/graph ...args...
Usage
Our goal for a usage workflow is this:
- Based on example HTTP requests, and test cases supplied by the user, a script generator creates a new script. This new script serves as the sample collection script, customized for your web application.
- After collecting samples using the script from step 1, you run a mostly automated script to train and test various classifiers on your samples. This will then tell you how many samples you need to reliably detect the timing difference.
- Given the output from step 3 and inputs to step 1, a second script generator creates an attack script for you as a starting point. You customize this and run your attacks.
Sounds great, yeah? Well steps 1 and 3 aren't quite implemented yet. =\
If you are really dying to use this code right now, just make a copy of
the trunk/bin/sampler
script and hack on it until it sends HTTP requests
that your targeted web application expects. Be sure to define the test
cases appropriately. Then run it to collect at least
50,000 samples for each of the train, test and train_null data sets
(150,000 samples total). NOTE: Your sampler script must be run as root
so it can tweak local networking settings and sniff packets.
Next you can move on to step 2, where you simply run the train script against the database created by your sampler script:
bin/train mysamples.db
This will run for a while. If you cancel out and re-run it, it will pick up where it left off. Pay special attention to the final results it prints out. This will tell you how many samples are needed to distinguish between the test cases. Do a little math on your own to decide how feasible your overall attack will be.
Finally, we come to step 3. If you choose to carry out an attack, you
will need to implement your own attack script that collects batches of
samples, distinguishes between them using the best classifier available
(from step 2) and then repeats as needed. Consider starting with the
sample script at test/blackhat-demo/jregistrate-attack
.
Any questions? See the source, watch our BlackHat presentation, read our research paper, or post a ticket.
License
Unless otherwise indicated in the source code, this software is licensed under the GNU GPL version 3. See the LICENSE file for details.
Contributing
We certainly welcome and encourage code contributions, no matter how small. To submit a patch, please check out the latest revision with:
svn co https://code.blindspotsecurity.com/dav/nanown/
Then apply your changes and run "svn diff
". Save the resulting diff and attach it to a ticket.