Documentation of the SniffJoke project.

WHAT

	SniffJoke is a sniffer evasion tool.
	While evasion tools are usually designed to bypass an IDS engine at
	exploitation time, SniffJoke makes every session originating from your
	host or LAN (optimistically) invisible to sniffers.

	SniffJoke uses well-known techniques that are always effective against
	sniffers (an IDS may rely on a different set of considerations).

	These techniques exploit a common assumption made by sniffer/IDS
	programmers: that the two intercepted hosts run real operating
	systems with a sound TCP/IP stack.

WHY

	Because:

	1) A sniffer that does connection tracking can be fooled with some
	   ad-hoc forged packets. These packets can force the sniffer
	   to track a session that looks different from the real connection.
	2) Many sniffers and IDSes implement a TCP/IP stack of moderate size
	   and, because of their high performance requirements, they cut some
	   details: the vulnerabilities we attack are consequences of this
	   reduction of implementation complexity.

	An old article talking about these issues:
	http://www.phrack.org/archives/54/P54-10
	These attacks may seem old, but the exploited weakness is still
	present nowadays. In my implementation some things have been updated,
	but the core concept is still the same. A research paper talking
	about that:
	http://citeseer.ist.psu.edu/ptacek98insertion.html

HOW

	As a plugin for ulogd-1.24:

	tar zxfv sniffjoke-0.2
	cd sniffjoke-0.2
	./configure && make install
	vi /usr/local/etc/ulogd.conf

	Check the [SNIFFJOKE] section: the defaults should already work fine,
	but you need to choose your working mode and the protected service.

HOW DOES IT WORK IN DETAIL?

	SniffJoke requires the ULOG target of the netfilter framework.

	In the [SNIFFJOKE] section of the ulogd.conf configuration file, you
	should configure these options:

	+ file: this is the logfile generated by SniffJoke. As the developer
	  I used it to understand what is happening; if you have no interest
	  in that you can just ignore this option.
	  (default: /dev/null)

	+ verbosity: report errors/warnings only, or full debug output.
	  Values are "0" to disable verbosity, "1" to enable it.
	  (default: 0)

	+ application: the application type sets the working mode of SniffJoke.
	  You must declare only one application type.
	  * local user mode:
		application:"username"
	  This type causes the sessions owned by the UID of username to be
	  accompanied by SniffJoke packets. It requires the UID match
	  extension of the netfilter framework. This is good for the local
	  user of a Linux desktop computer.
	  * gateway mode:
		application:"gateway"
	  SniffJoke can run on a LAN gateway working in gateway mode.
	  Gateway mode applies SniffJoke's hacks to all forwarded sessions
	  originating from the computers behind the gateway (but not to local
	  sessions).

	+ interface: the name (eth0, ppp0) of the outgoing interface.

	+ quickdirty: this is one of the available hack types; it takes as
	  argument a comma-separated list of TCP ports:
		quickdirty:"80,443,4662"

	+ slowsure: this is the other hack type (described below); it takes as
	  argument a comma-separated list of TCP ports:
		slowsure:"21,23,25,110,143,6667"

HOW AND WHY: QUICKDIRTY & SLOWSURE?

	Any kind of traffic injection is based on the creation of invalid
	packets RELATED to the hacked session. Invalid packets count as
	duplicated packets in the network congestion algorithm, and this
	involves a shrinkage of the transmission window. In protocols like
	HTTP, based on a multitude of TCP connections, a slow-start connection
	could be annoying.

	The slowsure attack works in the following way:
	* new packet: check whether it belongs to a new session.
		-> is it new? track it, memorize the TTL of the packet
		-> is it old? ok, it is already tracked.
	* take the last TTL used, decrement it by the value of TTL_DEC_ANYTIME
	  (default value: 4), update the last TTL used, and forge a hack packet
	  with, more or less, the techniques described in the paper.
	* send the hack packet.

	This has two goals:
	1) send the hack packet in the RELATED session to confuse the sniffer/IDS
	2) search, with multiple brute-force decrementing tries, for the
	   first TTL able to generate an ICMP TIME EXCEEDED. By finding this
	   TTL it is possible to send packets that will surely never reach the
	   remote host. With this TTL value, we can send a valid packet
	   (usually, a reset packet) that never reaches the remote host.
	   This attack is tried because it is very effective.

	SLOW & SURE follows the algorithm explained above.
	QUICK & DIRTY simply tries to send a reset packet with the fixed TTL
	value of 7.
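	From the defender's side, the TTL trick above is exactly what a connection-tracking sniffer or IDS can check for. The following is an added example, not part of SniffJoke: a minimal per-flow TTL sanity check that remembers the TTL of a flow's first packet and refuses to let a later packet with a markedly lower TTL (the slowsure decrement of 4, or the quickdirty fixed value of 7) change the tracked state. The flow key, the tolerance of 2 and the sample packets are assumptions constructed for this example.

```python
# Added example (not SniffJoke code): per-flow TTL sanity check of the kind
# an IDS/sniffer can apply to resist inserted packets that rely on a lowered
# TTL so that they expire before reaching the peer. All packets below are
# constructed, not captured traffic.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport ttl flags")

TTL_TOLERANCE = 2   # assumption: legitimate per-flow TTL jitter is small


class TtlGuard:
    """Remember the TTL of the first packet of each flow and report later
    packets whose TTL is lower by more than TTL_TOLERANCE."""

    def __init__(self):
        self.baseline = {}   # flow tuple -> TTL of first packet seen

    def check(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        base = self.baseline.setdefault(key, pkt.ttl)
        if base - pkt.ttl > TTL_TOLERANCE:
            # Low-TTL packet inside an established flow: plausibly inserted
            # and never delivered to the peer, so it must not alter the
            # tracked state (e.g. a RST must not close the session).
            return "insertion-suspect"
        return "ok"


def analyse(packets):
    """Run a packet stream through one guard and return a verdict per packet."""
    guard = TtlGuard()
    return [guard.check(p) for p in packets]


# Constructed sample: one HTTP flow with two low-TTL resets inserted.
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, 64, "S"),
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, 64, "A"),
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, 60, "R"),   # TTL lowered by 4
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, 7, "R"),    # fixed TTL of 7
    Packet("10.0.0.5", "192.0.2.10", 40000, 80, 64, "PA"),  # real data continues
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, analyse(SAMPLE)):
        print(p.flags, p.ttl, verdict)
```

The check is deliberately one-sided: a TTL higher than the baseline is accepted, since only packets that expire early are useful for this kind of insertion.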

WORKING CASE:

	SniffJoke attacks connection tracking and pattern recognition.
	If a sniffer doesn't do connection tracking (ettercap, sniffit), then
	it is probably not vulnerable. A sniffer that does connection tracking
	should use one of the following technologies:

	1. follow TCP flags, analysis and sequence tracking: if this technology
	   is implemented correctly, the reassembly (at the moment) appears
	   correct. Wireshark is an example of complete, precise TCP analysis.
	   Ethereal is vulnerable because it is not so complete.
	2. follow partial TCP and make some dangerous assumptions: tcpflow
	   follows partial information (the sequence number is used to resize
	   the file, so a reconstruction of the sessions could create 600 MB
	   files that are more or less empty, realizing an interesting Denial
	   of Service).
	3. don't follow anything: simply detect the tuple and append packets.
	   This is vulnerable in application-level analysis due to pattern
	   injection (example: in a session destined to port 25, the pattern
	   of a hacked packet contains “\r\n.\r\n” to simulate an end of mail).

	If you run some tests, please let me know by mailing vecna@s0ftpj.org,
	because I am keeping track of vulnerable and immune software. The
	biggest limit of SniffJoke at the moment is that it sends only related
	packets; it is still impossible to send other packets instead of
	the real ones. This feature will be added in version 0.3.

VERSION HISTORY:

	0.1: slow & sure
	     local user application
	0.2: quick & dirty
	     cleaning of closed sessions
	     gateway support
	     verbosity support
	     plausible detection of ICMP filtering
	     three infamous hacks used instead of reset only
	TODO, 0.3:
	     dynamic TTL instead of a fixed brute force
	     tracking of TTL per IP
	     randomization of attack
	MAYBE: other features scrapped in the code :P

WHO

	Claudio Agosti <vecna@delirandom.net>
	http://www.s0ftpj.org 
	http://www.delirandom.net

WHEN

	Thu May 3 21:23:47 CEST 2007
