Reverse-Engineering and Fuzzing Custom Network Protocol
Trainer Name: Munawwar Hussain Shelia
Title: Reverse-Engineering and Fuzzing Custom Network Protocol
Duration: 4 Days
Dates: 1st - 4th March 2021
Time: 10:00 AM to 2:00 PM IST
Delivery Mode: via Zoom.us and Discord Platform
A communication protocol defines the format and semantics of the messages exchanged between applications. Today there are a myriad of proprietary application protocols, such as the Skype and Dropbox protocols, which applications use to achieve goals like bandwidth efficiency or custom encryption/compression. These protocols can have security vulnerabilities. Protocol Reverse Engineering (PRE) is not only useful for offensive purposes; it is also used by modern Intrusion Detection Systems (IDS), which use knowledge of the protocol specification to perform Deep Packet Inspection (DPI). This enhances their capabilities compared to relying on pattern matching alone, which can produce many false positives. Custom protocols are used not only by legitimate applications but also by malware and botnets such as Zeus and Emotet. By reversing a malware protocol you can connect to the malware's servers and track its campaigns.
Protocol Reverse Engineering (PRE) is the art and science of recovering the specification of an obscure or proprietary protocol whose documentation is unavailable or poor. There are efforts to develop automated PRE tools, but they are largely academic, not mature enough to be usable, and cannot match the accuracy a human analyst can offer. Automated tools struggle with heterogeneous protocol data, which is often a mixture of text and binary with different data types and variable-length fields. This is why I created this training: to help you understand these challenges and learn to recover a protocol specification.
This training is divided into three parts. In the first part we will learn the principles of Protocol Reverse Engineering. We will look at some common data formats and other protocol structures, and with that understanding we will write a protocol dissector using the Scapy framework for a target desktop game, Minetest (a Minecraft clone). Minetest has a multiplayer feature in which different players connect to a server and play with each other; there are also many public servers you can connect to and play on. Once we have written a dissector for the communication, we will sniff the connection, look at the communication flow between the client and the server, capture and re-analyze the traffic to improve the dissector further, and then use this improved dissector to implement a custom game client/bot that connects to the server and plays as a bot player.
In the second part, with a decent understanding of the Minetest protocol, we will move on to the offensive side of the training and try to fuzz the game server to find security vulnerabilities. We will start with a basic fuzzer and make incremental improvements so that we get good code coverage. A good protocol fuzzer has a semantic understanding of the protocol; since we have that understanding, we will do generation fuzzing, in which we define the protocol specification in the Boofuzz fuzzing framework and fuzz the application again. We will also try the mutation fuzzing approach and see if we get lucky with a crash or two. Next we will study how message parsing bugs can lead to security vulnerabilities in software. We will also look into some real-world vulnerabilities, such as the OpenSSL Heartbleed attack, in which an information disclosure bug can leak the server's private key. In another example we will analyze a vulnerability in Netatalk, an implementation of the Apple Filing Protocol (AFP), and last but not least we will exploit an IoT device, a Kankun smart plug, and control it using a vulnerability in its protocol.
In the final section, we will move to the defensive side, where we will configure and deploy the popular Intrusion Detection System (IDS) Snort. Then we will learn how to write detection signatures for exploits and for application network communication.
Why should you take this course?
- Understand the structure of requests and responses, which is especially useful for a malware analyst.
- Construct protocol decoders, useful for writing game clients or adding support for a third-party proprietary product.
- Reverse engineer the communication of online games such as MMORPGs, which helps you do security testing of multi-player online games.
- Create network signatures for malware communication that can be integrated with an IDS or IPS; understanding the protocol specification lets you do deep packet inspection.
- Write a protocol fuzzer that feeds the remote server crafted, randomized data to crash the application's data processing code, with the intent of finding security vulnerabilities.
- Identify security vulnerabilities in protocol implementations such as authentication bypass, replay attacks, information disclosure, DoS, RCE, etc. PRE can also help you do deeper black-box testing of an application.
- Build a protocol specification for a vaguely documented or undocumented protocol.
- Audit the privacy and security of an application running on your phone/computer by looking at what data it exports.
Who should take this course?
- DFIR practitioner - to investigate malicious activity in the network.
- Reverse Engineer - write a custom client that fully replicates the existing client software/game.
- Bug Hunter - write a protocol fuzzer for black-box testing of applications that process remote data; for example, many IoT devices use custom protocols for efficient communication.
- Malware Analyst - decode C&C server commands and the data being exfiltrated.
- Threat Hunter - write network signatures for newly emerging APT threats or for an intruder in your network; this course will help you decode and analyze network traffic.
- Developer -
- who doesn't have access to source code or protocol documentation, which usually happens when dealing with a legacy system so old that the company cannot find any documentation and you intend to migrate it to new technology.
- While debugging software over the network, writing a protocol dissector helps you get a deeper understanding of the network communication done by your software.
- Helps you do network debugging/diagnostics of application-layer data.
- Helps you understand what is really transmitted over the network.
- Red Team - take advantage of what the Security Operations Center (SOC) doesn't know. Look for data leaks and do attacks like injection, replay and spoofing.
- Vulnerability Researcher/Exploit Developer - this will also help exploit developers and vulnerability researchers reproduce remote vulnerabilities and find zero-day bugs.
Day 1 - Basics
- Networking Basics
- Capturing Network Traffic
- Passive analysis
- Network Sniffing
- Syscall hooking (strace)
- Active analysis
Note: each of the above sections will have labs on:
- Network Proxies
- Passive analysis
- Protocol Reversing
- Protocol Structure
- Common data format
- Data Encoding
- Binary Protocol Structure
- Text Protocol Structure
- Protocol Flow
- Protocol Structure
- Protocol Dissector (targeting Minetest game)
- Scapy 101
- Implementing a protocol dissector in Scapy for the Minetest game. This section will have labs on:
- Protocol decoding TLV format
- Packet decompression
- Packet Reassembly
- Custom Client (Bot Player for Minetest Game)
- Brief Understanding of Application
- Authenticate the client
- Establish a valid session
- Some game hacks like making the player fly
- Create a Bot Army (if time permits)
Note: each of the above sections will have labs.
- Protocol Fuzzing (targeting Minetest game)
- What is fuzzing?
- Implement Mutation fuzzer
- Implement Dumb fuzzer
- Implement Generation Fuzzing (Protocol-Aware Fuzzing)
Note: each of the above sections will have labs.
- Writing Malware/Exploit Signatures for IDS (with Snort)
- Introduction to IDS/IPS
- Setting up snort
- Rule writing basics
Tools of the Trade
Below are some of the tools you will learn in this training that will make your protocol reversing experience more fun.
- Protocol Reversing tools
- Protocol Fuzzing Tool
- boofuzz(Sulley) fuzzing framework
- Intrusion Detection System (for Defensive purpose)
- Snort IDS/IPS
- Knowledge of security concepts
- Basic understanding of networking concepts.
- Knowledge of Linux OS
- Basic Python programming language
What attendees should bring
- Laptop with at least 50 GB free space
- 8+ GB RAM minimum (4+ GB for the VM)
- External USB access (min. 2 USB ports)
- Administrative privileges on the system
- Virtualization software – Latest VirtualBox (5.2.X) (including Virtualbox extension pack)
- Linux host machines should have exfat-utils and exfat-fuse installed (ex: sudo apt-get install exfat-utils exfat-fuse).
- Virtualization (VT-x) option enabled in the BIOS settings for VirtualBox to work
What attendees will be provided with
- Virtual Machine with all the needed software pre-installed.
- Training Material/slides.
- Lab Manual
What to expect
- Hands-on Labs
- The job of Reverse Engineer (looking under the hood)
- Getting familiar with Network Protocol Analysis
- Unlimited Email Support.
What not to expect
- Become a Protocol Reversing Ninja.
- Use the knowledge gained in this training to start exploring some open and closed protocols on your own to improve your understanding of this topic. That will help you get a deeper understanding of some of the underlying issues.
Munawwar Hussain Shelia
He works as an IoT Security Researcher at Payatu, where his full-time responsibility is looking for bugs in customers' IoT devices and developing tools for pen-testing. He has a background in Computer Science and 4+ years of software development experience; having a development background helps him think about how products are designed and created, which in turn helps him break them viciously. He has delivered the "Practical IoT Hacking" training at Nullcon 2019 and a workshop on the same topic at CPX 360 (2019). He has also delivered a talk at the c0c0n conference in 2020. His main focus areas are reverse engineering, binary analysis, malware analysis and software exploitation, and he also writes about these topics on his blog, taintedbits.com. He has delivered training to numerous governmental and private organizations around the globe.