On Feb 22, 2013, [email protected] wrote:

> Although it is useful to be able to send fwknop packets in UDP,
> TCP, or ICMP packets, there are times when I've wanted to send spoofed
> packets through routers and prevent triggering of alerts that could
> make admins look too closely.
>
> It might be interesting to have some sort of plugin framework with
> templates for packet types which would appear to be legitimate
> traffic, especially if seen by, say, Wireshark. Obviously the payload
> would be visible on closer scrutiny, but the idea would be to make
> them look close enough that a packet analyzer would parse the
> packet as something that looks typical. The idea would be to blend
> in with expected traffic in order to prevent any alerts of unusual
> traffic.
Thanks for the feedback. For this to work, would you say that it would be
important for SPA packets to essentially be tunneled over other
application-layer protocols then? That is, send SPA data over things like
legitimate DNS requests or via HTTP connections? Seems like this would allow
your goal of blending with expected traffic to be achieved, and would
certainly be a cool feature.

--Mike

> From discussions in the past, it became evident that there's lots
> of space in many different packet types, and this would allow
> contributions of packet templates to extend the types of packets
> that could be sent.
>
> This would be useful for quietly sending encrypted commands around
> an internal network without having a constant connection, say, in a
> pentest situation.
>
> ozmart
>
> On Fri, 22 Feb 2013 14:34:57 +1100 "Michael Rash"
> <[email protected]> wrote:
> >Date: Thu, 21 Feb 2013 22:34:14 -0500
> >From: Michael Rash <[email protected]>
> >To: [email protected]
> >Message-ID: <[email protected]>
> >Subject: [Fwknop-discuss] fwknop road map
> >
> >All,
> >
> >A candidate road map for the next few major releases of fwknop has
> >been committed to the hmac_support branch (org mode format):
> >
> >http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=roadmap.org;h=8a02d93e867edbfad0f29c169efded7fd78d13f2;hb=381487569c4ba0ad5c90e58c9a532977a15acced
> >
> >These were converted into milestones on github:
> >
> >https://github.com/mrash/fwknop/issues/milestones
> >
> >This road map is a draft of major functionality that is to be
> >implemented - all feedback is welcome. If there is anything you
> >would like to see added, changed, or removed, please let me know.
> >
> >The code in the hmac_support branch will become the next major
> >release (fwknop-2.5), and it will change things quite a bit. It will
> >still be possible to use fwknop-2.5 with older releases through
> >support for the current way of doing things, but the recommended
> >work flow will become:
> >
> >- Use fwknop in '--key-gen' mode to generate a Rijndael key as
> >  well as an HMAC key. These keys are base64 encoded random data
> >  collected from the local entropy source, and here is an example:
> >
> >$ fwknop --key-gen
> >KEY_BASE64: 11MTyBqJDI1zXHGuJd7pYstkeqzbFwKqzCPdNYupCRI=
> >HMAC_KEY_BASE64: W9YKG3XhZ6wJX2yJ3U0zK8SZZbyZEfIrX+umkaIZJOuG6/X025E7GPlfFdxu/BYHenJtnOchIjsDZkrq8saL9w==
> >
> >- Place these keys within the ~/.fwknoprc file in the client
> >  filesystem. An example from the test suite can be found here:
> >
> >http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=test/conf/fwknoprc_default_hmac_base64_key;h=173dbed29c7113a1a5c99a4abd8bdf09c9e9d6dd;hb=refs/heads/hmac_support#l49
> >
> >- Place the keys within the /etc/fwknop/access.conf file on the
> >  server. Example:
> >
> >http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=blob;f=test/conf/hmac_access.conf;h=68c148a40fa8fb6b22cb36b9bcd9843aa3818959;hb=refs/heads/hmac_support
> >
> >- Now, from the client, use the '--named-config' argument to
> >  reference the keys and SPA server destination from the ~/.fwknoprc
> >  file. This will generate an SPA packet that the server will
> >  authenticate via HMAC-SHA256 before running any decryption code.
> >  There are several strong security benefits that this will provide
> >  to SPA communications beyond what is currently possible.
> >
> >Instead of using --key-gen, you will be able to just manually type
> >in encryption and HMAC keys as well if you prefer that.
> >
> >And, if you prefer to keep things as they are right now and not
> >use HMAC at all, that will continue to be supported.
> >
> >Beyond the addition of HMAC-SHA256 authentication, for SPA packets
> >encrypted with Rijndael, libfko will also ensure that the encrypted
> >data is precisely compatible with how OpenSSL creates Rijndael data
> >in CBC mode. This is to ensure that fwknop can benefit from research
> >that the security community does against the OpenSSL library without
> >having to link against it directly. Even though this compatibility
> >will be checked, fwknop will _not_ use OpenSSL's
> >authenticate-then-encrypt model, which has been a source of serious
> >problems represented by padding oracle attacks. fwknop will strictly
> >use the encrypt-then-authenticate model for HMAC operations, similar
> >to IPsec.
> >
> >Current development efforts are focused on ensuring a good design
> >for the HMAC code along with both static and dynamic analysis
> >(clang-analyzer, splint, and valgrind being primary tools). The
> >test suite is receiving a lot of work too.
> >
> >Thanks,
> >
> >--Mike
> >
> >------------------------------------------------------------------------------
> >Everyone hates slow websites. So do we.
> >Make your web apps faster with AppDynamics
> >Download AppDynamics Lite for free today:
> >http://p.sf.net/sfu/appdyn_d2d_feb
> >_______________________________________________
> >Fwknop-discuss mailing list
> >[email protected]
> >https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
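The quoted road map describes two things a reader may want to see in running code: keys generated as base64 random data (a 32-byte Rijndael key and a 64-byte HMAC key, the lengths shown by '--key-gen' above) and an SPA receiver that verifies HMAC-SHA256 over the encoded ciphertext before any decryption code runs (encrypt-then-authenticate). The block below is an added example written for this page; it is not fwknop or libfko code. To run on the Python standard library alone it makes two assumptions: the cipher is a stand-in keystream built from HMAC-SHA256 in counter mode rather than the Rijndael-CBC libfko uses, and the packet layout (base64 ciphertext followed by base64 tag) and the payload fields are constructed for the demo, not fwknop's real wire format. The `decrypt_calls` counter exists only to show that a forged packet never reaches the decryptor.

```python
"""Encrypt-then-authenticate for an SPA-style packet (added example, not
fwknop/libfko code). The receiver checks HMAC-SHA256 over the encoded
ciphertext first and only then runs any decryption code.

Assumptions so this runs offline on the standard library:
  * the cipher is a stand-in keystream (HMAC-SHA256 in counter mode),
    NOT the Rijndael-CBC that libfko uses;
  * packet layout (base64 ciphertext || base64 tag) and payload fields
    are constructed for the demo, not fwknop's real format.
"""
import base64
import hashlib
import hmac
import os
import struct

KEY_LEN = 32        # 32 random bytes -> 44 base64 chars, like KEY_BASE64 above
HMAC_KEY_LEN = 64   # 64 random bytes -> 88 base64 chars, like HMAC_KEY_BASE64 above
NONCE_LEN = 16
TAG_B64_LEN = 44    # base64 of a 32-byte HMAC-SHA256 digest


def key_gen():
    """Like 'fwknop --key-gen': base64 of random bytes from the OS entropy source."""
    enc = base64.b64encode(os.urandom(KEY_LEN)).decode()
    mac = base64.b64encode(os.urandom(HMAC_KEY_LEN)).decode()
    return enc, mac


def _keystream_xor(key, nonce, data):
    """Stand-in cipher (assumption): XOR data with HMAC-SHA256(key, nonce||ctr) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">I", off // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def build_spa_packet(enc_key_b64, hmac_key_b64, payload):
    """Client side: encrypt, base64-encode, then MAC the encoded ciphertext."""
    enc_key = base64.b64decode(enc_key_b64)
    hmac_key = base64.b64decode(hmac_key_b64)
    nonce = os.urandom(NONCE_LEN)
    ct_b64 = base64.b64encode(nonce + _keystream_xor(enc_key, nonce, payload)).decode()
    tag = hmac.new(hmac_key, ct_b64.encode(), hashlib.sha256).digest()
    return ct_b64 + base64.b64encode(tag).decode()


class SpaServer:
    def __init__(self, enc_key_b64, hmac_key_b64):
        self.enc_key = base64.b64decode(enc_key_b64)
        self.hmac_key = base64.b64decode(hmac_key_b64)
        self.decrypt_calls = 0   # how often the decryptor was actually reached

    def handle_packet(self, pkt):
        """Return the payload, or None. A bad tag is rejected before any
        decryption runs, so decryption errors can never leak to a sender."""
        if len(pkt) <= TAG_B64_LEN:
            return None
        ct_b64, tag_b64 = pkt[:-TAG_B64_LEN], pkt[-TAG_B64_LEN:]
        try:
            got = base64.b64decode(tag_b64, validate=True)
        except ValueError:
            return None
        expected = hmac.new(self.hmac_key, ct_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, got):   # constant-time compare
            return None
        self.decrypt_calls += 1
        ct = base64.b64decode(ct_b64)
        return _keystream_xor(self.enc_key, ct[:NONCE_LEN], ct[NONCE_LEN:])


def demo():
    """Round trip one packet, then one with a flipped ciphertext character."""
    enc_key, hmac_key = key_gen()
    server = SpaServer(enc_key, hmac_key)
    payload = b"constructed-spa-fields:open tcp/22"   # constructed, not fwknop's layout
    pkt = build_spa_packet(enc_key, hmac_key, payload)
    good = server.handle_packet(pkt)
    bad_pkt = ("B" if pkt[0] == "A" else "A") + pkt[1:]   # tamper with ciphertext
    bad = server.handle_packet(bad_pkt)
    return good, bad, server.decrypt_calls


if __name__ == "__main__":
    print(demo())
```

Swapping `_keystream_xor` for a real Rijndael-CBC routine does not change the verifier: the MAC is computed over the encoded ciphertext as opaque bytes, so the decryption code, including any padding check, is unreachable for anyone who cannot produce a valid tag.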
