BlackHat DC 2010 Nve Playing With SAT 1.2 Slides
TRANSCRIPT
Leonardo Nve Egea
[email protected]

1. because I’m sure that some people will publish more attacks.
.2 because of previous presentations about satellite.

Warezzman (in 2004 at Undercon VIII, first Spanish hacker CON)
Jim Geovedi & Raditya Iryandi (HITBSecConf2006)
Adam Laurie (Blackhat 2009 at DC)
Myself at S21Sec Blog (February 2009)

Orbit based satellites
- Low Earth orbiting (LEO)
- Geostationary orbit (GEO)
- Other: Molniya, High (HEO), etc.
Function based satellites
- Communications
- Earth observation
- Other: Scientifics, ISS, etc.

Satellite LEO
- Meteorological
- HAM (Amateur Radio Operator)
Satellite GEO
- UFO (UHF Follow ON) Military
- Inmarsat
- Meteorological (Meteosat)
- SCPC / Telephony link FDMA

Standard of European Telecommunications Standards Institute (ETSI).
Defines audio and video transmission, and data connections.
DVB-S & DVB-S2 is the specification for satellite communications.

Transponder: like channels (in satellite comms)
- Frequency (C band or Ku). Ex: 12.092GHz
- Polarization (horizontal/vertical)
- Symbol Rate. Ex: 27500Kbps
- FEC
Every satellite has many transponders onboard which are operating on different frequencies.

Header | Body
0x47 | Flags | PID | Flags | Adaptation Field | Data
Program ID (PID): It permits different programs at same transponder with different components [Example BBC1 PIDs: 600 (video), 601 (English audio), 603 (subtitles), 4167 (teletext)]
Special PIDs: NIT (Network Information Table), SDT (Service Description Table), PMT (Program Map Tables), PAT (Program Association Table).
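
The packet layout on this slide, decoded in Python. This is an added example, not code from the talk: it parses the 4-byte transport stream header, tallies packets per PID and reports which PIDs carry an unscrambled payload. The helper `make_packet`, the `SAMPLE` bytes and the label "service PID" are constructed for the illustration.

```python
import struct
from collections import Counter

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
# PIDs fixed by the MPEG-2/DVB specifications; PMT PIDs are announced in the PAT.
WELL_KNOWN_PIDS = {0x0000: "PAT", 0x0010: "NIT", 0x0011: "SDT", 0x1FFF: "null"}


def parse_ts_header(packet: bytes) -> dict:
    """Decode the 4-byte header of one 188-byte transport stream packet."""
    if len(packet) != TS_PACKET_SIZE:
        raise ValueError("a TS packet is exactly 188 bytes")
    sync, flags_pid, last = struct.unpack(">BHB", packet[:4])
    if sync != SYNC_BYTE:
        raise ValueError("first byte is not the 0x47 sync byte")
    return {
        "transport_error": bool(flags_pid & 0x8000),
        "payload_unit_start": bool(flags_pid & 0x4000),
        "pid": flags_pid & 0x1FFF,                 # 13-bit PID
        "scrambling": (last >> 6) & 0x03,          # 0 means the payload is in the clear
        "has_adaptation_field": bool(last & 0x20),
        "has_payload": bool(last & 0x10),
        "continuity": last & 0x0F,
    }


def summarize_stream(data: bytes) -> dict:
    """Count packets per PID and list the PIDs seen with unscrambled payload."""
    counts, clear = Counter(), set()
    offset = 0
    while offset + TS_PACKET_SIZE <= len(data):
        if data[offset] != SYNC_BYTE:
            offset += 1                            # hunt for the next sync byte
            continue
        hdr = parse_ts_header(data[offset:offset + TS_PACKET_SIZE])
        counts[hdr["pid"]] += 1
        if hdr["has_payload"] and hdr["scrambling"] == 0:
            clear.add(hdr["pid"])
        offset += TS_PACKET_SIZE
    labels = {pid: WELL_KNOWN_PIDS.get(pid, "service PID") for pid in counts}
    return {"counts": dict(counts), "clear_pids": clear, "labels": labels}


def make_packet(pid, scrambling=0, continuity=0, unit_start=False) -> bytes:
    """Build a constructed, payload-only TS packet for the sample below."""
    flags_pid = (0x4000 if unit_start else 0) | (pid & 0x1FFF)
    last = (scrambling << 6) | 0x10 | (continuity & 0x0F)
    return struct.pack(">BHB", SYNC_BYTE, flags_pid, last) + bytes(184)


# Constructed sample: two stray bytes, then a PAT packet, two packets on PID 600
# (clear) and one on PID 601 (scrambled), using the slide's BBC1 PID numbers.
SAMPLE = (b"\x00\x00" + make_packet(0, unit_start=True) + make_packet(600)
          + make_packet(601, scrambling=2) + make_packet(600, continuity=1))

if __name__ == "__main__":
    summary = summarize_stream(SAMPLE)
    for pid, n in sorted(summary["counts"].items()):
        state = "clear" if pid in summary["clear_pids"] else "scrambled"
        print(f"PID {pid:5d} {summary['labels'][pid]:12s} packets={n} {state}")
```

The scrambling bits only describe transport-level scrambling; a payload protected higher up (IPsec, TLS) still shows as clear here.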
Temporal video links.
Live emissions, sports, news.
FTA - In open video.

Hispasat Pre news feed (live news)

ATLAS Agency to TV feeds

Captured NATO feeds

NATO COMINT official

It is widely known that the Department of Defense (DoD) and some US defense contractors use satellites and DVB for their comms.

Let's see:
http://telecom.esa.int/telecom/media/document/DVB-RCS%20Networks%20for%20the%20US%20Defense%20Market%20(R3).pdf

US COMINT official

Find feeds:
- Lists of channels in www
- Blind Scan
- Visual representations of the signal

Dr HANS: http://drhans.jinak.cz/news/index.php
Zackyfiles: http://www.zackyfiles.com (in Spanish)
Satplaza: http://www.satplaza.com

Two scenarios
- Satmodem
- Satellite Interactive Terminal (SIT) or Astromodem

[Diagram, built up over several slides: CLIENT, ISP and INTERNET, with the DOWNLINK, the POTS/GPRS UPLINK and the ISP’s UPLINK]

DVB Data - Astromodem
[Diagram: CLIENT, ISP and INTERNET, with DOWNLINK & UPLINK]

Anyone with coverage can SNIFF the DVB Data, and normally it is unencrypted.

What do you need:
- Skystar 2 DVB Card
- linuxtv-dvb-apps
- Wireshark
- The antenna
- Data to point it.

I bought it for 50€!!! from a PayTV ex-”hacker” :P (including a set-top box that I will not use)

Linux has the modules for this card by default, we only need the tools to manage it:
linuxtv-dvb-apps
My version is 1.1.1 and I use Fedora (Not too cool to use Debian :P).

Once the antenna and the card are installed and linuxtv-dvb-apps is compiled and installed, the process is:
1- Tune the DVB Card
2- Find a PID with data
3- Create an Ethernet interface associated to that PID
We can repeat 2 to 3 as many times as we want.

Tune DVB Card
The tool we must use is szap and we need the transponder’s parameters in a configuration file.
For example, for "Sirius-4 Nordic Beam":
# echo "sirius4N:12322:v:0:27500:0:0:0" >> channels.conf

We run szap with the channel configuration file and the transponder we want to use (the configuration file can have more than one).
# szap -c channels.conf sirius4N
We must keep it running.

The transponder parameters can be found around the Internet.
http://www.fastsatfinder.com/transponders.html

Find a PID
# dvbsnoop -s pidscan
Search for data section on results.

Create an interface associated to a PID
# dvbnet -a <adapter number> -p <PID>
Activate it
# ifconfig dvb0_<iface number> up

Back to the pidscan results

Create another interface

Wireshark is our friend
16358 packets in 10 seconds

We can have more than one PID assigned to an interface, this will be very useful.
Malicious users can:
- Catch passwords.
- Catch cookies and get into authenticated HTTP sessions.
- Read emails
- Catch sensitive files
- Do traffic analysis
- Etc.

Reminder: In satellite communications we have two scenarios:
A- Satmodem, only downlink via satellite
B- Astromodem, both uplink and downlink via satellite.

We can only sniff the downloaded data. We can only sniff one direction in a connection.

DNS Spoofing
TCP hijacking
Attacking GRE

DNS Spoofing is the art of making a DNS entry point to another IP than it would be supposed to point to. (SecureSphere)

Data we need to perform this attack:
- DNS Request ID
- Source Port
- Source IP
- Destination IP
- Name/IP asking for

It's trivial to see that if we sniff a DNS request we have all that information and we can spoof the answer.
Many tools around do this job, the only thing we also need is to be faster than the real DNS server (jizz).

Why is this attack important?
- Think of phishing
- With this attack, uplink sniff can be possible
  ▪ Rogue WPAD service
  ▪ Sslstrip can be used to avoid SSL connections.
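
The race described above leaves a trace a defender can look for: one query receives two answers carrying the same DNS ID, client IP and client port but different records. The following detection sketch is an added example, not part of the original slides; the tab-separated input layout and every address in `SAMPLE_RESPONSES` are constructed.

```python
from collections import defaultdict

# Constructed sample of DNS responses seen on a link, one per line, tab-separated:
# time, server IP, client IP, client port, DNS ID, query name, A records.
# The column layout is an assumption (for instance a field export from a capture).
SAMPLE_RESPONSES = "\n".join([
    "1263.100\t192.0.2.53\t198.51.100.7\t40312\t0x1a2b\twww.example.com\t203.0.113.66",
    "1263.740\t192.0.2.53\t198.51.100.7\t40312\t0x1a2b\twww.example.com\t198.51.100.80",
    "1264.020\t192.0.2.53\t198.51.100.7\t51877\t0x0c01\tmail.example.com\t198.51.100.25",
    "1264.650\t192.0.2.53\t198.51.100.7\t51877\t0x0c01\tmail.example.com\t198.51.100.25",
    "1265.300\t192.0.2.53\t198.51.100.9\t33001\t0x77f0\twww.example.com\t198.51.100.80",
    "1299.000\t192.0.2.53\t198.51.100.9\t33001\t0x77f0\twww.example.com\t198.51.100.81",
])


def parse_response(line: str) -> dict:
    """Split one record into the fields a forged answer has to match, plus its answers."""
    ts, server, client, port, txid, qname, answers = line.split("\t")
    return {
        "time": float(ts),
        "server": server,
        # A forged answer must match exactly these values to be accepted by the client.
        "key": (client, int(port), int(txid, 16), qname.lower().rstrip(".")),
        "answers": frozenset(a for a in answers.split(",") if a),
    }


def find_conflicting_answers(text: str, window: float = 2.0) -> list:
    """Flag queries answered twice, with different records, within `window` seconds."""
    by_key = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_response(line)
            by_key[rec["key"]].append(rec)
    alerts = []
    for (client, port, txid, qname), recs in by_key.items():
        recs.sort(key=lambda r: r["time"])
        for earlier, later in zip(recs, recs[1:]):
            gap = later["time"] - earlier["time"]
            # Identical repeats are retransmissions; a late mismatch is ID/port reuse.
            if gap <= window and later["answers"] != earlier["answers"]:
                alerts.append({
                    "client": f"{client}:{port}",
                    "dns_id": txid,
                    "query": qname,
                    "first_answer": sorted(earlier["answers"]),
                    "later_answer": sorted(later["answers"]),
                    "gap_seconds": round(gap, 3),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_conflicting_answers(SAMPLE_RESPONSES):
        print("conflicting DNS answers:", alert)
```

The first answer is the one the client used, so an alert means the earlier record set needs checking. Resolvers that rotate answers between retransmissions can trigger it too, which is why it reports both sets rather than deciding which is genuine.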

TCP session hijacking is when a hacker takes over a TCP session between two machines. (ISS)

(1) Seq=S1 ACK=A1 Datalen=L1
(2) Seq=A1 ACK=S1+L1 Datalen=L2
(3) Seq=S1+L1 ACK=A1+L2 Datalen=L3
If we sniff 1 we can predict Seq and Ack of 2 and we can send the payload we want in 2

Initially we can only have a false connection with A.
In certain circumstances, we can make this attack with B, when L2 is predictable.
Some tools for doing this:
- Hunt
- Shijack
- Scapy

Generic Routing Encapsulation
Point to point tunneling protocol
13% of Satellite’s data traffic in our transponder is GRE

This chapter is based on Phenoelit’s discussion paper written by FX, applied to the satellite scenario.
Original paper: http://www.phenoelit-us.org/irpas/gre.html

[Diagram: HQ, INTERNET, Remote Offices]

Find a target:
# tshark -ni dvb0_0 -R gre -w capture.cap

GRE Packet
IP dest 1 | IP source 1
GRE header
Payload IP dest | Payload IP source
Payload IP Header
Payload Data

IP dest 1 and source 1 must be Internet reachable IPs
The payload's IPs used to be internal.
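
To see what this layout exposes on a link you operate, the following added example (not from the talk or from the Phenoelit paper) decodes the outer IPv4 header, the GRE header with its optional words, and the inner IPv4 header, and reports whether internal addressing is readable. The sample packets are constructed from the addresses used in the slides' diagram; `ipv4_header` and `gre_packet` are hypothetical helpers that exist only to build them.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47            # IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800      # GRE protocol type for an IPv4 payload


def parse_ipv4(buf: bytes):
    """Return (header_length, protocol, source, destination) of an IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    return ihl, buf[9], ipaddress.IPv4Address(buf[12:16]), ipaddress.IPv4Address(buf[16:20])


def parse_gre(buf: bytes):
    """Return (header_length, protocol_type, key) for a version 0 GRE header."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol_type = struct.unpack(">HH", buf[:4])
    if flags & 0x0007:
        raise ValueError("GRE version other than 0")
    if flags & 0x4000:
        raise ValueError("RFC 1701 source routing is not handled")
    length = 4                                   # the 32 bits present when no flag is set
    if flags & 0x8000:                           # C: checksum + reserved word
        length += 4
    key_offset = None
    if flags & 0x2000:                           # K: key word
        key_offset = length
        length += 4
    if flags & 0x1000:                           # S: sequence number word
        length += 4
    if len(buf) < length:
        raise ValueError("truncated GRE header")
    key = None
    if key_offset is not None:
        key = struct.unpack(">I", buf[key_offset:key_offset + 4])[0]
    return length, protocol_type, key


def audit_gre_packet(packet: bytes):
    """Return what a passive observer can read, or None if this is not IPv4-in-GRE."""
    ihl, proto, outer_src, outer_dst = parse_ipv4(packet)
    if proto != GRE_PROTOCOL:
        return None
    gre_len, protocol_type, key = parse_gre(packet[ihl:])
    if protocol_type != ETHERTYPE_IPV4:
        return None
    _, inner_proto, inner_src, inner_dst = parse_ipv4(packet[ihl + gre_len:])
    return {
        "tunnel_endpoints": (str(outer_src), str(outer_dst)),
        "inner_addresses": (str(inner_src), str(inner_dst)),
        "inner_protocol": inner_proto,
        "gre_key": key,
        "internal_addressing_visible": inner_src.is_private or inner_dst.is_private,
    }


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed 20-byte IPv4 header; the checksum is left at zero and not verified."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def gre_packet(outer, inner, gre_header=b"\x00\x00\x08\x00") -> bytes:
    """Constructed IPv4-in-GRE packet; outer and inner are (source, destination) pairs."""
    body = gre_header + ipv4_header(inner[0], inner[1], 6, 0)
    return ipv4_header(outer[0], outer[1], GRE_PROTOCOL, len(body)) + body


# Constructed samples: plain GRE, GRE with a key word, and a non-GRE packet.
SAMPLE_PLAIN = gre_packet(("1.1.1.2", "1.1.1.1"), ("10.0.0.54", "10.0.0.5"))
SAMPLE_KEYED = gre_packet(("1.1.1.1", "1.1.1.2"), ("10.0.0.5", "10.0.0.54"),
                          gre_header=struct.pack(">HHI", 0x2000, ETHERTYPE_IPV4, 42))
SAMPLE_NOT_GRE = ipv4_header("1.1.1.2", "1.1.1.1", 17, 0)
```

When the tunnel is wrapped in IPsec, the outer protocol seen on the link is ESP rather than 47, and `audit_gre_packet` returns None.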

[Diagram, repeated on the following slides with the steps (*), (1), (2), (3) and (4) marked: INTERNET, 1.1.1.2, 1.1.1.1, 10.0.0.54, 10.0.0.5]

(*) GRE Packet
1.1.1.1 | 1.1.1.2
GRE header (32 bits without flags)
10.0.0.5 | 10.0.0.54
Payload IP Header
Payload Data

(1) GRE Packet
1.1.1.1 | 1.1.1.2
GRE header (32 bits without flags)
10.0.0.5 | 10.0.0.54
Payload IP Header
Payload Data

(2) IP Packet
10.0.0.5 | 10.0.0.54
IP header
Data

(3) IP Packet
10.0.0.54 | 10.0.0.5
IP header 2
Data 2

(4) GRE Packet
1.1.1.2 | 1.1.1.1
GRE header (32 bits without flags)
10.0.0.54 | 10.0.0.5
Payload IP Header 2
Payload Data 2

In Phenoelit's attack, the payload’s IP source is our public IP. This attack fails when that IP isn't reachable from the internal LAN, and you can be logged.
I use an internal IP because we can sniff the responses.
To improve the attack further, find an internal IP that is not used.

How To Scan NSA And Cannot Be Traced

We can send a SYN packet with any destination IP and TCP port (spoofing a satellite’s routable source IP), and we can sniff the responses.
We can analyze the responses.

OR… We can configure our Linux like a satellite connected host.
VERY EASY!!!

What we need:
- An Internet connection (let’s use it as uplink) with any technology which lets you spoof.
- A receiver, a card….

Let’s rock!
Find a satellite IP not used. I ping IPs next to another sniffable satellite IP to find a non-responding IP. We must sniff our ping with the DVB Card (you must save the packets).
This will be our IP!

Configure Linux to use it.
We need our router’s MAC

Configure our dvb interface to receive this IP (I suppose that you have configured the PID…)
The IP is the one we have selected, and in the ICMP scan we must get the destination MAC sniffed.

Here we get the MAC address we must configure in our DVB interface

I use netmask /32 to avoid routing problems

Now we can configure our Internet interface with the same IP and configure a default route with a false router, setting this one with a static MAC (our real router’s MAC).

IT WORKS!

This is all!!!
Some things you must remember:
The DNS server must allow requests from any IP or you must use the satellite ISP DNS server.
If you have any firewall (iptables) disable it.
All the things you do can be sniffed by other users.

Now attacking GRE is very easy, you only need to configure your Linux with the IP of one of the routers (the one with the satellite connection) and configure the tunneling.
http://www.google.es/search?rlz=1C1GPEA_en___ES312&sourceid=chrome&ie=UTF-8&q=configuring+GRE+linux

I’m studying the different methods to trace illegal users. (I only have a few ideas).
In the future I would like to study the possibilities of sending data to a satellite via Astromodem (DVB-RCS).

Satellite communications are insecure.
It can be sniffed.
A lot of attacks can be made, I just talked about only a few level 4 and level 3 attacks.

With this technology in our sky, an anonymous connection is possible.
Many kinds of Denial of Service are possible.