
Post on 22-Feb-2020


TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

PROFILING SSL AND ATTRIBUTING PRIVATE NETWORKS

An introduction to FLYING PIG and HUSH PUPPY

ICTR - Network Exploitation GCHQ

CONTAINS INTELLECTUAL PROPERTY OWNED AND/OR MANAGED BY GCHQ. THE MATERIAL MAY BE DISSEMINATED THROUGHOUT THE RECIPIENT ORGANISATION, BUT GCHQ PERMISSION MUST BE OBTAINED FOR DISSEMINATION OUTSIDE THE ORGANISATION.

Outline

- Two separate prototypes - FLYING PIG and HUSH PUPPY

- Both are cloud analytics which work on bulk unselected data

- FLYING PIG is a knowledge base for investigating TLS/SSL traffic

- HUSH PUPPY is a tool for attributing private network traffic

THIS INFORMATION IS EXEMPT UNDER THE FREEDOM OF INFORMATION ACT 2000 (FOIA) AND MAY BE EXEMPT UNDER OTHER UK INFORMATION LEGISLATION. REFER ANY FOIA QUERIES TO GCHQ.

FLYING PIG - TLS/SSL Background

- TLS/SSL (Transport Layer Security / Secure Sockets Layer) provides encrypted communication over the internet

- Simple TLS/SSL handshake:

Client -> Server: Client hello

Server -> Client: Server hello

Server -> Client: Certificate

Server -> Client: Server hello done

Client <-> Server: Application data


Motivations for FLYING PIG

More and more services used by GCHQ targets are moving to TLS/SSL to increase user confidence, e.g. Hotmail, Yahoo, Gmail, etc.

Terrorists and cyber criminals are common users of TLS/SSL to hide their comms (not necessarily using the big providers).

A TLS/SSL knowledge base could provide a means to extract as much information from the unencrypted traffic as possible.


FLYING PIG implementation

• Federated QFD approach

- Multiple separate cloud analytics, each of which produces a QFD (Query Focussed Dataset).

- Analytics are run once a week, on approximately 20 billion events.

- A single query in the web interface results in calls to multiple QFDs, which are returned to the user in separate panels.

- Results in: (a) fast queries, (b) easy-to-maintain modular code, and importantly (c) easy to add future TLS/SSL QFDs.


Query by certificate metadata

[Screenshot: FLYING PIG TLS/SSL Knowledge Base web interface. The query form takes an IP (as client IP, server IP or both), a network (e.g. 1.2.3.0/24) or a server certificate field (e.g. %example.com, with % as wildcard); the query shown is a certificate field search for %mail.ru. Server certificate fields to search within: subject common name, subject organisation name, issuer common name, issuer organisation name, RSA modulus. Result panels: "All HTTP requests matching your query" (host name, first seen, last seen, count w/e 25th Nov, count all time), "All certificates matching your query" (full certificate, first seen, last seen, count w/e 25th Nov, count all time, valid from, valid to, subject and issuer common name, country and org name, self signed) and "Server IPs" (cert count w/e 25th Nov, cert count all time). The "Advanced" column set adds RSA modulus and cipher suite distribution columns; rows can be right-clicked to find all server IPs that serve a certificate, and data can be downloaded in CSV format.]

Query by server IP

[Screenshot: FLYING PIG query on a Mail.Ru server IP. General panels: "General IP info" (geolocation, WHOIS info, AS info, DNS, Tor node), "Top 10 SSL client geos", "Top 10 SSL server ports", "Top 10 SSL case notations" and "SSL Traffic stats" (unique clients with client-server traffic only, server-client traffic only, or bidirectional traffic). Server IP-specific panels: "SSL Certificates seen on this IP" (first seen on this IP, last seen on this IP, count w/e 25th Nov, count all time, valid from, valid to, subject common name, issuer common name), "Average pattern of life for a client (seeded around SSL events to this server IP)" (correlated event, event port, percentage occurrences of event), "HTTP requests to this IP (top 100)" (server IP, host name requested, first seen, last seen, count last week, count all time) and "Top 100 SSL clients".]

Query by server IP

[Screenshot: the same server IP query scrolled down to the "Top 100 SSL clients of server" panel. Clients can be filtered by country of client IP (only show clients in these countries, remove clients in these countries, remove clients that also act as servers). Columns: client IP, client country (conf), client company, first seen, last seen, count w/e 25th Nov, count all time, pairing status w/e 25th Nov, pairing status all time. Pairing status values shown: "Client -> Server only", "Server -> Client only", "Both directions".]

Query by client IP

[Screenshot: FLYING PIG query on a client IP. Client IP-specific panels: "General IP info" (geolocation, WHOIS info, AS info, DNS, Tor node) and "Top 100 SSL servers visited", which can be filtered by country of server IP. Columns: client IP, server IP, server country (conf), server company info (from GEOFUSION export), first seen, last seen, count w/e 25th Nov, count all time, pairing status w/e 25th Nov, pairing status all time.]

Query by network range

[Screenshot: FLYING PIG query on a /24 network. Network-specific panels: "General network info" (geolocation, WHOIS info, AS info, DNS), "SSL clients in network" (client IP, client company info (from GEOFUSION export), first seen, last seen, total SSL traffic w/e 25th Nov, total SSL traffic all time, num. unique servers contacted w/e 25th Nov, num. unique servers contacted all time), "SSL servers in network" (server company info (from GEOFUSION export), last week seen, % paired clients that week, num. unique clients that week, num. unique clients all time) and "HTTP requests to IPs in network (top 100)" (server IP, host name requested, first seen, last seen, count last week, count all time).]

Cyber applications

Diginotar certificate authority compromise:

- Private keys of legitimate certificate authority, Diginotar, stolen by hacker.

- FLYING PIG was used to identify a FIS using them to launch a MITM against their own citizens.

How the attack was done:

[Diagram; surviving label: "Logs into router and adds static route for target traffic"]

FLYING PIG screenshot showing fake certificate:

[Screenshot: FLYING PIG certificate results for subject common name *.google.com (subject org Google Inc, US), listing certificates with several different issuers, among them zscaler, Google Internet Authority, a Blue Coat proxy host, lorealinternetbrowsing and "diginotar public ca 2025" (issuer country NL, issuer org diginotar, not self signed, first seen 2011-08-19, last seen 2011-08-26, valid from 2011-07-10 to 2013-07-09).]

Cyber applications

• Other Cyber applications:

- Multiple examples of FIS data exfiltration using SSL have been found using FLYING PIG.

- In particular, certificates related to LEGION JADE, LEGION RUBY, and MAKERSMARK activity were found on FLYING PIG using known signatures

- These were then used to find previously unknown servers involved in exfiltration from US companies.

- FLYING PIG has also been used to identify events involving a mail server used by Russian Intelligence.


Identification of malicious TLS/SSL

• Can identify malicious TLS/SSL using signatures if known

• However this approach generally does not allow discovery of new threats

• Alternative is to use "behavioural" features to automatically identify potentially malicious traffic

• Features currently being investigated include:

- Certificates with same subject but different issuers - may be indicative of Diginotar-style attack

- Beaconing in TLS/SSL (indicative of botnets/FIS implants)

- Number of client cipher suites offered

- Repeated identical random challenges
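One way to compute the first feature in the list above (certificates with the same subject but different issuers) over passively logged certificate metadata; this is an added example, not code from the slides or from GCHQ. The record fields, the constructed sample observations and the allowlist of TLS-inspection issuers are assumptions; the allowlist exists because corporate interception proxies also re-issue certificates for other subjects and would otherwise dominate the results.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class CertObservation:
    """One certificate as seen in server Certificate messages (assumed log schema)."""
    subject_cn: str       # subject common name
    issuer_cn: str        # issuer common name
    first_seen: datetime  # first time this certificate was observed
    count: int            # number of handshakes carrying this certificate


def _norm(name: str) -> str:
    # Compare names case-insensitively and ignore a trailing dot.
    return name.strip().rstrip(".").lower()


def find_issuer_conflicts(observations, inspection_issuers=()):
    """Return subjects that were served under two or more distinct issuers.

    Issuers in `inspection_issuers` (known TLS-inspection proxies) are ignored.
    The most-observed issuer per subject is treated as the baseline; every
    other issuer is reported as an outlier for an analyst to review.
    """
    ignored = {_norm(i) for i in inspection_issuers}
    by_subject = defaultdict(lambda: defaultdict(lambda: {"count": 0, "first_seen": None}))

    for obs in observations:
        issuer = _norm(obs.issuer_cn)
        if issuer in ignored:
            continue
        entry = by_subject[_norm(obs.subject_cn)][issuer]
        entry["count"] += obs.count
        if entry["first_seen"] is None or obs.first_seen < entry["first_seen"]:
            entry["first_seen"] = obs.first_seen

    findings = []
    for subject, issuers in sorted(by_subject.items()):
        if len(issuers) < 2:
            continue  # a single issuer is the normal case
        ranked = sorted(
            issuers.items(),
            key=lambda kv: (-kv[1]["count"], kv[1]["first_seen"], kv[0]),
        )
        findings.append({
            "subject": subject,
            "baseline_issuer": ranked[0][0],
            "outliers": [
                {"issuer": name, "count": s["count"], "first_seen": s["first_seen"]}
                for name, s in ranked[1:]
            ],
        })
    return findings


# Constructed sample observations (not data from the slides).
SAMPLE_OBSERVATIONS = [
    CertObservation("*.mail.example", "Example Trust SSL CA", datetime(2011, 1, 31), 16000),
    CertObservation("*.mail.example", "Example Trust SSL CA", datetime(2011, 6, 1), 1000),
    CertObservation("*.MAIL.example.", "Unfamiliar Public CA", datetime(2011, 8, 19), 40),
    CertObservation("*.mail.example", "corp-proxy.example", datetime(2011, 9, 16), 300),
    CertObservation("portal.example", "Example Trust SSL CA", datetime(2011, 2, 1), 900),
    CertObservation("portal.example", "corp-proxy.example", datetime(2011, 9, 20), 12),
    CertObservation("shop.example", "Other Example CA", datetime(2011, 3, 3), 120),
]

if __name__ == "__main__":
    for finding in find_issuer_conflicts(SAMPLE_OBSERVATIONS, ["corp-proxy.example"]):
        print(finding["subject"], "baseline:", finding["baseline_issuer"])
        for outlier in finding["outliers"]:
            print("  review:", outlier["issuer"], outlier["count"], outlier["first_seen"].date())
```
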


HUSH PUPPY - motivation

• Much private network traffic seen but previously discarded

• If traffic could be attributed, potential high value - close access

• HUSH PUPPY is a bulk private network identification Cloud analytic

• Basic idea is to look for the same TDI being seen coming from a private address and then from a public address within a short time

• The private traffic can then be attributed to the owner of the public address

• Works for SSE & COMSAT


HUSH PUPPY - example

[Diagram: Internet side: 1.2.3.4, Y cookie: [email protected] | NAT or proxy | Private network request to Yahoo: 192.168.0.2, Y cookie: [email protected]]


Other HUSH PUPPY datasets

• HUSH PUPPY also makes use of Yahoo T-cookies to do correlations

• A T-cookie contains the IP address of the client as Yahoo sees it

• Hence a T cookie coming from a private IP can give the public IP of the NAT or proxy

• In addition, HUSH PUPPY uses the following data to help verify results:

- Kerberos & Lotus Notes: Domains, organisations, departments, countries, machine names, user names

- HTTP: Heuristic detection of Intranet web servers

- SSL: Issuers, subjects, countries

- SMTP: From & to domains


Results - what do we find?

• Foreign government networks

• Airlines

• Energy companies

• Financial organisations

• In cases of good collection, 50-80% of collected private network traffic has been attributed

• Some false positives can arise if few events correlated, due to factors such as TDIs not being completely unique and public internet proxies giving misleading public IP results

• Results can frequently be verified using Kerberos etc data


Examples of operational successes

• A large private network related to the Afghan government was identified, with ~800,000 events correlated.

• Examination of the case notations suggested it belonged to the Afghan MOD

- A Kerberos domain mod.local

- HTTP servers *.mod.local & mail

- SSL certificates with the subject "Ministry of Defense" and the geo "AF"

• Results confirmed by analysis of content on XKEYSCORE

• A VSAT private network belonging to a Ministry of Foreign Affairs was identified

• NOSEY PARKER events were correlated with SSE


Contacts

• FLYING PIG -

• HUSH PUPPY -
