0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/551 Thanks!
1 00:00:09,960 --> 00:00:12,089 He has published articles
2 00:00:12,090 --> 00:00:14,549 in several big German
3 00:00:14,550 --> 00:00:16,679 magazines, computer
4 00:00:16,680 --> 00:00:19,139 magazines, and he's an expert on packet
5 00:00:19,140 --> 00:00:21,249 capture and analysis.
6 00:00:21,250 --> 00:00:23,459 Jasper will be talking today about
7 00:00:23,460 --> 00:00:25,379 the various issues that kind of
8 00:00:25,380 --> 00:00:27,659 arise when sanitizing and anonymizing
9 00:00:27,660 --> 00:00:29,819 packet captures and how
10 00:00:29,820 --> 00:00:31,349 to deal with them.
11 00:00:31,350 --> 00:00:33,509 So please help me welcome Jasper
12 00:00:33,510 --> 00:00:35,369 to this talk on sanitizing
13 00:00:35,370 --> 00:00:37,709 packet captures: fun and games until
14 00:00:37,710 --> 00:00:40,169 someone uses IP version six
15 00:00:40,170 --> 00:00:42,009 or TCP.
16 00:00:48,230 --> 00:00:50,089 Thank you. So, welcome.
17 00:00:50,090 --> 00:00:51,769 I didn't expect so many people in this
18 00:00:51,770 --> 00:00:53,689 room because the Fnord News Show is
19 00:00:53,690 --> 00:00:54,629 coming up soon.
20 00:00:54,630 --> 00:00:56,689 So if you're leaving in the
21 00:00:56,690 --> 00:00:58,969 middle of the talk, I'm not
22 00:00:58,970 --> 00:01:00,169 going to be disappointed.
23 00:01:00,170 --> 00:01:01,460 So just go ahead.
24 00:01:02,930 --> 00:01:04,139 Yeah, I'm Jasper.
25 00:01:04,140 --> 00:01:06,199 If you want to follow my stuff
26 00:01:06,200 --> 00:01:08,269 on Twitter, this is my
27 00:01:08,270 --> 00:01:09,909 handle.
28 00:01:09,910 --> 00:01:12,259 OK, this talk is about
29 00:01:12,260 --> 00:01:13,879 sanitizing PCAPs,
30 00:01:13,880 --> 00:01:15,709 so packet captures.
31 00:01:15,710 --> 00:01:18,199 I do a lot of work reading
32 00:01:18,200 --> 00:01:20,569 packet captures. So you probably
33 00:01:20,570 --> 00:01:22,189 heard of the tool called Wireshark.
34 00:01:23,570 --> 00:01:25,819 I use it every day and
35 00:01:25,820 --> 00:01:27,139 very often I have something that I want
36 00:01:27,140 --> 00:01:28,849 to show other people. But there's
37 00:01:28,850 --> 00:01:31,009 something in there that I can't let them
38 00:01:31,010 --> 00:01:33,469 know, like IP addresses and other
39 00:01:33,470 --> 00:01:35,869 stuff that may be sensitive.
40 00:01:35,870 --> 00:01:37,969 So I need to sanitize them,
41 00:01:37,970 --> 00:01:40,069 remove all the critical information so
42 00:01:40,070 --> 00:01:42,229 that nobody can see what
43 00:01:42,230 --> 00:01:43,729 my IP addresses are, what my MAC
44 00:01:43,730 --> 00:01:45,589 addresses are, because from the MAC addresses,
45 00:01:45,590 --> 00:01:47,659 as you probably know,
46 00:01:47,660 --> 00:01:49,939 you can deduce the vendor
47 00:01:49,940 --> 00:01:52,099 of the device quite
48 00:01:52,100 --> 00:01:54,829 often, not always, but in a lot of cases.
49 00:01:54,830 --> 00:01:57,199 So it may be important
50 00:01:57,200 --> 00:01:58,590 to do that before sharing stuff.
51 00:02:00,080 --> 00:02:02,149 OK, so the first slide that I'm
52 00:02:02,150 --> 00:02:03,559 going to show you is going to surprise
53 00:02:03,560 --> 00:02:04,909 you because it has nothing to do with
54 00:02:04,910 --> 00:02:05,910 PCAPs, because
55 00:02:07,580 --> 00:02:09,679 once upon a time I did something
56 00:02:09,680 --> 00:02:10,758 other than that.
57 00:02:10,759 --> 00:02:12,829 I worked on computer games like this
58 00:02:12,830 --> 00:02:14,959 one. I didn't write it, but I did the
59 00:02:14,960 --> 00:02:15,960 German translation,
60 00:02:17,030 --> 00:02:19,069 and also that one.
61 00:02:19,070 --> 00:02:20,449 It's like 20 years ago.
62 00:02:22,520 --> 00:02:25,249 I came to
63 00:02:25,250 --> 00:02:28,219 remembering those times
64 00:02:28,220 --> 00:02:30,469 when writing the talk, because back
65 00:02:30,470 --> 00:02:33,349 then I had to do something that I hated
66 00:02:33,350 --> 00:02:36,079 when sanitizing PCAPs as well.
67 00:02:36,080 --> 00:02:38,149 And that is using a hex editor to
68 00:02:38,150 --> 00:02:40,489 edit stuff, because it's very complicated
69 00:02:40,490 --> 00:02:42,859 to get things right. Back then,
70 00:02:42,860 --> 00:02:44,989 in those times when LucasArts
71 00:02:44,990 --> 00:02:47,270 and Westwood published those games,
72 00:02:48,440 --> 00:02:49,879 we didn't get any source code
73 00:02:50,930 --> 00:02:52,609 because, you can imagine, LucasArts back
74 00:02:52,610 --> 00:02:54,709 then was already very,
75 00:02:54,710 --> 00:02:56,629 well, they're not giving things to you
76 00:02:56,630 --> 00:02:58,489 that way where they think you could do
77 00:02:58,490 --> 00:03:00,319 something with it, like compile their
78 00:03:00,320 --> 00:03:01,879 game again or something.
79 00:03:01,880 --> 00:03:03,979 So they only got us the
80 00:03:03,980 --> 00:03:06,019 binaries. So I had to patch the German
81 00:03:06,020 --> 00:03:07,580 translation into the English game.
82 00:03:09,610 --> 00:03:11,949 Most of you know that most sentences
83 00:03:11,950 --> 00:03:15,639 in German, if they are going to be nice,
84 00:03:15,640 --> 00:03:18,459 are much longer than the English ones.
85 00:03:18,460 --> 00:03:20,439 So we're sitting there in the room
86 00:03:20,440 --> 00:03:21,849 translating the game and always thinking
87 00:03:21,850 --> 00:03:23,769 like, how, damn, how am I going to translate
88 00:03:23,770 --> 00:03:25,959 this? It needs to be
89 00:03:25,960 --> 00:03:28,479 not longer than the English phrase
90 00:03:28,480 --> 00:03:30,459 and still sound cool.
91 00:03:30,460 --> 00:03:31,669 And that is a big problem.
92 00:03:31,670 --> 00:03:33,789 So it cost a lot of nerves to
93 00:03:33,790 --> 00:03:36,699 do that. And I can show you how that
94 00:03:36,700 --> 00:03:38,829 looked like, because I got the Eye of
95 00:03:38,830 --> 00:03:40,899 the Beholder binary
96 00:03:40,900 --> 00:03:42,069 here.
97 00:03:42,070 --> 00:03:44,559 And you can see here there are all the
98 00:03:44,560 --> 00:03:47,619 strings in there in the executable,
99 00:03:47,620 --> 00:03:50,109 unobfuscated, which was common
100 00:03:50,110 --> 00:03:52,059 in these times. It's quite, quite
101 00:03:52,060 --> 00:03:54,219 surprising. Nobody uses plaintext
102 00:03:54,220 --> 00:03:56,529 strings anymore, right? Back
103 00:03:56,530 --> 00:03:58,509 then there were. And so we were editing
104 00:03:58,510 --> 00:04:01,029 in this all the time, translating
105 00:04:01,030 --> 00:04:02,739 the game. And that is something that I
106 00:04:02,740 --> 00:04:03,639 never want to do again.
107 00:04:03,640 --> 00:04:06,249 But sometimes with PCAPs,
108 00:04:06,250 --> 00:04:07,270 I had to do it again.
109 00:04:08,640 --> 00:04:10,119 And this is what the talk is about: how
110 00:04:10,120 --> 00:04:12,309 to get a solution to that kind
111 00:04:12,310 --> 00:04:14,709 of problem these days.
112 00:04:14,710 --> 00:04:16,268 Now, if you're doing computer game
113 00:04:16,269 --> 00:04:17,708 translation, of course, you get the
114 00:04:17,709 --> 00:04:19,268 resource files with all the translation
115 00:04:19,269 --> 00:04:21,278 strings in them and everything.
116 00:04:21,279 --> 00:04:23,319 So it's much easier. But back then, that
117 00:04:23,320 --> 00:04:24,320 was really hard work.
118 00:04:25,450 --> 00:04:27,579 So for those of
119 00:04:27,580 --> 00:04:29,679 you who don't know what a PCAP
120 00:04:29,680 --> 00:04:31,689 is: a PCAP is a packet capture,
121 00:04:31,690 --> 00:04:34,359 meaning it's network traffic
122 00:04:34,360 --> 00:04:36,669 that has been captured using
123 00:04:36,670 --> 00:04:37,839 a capture device.
124 00:04:37,840 --> 00:04:40,839 It can be a PC or something special.
125 00:04:40,840 --> 00:04:42,429 And it's a file format.
126 00:04:42,430 --> 00:04:43,809 It's a binary log.
127 00:04:43,810 --> 00:04:45,879 And that is something quite
128 00:04:45,880 --> 00:04:47,739 a number of people don't always
129 00:04:47,740 --> 00:04:49,869 recognize or understand, because a lot
130 00:04:49,870 --> 00:04:51,579 of times we get questions about how to
131 00:04:51,580 --> 00:04:53,380 read it with a text editor.
132 00:04:54,760 --> 00:04:55,719 Doesn't really work.
133 00:04:55,720 --> 00:04:58,059 You need to have something to read it.
134 00:04:58,060 --> 00:05:00,219 And most people, for this kind
135 00:05:00,220 --> 00:05:01,449 of thing, use Wireshark.
136 00:05:02,650 --> 00:05:04,719 PCAP is an old format.
137 00:05:04,720 --> 00:05:07,119 It's used a lot still because
138 00:05:07,120 --> 00:05:09,249 it's easy to write and easy to
139 00:05:09,250 --> 00:05:10,419 read.
140 00:05:10,420 --> 00:05:11,709 The much better one is pcapng.
141 00:05:11,710 --> 00:05:13,869 I don't know if you've heard about
142 00:05:13,870 --> 00:05:16,429 it, but I can recommend it because
143 00:05:16,430 --> 00:05:18,609 you can do much more things with it,
144 00:05:18,610 --> 00:05:20,379 like putting comments into packets and
145 00:05:20,380 --> 00:05:21,380 stuff like that.
146 00:05:22,650 --> 00:05:24,869 But still, a lot of tools only can
147 00:05:24,870 --> 00:05:26,999 do PCAP, so we have to
148 00:05:27,000 --> 00:05:28,829 still work with it, to be honest, right?
149 00:05:28,830 --> 00:05:31,109 Wireshark writes it, right?
150 00:05:31,110 --> 00:05:33,089 Well, dumpcap is the tool that writes
151 00:05:33,090 --> 00:05:34,889 it. But Wireshark tells dumpcap to write
152 00:05:34,890 --> 00:05:37,169 the stuff, and Snort and
153 00:05:37,170 --> 00:05:38,189 everything else.
154 00:05:38,190 --> 00:05:40,170 So why sanitization?
155 00:05:42,390 --> 00:05:44,069 Yeah, first of all, it's quite similar
156 00:05:44,070 --> 00:05:46,319 to editing
157 00:05:46,320 --> 00:05:48,389 packets to be able to replay them,
158 00:05:48,390 --> 00:05:50,879 which is sometimes necessary, to
159 00:05:50,880 --> 00:05:52,739 mess with them and play them back to the
160 00:05:52,740 --> 00:05:54,719 network and see how a device reacts to
161 00:05:54,720 --> 00:05:55,559 it.
162 00:05:55,560 --> 00:05:57,629 But it's a little bit different
163 00:05:57,630 --> 00:06:00,209 because your focus is not on
164 00:06:00,210 --> 00:06:02,549 changing the packets to test something,
165 00:06:02,550 --> 00:06:04,979 but to remove sensitive details
166 00:06:04,980 --> 00:06:07,379 like user credentials
167 00:06:07,380 --> 00:06:09,509 or network topology.
168 00:06:09,510 --> 00:06:11,219 You don't want somebody to know what the
169 00:06:11,220 --> 00:06:13,259 IP addresses are in your network and what
170 00:06:13,260 --> 00:06:15,299 the gateways are and what the addresses
171 00:06:15,300 --> 00:06:17,609 are. Stuff like this: device
172 00:06:17,610 --> 00:06:18,809 and software version information.
173 00:06:18,810 --> 00:06:21,119 Because, as we all know, if you find
174 00:06:21,120 --> 00:06:23,039 a banner from a device that tells you
175 00:06:23,040 --> 00:06:25,469 this is Cisco router something, whatever,
176 00:06:25,470 --> 00:06:27,329 everybody will Google: is there an exploit
177 00:06:27,330 --> 00:06:28,559 for this?
178 00:06:28,560 --> 00:06:30,659 And if there's one, you try to attack
179 00:06:30,660 --> 00:06:32,909 it.
So it may be interesting to remove
180 00:06:32,910 --> 00:06:35,039 those vulnerable protocols.
181 00:06:35,040 --> 00:06:36,569 Of course, if you have telnet in your
182 00:06:36,570 --> 00:06:38,549 network, I would consider that a
183 00:06:38,550 --> 00:06:39,550 vulnerable protocol.
184 00:06:40,620 --> 00:06:42,119 And, of course, payloads.
185 00:06:42,120 --> 00:06:43,979 So if you have something that is
186 00:06:43,980 --> 00:06:46,379 sensitive in itself and it's transported
187 00:06:46,380 --> 00:06:48,329 over the network, maybe you want to
188 00:06:48,330 --> 00:06:50,459 remove it because you don't
189 00:06:50,460 --> 00:06:52,349 need it for the analysis or something
190 00:06:52,350 --> 00:06:54,359 that you're doing later, and then you can
191 00:06:54,360 --> 00:06:55,360 strip it.
192 00:06:56,970 --> 00:06:58,769 OK, very often people do something like
193 00:06:58,770 --> 00:07:00,719 this. This is actually a screenshot that
194 00:07:00,720 --> 00:07:02,759 I have taken from one of the Wireshark
195 00:07:02,760 --> 00:07:03,899 Q&A sites.
196 00:07:05,370 --> 00:07:07,739 People post these kinds of screenshots
197 00:07:07,740 --> 00:07:10,409 of Wireshark and try to
198 00:07:10,410 --> 00:07:12,689 remove the sensitive stuff by painting
199 00:07:12,690 --> 00:07:14,069 over it.
200 00:07:14,070 --> 00:07:15,509 Sometimes it's really funny because you
201 00:07:15,510 --> 00:07:17,249 still have the hex dump down here, and then
202 00:07:17,250 --> 00:07:19,469 you can, if you can read hex, still
203 00:07:19,470 --> 00:07:20,879 see everything.
204 00:07:20,880 --> 00:07:22,619 So that's also the danger that you have
205 00:07:22,620 --> 00:07:23,849 when doing something like this.
206 00:07:23,850 --> 00:07:25,979 You may miss something that you need
207 00:07:25,980 --> 00:07:27,929 to sanitize, but you didn't,
208 00:07:27,930 --> 00:07:30,059 well, see that this is also the same
209 00:07:30,060 --> 00:07:31,019 information.
210 00:07:31,020 --> 00:07:33,359 Most people never look at the hex
211 00:07:33,360 --> 00:07:35,339 in Wireshark, so they don't realize that
212 00:07:35,340 --> 00:07:37,469 everything that is in the decode
213 00:07:37,470 --> 00:07:39,689 area is also in the hex area.
214 00:07:39,690 --> 00:07:40,579 And in this one, it isn't.
215 00:07:40,580 --> 00:07:41,749 So that's OK.
216 00:07:42,840 --> 00:07:45,209 And if I'm going to analyze something,
217 00:07:45,210 --> 00:07:47,069 somebody shows me a screenshot like this
218 00:07:47,070 --> 00:07:49,139 very often, my answer will be, first
219 00:07:49,140 --> 00:07:51,299 of all, nice, but I
220 00:07:51,300 --> 00:07:53,099 can't help you with it.
221 00:07:53,100 --> 00:07:55,319 Get me a PCAP. If you can get
222 00:07:55,320 --> 00:07:57,149 me the PCAP, because there's the IP
223 00:07:57,150 --> 00:07:59,459 addresses that you don't want me to see,
224 00:07:59,460 --> 00:08:01,349 sanitize it, replace them with something
225 00:08:01,350 --> 00:08:03,449 else. OK, and this
226 00:08:03,450 --> 00:08:04,920 is what we're going to talk about.
227 00:08:06,390 --> 00:08:08,759 So there's two main
228 00:08:09,930 --> 00:08:12,059 groups of people that want to sanitize
229 00:08:12,060 --> 00:08:14,189 packet captures.
230 00:08:14,190 --> 00:08:16,619 First of all, the network analysts, and
231 00:08:16,620 --> 00:08:19,199 a lot of them are, for example,
232 00:08:19,200 --> 00:08:20,759 guys who work in the company.
233 00:08:20,760 --> 00:08:21,760 I had one
234 00:08:23,460 --> 00:08:25,949 occurrence where a firewall
235 00:08:25,950 --> 00:08:28,349 administrator told his boss, OK,
236 00:08:28,350 --> 00:08:30,479 this firewall company wants me to send
237 00:08:30,480 --> 00:08:32,759 them captures from what our firewall
238 00:08:32,760 --> 00:08:34,529 does so they can debug why it's not
239 00:08:34,530 --> 00:08:35,530 doing what it should do.
240 00:08:36,690 --> 00:08:38,489 And the boss said, well, we can't do that
241 00:08:38,490 --> 00:08:40,859 because there's sensitive information
242 00:08:40,860 --> 00:08:42,928 in this network. And they're at
243 00:08:42,929 --> 00:08:45,059 a kind of a deadlock, like in a
244 00:08:45,060 --> 00:08:46,049 database.
245 00:08:46,050 --> 00:08:48,239 The firewall vendor says, I
246 00:08:48,240 --> 00:08:50,459 can't help you without the PCAPs.
247 00:08:50,460 --> 00:08:52,289 And the customer says, well, I can't send
248 00:08:52,290 --> 00:08:53,399 you the PCAPs.
249 00:08:53,400 --> 00:08:54,929 So what do we do? Well, you could
250 00:08:54,930 --> 00:08:57,089 sanitize them and remove everything that
251 00:08:57,090 --> 00:08:59,249 you think is critical, and then
252 00:08:59,250 --> 00:09:01,499 hopefully not remove too
253 00:09:01,500 --> 00:09:03,809 much, because if you remove too much, the
254 00:09:03,810 --> 00:09:06,059 firewall vendor will say, well, with this
255 00:09:06,060 --> 00:09:08,609 I can't see what the problem is.
256 00:09:08,610 --> 00:09:10,259 So you're always trying to find the right
257 00:09:10,260 --> 00:09:13,109 balance between removing stuff
258 00:09:13,110 --> 00:09:15,479 so that nobody sees your IP addresses
259 00:09:15,480 --> 00:09:17,699 and whatever, but not so much
260 00:09:17,700 --> 00:09:19,559 that it is unusable.
261 00:09:19,560 --> 00:09:21,659 And sometimes I see people removing so
262 00:09:21,660 --> 00:09:24,119 much stuff that it's basically unusable.
263 00:09:24,120 --> 00:09:26,279 So you need to find the
264 00:09:26,280 --> 00:09:28,289 right amount of sanitization.
265 00:09:29,310 --> 00:09:31,379 As a network analyst, I often only need
266 00:09:31,380 --> 00:09:33,599 packets up to the TCP layer, because
267 00:09:33,600 --> 00:09:35,699 if things go wrong in a network these
268 00:09:35,700 --> 00:09:38,789 days, it's most of the time
269 00:09:38,790 --> 00:09:40,919 related to how TCP works and
270 00:09:40,920 --> 00:09:43,199 what it does. I can see timing
271 00:09:43,200 --> 00:09:45,449 issues, retransmissions, packet
272 00:09:45,450 --> 00:09:47,519 loss, whatever, and I don't need
273 00:09:47,520 --> 00:09:49,619 the payload for it. So removing all
274 00:09:49,620 --> 00:09:51,719 of this payload after the TCP header,
275 00:09:51,720 --> 00:09:53,490 it's no big deal,
276 00:09:54,990 --> 00:09:57,059 because a lot of networks have
277 00:09:57,060 --> 00:09:58,499 these obscure little boxes.
278 00:09:58,500 --> 00:10:00,059 I don't know if you have seen any of
279 00:10:00,060 --> 00:10:01,060 those.
280 00:10:01,800 --> 00:10:04,319 There can be things like packet shapers,
281 00:10:04,320 --> 00:10:07,499 firewalls, WAN accelerators,
282 00:10:07,500 --> 00:10:09,839 all these magic boxes that
283 00:10:09,840 --> 00:10:11,969 do funny things with TCP but don't
284 00:10:11,970 --> 00:10:14,279 get them quite right all the time.
285 00:10:14,280 --> 00:10:16,679 So in that case, you can lose everything
286 00:10:16,680 --> 00:10:17,579 above TCP.
287 00:10:17,580 --> 00:10:19,619 All the payload, doesn't care,
288 00:10:19,620 --> 00:10:21,119 doesn't matter.
289 00:10:21,120 --> 00:10:23,339 So, and sometimes you still
290 00:10:23,340 --> 00:10:25,469 need stuff like application data, so
291 00:10:25,470 --> 00:10:27,899 DNS names and things like this,
292 00:10:27,900 --> 00:10:29,579 or URLs, and then things get
293 00:10:29,580 --> 00:10:31,799 complicated, because then you're on top
294 00:10:31,800 --> 00:10:33,869 of TCP, so you're in the
295 00:10:33,870 --> 00:10:35,999 stuff that is transported over UDP
296 00:10:36,000 --> 00:10:38,459 or TCP, and replacing
297 00:10:38,460 --> 00:10:40,319 those can be a big nightmare.
298 00:10:40,320 --> 00:10:42,929 And I will talk more about why it
299 00:10:42,930 --> 00:10:44,669 can be a nightmare.
300 00:10:44,670 --> 00:10:46,919 Security analysts or researchers, they
301 00:10:46,920 --> 00:10:48,749 usually have other stuff they care about,
302 00:10:48,750 --> 00:10:50,459 because they don't care about Ethernet
303 00:10:50,460 --> 00:10:52,529 or IPv4 or TCP/UDP,
304 00:10:53,970 --> 00:10:54,989 not that much at least.
305 00:10:54,990 --> 00:10:57,179 I mean, if you see like an
306 00:10:57,180 --> 00:10:59,249 ARP based attack,
307 00:10:59,250 --> 00:11:01,109 yeah, well, OK, then sanitize the MAC
308 00:11:01,110 --> 00:11:02,969 addresses and you can still see the attack
309 00:11:02,970 --> 00:11:04,769 going, but from different MAC addresses. It
310 00:11:04,770 --> 00:11:05,770 doesn't matter.
311 00:11:07,020 --> 00:11:09,299 You can also see here, I intentionally
312 00:11:09,300 --> 00:11:11,369 wrote IPv4, because
313 00:11:11,370 --> 00:11:13,859 nobody cares about IPv4 anymore
314 00:11:13,860 --> 00:11:16,139 because it's quite stable by now.
315 00:11:17,340 --> 00:11:19,649 That doesn't really work for IPv6,
316 00:11:19,650 --> 00:11:21,779 because IPv6 is still in a stage
317 00:11:21,780 --> 00:11:24,749 where it does crazy things sometimes.
318 00:11:24,750 --> 00:11:27,419 And it may be interesting to see attacks
319 00:11:27,420 --> 00:11:29,669 that are based on IPv6, like
320 00:11:29,670 --> 00:11:32,159 extension header chains that you build.
321 00:11:32,160 --> 00:11:34,289 I don't know how many of you are
322 00:11:34,290 --> 00:11:35,700 using IPv6 already.
323 00:11:37,020 --> 00:11:38,539 Uh, quite a few.
324 00:11:38,540 --> 00:11:40,729 OK, not that many, say 10
325 00:11:40,730 --> 00:11:42,839 percent maybe. There
326 00:11:42,840 --> 00:11:44,929 are a lot of things
327 00:11:44,930 --> 00:11:47,689 in IPv6 that are still problematic.
328 00:11:47,690 --> 00:11:50,339 So sometimes you need to see those.
329 00:11:50,340 --> 00:11:52,849 And of course, as malware analysts
330 00:11:52,850 --> 00:11:55,129 or security analysts, you often need
331 00:11:55,130 --> 00:11:56,449 stuff like the application data,
332 00:11:56,450 --> 00:11:58,639 URLs, binary payloads, so
333 00:11:58,640 --> 00:12:00,229 you can't just remove them.
334 00:12:00,230 --> 00:12:01,790 So sometimes the
335 00:12:03,510 --> 00:12:05,639 kind of sanitization that you do
336 00:12:05,640 --> 00:12:07,949 is different if you're looking at it
337 00:12:07,950 --> 00:12:09,719 from a network analyst point of view
338 00:12:09,720 --> 00:12:11,879 or from a security researcher point
339 00:12:11,880 --> 00:12:12,880 of view.
340 00:12:14,810 --> 00:12:17,089 OK, the challenge, as I already said, is
341 00:12:17,090 --> 00:12:18,769 don't remove too much to make it
342 00:12:18,770 --> 00:12:21,349 unusable, but remove
343 00:12:21,350 --> 00:12:23,419 as much as you need to not give away
344 00:12:23,420 --> 00:12:24,589 anything that you want to keep
345 00:12:24,590 --> 00:12:25,429 secret.
346 00:12:25,430 --> 00:12:27,529 So you need to find the right
347 00:12:27,530 --> 00:12:30,379 amount of, well, replacement
348 00:12:30,380 --> 00:12:32,839 or removal, whatever.
349 00:12:34,520 --> 00:12:36,829 The second problem that we have is,
350 00:12:36,830 --> 00:12:38,359 if there's only one packet that you need
351 00:12:38,360 --> 00:12:39,649 to change, that's quite simple.
352 00:12:39,650 --> 00:12:41,299 You can still do it in the hex editor if
353 00:12:41,300 --> 00:12:43,669 you have to, because, yeah,
354 00:12:43,670 --> 00:12:45,499 it's a lot of work, but it's just one
355 00:12:45,500 --> 00:12:46,500 packet.
356 00:12:47,150 --> 00:12:49,759 I put out a challenge like
357 00:12:49,760 --> 00:12:52,069 half a year ago or a couple of months ago
358 00:12:52,070 --> 00:12:54,199 at the Wireshark conference.
359 00:12:54,200 --> 00:12:56,269 The packets were in the range
360 00:12:56,270 --> 00:12:58,939 of, I don't know, a couple of million, and
361 00:12:58,940 --> 00:13:00,679 it was like a two gigabyte file.
362 00:13:01,940 --> 00:13:04,099 Editing those, because they were taken at a
363 00:13:04,100 --> 00:13:05,749 customer site. It was a real world
364 00:13:05,750 --> 00:13:07,999 problem that I wanted to show as
365 00:13:08,000 --> 00:13:09,349 an exercise.
366 00:13:09,350 --> 00:13:11,449 So I had to sanitize
367 00:13:11,450 --> 00:13:13,909 600,000 or more packets.
368 00:13:13,910 --> 00:13:15,619 And doing that with the hex editor,
369 00:13:15,620 --> 00:13:17,689 well, I would be editing to the end
370 00:13:17,690 --> 00:13:19,999 of my days, probably, trying
371 00:13:20,000 --> 00:13:21,349 to replace everything that I needed.
372 00:13:21,350 --> 00:13:23,329 So for that, you need something else. You
373 00:13:23,330 --> 00:13:25,699 can't just do it with a hex editor or
374 00:13:25,700 --> 00:13:27,349 something that works well for just one
375 00:13:27,350 --> 00:13:28,369 packet.
376 00:13:28,370 --> 00:13:29,929 And I will show you a couple of editors
377 00:13:29,930 --> 00:13:32,599 that you can use for one packet,
378 00:13:32,600 --> 00:13:33,800 but not so much for many.
379 00:13:35,960 --> 00:13:37,969 The protocol complexity is another
380 00:13:37,970 --> 00:13:38,970 challenge.
381 00:13:39,590 --> 00:13:41,959 Most of you have not yet
382 00:13:41,960 --> 00:13:43,789 worked or played with IPv6 that
383 00:13:43,790 --> 00:13:45,949 much, but IPv6 has a lot
384 00:13:45,950 --> 00:13:48,079 of dependencies that can really
385 00:13:48,080 --> 00:13:50,599 make things very difficult.
386 00:13:50,600 --> 00:13:52,849 I'm going to show you an example of how
387 00:13:52,850 --> 00:13:54,319 difficult it can get.
388 00:13:54,320 --> 00:13:56,599 And you maybe see, even
389 00:13:56,600 --> 00:13:58,129 if you don't know much about IPv6,
390 00:13:58,130 --> 00:13:59,509 that there are a lot of things that you
391 00:13:59,510 --> 00:14:01,939 need to look at to be able to replace
392 00:14:01,940 --> 00:14:04,519 stuff so that it doesn't fall apart after
393 00:14:04,520 --> 00:14:05,809 sanitization, basically.
394 00:14:07,920 --> 00:14:10,229 You have protocol dependencies,
395 00:14:10,230 --> 00:14:12,509 again, IPv6 or sometimes
396 00:14:12,510 --> 00:14:14,279 ARP and stuff like this depend on each
397 00:14:14,280 --> 00:14:15,809 other. So if you replace something in
398 00:14:15,810 --> 00:14:17,969 one protocol, you need to keep
399 00:14:17,970 --> 00:14:20,219 that replacement consistent in
400 00:14:20,220 --> 00:14:21,929 the next protocol.
401 00:14:21,930 --> 00:14:24,359 Again, something I will show in
402 00:14:24,360 --> 00:14:26,249 IPv6.
403 00:14:26,250 --> 00:14:28,619 And then there's something that a German
404 00:14:28,620 --> 00:14:31,259 university coined as a term. I think
405 00:14:31,260 --> 00:14:33,569 it's called defensive transformation.
406 00:14:33,570 --> 00:14:34,949 Who's ever heard that, defensive
407 00:14:34,950 --> 00:14:35,950 transformation?
408 00:14:36,870 --> 00:14:39,089 It basically means if you're looking at
409 00:14:39,090 --> 00:14:41,009 a network packet and you find some kind
410 00:14:41,010 --> 00:14:42,719 of information that you don't know what
411 00:14:42,720 --> 00:14:45,539 it is for, drop it,
412 00:14:45,540 --> 00:14:46,919 because you cannot keep it.
413 00:14:46,920 --> 00:14:49,169 If you keep it, it may expose something
414 00:14:49,170 --> 00:14:50,309 sensitive.
415 00:14:50,310 --> 00:14:52,829 So defensive transformation means
416 00:14:52,830 --> 00:14:55,199 when I look at the network packet,
417 00:14:55,200 --> 00:14:56,999 I try to understand everything in the
418 00:14:57,000 --> 00:14:59,129 packet, and everything that I
419 00:14:59,130 --> 00:15:00,149 don't understand,
420 00:15:00,150 --> 00:15:02,429 I will not write into
421 00:15:02,430 --> 00:15:04,709 the sanitized packet, so I will lose
422 00:15:04,710 --> 00:15:06,659 information. But it's better to lose
423 00:15:06,660 --> 00:15:08,969 information than to expose
424 00:15:08,970 --> 00:15:11,519 stuff that you don't want to be exposed,
425 00:15:11,520 --> 00:15:13,769 because very often in the end
426 00:15:13,770 --> 00:15:15,689 you will find out, oh, I still exposed the
427 00:15:15,690 --> 00:15:17,149 IP address because it was still in the
428 00:15:17,150 --> 00:15:19,079 hex dump or something like this.
429 00:15:19,080 --> 00:15:21,359 So defensive transformation is a
430 00:15:21,360 --> 00:15:22,769 principle that you should,
431 00:15:23,850 --> 00:15:26,429 well, keep in place to
432 00:15:26,430 --> 00:15:28,799 avoid mistakes exposing stuff.
433 00:15:28,800 --> 00:15:29,800 Thank you.
434 00:15:31,460 --> 00:15:33,529 OK, hex editors, I showed you that
435 00:15:33,530 --> 00:15:35,839 already.
So, I mean, replacing
436 00:15:35,840 --> 00:15:38,719 packet content in the hex editor is,
437 00:15:38,720 --> 00:15:39,949 well, it's quite a challenge,
438 00:15:41,450 --> 00:15:42,769 even if you are able to.
439 00:15:43,970 --> 00:15:45,439 Well, I have Bill Murray here because
440 00:15:45,440 --> 00:15:47,539 it's sort of like a Groundhog Day
441 00:15:47,540 --> 00:15:49,039 task if you do that on a lot of
442 00:15:49,040 --> 00:15:50,040 packets.
443 00:15:51,910 --> 00:15:54,279 It looks like this. You go on some
444 00:15:54,280 --> 00:15:56,379 packets, like maybe
445 00:15:56,380 --> 00:15:57,380 this one.
446 00:16:02,190 --> 00:16:04,349 I use 010 Editor
447 00:16:04,350 --> 00:16:06,809 for this, so,
448 00:16:06,810 --> 00:16:08,459 well, you can go in here and start
449 00:16:08,460 --> 00:16:10,559 replacing stuff, but
450 00:16:10,560 --> 00:16:12,869 you need to calculate IP addresses
451 00:16:12,870 --> 00:16:14,759 into hex values all the time.
452 00:16:14,760 --> 00:16:16,949 That doesn't make any kind of sense.
453 00:16:16,950 --> 00:16:19,199 Not, not for many IP addresses.
454 00:16:19,200 --> 00:16:21,269 You can use search and replace, of
455 00:16:21,270 --> 00:16:23,429 course, but very often you
456 00:16:23,430 --> 00:16:24,479 will miss stuff.
457 00:16:24,480 --> 00:16:25,889 And I want to show you something where
458 00:16:25,890 --> 00:16:27,269 you can easily miss stuff.
459 00:16:27,270 --> 00:16:29,459 And that is in, for example, the
460 00:16:29,460 --> 00:16:31,500 HTTP packet that I have here.
461 00:16:32,880 --> 00:16:35,639 If you're replacing
462 00:16:35,640 --> 00:16:38,070 bytes, for example, in this GET request.
463 00:16:41,610 --> 00:16:44,409 You will see here IP addresses. Up here
464 00:16:44,410 --> 00:16:47,309 they are 32 bit numbers,
465 00:16:47,310 --> 00:16:48,310 but
466 00:16:49,030 --> 00:16:51,189 the IP address in the X-Forwarded-For here,
467 00:16:51,190 --> 00:16:53,529 that is ASCII text, so
468 00:16:53,530 --> 00:16:55,269 that is something completely different.
469 00:16:55,270 --> 00:16:57,219 But it's the same IP address, but one is
470 00:16:57,220 --> 00:16:59,199 32 bits, the other one is much longer.
471 00:16:59,200 --> 00:17:01,269 Obviously, we can also
472 00:17:01,270 --> 00:17:03,369 see that in the decode. Down
473 00:17:03,370 --> 00:17:05,348 here, the IP addresses are somewhere in
474 00:17:05,349 --> 00:17:07,509 here, and down here you will
475 00:17:07,510 --> 00:17:09,789 see the IP address
476 00:17:09,790 --> 00:17:10,790 as text.
477 00:17:11,440 --> 00:17:13,509 So you need to replace
478 00:17:13,510 --> 00:17:15,578 text and 32 bit numbers, and they
479 00:17:15,579 --> 00:17:17,469 need to be the same IP address.
480 00:17:17,470 --> 00:17:19,118 So you have to transform them all the
481 00:17:19,119 --> 00:17:21,309 time. This is really no fun at all,
482 00:17:21,310 --> 00:17:23,588 because it will also change
483 00:17:23,589 --> 00:17:24,249 the packet length.
484 00:17:24,250 --> 00:17:25,539 If you do something like this and if you
485 00:17:25,540 --> 00:17:27,669 change packet length, something really
486 00:17:27,670 --> 00:17:28,899 funny will happen.
487 00:17:28,900 --> 00:17:30,429 And I can show you that because I already
488 00:17:30,430 --> 00:17:32,779 did. You look at this trace there,
489 00:17:32,780 --> 00:17:34,809 it looks fine. You have a SYN at the
490 00:17:34,810 --> 00:17:37,059 beginning, FIN/ACK at the end.
491 00:17:37,060 --> 00:17:39,129 No retransmissions, no packet loss, no,
492 00:17:39,130 --> 00:17:41,079 no warnings from Wireshark, nothing.
493 00:17:42,130 --> 00:17:43,450 And I did a replacement
494 00:17:44,560 --> 00:17:47,799 of the IP address in the X-Forwarded-For.
495 00:17:47,800 --> 00:17:50,179 And now the trace looks like this.
00:17:50,180
You have a lot of red lines there that are really small. I will make them bigger for you. It tells me "previous segment not captured" and "unknown segment", so this is something where a network analyst will get kind of: something is wrong here. I have lost packets. There's something missing here. No, there isn't. The only problem... And you can see that up to this packet, everything is fine. The problem is that I replaced the IP address in here, which was 192.168.something, longer than this, actually seven characters longer, with something that's shorter. And that means that every sequence number in TCP following this packet will be seven bytes too long. So Wireshark will all be like: there's a missing seven bytes here. There are seven bytes missing. There must be packet loss. And it goes through all the packets, because every sequence number after the packet that is shorter, or even longer, will be off by the same amount of bytes that we replaced.
00:18:49,340
So you need to then go into every packet and adjust every sequence number, but only after you did the replacement, not before. So you need to keep some kind of lookup data, like: in which conversation did I replace, at what sequence number, how many bytes, and how much do I need to adjust this? And you can do multiple replacements in one conversation. So you have multiple points of: now I need to add seven, now I need to remove 14, no, I need to add twenty-five. It's really a nightmare. So this is why TCP very often can be hard to sanitize correctly if you're going into replacing stuff in the payload. This only happens if you're in the TCP payload. It doesn't happen if you change anything... and that is if you had a... All right, so this is how you do the manual replacement. There's also something in Wireshark that I don't think many people have seen. Who has used Wireshark before? Most of you. OK, good. You can do this. You can go into Wireshark.
00:19:55,400
And this one is, I hope, the correct version, this is 2.1. Well, it's quite new. I use the legacy version. Legacy means it's GTK based. That's the old one. And in here, you can go into Edit, Preferences. And down here, there's a checkbox for "enable editor", and with that, you can now go to any packet and say "Edit packet". And now I can go in here and, for example, change Time To Live and say, well, now it's 63. OK, and instantly, of course, the checksum is wrong, because I changed something, right? So if you're doing a replacement in a packet, you always need to fix the checksum. Really? Always? Well, sometimes you have packets where the checksum is already bad in the original. So what do we do, do we fix it in the fixed version? Mm, hopefully not, because you kind of remove the symptom that the checksum was wrong from the packet.
00:21:14,980
So we need to keep it bad if it was bad, but keep it correct or recalculate it if it was correct. So something else that you need to keep in mind, like, oh, what's the checksum? OK. Well, replace it, stuff like this. Well, this is something you can do with Wireshark, but only in the GTK version, not the new Qt version. OK, then the other thing we have is WireEdit. WireEdit is a relatively new tool. You can use it, as my desktop... Oh, it can only work with pcap and it doesn't know pcapng, so I need to save this as pcap first. I should have kept an example in pcap for it, but I didn't. Just a second for the conversion. So, now there it is, and now you can go in here and say, well, I want to... edit the packet. Well, it's kind of confusing, because I think you need to edit something here, but down here there's everything in that packet, and now you can say, well, I want to change the host.
00:22:22,600
And I want to write in here... to packet-foo.com, let's say, I want to change it to... blog.com. OK. And the good thing about WireEdit is it will automatically fix the checksum, so you don't have to worry about it. You can also add stuff, remove stuff, and you will run into the same problem with the sequence number. OK, so that is WireEdit. And again, if you do the manual stuff, you need to have Bill Murray on your side and stay in the time loop, because it will take a lot of time to do this. OK, if you do batch editing, which means you're looking at replacing stuff in an automated way in a lot of packets, in many packets, there's a couple of things that you need to keep in mind, like if you replace an IP address with another IP address, you need to keep replacing the same original with the same replacement. You cannot just replace it with anything you want. It needs to be consistent.
00:23:29,880
And there's a couple of problems with that, because if you have a lot of IP addresses, you need sort of a database to store stuff, or you do a hash kind of thing, so that you hash the original and use the hash as an output for the new IP address. But very often that gives you funny IP addresses, so you can end up with 127.0.0.1 as the replacement when the original was 10.something, and you're like, really, someone's sending stuff from localhost? I don't think so. And then you look at the original. Oh, no. OK, so these are problems that you can run into. Then there's tcprewrite and the related tools, which are basically command line tools that are used to prepare packets for reinjection into the network. So they're basically designed to help you modify packets for replay stuff. So they're not sanitizing tools by trade. But you can use them, of course, also for kind of sanitization.
00:24:25,260
Then there's PktAnon, and these are the guys with the "defensive transformation". It's a newer project, basically PktAnon is a Linux tool that is using XML files to do automatic conversions on packets. It's also quite nice because you can pipe stuff from tcpdump directly into PktAnon. And that way you never write the original to disk, but only the sanitized stuff, which is kind of nice. And you can define how strong the replacement should be, if you want to replace the MAC addresses, the IP addresses and everything else. Then there's PCAPLib, which from my point of view is not such a good name, because I don't know if you know this: libpcap is the library that reads and writes pcap files, and these guys are from China. They probably didn't realize. They wrote a paper on it, anonymization, and used that kind of name. So if you want to take a look at it, they basically use the Wireshark sources to read and write packets in an automated kind of way.
00:25:27,570
So they have a nice project that hasn't continued since 2012, I think. Most pcap sanitization things that you can find on the network are research papers. And as soon as people have turned in their research papers, the development stops, of course. So, well, it's out there, it's open source. Go and use it and modify it. But it doesn't seem that many people do. OK. And then there's the last one, which is called TraceWrangler, and that is my tool. So I'm going to show it to you. It's a bit different because it doesn't run on Linux, except if you use Wine, because it's written in Delphi, which is... Yeah, I know. Not a great language. Only Russians use it, I'm told. So TraceWrangler is for automated replacement of stuff. And I'm going to show you a little demo. What you can do here is that, up here... So you add a pcap file, or let's say...
00:26:36,860
It's just one, and then you add a... randomization task. And then you can tell it, well, what do you want replaced, and one of the most important ones is this one, telling it to remove everything that you don't recognize. So if it doesn't know how a protocol works, please remove it completely. That way everything usually after TCP will be dropped, because I cannot parse that many protocols yet that are above UDP or TCP, but I'm working on it. So I'm not a research paper guy, and I'm continuing my work, so it will improve. You can also tell it to truncate after a certain layer or after a certain offset, or replace some strings in here. But the more important things usually are replacing IP addresses, so it can be replaced by a list telling it, like, well, 192.168.0.x, I want to replace it by 10.0.0.1. And it will do that for every IP that it finds, no matter where it is, if it's in an ARP packet or in an IP packet or in a payload, it doesn't matter.
00:27:40,330
If it finds it, it will replace it. Or you can go in and say, well, replace subnets, replace everything that is in 192.168.0.0/24 by 10.0.0.0/24, which is good because then all IP addresses from the original net will end up in a new net and not in completely different networks, because very often if you randomize stuff, everything will end up in different crazy networks. And you're like, why are these two IP addresses talking to each other? One of them is in the USA, the other one is in Germany. What are they doing with one hop between them or something? So that doesn't make any sense. It will do a lot of this also automatically: if you randomize IP addresses, it will keep multicast addresses multicast, because that's another problem. If you have a multicast address and you're randomizing it, it could end up like a loopback address or a zero address or a private address, which is not the same anymore. It's completely different. Then APIPA.
00:28:43,660
I don't know if many have heard the term; that is the Automatic Private IP Addressing thingy. If you do DHCP but you don't get one: 169.254.something, everybody has seen it. And of course, if you have something like this in a trace, it's quite interesting, because that means the DHCP didn't work. So for analysis, you don't want to replace them. And on the other hand, they're like randomly generated anyway, so they don't pose any kind of threat if you expose them. It doesn't make any sense to replace them normally, but if you want to, you can tell it to. And then documentation IP addresses are special IP addresses that are specifically for documentation. So replacing those doesn't make any sense again. Yeah, that's one for IPv4 too, not only IPv6, but few people know this.
00:29:33,520
OK, and then there's something here that is called the private range, which means I told TraceWrangler that if you find an IP address that is 192.something or 10.something or 172.something, it's already private. Please keep it private, because I want to see in the end that it was private, and don't change it into a public IP by mistake, because then again I have something that it wasn't before. You can also go in and say, well, randomize it over the full address range, or do not randomize it at all and keep all the private IP addresses private, because it doesn't matter. OK, similar things you can do for IPv6. For ICMP, you can decide which kind of packets you want to remove if you choose to. Then there's ICMPv6, and that is quite interesting. And I'll show you a trace why IPv6 is such a big problem. Fifteen.
00:30:39,280
OK, this is the last one, I think. If you take a look at this packet, which is IPv6, so if you haven't seen IPv6 before, I know you do. This packet is kind of problematic, because if you know a bit about the destination IP address here, ff02::1... and so on, it's a very special multicast address that is created for neighbor solicitation, kind of "I want to know where my neighbors are", which used to be ARP before. ARP doesn't exist anymore in IPv6, for those of you who don't know. So you use ICMPv6 for this. This IP address is based on that IP address. You can tell by looking at the last couple of bytes here, you see they are the same. So this one and that one, if you replace any of them, you need to keep the two of them consistent. But they are different classes, so that is a problem.
00:31:36,590
OK, and the other thing, which is even worse, and by putting that filter in here, every IPv6 administrator will tell you this: this IP address was created from the MAC address. So look at the MAC address up there and you will see it again, that this is 026F5... somewhere up there on the wall. You know, from there, at the destination, it's kind of replaced here. It's like this. So you need to look at the IP address, the multicast address and the MAC address. And if you replace any of them, replace all of them. So you need to change the MAC address, then the IP address and the other IP address. And that is something that I can do. But nobody else so far, that I've seen, which is... it was something where I thought this is easy. And then it was a weekend of coding. So it took a lot more time than I thought. OK, and TraceWrangler can even do work on crazy stuff like this.
00:32:42,410
I don't know if you've ever seen a packet like this. Here is an Ethernet, and an IP, UDP, GTP, which is a tunneling protocol, IP again, TCP. And if you want to sanitize this, good luck, because it's a lot of stuff. But I can read all of them right now and do the sanitized version for you. And it should work. If it doesn't, send me an email, I fix it. OK, so TraceWrangler can be downloaded, and that's the last slide before going to questions, if there are any. It's downloadable here, if you want to. I didn't open source it yet, but I will. I'm still looking at the licenses. I'm getting crazy. I already asked you about it, like which one I'm going to use. Well, I'm going to use probably GPL or something. Then you can look at the TraceWrangler code also. Well, that's all of it. Done talking. Thanks, and questions. Right. Anyone with questions?
00:34:03,820
There are four microphones in the room. You can go to the microphones now. If not, send me an email later, that works too, Twitter or whatever. Yeah, yeah. There we go. Right here. "You talked about the problem with HTTP, anonymizing HTTP." "Could you get a little closer to the microphone?" "Sure. The problem with anonymizing HTTP, the IP wasn't there, for IPv4 or IPv6. That's not something you can address with TraceWrangler?" "Not right now. No, I'm working on it. I wrote a, well, basically what it does is it reads the packet from Ethernet up to the highest level it can parse. Right now that stops at TCP, but I'm working on it. The HTTP parser is there already. And then it replaces everything that it finds and reconstructs the packets from top to bottom. So basically it pulls it apart, replaces everything, puts it back together. That's the only way that you can do this."
00:35:06,030
And I've started working on the parser and tried to get it done for CCC, but I didn't, because I didn't have enough time. It will be the next thing that I do, and then you can do it. Interesting. It's a lot of work, because there is the reassembly coming into play. Most of you know probably what reassembly means. That means that you have to recombine all the payloads first, because an HTTP request can span across multiple packets. There are sometimes very long URLs that go from one packet over four or five more, and you need to reconstruct it first and then replace stuff. And things can get longer or shorter, then you need to cut it into pieces again, but they need to be the same size, or they should be. So you need to remember where the cuts were.
1000 00:35:57,510 --> 00:35:59,129 And what happens if you have packet loss 1001 00:35:59,130 --> 00:36:00,869 and something's missing in the middle, and 1002 00:36:00,870 --> 00:36:02,399 then it's like, oh, there must be a 1003 00:36:02,400 --> 00:36:03,869 retransmission somewhere, but where is 1004 00:36:03,870 --> 00:36:06,059 it? I have to look here, get 1005 00:36:06,060 --> 00:36:08,189 it here, put it in there, reconstruct 1006 00:36:08,190 --> 00:36:10,199 it, put it back there when I write the 1007 00:36:10,200 --> 00:36:12,449 file again. So I cannot even read 1008 00:36:12,450 --> 00:36:13,769 and write stuff sequentially. 1009 00:36:13,770 --> 00:36:15,929 I need to read it, try to 1010 00:36:15,930 --> 00:36:17,669 put it together, and then remember where 1011 00:36:17,670 --> 00:36:19,769 everything was before I read it, and write 1012 00:36:19,770 --> 00:36:21,449 it out in the same order that I read 1013 00:36:21,450 --> 00:36:24,119 it. So that's why it's a nightmare 1014 00:36:24,120 --> 00:36:25,769 to work on TCP stuff. 1015 00:36:25,770 --> 00:36:27,869 It's really not easy, because otherwise I 1016 00:36:27,870 --> 00:36:28,799 would have done it already. 1017 00:36:28,800 --> 00:36:30,239 I'm working on this tool for three years 1018 00:36:30,240 --> 00:36:32,279 now and I haven't got there yet, but I 1019 00:36:32,280 --> 00:36:34,739 will in some, well, far 1020 00:36:34,740 --> 00:36:36,899 future maybe, but 1021 00:36:36,900 --> 00:36:38,609 I will do this for one-packet stuff 1022 00:36:38,610 --> 00:36:40,979 already. So most HTTP requests 1023 00:36:40,980 --> 00:36:42,929 are in a single packet unless they're 1024 00:36:42,930 --> 00:36:44,789 very long, and that will be something that 1025 00:36:44,790 --> 00:36:46,859 I will do in the next couple of weeks, 1026 00:36:46,860 --> 00:36:47,860 probably. 1027 00:36:49,830 --> 00:36:51,419 Do we have any questions from the 1028 00:36:51,420 --> 00:36:52,420 Internet?
1029 00:36:55,830 --> 00:36:58,079 Yes, there was one question: do you 1030 00:36:58,080 --> 00:37:00,149 also anonymize domain 1031 00:37:00,150 --> 00:37:02,219 names right 1032 00:37:02,220 --> 00:37:03,149 now? 1033 00:37:03,150 --> 00:37:04,139 No, I don't. 1034 00:37:04,140 --> 00:37:05,909 But I'm really close to this, because I 1035 00:37:05,910 --> 00:37:08,579 can already read DNS. 1036 00:37:08,580 --> 00:37:10,769 But DNS is another big problem. 1037 00:37:10,770 --> 00:37:11,909 I have one slide on this. 1038 00:37:13,380 --> 00:37:15,659 If you're replacing domain names and 1039 00:37:15,660 --> 00:37:17,489 you have something like test.packet.com, 1040 00:37:17,490 --> 00:37:19,109 and you replace it with 1041 00:37:19,110 --> 00:37:21,089 something.secret.com, that means that you 1042 00:37:21,090 --> 00:37:23,369 replaced packet with secret, com 1043 00:37:23,370 --> 00:37:25,739 with com, and test with something. 1044 00:37:25,740 --> 00:37:28,049 And if you then have abc.packet.foo, 1045 00:37:28,050 --> 00:37:29,759 you need to remember that 1046 00:37:29,760 --> 00:37:32,309 you replaced packet with secret, 1047 00:37:32,310 --> 00:37:34,259 but this part here is replaced with 1048 00:37:34,260 --> 00:37:36,029 something else. So again, you need to 1049 00:37:36,030 --> 00:37:37,829 remember part of the name, and you need to 1050 00:37:37,830 --> 00:37:39,689 pull it apart, put it back together. 1051 00:37:39,690 --> 00:37:41,669 It takes a long time to get that right 1052 00:37:41,670 --> 00:37:43,829 and I haven't gotten there yet, but 1053 00:37:43,830 --> 00:37:45,149 it's one of the next things that I have 1054 00:37:45,150 --> 00:37:47,519 to do, because for the HTTP thing to work, 1055 00:37:47,520 --> 00:37:49,649 I need to be able to sanitize 1056 00:37:49,650 --> 00:37:52,199 the hostname in the request.
1057 00:37:52,200 --> 00:37:53,909 So that means first I need to be able to 1058 00:37:53,910 --> 00:37:56,259 sanitize domain names. 1059 00:37:56,260 --> 00:37:57,929 That is the first step that I have to do, 1060 00:37:57,930 --> 00:37:59,999 and then I can do the rest. 1061 00:38:00,000 --> 00:38:01,799 So yeah, I will do that. 1062 00:38:01,800 --> 00:38:03,419 I'm not there yet. 1063 00:38:03,420 --> 00:38:05,219 Too much work, alas. 1064 00:38:05,220 --> 00:38:06,299 Thanks. 1065 00:38:06,300 --> 00:38:07,300 Thank you. 1066 00:38:07,940 --> 00:38:10,349 On the left side right here: 1067 00:38:10,350 --> 00:38:12,889 is there a command line interface? 1068 00:38:12,890 --> 00:38:14,959 Uh, not right now. 1069 00:38:14,960 --> 00:38:17,329 The problem with that is that 1070 00:38:17,330 --> 00:38:18,499 if you look at the replacement 1071 00:38:18,500 --> 00:38:20,569 parameters in the tool, you 1072 00:38:20,570 --> 00:38:22,729 see it's a big 1073 00:38:22,730 --> 00:38:23,730 dialog here. 1074 00:38:26,600 --> 00:38:28,699 To add all these options 1075 00:38:28,700 --> 00:38:30,979 as a command line version would make 1076 00:38:30,980 --> 00:38:32,809 it very long, or it needs some sort of a 1077 00:38:32,810 --> 00:38:35,119 parameter file that you give 1078 00:38:35,120 --> 00:38:36,259 to the program. 1079 00:38:36,260 --> 00:38:38,869 I put a lot of code into the GUI 1080 00:38:38,870 --> 00:38:40,999 to be able to make 1081 00:38:41,000 --> 00:38:42,589 sure that the user doesn't do anything 1082 00:38:42,590 --> 00:38:44,510 crazy that will mess with my program. 1083 00:38:45,590 --> 00:38:47,899 And that's why I don't have a command 1084 00:38:47,900 --> 00:38:49,279 line version yet, because then I need to 1085 00:38:49,280 --> 00:38:50,689 sanitize the input first. 1086 00:38:50,690 --> 00:38:52,099 And that is a nightmare in its own right, as 1087 00:38:52,100 --> 00:38:53,599 everybody knows. Right.
1088 00:38:53,600 --> 00:38:55,849 So sanitizing inputs is not 1089 00:38:55,850 --> 00:38:57,979 so much fun, even less fun than writing 1090 00:38:57,980 --> 00:38:59,469 a GUI, which is no fun at all. 1091 00:39:02,220 --> 00:39:03,570 OK, next question. 1092 00:39:05,130 --> 00:39:07,229 With Wireshark you usually try to 1093 00:39:07,230 --> 00:39:10,049 find a problem, just, just 1094 00:39:10,050 --> 00:39:12,089 whatever is not working, or whatever, 1095 00:39:13,770 --> 00:39:15,839 and Wireshark, like, they did a lot of 1096 00:39:15,840 --> 00:39:18,269 work to actually 1097 00:39:18,270 --> 00:39:20,459 get it bulletproof, to 1098 00:39:20,460 --> 00:39:22,019 actually do the IP addressing and 1099 00:39:22,020 --> 00:39:24,299 whatever, correctly dissect 1100 00:39:24,300 --> 00:39:25,300 it. 1101 00:39:25,530 --> 00:39:27,299 How often does that happen to you that 1102 00:39:27,300 --> 00:39:28,469 you actually, 1103 00:39:28,470 --> 00:39:29,470 well, 1104 00:39:30,620 --> 00:39:32,749 may introduce new problems 1105 00:39:32,750 --> 00:39:34,999 into the capture, 1106 00:39:35,000 --> 00:39:37,129 and how easy or how hard 1107 00:39:37,130 --> 00:39:39,199 is it to actually detect 1108 00:39:39,200 --> 00:39:39,909 this? 1109 00:39:39,910 --> 00:39:42,169 OK, so if I get you right, 1110 00:39:42,170 --> 00:39:44,399 you mean when I read a pcap and write it 1111 00:39:44,400 --> 00:39:46,519 again and do something wrong when writing 1112 00:39:46,520 --> 00:39:48,769 it, how often do I put problems 1113 00:39:48,770 --> 00:39:49,699 in there? 1114 00:39:49,700 --> 00:39:51,169 I mean, you're actually trying to 1115 00:39:51,170 --> 00:39:53,449 troubleshoot something and you 1116 00:39:53,450 --> 00:39:55,819 try to sanitize the pcap and 1117 00:39:55,820 --> 00:39:57,019 then you send it to someone? 1118 00:39:57,020 --> 00:39:59,269 Mm hmm. And then he tries to analyze 1119 00:39:59,270 --> 00:40:00,109 it.
1120 00:40:00,110 --> 00:40:01,249 And then you find something that I 1121 00:40:01,250 --> 00:40:02,659 introduced by sanitizing it. 1122 00:40:02,660 --> 00:40:04,759 Exactly. OK, yes, that 1123 00:40:04,760 --> 00:40:05,760 is a problem. 1124 00:40:06,500 --> 00:40:08,089 And that's something that I live in 1125 00:40:08,090 --> 00:40:10,369 constant fear about, because if I 1126 00:40:10,370 --> 00:40:12,289 insert problems into a capture file that 1127 00:40:12,290 --> 00:40:14,179 haven't been there before, I may lose 1128 00:40:14,180 --> 00:40:16,639 reputation quite fast, because basically 1129 00:40:16,640 --> 00:40:19,249 I'm more of a problem than helping you. 1130 00:40:19,250 --> 00:40:21,529 So I try to make sure that this doesn't 1131 00:40:21,530 --> 00:40:23,209 happen. And one of the first things I 1132 00:40:23,210 --> 00:40:25,249 usually do when I'm able to read and 1133 00:40:25,250 --> 00:40:27,769 write packet files is, I don't sanitize 1134 00:40:27,770 --> 00:40:29,209 them at all. I just read them, 1135 00:40:29,210 --> 00:40:31,279 deconstruct them, and write them back 1136 00:40:31,280 --> 00:40:32,539 out again, and see if that works. 1137 00:40:32,540 --> 00:40:35,089 And I figure if I get an identical copy, 1138 00:40:35,090 --> 00:40:37,589 I'm relatively sure that I'm 1139 00:40:37,590 --> 00:40:38,590 OK. 1140 00:40:40,220 --> 00:40:41,959 And then I need to do the replacement, and 1141 00:40:41,960 --> 00:40:43,909 then there's a lot of checking if this is 1142 00:40:43,910 --> 00:40:46,249 correct. The good thing is I'm doing 1143 00:40:46,250 --> 00:40:48,679 this for over ten years now.
1144 00:40:48,680 --> 00:40:51,139 So I'm one of the most feared guys 1145 00:40:51,140 --> 00:40:52,819 when it comes to Wireshark, because I 1146 00:40:52,820 --> 00:40:55,099 very often am in contact with the 1147 00:40:55,100 --> 00:40:57,169 developers and giving them hell about how 1148 00:40:57,170 --> 00:40:58,669 Wireshark does this and is doing things 1149 00:40:58,670 --> 00:40:59,670 wrong. 1150 00:41:00,140 --> 00:41:02,359 I can spot stuff going wrong by looking 1151 00:41:02,360 --> 00:41:04,459 at pcaps, and the first thing I 1152 00:41:04,460 --> 00:41:06,589 always ask myself is: why am I 1153 00:41:06,590 --> 00:41:08,449 wrong, or am I wrong? 1154 00:41:08,450 --> 00:41:10,820 And very often it's 50/50. 1155 00:41:21,240 --> 00:41:22,799 I'm going to ask the Internet: is there 1156 00:41:22,800 --> 00:41:23,969 another question coming from the 1157 00:41:23,970 --> 00:41:26,359 Internet? No question from the Internet. 1158 00:41:26,360 --> 00:41:28,499 OK, then we have one right over 1159 00:41:28,500 --> 00:41:30,029 here. Thank you. 1160 00:41:30,030 --> 00:41:32,139 Yeah, it's been, I think, 1161 00:41:32,140 --> 00:41:34,259 ages since I looked at it. 1162 00:41:34,260 --> 00:41:37,199 But, uh, do you know about Argus? 1163 00:41:37,200 --> 00:41:39,259 Yeah. And, um, it runs on, 1164 00:41:39,260 --> 00:41:40,169 um... 1165 00:41:40,170 --> 00:41:41,879 Not really. 1166 00:41:41,880 --> 00:41:42,899 I haven't really used it, 1167 00:41:42,900 --> 00:41:45,149 I have to admit. Um, the thing is 1168 00:41:45,150 --> 00:41:46,150 that 1169 00:41:47,670 --> 00:41:49,799 I think I've 1170 00:41:49,800 --> 00:41:51,989 seen it to be web based, uh, 1171 00:41:51,990 --> 00:41:53,999 from the front end kind of thing. 1172 00:41:54,000 --> 00:41:56,279 Um, I have to try to 1173 00:41:56,280 --> 00:41:57,899 take a look at it, but I haven't used it 1174 00:41:57,900 --> 00:41:58,879 yet.
1175 00:41:58,880 --> 00:42:01,159 OK, it's, I think it's 1176 00:42:01,160 --> 00:42:03,409 mainly command line based, but it uses 1177 00:42:03,410 --> 00:42:05,659 its own capture format and 1178 00:42:05,660 --> 00:42:07,909 OK, does a lot of 1179 00:42:07,910 --> 00:42:09,369 analysis itself. 1180 00:42:09,370 --> 00:42:10,370 Hmm. 1181 00:42:10,670 --> 00:42:12,559 The problem with that would be: can 1182 00:42:12,560 --> 00:42:13,560 you convert it to pcap? 1183 00:42:14,750 --> 00:42:16,399 Yes. OK, then it is OK. 1184 00:42:16,400 --> 00:42:17,779 Because what I don't like is somebody 1185 00:42:17,780 --> 00:42:19,819 writing an arbitrary format that nobody 1186 00:42:19,820 --> 00:42:21,979 else can read, and then you want to 1187 00:42:21,980 --> 00:42:24,079 give it away to somebody who can only 1188 00:42:24,080 --> 00:42:25,039 read pcap. 1189 00:42:25,040 --> 00:42:26,299 So if you can do that, well, I have to 1190 00:42:26,300 --> 00:42:27,300 take a look at it. 1191 00:42:28,130 --> 00:42:30,199 I wanted to write a tool that is 1192 00:42:30,200 --> 00:42:32,269 fully under my control, that I can tell to 1193 00:42:32,270 --> 00:42:34,939 do everything I like and 1194 00:42:34,940 --> 00:42:36,349 not do stuff that I don't like. 1195 00:42:36,350 --> 00:42:38,479 So maybe I'm doing stuff that it already 1196 00:42:38,480 --> 00:42:39,589 can do. 1197 00:42:39,590 --> 00:42:41,029 I have to take a look at it, but thank 1198 00:42:41,030 --> 00:42:42,030 you. 1199 00:42:43,770 --> 00:42:46,800 OK, if there are no more questions. 1200 00:42:48,030 --> 00:42:50,489 Then, as you said, you can 1201 00:42:50,490 --> 00:42:51,479 email him. 1202 00:42:51,480 --> 00:42:53,969 But for now, please help me to 1203 00:42:53,970 --> 00:42:54,999 thank Jasper. 1204 00:42:55,000 --> 00:42:56,759 Thank you for the talk today. 1205 00:42:56,760 --> 00:42:57,760 Thank you.