Académique Documents
Professionnel Documents
Culture Documents
in
a
Satellite
environment
1.2
Christian
Martorella
Leonardo
Nve
cmartorella@s21sec.com
Meteorological
HAM
(Amateur
Radio
Operator)
GPS
Satellite GEO
ssss
ATLAS Agency to TV
feeds
Find feeds:
Dr HANS: http://drhans.jinak.cz/news/index.php
Zackyfiles: http://www.zackyfiles.com (in spanish
Satplaza: http://www.satplaza.com
Blind
Scan
Visual
representations
of
the
signal
Two scenarios
Satmodem
INTERNET
CLIENT
ISP
POTS/GPRS/3G UPLINK
INTERNET
CLIENT
UPLINK
ISP
POTS/GPRS/3G UPLINK
INTERNET
CLIENT
UPLINK
ISP
POTS/GPRS/3G UPLINK
INTERNET
CLIENT
UPLINK
ISP
INTERNET
CLIENT ISP
linuxtv-‐dvb-‐apps
http://www.fastsatfinder.com/transponders.html
Find a PID
Activate it
We
can
have
more
than
one
PID
assigned
to
an
interface,
this
will
be
very
useful.
Reminder:
In
satellite
communications
we
have
two
scenarios:
(¿¿??)
47
Wednesday, November 11, 2009
Wardriving?
no
way...
SatDriving
47
Wednesday, November 11, 2009
Active
Attacks
DNS Spoofing
TCP hijacking
Attacking GRE
It´s
trivial
to
see
that
if
we
sniff
a
DNS
request
we
have
all
that
information
and
we
can
spoof
the
answer.
Phishing attacks
DNS Spoofing
TCP hijacking
Attacking GRE
If
we
sniff
1
we
can
predict
Seq
and
Ack
of
2
and
we
can
send
the
payload
we
want
in
2
A
1
Se
q=
S1
AC
K=A
3 Se
1
D
at
Da q=S ale
ta 1+ n=
len L1 L1
=L
A
3 CK
=A
1
B
+L
2
DNS Spoofing
TCP hijacking
Attacking GRE
Original
paper:
http://www.phenoelit-‐us.org/irpas/gre.html
INTERNET
Remote
Office
Remote
Office Remote
Office
Find a target:
GRE
Packet
IP
dest
1 IP
source
1
GRE header
Payload Data
1.1.1.1
1.1.1.2
INTERNET
(*)
10.0.0.54 10.0.0.5
10.0.0.5 10.0.0.54
Payload Data
1.1.1.2
(1) 1.1.1.1
10.0.0.54 10.0.0.5
10.0.0.5 10.0.0.54
Payload Data
(1)
1.1.1.1
1.1.1.2 (2,3)
10.0.0.54 10.0.0.5
IP header IP header 2
Data Data 2
(4)
1.1.1.2
(1) 1.1.1.1
(2,3)
10.0.0.54 10.0.0.5
(4)
1.1.1.2
(1) 1.1.1.1
(2,3)
10.0.0.54 10.0.0.5
10.0.0.54 10.0.0.5
Payload Data 2
How
To
Scan
NSA
And
Cannot
Be
Traced
Wednesday, November 11, 2009
HTSNACBT
Attack
VERY EASY!!!
A receiver, a card….
Let’s
rock!
Find
a
satellite
IP
not
used,
I
ping
IPs
next
to
another
sniffable
satellite
IP
to
find
a
non
responding
IP.
We
must
sniff
our
ping
with
the
DVB
Card
(you
must
save
the
packets).
The
IP
is
the
one
we
have
selected
and
in
the
ICMP
scan,
we
must
get
the
destination
MAC
sniffed.
CLIENT
INTERNET
The
DNS
server
you
use
must
allow
request
from
any
IP
or
you
must
use
the
satellite
ISP
DNS
server.
All the things you make can be sniffed by others users.
http://www.google.es/search?
rlz=1C1GPEA_en___ES312&sourceid=chrome&ie=UTF-‐8&q=configuring
+GRE+linux
We
can
capture
the
downlink
and
the
uplink
so
all
these
attacks
are
easier
to
do.
We
can
capture
all
traffic
in
a
TCP
connection,
we
can
hijack
easily
in
any
direction.