The Way of Hacking
November 10, 2015
In the Japanese martial art of Aikido, “Kurai Dori” is said to be the ability of a skilled practitioner, or “aikidoka”, to control the consciousness of an opponent; a more prosaic translation is “positioning”. Rather than relying only on strikes (“atemi”), the masterful aikidoka can defeat an opponent through a commanding position. The same holds in offensive security: the most dangerous attackers do not rely solely on exploits (even 0days), they use their network position to gain dominance. Whether it is the Chinese government’s Great Cannon, the NSA’s QUANTUMINSERT program or the “SYNful Knock” Cisco router implant, the most capable attackers use their control of the network to compromise organizations.
This kind of attack is part of what is known as an Active Man-in-the-Middle (MitM). Control of the network gives the attacker a global view of traffic flowing through an organization, so any unencrypted information on the network is also known to the attacker: usernames, passwords, session cookies or other data useful for gaining further access. Network traffic can also contain documents or images which can be extracted through file carving. The same position also permits attacks that go beyond passive reading, such as POODLE against the SSLv3 protocol, which needs an attacker able to downgrade and tamper with the connection rather than merely observe it.
An Active MitM attack can also inject traffic, as in QUANTUMINSERT, whereby an attacker-controlled server is used to “race” against a legitimate server reply and thereby cause a victim to connect to a malicious server rather than the intended one. What is so powerful about this technique is that it circumvents most deployed defences (HTTPS with certificate pinning is one of the few that may stop it, since an injected reply cannot present the pinned certificate) and does not rely on exploits. Exploits can be mitigated by patching and by security products such as Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), but an attacker who controls network traffic simply bypasses these protections. Cyber criminals, however, have to rely on exploits, as they usually lack the network position of nation state actors.
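The race described above, and the trace it leaves for a defender, as an added example that is not part of the original post and not code from any program named here. It models the victim’s TCP stack as keeping the first bytes to arrive for a given sequence range, then applies the check a sensor placed in front of the victim can make: two segments that overlap in sequence space but carry different bytes. The server address, hostnames, sequence number, arrival times and HTTP payloads are all constructed, and the flow model is simplified (one direction, no ACK handling).

```python
"""Simulation of a response race of the QUANTUMINSERT kind and the
detection heuristic it leaves behind.  Added example for this article, not
code from any program named in it; all segments below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP data segment as a sensor in front of the victim would see it."""
    t: float        # arrival time at the victim, seconds (constructed)
    src: str        # source IP on the wire; the injector spoofs the server's
    seq: int        # sequence number of the first payload byte
    payload: bytes


def reassemble(segments):
    """Model of the victim's TCP stack: the first bytes to arrive for a
    sequence range are kept, later copies of already-received bytes are
    dropped.  Whoever's reply lands first wins the race."""
    stream = {}
    for seg in sorted(segments, key=lambda s: s.t):
        for offset, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + offset, byte)
    return bytes(stream[k] for k in sorted(stream))


def find_conflicts(segments):
    """Detection heuristic: two segments that overlap in sequence space but
    carry different bytes.  A genuine retransmission repeats the same data;
    an injected reply racing the real one does not.  Returns a list of
    (overlap_start, overlap_end, earlier_segment, later_segment)."""
    ordered = sorted(segments, key=lambda s: s.t)
    conflicts = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            lo = max(a.seq, b.seq)
            hi = min(a.seq + len(a.payload), b.seq + len(b.payload))
            if lo >= hi:
                continue  # no overlap in sequence space
            if a.payload[lo - a.seq:hi - a.seq] != b.payload[lo - b.seq:hi - b.seq]:
                conflicts.append((lo, hi, a, b))
    return conflicts


# Constructed flow: the victim asked a web server (203.0.113.10, a TEST-NET-3
# documentation address) for a page over plain HTTP.  SEQ is the sequence
# number of the first reply byte.  Hostnames use the reserved .invalid TLD.
SEQ = 1_000_001
SERVER = "203.0.113.10"
LEGIT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
         b"<html><body>Welcome</body></html>")
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://shooter.invalid/x\r\n\r\n"

# The injector, sitting closer to the victim, gets its forged reply in first.
RACE = [
    Segment(t=0.041, src=SERVER, seq=SEQ, payload=INJECTED),
    Segment(t=0.083, src=SERVER, seq=SEQ, payload=LEGIT),
]

# Control case: an ordinary retransmission of the same bytes, which the
# heuristic must not flag.
RETRANSMIT = [
    Segment(t=0.083, src=SERVER, seq=SEQ, payload=LEGIT),
    Segment(t=0.290, src=SERVER, seq=SEQ, payload=LEGIT),
]


def victim_redirected(segments):
    """True if the bytes the victim's stack accepted begin with the forged
    redirect rather than the server's real status line."""
    return reassemble(segments).startswith(INJECTED)


if __name__ == "__main__":
    print("victim redirected:", victim_redirected(RACE))
    for lo, hi, a, b in find_conflicts(RACE):
        print(f"conflict in seq range {lo}-{hi}: {a.t:.3f}s vs {b.t:.3f}s")
    print("retransmit flagged:", bool(find_conflicts(RETRANSMIT)))
```

Run it with python3: the forged redirect wins because it arrives 42 ms before the real reply, and swapping the two arrival times makes the legitimate response win instead. The check only works at a vantage point that sees both segments, before the victim’s stack silently drops the loser as a duplicate, and a server that retransmits with changed content would also trigger it, so treat a hit as a lead for investigation rather than a verdict.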
China’s Great Cannon also achieved significant impact by injecting malicious code into the web content served to a subset of visitors to a popular website. The effect was an enormous Distributed Denial of Service (DDoS) attack. This attack did not require the creation and maintenance of a vast botnet but instead used the power of network position to do its work.
Subversion of network traffic through MitM is not the only attack afforded by a dominant network position, though. The “SYNful Knock” implant demonstrated how compromise of network infrastructure also allows an attacker to shatter the perimeter protecting an organization. One module of SYNful Knock allowed external attackers access to computers on private IP address ranges, effectively neutralizing the organization’s perimeter defences. Furthermore, SYNful Knock could potentially be used to backdoor applications downloaded through the compromised device without the protection of HTTPS, to redirect internal users to malicious sites, and to provide a cut-out for C2 traffic emanating from inside the organization so that it avoids detection.
Superior positioning, “Kurai Dori”, allows an attacker to dominate a target organization comprehensively, to an extent that is difficult to protect against. Rather than relying on exploits to gain access, network position can be used to stealthily redirect users, view and manipulate their network traffic, and open up an organization’s network perimeter. Effective security for an organization needs to take this threat into account.