- Dr. Patrick Engebretson
- Mr. Kyle Cronin
- Dr. Josh Pauli
- 1. Introductions
- 2. Why we all need a PAL
- 3. Building our PAL
- 4. Spray it - don’t say it
- 5. Community PAL
- 6. Bros spraying bros
- 7. Good night, Black Hat!
SprayPAL: How capturing and replaying attack traffic can save your IDS
- Dr. Patrick Engebretson
  - Asst. Prof. of Info. Assurance at Dakota State Univ.
  - Network security
- Mr. Kyle Cronin
  - Doctoral student at Dakota State Univ.
  - SysAdmin ftw
- Dr. Josh Pauli
  - Assoc. Prof. of Info. Assurance at Dakota State Univ.
  - Software Security
IDS/IPS need to be tested, but shizzle can’t break
Not to learn ONLY offensive techniques, kids!
- Dr. E is a CAPEC fanboi from his research
- No need to reinvent attack descriptions
- Just use them for more than “we just read about attacks and…..”
So fresh & so clean
- VMs are good, too
- SNORT
- Wireshark
- BT4
- Victim (various)
- 1. Identify CAPEC attack that you want to model
- 2. Craft attack traffic to mimic CAPEC attack on 'Attacker'
- 3. Ensure SNORT is running with up-to-date ruleset that matches chosen ID from step #1
- 4. Ensure Wireshark is running with no other traffic captured (clean slate)
- 5. Execute attack on 'Victim'
5. Execute attack on 'Victim'
- Easy manipulation - who doesn’t want that?
- Layer 2 and 3 of the packets
One victim? Several victims? One attack? Piggy-backed attacks? You have choices, folks…
- 1. Ensure SNORT rule(s) fired; comment with specific CAPEC ID number
- 2. Stop and "cleanse" .pcap in Wireshark as needed
- 3. Save .pcap with the same ID number as chosen CAPEC attack
- 4. Save .pcap in the correct directory to be available to SprayPAL
- 5. Test .pcap in SprayPAL with specific layer 2 & 3 attributes
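Step 5 above (testing a saved .pcap with specific layer 2 & 3 attributes) and the "layer 2 and 3 of the packets" manipulation that lets one capture be sprayed at one victim or several both come down to the same job: rewrite the Ethernet and IPv4 addresses in every frame, then repair the checksums that the rewrite has just invalidated. The following is an added example written for this page, not SprayPAL's own code (the tool's internals are not shown here): a standard-library-only Python script that parses a classic pcap, remaps MACs and IPs from old-to-new dictionaries, recomputes the IPv4 header checksum and the TCP/UDP checksum (whose pseudo-header covers both addresses), and writes the result back out. The MAC addresses, the 10.0.0.x / 192.168.56.x lab addresses and the single SYN-to-445 capture are constructed for the example; putting the rewritten frames on the wire (tcpreplay, a raw socket) is not part of it.

```python
# Added example, not SprayPAL's own code: rewrite layer 2/3 addresses in a captured
# attack pcap so the traffic can be replayed at a different victim, fixing the IP
# and TCP/UDP checksums the rewrite invalidates. Stdlib only; sample is constructed.
import struct

LINKTYPE_ETHERNET, ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 1, 0x0800, 6, 17

def mac_bytes(mac):
    return bytes(int(o, 16) for o in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def checksum(data):
    """RFC 1071 one's-complement checksum (data zero-padded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def fix_ip_checksum(ip):
    """Recompute the IPv4 header checksum in place (ip is a bytearray)."""
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip[:(ip[0] & 0x0F) * 4])))

def fix_l4_checksum(ip):
    """Recompute the TCP/UDP checksum in place. Its pseudo-header covers both IPs,
    so a layer-3 rewrite invalidates it; fragments and truncated packets are skipped."""
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    total_len = struct.unpack("!H", bytes(ip[2:4]))[0]
    fragmented = struct.unpack("!H", bytes(ip[6:8]))[0] & 0x3FFF  # MF bit or offset
    if proto not in (PROTO_TCP, PROTO_UDP) or fragmented or len(ip) < total_len:
        return
    off = ihl + (16 if proto == PROTO_TCP else 6)  # offset of the checksum field
    ip[off:off + 2] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, total_len - ihl)
    c = checksum(pseudo + bytes(ip[ihl:total_len]))
    ip[off:off + 2] = struct.pack("!H", 0xFFFF if proto == PROTO_UDP and c == 0 else c)

def rewrite_frame(frame, mac_map, ip_map):
    """Substitute MACs/IPs per {"old": "new"} maps. Each address is looked up on its
    own, so both directions of a captured conversation are retargeted."""
    if len(frame) < 14:
        return frame
    mmap = {mac_bytes(k): mac_bytes(v) for k, v in mac_map.items()}
    imap = {ip_bytes(k): ip_bytes(v) for k, v in ip_map.items()}
    dst, src, ethertype = frame[:6], frame[6:12], frame[12:14]
    eth = mmap.get(dst, dst) + mmap.get(src, src) + ethertype
    if struct.unpack("!H", ethertype)[0] != ETHERTYPE_IPV4:
        return eth + frame[14:]  # ARP etc.: only the Ethernet header is rewritten
    ip = bytearray(frame[14:])
    ip[12:16] = imap.get(bytes(ip[12:16]), bytes(ip[12:16]))
    ip[16:20] = imap.get(bytes(ip[16:20]), bytes(ip[16:20]))
    fix_ip_checksum(ip)
    fix_l4_checksum(ip)
    return eth + bytes(ip)

def verify_frame(frame):
    """True if the frame's IPv4 header and TCP/UDP checksums are valid."""
    fixed = bytearray(frame[14:])
    fix_ip_checksum(fixed)
    fix_l4_checksum(fixed)
    return fixed == frame[14:]

def read_pcap(data):
    """Parse a classic libpcap file into [(ts_sec, ts_usec, frame), ...]."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected a classic pcap (not pcapng) with Ethernet link type")
    frames, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frames.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return frames

def write_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame in frames:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def retarget_pcap(pcap, mac_map, ip_map):
    """New pcap with every frame passed through rewrite_frame; timestamps are kept."""
    return write_pcap([(s, u, rewrite_frame(f, mac_map, ip_map)) for s, u, f in read_pcap(pcap)])

def build_tcp_syn(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Constructed sample frame: Ethernet/IPv4/TCP SYN with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64,
                               PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip)) + tcp)
    fix_ip_checksum(ip)
    fix_l4_checksum(ip)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + bytes(ip)

# Constructed sample capture (made-up lab addresses): one SYN to port 445 from the
# 'Attacker' VM at 10.0.0.5 to the original 'Victim' at 10.0.0.20.
SAMPLE_PCAP = write_pcap([(1300000000, 0, build_tcp_syn(
    "00:0c:29:aa:bb:cc", "00:0c:29:11:22:33", "10.0.0.5", "10.0.0.20", 40000, 445))])
```

To spray the sample at a new victim, call `retarget_pcap(SAMPLE_PCAP, {"00:0c:29:11:22:33": "08:00:27:44:55:66"}, {"10.0.0.20": "192.168.56.10"})`: only the victim's addresses are remapped, the attacker's stay as captured, and `verify_frame` on the result confirms the checksums are consistent again. Recomputing them is not cosmetic: Snort verifies checksums by default (`config checksum_mode`), so a replayed frame carrying the old checksum may never be handed to the rule you are trying to fire. Two limits to keep in mind when cleansing a capture: addresses embedded above layer 3 (ARP payloads, an HTTP Host header, an FTP PORT command) are not rewritten by this approach, and pcapng files need converting to classic pcap first.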
Get it while it’s hot, get it while it’s buttered….
- Pound it here: http://ia.dsu.edu/spraypal
- Pound him here: Pat.Engebretson@dsu.edu
Epic, Fabulous, Incredible, Hilarious, Ridiculous, Remarkable, Excellent, Phenomenal Demo
?
- ☺