
Creating the Bro RFB (VNC) parser, Martin van Hensbergen, Fox-IT (PowerPoint presentation)



  1. Creating the Bro RFB (VNC) parser Martin van Hensbergen, Fox-IT

  2. Agenda • Introduction • Context: How we use Bro • The dangers of VNC • VNC protocol • Dev • Deploy • Future work

  3. Introduction • Martin van Hensbergen - Fox-IT • Studied Mathematics at University of Delft • Worked at Fox-IT 2001-2011 + 2016-? • Mostly as developer but also in a few other areas • 2007-2011, worked on FoxReplay • Software for full-content reconstruction of network data • Lawful interception & forensics purposes • Required network protocol knowledge

  4. Bro at Fox-IT

  5-8. Bro at Fox-IT (build slides) • We use Bro in three major services: • Passive Audits - network 🤕 • Compromise Assessments - network+hosts 😩 • Incident Response - network+hosts 😶

  9. Bro at Fox-IT - Passive Audit • We take a ‘photograph’ of the network by passively monitoring 4 weeks of network traffic • Combination of: • Bro • Suricata • Custom tooling

  10. Bro at Fox-IT - Passive Audit • Bro gives us a very detailed run-down on: • Protocols used in a network • Flow data • Suricata gives us alerting on known-bad

  11. Bro at Fox-IT - Passive Audit • Use strengths of multiple products: Bro, Suricata, Wireshark

  12. Bro at Fox-IT - Passive Audit • Mix: Automated and manual analysis • Deliver report on security of the network

  13. Bro at Fox-IT - Passive Audit • Some things we look for: • Weak protocols (security-wise) / SSL configs / Plaintext passwords • ‘Weird’ traffic / Context surrounding alerts • Network segmentation • Services exposed to e.g. the outside world • Remote administration tools • RDP ... why not RFB/VNC?

  14. VNC basics • Versatile protocol to view and control GUIs over a network connection. • Original spec (v3.3) by Olivetti Research Lab in 1998, later maintained by RealVNC: v3.7 in 2003 and v3.8 in 2007. • Protocol published as RFC 6143 by RealVNC in 2011

  15. VNC basics • Server runs RFB server ( e.g. RealVNC server ); listens on (default) TCP port 5900 • RFB client connects over network • Client can control server over network

  16. The dangers of VNC

  17. The dangers of VNC • My colleague Yonathan Klijnsma did some research on publicly reachable VNC servers • It's 2016 .... VNC IS EVERYWHERE!

  18. The dangers of VNC

  19. The dangers of VNC

  20. Dangers of VNC • All good and fun until…

  21. The dangers of VNC - IoT

  22. Dangers of VNC • All good and fun until:

  23. Dangers of VNC • VNC connections open to: • Medical devices • SCADA systems • Factories • Homes

  24. Dangers of VNC • VNC: • no or weak authentication • unencrypted

  25. Bro Wishlist • What would we want to see from a security perspective: • are there RFB servers in the network? • from where and when are they accessed, for how long? • which software is used? • what kind of authentication is used, was it successful? • other useful information? • Bonus exercise: can we get a screenshot? 😈

  26. VNC protocol

  27. VNC protocol: ProtocolVersion Handshake → Security Handshake → SecurityResult Handshake → Client/Server Init messages → Frames!

  28. VNC protocol: ProtocolVersion Handshake → Security Handshake → SecurityResult Handshake → Client/Server Init messages → Frames!

  29. VNC protocol - Identification • Server → Client: Server Version • Client → Server: Client Version

  30. VNC protocol - Identification • Server → Client: Server Version • Client → Server: Client Version • Each is a 12-byte string “RFB xxx.yyy\n”: RFB 003.003 - RFB 003.007 - RFB 003.008

  31. Identified RFB headers in the wild (source: Y. Klijnsma): RFB 002.000, RFB 003.002, RFB 003.003, RFB 003.004, RFB 003.005, RFB 003.006, RFB 003.007, RFB 003.008, RFB 003.010, RFB 003.016, RFB 003.033, RFB 003.039, RFB 003.043, RFB 003.130, RFB 003.236, RFB 003.889, RFB 004.000, RFB 004.001, RFB 005.000, RFB 009.123, RFB 009.221, RFB 009.963, RFB 103.006. The slide labels some of these banners with the software they identify: Apple Remote Desktop, RealVNC Personal, RealVNC Enterprise.

  32. VNC protocol - Identification • Certain version numbers can be attributed to certain software

  33. VNC protocol: ProtocolVersion Handshake → Security Handshake → SecurityResult Handshake → Client/Server Init messages → Frames!

  34. VNC protocol security • Server sends a list of supported ‘security types’ • These determine form of authentication (examples): • 1 = No authentication • 2 = VNC authentication • 30 = Apple Remote Desktop authentication

  35. VNC protocol - VNC authentication • Server → Client: 16-byte challenge • Client → Server: 16-byte response = DES(challenge) with a password-derived key

  36. VNC protocol - VNC authentication • Custom authentication types possible • Found a VNC server implementation that sends username/password in cleartext over the wire • 😴

  37. VNC protocol: ProtocolVersion Handshake → Security Handshake → SecurityResult Handshake → Client/Server Init messages → Frames!

  38. VNC protocol - Security result • Server always sends an explicit acknowledgment if authentication succeeded. • If not successful: connection aborted

  39. VNC protocol: ProtocolVersion Handshake → Security Handshake → SecurityResult Handshake → Client/Server Init messages → Frames!

  40. VNC protocol - Init messages • Client sends ClientInit message with a ‘shared_flag’ • Shared flag determines mode of operation: • 1 = Allow other connections to remain if present • 0 = Disconnect other connections for exclusive access

  41. VNC protocol - Init messages • Server sends ServerInitMsg, containing: • name of the server • width/height of shared screen in pixels • 16 bytes of pixel format (encoding) information

  42. VNC protocol: ProtocolVersion Handshake → Security Handshake → SecurityResult Handshake → Client/Server Init messages → Frames!

  43. VNC protocol - frame messages • After the initial handshake, the server sends a complete representation of the server’s screen to the client • One should be able to reconstruct a complete screenshot from the screen using this first message!

  44-47. VNC protocol - frame messages (diagram: the screen is split into rectangles of 120x120, 1160x960 and 120x840 pixels; each rectangle is compressed & encoded and sent with a header)

  48. VNC protocol - frame messages • Complete screen update first! • Then: Client and Server can send messages at will: • containing keystrokes, mouse pointer movements, screen updates. • For our purpose too much effort at this stage

  49. VNC protocol - Recap: ProtocolVersion Handshake → Security Handshake → SecurityResult Handshake → Client/Server Init messages → Frames!

  50. Bro Wishlist • What would we want to see from a security perspective: • are there RFB servers in the network? • from where and when are they accessed, for how long? • which software is used? • what kind of authentication is used, was it successful? • other useful information: server name, screen dimensions? • Bonus exercise: can we get a screenshot? 😈

  51. Dev/test/deploy

  52. Dev/test/deploy • Ingredients for creating a protocol parser: • Wireshark and loads of sample PCAPs • knowledge of BinPac and Bro policy writing • knowledge of the protocol (obviously)

  53. Dev • BinPac (protocol parsing): define events to emit; define protocol messages; BinPac creates the C++ parser • Scripts: define DPD to identify streams to process; connect events from the parser to log output • Testing: create tests based on pcaps; supply the expected output of your parser

  54. Dev - where to start • documentation on-line • learn from existing protocol parsers • https://github.com/grigorescu/binpac_quickstart • creates some boilerplate code for you to get your parser up and running • bro-dev mailing list • great supportive community!

  55. Dev - be prepared • #1 - No matter how simple the protocol, there's always a catch • #2 - No matter how good your protocol parser is, someone will always present you with a pcap that doesn't parse

  56. Dev - be prepared • #1 - No matter how simple the protocol, there's always a catch

  57. BinPac (protocol parsing) • Ideally, we would like to have something like this: Each message self-descriptive (SMB!)

  58. Dev BinPac

  59. Dev BinPac

  60. Dev BinPac • RFB messages do not contain e.g. a command identifier, or total size of the message • How to interpret a set of bytes depends on the messages before it • rfb-protocol-analyzer.pac implements state machine

  61. State machine BinPac ‘state’ - defines step in our protocol. After successfully parsing a message, ‘state’ gets updated accordingly.

  62. State machine (BinPac): Awaiting Server Banner → Awaiting Client Banner → (3.3) Awaiting Server Auth Types 3.3 / (3.7) Awaiting Server Auth Types 3.7 → ... → Finish
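As an added example (not code from the deck or from the Bro/BinPac parser it describes), a Python version of the stateful handshake parse sketched in slides 27 to 41 and 60 to 62: it walks the RFB handshake over both directions of one TCP stream, takes the 3.3 versus 3.7/3.8 security-handshake difference as the "catch", and returns the wishlist fields (versions, security types, auth result, shared flag, server name, screen size). The sample streams are constructed, not captured traffic.

```python
import struct

SEC_TYPES = {0: "invalid", 1: "none", 2: "vnc-auth", 30: "apple-remote-desktop"}  # from the deck


def parse_rfb_handshake(server_stream: bytes, client_stream: bytes) -> dict:
    """Stateful parse of one RFB handshake (RFC 6143) from the two directions of a TCP
    stream. RFB messages carry no type or length field, so what the next bytes mean is
    fixed by the current state, as in the deck's BinPac state machine."""
    pos, streams, info = {"s": 0, "c": 0}, {"s": server_stream, "c": client_stream}, {}

    def take(side: str, n: int) -> bytes:  # "s" = server->client, "c" = client->server
        chunk = streams[side][pos[side]:pos[side] + n]
        if len(chunk) < n:
            raise ValueError(f"truncated {side} data in state {info.get('state')}")
        pos[side] += n
        return chunk

    info["state"] = "awaiting_server_banner"
    info["server_version"] = take("s", 12).decode("ascii").rstrip("\n")
    info["state"] = "awaiting_client_banner"
    info["client_version"] = take("c", 12).decode("ascii").rstrip("\n")
    minor = int(info["client_version"][8:11])  # the client's reply fixes the version in use
    info["state"] = "awaiting_security_types"
    if minor >= 7:  # 3.7/3.8: server lists u8 count + types, client picks one
        count = take("s", 1)[0]
        if count == 0:  # server refused the connection; a u32-length reason string follows
            info["failure_reason"] = take("s", struct.unpack(">I", take("s", 4))[0]).decode("latin-1")
            return info
        offered, chosen = list(take("s", count)), take("c", 1)[0]
    else:  # 3.3: server dictates one u32 type; the client gets no choice
        chosen = struct.unpack(">I", take("s", 4))[0]
        offered = [chosen]
    info["security_types"], info["chosen"] = offered, SEC_TYPES.get(chosen, f"unknown-{chosen}")
    if chosen == 2:  # VNC authentication: 16-byte challenge, 16-byte DES response
        info["state"] = "awaiting_vnc_auth"
        info["challenge"], _ = take("s", 16).hex(), take("c", 16)
    info["state"] = "awaiting_security_result"  # 3.8 always sends it; 3.3/3.7 skip it for 'none'
    info["auth_ok"] = struct.unpack(">I", take("s", 4))[0] == 0 if (minor >= 8 or chosen != 1) else True
    if not info["auth_ok"]:
        return info
    info["state"] = "awaiting_init"
    info["shared"] = bool(take("c", 1)[0])                              # ClientInit shared-flag
    info["width"], info["height"] = struct.unpack(">HH", take("s", 4))  # ServerInit
    take("s", 16)                                                       # PIXEL_FORMAT, not logged
    info["server_name"] = take("s", struct.unpack(">I", take("s", 4))[0]).decode("latin-1")
    return info


# Constructed sample: RFB 3.8 session, no authentication, shared access, 1024x768 screen
SERVER_38 = (b"RFB 003.008\n" + bytes([2, 1, 2]) + struct.pack(">I", 0)
             + struct.pack(">HH", 1024, 768) + bytes(16) + struct.pack(">I", 7) + b"desk-01")
CLIENT_38 = b"RFB 003.008\n" + bytes([1]) + bytes([1])
```

A session with security type 1 ("none") and auth_ok True is exactly the unauthenticated exposure the deck warns about, and is the first thing to alert on from the resulting log.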
