TOP SECRET // SI // REL TO USA, AUS, CAN, GBR, NZL

PROFILING SSL AND ATTRIBUTING PRIVATE NETWORKS
An introduction to FLYING PIG and HUSH PUPPY
ICTR - Network Exploitation, GCHQ

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ. Contains intellectual property owned and/or managed by GCHQ. The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.
Outline
- Two separate prototypes: FLYING PIG and HUSH PUPPY
- Both are cloud analytics which work on bulk unselected data
- FLYING PIG is a knowledge base for investigating TLS/SSL traffic
- HUSH PUPPY is a tool for attributing private network traffic
FLYING PIG - TLS/SSL Background
- TLS/SSL (Transport Layer Security / Secure Sockets Layer) provides encrypted communication over the internet
- Simple TLS/SSL handshake (everything before the first "Change cipher spec" is sent in the clear):
  Client -> Server: Client hello
  Server -> Client: Server hello, Certificate, Server hello done
  Client -> Server: Client key exchange, Change cipher spec, Handshake finished
  Server -> Client: Change cipher spec, Handshake finished
  Both directions: Application data (encrypted)
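As an added example (not code from the slides), a Python parser for the first plaintext message of the handshake above. It builds a constructed ClientHello record and extracts the fields a passive observer can see before encryption begins: the server name indication (SNI) and the offered cipher suites.

```python
import struct

HANDSHAKE, CLIENT_HELLO, SNI_EXT = 22, 1, 0   # TLS content type, handshake type, extension id

def build_client_hello(sni: str, suites=(0x002F, 0x0035, 0xC013)) -> bytes:
    """Constructed sample: a TLS 1.0 record carrying a ClientHello with an SNI extension."""
    name = sni.encode()
    sni_body = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name
    exts = struct.pack(">HH", SNI_EXT, len(sni_body)) + sni_body
    body = (b"\x03\x01" + bytes(32) + b"\x00"                       # client_version, random, empty session id
            + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00"                                            # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    msg = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", HANDSHAKE, 0x0301, len(msg)) + msg

def parse_client_hello(record: bytes) -> dict:
    """Return the plaintext-visible ClientHello fields (SNI, offered cipher suites)."""
    if len(record) < 9 or record[0] != HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    p = 2 + 32                                   # skip client_version and random
    p += 1 + body[p]                             # skip session id
    n = struct.unpack(">H", body[p:p + 2])[0]; p += 2
    suites = [struct.unpack(">H", body[p + k:p + k + 2])[0] for k in range(0, n, 2)]; p += n
    p += 1 + body[p]                             # skip compression methods
    info = {"cipher_suites": suites, "sni": None}
    if p + 2 <= len(body):                       # extensions block is optional
        elen = struct.unpack(">H", body[p:p + 2])[0]; p += 2
        end = p + elen
        while p + 4 <= end:
            etype, el = struct.unpack(">HH", body[p:p + 4]); p += 4
            if etype == SNI_EXT:                 # skip list length (2) and name type (1)
                nlen = struct.unpack(">H", body[p + 3:p + 5])[0]
                info["sni"] = body[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += el
    return info

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("swa.mail.ru")))
```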
Motivations for FLYING PIG
- More and more services used by GCHQ targets are moving to TLS/SSL to increase user confidence, e.g. Hotmail, Yahoo, Gmail, etc.
- Terrorists and cyber criminals are common users of TLS/SSL to hide their comms (not necessarily using the big providers).
- A TLS/SSL knowledge base could provide a means to extract as much information from the unencrypted traffic as possible.
FLYING PIG implementation
- Federated QFD approach
  - Multiple separate cloud analytics, each of which produces a QFD (Query Focussed Dataset).
  - Analytics are run once a week, on approximately 20 billion events.
  - A single query in the web interface results in calls to multiple QFDs, which are returned to the user in separate panels.
  - Results in: (a) fast queries, (b) easy-to-maintain modular code, and importantly (c) easy to add future TLS/SSL QFDs.
Query by certificate metadata (screenshot of the FLYING PIG web interface)

FLYING PIG TLS/SSL KNOWLEDGE BASE. Prototype owner: [redacted], ICTR-NE. Tabs: HRA Justification; Query FLYING PIG (general SSL toolkit); Query QUICK ANT (Tor events QFD).

Query form:
- Query as: Client IP / Server IP / Both
- Search by IP, or Network [e.g. 1.2.3.0/24], or Server Certificate [e.g. %example.com (use % for wildcards)]
- Server certificate fields to search within: Subject common name, Subject organisation name, Issuer common name, Issuer organisation name, RSA modulus
- Query shown in the screenshot: certificate field search for %mail.ru

Tips shown in the interface:
- Tip 1: Right click on a row to find all server IPs that serve that certificate. Right click on a server IP to explore it further.
- Tip 2: Click on the disk icon in the title bar to download data in CSV format.
- Tip 3: Double-click on a field to enable copy and paste.
- Tip 4: Change displayed columns ('Basic' is default; 'Advanced' adds RSA modulus and cipher suite distribution columns).

Result panels (each paged at 10 / 25 / 50 / 100 items): "All HTTP requests matching your query", "All certificates matching your query" and "Server IPs".

All HTTP requests matching your query (1 - 5 of 500 items; only the trailing octets of each server IP are visible in the capture):

Server IP | Host name                     | First seen          | Last seen           | Count w/e 25th Nov | Count all time
184.105   | swa.mail.ru                   | 2011-10-13 16:05:53 | 2011-11-25 21:11:59 | 6085663            | 42640739
184.104   | swa.mail.ru                   | 2011-10-13 17:29:18 | 2011-11-25 21:11:55 | 6073183            | 36825411
134.201   | fc.ef.d4.cf.bd.a1.top.mail.ru | 2011-10-13 21:43:10 | 2011-11-25 21:10:49 | 4049743            | 19360920
135.13    | top5.mail.ru                  | 2011-10-14 20:00:00 | 2011-11-25 21:12:05 | 3006868            | 14168963
135.12    | top3.mail.ru                  | 2011-10-14 20:00:00 | 2011-11-25 21:10:48 | 2480950            | 12386999

All certificates matching your query (1 - 10 of 70 items). Columns in the interface: Server IP, Cert count w/e 25th Nov, Cert count all time, First seen, Last seen, Count w/e 25th Nov, Count all time, Subject common name, Subject country, Subject org name, Issuer common name, Issuer country, Issuer org name, Valid from, Valid to, Self signed, Full certificate. The per-server-IP sub-rows and the DER hex of each certificate are not legible in the capture; the remaining columns read as follows:

Subject common name | Subject org, country | Issuer common name        | Issuer org, country      | Valid from | Valid to   | Self signed | First seen          | Last seen           | Count w/e 25th Nov | Count all time
*.mail.ru           | llc mail.ru, ru      | thawte ssl ca             | thawte, inc., us         | 2011-01-31 | 2012-03-27 | N           | 2011-09-22 13:17:32 | 2011-11-25 19:01:59 | 2952729            | 16638958
*.mail.ru           | llc mail.ru, ru      | thawte premium server ca  | thawte consulting cc, za | 2010-01-21 | 2011-02-20 | N           | 2011-09-22 14:05:50 | 2011-11-25 18:58:32 | 249926             | 1085232
*.money.mail.ru     | llc mail.ru, ru      | thawte ssl ca             | thawte, inc., us         | 2011-09-25 | 2013-11-23 | N           | 2011-10-07 20:29:55 | 2011-11-25 18:53:40 | 10059              | 30520
mail.ru.is          | mail.ru.is, is       |                           | equifax, us              | 2010-01-25 | 2012-01-27 | N           | 2011-09-23 17:01:58 | 2011-11-25 15:40:05 | 976                | 8517
mail.ru-sib.ru      | us                   | mail.ru-sib.ru            | us                       | 2011-03-04 | 2012-03-03 | Y           | 2011-08-22 08:14:21 | 2011-09-06 06:15:36 | 0                  | 1482
mail.ru-com.ru      | mail.ru-com.ru       | thawte dv ssl ca          | thawte, inc., us         | 2011-05-27 | 2012-07-25 | N           | 2011-10-17 14:09:52 | 2011-11-25 18:50:10 | 22                 | 1236
mx1.shooo-mail.ru   | shooo, ru            | shooo.ru                  | shooo, ru                | 2010-02-13 | 2012-11-08 | N           | 2011-10-08 00:05:24 | 2011-11-25 17:04:02 | 30                 | 1150
limos.mail.ru       | ru                   | isp.cegedim.fr            | cegedim, fr              | 2011-09-15 | 2012-09-14 | N           | 2011-11-01 07:36:53 | 2011-11-25 14:26:29 | 246                | 693
moder.foto.mail.ru  | mail.ru, ru          | moder.foto.mail.ru        | mail.ru, ru              | 2011-10-05 | 2014-10-04 | Y           | 2011-10-14 18:20:34 | 2011-11-21 05:13:34 | 20                 | 1306
auth.mail.ru        | ru                   | isp.cegedim.fr            | cegedim, fr              | 2011-09-15 | 2012-09-14 | N           | 2011-10-31 14:14:12 | 2011-11-25 15:45:50 | 99                 | 259

Note the second *.mail.ru row: a certificate whose validity ended on 2011-02-20 was still being served and observed through 2011-11-25, and two of the ten certificates are self signed.
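To make the federated QFD design and the %mail.ru certificate query above concrete, here is an added example (not GCHQ code) of one weekly analytic pass: it folds constructed certificate sightings into a small certificate QFD with first/last seen, weekly and all-time counts and a self-signed flag, then serves a query using the interface's % wildcard. The event data, IP addresses and the self-signed heuristic (subject CN equal to issuer CN) are assumptions for the example.

```python
from datetime import datetime, timedelta
import re

# Constructed certificate sightings (timestamp, server IP, subject CN, issuer CN): made-up
# sample input shaped like the "All certificates matching your query" panel, not data from the slides.
EVENTS = [
    ("2011-10-13 16:05:53", "203.0.113.105", "*.mail.ru", "thawte ssl ca"),
    ("2011-11-20 09:12:00", "203.0.113.105", "*.mail.ru", "thawte ssl ca"),
    ("2011-11-25 21:11:59", "203.0.113.105", "*.mail.ru", "thawte ssl ca"),
    ("2011-08-22 08:14:21", "203.0.113.74", "mail.ru-sib.ru", "mail.ru-sib.ru"),
    ("2011-11-21 05:13:34", "203.0.113.98", "moder.foto.mail.ru", "moder.foto.mail.ru"),
    ("2011-11-22 12:00:00", "198.51.100.7", "login.example.net", "example issuing ca"),
]
WEEK_ENDING = datetime(2011, 11, 25, 23, 59, 59)   # the "w/e 25th Nov" column in the screenshot

def build_cert_qfd(events, week_ending):
    """One weekly analytic run: fold raw sightings into a certificate QFD keyed by
    (server IP, subject CN) with first/last seen plus weekly and all-time counts."""
    week_start = week_ending - timedelta(days=7)
    qfd = {}
    for ts, ip, subject, issuer in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        row = qfd.setdefault((ip, subject), {
            "server_ip": ip, "subject_cn": subject, "issuer_cn": issuer,
            "self_signed": subject == issuer,        # assumed heuristic: subject CN equals issuer CN
            "first_seen": t, "last_seen": t, "count_week": 0, "count_all": 0})
        row["first_seen"] = min(row["first_seen"], t)
        row["last_seen"] = max(row["last_seen"], t)
        row["count_all"] += 1
        if week_start < t <= week_ending:
            row["count_week"] += 1
    return qfd

def query_qfd(qfd, pattern, field="subject_cn"):
    """Serve a query against the finished QFD with the interface's '%' wildcard
    ('%mail.ru' matches any subject CN ending in mail.ru); matching is case-insensitive."""
    rx = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("%")) + "$", re.I)
    return sorted((r for r in qfd.values() if rx.match(r[field])), key=lambda r: -r["count_all"])

def run_weekly():
    """Build the QFD from the constructed sightings for the week ending 25 Nov 2011."""
    return build_cert_qfd(EVENTS, WEEK_ENDING)

if __name__ == "__main__":
    for r in query_qfd(run_weekly(), "%mail.ru%"):
        print(r["server_ip"], r["subject_cn"], r["count_week"], r["count_all"], r["self_signed"])
```

In the real system each panel would be a separate QFD produced by its own analytic; this block collapses that into one dataset so the aggregation and wildcard query can be read together.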