TCP/IP Perversion
Rares Stefan, Third Brigade Inc.
SecTor 2007

Introduction
- Perspective from a researcher focused on protecting hosts from malware
- Implementing kernel-based protection mechanisms
- Insight into a potential class of network driver malware

The Rise of Silent Malware
Three main areas of interest in malware R&D:
- Delivery and activation
- Hiding presence - rootkit techniques
- Evasion - Minimize operating noise
  - Show no signs of activity on the infected system
  - Show no traces of network activity on the wire

Operational Challenges
- Operate on wire data
- Active at a layer that guarantees transparency to the host
- Correctly perform inline IP reassembly and TCP stream reassembly
- Allow for arbitrary injection/removal of data in TCP sessions

Operational Challenges… part deux
- Maintain silence on the host:
  - Never initiate TCP sessions
  - Never receive TCP open-session requests
  - Do not rely on TCP port splicing if the infected host is a server
  - Do not rely on static motherships if the infected host is a workstation
  - Packet modifications should not be easily visible in local network traces

Operational Challenges… part trois
- Maintain silence on the wire
- Only make use of legitimate TCP sessions
- Do not alter protocol semantics - resistance to network anomaly detection engines
- Piggyback on encrypted channels (SSL) and multiple TCP sessions for large data transfers

Driver Implementation Pre-Vista
[Diagram: network stack layers - Miniport driver, NDIS (NDIS.SYS), Intermediate driver, PF hook, FW hook, TDI, User Land, TCP/IP]
Diagram annotations:
- Never
- Access to data stream, not packets
- Some interesting areas
- No guaranteed access to outbound payload
- NDIS hooking
- Some delivery challenges
- Most flexibility
- Driver signing issues
- Complete control over hardware drivers to transport protocol communications

Rogue Network Driver Framework
- Firewall hook kernel module for basic packet header operations
- IM Filter driver:
  - Inline IP reassembly
  - Inline TCP stream reassembly
  - TCP session normalization

Packet Header Modifications

Infected Workstation
[Diagram: ALICE, BOB and server; URL https://server; addresses 10.0.1.124 and 10.0.1.26]
- DNAT – DstIP_server -> DstIP_Bob
- SNAT/DNAT – SrcIP_Alice -> SrcIP_Bob, DstIP_Bob -> DstIP_server
- Translated request reaches server

Infected Server
[Diagram: ALICE and Server]
- https://server
- https request served
- telnet server:80
- Selective DN(P)AT:
  - SrcIP_Alice SrcIP_server
  - Dst_Port_443 DstPort_135

Packet Header Opportunities
- Passive covert channels
  - http://www.invisiblethings.org/papers/passive-covert-channels-linux.pdf
  - http://www.ouah.org/neural_networks_vs_NUSHU.pdf
  - http://staff.science.uva.nl/~delaat/snb-2005-2006/p27/report.pdf
- Port splicing
- Most significant; communicating the original intent:
  - DNAT on outgoing SYN – change destination address to that of the MIM
  - Insert original dstIP in header fields
  - MIM double NAT

Why Payload Injection?
- Access to packet data
- High bandwidth channel
- Bypass application proxies
- Altering TCP data length on the wire is not trivial!

Inline Injection
- Support for IP reassembly on incoming traffic and IP fragmentation on outbound traffic
- Support for TCP stream reassembly – datagram reordering, injection of acknowledgements and resets, among other things

Inline TCP Reassembly
- Maintain two edges (pre and post modification):
  - ISN
  - MaxSeq
  - MaxAck
  - Window
  - Maximum SeqNo of Filtered Data
  - Maximum AckNo of Filtered Data
  - Queue/counter for non Ack-ed datagrams
  - Queue/counter for not sent datagrams
  - Needed Window Scale
  - Actual Window Scale

SMTP Injection – Eliminating Bob from the Equation
- Reduces the complexity of MIM and random redirection
- Works with application level proxies
- Replace RCPT TO argument or inject additional RCPT TO (BCC)
- Increases the probability of detection – SMTP server logs

SMTP Injection
[Diagram: Alice, SMTP Server, BOB and Eva]
- Sends Bob message
- Driver injects BCC to Eva
- Bob receives original message
- So does Eva

SMTP Injection Demo (Vid1)

HTTP Injection
- TCP Headers useless – need to find workaround
- Easy workaround but we need to be careful:
  - Transparent proxies (Initial HTTP request looks normal, so we'll always assume we may be transparently "proxied")
  - Direct proxies – easy to spot in HTTP(s) requests
- URI & Headers will help us redirect/leak data
  - Make use of Authorization, Cookies headers – they won't be scrubbed
  - POST data also presents injection opportunities

HTTP Injection
[Diagram: ALICE, BOB, Web Proxy – Content Filtering, and google.com; URL http://www.google.com]
- Change request; Inject Data

SSL Injection Demo
[Diagram: ALICE, BOB, Perimeter Security, and somebank.com; URL https://somebank.com]
- Inject Data

SSL Alice – browser video

Detecting Network Driver Malware
- Conventional detection mechanisms
  - AV, AS signatures; configuration mgmt
- New detection mechanisms
  - Traffic based detection?
    - Malicious destinations, ISN analysis
    - Network trace diff – local vs. remote
    - NDIS based sniffer for better visibility?
- Other
  - Host based application control ineffective
  - DLP?
  - …
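
The "Network trace diff – local vs. remote" item above, as an added example that is not from the original slides: it pairs flows seen by a sniffer on the host with the same flows seen at a tap outside the host and reports where the two vantage points disagree. The record layout, addresses, payloads and finding names are constructed for illustration; it assumes both captures cover the same time window and ignores sequence number wrap-around.

```python
"""Added example: diff a host-local capture against a capture taken on the wire."""
import hashlib

def segments(src, sport, dst, dport, isn, chunks):
    """Build constructed segment records with consecutive sequence numbers."""
    out, seq = [], isn + 1
    for chunk in chunks:
        out.append((src, sport, dst, dport, seq, chunk))
        seq += len(chunk)
    return out

# Constructed sample data (documentation address ranges), client-to-server direction only.
CLIENT = "192.0.2.10"
HELLO = b"\x16\x03\x01constructed-client-hello"
MAIL = b"MAIL FROM:<alice@example.com>\r\n"
RCPT = b"RCPT TO:<bob@example.com>\r\n"

# What a sniffer on the host reports.
LOCAL_TRACE = (
    segments(CLIENT, 50001, "198.51.100.20", 443, 1000, [HELLO])
    + segments(CLIENT, 50002, "198.51.100.30", 443, 2000, [HELLO])
    + segments(CLIENT, 50003, "198.51.100.25", 25, 3000, [MAIL, RCPT])
)
# What a tap or SPAN port outside the host reports for the same flows.
WIRE_TRACE = (
    segments(CLIENT, 50001, "198.51.100.20", 443, 1000, [HELLO])
    + segments(CLIENT, 50002, "192.0.2.77", 443, 2000, [HELLO])
    + segments(CLIENT, 50003, "198.51.100.25", 25, 3000,
               [MAIL, RCPT, b"RCPT TO:<eva@example.net>\r\n"])
)

def summarize(trace):
    """Collapse segments into per-flow facts keyed by (src_ip, src_port, dst_port).

    The destination address is left out of the key on purpose, so a flow whose
    destination was rewritten below the local sniffer still pairs up.
    """
    flows = {}
    for src, sport, dst, dport, seq, payload in trace:
        flow = flows.setdefault((src, sport, dport), {"dsts": set(), "segs": {}})
        flow["dsts"].add(dst)
        flow["segs"][seq] = payload  # a retransmission overwrites, it is not counted twice
    summary = {}
    for key, flow in flows.items():
        stream = b"".join(flow["segs"][s] for s in sorted(flow["segs"]))
        summary[key] = (flow["dsts"], min(flow["segs"]), len(stream),
                        hashlib.sha256(stream).hexdigest())
    return summary

def diff_traces(local, wire):
    """Return (flow_key, finding) pairs where the two vantage points disagree."""
    loc, rem = summarize(local), summarize(wire)
    findings = []
    for key in sorted(set(loc) | set(rem)):
        if key not in loc or key not in rem:
            findings.append((key, "only-on-wire" if key not in loc else "only-on-host"))
            continue
        (l_dst, l_seq, l_len, l_sha), (r_dst, r_seq, r_len, r_sha) = loc[key], rem[key]
        if l_dst != r_dst:
            findings.append((key, "destination-differs"))
        if l_seq != r_seq:
            findings.append((key, "first-seq-differs"))
        if l_len != r_len:
            findings.append((key, "stream-length-differs"))
        elif l_sha != r_sha:
            findings.append((key, "stream-content-differs"))
    return findings

if __name__ == "__main__":
    for key, finding in diff_traces(LOCAL_TRACE, WIRE_TRACE):
        print(key, finding)
```

The remote capture has to come from a point the host cannot influence (tap, SPAN port or next-hop device), since the slides' premise is that a driver below the local sniffer decides what that sniffer sees.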

Conclusions
- Passive kernel malware difficult to spot
- There are significant implementation challenges for coders
- Prevention remains key approach

Thank You

Infected Workstation
Alice – Browser Capture
Alice-Bob Network Traces
Alice Driver_SNAT
Alice_SNAT
Back to Infected Workstation
Bob_Double_NAT (4 slides)
Back to Infected Workstation

Infected Server
Server network trace
Server SNAT&DPAT
Back to Infected Server

HTTP Injection
Alice – browser video
Alice – network trace
Alice - original data
Alice – driver work (4 slides)
Back to HTTP Injection
Bob – driver work
Bob – modified request
Bob – driver work (2 slides)
Back to HTTP Injection

SSL Injection
Alice – original data
Post Insert – Wire Noise!
Alice – SSL clean
Back to SSL Injection
Bob – Post modification. Clean!!
Back to SSL Injection