Article 63: Traffic characteristics and detection methods of US NSA quantum injection attacks


Part1 Preface

Hello everyone, my name is ABC_123. The official account has been officially renamed "Xitan Laboratory", please stay tuned. Not long ago I spent some time studying the US NSA's quantum injection attack method and shared the results at the Hackingclub Shandong Jinan Station technology salon. Some netizens sneered at this attack method, thinking it was a gimmick by the United States and highly exaggerated. That view does not hold up: this quantum injection attack method and the "Acid Fox" 0day attack platform were developed in the United States and exposed by Snowden, and as the English PPT leaked in the "Prism Gate" incident repeatedly notes, their classification level is very high, so the United States had no reason to stage an internal stunt.

This attack method has two major difficulties: it must be backed by a range of browser remote overflow 0day vulnerabilities, and it also requires control of a large number of intermediate network devices, which is hard for an ordinary APT organization to achieve. ABC_123 has briefly introduced the attack method before. Following the line of thought of "how to defend against unknown attacks", this article shares the traffic characteristics and detection methods of US quantum injection attacks.

It is recommended that everyone star the official account "Xitan Laboratory", otherwise you may not see its posts! Official accounts can now show large-image pushes only to frequently read and starred subscribers. How to do it: click [...] in the upper right corner, then click [Set as Star].


Part2 Technical Research Process

First, here is a schematic diagram of the US NSA quantum injection attack drawn by ABC_123.


Normal access process: when an ordinary user accesses the test111.com website, the request packet sent by the browser is forwarded through multiple network devices until it reaches the test111.com server. test111.com returns the Hello World web page, which travels back through multiple network devices to the user's browser; the browser renders the page and displays it to the user.

Quantum injection process: the US NSA uses a 0day vulnerability in a network device, or a password collected during an earlier APT attack, to gain access to a network device on the path, and then installs the "second date" man-in-the-middle hijacking tool. This tool forges a response packet that reaches the user's browser before the genuine packet returned by the test111.com website. A malicious link such as Location: http://fox-exploit.com/ is inserted into the forged response, forcing the user's browser to visit the malicious URL fox-exploit.com without the user noticing. That URL is the "Acid Fox" 0day attack platform built by the United States. The platform first determines the target user's browser version, operating system version and so on through its information collection module, then delivers the matching browser remote overflow 0day exploit to take control of the user's computer and carry out monitoring.

  • Traffic characteristic analysis

This kind of attack can basically only be detected in the traffic, so it is essential to be familiar with its traffic characteristics. Next, ABC_123 describes the traffic characteristics of quantum injection attacks at the network layer, transport layer, and application layer.

  • Both returned packets have the same sequence number

First, the transport-layer characteristic. This comes from an analysis article published abroad, and it can be called a fatal shortcoming of quantum injection attacks: as shown in the figure below, a Wireshark capture shows two response packets for the same request with the same Sequence Number (raw) value, and the later-arriving response packet is obviously discarded.


  • There are differences in survival time TTL values

Next, the network-layer characteristic. Comparing the two response packets, we found that the tampered, malicious response packet arrives at the user's browser earlier than the response packet from the genuine website, and its TTL value is usually larger, because the genuine response packet is forwarded through more network devices, each of which decrements the TTL by 1.


  • The returned data packet contains a malicious URL

Finally, the application-layer characteristic. Generally speaking, the response packets of a quantum injection attack come in two main forms: one directly returns a 302 redirect with a malicious URL in the Location header, redirecting the user's browser to the malicious URL; the other inserts an iframe tag into the returned page with the malicious URL embedded in it. The second form is harder to detect, and it is best to combine it with a threat intelligence system to identify malicious domain names.
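As an added example (not code from the original article), here is a small detector that applies the three characteristics above to a capture: it groups server-to-client segments by flow and raw sequence number, treats the first-arriving of two conflicting segments as the suspect, reports the TTL gap and any Location or iframe URL it carries, and ignores same-seq duplicates with identical payload, which are ordinary retransmissions. The addresses and packets are constructed sample data.

```python
import re
from collections import defaultdict, namedtuple

# One server->client TCP segment, in capture (arrival) order: IP TTL, raw TCP seq, HTTP payload
Packet = namedtuple("Packet", "src sport dst dport ttl seq payload")

# Application-layer signs the article lists: a 30x with a Location header, or an injected iframe
REDIRECT_RE = re.compile(rb"^HTTP/1\.[01] 30[1278]\b.*?\r\nLocation:[ \t]*(\S+)", re.S | re.I)
IFRAME_RE = re.compile(rb"<iframe[^>]*\bsrc=[\"']?(https?://[^\"'\s>]+)", re.I)

def find_quantum_candidates(packets):
    """One finding per flow where two server->client segments share a raw seq but carry
    different data; the segment that arrived first is the suspect. Same-seq segments with
    identical payload are ordinary TCP retransmissions and are not reported."""
    by_seq = defaultdict(list)
    for p in packets:
        by_seq[(p.src, p.sport, p.dst, p.dport, p.seq)].append(p)
    findings = []
    for (src, sport, dst, dport, seq), pkts in by_seq.items():
        first, later = pkts[0], pkts[1:]
        conflicting = [q for q in later if q.payload != first.payload]
        if not conflicting:
            continue  # lone segment or plain retransmission
        indicators = ["duplicate_seq"]
        # Network layer: the forged packet is emitted closer to the client, so fewer
        # routers decremented its TTL and it arrives with a larger value
        ttl_gap = first.ttl - max(q.ttl for q in conflicting)
        if ttl_gap > 0:
            indicators.append(f"ttl_gap={ttl_gap}")
        m = REDIRECT_RE.search(first.payload) or IFRAME_RE.search(first.payload)
        if m:
            indicators.append("injected_url=" + m.group(1).decode("ascii", "replace"))
        findings.append({"flow": f"{src}:{sport}->{dst}:{dport}", "seq": seq,
                         "winner_ttl": first.ttl, "indicators": indicators})
    return findings

# Constructed sample capture: a forged 302 beats the genuine 200 to the client (seq 1001),
# followed by a harmless retransmission of the next segment (seq 1057).
SAMPLE = [
    Packet("203.0.113.10", 80, "192.0.2.5", 51234, 61, 1001,
           b"HTTP/1.1 302 Found\r\nLocation: http://fox-exploit.com/\r\nContent-Length: 0\r\n\r\n"),
    Packet("203.0.113.10", 80, "192.0.2.5", 51234, 52, 1001,
           b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nHello World"),
    Packet("203.0.113.10", 80, "192.0.2.5", 51234, 52, 1057, b"<html>Hello World</html>"),
    Packet("203.0.113.10", 80, "192.0.2.5", 51234, 52, 1057, b"<html>Hello World</html>"),
]

if __name__ == "__main__":
    for finding in find_quantum_candidates(SAMPLE):
        print(finding)
```

On real captures the same logic runs over the server-to-client direction of each TCP flow; a forged source TTL (summary point 3) removes only the ttl_gap indicator, the duplicate-seq conflict still fires.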


Part3 Summary

1. At present, some domestic security equipment can already detect quantum injection attacks, but ABC_123 has not tested them and cannot comment on how high the detection rate is.

2. The above characteristics can basically identify a quantum injection attack, but it may be confused with an ordinary TCP connection hijacking attack. It still takes the experience of technical personnel to tell them apart.

3. Quantum injection attacks may also forge the source TTL value. That case is very difficult to handle, but there are still ways to trace the attack back to the compromised routing node. ABC_123 will write a dedicated article to share that research in the future, so stay tuned.


The official account focuses on sharing network security technology, including APT event analysis, red team attack and defense, blue team analysis, penetration testing, code audit and more. One article per week, 99% original, so stay tuned.

Contact me: 0day123abc#gmail.com(replace # with @)


Origin blog.csdn.net/m0_71692682/article/details/130896445