Friday, 11 July 2008

Packet Anonymization with PktAnon


I noticed a new tool on Packetstorm recently: PktAnon by Christoph P. Mayer, Thomas Gamer, and Dr. Marcus Schöller.

The tool looks powerful because you can apply a variety of anonymization policies, chosen per header field, through settings in an XML configuration file.

It was easy to install the tool on Debian 4.0:


tws:~# cd /usr/local/src
tws:/usr/local/src# wget http://www.tm.uka.de/pktanon/download/pktanon-1.2.0-dev.tar.gz
...edited...
tws:/usr/local/src# tar -xzf pktanon-1.2.0-dev.tar.gz
tws:/usr/local/src# sudo apt-get install libxerces27-dev libboost-dev
-su: sudo: command not found
tws:/usr/local/src# apt-get install libxerces27-dev libboost-dev
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
libicu36 libxerces27
Suggested packages:
libboost-doc libboost-date-time-dev libboost-filesystem-dev
libboost-graph-dev libboost-iostreams-dev libboost-program-options-dev
libboost-python-dev libboost-regex-dev libboost-serialization-dev
libboost-signals-dev libboost-test-dev libboost-thread-dev libboost-wave-dev
xalan libxerces27-doc
The following NEW packages will be installed:
libboost-dev libicu36 libxerces27 libxerces27-dev
0 upgraded, 4 newly installed, 0 to remove and 3 not upgraded.
Need to get 9259kB of archives.
After unpacking 44.7MB of additional disk space will be used.
Do you want to continue [Y/n]? y
...edited...
tws:/usr/local/src# cd pktanon-1.2.0-dev
tws:/usr/local/src/pktanon-1.2.0-dev# mkdir /usr/local/pktanon
tws:/usr/local/src/pktanon-1.2.0-dev# ./configure --prefix=/usr/local/pktanon
tws:/usr/local/src/pktanon-1.2.0-dev# make
tws:/usr/local/src/pktanon-1.2.0-dev# make install

Next you choose which of the anonymization profiles you want; the tool ships with low, medium and high settings, and here I start from settings_high.xml. The configuration file is also where you tell the tool where the Input capture is and where the Output should be written.

For example, here is the first, original packet.

tws:/tmp# tcpdump -c 1 -r sample.ftp.pcap -neXvvv

reading from file sample.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 00:0c:29:2d:6a:a0 > 00:50:56:ee:e5:fc, ethertype IPv4 (0x0800),
length 74: (tos 0x0, ttl 64, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 60) 192.168.255.131.1385 > 62.243.72.50.21: S, cksum 0x7890 (correct),
2888152290:2888152290(0) win 5840 <mss 1460,sackOK,timestamp 199370 0,nop,wscale 2>
0x0000: 4500 003c be28 4000 4006 3542 c0a8 ff83 E..<.(@.@.5B....
0x0010: 3ef3 4832 0569 0015 ac25 b4e2 0000 0000 >.H2.i...%......
0x0020: a002 16d0 7890 0000 0204 05b4 0402 080a ....x...........
0x0030: 0003 0aca 0000 0000 0103 0302 ............

Here is the settings_low profile output.

tws:/tmp# tcpdump -c 1 -r anon.low.ftp.pcap -neXvvv

reading from file anon.low.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 00:0c:29:2d:6a:a0 > 00:50:56:ee:e5:fc, ethertype IPv4 (0x0800),
length 74: (tos 0x0, ttl 64, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 60) 246.142.91.186.1385 > 90.113.151.13.21: S, cksum 0x7c1a (correct),
2888152290:2888152290(0) win 5840 <mss 1460,sackOK,timestamp 199370 0,nop,wscale 2>
0x0000: 4500 003c be28 4000 4006 38cc f68e 5bba E..<.(@.@.8...[.
0x0010: 5a71 970d 0569 0015 ac25 b4e2 0000 0000 Zq...i...%......
0x0020: a002 16d0 7c1a 0000 0204 05b4 0402 080a ....|...........
0x0030: 0003 0aca 0000 0000 0103 0302 ............

I decided I wanted a low profile that also modified MAC addresses, so I copied the low setting and then made this change:

<configitem anon="AnonBytewiseHashSha1" name="MacSource"/>
<configitem anon="AnonBytewiseHashSha1" name="MacDest"/>

This was the result.

tws:/tmp# tcpdump -c 1 -r anon.low-mac.ftp.pcap -neXvvv
reading from file anon.low-mac.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 da:cb:dc:54:d2:51 > da:28:8d:39:ef:7b, ethertype IPv4 (0x0800),
length 74: (tos 0x0, ttl 64, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 60) 246.142.91.186.1385 > 90.113.151.13.21: S, cksum 0x7c1a (correct),
2888152290:2888152290(0) win 5840 <mss 1460,sackOK,timestamp 199370 0,nop,wscale 2>
0x0000: 4500 003c be28 4000 4006 38cc f68e 5bba E..<.(@.@.8...[.
0x0010: 5a71 970d 0569 0015 ac25 b4e2 0000 0000 Zq...i...%......
0x0020: a002 16d0 7c1a 0000 0204 05b4 0402 080a ....|...........
0x0030: 0003 0aca 0000 0000 0103 0302 ............
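Two things in the output above are worth checking rather than taking on faith. First, tcpdump reports every anonymized checksum as "(correct)", which means PktAnon recomputes the IP and TCP checksums after rewriting the addresses; a sanitizer that fails to do this produces traces that are both obviously edited and rejected by many analysis tools. Second, AnonBytewiseHashSha1 replaces each octet independently, and you can see the consequence in the low-mac output: both original MACs begin with 0x00 and both anonymized MACs begin with 0xda. The following script is an added example, not code from the post or from PktAnon. It recomputes the checksums over the hex dumps shown above, models the bytewise-hash idea with a keyed SHA-1 (an illustrative construction that will not reproduce PktAnon's exact bytes), and shows why a bytewise mapping is weak: one known original/anonymized pair reveals the substitution for every octet value it contains. The key and the MAC pairs below are taken from the post or constructed for the demo, as marked.

```python
import hashlib

# Transcribed from the tcpdump -X dumps in the post: IP header onward,
# Ethernet header omitted. First the original SYN, then the settings_low result.
ORIGINAL_HEX = (
    "4500 003c be28 4000 4006 3542 c0a8 ff83"
    " 3ef3 4832 0569 0015 ac25 b4e2 0000 0000"
    " a002 16d0 7890 0000 0204 05b4 0402 080a"
    " 0003 0aca 0000 0000 0103 0302"
)
ANON_LOW_HEX = (
    "4500 003c be28 4000 4006 38cc f68e 5bba"
    " 5a71 970d 0569 0015 ac25 b4e2 0000 0000"
    " a002 16d0 7c1a 0000 0204 05b4 0402 080a"
    " 0003 0aca 0000 0000 0103 0302"
)
# (original, anonymized) MAC pairs from the anon.low-mac output in the post.
MAC_PAIRS = [
    ("00:0c:29:2d:6a:a0", "da:cb:dc:54:d2:51"),
    ("00:50:56:ee:e5:fc", "da:28:8d:39:ef:7b"),
]


def hexdump_to_bytes(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(pkt: bytes) -> int:
    """Recompute the IPv4 header checksum with the checksum field zeroed."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[10:12] = b"\x00\x00"
    return 0xFFFF ^ ones_complement_sum(bytes(hdr))


def tcp_checksum(pkt: bytes) -> int:
    """Recompute the TCP checksum over the pseudo-header plus segment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    seg = bytearray(pkt[ihl:total_len])
    seg[16:18] = b"\x00\x00"
    pseudo = pkt[12:20] + b"\x00\x06" + len(seg).to_bytes(2, "big")
    return 0xFFFF ^ ones_complement_sum(pseudo + bytes(seg))


def checksums_consistent(pkt: bytes) -> bool:
    """True if the stored IP and TCP checksums match a fresh computation."""
    ihl = (pkt[0] & 0x0F) * 4
    stored_ip = int.from_bytes(pkt[10:12], "big")
    stored_tcp = int.from_bytes(pkt[ihl + 16:ihl + 18], "big")
    return stored_ip == ip_checksum(pkt) and stored_tcp == tcp_checksum(pkt)


def anon_byte(b: int, key: bytes) -> int:
    """Illustrative bytewise keyed hash: each octet is substituted on its own.
    This models the idea behind AnonBytewiseHashSha1, not PktAnon's exact
    construction, so the outputs will not match the post byte for byte."""
    return hashlib.sha1(key + bytes([b])).digest()[0]


def anon_mac(mac: str, key: bytes) -> str:
    return ":".join(f"{anon_byte(int(o, 16), key):02x}" for o in mac.split(":"))


def learn_byte_map(pairs):
    """Recover the per-octet substitution from known (original, anonymized) pairs.
    A bytewise scheme has at most 256 substitutions, so every octet value seen
    in a known pair is unmasked for the whole trace."""
    mapping = {}
    for orig, anon in pairs:
        for o, a in zip(orig.split(":"), anon.split(":")):
            o, a = int(o, 16), int(a, 16)
            if mapping.setdefault(o, a) != a:
                raise ValueError("mapping is not bytewise-consistent")
    return mapping


def deanon_mac(anon: str, mapping) -> str:
    """Invert the octets present in the learned map; unknown octets become '??'."""
    inverse = {a: o for o, a in mapping.items()}
    return ":".join(f"{inverse[int(x, 16)]:02x}" if int(x, 16) in inverse else "??"
                    for x in anon.split(":"))


if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL_HEX), ("settings_low", ANON_LOW_HEX)):
        pkt = hexdump_to_bytes(dump)
        print(f"{name}: ip=0x{ip_checksum(pkt):04x} tcp=0x{tcp_checksum(pkt):04x} "
              f"consistent={checksums_consistent(pkt)}")
    key = b"constructed-demo-key"  # constructed for the demo, not a real secret
    for orig, _ in MAC_PAIRS:
        print(orig, "->", anon_mac(orig, key))
    m = learn_byte_map(MAC_PAIRS)
    print("learned octet map:", {f"{k:02x}": f"{v:02x}" for k, v in sorted(m.items())})
    print("da:cb:dc:54:d2:51 ->", deanon_mac("da:cb:dc:54:d2:51", m))
```

The checksum functions reproduce 0x3542/0x7890 for the original packet and 0x38cc/0x7c1a for the settings_low output, confirming that the anonymized trace was re-checksummed. The last two functions are the practical caveat: because both source MACs here are VMware addresses (00:0c:29 and 00:50:56 are VMware OUIs), an analyst who knows that much about the capture environment, or who has any one unanonymized packet, can unmask the 0x00 octet and every other octet value those addresses share across the entire trace. If hiding vendor prefixes matters, hash the whole address or use a prefix-preserving scheme rather than a per-octet one.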

Finally I ran the medium and high settings. Compare the output with the low profile: medium also rewrites the ports and TTL and drops the TCP options (the frame shrinks from 74 to 60 bytes), while high additionally rewrites the sequence number and window size and uses a different MAC mapping.

tws:/tmp# tcpdump -c 1 -r anon.medium.ftp.pcap -neXvvv
reading from file anon.medium.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 da:cb:dc:54:d2:51 > da:28:8d:39:ef:7b, ethertype IPv4 (0x0800),
length 60: (tos 0x0, ttl 116, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 40) 21.248.227.61.19357 > 172.148.57.189.56062: S, cksum 0x31e7
(correct), 2888152290:2888152290(0) win 5840
0x0000: 4500 0028 be28 4000 7406 6920 15f8 e33d E..(.(@.t.i....=
0x0010: ac94 39bd 4b9d dafe ac25 b4e2 0000 0000 ..9.K....%......
0x0020: 5002 16d0 31e7 0000 0000 0000 0000 P...1.........

tws:/tmp# tcpdump -c 1 -r anon.high.ftp.pcap -neXvvv
reading from file anon.high.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 55:3e:4d:bf:1f:e8 > 55:35:a0:67:f1:3a, ethertype IPv4 (0x0800),
length 60: (tos 0x0, ttl 126, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 40) 162.131.129.172.20319 > 97.102.43.234.21842: S, cksum 0xb113
(correct), 2888279266:2888279266(0) win 5907
0x0000: 4500 0028 be28 4000 7e06 8d27 a283 81ac E..(.(@.~..'....
0x0010: 6166 2bea 4f5f 5552 ac27 a4e2 2080 2000 af+.O_UR.'......
0x0020: 5002 1713 b113 0000 0000 0000 0000 P.............

We should be able to try this tool with OpenPacket.org. Let me know what you think.

For details on the anonymization policies please read the documentation.
