NSA and VPN
NSA and VPNs
A recent article in Der Spiegel shows lots of new attacks against:
SSL/TLS
PPTP
IPSEC
SSH
http://www.spiegel.de/international/world/nsa-documents-attacks-on-vpn-ssl-tls-ssh-tor-a-1010525.html
The Program
Falls under the "Office of Target Pursuit" (OTP)
Named OTP VPN Exploitation Team
Now called OTTERCREAK
TOYGRIPPE: repository of VPN metadata of systems of interest
• includes machine fingerprint and the VPN service connected to (e.g. PIA)
BLEAKINQUIRY: repository of potentially exploitable VPNs
• unclear if this means list of VPNs on the internet, or common configurations
XKEYSCORE: a common source of VPNs to exploit, but it also includes random people like you and me
• not used as a primary attack source unless necessary, because of the legal hoops they have to go through
The Workflow
Analyst targets someone (e.g. me) and finds that the target is using a VPN
Analyst must come up with a way to collect inbound and outbound traffic of the target
Calls up OTP VPN Exploit Team
They look at the metadata (traffic fingerprinting), define the attacks, and search through
collection sources
• TOYGRIPPE: has a list of all the VPN metadata
• PINWALE: long term collection of “SIGINT”
• XKEYSCORE: raw packet captures from everyone
• VULCANDEATHGRIP: raw packet captures for VPNs
• FOURSCORE: repo for PPTP
• CORALREEF: database of PSKs for VPNs
Decrypt traffic and return the results (passive or active)
TOYGRIPPE
Lets an analyst search through tons of metadata from a variety of
collection sources
• MUSCULAR
• UKJ-260D??
Focused on IPsec, PPTP, and ViPNet (the slide attributes it to Vodafone; ViPNet is actually InfoTeCS's Russian VPN product)
Example of using TOYGRIPPE to find VPN metadata (screenshot; only the callouts survive):
• IR = Iran
• S = source port 1037
• Sites where the data was collected
IPSEC Review
IPsec VPNs are the most common in enterprise environments
Peers authenticate with either a pre-shared key (PSK) or public-key certificates
ISAKMP/IKE packets (UDP 500, or UDP 4500 behind NAT) perform the handshake that negotiates temporary keys for
your session
ESP packets (IP protocol 50) carry the actual encrypted data
Example IPSEC: FTM 1
“Follow the Money” FTM target 1
Implanted keyloggers and other hardware but it didn’t work
Called up TAO, who owned the target and recovered the VPN configuration files,
including PSKs
• Can now “passively exploit”, which should mean decrypting captured VPN traffic
• Caveat: in IKE the PSK only authenticates the peers; the ESP keys also depend on the Diffie-Hellman shared secret, so a PSK by itself lets an adversary impersonate or MITM a peer (active), while passive decryption additionally needs the DH value (from an implant, or from a DH group weak enough to break)
Example IPSEC: FTM 2
TAO owns the router
Network Security Products “implant” allows passive exploitation
• This implies that it is a way of collecting the temporary IKE/ISAKMP key material
• Maybe by making it predictable, or by sabotaging the handshake
Result: captured ESP packets can be decrypted directly
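The two FTM cases differ in what the adversary holds: a stolen PSK (FTM 1) versus key material leaked by a router implant (FTM 2). The added example below, which is not from the slides or the leaked documents, walks the IKEv1 pre-shared-key key schedule from RFC 2409 to show why that distinction matters: SKEYID needs only the PSK and the nonces on the wire, but SKEYID_d, from which every ESP key is derived, also needs the Diffie-Hellman secret g^xy. The DH group, cookies, nonces, PSK and private values are all constructed, and the group is deliberately tiny so that the "weak group" path can brute-force the discrete log; real IKE uses 1024-bit and larger MODP groups with identical arithmetic.

```python
"""IKEv1 pre-shared-key key schedule (RFC 2409 section 5), as an added example.
Shows what an eavesdropper who holds the PSK can and cannot derive from a
captured Main Mode exchange. Everything below is constructed: toy DH group,
made-up cookies, nonces and PSK."""
import hashlib
import hmac

# Toy MODP group, constructed so the discrete log is brute-forceable.
# 3 is a primitive root mod 65537. Never use this in practice.
P, G = 65537, 3


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf when SHA-1 is negotiated: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def i2b(n: int) -> bytes:
    """Big-endian encoding; real implementations pad to the group length."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b): needs only the PSK and the wire."""
    return prf(psk, ni + nr)


def skeyid_d(skeyid: bytes, gxy: int, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0). All IPsec SA keys
    (the ESP KEYMAT) derive from this, so it is what passive exploitation
    has to recover."""
    return prf(skeyid, i2b(gxy) + cky_i + cky_r + b"\x00")


def dlog(public: int) -> int:
    """Brute-force x with G^x mod P == public: feasible only because the group is tiny."""
    acc = 1
    for x in range(P - 1):
        if acc == public:
            return x
        acc = acc * G % P
    raise ValueError("no discrete log found")


def capture_main_mode(psk, x_i, x_r, ni, nr, cky_i, cky_r):
    """Run the honest endpoints; return (what was on the wire, the real SKEYID_d)."""
    gxi, gxr = pow(G, x_i, P), pow(G, x_r, P)
    gxy = pow(gxr, x_i, P)  # initiator's view; the responder computes the same value
    sk = skeyid_psk(psk, ni, nr)
    wire = {"ni": ni, "nr": nr, "cky_i": cky_i, "cky_r": cky_r, "gxi": gxi, "gxr": gxr}
    return wire, skeyid_d(sk, gxy, cky_i, cky_r)


def eavesdropper(psk, wire, implant_x_r=None, weak_group=False):
    """What a passive collector holding the PSK (e.g. from a stolen config) gets.
    Returns (SKEYID, SKEYID_d or None)."""
    sk = skeyid_psk(psk, wire["ni"], wire["nr"])  # PSK + nonces: always derivable
    if implant_x_r is not None:                    # router implant leaked the DH private value
        gxy = pow(wire["gxi"], implant_x_r, P)
    elif weak_group:                               # DH group small enough to break
        gxy = pow(wire["gxr"], dlog(wire["gxi"]), P)
    else:                                          # PSK alone: g^xy is out of reach
        return sk, None
    return sk, skeyid_d(sk, gxy, wire["cky_i"], wire["cky_r"])


PSK = b"hunter2-constructed-psk"  # constructed
X_I, X_R = 12345, 54321           # constructed private DH values
WIRE, REAL_SKEYID_D = capture_main_mode(
    PSK, X_I, X_R, ni=b"\x01" * 16, nr=b"\x02" * 16, cky_i=b"\xa1" * 8, cky_r=b"\xb2" * 8)

if __name__ == "__main__":
    for label, kw in [("PSK only", {}),
                      ("PSK + implant", {"implant_x_r": X_R}),
                      ("PSK + weak DH group", {"weak_group": True})]:
        _, d = eavesdropper(PSK, WIRE, **kw)
        print(f"{label:22s} -> SKEYID_d {'recovered' if d == REAL_SKEYID_D else 'NOT recovered'}")
```

The same dependency holds for IKEv2, where SKEYSEED is prf(Ni | Nr, g^ir) and the PSK only enters the AUTH payload. That is why a stolen PSK on its own buys an active attack, and why an implant that exposes the DH private value or a weak DH group is what turns it into passive decryption of the ESP stream.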
PPTP Review
Microsoft Point-to-Point Tunneling Protocol
Broken years ago by Moxie Marlinspike and others: MS-CHAPv2 authentication can be cracked offline from a captured handshake, and the MPPE session keys derive from the same credential, so a captured session can be decrypted
Outdated but still used
Control channel operates on TCP 1723
Data channel is GRE, IP protocol 47 (a protocol number, not a port)
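The TOYGRIPPE slides key on exactly the metadata that the IPsec and PPTP reviews above describe: protocol numbers, ports, and the cleartext ISAKMP header. The added example below (my code, not the slides' or any NSA tool) tags flows by the VPN protocol their 5-tuple implies and parses the 28-byte ISAKMP header to recover version, exchange type and SPIs, which is enough to tell IKEv1 Aggressive Mode (where the PSK hash travels in the clear) from Main Mode or IKEv2. The flow records and the IKE packet are constructed; flows are assumed to be recorded in the client-to-server direction.

```python
"""Passive VPN fingerprinting from flow metadata and the ISAKMP header, as an
added example. The flow records and the IKE packet are constructed."""
import struct
from dataclasses import dataclass

# IP protocol numbers and ports (RFC 2408/2409 for IKE, RFC 3948 for NAT-T, RFC 2637 for PPTP).
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50
PORT_IKE, PORT_IKE_NATT, PORT_PPTP = 500, 4500, 1723

# ISAKMP exchange types (RFC 2408 section 3.1, RFC 7296 section 3.1).
EXCHANGE_NAMES = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive Mode",
                  32: "IKEv1 Quick Mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int = 0  # 0 for protocols without ports (ESP, GRE)
    dport: int = 0


def classify_flow(f: Flow) -> str:
    """Tag a flow by the VPN protocol its 5-tuple implies, or 'other'."""
    if f.proto == PROTO_ESP:
        return "ipsec-esp"
    if f.proto == PROTO_UDP and PORT_IKE in (f.sport, f.dport):
        return "ipsec-ike"
    if f.proto == PROTO_UDP and PORT_IKE_NATT in (f.sport, f.dport):
        return "ipsec-nat-t"  # IKE or UDP-encapsulated ESP behind NAT
    if f.proto == PROTO_TCP and PORT_PPTP in (f.sport, f.dport):
        return "pptp-control"
    if f.proto == PROTO_GRE:
        return "pptp-gre"  # GRE is IP protocol 47, not a port
    return "other"


def vpn_endpoints(flows):
    """Group VPN-tagged flows per remote endpoint (assumes client-to-server records)."""
    seen = {}
    for f in flows:
        tag = classify_flow(f)
        if tag != "other":
            seen.setdefault(f.dst, set()).add(tag)
    return seen


def parse_isakmp_header(payload: bytes, natt: bool = False) -> dict:
    """Parse the fixed 28-byte ISAKMP header (RFC 2408 section 3.1).
    On UDP 4500 an IKE packet is prefixed by a 4-byte zero non-ESP marker."""
    if natt:
        if payload[:4] != b"\x00\x00\x00\x00":
            raise ValueError("UDP 4500 packet without non-ESP marker (probably ESP)")
        payload = payload[4:]
    if len(payload) < 28:
        raise ValueError("truncated ISAKMP header")
    icky, rcky, _npay, ver, exch, flags, _msgid, length = struct.unpack("!8s8sBBBBII", payload[:28])
    return {
        "initiator_spi": icky.hex(),
        "responder_spi": rcky.hex(),          # all zero in the very first message
        "version": f"{ver >> 4}.{ver & 0xF}",  # 0x10 = IKEv1, 0x20 = IKEv2
        "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & 0x01),      # E bit: payloads after the header are encrypted
        "length": length,
    }


# Constructed flow records: one IPsec client and one PPTP client plus ordinary HTTPS.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", PROTO_UDP, 500, 500),
    Flow("10.0.0.5", "203.0.113.7", PROTO_ESP),
    Flow("10.0.0.9", "198.51.100.2", PROTO_TCP, 49152, 1723),
    Flow("10.0.0.9", "198.51.100.2", PROTO_GRE),
    Flow("10.0.0.9", "93.184.216.34", PROTO_TCP, 49153, 443),
]

# Constructed first message of an IKEv1 Aggressive Mode exchange:
# initiator SPI set, responder SPI zero, next payload 1 (SA), version 1.0, flags 0.
SAMPLE_IKE = (bytes.fromhex("0011223344556677") + bytes(8)
              + bytes([1, 0x10, 4, 0]) + struct.pack("!II", 0, 28))

if __name__ == "__main__":
    for dst, tags in vpn_endpoints(SAMPLE_FLOWS).items():
        print(f"{dst:16s} {sorted(tags)}")
    print(parse_isakmp_header(SAMPLE_IKE))
```

Main Mode versus Aggressive Mode is the first thing worth reading off a capture: Aggressive Mode with PSK exposes a hash of the PSK that can be attacked offline, whereas Main Mode identity payloads are already encrypted. The same header parse applied to IKEv2 (version 2.0, exchange 34) tells you the handshake is at least not leaking that.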
Example PPTP: Airlines, Telcos, Governments
The slides just list sites that have been owned, which implies a protocol-level exploit rather than a
per-target implant
Iran Air
Royal Jordanian Air
Transaero Airlines
Mexican Embassy
Pakistani General Intelligence
Turkish Embassy
Afghanistan Government (apparently the whole thing)
More Example PPTP
Zaad Financial bank
Kabul Bank
BNI Banking Indonesia
And so on…
TL;DL
These files date from around April 2011, and some of them are older
Most of the exploitations are not VPN destroying, just concerning
The team seems mainly to implement attacks using other people’s exploits
• Decrypt TLS when TAO collects the private keys
• Decrypt IPSEC when the PSK is discovered
• Decrypt SSH when the private keys are found
They (probably) can’t…
• Own all VPNs with a single click
• Own your personal VPN
• Own SSH and TLS automatically
TL;DL: They Can…probably
See that you are on a VPN, which VPN, and if that VPN has an exploit
Own you completely via PPTP
Capture your VPN traffic and try to decrypt it later
Call up TAO or NSP to implant something on your network that would make your
VPN owned
Decrypt SSH tunnels with the help of TAO or NSP
Decrypt SSL/TLS tunnels with the help of TAO or NSP
Lookup your router and see if there is an exploit for it
Pay attention to large VPN providers to exploit them including your traffic
Defense
1. Run your own private VPN on VPS
• Good for increasing the effort to exploit you
• Bad because it’s cloud
• Bad because all your traffic is directly attributed to you
2. Use a VPN service like PIA
• Good because it’s cheap and difficult (>0) to tell which is your traffic and which is someone else’s
• Good because it doesn’t allow your ISP to see your traffic
• Bad because the bigger the target, the more likely you are to be “tasked”
3. Tor
• Good because anonymity
• Bad because unrealistically slow
