[Noisebridge-discuss] what if: network forensics class

Josh Juran jjuran at gmail.com
Sun Jun 14 22:14:49 UTC 2015


On Jun 14, 2015, at 12:51 PM, David Stainton <dstainton415 at gmail.com> wrote:

> 1. every popular TCP analyzer software needs to be rewritten to handle
> TCP injection attacks properly. Here are all the TCP injection attacks
> that are possible:
> https://github.com/david415/HoneyBadger_docs/blob/hackpad1/source/how-to-badger-the-puppet-masters.rst#tcp-injection-attack-categories

What about protocols that provide their own reliability on top of UDP?  Can these attacks be generalized to target them as well?

> 2. I'd like to start a class/group that regularly meets in person or
> online; collectively writes network forensics tools.

I'm interested in learning more about this, although I won't be able to meet in person after this week.

> I'm not sure if there's enough technical interest on this subject...
> but if there is then I'd like to teach about TCP protocol
> analysis/anomaly detection, low level network programming, ethernet
> sniffer packet capture methods, offensive packet spraying for
> detecting Great Cannon MITM etc.

I for one would love to learn more about the nuts and bolts, so to speak.

> Those of you that know me might've noticed that in the past year I've
> become completely obsessed with network protocol anomaly detection,
> forensics, attack detection etc. especially when it comes to the
> subject of NSA attacks on TCP mentioned in Snowden documents.

I'm glad someone's working on this.  For my own part, I've recently taken an interest in langsec, and my first step is designing a new programming language so I can stop using C++ as my workhorse.

http://www.vcode.org/

> Are others interested in getting together to talk about the gory
> technical details of writing "network forensics software"?
> If the answer is no then I'd like to just move to Germany forever and
> find actual hackers over there to work with. Your move.

Well, I'm leaving the Bay Area so I can't help you there. :-/

Josh
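As an added example (my own code, not from this thread or from HoneyBadger): the TCP injection attacks David links to all leave the same footprint in a capture, two segments of one flow that overlap in sequence space but carry different bytes, where an honest retransmission would repeat the same data. The detector below works on a constructed, single-flow list of segments and assumes absolute sequence numbers with no wraparound.

```python
# Added example: flag overlapping TCP segments whose bytes disagree,
# the symptom a forensic analyzer needs to catch for injection attacks.
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    ts: float       # capture timestamp (seconds)
    seq: int        # absolute TCP sequence number; wraparound not handled
    payload: bytes  # segment data, empty for pure ACKs

def find_injections(segments):
    """Return (earlier, later) pairs of segments whose overlapping
    sequence range carries different bytes. Identical overlap (a normal
    retransmission) is not reported; empty payloads never overlap."""
    seen, hits = [], []
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.payload:
            for old in seen:
                lo = max(old.seq, seg.seq)
                hi = min(old.seq + len(old.payload), seg.seq + len(seg.payload))
                if lo >= hi:
                    continue  # no shared sequence range
                a = old.payload[lo - old.seq:hi - old.seq]
                b = seg.payload[lo - seg.seq:hi - seg.seq]
                if a != b:
                    hits.append((old, seg))
        seen.append(seg)
    return hits

# Constructed sample flow: a server reply, a second copy of the same
# body under the same sequence range, and a legitimate retransmission.
# The header "HTTP/1.1 200 OK\r\n\r\n" is 19 bytes, so the body starts at 1019.
SAMPLE = [
    Segment(1.0, 1000, b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>"),
    Segment(1.2, 1000, b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>"),  # honest retransmit
    Segment(1.1, 1019, b"<html>bogus</html>"),  # conflicting bytes for seq 1019..1037
]

if __name__ == "__main__":
    for old, new in find_injections(SAMPLE):
        print(f"conflict: seq {new.seq} at t={new.ts} disagrees with segment at t={old.ts}")
```

The conflicting segment is reported twice here, once against the original and once against the retransmission, which is the point: a real analyzer has to compare against every earlier copy, not just the first.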
