Wireshark-dev: Re: [Wireshark-dev] [Full-disclosure] SniffJoke 0.3 release and request for feedback

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Wed, 29 Apr 2009 00:06:12 +0200
On Mon, Apr 27, 2009 at 10:14:03PM +0200, Sake Blok wrote:
> Unfortunately SniffJoke does a lot more (sending RST with bogus seq numbers, sending SYN/FIN/RST frames, etc, I have not looked at all the frames yet). It would take quite some effort and code to analyse the frames and consider the context to disregard them when doing a "follow TCP stream". Even if we succeed in doing so, the sole purpose of SniffJoke is to be evasive, so they will definitely come up with new tricks and we end up in a battle writing code. 

If WS falls for RSTs with out of window sequence numbers, then that should really be considered a bug and needs to be fixed.

> Regarding the Expert Info, since there are packets with all kinds of TTLs and it would take a broader look at all frames to discover the right TTL, I would say it would be a bit tricky to create such an expert info item. Also, filtering on TTL alone won't do it, as you would need to save these frames to a new file first, otherwise the bogus frames will still be used for reassembly.

Adding an expert item should be easy: If there's more than one TTL value seen in a single TCP stream, that either means that there are alternate paths with different amounts of hops in there (which is perfectly possible but still worth an info item) or it is some sort of obfuscation, which is also worth an info item.  Whether/how to handle that case in the reassemble code is another thing.

Last but not least: Deobfuscation is not cracking.

 Ciao
       Joerg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
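The two heuristics discussed in this reply, an expert info item for a TCP stream whose endpoint shows more than one TTL and ignoring RSTs whose sequence number falls outside the receive window, sketched as an added example that is neither part of this thread nor Wireshark's own tcp dissector code. The packet records, the fixed window size and the per-sender sequence tracking are constructed and simplified here (no sequence-number wraparound, no advertised window).

```python
from collections import defaultdict

# Constructed packet records (not a real capture): each carries the fields an
# expert-info check would take from the IP and TCP dissectors.
PACKETS = [
    {"stream": 0, "src": "10.0.0.1", "ttl": 64,  "flags": "S",  "seq": 1000,  "len": 0},
    {"stream": 0, "src": "10.0.0.2", "ttl": 57,  "flags": "SA", "seq": 5000,  "len": 0},
    {"stream": 0, "src": "10.0.0.1", "ttl": 64,  "flags": "A",  "seq": 1001,  "len": 0},
    # injected RST: short TTL and a sequence number far outside the window
    {"stream": 0, "src": "10.0.0.2", "ttl": 3,   "flags": "R",  "seq": 99999, "len": 0},
    {"stream": 0, "src": "10.0.0.1", "ttl": 64,  "flags": "PA", "seq": 1001,  "len": 100},
    {"stream": 1, "src": "10.0.0.3", "ttl": 128, "flags": "S",  "seq": 42,    "len": 0},
    {"stream": 1, "src": "10.0.0.4", "ttl": 120, "flags": "SA", "seq": 7,     "len": 0},
]

WINDOW = 65535  # assumed receive window; a real check would use the advertised one

def ttl_expert_info(packets):
    """Return {stream: {sender: set(ttls)}} for every sender that was seen with
    more than one TTL inside one stream (the 'worth an info item' case)."""
    seen = defaultdict(lambda: defaultdict(set))
    for p in packets:
        seen[p["stream"]][p["src"]].add(p["ttl"])
    return {s: {src: ttls for src, ttls in ends.items() if len(ttls) > 1}
            for s, ends in seen.items()
            if any(len(ttls) > 1 for ttls in ends.values())}

def filter_out_of_window_rsts(packets):
    """Drop RST segments whose seq is outside [next expected, next + WINDOW)
    for that sender, so they cannot tear down reassembly of the stream."""
    next_seq = {}   # (stream, sender) -> next sequence number expected from sender
    kept = []
    for p in packets:
        key = (p["stream"], p["src"])
        expected = next_seq.get(key)
        if "R" in p["flags"] and expected is not None:
            if not (expected <= p["seq"] < expected + WINDOW):
                continue  # bogus RST: ignore it
        kept.append(p)
        # SYN and FIN each consume one sequence number, payload consumes len
        next_seq[key] = p["seq"] + p["len"] + ("S" in p["flags"]) + ("F" in p["flags"])
    return kept
```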