All work on this site, excepting software and unless otherwise noted, is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported License.

    CSCI 495 (Computer Security) Final Project

    Saturday, May 22nd, 2010

This year, I took a special-offer class in Computer Security, in which each individual was required to develop an application over the course of the semester to demonstrate a vulnerability in network security; one that we had discussed and explored as a class. For my part, I wrote an application to perform mobile remote session monitoring and management for TCP-based protocols — which is a bit of a mouthful, so here’s a bit more elaboration from the documentation:

    KillJoy is a mobile TCP session monitor which allows for termination of specific sessions in addition to complete denial of service to a specific computer on the network. In its current implementation, KillJoy is designed to run for and has been tested on the Nokia n810 Internet Tablet, running Maemo 4 (Diablo); however, a minimalistic version also runs as a desktop application (both are experimental works in progress).

    KillJoy’s main strength and distinction is that it does its work as a normal computer on the network, without needing to redirect all traffic through itself or act as a gateway in the form of an Intrusion Detection System (IDS). Instead, it accomplishes this via TCP and ARP packet injection. Furthermore, KillJoy is a flexible tool, allowing both interactive (manual) termination of sessions and automated control based on preset rules.

    Some initial goals for the project included:

    • Maximum portability (application must run on a handheld device)
• The ability to perform passive monitoring and, when necessary, assert active control over an existing TCP session on the network without elevated privileges, provided that access to the network itself has been established (i.e., the network is unprotected or we have previously retrieved the network key)
    • The capability to automatically detect and terminate sessions (connections between a local client and a remote host) that have been previously detected and “blacklisted” by the user
• The capacity to perform higher-level protocol analysis, in order to distinguish between the different application protocols carried over TCP (BitTorrent, Windows Media, etc.). This goal was not achieved by the culmination of the project.

    My original intent for this project was to be able to selectively exclude certain traffic from a network; ultimately this goal was achieved to the extent that the user can control the who, but not the what, since time did not permit the integration of higher protocol analysis into the product. Of course, it should go without saying that the project was intended for educational, and not nefarious purposes!

    The implementation makes use of the technologies listed below. For more information on the development details, please refer to the presentation linked to at the end of this post.

    • Python 2.5
    • Scapy from SecDev.org (provides low-level packet inspection, modification, etc. from Python)
    • The PyGTK library (Python bindings for the GTK+ user interface toolkit)

    Let’s look at an example of KillJoy’s workflow on the Nokia n810. The application begins to monitor network traffic via packet inspection immediately upon startup, listing all detected sessions for every local IP on the network.

[Screenshot: terminate]

The above menu is displayed upon right-clicking on a session (note that right-clicking on a target, or the parent node in the treeview, will display only the second and fourth options, as these operate on the child sessions of the local IP in aggregate).

    Upon selecting the Terminate session menu item, the remote connection is forcibly terminated. To accomplish this, KillJoy hijacks the TCP session and sends in-sequence RST packets to the remote host. (Note that the session will only be removed from view when a certain amount of traffic has passed without any further indication that the connection still exists.)
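The reset described above depends on the receiving TCP stack accepting a RST whose sequence number lands in its receive window. The check that modern stacks apply to blunt this, the stricter rule from RFC 5961 section 3.2, is modelled below. This is an added example in Python 3, not KillJoy's code (which is Python 2.5 and Scapy-based); the sequence numbers and window sizes are constructed sample values.

```python
"""
Receiver-side RST validation, classic (RFC 793 in-window) versus RFC 5961.
Added illustration; not part of KillJoy.  All numbers below are constructed.
"""
from dataclasses import dataclass

SEQ_MOD = 2 ** 32  # TCP sequence space wraps modulo 2^32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), honouring wraparound."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class TcpReceiver:
    """Minimal model of one established connection's receive side."""
    rcv_nxt: int            # next sequence number the receiver expects
    rcv_wnd: int            # advertised receive window
    strict: bool = True     # True: RFC 5961 rule; False: classic in-window rule
    state: str = "ESTABLISHED"
    challenge_acks: int = 0

    def on_rst(self, seq):
        """Apply an incoming RST carrying sequence number `seq`; return the action taken."""
        if self.state != "ESTABLISHED":
            return "ignored"
        if not seq_in_window(seq, self.rcv_nxt, self.rcv_wnd):
            return "dropped"            # out of window: silently discarded by both rules
        if not self.strict or seq == self.rcv_nxt:
            self.state = "CLOSED"       # classic: any in-window RST; strict: exact RCV.NXT only
            return "reset"
        # In-window but not exactly RCV.NXT: RFC 5961 answers with a challenge
        # ACK (which carries the true RCV.NXT) and keeps the connection open.
        self.challenge_acks += 1
        return "challenge_ack"


def replay_rsts(rcv_nxt, rcv_wnd, rst_seqs, strict):
    """Feed RST segments in order; return (outcomes, index of the RST that closed the
    connection, or None if it survived)."""
    rx = TcpReceiver(rcv_nxt, rcv_wnd, strict=strict)
    outcomes = []
    for i, seq in enumerate(rst_seqs, 1):
        outcomes.append(rx.on_rst(seq))
        if rx.state == "CLOSED":
            return outcomes, i
    return outcomes, None


if __name__ == "__main__":
    # Constructed scenario: receiver expects 1000 with a 65535-byte window;
    # RSTs arrive with sequence numbers that are in-window, out-of-window,
    # in-window again, and finally exact.
    seqs = [20000, 999, 1500, 1000]
    for strict in (False, True):
        print("strict=%s -> %s" % (strict, replay_rsts(1000, 65535, seqs, strict)))
```

The difference is what the model makes visible: under the classic rule the first in-window RST closes the connection, whereas under RFC 5961 only the segment whose sequence number equals RCV.NXT does, and the near misses produce challenge ACKs instead (RFC 5961 also recommends rate-limiting those ACKs). A burst of challenge ACKs on a connection that should be quiet is itself a useful detection signal for injected resets.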

[Screenshot: terminate_warning]

[Screenshot: terminate_do]

Towards the end of the project, I began to realize that KillJoy was not picking up all traffic from the wireless access point; instead, the only packets being detected and processed were those sent from or received by the device itself. This was puzzling, since the network interface is supposedly capable of being dropped into monitor mode — and indeed, executing iwconfig wlan0 mode monitor returns without any error, but tcpdump is still not able to pick up any third-party traffic thereafter. Eventually this led me to the conclusion that the NIC hardware on the Nokia n810 (or the driver used for it) is not able to support true promiscuous / monitor mode, so to work around it, I implemented the capability to perform a Man-in-the-Middle (MiTM) attack on any number of devices on the network in order to view their traffic. Here’s how this might go:

    1. The user, realizing that not all traffic is being picked up by the device, uses KillJoy to perform an ARP scan on the network to discover all active devices.
    2. From this list of local active devices, the user chooses a subset of IPs to add to the MiTM list.
    3. From this point on, an ARP spoof attack will be performed and maintained on each of the devices, positioning the attacker between the devices and the gateway, thus allowing him or her to view all traffic previously undetectable.
4. When the user exits the application, KillJoy automatically restores the ARP caches on all the devices from the MiTM list, resulting in (hopefully) a minimally-detectable intrusion.

[Screenshot: arp_discover]

Note that it is also possible to manually specify an IP for ARP redirection if the IP is known.

I tested this approach with an off-the-shelf Netgear home router and it worked well; however, on other networks the ARP attacks were thwarted, presumably by up-to-date router firmware intended to prevent such a well-known attack. Even so, these features give the user an additional level of built-in capability should the program be used on a network device that does not support full promiscuous monitoring of packets.
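The ARP redirection in the four steps above, and the cache restoration at exit, are both visible on the wire as an IP address whose hardware-address binding changes, and as one MAC answering for several IPs. The following Python 3 snippet, added here as an illustration and not part of KillJoy, shows the consistency check that arpwatch-style monitors apply to spot exactly that; the ARP replies are constructed records rather than captured packets, and every address in them is a placeholder.

```python
"""
ARP-cache consistency monitor over a stream of ARP replies.
Added illustration; not part of KillJoy.  The capture is constructed.
"""
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "t sender_ip sender_mac")  # t = seconds into capture

GATEWAY_IP = "192.168.1.1"  # placeholder gateway address

# Constructed sample capture: a gateway, two clients, then a third MAC that
# claims both the gateway's and a client's IP, then the original binding returns.
SAMPLE = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    ArpReply(0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),  # client A
    ArpReply(1.0, "192.168.1.30", "aa:bb:cc:00:00:30"),  # client B
    ArpReply(5.0, "192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway IP now bound to a new MAC
    ArpReply(5.1, "192.168.1.20", "aa:bb:cc:00:00:99"),  # the same MAC claims client A
    ArpReply(7.0, "192.168.1.1", "aa:bb:cc:00:00:99"),   # repeated: binding is being maintained
    ArpReply(60.0, "192.168.1.1", "aa:bb:cc:00:00:01"),  # original gateway binding returns
]


def monitor(replies, gateway_ip=None):
    """Walk ARP replies in order and return the list of alerts raised.

    Alert kinds:
      changed              an IP's MAC differs from the one last seen for it
      flip_flop            an IP returns to a MAC it was bound to earlier
      mac_claims_multiple  one MAC has now answered for more than one IP
    A change involving the gateway's IP is rated high; everything else medium,
    because a MAC with several IPs can be legitimate (routers, VM hosts).
    """
    table = {}                      # ip -> MAC currently bound
    history = defaultdict(set)      # ip -> every MAC ever seen for it
    owners = defaultdict(set)       # MAC -> every IP it has claimed
    alerts = []
    for r in replies:
        prev = table.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            kind = "flip_flop" if r.sender_mac in history[r.sender_ip] else "changed"
            alerts.append({
                "t": r.t, "kind": kind, "ip": r.sender_ip,
                "old_mac": prev, "new_mac": r.sender_mac,
                "severity": "high" if r.sender_ip == gateway_ip else "medium",
            })
        if owners[r.sender_mac] and r.sender_ip not in owners[r.sender_mac]:
            alerts.append({
                "t": r.t, "kind": "mac_claims_multiple", "mac": r.sender_mac,
                "ips": sorted(owners[r.sender_mac] | {r.sender_ip}),
                "severity": "medium",
            })
        table[r.sender_ip] = r.sender_mac
        history[r.sender_ip].add(r.sender_mac)
        owners[r.sender_mac].add(r.sender_ip)
    return alerts


def run_sample():
    """Run the monitor over the constructed capture above."""
    return monitor(SAMPLE, gateway_ip=GATEWAY_IP)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample this raises four alerts: a high-severity change of the gateway binding, a medium change for the client, a "mac_claims_multiple" alert once the new MAC answers for both, and a high-severity flip-flop when the original gateway binding comes back, which is the signature of the restoration step at exit. In practice the same check is enforced on the infrastructure side by switches that validate ARP replies against DHCP-snooping bindings (dynamic ARP inspection), which is the class of countermeasure that would stop the redirection before any host's cache is affected.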

    Finally, without further jabber: a demo of KillJoy in action! Warning: mild drama.

    For a more detailed and complete description of KillJoy’s features, or to inspect its internals, please refer to the following links: