Stealthy Passive Spliced Network Tap (janitha.com)
45 points by janitha on Dec 24, 2009 | hide | past | favorite | 12 comments



I am surprised at how good this post is, given the topic. Something corporate security consultants become painfully aware of very quickly: it is startlingly easy to compromise the physical network of a huge company, and, having done so, an attacker has essentially limitless access to the victim's business processes.

The notion that a network team would actually use a TDR to find passive spliced taps on their network --- or, for that matter, even take the time to spot unexpected 802.11 wireless activity --- is laughable. Pick any company in the Fortune 100. Put on a dress shirt and a tie. Follow someone with a proxcard in through the side door after their smoke break. You will have their mainframe batch apps for months or years afterwards.


TDR?


Time Domain Reflectometer


Shouldn't it be possible to do an inductive tap? You should be able to pick the signals up without severing any wires or actually connecting anything to the wires themselves. You would have to split the outer jacket of the cat5 cable, but once you isolate the pairs you should be able to get something going. The pairs are differential loops, so you should need only one inductive pickup per pair. Just an idea, not sure how feasible it would be, but I would have thought that this would be a standard way to do a tap. You'd need power for this though, so maybe that limits its usefulness. Could use PoE to power it though.


They're not differential pairs for no reason. They're differential pairs because they need to be, to keep the signal integrity at the edge rates needed for that bandwidth at those distances.

The system is not so over-engineered that you can throw away a bunch of the engineering and still have a working link. To look at a single line on a scope is often to see almost no signal at all. It's all noise. Only by looking at the signal differentially does the data appear.

As for inductive coupling: even if you used the entire differential signal, you still will fail, I think. The currents are quite low, which means your inductive pickup will need to be extremely sensitive. So sensitive, that I would anticipate the system noise of your inductive pickup to be on the same level as the signal you're trying to read, resulting in too much misread data to do anything with.

Plus, it's not worth it. There's no way to tell that another high-impedance device has been added to the system. It won't change the impedance that some hypothetical tamper detection system would be able to measure in any measurable way, so why not just add it using a direct connection?


Looking at one side of a balanced transmission line is not really very useful on a scope since there is no reference that is meaningful other than the other side of the line. Of course there would be lots of noise looking at only one side, since the whole idea of a twisted pair line is to take advantage of common-mode noise rejection at the receiving end.

Thinking about things more, you'd need to do the same common mode rejection in the tap in order to not be overwhelmed by line noise, necessitating the use of two pickups per pair. Careful physical design could allow a very sensitive pickup to be designed while canceling noise common to both. However, as you pointed out, low current could make things impossible still. But... the line is driving an inductive coupling in the form of a transformer at the end in order for things to work in normal operation though, so instinctively I think that something could be made to work.

As for not being worth it, you are probably right, especially since both approaches could be detected with the proper equipment.


An old coworker of mine wanted to use a tap like this to set up a secondary tamper-resistant syslog server alongside our central syslog server.

The secondary syslog server would only be connected to the "receive" pair of the primary syslog server and therefore only physically able to receive data - making it difficult to tamper with logs.


You could, but for a legit purpose such as logging traffic on a network, doing a tap like this is not the best way to go. Use a switch with a SPAN port, or alternatively there are commercial taps (for example from NetOptics) that do exactly what you want... just in a much nicer/cleaner/proper way.


Reminds me of this story that surfaced around the time of the AT&T vandals.

> Within minutes of cutting the cable, three black SUVs pulled up carrying men in suits who complained that their line was severed.

“The construction manager was shocked,” a worker told the Washington Post. “He had never seen a line get cut and people show up within seconds. Usually you’ve got to figure out whose line it is. To garner that kind of response that quickly was amazing.”

AT&T crews arrived the same day to fix the line, an unusually prompt response.

http://www.wired.com/threatlevel/2009/06/blackline/


What a cool, brief but informative, post. I want to try it out now!


Some firewalls, like the open-source, FreeBSD-based pfSense, can operate in bridge mode, and are thus not addressable via IP.


I approve of this article. ;)

