Difference between revisions of "PoisonTap solution"

From Organic Design wiki
(new event)
m
Line 3: Line 3:
  
 
It's done by having the simple Perl script below run when the screen saver activates and de-activates - well actually a user session event is used since the screen saver events fires before the password to unlock the screen is entered.
 
It's done by having the simple Perl script below run when the screen saver activates and de-activates - well actually a user session event is used since the screen saver events fires before the password to unlock the screen is entered.
 +
<div style="clear:both"></div>
 
<source lang="perl">
 
<source lang="perl">
 
#!/usr/bin/perl
 
#!/usr/bin/perl
 
if( $ARGV[0] eq 'start' ) {
 
if( $ARGV[0] eq 'start' ) {
qx( dbus-monitor --session "type=signal,interface=org.gnome.SessionManager.Presence" | $0 & );
+
qx( dbus-monitor --session "type=signal,interface=org.gnome.SessionManager.Presence,member=StatusChanged" | $0 & );
 
} else {
 
} else {
 
while( <> ) {
 
while( <> ) {
Line 23: Line 24:
 
The event or values used by the event system may vary across different GNU/Linux distros. To figure out the appropriate ''dbus-monitor'' filter and the values to use in the regular expression matches that run the network commands,  
 
The event or values used by the event system may vary across different GNU/Linux distros. To figure out the appropriate ''dbus-monitor'' filter and the values to use in the regular expression matches that run the network commands,  
  
Once you've found your networking starting and stopping commands, next you need to find the event that your desktop uses to broadcast changes of the screen-locking status. All modern distros use the DBus system so you can use the following command to observe all events and then lock and unlock the screen and check the output to see which events it used.
+
All modern distros use the DBus system so you can use the following command to observe all events and then lock and unlock the screen and check the output to see which events it used.
  
 
Here's the command to observe all the DBus signals being emitted by the system:
 
Here's the command to observe all the DBus signals being emitted by the system:
Line 32: Line 33:
 
On my system this a snippet of what was outputted (it was actually about 4 times as much as this), I've highlighted the relevant lines:
 
On my system this a snippet of what was outputted (it was actually about 4 times as much as this), I've highlighted the relevant lines:
 
<source>
 
<source>
todo...
+
signal sender=org.freedesktop.DBus -> dest=:1.63 serial=2 path=/org/freedesktop/DBus;
 +
  interface=org.freedesktop.DBus; member=NameAcquired
 +
  string ":1.63"
 +
signal sender=:1.19 -> dest=(null destination) serial=1931 path=/org/Cinnamon/LookingGlass;
 +
  interface=org.Cinnamon.LookingGlass; member=WindowListUpdate
 +
signal sender=:1.37 -> dest=(null destination) serial=20 path=/org/cinnamon/ScreenSaver;
 +
  interface=org.cinnamon.ScreenSaver; member=ActiveChanged
 +
  boolean true
 +
{!signal sender=:1.1 -> dest=(null destination) serial=119 path=/org/gnome/SessionManager/Presence;
 +
  interface=org.gnome.SessionManager.Presence; member=StatusChanged
 +
  uint32 3!}
 +
signal sender=:1.24 -> dest=(null destination) serial=892 path=/org/ayatana/NotificationItem/nm_applet/Menu;
 +
  interface=com.canonical.dbusmenu; member=LayoutUpdated
 +
  uint32 608
 +
  int32 0
 +
signal sender=:1.24 -> dest=(null destination) serial=893 path=/org/ayatana/NotificationItem/nm_applet;
 +
  interface=org.kde.StatusNotifierItem; member=NewIcon
 +
signal sender=:1.24 -> dest=(null destination) serial=901 path=/org/ayatana/NotificationItem/nm_applet/Menu;
 +
  interface=com.canonical.dbusmenu; member=LayoutUpdated
 +
  uint32 635
 +
  int32 0
 +
signal sender=:1.37 -> dest=(null destination) serial=22 path=/org/cinnamon/ScreenSaver;
 +
  interface=org.cinnamon.ScreenSaver; member=ActiveChanged
 +
  boolean false
 +
{!signal sender=:1.1 -> dest=(null destination) serial=123 path=/org/gnome/SessionManager/Presence;
 +
  interface=org.gnome.SessionManager.Presence; member=StatusChanged
 +
  uint32 0!}
 +
signal sender=:1.19 -> dest=(null destination) serial=2055 path=/org/Cinnamon/LookingGlass;
 +
  interface=org.Cinnamon.LookingGlass; member=WindowListUpdate
 
</source>
 
</source>
This shows that the event used on my machine for screensaver status changes has ''interface=org.cinnamon.ScreenSaver'' and ''member=ActiveChanged'' and that the value is ''boolean true'' or ''boolean false'' depending on whether the screensaver is starting or stopping. We cn use this to construct a more specific observation command that only outputs screensaver state changes like this:
+
This shows that the event used on my machine for screensaver status changes has ''interface=org.gnome.SessionManager.Presence'' and ''member=StatusChanged'' and that the value is ''boolean true'' or ''boolean false'' depending on whether the screensaver is starting or stopping. We cn use this to construct a more specific observation command that only outputs screensaver state changes like this:
 
<source>
 
<source>
 
dbus-monitor --session "type=signal,{!interface=org.cinnamon.ScreenSaver,member=ActiveChanged!}"
 
dbus-monitor --session "type=signal,{!interface=org.cinnamon.ScreenSaver,member=ActiveChanged!}"
Line 40: Line 69:
  
  
We then need to make a small script that enables or disables the networking using the command you found above depending on whether the DBus output says the screensaver is starting or stopping. I found Perl simplest for this job, because my shell scripting skills are pretty lame. In my case the start/stop depends on the value being ''boolean true'' or ''boolean false'' so I've used the simple regular expressions highlighted in the script below.
+
We then need to make a small script that enables or disables the networking using the command you found above depending on whether the DBus output says the session status us changing. I found Perl simplest for this job, because my shell scripting skills are pretty lame. In my case the start/stop depends on the value being ''uint 0'' and ''uint 3'' so I've used the simple regular expressions to match this which you can see in the ''while'' loop that scans the ''dbus-monitor'' output.
<source lang="perl">
 
#!/usr/bin/perl
 
while( <> ) {
 
`nmcli nm enable false` if {!/true/!};
 
`nmcli nm enable true` if {!/false/!};
 
}
 
</source>
 
  
  

Revision as of 09:47, 19 November 2016

Poisontap.jpg

PoisonTap is a Raspberry Pi based device that siphons cookies, exposes internal router & installs web backdoor on locked computers. It works by posing as a USB network adapter that sets itself up as an IP gateway via DHCP. This article provides instructions to set up a simple protection for this attack vector by disabling networking when the screen is locked. It works for GNU/Linux but should be easy to implement in other operating systems.

It's done by having the simple Perl script below run when the screen saver activates and de-activates - well actually a user session event is used since the screen saver events fires before the password to unlock the screen is entered.

#!/usr/bin/perl
if( $ARGV[0] eq 'start' ) {
	qx( dbus-monitor --session "type=signal,interface=org.gnome.SessionManager.Presence,member=StatusChanged" | $0 & );
} else {
	while( <> ) {
		`nmcli nm enable false` if /uint32 3/;
		`nmcli nm enable true` if /uint32 0/;
	}
}

Installation

NoPoisonTap.jpg

Just save the script anywhere and ensure that it has executable permissions, then add it to your startup programs with the start parameter. E.g. if you saved it as /home/foo/NoPoison.pl, you'd add /home/foo/NoPoison.pl start as the command in your start up apps.

Note that it must be launched from your desktop start up applications rather than from init.d or rc.local because it needs to run under the user session otherwise dbus-monitor can't get the information about session events.

Different distros

The event or values used by the event system may vary across different GNU/Linux distros. To figure out the appropriate dbus-monitor filter and the values to use in the regular expression matches that run the network commands,

All modern distros use the DBus system so you can use the following command to observe all events and then lock and unlock the screen and check the output to see which events it used.

Here's the command to observe all the DBus signals being emitted by the system:

dbus-monitor --session "type=signal"

On my system this a snippet of what was outputted (it was actually about 4 times as much as this), I've highlighted the relevant lines:

signal sender=org.freedesktop.DBus -> dest=:1.63 serial=2 path=/org/freedesktop/DBus;
   interface=org.freedesktop.DBus; member=NameAcquired
   string ":1.63"
signal sender=:1.19 -> dest=(null destination) serial=1931 path=/org/Cinnamon/LookingGlass;
   interface=org.Cinnamon.LookingGlass; member=WindowListUpdate
signal sender=:1.37 -> dest=(null destination) serial=20 path=/org/cinnamon/ScreenSaver;
   interface=org.cinnamon.ScreenSaver; member=ActiveChanged
   boolean true
signal sender=:1.1 -> dest=(null destination) serial=119 path=/org/gnome/SessionManager/Presence;
   interface=org.gnome.SessionManager.Presence; member=StatusChanged
   uint32 3
signal sender=:1.24 -> dest=(null destination) serial=892 path=/org/ayatana/NotificationItem/nm_applet/Menu;
   interface=com.canonical.dbusmenu; member=LayoutUpdated
   uint32 608
   int32 0
signal sender=:1.24 -> dest=(null destination) serial=893 path=/org/ayatana/NotificationItem/nm_applet;
   interface=org.kde.StatusNotifierItem; member=NewIcon
signal sender=:1.24 -> dest=(null destination) serial=901 path=/org/ayatana/NotificationItem/nm_applet/Menu;
   interface=com.canonical.dbusmenu; member=LayoutUpdated
   uint32 635
   int32 0
signal sender=:1.37 -> dest=(null destination) serial=22 path=/org/cinnamon/ScreenSaver;
   interface=org.cinnamon.ScreenSaver; member=ActiveChanged
   boolean false
signal sender=:1.1 -> dest=(null destination) serial=123 path=/org/gnome/SessionManager/Presence;
   interface=org.gnome.SessionManager.Presence; member=StatusChanged
   uint32 0
signal sender=:1.19 -> dest=(null destination) serial=2055 path=/org/Cinnamon/LookingGlass;
   interface=org.Cinnamon.LookingGlass; member=WindowListUpdate

This shows that the event used on my machine for screensaver status changes has interface=org.gnome.SessionManager.Presence and member=StatusChanged and that the value is boolean true or boolean false depending on whether the screensaver is starting or stopping. We cn use this to construct a more specific observation command that only outputs screensaver state changes like this:

dbus-monitor --session "type=signal,interface=org.cinnamon.ScreenSaver,member=ActiveChanged"


We then need to make a small script that enables or disables the networking using the command you found above depending on whether the DBus output says the session status us changing. I found Perl simplest for this job, because my shell scripting skills are pretty lame. In my case the start/stop depends on the value being uint 0 and uint 3 so I've used the simple regular expressions to match this which you can see in the while loop that scans the dbus-monitor output.


First you need to find out the best way to turn the network on and off. On most distros these days the network is controlled by the Network Manager and you can turn it on and off with:

nmcli nm enable [true|false]

Some other possible options are:

service [start|stop] networking
/etc/init.d/networking [start|stop]
if[up|down] -a

You need something that disables it and prevents a new device that's plugged in from functioning, but when re-enabled all devices are seen to be functioning normally again.

See also