
So I'm Dr. Matt Miller, and today I'm going to talk about testing network investigative techniques. As you can see, I'm amazing: I pull myself out of a drawer at times if I need to, although the cable management in this situation, if you can see it, is maybe not the greatest. So I worked as a programmer for five years for a company that sells shower bases and lavatories. At that time I was working on my PhD, which I got from Kansas State University, and right now I am a professor of computer science at the University of Nebraska at Kearney, and I'm one of the co-leaders of our cyber operations degree, which will start this fall. In addition to this, over the past four years or so I've been an expert witness under the CJA, or Criminal Justice Act. I've worked on over a dozen different cases. Some of my hobbies are parallel computing, reverse engineering, doing reverse engineering challenges, baseball, woodworking, all that fun stuff. So, enough about me.

All right, so this is a little bit of background on law enforcement investigations. You guys have probably watched something like Law and Order, so you have some idea of what goes on. For example, we have wiretapping: with the old phones they actually would get on the poles, connect the wires and listen in to your conversations. As we've moved into the digital age we have websites, and website providers have to provide IP addresses. I don't know if anybody here has gotten a subpoena for somebody's IP address; I don't think we have any ISPs here, but that is something they will get issued subpoenas for, and they have to provide that information if they have it. And then we have peer-to-peer file sharing; in that case you know the IP address of both parties, because the peers are talking in plaintext. A second bit of background is search warrants. A search warrant is issued by a judge, and judges have jurisdiction, which means they have a particular area where they are allowed to issue search warrants, so you don't have more than one judge issuing warrants for the same area in the US.

Again, some more background: we've got different types of anonymization. People get their IP addresses taken, they get the search warrant, and they say, well, I don't like that. So what do they do? They try to add different techniques to mask their IP addresses. We've got two different flavours, generally; there may be more that I don't know about, but these are the two general ones. We've got I2P, or the Invisible Internet Project, which is maybe a little bit complicated for your average person to set up, so they don't typically use that. Now, Tor offers their Tor Browser Bundle, which you just download, and then you can get on the Tor network. Here's a diagram from the EFF and the Tor website as to how Tor works. In general, Alice right here can browse the internet without Alice's IP address being exposed, but then she makes a plain connection, you see the red dotted line, to Bob's server. So Bob doesn't know who Alice is, but we can go look up where Bob is, and if he's hosting illegal content then we can issue a search warrant for Bob and take down his site.

People wanted to get around that, so then they invented hidden services. With hidden services, basically, the server and the client don't know who each other are, and you can't tell who is who, and so this sort of breaks down the law enforcement model: okay, I get an IP address, I get a search warrant, I knock on their door, I investigate them to see whether they did or did not do something that is bad or illegal. So they've had to go to more sort of extreme techniques. Now, the first step is generally that they need to find the actual hidden service, and for that they basically kind of have to get lucky. If it's a hidden service it's hard to find; they need to figure out some way of de-anonymizing that server. This is typically done through a misconfiguration, like maybe leaving HTTP open on Greg as well as Tor, so that somebody can connect to that, or by IP leakage through different de-anonymization techniques. Once they've found where the server is, the FBI finds the server, it's hosting illegal content, then what they do is deploy a NIT to that server. NIT is their term for network investigative technique, meaning there is some investigation that we need to do, it's on a network, so we have to invent a technique to de-anonymize those people.

Now, the first one I'm going to talk about is code from HD Moore in his Metasploit decloaking engine. This is really kind of a proof of concept of, well, how could we de-anonymize somebody that is on Tor using hidden services, how could we leak their IP address. If you go and look for it, it's been taken down because it's not useful, but it was actually used. So this is the first case that I worked, USA versus Cottom; you can Google it if you really need to. They de-anonymized a server located in Omaha, Nebraska, and it was hosting illegal content, and so then they decided that they were going to deploy as many NIT techniques as they could in order to de-anonymize the users of this server. There are three basic ones: we have SWF, or Flash, we have Java, and then we have JavaScript. They deployed the NIT using all of those different methods, and they would also always try DNS: if somebody wasn't smart enough to configure their DNS right, they figured, well, maybe we can get a DNS leak, so they would always try that. Then I was given access to the servers that were modified, so they modified them to deploy this NIT and then gave us copies of these. These are all virtual servers, in VMware; they were encrypted images so that they were a little bit more difficult.

All right, so hopefully this is legible from the back; if it's not, there are lots of seats in the front and you're more than welcome to come up here, but that may not happen. All right, so I'll use my pen here to hopefully draw some pictures. One of the first things that we're going to see in here is this hex-encoded API key. This is going to be a symmetric key that's going to be used to encrypt a blob of data, and we're going to see what that blob is here in a second. It's going to encrypt it, and then the only way to decrypt it is if you have that key. Now, Blowfish is symmetric, meaning you use the same key to encrypt as the key to decrypt. And so we have this method here called generate cookie. It takes three different parameters: it takes the key, which I just talked about; it takes a method, which is what manner we are de-anonymizing this user in; and then a session ID. For those of you who do web stuff, a session ID tracks the session of a particular user in a web browser. What it does, and this is PHP code, is concatenate all of those together using some delimiter, so it's using a dollar sign. We can also see that it's actually using a 1 here, and actually there are three different websites, so you use one, two, three to denote which website it was that the user was visiting, so that they could look into that. Then we get down just a little bit farther and you're going to see that it does use Blowfish to encrypt a message using the data that was created on that line above, and at the bottom it also splits that into 40-character chunks separated by dots, so that it kind of looks like something that's random; it's got 40 characters in length, approximately.

All right, and sorry, I should mention this is all PHP code, so that key is not visible to the user who visits the web page; it's a hidden key that you don't have access to, because this is all in PHP. Again, in PHP, it goes ahead and fetches the browser session, or the session ID, where the user is, and then uses a couple of cases to decide, okay, what method should I try to deploy to de-anonymize this user. Again, it always uses DNS, but they try to decide, am I going to use JavaScript, Java or Flash in order to do that, because it knows that some of these work on certain platforms and some of them don't. Then for each one of the types of methods, we saw that it calls generate cookie, so the method is the second item: we've got WS, SWF and Java. I don't know why it's WS for JavaScript, but whatever. Now it uses the session ID, and then at the bottom, okay, it decided that it's going to use SWF, and so it sets an ID in here, the cookie for SWF: I'm doing Flash, and I'm going to go ahead and set that cookie in there.

So this is the reason that I was brought in. When I was in the pre-trial motion, we sat there for probably four hours describing how the source code for the exploit was lost. You can see the source code is not very long, but it got lost; they couldn't find it, they couldn't figure it out. As a computer science major, as my bachelor's, my master's and my doctorate, I had a lot of background, and when I went to Dakota State I decided to specialize in reverse engineering, so I took a reverse engineering course with the IDA Pro Book and Chris Eagle at Black Hat, and I started reversing stuff. All of a sudden they came to me and said, can you reverse engineer something, and I said, I suppose. So this is Flash, which is a little bit out of my wheelhouse; I was more in the other type of reverse engineering. I said sure, and there is a decompiler for Flash called JPEXS, which is the one that we used. One thing you'll notice in this source code is we don't have any comments, because if you know anything about compilation, comments get thrown out the window. Also variable names: you'll see down here I've got _loc1_ and _loc2_; it just picked random names for those variables, so again that information is also lost. But what it would do is build a domain to make a connection to, which had a hard-coded IP address right there, and then this is the domain that it would connect to, and location 1 is that parameter that we just got. So when it makes a DNS query it has its own IP address, it has the domain that it's actually going to, and then embedded in the middle of that is a bunch of characters, which is our encrypted cookie that verifies who made the connection to the website. Then in this middle onConnect, you can read it, again that's really tiny text, but it's all of the code, so I put it all on here: there's information about what OS they were running, what CPU architecture they are running, and then what that parameter is. So when it makes a connection it actually sends all of that information there. If they only have DNS, then the bottom one will work: we'll get their IP address from the DNS request. Otherwise, if it makes a successful connection, not just the DNS, we'll still get information about what OS they're running, what architecture, and then what that session ID and all of that encrypted information is.

Our process was to generate this Flash code and then recompile it and make sure that it did work: we compiled it and we didn't see any significant differences between what we compiled and what we reverse engineered. That gave us a pretty good idea that this was indeed the source code, and again this is only, I don't know, 50 lines long, so it's not real hard to go and verify that it works. All right, so here's an example of the domain that it's going to make a connection to, and as we can see, in between this dot and this dot is the encrypted cookie that has been sent. To try making a connection I went ahead and did this locally, so I can make sure that yes, indeed, if it did a DNS connection you'd get that cookie.

Then on the back end they were running the Twisted Python framework. Has anybody ever used Twisted for anything? No hands. So it's a framework that allows you to basically run any type of server that you want and lets you respond to different events, and you can do it very quickly. That's what the FBI used when they were running this in the back end, and they named it Cornhusker, clearly because we were in the Cornhusker State, so they thought, hey, what a great name, we can name it Cornhusker. It does take in the shared key: you guys saw the key earlier; that exact data is in the shared key text file, and I just incorporated that as a command line parameter inside the server. So now what we're looking at is the actual server. When the FBI got a connection, they wanted to log this information, and there are a couple of things that they had to do. At the top of this we can see a policy request: if anybody knows anything about Flash, if you're trying to make a connection to an outside entity it may ask for a policy file saying what's allowed to be connected to. Again, we can see a comment in here, because this is actual code from the FBI. So if the browser made a policy request it would oblige and give it a policy so that it could make the connection. Otherwise, if it wasn't a policy request, which means we jump down here, it would go ahead and try to figure out, okay, is this a legitimate query, because we have some encrypted text and we also have some keywords: there's a C inside of the cookie, if we looked at the previous one, and it makes sure that that character actually exists in there. Then we'll see this method down here, decrypt cookie. Decrypt cookie is going to go ahead and try to take that cookie that we were given and, using the symmetric key (symmetric cryptography, you use the same key to encrypt as to decrypt), if they can decrypt it then they'll look at the text and see, okay, is this a legitimate example. Then I have some of the command line output from doing this; you can see that it actually goes ahead and logs all of this information. It logs it both to a database and to a log file. I don't know why they decided to do both; I guess a database is probably easier because you can just run a SQL query against it.

Then here we can look and see they have a table, and they do a nice insertion statement on that table to go ahead and say what their IP address was, which is one of the key things, because once they have the IP address then they go through the rest of the process. Okay, so we also have the DNS server. I said that they will do DNS, and again they go through and basically take off the ends of it, and then we should see again the decrypt cookie method; they have one method to decrypt it no matter what way they use to de-anonymize the user. It's a little bit blown out on your screen, but this is the decrypt cookie one. It goes through and makes sure that the cookie is the right length, makes sure that the cookie has what it needs to have: it has to have a dollar sign in it. If you looked at our previous page we had a dollar sign; the first part of that cookie was the number, and the number tells you which website they were connecting to, and then the second two parts are going to be the type of method and then the session ID for that user. If it couldn't decrypt it, it doesn't log it, so you could send garbage to the server, and if you didn't know what the key was, you're going to generate garbage on this, and so it's going to decrypt to nothing, and you won't get a result from that.
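An added example, not from the talk and not the FBI's Cornhusker code, of the defender's side of the two points above: the cookie layout (encrypted blob split into 40-character chunks joined by dots inside a DNS name) and the "block everything that isn't going out over Tor" check the speaker suggests next. It assumes a simple key=value log format, that 127.0.0.1:9150 is the Tor Browser SOCKS port on the monitored hosts, and the label-length and entropy thresholds it declares; all log lines are constructed.

```python
"""Egress checks for the NIT pattern described in the talk (added example).

Two detections, run over constructed log lines:
  1. DNS queries whose name carries long, high-entropy labels: the talk's
     cookie is an encrypted blob split into 40-character chunks joined by
     dots and placed between a fixed prefix and the collector's domain.
  2. Outbound TCP connections that do not go to the local Tor SOCKS proxy;
     a Tor-only host should have no other egress, so anything else is a
     direct connection of the kind Flash made by ignoring proxy settings.
"""
import math
from collections import Counter

# Constructed sample DNS query log (syslog-like; not from the case).
DNS_LOG = [
    "2017-03-01T10:00:01 client=10.0.0.5 query=www.example.com type=A",
    "2017-03-01T10:00:02 client=10.0.0.5 query=x."
    "0123456789abcdef0123456789abcdef01234567."
    "89abcdef0123456789abcdef0123456789abcdef.collector.example type=A",
    "2017-03-01T10:00:03 client=10.0.0.7 query=mail.example.org type=MX",
]

# Constructed sample connection log. 127.0.0.1:9150 is assumed to be the
# Tor Browser SOCKS port on these hosts; adjust for a real deployment.
CONN_LOG = [
    "2017-03-01T10:00:04 proto=tcp src=10.0.0.5:51234 dst=127.0.0.1:9150",
    "2017-03-01T10:00:05 proto=tcp src=10.0.0.5:51240 dst=203.0.113.10:80",
    "2017-03-01T10:00:06 proto=tcp src=10.0.0.7:40001 dst=127.0.0.1:9150",
]
TOR_PROXIES = {("127.0.0.1", 9150)}

MIN_BLOB_LABEL = 32   # assumed threshold; the talk's chunks are 40 chars
MIN_ENTROPY = 3.0     # bits per char; hex-encoded ciphertext is near 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_blob_label(label: str) -> bool:
    """True when a DNS label looks like one chunk of an encrypted cookie."""
    return len(label) >= MIN_BLOB_LABEL and shannon_entropy(label) > MIN_ENTROPY


def parse_kv(line: str) -> dict:
    """Split 'ts key=value key=value' into a dict, dropping the timestamp."""
    return dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)


def flag_dns_queries(lines):
    """Return (client, qname, blob_label_count) for cookie-like queries.

    On a host that only browses through Tor, any plain DNS query is already
    a leak; the blob check singles out the ones that also carry a payload.
    """
    hits = []
    for line in lines:
        kv = parse_kv(line)
        qname = kv.get("query", "")
        blobs = [lab for lab in qname.split(".") if is_blob_label(lab)]
        if blobs:
            hits.append((kv["client"], qname, len(blobs)))
    return hits


def flag_non_tor_egress(lines, allowed=TOR_PROXIES):
    """Return (src, dst) for TCP connections not aimed at a Tor proxy."""
    hits = []
    for line in lines:
        kv = parse_kv(line)
        host, port = kv["dst"].rsplit(":", 1)
        if (host, int(port)) not in allowed:
            hits.append((kv["src"], kv["dst"]))
    return hits


if __name__ == "__main__":
    for hit in flag_dns_queries(DNS_LOG):
        print("cookie-like DNS query:", hit)
    for hit in flag_non_tor_egress(CONN_LOG):
        print("direct (non-Tor) egress:", hit)
```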
Okay, so some of the questions we had were, how do we link that NIT code? Say I go to my website, I'm hosting bad things, so I send you a payload and you download that, but there also has to be a correlation if I make a connection back to you, and how do I prove that the person who downloaded the file was the person who ran that request? That really boils down to time. Maybe I download the file online, I block all outgoing connections, and then I send this data to another user and let them execute it, and now they get to run it. Now, this is the theoretical limitation; I didn't see in practice that somebody was doing this, but if you knew that it was there, then you could do things like monitor the traffic coming out of your network and block everything that's going out that's not going out over Tor, and then you would see that some NIT was trying to run, and you had the ability to do that. That's one of the things about how this got found: people found it in the wild, saying, hey, I saw that this was making an outbound connection, what do I need to do about that. And then the exploit: as we generally know, if you run an exploit against some box, anybody who receives that exploit has the ability to log it, and then they can use it for whatever their purposes were. Now we're looking at Flash code as an exploit, and the reason this even works is that Flash ignores the proxy settings set by the browser. The browser says, okay, my proxy is going to go through Tor; Flash sees that it's going to make this request out, it just ignores those settings and makes a direct connection, which thus violates the property of Tor that you're not supposed to be able to figure out what your IP address is. So that was the first case that I did, and that was one operation that the FBI ran.

Subsequently there was another operation that they ran, called Playpen. Again there was a website that was hosting illegal content, and they decided that they were going to try to de-anonymize the users. The case that I worked was USA versus Michaud in Washington, and below here is my version of the diagram. I have asked the FBI if this is correct, and they haven't said that it's not correct; they also haven't said that it is correct, so they can neither confirm nor deny that this is correct. But in general, what is going to happen is the FBI is going to generate some unique identifier for each user that wants to connect, that is logged into the server; one of the requirements was you had to be logged on to the server for this to get deployed. So they would generate a unique identifier, and then they would take that unique identifier and embed it within the payload that they were sending to the user, so that each user got a different version of the exploit. After they had generated it, in theory they logged this information; I'm guessing they logged it because they say they have a database full of all of the unique identifiers, which I haven't been given. Then what happens is that NIT code is pushed to the client, the client basically runs the exploit, which leverages some vulnerability in the browser and starts executing the NIT code. What the NIT code does then is make a direct connection, thus bypassing all of Tor, and connect to a government server. It makes a direct TCP connection, with the three-way handshake, and then the government sees that information, logs that information, writes down what the IP address is, saves that to a hard disk and then does some packet captures. I wrote a declaration, I did a very limited amount of analysis for several different cases related to this out there, and it got published by the EFF and the ACLU in their guide to hacking, saying, okay, here are some of the issues that you need to understand. Actually, in the Michaud case, which to my knowledge is the only case they threw out, they threw it out because the FBI did not produce the exploit code. In all the rest of the cases the judges have said it was done in what was called good faith, and so they are allowed to use the information that they have.

So this is actually all over the world; people from all over the world were using this. Off the top of my head I think it was around 200,000 people logged on to the website during the three weeks that they were running it. In the United States, I think maybe a couple thousand have been from the United States, the rest worldwide, and they've had 137-plus cases that currently either were litigated or are in litigation within the United States. The evidence that the federal government provides is: they provide the NIT code that they used; they provide a dead listing, and a dead listing is where you just start at the top, start disassembling all of the code and spit it out. Well, that's not actually the source code, which they claim it is, because with a dead listing there's also data inside of the NIT code, and so you can argue that maybe that's not quite code; it's data within there. Then they also provide a pcap showing just the single connection that the user made to the government site, showing what their public IP address is. Once they have that public IP address they go to the ISP and say, okay, who had this IP at this exact time; they'll go and do that lookup, and then they get a search warrant in order to search all of the digital devices that that person owns, because they are charged with viewing illegal material, which, even receipt, meaning you get something, or viewing, is considered illegal when it comes to CP material. Then charges get filed, and then pretrial motions are generally where I come in, because the question is whether this evidence is included or not included inside the case, and the judge makes that decision. Typically, if they say it's included, the person generally tries to do a plea bargain, because that gives them a better deal than if they try to go to court.

So, some of the issues that we have. I don't know how many of you understand Rule 41 and the changes to Rule 41. Nobody, okay. So Rule 41 basically talks about how a judge issues a warrant. Now, pre-internet, if I knew a crime took place in a certain location, like in Iowa, I would know there's a judge who has jurisdiction over that area, so I can go to that judge and go ahead and get a warrant. But the change that they made, I think in 2016, was that now a judge can issue a warrant anywhere in the country, in any jurisdiction, and that's to deal with this issue of Tor. If I know the server is in Virginia, how do I know who is going to connect to that server? There are people, like I said, connecting all around the United States and all around the world, so they've changed this rule, so now you can issue a warrant anywhere. But this is one of the issues that is brought up in these cases: who has jurisdiction to issue that warrant? There was one judge who issued it in Virginia; did he have jurisdiction to issue that warrant, yes or no? Generally they say yes, you did have jurisdiction to issue a warrant for the entire United States.

We also have Fourth Amendment issues, so illegal search and seizure. Here are some questions: is your IP address public? Should anybody be able to know? Well, you can argue yes and no; that's kind of up for debate. The other stuff: is your MAC address public, is your username public, is the architecture on your computer public? Generally we think of those things as not being public things, but they were things that were collected, and those are all listed inside of the search warrant to say you are allowed to collect these five things and that is it; you're not allowed to collect anything else other than that. And then testing. With these cases I haven't been able to test any of the code except for the NIT. They gave me the NIT, the part that goes ahead and figures out what their MAC address is, what their username is, what OS they're running on, and then makes a connection out, so I can test that. But the FBI has not released the exploit code, and one of the agents said that he tested it on his home computer and did not make any changes to his security settings. He ran one test to see if it worked; is that going to apply to every single computer? How would I know? I'm not allowed to test it; I don't have access to that. Some of the legal questions are: is there a known error rate for the exploit running, yes or no? We don't know what that is. Are the unique identifiers unique? If you issue the same unique identifier to a bunch of people, you might attribute access that was maybe not the person's: accessing it once versus accessing it 20 times, and that sort of impacts what he can get for that. And again, none of the server software was included, so I can't test that to verify it.

So one of the things that I proposed, and I really doubt that the FBI is going to agree with me on it, is that we should have a framework for deciding how we actually test this software. They're not going to stop using NITs to de-anonymize users, and so if you think about it, the entire system setup should be something that's included. Now, that could be a virtual machine that has all the software that they used when they deployed it, or it could be that they specify, okay, here's the OS that we were running, here's the patches, here's the configuration files that we modified in order to get it up to that stage; all log files, and who had access to those, did an agent have access and have the ability to add additional entries for somebody he didn't like inside of there, yes or no, again things that I really can't verify; and then all the source code that they have; and then different testing procedures for exactly how you test your code and make sure that it does work or doesn't work, what situations it would break in. So those are things that are key when you're actually going through the legal process. All right, so any questions? I kind of talk fast, clearly, and we started early, so that didn't help.
Yes, so whatever their public IP address was. The search warrant very specifically told them; the FBI, so they're the one issuing the warrant in the first place and getting a judge to sign it, and so they very specifically said, okay, here's the information we want to collect, and they had to give a reason why they want to collect that. The reasoning is, well, we need the IP address so that we know whose door to knock on, and then the additional information: if you have multiple people inside of a house, okay, which computer is it. Well, I mean, their basic idea is to get low-hanging fruit, and a lot of the people... So if you were blocking all outgoing connections outside of Tor, this wouldn't work. Yeah, so there are lots of ways that you could get around this, but this will definitely catch all of the low-hanging fruit of people who downloaded the Tor Browser Bundle and just hit run. That's how it's going to catch them, and they're like, oh, I want JavaScript, so they enable JavaScript in it. Yeah, so one of the things: Flash was not something that was a default thing; you were supposed to disable Flash if you're using the Tor Browser, and in the first case that's what they were using for the... the client that I was working for was using it.
Other questions?
I do have some references; I'll post the slides, but all of the stuff I talked about here is the stuff that's publicly available. When you work on one of these cases they also will give you, not a nondisclosure agreement, they'll give you an agreement you have to sign to say that you will not talk about information that you've received, you will not disseminate it, you only talk with the lawyer and their team. So all the stuff I put in here, again, is public stuff. There's other stuff, the actual code that they give me; very clearly I can't share that with you until they decide that that's something that's publicly available.