Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sniffing cable modems Guy Martin Defcon 16 - Aug 2008 – Las Vegas.

Published byJanis Reed Modified over 7 years ago

Similar presentations

Presentation on theme: "Sniffing cable modems Guy Martin Defcon 16 - Aug 2008 – Las Vegas."— Presentation transcript:

1 Sniffing cable modems Guy Martin gmsoft@tuxicoman.be Defcon 16 - Aug 2008 – Las Vegas

2 Agenda What is DOCSIS ? – Use of DOCSIS – General architecture – Registration process – Encryption on the link How to sniff it – DVB-C / ATSC card – Packet-o-matic to the rescue

3 Agenda Doable things – Privacy – Modem SNMP hacks – Misc References – DOCSIS – MPEG – Packet-o-matic

4 What is DOCSIS Use of DOCSIS – Internet : The most known application of the DOCSIS protocol – Telephony : Most cable modems have a built-in ATA (Analog Telephone Adapter) – Digital TV decoders : built-in cable modems to monitor/feedback data from end users

5 What is DOCSIS General architecture – CMTS on the ISP side broadcast packets to end users on a common single frequency – Modems on end user side sends packets back to CMTS on another frequency during its timeslot – A CMTS serves from a small neighborhood to a whole city – Downstream frequency is in the same range than TV ones – Uses MPEG packets like normal digital TV to encapsulate data

6 What is DOCSIS Registration process – Aquire and lock the downstream frequency – From this, find out the upstream parameters – Get an IP address – Download the modem configuration via TFTP – Apply the configuration and enable forwarding of packets

7 What is DOCSIS Encryption on the link – Encryption and authentication are NOT mandatory – BPI (Baseline Privacy Interface) provides a mechanism for authentication and/or encryption – DES and AES are the two possible encryption algorithms

8 How to sniff it DVB-C / ATSC card – Possible because protocols and frequencies are purposely similar to digital TV ones – Inexpensive – Only the downstream traffic can be captured – Different hardware like USRP could be used to capture both upstream and downstream

9 How to sniff it Packet-o-matic to the rescue – Input module capture the traffic – Packets are processed and matched using match, helpers and conntrack modules – Eventually the target module process the packets to produce the desired output – Everything occurs real-time – Telnet and XML-RPC interface available

10 Doable things Privacy – Sniff data destinated to all ISP users – Reassemble streams real-time and extract useable files on the fly (mail, phone and IM conversations,...) – DoS by reinjecting TCP RST (tcpkill) packets or ICMP error packets

11 Doable things Modem SNMP hacks – Change IP filters of the modem's ethernet bridge – Deny access to the server polling the download/upload quota – Reboot the modem – Anything else the modem's SNMP interface allows

12 Doable things Misc – Bypass modem filters by reinjecting sniffed packets in the LAN – Create a virtual network interface (tap device) so other tools can be used

13 References DOCSIS – http://www.cablelabs.com/ – http://www.cablemodem.com/specifications/ MPEG – ISO/IEC 13818-1 Packet-o-matic – http://www.packet-o-matic.com

Download ppt "Sniffing cable modems Guy Martin Defcon 16 - Aug 2008 – Las Vegas."

Similar presentations

Copyright ©Universalinet.Com, LLC 2009 Internet To connect a subscriber to Cable Services, Internet connectivity serves as the endpoint to the subscriber.

Copyright ©Universalinet.Com, LLC 2009 Internet To connect a subscriber to Cable Services, Internet connectivity serves as the endpoint to the subscriber.
1 Welcome Overview of DOCSIS. 2 Data Over Cable Service Interface Specification.

1 Welcome Overview of DOCSIS. 2 Data Over Cable Service Interface Specification.
By the end of this section, you will know and understand the hardware and software involved in making a LAN!

By the end of this section, you will know and understand the hardware and software involved in making a LAN!
1 ZIP 4x5 The world’s most functional telephone. 2 PSTN Internet Dallas, TX Sunnyvale, CA VPN Outside callers dial a single extension - phone at the office.

1 ZIP 4x5 The world’s most functional telephone. 2 PSTN Internet Dallas, TX Sunnyvale, CA VPN Outside callers dial a single extension - phone at the office.
1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.

1 Linux Networking and Security Chapter 2. 2 Configuring Basic Networking Describe how networking devices differ from other Linux devices Configure Linux.
Introduction to Network Analysis and Sniffer Pro

Introduction to Network Analysis and Sniffer Pro
3 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Getting Connected  First,you need to subscribe to an Internet service provider.

3 C H A P T E R © 2001 The McGraw-Hill Companies, Inc. All Rights Reserved1 Getting Connected  First,you need to subscribe to an Internet service provider.
Allied Telesyn Wireless LAN Solutions AT-WL2411 Access Point AT-WR2411 Wireless LAN PCMCIA Card.

Allied Telesyn Wireless LAN Solutions AT-WL2411 Access Point AT-WR2411 Wireless LAN PCMCIA Card.
Lecturer: Tamanna Haque Nipa

Lecturer: Tamanna Haque Nipa
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
CCNA 1 Module1. Objectives Internet Connections Physical – NIC card to connect to local net Logical – Use a standard set of protocols (TCP/IP) Applications.

CCNA 1 Module1. Objectives Internet Connections Physical – NIC card to connect to local net Logical – Use a standard set of protocols (TCP/IP) Applications.
For more notes and topics visit: www.eITnotes.com eITnotes.com.

For more notes and topics visit: eITnotes.com.
4 Network Hardware & Software Network Operating systems: software controlling traffic on the network 2 types of s.ware: server software &client software.

4 Network Hardware & Software Network Operating systems: software controlling traffic on the network 2 types of s.ware: server software &client software.
CLIENT A client is an application or system that accesses a service made available by a server. applicationserver.

CLIENT A client is an application or system that accesses a service made available by a server. applicationserver.
Overview, Circuit & Packet Switching, Addressing

Overview, Circuit & Packet Switching, Addressing
Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.

Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.
1 Telecommunications, the Internet, Intranets, and Extranets CSC101 SECTIONS 01 & 02.

1 Telecommunications, the Internet, Intranets, and Extranets CSC101 SECTIONS 01 & 02.
Lecture 2 TCP/IP Protocol Suite Reference: TCP/IP Protocol Suite, 4 th Edition (chapter 2) 1.

Lecture 2 TCP/IP Protocol Suite Reference: TCP/IP Protocol Suite, 4 th Edition (chapter 2) 1.
Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.

Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.
Cable Modem Overview EEL 4930 – Computer Networks Fall 2002 Bradley C. Spatz.

Cable Modem Overview EEL 4930 – Computer Networks Fall 2002 Bradley C. Spatz.

Similar presentations

Ads by Google