Friday, July 11, 2008

Packet Anonymization with PktAnon


I noticed a new tool on Packetstorm recently: PktAnon by Christoph P. Mayer, Thomas Gamer, and Dr. Marcus Schöller.

This tool seems powerful because you can apply a variety of anonymization policies based on settings you apply in an XML configuration file.

It was easy to install the tool on Debian 4.0:


tws:~# cd /usr/local/src
tws:/usr/local/src# wget http://www.tm.uka.de/pktanon/download/pktanon-1.2.0-dev.tar.gz
...edited...
tws:/usr/local/src# tar -xzf pktanon-1.2.0-dev.tar.gz
tws:/usr/local/src# sudo apt-get install libxerces27-dev libboost-dev
-su: sudo: command not found
tws:/usr/local/src# apt-get install libxerces27-dev libboost-dev
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
libicu36 libxerces27
Suggested packages:
libboost-doc libboost-date-time-dev libboost-filesystem-dev
libboost-graph-dev libboost-iostreams-dev libboost-program-options-dev
libboost-python-dev libboost-regex-dev libboost-serialization-dev
libboost-signals-dev libboost-test-dev libboost-thread-dev libboost-wave-dev
xalan libxerces27-doc
The following NEW packages will be installed:
libboost-dev libicu36 libxerces27 libxerces27-dev
0 upgraded, 4 newly installed, 0 to remove and 3 not upgraded.
Need to get 9259kB of archives.
After unpacking 44.7MB of additional disk space will be used.
Do you want to continue [Y/n]? y
...edited...
tws:/usr/local/src# cd pktanon-1.2.0-dev
tws:/usr/local/src/pktanon-1.2.0-dev# mkdir /usr/local/pktanon
tws:/usr/local/src/pktanon-1.2.0-dev# ./configure --prefix=/usr/local/pktanon
tws:/usr/local/src/pktanon-1.2.0-dev# make
tws:/usr/local/src/pktanon-1.2.0-dev# make install

Next you choose which of the anonymization profiles you want. Here we use settings_high.xml. To use this configuration file we just tell it where the Input is and where the Output is.

For example, here is the first, original packet.

tws:/tmp# tcpdump -c 1 -r sample.ftp.pcap -neXvvv

reading from file sample.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 00:0c:29:2d:6a:a0 > 00:50:56:ee:e5:fc, ethertype IPv4 (0x0800),
length 74: (tos 0x0, ttl 64, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 60) 192.168.255.131.1385 > 62.243.72.50.21: S, cksum 0x7890 (correct),
2888152290:2888152290(0) win 5840 <mss 1460,sackOK,timestamp 199370 0,nop,wscale 2>
0x0000: 4500 003c be28 4000 4006 3542 c0a8 ff83 E..<.(@.@.5B....
0x0010: 3ef3 4832 0569 0015 ac25 b4e2 0000 0000 >.H2.i...%......
0x0020: a002 16d0 7890 0000 0204 05b4 0402 080a ....x...........
0x0030: 0003 0aca 0000 0000 0103 0302 ............

Here is the settings_low profile output.

tws:/tmp# tcpdump -c 1 -r anon.low.ftp.pcap -neXvvv

reading from file anon.low.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 00:0c:29:2d:6a:a0 > 00:50:56:ee:e5:fc, ethertype IPv4 (0x0800),
length 74: (tos 0x0, ttl 64, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 60) 246.142.91.186.1385 > 90.113.151.13.21: S, cksum 0x7c1a (correct),
2888152290:2888152290(0) win 5840 <mss 1460,sackOK,timestamp 199370 0,nop,wscale 2>
0x0000: 4500 003c be28 4000 4006 38cc f68e 5bba E..<.(@.@.8...[.
0x0010: 5a71 970d 0569 0015 ac25 b4e2 0000 0000 Zq...i...%......
0x0020: a002 16d0 7c1a 0000 0204 05b4 0402 080a ....|...........
0x0030: 0003 0aca 0000 0000 0103 0302 ............

I decided I wanted a low profile that also modified MAC addresses, so I copied the low setting and then made this change:

<configitem anon="AnonBytewiseHashSha1" name="MacSource"/>
<configitem anon="AnonBytewiseHashSha1" name="MacDest"/>

This was the result.

tws:/tmp# tcpdump -c 1 -r anon.low-mac.ftp.pcap -neXvvv
reading from file anon.low-mac.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 da:cb:dc:54:d2:51 > da:28:8d:39:ef:7b, ethertype IPv4 (0x0800),
length 74: (tos 0x0, ttl 64, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 60) 246.142.91.186.1385 > 90.113.151.13.21: S, cksum 0x7c1a (correct),
2888152290:2888152290(0) win 5840 <mss 1460,sackOK,timestamp 199370 0,nop,wscale 2>
0x0000: 4500 003c be28 4000 4006 38cc f68e 5bba E..<.(@.@.8...[.
0x0010: 5a71 970d 0569 0015 ac25 b4e2 0000 0000 Zq...i...%......
0x0020: a002 16d0 7c1a 0000 0204 05b4 0402 080a ....|...........
0x0030: 0003 0aca 0000 0000 0103 0302 ............

Finally I ran the medium and high settings.

tws:/tmp# tcpdump -c 1 -r anon.medium.ftp.pcap -neXvvv
reading from file anon.medium.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 da:cb:dc:54:d2:51 > da:28:8d:39:ef:7b, ethertype IPv4 (0x0800),
length 60: (tos 0x0, ttl 116, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 40) 21.248.227.61.19357 > 172.148.57.189.56062: S, cksum 0x31e7
(correct), 2888152290:2888152290(0) win 5840
0x0000: 4500 0028 be28 4000 7406 6920 15f8 e33d E..(.(@.t.i....=
0x0010: ac94 39bd 4b9d dafe ac25 b4e2 0000 0000 ..9.K....%......
0x0020: 5002 16d0 31e7 0000 0000 0000 0000 P...1.........

tws:/tmp# tcpdump -c 1 -r anon.high.ftp.pcap -neXvvv
reading from file anon.high.ftp.pcap, link-type EN10MB (Ethernet)
09:38:37.565642 55:3e:4d:bf:1f:e8 > 55:35:a0:67:f1:3a, ethertype IPv4 (0x0800),
length 60: (tos 0x0, ttl 126, id 48680, offset 0, flags [DF], proto: TCP (6),
length: 40) 162.131.129.172.20319 > 97.102.43.234.21842: S, cksum 0xb113
(correct), 2888279266:2888279266(0) win 5907
0x0000: 4500 0028 be28 4000 7e06 8d27 a283 81ac E..(.(@.~..'....
0x0010: 6166 2bea 4f5f 5552 ac27 a4e2 2080 2000 af+.O_UR.'......
0x0020: 5002 1713 b113 0000 0000 0000 0000 P.............
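The traces above show two things an anonymizer has to get right: the bytewise SHA-1 policy maps each byte independently (both original MACs begin with 00, and both anonymized MACs begin with da), and the IP and TCP checksums are recomputed so tcpdump still reports them as "(correct)". The following Python is an added example, not PktAnon's code; it reproduces both behaviours on the first packet from the post. The table construction (first byte of SHA-1 over a key and the byte value) is an assumption modelled on the policy name AnonBytewiseHashSha1, the field names IpSource/IpDest and the key are mine, and only MacSource/MacDest come from the post. Because the mapping is a fixed 256-entry substitution, address structure survives (useful for analysis) but the same real byte always yields the same anonymized byte, which is the trade-off the medium and high profiles above avoid by also rewriting ports, TTLs and sequence numbers.

```python
"""Toy bytewise-SHA1 packet anonymizer for one Ethernet/IPv4/TCP frame.

Added example, not PktAnon's code. The anonymization step is modelled on the
policy name AnonBytewiseHashSha1 from the post; how PktAnon actually derives
its substitution table is an assumption here.
"""
import hashlib
import struct

# Constructed from the first original packet in the post (tcpdump -neXvvv):
# dst 00:50:56:ee:e5:fc, src 00:0c:29:2d:6a:a0, IPv4, TCP SYN
# 192.168.255.131:1385 -> 62.243.72.50:21, IP cksum 0x3542, TCP cksum 0x7890.
ORIGINAL_FRAME = bytes.fromhex(
    "005056eee5fc" "000c292d6aa0" "0800"
    "4500003cbe28400040063542c0a8ff83"
    "3ef3483205690015ac25b4e200000000"
    "a00216d078900000020405b40402080a"
    "00030aca0000000001030302"
)

ETH_LEN = 14
# Frame offsets of the fields a policy may touch (untagged Ethernet + IPv4).
# MacSource/MacDest are the configitem names shown in the post; IpSource/IpDest
# are names chosen for this example (assumed, not PktAnon's).
FIELDS = {"MacDest": (0, 6), "MacSource": (6, 12),
          "IpSource": (26, 30), "IpDest": (30, 34)}


def bytewise_table(key: bytes) -> bytes:
    """256-entry substitution: value v -> first byte of SHA-1(key || v).
    The same input byte always yields the same output byte, so structure such
    as a shared OUI prefix survives; the map is not guaranteed collision-free."""
    return bytes(hashlib.sha1(key + bytes([v])).digest()[0] for v in range(256))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def compute_checksums(frame: bytes) -> tuple:
    """Return (ip_checksum, tcp_checksum) as they should be for this frame."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    if frame[ETH_LEN + 9] != 6:
        raise ValueError("only TCP over IPv4 is handled in this example")
    ip = bytearray(frame[ETH_LEN:ETH_LEN + ihl])
    ip[10:12] = b"\x00\x00"                      # checksum field is zero while summing
    total_len = struct.unpack("!H", frame[ETH_LEN + 2:ETH_LEN + 4])[0]
    tcp = bytearray(frame[ETH_LEN + ihl:ETH_LEN + total_len])
    tcp[16:18] = b"\x00\x00"
    # TCP pseudo-header: src IP, dst IP, zero, protocol, TCP length
    pseudo = frame[ETH_LEN + 12:ETH_LEN + 20] + struct.pack("!BBH", 0, 6, len(tcp))
    return inet_checksum(bytes(ip)), inet_checksum(pseudo + bytes(tcp))


def stored_checksums(frame: bytes) -> tuple:
    """Return the (ip_checksum, tcp_checksum) values currently in the frame."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    ip_ck = struct.unpack("!H", frame[ETH_LEN + 10:ETH_LEN + 12])[0]
    tcp_ck = struct.unpack("!H", frame[ETH_LEN + ihl + 16:ETH_LEN + ihl + 18])[0]
    return ip_ck, tcp_ck


def anonymize(frame: bytes, policy: dict, key: bytes) -> bytes:
    """Apply {field: "AnonBytewiseHashSha1"} to the frame and rewrite both
    checksums, as tcpdump's "(correct)" on the post's anonymized traces requires."""
    table = bytewise_table(key)
    out = bytearray(frame)
    for field, anon in policy.items():
        if anon != "AnonBytewiseHashSha1":
            raise ValueError("only AnonBytewiseHashSha1 is modelled here: %s" % anon)
        start, end = FIELDS[field]
        out[start:end] = bytes(table[b] for b in out[start:end])
    ihl = (out[ETH_LEN] & 0x0F) * 4
    ip_ck, tcp_ck = compute_checksums(bytes(out))
    out[ETH_LEN + 10:ETH_LEN + 12] = struct.pack("!H", ip_ck)
    out[ETH_LEN + ihl + 16:ETH_LEN + ihl + 18] = struct.pack("!H", tcp_ck)
    return bytes(out)


def describe(frame: bytes) -> dict:
    """Pull out the fields the post compares between profiles."""
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[ETH_LEN + ihl:ETH_LEN + ihl + 4])
    return {
        "mac_dst": frame[0:6].hex(":"), "mac_src": frame[6:12].hex(":"),
        "ip_src": ".".join(map(str, frame[26:30])),
        "ip_dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport,
    }


# Mirrors the post's "low profile plus MAC addresses" change: hash every address field.
LOW_MAC_POLICY = {name: "AnonBytewiseHashSha1" for name in FIELDS}

if __name__ == "__main__":
    anon = anonymize(ORIGINAL_FRAME, LOW_MAC_POLICY, key=b"example-key")  # key is a placeholder
    print(describe(ORIGINAL_FRAME))
    print(describe(anon), "checksums ok:", stored_checksums(anon) == compute_checksums(anon))
```

Running it prints the original and anonymized address fields; ports are untouched, both anonymized MACs share the same first byte because both originals start with 00, and the rewritten checksums verify. Swapping the key gives a different but equally consistent table, which is why a profile intended for sharing should fix the key once per trace set rather than per packet.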

We should be able to try this tool with OpenPacket.org. Let me know what you think.

For details on the anonymization policies please read the documentation.

9 comments:

Wesley Shields said...

There is a similar tool out there called BitTwist (it's in ports, maintained by yours truly) that can do a similar thing. It's not as configurable (I think, have not really compared the two in detail) as PktAnon but it may be worth looking into if you're doing this kind of stuff.

I'll see about getting PktAnon into the ports tree.

Joe said...

FreeBSD -> Ubuntu -> Debian.

Didn't know you were using Debian now. How do you like it versus Ubuntu?

James Turnbull said...

Thanks Richard. Very well timed as I was searching for exactly this last week.

Christoph P. Mayer said...

Hi,

we, the PktAnon developers, would be very happy to help getting PktAnon into OpenPacket.org!

If there is an interest in this, we would like to kick off discussion about mainly three points:

1. What protocols need to be supported? PktAnon supports a wide range of standard protocols. But it needs extensions in higher layer protocols for layer >= 5. Due to the architecture new protocols are quite easy to add.

2. What additional anonymization primitives are needed and how can anonymized traces be verified?

3. Will we find a way to define community standardized anonymization profiles? From our point of view this requires cooperation from network engineers, researchers, and lawyers. There is still no consensus after quite some research done in this area about what anonymization is "right". Having the community discussing a standard set of anonymization profiles would be a huge step forward! Having standardized profiles also helps e.g. OpenPacket.org to mark traces in saying what profile has been used.

I would be very happy if there is interest in discussing these points and getting the community further in sharing network traces.

Best regards,
Christoph P. Mayer

Richard Bejtlich said...

WXS, PktAnon in the ports tree would be great.

Joe, I still use FreeBSD on my servers, Ubuntu on my non-work desktop, and Debian for my class images. I decided to demo PktAnon on Debian because I wanted to try it in a VM first.

Christoph, I am cc'ing your message to our openpacket-devel list. Would you like to join it?

Anthony S. Policastro said...

Hi Richard,
Would you be interested in taking a look at my book on digital terrorism? Let me know.

Wesley Shields said...

It's broken under FreeBSD. The authors have said they will look into fixing it soon.

Pinoy Computer Programming said...

i find it hard to understand... hehe

Jon Oberheide said...

Richard,

Interesting tool! Its design goals are very similar to flowscrub:

http://code.google.com/p/flowscrub/

"flowscrub provides multi-format (pcap, netflow, silk), multi-layer (link, network, transport, application), and multi-attribute (ethernet.src, ip.ttl, tcp.sport, http.uri, etc) transformations (set, zero, mask, rand, hash, etc) for flexible and powerful flow anonymization using simple configuration files."

It has the advantage of piggy-backing on dpkt so any parsing models supported by dpkt can be transparently used.

Now I just need to get off my ass and implement some anonymization transformations! ;-)

Regards,
Jon Oberheide