README.md
qi_internet_SYNACK_curl_jsonip.pcap
qi_local_GET_slashdot_redirect.pcap
qi_local_SYNACK_curl_jsonip.pcap
qi_local_SYNACK_imgur_qdp.pcap
qi_local_SYNACK_linkedin_redirect.pcap
qi_local_SYNACK_putty_dl.pcap
qi_local_SYNACK_slashdot_redirect.pcap
Quantum Insert PCAPS

Example pcaps of QUANTUMINSERT attacks, created in a controlled environment (plus one shot performed over the real internet).

PCAPS or it didn't happen!

We have shared the annotated pcapng files with CloudShark.

curl jsonip.com

We shot at our own client while it made a request to jsonip.com using curl. The shooter fired on the server's SYN+ACK, using the sequence and acknowledgement numbers from that packet to forge the first response segment so that it reaches the client before the real one. The inserted payload is a simple text body containing BANG!. Capture: qi_local_SYNACK_curl_jsonip.pcap.

The following pcap is the same shot, but performed over the real internet instead of the lab network: qi_internet_SYNACK_curl_jsonip.pcap.

putty.exe download

We shot at a client downloading putty.exe from the official PuTTY website. The inserted payload contains a redirect to a different URL and executable, namely that of 7-Zip. The browser successfully downloaded 7z938.exe instead of putty.exe. The shot was performed on the SYN+ACK of the PuTTY download server (the.earth.li). Capture: qi_local_SYNACK_putty_dl.pcap.

The Content-Length: 0 header makes the inserted response complete on its own: the browser has nothing more to read and acts on the redirect immediately, while the real server's bytes, which arrive later with sequence numbers the client has already accepted, are discarded as duplicates by the client's TCP stack.

302 HTTP Redirects

The following pcaps contain an HTTP 302 redirect to http://www.fox-it.com, which we shot on the SYN+ACK of slashdot.org and www.linkedin.com. The browser was successfully redirected, as can be seen in the pcaps: qi_local_SYNACK_slashdot_redirect.pcap and qi_local_SYNACK_linkedin_redirect.pcap.

The following pcap is also a redirect, but shot on the client's actual HTTP GET request after checking the unique identifier in the Cookie header, i.e. the shooter waits for the request itself and only fires for the targeted client: qi_local_GET_slashdot_redirect.pcap.

Here too, the Content-Length: 0 header ensures that the browser treats the inserted redirect as a complete response and ignores the original response that arrives after it.

Malicious Javascript

The following pcap contains a malicious JavaScript response that is inserted when the browser visits imgur.com. The shot is performed on the SYN+ACK of the connection for http://platform.twitter.com/widgets.js, a script that imgur.com loads: qi_local_SYNACK_imgur_qdp.pcap.

The Content-Length: 108 header declares the exact length of the inserted JavaScript body, so the browser treats the inserted response as complete and ignores the original widgets.js response that arrives after it.
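The shots above all follow one pattern: a forged response that reuses the sequence numbers the server will use, races the real response, and declares its own Content-Length so the browser needs nothing further. That pattern is also what gives the attack away on the wire: the same flow carries two data segments with the same sequence number but different payloads (and usually a different IP TTL, because the injector sits at a different hop distance than the server). The following Python is an added example written for this page, not code from this repository or from Fox-IT: it builds the kind of 302 response the redirect shots insert, assembles a constructed capture of such a shot (the IPs, ports, example.org host and sequence numbers are assumptions), and runs a minimal duplicate-sequence-number check over it. The read_pcap helper assumes the repository's .pcap files are classic libpcap format with an Ethernet link type; the annotated CloudShark files are pcapng and would need a different reader.

```python
import struct

ETH_IPV4 = b"\x08\x00"
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", ttl=64):
    """Build a minimal Ethernet/IPv4/TCP frame. Constructed test data: MACs and
    checksums are left zero because the parser below does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + ETH_IPV4 + ip + tcp


def parse_frame(frame):
    """Return the IPv4/TCP fields of an Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != ETH_IPV4 or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    t = 14 + ihl
    sport, dport, seq, ack = struct.unpack("!HHII", frame[t:t + 12])
    data_off = (frame[t + 12] >> 4) * 4
    return {
        "src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": frame[t + 13], "ttl": frame[22],
        "payload": frame[t + data_off:14 + total_len],
    }


def build_injected_redirect(location):
    """The kind of response the redirect shots insert: a complete 302 whose
    Content-Length: 0 tells the browser there is nothing more to read."""
    return (b"HTTP/1.1 302 Found\r\nLocation: " + location.encode() +
            b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def find_injected_segments(frames):
    """Flag data segments that reuse an already seen sequence number on the same
    flow with a different payload. A retransmission repeats the same bytes; a
    QUANTUMINSERT shot and the real server response both claim the same sequence
    number with different content. Exact-seq matches only: a production detector
    must also compare partially overlapping segments."""
    first_seen = {}
    findings = []
    for frame in frames:
        p = parse_frame(frame)
        if p is None or not p["payload"]:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["seq"])
        if key not in first_seen:
            first_seen[key] = p
        elif first_seen[key]["payload"] != p["payload"]:
            earlier = first_seen[key]
            findings.append({
                "flow": key[:4], "seq": p["seq"],
                "first": earlier["payload"], "second": p["payload"],
                # an injector rarely sits at the same hop distance as the real server
                "ttl_delta": abs(earlier["ttl"] - p["ttl"]),
            })
    return findings


def read_pcap(path):
    """Yield frames from a classic libpcap file (assumption: libpcap format,
    Ethernet link type; pcapng needs a different reader)."""
    with open(path, "rb") as f:
        magic = f.read(4)
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        f.read(20)  # remainder of the 24-byte global header
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:
                break
            incl_len = struct.unpack(endian + "IIII", hdr)[2]
            yield f.read(incl_len)


def sample_capture():
    """Constructed capture of a redirect shot on the SYN+ACK of a hypothetical server."""
    client, server = "10.0.0.5", "192.0.2.10"
    c_isn, s_isn = 1000, 5000
    get = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    real = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
    shot = build_injected_redirect("http://www.fox-it.com")
    return [
        build_frame(client, server, 40000, 80, c_isn, 0, SYN),
        build_frame(server, client, 80, 40000, s_isn, c_isn + 1, SYNACK, ttl=54),
        build_frame(client, server, 40000, 80, c_isn + 1, s_isn + 1, ACK),
        build_frame(client, server, 40000, 80, c_isn + 1, s_isn + 1, PSHACK, get),
        # the shot: forged from the SYN+ACK's numbers, arrives first, different TTL
        build_frame(server, client, 80, 40000, s_isn + 1, c_isn + 1 + len(get), PSHACK, shot, ttl=61),
        # the real response: same sequence number, now a duplicate to the client's TCP stack
        build_frame(server, client, 80, 40000, s_isn + 1, c_isn + 1 + len(get), PSHACK, real, ttl=54),
    ]


if __name__ == "__main__":
    import sys
    frames = read_pcap(sys.argv[1]) if len(sys.argv) > 1 else sample_capture()
    for f in find_injected_segments(frames):
        print(f["flow"], "seq", f["seq"], "ttl delta", f["ttl_delta"])
        print("  first :", f["first"][:60])
        print("  second:", f["second"][:60])
```

Run it with one of the repository's .pcap files as the argument to print each flow where a forged and a real segment collide, or with no argument to run it over the constructed capture. The check keys on the exact sequence number because that is what the shots in these captures do; real traffic also contains benign overlaps from retransmissions, which this check does not flag because their payload is identical.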