Merge pull request #3 from StrangeRanger/dev
StrangeRanger authored May 10, 2024
2 parents fc4c4a1 + 6297e80 commit 7f777b3
Showing 12 changed files with 152 additions and 75 deletions.
Binary file modified IP Shuffle.pdf
1 change: 1 addition & 0 deletions LaTeX Writeup/abstract.tex
@@ -0,0 +1 @@
This paper introduces a Bash script designed as a Moving Target Defense (MTD) mechanism for dynamically assigning a random IP address to a computer’s network interface, thereby complicating lateral movement reconnaissance. The IP-shuffle script generates a random IP address within a specified range, verifies its availability, and ensures proper configuration. By unpredictably rotating IP addresses within a subnet, the IP-shuffle script disrupts attackers’ ability to establish a static view of the network, making reconnaissance challenging. This paper evaluates the impact of IP-shuffle in mitigating network reconnaissance and lateral movement, offering insights into its effectiveness as a proactive defense strategy.
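Review bot: the tool is named "IP-shuffle" throughout this abstract but \texttt{ip-shuffle} in introduction.tex, system-design.tex and the new conclusion.tex; settle on one form (the typeset \texttt{ip-shuffle} matches the script's file name) so the abstract agrees with the body. Also "a computer's network interface ... verifies its availability" reads as if the interface's availability were being checked; "verifies that the chosen address is unused on the subnet" says what the script does.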
16 changes: 0 additions & 16 deletions LaTeX Writeup/background.tex

This file was deleted.

6 changes: 3 additions & 3 deletions LaTeX Writeup/conclusion.tex
@@ -1,3 +1,3 @@
Moving Target Defense (MTD) is proposed as one of the "game-changing" themes in cybersecurity. Its vision is described as follows: to create, evaluate, and deploy mechanisms and strategies that are diverse, continually shifting, and changing over time to increase complexity and costs for attackers, limit the exposure of vulnerabilities and opportunities for attack, and increase system resiliency~\cite{cai2016introduction}.
The IP-shuffle script provides a robust solution for dynamically allocating random IP addresses to network interfaces, a critical component of network security strategies to deter potential attackers. Leveraging Bash scripting, it offers functionalities for generating IP addresses, checking availability, and validating network configurations, ensuring efficient and reliable IP address assignment. Its error-handling capabilities and responsiveness to Unix signals improve reliability during execution, strengthening network resilience against errors or disruptions. Additionally, its modular design allows for easy adaptation to different network setups and environments, making it a valuable tool for automating tasks related to network interface configuration.
Furthermore, IP-shuffle embodies the concept of IP shuffling, a technique designed to complicate attackers' reconnaissance efforts by constantly changing IP addresses unpredictably. By dynamically assigning random IP addresses, IP-shuffle enhances organizations' proactive defense stance, increasing the difficulty for attackers to identify and exploit vulnerabilities. In essence, IP-shuffle represents a sophisticated yet user-friendly approach to managing dynamic IP addresses, empowering organizations to enhance their overall security posture and mitigate the impact of cyber threats.
Moving Target Defense (MTD) has been hailed as a revolutionary strategy in cybersecurity that increases complexity and costs for attackers while reducing the exposure of vulnerabilities and enhancing system resilience \cite{cai2016network}. This paper introduced the \texttt{ip-shuffle} script, a robust solution for dynamically allocating random IP addresses to network interfaces, thereby impeding attackers' reconnaissance efforts.
The \texttt{ip-shuffle} script provides a systematic approach to dynamic IP address assignment through its modular design and comprehensive functionalities, including generating random IP addresses, verifying availability, and validating network configurations. By leveraging error-handling mechanisms and Unix signal responsiveness, the script ensures reliable execution and strengthens network resilience. The evaluation demonstrated the impact of \texttt{ip-shuffle} in complicating reconnaissance and lateral movement by continually altering IP addresses within a subnet, making it challenging for attackers to establish a static network view.
In future work, the potential of integrating this technique with Software Defined Networking (SDN) could offer more robust and flexible defense mechanisms. Additionally, addressing the limitations of MAC address fingerprinting and evaluating the impact on legitimate network users will further improve this Moving Target Defense strategy. Overall, the \texttt{ip-shuffle} script exemplifies proactive defense strategies that make it increasingly difficult for attackers to identify and exploit vulnerabilities.
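Review bot: the citation key changes from cai2016introduction to cai2016network in the first added line; make sure the .bib file carries the new key (or that the old entry was renamed), otherwise the \cite compiles to "?" with an undefined-citation warning. The removed line quoted the source's own "game-changing" phrasing; "has been hailed as a revolutionary strategy" is a stronger claim than that quotation supports, so consider keeping the quoted wording. The future-work sentence repeats the "Future Work and Limitations" list in evaluation.tex almost verbatim; one sentence pointing back to that section would avoid the duplication.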
25 changes: 0 additions & 25 deletions LaTeX Writeup/eval.tex

This file was deleted.

64 changes: 63 additions & 1 deletion LaTeX Writeup/evaluation.tex
@@ -1 +1,63 @@
This is our evaluation.
To evaluate the effectiveness of our IP shuffling script, we'll be adding an extra system to the virtual network with a static IP address of \texttt{192.168.1.10}. We'll set up an OPNsense instance as the default gateway for all virtual machines. This instance will be assigned the IP address \texttt{192.168.1.1}, acting as a simulated router that provides the DHCP service. As shown in Figure~\ref{fig:network-topology}, there will be two Ubuntu Linux machines and one instance of FreeBSD. Each machine will receive an IP address on initial startup starting at \texttt{192.168.1.100}, assigned by OPNsense. We'll give each system six minutes after startup to begin changing its IP address, after which we'll use an arp-scan using our extra machine to obtain the following output:
\begin{verbatim}
192.168.1.1 00:1c:42:c1:e4:da (Unknown)
192.168.1.103 00:1c:42:c6:34:d1 (Unknown)
192.168.1.200 00:1c:42:98:99:4d (Unknown)
192.168.1.236 00:1c:42:76:c0:7e (Unknown)
\end{verbatim}
We can observe that the IP addresses, with the exception of the OPNsense instance, have been altered from their initially assigned addresses through DHCP. To check if the systems have changed their IPs once more, let's wait for another six minutes and then conduct another ARP scan. Here are the results of the said scan:
\begin{verbatim}
192.168.1.1 00:1c:42:c1:e4:da (Unknown)
192.168.1.71 00:1c:42:76:c0:7e (Unknown)
192.168.1.199 00:1c:42:c6:34:d1 (Unknown)
192.168.1.211 00:1c:42:98:99:4d (Unknown)
\end{verbatim}
Let's cross-check the modified IP addresses with their respective MAC addresses to better understand their altered IPs.

\begin{tikzpicture}[
node distance=1cm and 1.5cm,
box/.style={rectangle, draw, minimum height=1cm, minimum width=4cm, align=center},
arrow/.style={-Stealth, thick},
scale=\linewidth/10cm, transform shape
]

% Original IP-MAC pairs
\node[box] (old1) {192.168.1.1\\00:1c:42:c1:e4:da};
\node[box, below=of old1] (old2) {192.168.1.103\\00:1c:42:c6:34:d1};
\node[box, below=of old2] (old3) {192.168.1.200\\00:1c:42:98:99:4d};
\node[box, below=of old3] (old4) {192.168.1.236\\00:1c:42:76:c0:7e};

% New IP-MAC pairs
\node[box, right=of old1] (new1) {192.168.1.1\\00:1c:42:c1:e4:da};
\node[box, below=of new1] (new2) {192.168.1.199\\00:1c:42:c6:34:d1};
\node[box, below=of new2] (new3) {192.168.1.211\\00:1c:42:98:99:4d};
\node[box, below=of new3] (new4) {192.168.1.71\\00:1c:42:76:c0:7e};

% Arrows showing changes
\draw[arrow] (old1) -- (new1);
\draw[arrow] (old2) -- (new2);
\draw[arrow] (old3) -- (new3);
\draw[arrow] (old4) -- (new4);

% Labels
\node[above=of old1] (labelOld) {\textbf{Initial ARP Scan}};
\node[above=of new1] (labelNew) {\textbf{ARP Scan After Six Minutes}};

\end{tikzpicture}

\subsection{Analysis and Observations}
Analyzing the IP shuffling technique involves evaluating its ability to prevent attackers from gaining valuable network reconnaissance information. Here’s a summary of our observations:
\begin{itemize}
\item \textbf{IP Address Changes:} The IP addresses changed significantly over the two arp-scans, making it difficult for an attacker to establish a static network view.
\item \textbf{MAC Address Consistency:} Each machine retained its MAC address throughout the scans, but the association between MAC addresses and IP addresses changed dynamically.
\item \textbf{Impact on Reconnaissance:} An attacker may struggle to perform effective reconnaissance and lateral movement as the IP addresses of potential targets keep changing, requiring constant rescanning of the subnet.
\end{itemize}

\subsection{Future Work and Limitations}

\begin{itemize}
\item \textbf{MTD Evasion Analysis:} Attackers may attempt to fingerprint devices based on other network characteristics like latency or open ports. Future work could include an analysis of such evasion techniques.
\item \textbf{MAC Address Fingerprinting Mitigation:} Although the IP addresses of the machines are shuffled, each machine retains its MAC address, which can be used to fingerprint it. Investigating ways to obscure MAC addresses or to randomly change them in addition to IP shuffling could significantly improve the effectiveness of the Moving Target Defense (MTD) strategy.
\item \textbf{Impact on Legitimate Users:} Changing IP addresses might also impact legitimate network users. Evaluating how legitimate users handle these changes could be a valuable direction for research.
\item \textbf{Integration with SDN:} Integration of this MTD technique with Software Defined Networking (SDN) could provide more robust and flexible defense mechanisms.
\end{itemize}
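Review bot: the "IP Address Changes" bullet claims the rotation makes it "difficult for an attacker to establish a static network view", but the MAC-keyed diagram directly above it shows that every host can be re-identified across the two scans by its unchanged MAC address, so an attacker who keys on MAC rather than IP sees the same three hosts each time; qualify the claim in "Analysis and Observations" rather than leaving the point only to the "MAC Address Fingerprinting Mitigation" item under Future Work. On the LaTeX: the tikzpicture uses -Stealth (needs \usetikzlibrary{arrows.meta}) and below=of / right=of (needs \usetikzlibrary{positioning}); confirm the preamble loads both, and wrap the picture in a figure environment with \caption and \label so the text can reference it the same way it references Figure~\ref{fig:network-topology}. Minor: the listings do not show the scanning host 192.168.1.10, which is expected since arp-scan does not report its own interface, and a short sentence saying so would pre-empt the question; the prose also mixes future tense ("we'll be adding") with reported results ("have been altered"), and past tense throughout reads better for an evaluation.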
2 changes: 0 additions & 2 deletions LaTeX Writeup/intro.tex

This file was deleted.

2 changes: 2 additions & 0 deletions LaTeX Writeup/introduction.tex
@@ -0,0 +1,2 @@
In the rapidly evolving field of cybersecurity, attackers constantly refine their reconnaissance and lateral movement techniques to compromise networked systems. Moving Target Defense (MTD) strategies have emerged as a proactive solution to complicate and thwart such attacks by introducing uncertainty and unpredictability into network operations.
One such MTD technique is known as IP shuffling, which involves dynamically changing the IP addresses of systems within a network to impede reconnaissance. This paper introduces the \texttt{ip-shuffle} script, a Bash-based tool that dynamically assigns random IP addresses to a computer’s network interface within a specified range, verifies its availability, and ensures proper configuration. By unpredictably rotating IP addresses within a subnet, the \texttt{ip-shuffle} script disrupts attackers’ ability to establish a static view of the network, making reconnaissance challenging. The script achieves efficient and reliable IP address assignment through distinct functions for IP address generation, availability verification, network configuration validation, and gateway reachability testing. The \texttt{ip-shuffle} script incorporates comprehensive error handling and compatibility with Linux and BSD systems to provide a basic solution for scenarios requiring dynamic IP address allocation.
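Review bot: "assigns random IP addresses to a computer's network interface within a specified range, verifies its availability, and ensures proper configuration" has a number mismatch (plural addresses, singular its); "verifies that the chosen address is unused" reads cleanly. "a basic solution" in the last sentence also sits oddly next to the "robust solution" wording used for the same script in conclusion.tex; pick one register.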
41 changes: 41 additions & 0 deletions LaTeX Writeup/system-design.tex
@@ -0,0 +1,41 @@
The \texttt{ip-shuffle} script provides a systematic approach to dynamic IP address assignment for network interfaces in Linux and FreeBSD environments. Built around Bash scripting, it orchestrates the IP address allocation process seamlessly. By default, the program runs every three minutes based on a cronjob, dynamically configuring the IP address, gateway, and network interface details. This ensures an efficient and flexible network configuration.

\subsection{Components and Functions}
The core of the \texttt{ip-shuffle} script relies on modular functions that handle IP address generation, availability verification, and network configuration validation. The primary functions include:
\begin{itemize}
\item \textbf{\texttt{generate\_random\_ip()}:}
Generates a random IP address within a specified subnet range.
\item \textbf{\texttt{check\_ip\_availability()}:}
Verifies whether the generated IP address is available using the \texttt{ping} command.
\item \textbf{\texttt{validate\_network\_config()}:}
Validates that the newly assigned IP address works correctly within the network by checking gateway reachability.
\item \textbf{\texttt{reset\_network()}:}
Resets network configurations in case of errors to restore connectivity.
\end{itemize}

\subsection{IP Address Assignment Workflow}
The workflow of the \texttt{ip-shuffle} script follows these steps:
\begin{enumerate}
\item \textbf{Generate a Random IP Address:}
The script uses \texttt{generate\_random\_ip()} to produce a new IP address.
\item \textbf{Check Availability:}
The script verifies if the generated IP address is available using \texttt{check\_ip\_availability()}.
\item \textbf{Configure Network Interface:}
Depending on the OS, the script will either configure a specified interface using \texttt{ip} or \texttt{ifconfig}.
\item \textbf{Validate Network Configuration:}
The script ensures proper network configuration by testing gateway reachability via \texttt{validate\_network\_config()}.
\item \textbf{Reset Network if Needed:}
If the new IP address is invalid or unreachable, the \texttt{reset\_network()} function is called to restore network connectivity.
\end{enumerate}

\subsection{Scheduling with Cron}
To ensure regular IP address rotation, the \texttt{ip-shuffle} script is scheduled with a cronjob that runs every three minutes:
\begin{verbatim}
# Recommended placement: /usr/local/sbin/ip-shuffle
*/3 * * * * /path/to/ip-shuffle
\end{verbatim}
This systematic rotation of IP addresses complicates reconnaissance and lateral movement for potential attackers, forcing them to continually rescan the network.

\subsection{Error Handling and Signal Support}
The \texttt{ip-shuffle} script incorporates error-trapping mechanisms and Unix signal support to enhance reliability and resilience. Common Unix signals such as \texttt{SIGINT} and\texttt{SIGTERM} are handled gracefully, allowing the script to clean up network configurations if interrupted unexpectedly.
This ensures that network configurations remain intact even in the face of unexpected interruptions.
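Review bot: check_ip_availability() treats an address as free when ping gets no reply (workflow step 2), but a host that filters ICMP echo requests looks free under that test and the script will then configure a duplicate address on the subnet; an ARP probe (arping, or IPv4 address conflict detection as described in RFC 5227) asks the question the script actually needs answered, and the design section should say what happens when a conflict is only discovered after the interface has been reconfigured. Related: the evaluation shows OPNsense leasing addresses from 192.168.1.100 upward while the script picked 192.168.1.103 and 192.168.1.200, so the random range overlaps the DHCP pool; either exclude the pool from the range or document that the DHCP server must probe before leasing. In the cron listing the comment recommends /usr/local/sbin/ip-shuffle while the entry runs /path/to/ip-shuffle; use the same path in both, and state that the entry belongs in root's crontab since the ip/ifconfig address changes in step 3 need root. Typo in the last paragraph: and\texttt{SIGTERM} lacks a space and will typeset as "andSIGTERM".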
16 changes: 16 additions & 0 deletions LaTeX Writeup/threat-model.tex
@@ -0,0 +1,16 @@
\begin{figure}
\caption{Network Topology Diagram}
\centering
\includegraphics[width=0.5\textwidth]{diagram.png}
\label{fig:network-topology}
\end{figure}

%-------------------------------------------------------------------------------

Our threat model involves a scenario where an adversary has successfully compromised a company device within a subnet on the company network. Figure~\ref{fig:network-topology} depicts the network topology in which this threat model takes place: three interconnected computers form a subnet, with one of these computers already compromised. In this scenario, the attacker is assumed to possess the following capabilities:
\begin{itemize}
\item \textbf{Basic User Access:} The attacker has basic user privileges on the compromised system.
\item \textbf{Network Reconnaissance:} The attacker can perform network reconnaissance by scanning the network.
\item \textbf{System Persistence:} The attacker can maintain persistent access to the compromised device.
\end{itemize}
Given these capabilities, the attacker seeks to gain valuable reconnaissance information, identify other devices on the network, and exploit any discovered vulnerabilities that could facilitate lateral movement. The \texttt{ip-shuffle} script aims to counter these activities by dynamically assigning random IP addresses to network interfaces, making it difficult for the attacker to establish a static view of the network and impeding their ability to conduct effective reconnaissance.
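Review bot: the threat model grants the attacker only "basic user privileges", yet the evaluation measures reconnaissance with arp-scan, which needs raw-socket (root) privileges to send ARP requests; either extend the capabilities list or note that the unprivileged view (the local ARP table via ip neigh or arp -a, populated by normal traffic) is enough for the MAC-keyed tracking the evaluation demonstrates, so that the evaluation's limitation follows from the threat model rather than appearing as a surprise. The model should also state whether the compromised device itself runs ip-shuffle, since that changes what the attacker can observe about the rotation schedule. On the figure: \caption appears before \centering and \includegraphics, so the caption typesets above the image; the usual order is \centering, \includegraphics, then \caption followed by \label (\label must stay after \caption for the reference to resolve).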