Power Point

Transcript

  1. Rain Forest Puppy Fingerprinting Port 80 [email_address] www.wiretrip.net/rfp/
  2. Note: updated slides are available at: http://www.wiretrip.net/rfp/talks/hivercon-2002/
  3. What is application fingerprinting?
     • Unique set of characteristics, or ‘fingerprint’
     • Can be used to identify the application
     • Similar to TCP/IP stack fingerprinting (a la nmap)
  4. How can we use app fingerprinting?
     • Identify an application, and even its version
     • Can pierce anonymity (removal of banners, etc)
     • Can detect real vs fake applications (emulated honeypots)
  5. Who can use app fingerprinting?
     • Consultants: pen-tests, assessments
     • Attackers
     • More importantly, admins need to be aware that obscuring version banners can be circumvented
  6. What can be fingerprinted?
     • Anything that interacts with the user (i.e. most network services)
     • More interaction yields a better fingerprint
     • Version identification depends on how code changes between versions
  7. HTTP fingerprinting
     • Some web application assessment tools rely on the HTTP banner
     • Admins are removing the banner (Urlscan, source tweak, etc)
     • HTTP protection devices are removing banners (web app firewalls, security proxies, load balancers, etc)
     • Some HTTP servers have the same banner for multiple versions (IIS and the various service pack levels)
  8. HTTP fingerprinting—lots to fingerprint
     • rfp.labs scanned 3 class A networks looking for web servers
     • Found many hundreds of web servers, and many dozens of web server software packages
  9. HTTP fingerprinting—the request
  10. HTTP fingerprinting—the request
  11. HTTP fingerprinting—other stuff
     • Headers: special and invalid encodings, plus the return order
     • Page responses: returned HTML on 404, 302, etc responses
     • Abnormalities: characteristics due to implementation or other weirdness
     • HTTP 0.9 requests: mixed bag of support
     • Filename encodings: unicode, double-encode, etc
     • Cookies: can reveal what’s in the processing stream
  12. HTTP fingerprinting for identification
     • No banner? Use a fingerprint to determine what it is
     • Provides a banner? Use a fingerprint to see if it’s truthful or lying
     • File extension identified as ASP/PHP? Verify the file handler
  13. HTTP fingerprinting for versioning
     • Remotely identify which service packs/SRPs on an IIS system
     • Be able to determine patch/vulnerability level without running an exploit
  14. HTTP fingerprinting—what’s on the horizon
     • Emulated honeypots and services are not good enough
     • Vulnerability testing/assessment without triggering the vuln
     • HTTP obscurity techniques will be pierced
     • Patch level determination through port 80 (for Windows/IIS)
     • Potential identification of inline HTTP devices
  15. Questions? http://www.wiretrip.net/rfp/talks/hivercon-2002/
  16. Bonus tool updates!
  17. Libwhisker 1.6
     • Latest libwhisker version
     • Features various bugfixes beyond version 1.5
  18. Whisker 2.1
     • Latest whisker version
     • Updated signature database
     • Documentation!
     • Incorporates some of the identification techniques discussed
  19. Available for download at: http://www.wiretrip.net/rfp/talks/hivercon-2002/
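
The header "return order" characteristic from slide 11 and the banner checks from slide 12, as an added example that is not part of the original slides and is not whisker or libwhisker code. It lets an admin see what a response still reveals after the banner is removed; the server names `alpha-httpd` and `beta-httpd`, their header orders, and the sample responses are all constructed assumptions.

```python
# Added example; "alpha-httpd"/"beta-httpd" are hypothetical servers with constructed header orders.
SIGNATURES = {
    "alpha-httpd": "date last-modified etag accept-ranges content-length content-type".split(),
    "beta-httpd": "content-length content-type last-modified accept-ranges etag date".split(),
}

def header_order(raw: bytes):
    """Return (Server banner or None, other header names in wire order)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    banner, names = None, []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if key == "server":
            banner = value.strip()
        elif sep:  # ignore lines that are not "name: value"
            names.append(key)
    return banner, names

def match(names, signatures=SIGNATURES):
    """Family whose header order agrees with the observed one; None on no match or a tie."""
    scores = []
    for family, order in signatures.items():
        ranks = [order.index(n) for n in names if n in order]
        if len(ranks) >= 2 and ranks == sorted(ranks):  # need 2+ headers to have an order
            scores.append((len(ranks), family))
    scores.sort(reverse=True)
    if not scores or (len(scores) > 1 and scores[0][0] == scores[1][0]):
        return None
    return scores[0][1]

def assess(raw: bytes):
    """Compare what the banner claims with what the header order suggests."""
    banner, names = header_order(raw)
    family = match(names)
    if family is None:
        return None, "unidentified"
    if banner is None:
        return family, "banner removed, still identifiable"
    if family in banner.lower():
        return family, "banner consistent"
    return family, "banner disagrees with header order"

# Constructed responses: one with the banner stripped, one with a misleading banner.
STRIPPED = (b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
            b"Last-Modified: Sun, 31 Dec 2000 00:00:00 GMT\r\nETag: \"c0ffee\"\r\n"
            b"Accept-Ranges: bytes\r\nContent-Length: 5\r\nContent-Type: text/html\r\n\r\nhello")
MISLABELLED = (b"HTTP/1.1 404 Not Found\r\nServer: alpha-httpd/1.3\r\nContent-Length: 0\r\n"
               b"Content-Type: text/html\r\nDate: Mon, 01 Jan 2001 00:00:00 GMT\r\n\r\n")
```

Header order alone is a weak signal when only a few headers are present, which is why `match` returns `None` on a tie instead of guessing.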
