The art of disguise - Antifingerprinting techniques

Slides from a course on how to evade fingerprinting tests with FreeBSD and some services, such as nginx, FTP and OpenSSH.

It also explores techniques to secure WordPress.

Published in: Technology


  1. The art of disguise: Anti-fingerprinting techniques. Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel
  2. Creative Commons License: "The art of disguise - Anti-fingerprinting techniques" by Daniel García García a.k.a. cr0hn is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs (Reconocimiento-NoComercial-SinObraDerivada) 3.0 Unported License. Permissions beyond the scope of this license may be available at: dani@iniqua.com.
  3. Index
      1. FreeBSD: A brief introduction.
      2. How does fingerprinting work?
      3. How to defeat it?
  4. FreeBSD… A brief introduction
  5. 1 - FreeBSD: A brief introduction
      1. How to install it?
      2. How to manage the software?
      3. How to install programs?
      4. Main differences with GNU/Linux.
  6. How to install it? Simple… With a wizard
  7. Software management
      • What is a port system?
      • Why are ports a good idea?
      • How do ports work?
  8. Installing new software: Compiling…
  9. Installing new software: From binaries…
  10. Main differences with GNU/Linux
      • General config: FreeBSD uses one file, /etc/rc.conf; GNU/Linux uses multiple config files and directories.
      • Services start: FreeBSD uses /etc/rc.d/ and /usr/local/etc/rc.d/; GNU/Linux uses /etc/init.d/.
      • User directories: FreeBSD uses /usr/home; GNU/Linux uses /home.
      • Kernel config: about 200 lines on FreeBSD; on GNU/Linux the kernel config file is very complicated.
      • Compiling software: on FreeBSD, software can natively be compiled; on GNU/Linux only some distributions can do it, like Gentoo.
  11. The fingerprinting… How does it work?
  12. 2 – Fingerprinting: How does it work?
      1. Why hide your systems?
      2. Operating system level.
      3. Service level.
      4. Application level.
  13. Why hide your OS and services?
      1. To hide from known (and unknown!) exploits.
      2. Necessary but unpatched versions of software.
      3. If somebody knows the OS you're running, they may also guess the applications that run on it.
      4. Privacy: nobody needs to know the systems you've got running.
  14. Operating System level (mmm ... fish)
      • TTL: OpenBSD: 255; Linux/*BSD: 64; Windows: 128; AIX: 30
  15. Operating System level
      • Common TCP initial window size: *BSD: FFFF; OpenBSD: 4000; Linux: 16A0; Windows: 2000; AIX: 4470/FFFF
  16. Operating System level
      • IP ID sequence generation algorithm.
      • Invalid TCP flags combination.
      • Answer to closed port: RST, nothing, ICMP unreachable.
      • TCP max send/receive window sizes.
      • Port ranges.
  17. Service level
      • Banners
  18. Application level
      • Session ID var (PHPSESSID/JSESSIONID).
      • Hidden/lost files.
      • Meta headers.
      • Var and method names.
  19. Application level. A practical example: Metadata.
  20. Application level. A practical example: Lost files.
  21. The fight… How to defeat it?
  22. 3 – Defeating fingerprinting
      • Kernel parameters
      • Changing banners
      • Modifying applications
  23. Kernel parameters. Disable (if you don't need them):
      • SCTP
      • IPv6
  24. Kernel parameters. In your /etc/sysctl.conf
  25. Service level. How to defeat it?
      • Changing configuration files
      • Changing source code of software*
  26. How to make a patch. Steps to make a patch:
      1. Download the source code of the app you want to patch.
      2. Extract the code and create a copy of it.
      3. In your copy, make the changes you need.
      4. Run a diff to extract the changes.
      5. Save the changes into a patch-* file.
  27. How to make a patch: Nginx. Steps 1 and 2:
      1. Download the source code of Nginx.
      2. Create a copy of the source.
  28. How to make a patch: Nginx. Step 3:
      • Locate the file that contains the version information:
      • Change the file information:
  29. How to make a patch: Nginx. Steps 4 and 5:
      • Make a diff against the original file and save it into a patch.
  30. FreeBSD patching method. What does FreeBSD need to apply our patch?
      • Put your file into: /usr/ports/CATEGORY/PROG/files
      • Your patch must be named like: patch-ORIGINAL_FILE_NAME
      • Change the relative path in your patch:
  31. FreeBSD patching method. And now, how do we compile our patched software…?
  32. FreeBSD patching method. Even an idiot can do it!
  33. Service level. Learning with examples:
      • Nginx
      • OpenSSH
      • PureFTPd
  34. Service level: Nginx. Where is the version information?
      • In nginx.h
  35. Service level: Nginx. The result: (Yes! I use a public IP for my LAN)
  36. Service level: OpenSSH. Where is the version information?
      • In Makefile:
      • Or in version.h:
  37. Service level: OpenSSH. The result:
  38. Service level: PureFTPd. Where is the version information?
      • In pure-ftpwho.c
      • In altlog.c
      • In ftp_parser.c
      • In ftpd.c
  39. Service level: PureFTPd. The result:
  40. Service level: nmap. What does nmap think?
  41. Service level: fingerprinting database. Where can we find a database of fingerprints?
  42. Application level. Learning with examples… Testing WordPress
  43. Application level: WordPress. Hiding our WordPress information:
      1. WordPress version.
      2. WordPress plugin versions.
      3. Session ID.
      4. Custom error pages.
      5. Metadata info.
      6. Hash of static and common files.
  44. Application level: WordPress. Step 1: WordPress version.
  45. Application level: WordPress. Step 2: Plugin versions.
  46. Application level: WordPress. Steps 1 and 2: Hiding versions.
  47. Application level: WordPress. Step 3: Session ID var.
  48. Application level: WordPress. Step 3: Hiding session ID var.
  49. Application level: WordPress. Step 4: Custom error pages… of IIS
  50. Application level: WordPress. Step 5: Metadata info.
  51. Application level: WordPress. Step 5: Hiding metadata info.
  52. Application level: WordPress. Step 6: Hash of static and common files.
      • Site.com/wp-includes/css/admin-bar.css:
      • Some programs have a database of hashes:
  53. Application level: WordPress. Step 6: Hiding common hashes:
      1. Modify our static files, like css:
      2. Check the new hash:
  54. Application level: WordPress. The result:
      • Plecost (http://www.iniqua.com/labs/plecost/): No plugins found!!
  55. Application level: WordPress. The result:
      • WP-scan (http://code.google.com/p/wpscan/): wp-scan doesn't like our filters
  56. Application level: WordPress. The result:
      • Nmap
  57. Application level: WordPress. Final result…. We've earned a beer!
  58. Questions?
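
The five patch-making steps from slides 26 to 30, as an added example that is not from the original slides. It runs offline on a constructed stand-in source tree: the directory `demo-1.0`, the header `src/core/version.h` and its `DEMO_VER` string are hypothetical, and flattening the path to `patch-src_core_version.h` and making paths relative to the top of the source are assumptions about what slide 30 shows.

```shell
#!/bin/sh
# Added example: a banner-hiding patch built the way slides 26-30 describe.
# The source tree is a constructed stand-in, not real nginx code.

make_banner_patch() {
    work=$1                       # scratch directory created by the caller
    rel=src/core/version.h        # hypothetical file holding the banner

    # Steps 1-2: "download" (here: construct) the source, then copy it.
    mkdir -p "$work/demo-1.0/src/core"
    cat > "$work/demo-1.0/$rel" <<'EOF'
#define DEMO_VERSION "1.0"
#define DEMO_VER     "demo/" DEMO_VERSION
EOF
    cp -R "$work/demo-1.0" "$work/demo-1.0.new"

    # Step 3: change the banner in the copy only.
    sed 's|"demo/" DEMO_VERSION|"httpd"|' "$work/demo-1.0/$rel" \
        > "$work/demo-1.0.new/$rel"

    # Step 4: diff original against copy. diff exits 1 when the files
    # differ, so 1 is the expected status; anything else is an error.
    name="patch-$(echo "$rel" | sed 's|/|_|g')"   # assumed naming
    status=0
    ( cd "$work" && diff -u "demo-1.0/$rel" "demo-1.0.new/$rel" ) \
        > "$work/$name.raw" || status=$?
    [ "$status" -eq 1 ] || return 1

    # Step 5 + slide 30: save as patch-*, with the header paths rewritten
    # relative to the top of the source tree and timestamps dropped.
    sed -e 's|^--- demo-1\.0/\([^[:space:]]*\).*|--- \1.orig|' \
        -e 's|^+++ demo-1\.0\.new/\([^[:space:]]*\).*|+++ \1|' \
        "$work/$name.raw" > "$work/$name"
    rm -f "$work/$name.raw"
    echo "$work/$name"            # path of the finished patch file
}

# Usage: make_banner_patch "$(mktemp -d)"
```

For a real port the finished file would be copied into `/usr/ports/CATEGORY/PROG/files`, as slide 30 states.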
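
An audit for step 6 on slides 52 and 53, as an added example that is not from the original slides: it lists the static files in a web root whose hash still appears in a known-hash list, and shows that a trailing CSS comment removes a file from that list. The function names, the list format (one `<md5>  <label>` per line) and the sample site built in `demo` are constructed.

```shell
#!/bin/sh
# Added example: which static files still match a known-hash list?
# Hash list format ("<md5>  <label>" per line) is an assumption.

md5_of() {
    # md5sum on GNU/Linux, md5 -q on FreeBSD
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Print every .css/.js file under $1 whose MD5 appears in list $2.
still_fingerprintable() {
    root=$1; db=$2
    find "$root" -type f \( -name '*.css' -o -name '*.js' \) | sort |
    while IFS= read -r f; do
        h=$(md5_of "$f")
        if grep -q "^$h " "$db"; then
            echo "${f#"$root"/}"
        fi
    done
}

# Slide 53, step 1: change the file without changing how it renders.
# A trailing CSS comment is enough to give it a new hash.
perturb_css() {
    printf '\n/* %s */\n' "$2" >> "$1"
}

# Constructed sample: one stock file listed in the hash list, then changed.
demo() {
    d=$(mktemp -d)
    css="$d/site/wp-includes/css/admin-bar.css"
    mkdir -p "$d/site/wp-includes/css"
    printf '#wpadminbar{height:28px}\n' > "$css"
    printf '%s  admin-bar.css\n' "$(md5_of "$css")" > "$d/db"
    echo "before: $(still_fingerprintable "$d/site" "$d/db")"
    perturb_css "$css" "local build"
    echo "after: $(still_fingerprintable "$d/site" "$d/db")"   # slide 53, step 2
    rm -rf "$d"
}
```

WordPress core updates replace these files with stock copies, so the check is worth rerunning after each update.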
