PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

PRADS PASSIVE REAL-TIME ASSET DETECTION SYSTEM Edward Fjellskål & Kacper Wysocki PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Who are we? Edward Fjellskål Kacper Wysocki  Redpill Linpro (4 years)  Redpill Linpro (1 year)  First computer in 1983  Born 31337  Siv.Ing IKT  B.A. Comp. Sci  Linux and security since 98  Norman Anti-Virus  Network Security Monotoring  Forensics  Kernelpatching '01  Pen testing  Packet sniffing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

What is PRADS? Detection via:  Hosts - ARP and IP  Services - UDP and TCP  OS - IP(TCP/UDP/ICMP)  MAC - ARP PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Why PRADS  Existing open source tools do similar things but  Want to combine data to do a fast assesment  Designed for big networks and high bandwidth  Automatically create host attribute table for Snort  Exciting and educational PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Ways to use PRADS Overview over  Machines (IP)  Operating Systems and patch levels (Windows/Linux/Solaris/Mac/*BSD...)  Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...)  Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Ways to use PRADS ... so one can:  Automate monitoring of a network in constant change.  Improve protection of your network with IDS/IPS.  Policy & Compliance  Know your assets at any given time. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP fingerprinting?  TCP used for (almost) everything.  Nothing new here (nmap, p0f, SinPF, netfilter!, pf)  Nmap is active. (p0f can too!)  Active scanning is not always acceptable.  P0f – a proof of concept  Fingerprint fuzzing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth  Transmission Control Protocol: Crash course TCP is reliable communication of data streams. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth A typical TCP connection: 3-way handshake 1) Client sends SYN "Hello, I want to talk to you" 2) Server sends SYN+ACK "Hi, ok I'm listening" 3) Client sends ACK Communication is established. Interesting fields already in first packet! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth  Signatures: known patterns Guess the OS on the basis of packet fields WindowSize : TTL : DontFrag : SYNsize : Options : Quirks  Fingerprints: describe packets – Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth Interesting fields in 1st packet  Window Size  Reserved field  TCP Flags  TCP Options Data?  PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth  Signatures: known patterns WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+ 65535:64:1:48:M1460,S:.:FreeBSD:7.0  Fingerprints: describe packets [5672:64:0:60:M1430,S,T,N,W6:A] (Google bot)  Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth  TCP Options: WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++  Read the RFCs  Quirks – weird things some OS's do Z: no ID, I: IP opts, U: URG flag, X: reserved, A: ACK flag, F: other flags, D: data in SYN packet, T: extra timestamp, P: options after EOL PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

UDP/ICMP fingerprinting  Not 100%, only used as indication  Easy to implement compared to IP/TCP FP  Good alternative if can't use TCP for some reason PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

ARP Fingerprinting/Detection  Catch ARP Request/Reply  Registrer MAC and IP  Look up MAC vendor who made the NIC? PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Detection: Clients and Services  Look for signatures in traffic flow  Expensive to look at each byte of each packet  Signature is usually at start of connection (think magic numbers)  Signatures can be manipulated. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

DEMO PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

PRADS – future work  More detection methods – (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...)  even better optimizations (OpenCL, SIMD etc)  GUI / network mapping  Policy & Compliance  Alarms  CVE  OSSIM integration PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Thank you for your time  edward@redpill-linpro.com  kwy@redpill-linpro.com  http://gamelinux.github.com/prads/ Questions? Yes please! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

by huayrass

Accessibility

Categories

Upload Details

Usage Rights

Statistics

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy Presentation Transcript