Your SlideShare is downloading. ×
  • Like
  • Save
PRADS presentation (English) @ University of Oslo by Ebf0 and kwy
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Now you can save presentations on your phone or tablet

Available for both IPhone and Android

Text the download link to your phone

Standard text messaging rates apply

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

  • 929 views
Published

Presentation of PRADS: the "Passive Realtime Asset Detection System" given to student at Dagen@IFI at UiO. Rights reserved to kwy and Ebf0.

Presentation of PRADS: the "Passive Realtime Asset Detection System" given to student at Dagen@IFI at UiO. Rights reserved to kwy and Ebf0.

Published in Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
929
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. PRADS PASSIVE REAL-TIME ASSET DETECTION SYSTEM Edward Fjellskål & Kacper Wysocki PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 2. Who are we? Edward Fjellskål Kacper Wysocki  Redpill Linpro (4 years)  Redpill Linpro (1 year)  First computer in 1983  Born 31337  Siv.Ing IKT  B.A. Comp. Sci  Linux and security since 98  Norman Anti-Virus  Network Security Monotoring  Forensics  Kernelpatching '01  Pen testing  Packet sniffing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 3. What is PRADS? Detection via:  Hosts - ARP and IP  Services - UDP and TCP  OS - IP(TCP/UDP/ICMP)  MAC - ARP PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 4. Why PRADS  Existing open source tools do similar things but  Want to combine data to do a fast assesment  Designed for big networks and high bandwidth  Automatically create host attribute table for Snort  Exciting and educational PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 5. Ways to use PRADS Overview over  Machines (IP)  Operating Systems and patch levels (Windows/Linux/Solaris/Mac/*BSD...)  Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...)  Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 6. Ways to use PRADS ... so one can:  Automate monitoring of a network in constant change.  Improve protection of your network with IDS/IPS.  Policy & Compliance  Know your assets at any given time. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 7. TCP fingerprinting?  TCP used for (almost) everything.  Nothing new here (nmap, p0f, SinPF, netfilter!, pf)  Nmap is active. (p0f can too!)  Active scanning is not always acceptable.  P0f – a proof of concept  Fingerprint fuzzing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 8. TCP Fingerprinting in depth  Transmission Control Protocol: Crash course TCP is reliable communication of data streams. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 9. TCP Fingerprinting in depth A typical TCP connection: 3-way handshake 1) Client sends SYN "Hello, I want to talk to you" 2) Server sends SYN+ACK "Hi, ok I'm listening" 3) Client sends ACK Communication is established. Interesting fields already in first packet! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 10. TCP Fingerprinting in depth  Signatures: known patterns Guess the OS on the basis of packet fields WindowSize : TTL : DontFrag : SYNsize : Options : Quirks  Fingerprints: describe packets – Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 11. TCP Fingerprinting in depth Interesting fields in 1st packet  Window Size  Reserved field  TCP Flags  TCP Options Data?  PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 12. TCP Fingerprinting in depth  Signatures: known patterns WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+ 65535:64:1:48:M1460,S:.:FreeBSD:7.0  Fingerprints: describe packets [5672:64:0:60:M1430,S,T,N,W6:A] (Google bot)  Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 13. TCP Fingerprinting in depth PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 14. TCP Fingerprinting in depth  TCP Options: WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++  Read the RFCs  Quirks – weird things some OS's do Z: no ID, I: IP opts, U: URG flag, X: reserved, A: ACK flag, F: other flags, D: data in SYN packet, T: extra timestamp, P: options after EOL PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 15. UDP/ICMP fingerprinting  Not 100%, only used as indication  Easy to implement compared to IP/TCP FP  Good alternative if can't use TCP for some reason PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 16. ARP Fingerprinting/Detection  Catch ARP Request/Reply  Registrer MAC and IP  Look up MAC vendor who made the NIC? PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 17. Detection: Clients and Services  Look for signatures in traffic flow  Expensive to look at each byte of each packet  Signature is usually at start of connection (think magic numbers)  Signatures can be manipulated. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 18. DEMO PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 19. PRADS – future work  More detection methods – (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...)  even better optimizations (OpenCL, SIMD etc)  GUI / network mapping  Policy & Compliance  Alarms  CVE  OSSIM integration PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  • 20. Thank you for your time  edward@redpill-linpro.com  kwy@redpill-linpro.com  http://gamelinux.github.com/prads/ Questions? Yes please! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING