PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

•

2 likes•962 views

Presentation of PRADS: the "Passive Realtime Asset Detection System" given to student at Dagen@IFI at UiO. Rights reserved to kwy and Ebf0.

Technology

PRADS
PASSIVE REAL-TIME ASSET DETECTION SYSTEM

Edward Fjellskål & Kacper Wysocki

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Who are we?
Edward Fjellskål Kacper Wysocki
 Redpill Linpro (4 years)
 Redpill Linpro (1 year)
 First computer in 1983
 Born 31337
 Siv.Ing IKT
 B.A. Comp. Sci
 Linux and security since 98
 Norman Anti-Virus
 Network Security Monotoring

 Forensics  Kernelpatching '01

 Pen testing  Packet sniffing

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

What is PRADS?
Detection via:

 Hosts - ARP and IP

 Services - UDP and TCP

 OS - IP(TCP/UDP/ICMP)

 MAC - ARP

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Why PRADS
 Existing open source tools do similar things but

 Want to combine data to do a fast assesment

 Designed for big networks and high bandwidth

 Automatically create host attribute table for Snort

 Exciting and educational

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Ways to use PRADS
Overview over

 Machines (IP)

 Operating Systems and patch levels
(Windows/Linux/Solaris/Mac/*BSD...)

 Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...)

 Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...)

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Ways to use PRADS
... so one can:

 Automate monitoring of a network in constant change.

 Improve protection of your network with IDS/IPS.

 Policy & Compliance

 Know your assets at any given time.

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP fingerprinting?
 TCP used for (almost) everything.

 Nothing new here (nmap, p0f, SinPF, netfilter!, pf)

 Nmap is active. (p0f can too!)

 Active scanning is not always acceptable.

 P0f – a proof of concept

 Fingerprint fuzzing

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth
 Transmission Control Protocol: Crash course

TCP is reliable communication of data streams.

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth

A typical TCP connection: 3-way handshake

1) Client sends SYN

"Hello, I want to talk to you"
2) Server sends SYN+ACK

"Hi, ok I'm listening"
3) Client sends ACK

Communication is established.
Interesting fields already in first packet!

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth
 Signatures: known patterns

Guess the OS on the basis of packet fields

WindowSize : TTL : DontFrag : SYNsize : Options : Quirks

 Fingerprints: describe packets

– Fingerprints match one or more signatures

sig and fp are concise, not readable :-)

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth
Interesting fields in 1st packet


Window Size

Reserved field

TCP Flags

TCP Options

Data?


PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth
 Signatures: known patterns

WindowSize : TTL : DontFrag : SYNsize : Options : Quirks

S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6

S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+

65535:64:1:48:M1460,S:.:FreeBSD:7.0

 Fingerprints: describe packets

[5672:64:0:60:M1430,S,T,N,W6:A] (Google bot)

 Fingerprints match one or more signatures

sig and fp are concise, not readable :-)

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

TCP Fingerprinting in depth
 TCP Options:

WindowSize : TTL : DontFrag : SYNsize : Options : Quirks

S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6

MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++


Read the RFCs
 Quirks – weird things some OS's do

Z: no ID, I: IP opts, U: URG flag, X: reserved,

A: ACK flag, F: other flags, D: data in SYN packet,

T: extra timestamp, P: options after EOL

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

UDP/ICMP fingerprinting
 Not 100%, only used as indication

 Easy to implement compared to IP/TCP FP

 Good alternative if can't use TCP for some reason

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

ARP Fingerprinting/Detection
 Catch ARP Request/Reply

 Registrer MAC and IP

 Look up MAC vendor

who made the NIC?

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Detection: Clients and Services
 Look for signatures in traffic flow

 Expensive to look at each byte of each packet

 Signature is usually at start of connection (think
magic numbers)

 Signatures can be manipulated.

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

DEMO

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

PRADS – future work
 More detection methods

– (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...)

 even better optimizations (OpenCL, SIMD etc)

 GUI / network mapping

 Policy & Compliance

 Alarms

 CVE

 OSSIM integration

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Thank you for your time
 edward@redpill-linpro.com

 kwy@redpill-linpro.com

 http://gamelinux.github.com/prads/

Questions? Yes please!

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

Similar to PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

2018 FRSecure CISSP Mentor Program- Session 7

FRSecure

Sculpturing SIP World

Daniel-Constantin Mierla

Splunk App for Stream

Splunk

This presentation will demonstrate our recent progress in developing advanced computer vision algorithms using embedded platforms for video-based face recognition, vehicle attribute analysis, urban management event detection, and high-density crowd counting. These algorithms combine the traditional CV approach with recent advances in deep learning to make high-performance computer vision systems practical and enable products in several vertical markets including intelligent transportation systems (ITS), business intelligence (BI), and smart video surveillance. We will demonstrate algorithm design and optimization scheme for several recently available processors from Movidius, Nvidia, and ARM.

Hai Tao at AI Frontiers: Deep Learning For Embedded Vision System

AI Frontiers

network-management Web base.ppt

AssadLeo1

Packet analysis using wireshark

Basaveswar Kureti

2020 FRSecure CISSP Mentor Program - Class 7

FRSecure

Slide Deck – Session 9 – FRSecure CISSP

FRSecure

The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats. https://www.infosectrain.com/courses/soc-analyst-expert-training/

Soc analyst course content v3

ShivamSharma909

Soc analyst course content

ShivamSharma909

In my topic I’ll share my experience in analysis of most popular open and vendor’s specific proprietary industrial protocols. For each protocol I will present packet structure, real examples, (in)secure features and possible hacks. At the end of the topic I’ll share my practial approach, methodology and useful scripts. During the presentation we will talk about: Well-known protocols: Profinet, Modbus, DNP3 IEC 61850-8-1 (MMS) IEC 61870-5-101/104 FTE (Fault Tolerant Ethernet) Siemens S7

CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security...

PROIDEA

SCADA deep inside: protocols and security mechanisms

Aleksandr Timorin

Today’s networks are waging a ceaseless battle against an army of ingenious and fast-evolving advanced threats. Companies must be well-provisioned to deploy a quick, decisive and network-wide response to attacks. Protecting the network demands robust monitoring that is actually built into the network architecture. Learn how to build scalable network protection and improve overall security and performance of network. Blind spots are commonly caused by these common issues: lack of SPAN ports, dropped and duplicated packets, oversubscribed security and performance tools, unseen inter-VM traffic and more. Ixia developed a highly scalable Visibility Architecture that helps eliminate those blind spots while providing resilience and control without complexity. Ixia's new Visibility Architecture, is founded on a comprehensive product portfolio which includes: - Network TAPs (aggregation, regeneration, 1/10/40/100G) - Bypass Switches (for inline security deployments, 1/10/40G) - Network Packet Brokers (intelligent filtering, load-balancing, de-duplication, matrix switching) - Virtual TAPs (for full Virtual Network visibility) Join NPC and Ixia to learn how Visibility Architecture helps speed application delivery and enables effective troubleshooting and monitoring for network security, application performance, and service level agreement (SLA) fulfilment — and allows IT to meet compliance mandates.

A new perspective on Network Visibility - RISK 2015

Network Performance Channel GmbH

Chinmay Padhye

chinmaypadhye1985

Cumulus networks - Overcoming traditional network limitations with open source

Nat Morris

Minimizing Information Transparency

Usman Arshad

Divyanjali Resume

divyanjali joshi

COPY THIS LINK INTO YOUR BROWSER FOR MORE INFORMATION: bit.ly/1t9t5VE Data communication is given high priority in today’s industrial environment. This workshop is designed to be hands-on, providing the participants with essential knowledge and helping them to understand and troubleshoot systems. This is a comprehensive two-day hands-on workshop that covers practical aspects of data communication such as serial communications, Ethernet networking, TCP/IP, Modbus, wireless communications and security. This workshop is for enthusiastic engineers and technicians who wish to develop and enhance their practical knowledge in the field of data communications and networking. It will help them to understand the concepts behind data transmission, the various protocols involved, and the topologies that govern data exchange among various systems in industry. It will also equip them with the skills and tools to design and/or maintain these systems on an ongoing basis. WHO SHOULD ATTEND? This workshop is designed for personnel with a need to understand the techniques required to use and apply industrial communications technology as productively and economically as possible. This includes engineers and technicians involved with: Consulting Control and instrumentation Control systems Design Electrical installations Instrumentation Maintenance supervisors Process control Process development Project management SCADA and telemetry systems COPY THIS LINK INTO YOUR BROWSER FOR MORE INFORMATION: bit.ly/1t9t5VE

Hands on Data Communication, Networking & TCP/IP Troubleshooting

Living Online

tutorialsruby

Recently uploaded

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Six Myths about Ontologies: The Basics of Formal Ontology

johnbeverley2021

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Elevate Developer Efficiency & build GenAI Application with Amazon Q

Bhuvaneswari Subramani

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Retrieval augmented generation (RAG) is the most popular style of large language model application to emerge from 2023. The most basic style of RAG works by vectorizing your data and injecting it into a vector database like Milvus for retrieval to augment the text output generated by an LLM. This is just the beginning. One of the ways that we can extend RAG, and extend AI, is through multilingual use cases. Typical RAG is done in English using embedding models that are trained in English. In this talk, we’ll explore how RAG could work in languages other than English. We’ll explore French, Chinese, and Polish.

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Zilliz

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf

FWD Group - Insurer Innovation Award 2024

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

WSO2's API Vision: Unifying Control, Empowering Developers

AWS Community Day CPH - Three problems of Terraform

Six Myths about Ontologies: The Basics of Formal Ontology

Strategies for Landing an Oracle DBA Job as a Fresher

How to Troubleshoot Apps for the Modern Connected Worker

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

Artificial Intelligence Chap.5 : Uncertainty

Elevate Developer Efficiency & build GenAI Application with Amazon Q

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

presentation ICT roal in 21st century education

Introduction to Multilingual Retrieval Augmented Generation (RAG)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Corporate and higher education May webinar.pptx

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Why Teams call analytics are critical to your entire business

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

1. PRADS PASSIVE REAL-TIME ASSET DETECTION SYSTEM Edward Fjellskål & Kacper Wysocki PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

2. Who are we? Edward Fjellskål Kacper Wysocki  Redpill Linpro (4 years)  Redpill Linpro (1 year)  First computer in 1983  Born 31337  Siv.Ing IKT  B.A. Comp. Sci  Linux and security since 98  Norman Anti-Virus  Network Security Monotoring  Forensics  Kernelpatching '01  Pen testing  Packet sniffing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

3. What is PRADS? Detection via:  Hosts - ARP and IP  Services - UDP and TCP  OS - IP(TCP/UDP/ICMP)  MAC - ARP PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

4. Why PRADS  Existing open source tools do similar things but  Want to combine data to do a fast assesment  Designed for big networks and high bandwidth  Automatically create host attribute table for Snort  Exciting and educational PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

5. Ways to use PRADS Overview over  Machines (IP)  Operating Systems and patch levels (Windows/Linux/Solaris/Mac/*BSD...)  Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...)  Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

6. Ways to use PRADS ... so one can:  Automate monitoring of a network in constant change.  Improve protection of your network with IDS/IPS.  Policy & Compliance  Know your assets at any given time. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

7. TCP fingerprinting?  TCP used for (almost) everything.  Nothing new here (nmap, p0f, SinPF, netfilter!, pf)  Nmap is active. (p0f can too!)  Active scanning is not always acceptable.  P0f – a proof of concept  Fingerprint fuzzing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

8. TCP Fingerprinting in depth  Transmission Control Protocol: Crash course TCP is reliable communication of data streams. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

9. TCP Fingerprinting in depth A typical TCP connection: 3-way handshake 1) Client sends SYN "Hello, I want to talk to you" 2) Server sends SYN+ACK "Hi, ok I'm listening" 3) Client sends ACK Communication is established. Interesting fields already in first packet! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

10. TCP Fingerprinting in depth  Signatures: known patterns Guess the OS on the basis of packet fields WindowSize : TTL : DontFrag : SYNsize : Options : Quirks  Fingerprints: describe packets – Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

11. TCP Fingerprinting in depth Interesting fields in 1st packet  Window Size  Reserved field  TCP Flags  TCP Options Data?  PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

12. TCP Fingerprinting in depth  Signatures: known patterns WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+ 65535:64:1:48:M1460,S:.:FreeBSD:7.0  Fingerprints: describe packets [5672:64:0:60:M1430,S,T,N,W6:A] (Google bot)  Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

13. TCP Fingerprinting in depth PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

14. TCP Fingerprinting in depth  TCP Options: WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++  Read the RFCs  Quirks – weird things some OS's do Z: no ID, I: IP opts, U: URG flag, X: reserved, A: ACK flag, F: other flags, D: data in SYN packet, T: extra timestamp, P: options after EOL PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

15. UDP/ICMP fingerprinting  Not 100%, only used as indication  Easy to implement compared to IP/TCP FP  Good alternative if can't use TCP for some reason PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

16.

17. ARP Fingerprinting/Detection  Catch ARP Request/Reply  Registrer MAC and IP  Look up MAC vendor who made the NIC? PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

18. Detection: Clients and Services  Look for signatures in traffic flow  Expensive to look at each byte of each packet  Signature is usually at start of connection (think magic numbers)  Signatures can be manipulated. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

19. DEMO PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

20. PRADS – future work  More detection methods – (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...)  even better optimizations (OpenCL, SIMD etc)  GUI / network mapping  Policy & Compliance  Alarms  CVE  OSSIM integration PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

21. Thank you for your time  edward@redpill-linpro.com  kwy@redpill-linpro.com  http://gamelinux.github.com/prads/ Questions? Yes please! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

Recommended

Recommended

More Related Content

Similar to PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

Similar to PRADS presentation (English) @ University of Oslo by Ebf0 and kwy (20)

Recently uploaded

Recently uploaded (20)

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy