PRADS
   PASSIVE REAL-TIME ASSET DETECTION SYSTEM




                        Edward Fjellskål & Kacper Wysocki


PRODUCTS...
Who are we?
Edward Fjellskål                                Kacper Wysocki
   Redpill Linpro (4 years)
                  ...
What is PRADS?
Detection via:

   Hosts - ARP and IP

   Services - UDP and TCP

   OS - IP(TCP/UDP/ICMP)

   MAC - AR...
Why PRADS
   Existing open source tools do similar things but

   Want to combine data to do a fast assesment

   Desig...
Ways to use PRADS
Overview over

   Machines (IP)

   Operating Systems and patch levels
    (Windows/Linux/Solaris/Mac/...
Ways to use PRADS
... so one can:

   Automate monitoring of a network in constant change.

   Improve protection of you...
TCP fingerprinting?
   TCP used for (almost) everything.

   Nothing new here (nmap, p0f, SinPF, netfilter!, pf)

   Nm...
TCP Fingerprinting in depth
   Transmission Control Protocol: Crash course

TCP is reliable communication of data streams...
TCP Fingerprinting in depth

A typical TCP connection: 3-way handshake

      1) Client sends SYN

            "Hello, I w...
TCP Fingerprinting in depth
   Signatures: known patterns

Guess the OS on the basis of packet fields

WindowSize : TTL :...
TCP Fingerprinting in depth
     Interesting fields in 1st packet





 Window Size

 Reserved field

 TCP Flags

 TCP...
TCP Fingerprinting in depth
   Signatures: known patterns

WindowSize : TTL : DontFrag : SYNsize : Options : Quirks

S4 :...
TCP Fingerprinting in depth




PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
TCP Fingerprinting in depth
   TCP Options:

WindowSize : TTL : DontFrag : SYNsize : Options : Quirks

 S4 : 64 : 1 : 60 ...
UDP/ICMP fingerprinting
   Not 100%, only used as indication

   Easy to implement compared to IP/TCP FP

   Good alter...
ARP Fingerprinting/Detection
   Catch ARP Request/Reply

   Registrer MAC and IP

   Look up MAC vendor

      who made...
Detection: Clients and Services
   Look for signatures in traffic flow

   Expensive to look at each byte of each packet...
DEMO




PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
PRADS – future work
   More detection methods

       –   (DNS / DHCP / SNMP / retransmission timings / phase plane analy...
Thank you for your time
   edward@redpill-linpro.com

   kwy@redpill-linpro.com

   http://gamelinux.github.com/prads/
...
PRADS presentation (English) @ University of Oslo by Ebf0 and kwy
Upcoming SlideShare
Loading in …5
×

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

1,304 views

Published on

Presentation of PRADS: the "Passive Realtime Asset Detection System" given to student at Dagen@IFI at UiO. Rights reserved to kwy and Ebf0.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,304
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

PRADS presentation (English) @ University of Oslo by Ebf0 and kwy

  1. 1. PRADS PASSIVE REAL-TIME ASSET DETECTION SYSTEM Edward Fjellskål & Kacper Wysocki PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  2. 2. Who are we? Edward Fjellskål Kacper Wysocki  Redpill Linpro (4 years)  Redpill Linpro (1 year)  First computer in 1983  Born 31337  Siv.Ing IKT  B.A. Comp. Sci  Linux and security since 98  Norman Anti-Virus  Network Security Monotoring  Forensics  Kernelpatching '01  Pen testing  Packet sniffing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  3. 3. What is PRADS? Detection via:  Hosts - ARP and IP  Services - UDP and TCP  OS - IP(TCP/UDP/ICMP)  MAC - ARP PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  4. 4. Why PRADS  Existing open source tools do similar things but  Want to combine data to do a fast assesment  Designed for big networks and high bandwidth  Automatically create host attribute table for Snort  Exciting and educational PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  5. 5. Ways to use PRADS Overview over  Machines (IP)  Operating Systems and patch levels (Windows/Linux/Solaris/Mac/*BSD...)  Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...)  Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  6. 6. Ways to use PRADS ... so one can:  Automate monitoring of a network in constant change.  Improve protection of your network with IDS/IPS.  Policy & Compliance  Know your assets at any given time. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  7. 7. TCP fingerprinting?  TCP used for (almost) everything.  Nothing new here (nmap, p0f, SinPF, netfilter!, pf)  Nmap is active. (p0f can too!)  Active scanning is not always acceptable.  P0f – a proof of concept  Fingerprint fuzzing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  8. 8. TCP Fingerprinting in depth  Transmission Control Protocol: Crash course TCP is reliable communication of data streams. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  9. 9. TCP Fingerprinting in depth A typical TCP connection: 3-way handshake 1) Client sends SYN "Hello, I want to talk to you" 2) Server sends SYN+ACK "Hi, ok I'm listening" 3) Client sends ACK Communication is established. Interesting fields already in first packet! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  10. 10. TCP Fingerprinting in depth  Signatures: known patterns Guess the OS on the basis of packet fields WindowSize : TTL : DontFrag : SYNsize : Options : Quirks  Fingerprints: describe packets – Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  11. 11. TCP Fingerprinting in depth Interesting fields in 1st packet  Window Size  Reserved field  TCP Flags  TCP Options Data?  PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  12. 12. TCP Fingerprinting in depth  Signatures: known patterns WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+ 65535:64:1:48:M1460,S:.:FreeBSD:7.0  Fingerprints: describe packets [5672:64:0:60:M1430,S,T,N,W6:A] (Google bot)  Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  13. 13. TCP Fingerprinting in depth PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  14. 14. TCP Fingerprinting in depth  TCP Options: WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++  Read the RFCs  Quirks – weird things some OS's do Z: no ID, I: IP opts, U: URG flag, X: reserved, A: ACK flag, F: other flags, D: data in SYN packet, T: extra timestamp, P: options after EOL PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  15. 15. UDP/ICMP fingerprinting  Not 100%, only used as indication  Easy to implement compared to IP/TCP FP  Good alternative if can't use TCP for some reason PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  16. 16. ARP Fingerprinting/Detection  Catch ARP Request/Reply  Registrer MAC and IP  Look up MAC vendor who made the NIC? PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  17. 17. Detection: Clients and Services  Look for signatures in traffic flow  Expensive to look at each byte of each packet  Signature is usually at start of connection (think magic numbers)  Signatures can be manipulated. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  18. 18. DEMO PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  19. 19. PRADS – future work  More detection methods – (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...)  even better optimizations (OpenCL, SIMD etc)  GUI / network mapping  Policy & Compliance  Alarms  CVE  OSSIM integration PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
  20. 20. Thank you for your time  edward@redpill-linpro.com  kwy@redpill-linpro.com  http://gamelinux.github.com/prads/ Questions? Yes please! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

×