Using system fingerprints to track attackers
Using system fingerprints to track attackers.
Talk at B-Sides SF 2014 by Lance Cottrell
Leveraging known weaknesses in current anonymity tools to identify who is using such tools, and in some cases to identify the users themselves.

Speaker notes
  • Because most attackers are smart enough not to use their own home IP address.
  • When you look at any attacker activity, you can see the immediate source.
  • That source is likely a relay or an innocent compromised bystander.
  • You identify the visible attacker, then track who connected there, then who connected there, and who …
  • Imagine what you could do if you knew with certainty which of your visitors was doing so anonymously.
  • Even better, what if you could actually identify them?
  • There are a number of tools attackers will use to hide their identity.
  • The question is, how can you identify and recognize the people using these tools?
  • Overtly anonymous activity: the addresses of public privacy services are easily discovered.
  • If the machine visiting you has server characteristics, or proxy or VPN ports, it is almost certainly a relay.
  • It is easy to see that an IP address belongs to a data center rather than a consumer ISP; that is likely a relay. Bulletproof hosting providers are even more likely to be dubious.
  • The speed of light and causality are unavoidable: using relays will have measurable impacts on timing. A VM on the relay is harder to detect.
  • A DNS mismatch indicates an effort to hide. Use wildcard DNS and unique dynamic hostnames to detect this.
  • Now let's move from recognizing that someone is being anonymous to trying to identify who they actually are.
  • Often only the browser is hidden. Side doors may exit more directly: Flash, ActiveX, media players, apps.
  • Human error is your best friend. Few if any have the needed discipline.
  • Conventional cookies, super cookies and Flash cookies, yours and others'. Browser history cookies. Third-party trackers and identifiers. Look for teleportation; good for forensics.
  • A known fingerprint from other activity is hard to change. Odd, unusual or impossible fingerprints suggest fakes.
  • Attacker use of a VM can be very effective, but there are still some telltale indicators.
  • Ross Ulbricht: forged IDs were sent to his house; the account "altoid" was linked to his Silk Road blog in some posts and to his real-name email in others; he used characteristic language and rant topics.
  • Taking the next step, you may want to go on the "offensive", which will require you to use anonymity yourself.
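The wildcard-DNS check from the notes above, as an added example that is not part of the talk: each visitor is handed a unique hostname under a zone you control, and the address that later resolves that name is compared with the address that fetches it over HTTP. The zone name, the GeoIP table and the log records are constructed placeholders.

```python
# Added example (not from the talk): detect a proxied visitor by joining the HTTP
# fetch of a per-visitor hostname with the DNS query that resolved it. Assumes a
# wildcard zone we control (placeholder probe.example.com) plus web and DNS logs.
import secrets
from typing import Dict, List, Optional

ZONE = "probe.example.com"   # placeholder wildcard zone: every label resolves
# Constructed stand-in for a GeoIP lookup (RFC 5737 documentation addresses).
GEO: Dict[str, str] = {
    "203.0.113.10": "US",    # web proxy the visitor fetched through
    "198.51.100.7": "NG",    # the visitor's own resolver, far from the proxy
    "192.0.2.55": "US",      # a direct visitor
    "192.0.2.56": "US",      # that visitor's ISP resolver
}

def new_probe_hostname() -> str:
    """Mint a unique hostname per page view; the random label is the join key."""
    return f"{secrets.token_hex(8)}.{ZONE}"

def token_of(hostname: str) -> Optional[str]:
    """Pull the per-visitor label back out of a queried or fetched name."""
    host = hostname.lower().rstrip(".")
    if not host.endswith("." + ZONE):
        return None
    return host[: -len(ZONE) - 1].split(".")[-1]

def find_mismatches(http_log: List[dict], dns_log: List[dict]) -> List[dict]:
    """Flag labels whose HTTP client and DNS resolver sit in different countries."""
    resolver_for: Dict[str, str] = {}
    for q in dns_log:            # first resolver to ask for the label wins
        tok = token_of(q["qname"])
        if tok:
            resolver_for.setdefault(tok, q["resolver_ip"])
    flagged = []
    for hit in http_log:
        tok = token_of(hit["host"])
        if tok is None or tok not in resolver_for:
            continue             # not our zone, or never resolved through DNS
        c_cc, r_cc = GEO.get(hit["client_ip"], "??"), GEO.get(resolver_for[tok], "??")
        if c_cc != r_cc:
            flagged.append({"token": tok, "client_ip": hit["client_ip"], "client_cc": c_cc,
                            "resolver_ip": resolver_for[tok], "resolver_cc": r_cc})
    return flagged

# Constructed logs: "aa11" was fetched via a US proxy but resolved from Nigeria.
DNS_LOG = [{"qname": "aa11.probe.example.com.", "resolver_ip": "198.51.100.7"},
           {"qname": "bb22.probe.example.com.", "resolver_ip": "192.0.2.56"}]
HTTP_LOG = [{"host": "aa11.probe.example.com", "client_ip": "203.0.113.10"},
            {"host": "bb22.probe.example.com", "client_ip": "192.0.2.55"}]
```

Country is a coarse signal: direct visitors using a public recursive resolver will also mismatch, so comparing ASN or adding a distance threshold cuts false positives. The check only fires when the visitor's DNS path is not proxied along with the HTTP path, which is the leak the notes describe.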

Transcript

  • 1. Using system fingerprints to track attackers. Lance Cottrell, Ntrepid/Anonymizer. ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.
  • 2. When You Are Under Attack, you may ask: Who was that masked man?
  • 3. As a Defender, You See... IP: 37.123.118.67; Lat / Long: +54 / -2; Country: UK; Ping: 110ms; ISP: as13213.net (AKA UK2.net), server hosting; Open Ports: SSH, HTTP
  • 4. Is THIS Really the Attacker?
  • 5. Which is the "Real" Attacker? It's Turtles All the Way Down
  • 6. What If You Could Spot People Hiding? Block web access; redirect to honeypot; add firewall rule; deny credit card; flag in logs.
  • 7. What If You Could Identify Your Attacker?
  • 8. How Do They Hide? Proxies; VPNs; chained VPNs / Tor; botnets / compromised hosts; tradecraft.
  • 9. How Can You Spot Them?
  • 10. Known Anonymous IP
  • 11. Anon IPs are well known
  • 12. Open Proxy / Ports
  • 13. Obviously not a home PC: HTTP, X11, FTP, SSH
  • 14. Non-Consumer IP
  • 15. Identifying non-consumer IP. Backbone / hosting hops:
        9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
        10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms
      vs. consumer hops:
        13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
        14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
  • 16. Latency vs. Ping Time: HTTP / JavaScript, DHCP, Ping
  • 17. DNS Mismatch: HTTP from Chicago, DNS from Nigeria
  • 18. Identify the Attacker
  • 19. Identity Leakage: embedded media; apps bypass proxy / VPN; phone home.
  • 20. Fortunately (for you), Good OPSEC is Hard: tools can be slow and cumbersome; may go direct for "innocent" activity / reconnaissance; may forget to use it; accidentally cross the streams of personas; correlate attacker print with all previous activity.
  • 21. Cookies and Bugs
  • 22. Browser Fingerprints
  • 23. Fingerprint Entropy (bits): 12.3 - User Agent; 5.4 - HTTP_ACCEPT Headers; 21.9+ - Browser Plugin Details; 5.0 - Time Zone; 7.5 - Screen Size and Color Depth; 21.9 - System Fonts; 0.4 - Cookie Test; 0.9 - Super Cookie Test
  • 24. Attacker Use of Virtualization. Advantages / disadvantages: Easy to clean; Cloned each time; No cookies or super-cookies; Too clean or outdated cruft; Detection as VM requires local execution; Can be detected as VM.
  • 25. Dread Pirate Roberts
  • 26. Why Should YOU be Stealthy: Lurk in IRC and forums; discover plans; learn techniques; hide your interest & activity; bait honeypots; drop false leads and links. Government has other, more aggressive options.
  • 27. Thanks. Contact me at: Email: lance.cottrell@ntrepidcorp.com; Commercial / Gov: http://ntrepidcorp.com; Consumer: http://anonymizer.com; Blog: http://theprivacyblog.com; Twitter: @LanceCottrell; LinkedIn: http://linkedin.com/in/LanceCottrell
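The per-attribute figures on slide 23 are bits of Shannon entropy measured over a large population of browsers. The following added example (not from the talk) computes the same quantity over a small constructed panel, together with the surprisal of one visitor's combined fingerprint and a uniqueness check; the panel, attribute names and values are all constructed.

```python
# Added example (not from the talk): where per-attribute "fingerprint entropy"
# figures like those on slide 23 come from. Shannon entropy H = -sum p*log2(p)
# over a panel of observed values; a visitor's surprisal -log2(p) is the number
# of bits their value contributes to singling them out. Panel is constructed.
import math
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Fingerprint = Dict[str, str]
ATTRS = ("ua", "tz", "fonts")

# Constructed panel: one dict per observed visitor (real panels are huge).
PANEL: List[Fingerprint] = [
    {"ua": "Chrome/Win", "tz": "-300", "fonts": "Arial;Calibri;Segoe UI"},
    {"ua": "Chrome/Win", "tz": "-300", "fonts": "Arial;Calibri;Segoe UI"},
    {"ua": "Chrome/Win", "tz": "-480", "fonts": "Arial;Calibri;Segoe UI"},
    {"ua": "Firefox/Win", "tz": "-300", "fonts": "Arial;Calibri;Segoe UI;DejaVu"},
    {"ua": "Safari/Mac", "tz": "-480", "fonts": "Helvetica;Menlo;Avenir"},
    {"ua": "Safari/Mac", "tz": "-480", "fonts": "Helvetica;Menlo;Avenir"},
    {"ua": "Chrome/Linux", "tz": "+60", "fonts": "DejaVu Sans;Liberation Sans"},
    {"ua": "Firefox/Linux", "tz": "+0", "fonts": "DejaVu Sans"},
]

def entropy_bits(values: Iterable) -> float:
    """Shannon entropy, in bits, of the empirical distribution of values."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def combined_key(fp: Fingerprint, attrs=ATTRS) -> Tuple[str, ...]:
    return tuple(fp[a] for a in attrs)

def attribute_entropy(panel: List[Fingerprint], attrs=ATTRS) -> Dict[str, float]:
    """Per-attribute bits, the slide-23 style table, plus the joint entropy."""
    table = {a: entropy_bits(fp[a] for fp in panel) for a in attrs}
    table["combined"] = entropy_bits(combined_key(fp, attrs) for fp in panel)
    return table

def surprisal_bits(panel: List[Fingerprint], fp: Fingerprint, attrs=ATTRS) -> float:
    """Bits revealed by this visitor's full fingerprint, -log2(p). A fingerprint
    never seen in the panel is treated as a singleton (at least as rare)."""
    counts = Counter(combined_key(x, attrs) for x in panel)
    p = max(counts.get(combined_key(fp, attrs), 0), 1) / len(panel)
    return -math.log2(p)

def is_unique(panel: List[Fingerprint], fp: Fingerprint, attrs=ATTRS) -> bool:
    """True when no other panel member shares this combined fingerprint."""
    key = combined_key(fp, attrs)
    return sum(1 for x in panel if combined_key(x, attrs) == key) <= 1
```

The joint entropy of the combined fingerprint exceeds that of any single attribute, which is why the slide's figures add up to far more than the bits needed to distinguish every browser on the Internet; a fingerprint that is too clean (the VM case on slide 24) stands out for the same reason.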