Anti-fingerprinting talk

Transcript

  • 1. The art of disguise: Anti-fingerprinting techniques. Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel
  • 2. Creative Commons License. The art of disguise - Anti-fingerprinting techniques by Daniel García García a.k.a. cr0hn is licensed under a Creative Commons Reconocimiento-NoComercial-SinObraDerivada 3.0 Unported License. Permissions beyond the scope of this license may be available at: dani@iniqua.com.
  • 3. Index
      1. FreeBSD: A brief introduction.
      2. How does fingerprinting work?
      3. How to defeat it?
  • 4. FreeBSD… A brief introduction
  • 5. 1 - FreeBSD: A brief introduction
      1. How to install it?
      2. How to manage the software?
      3. How to install programs?
      4. Main differences with GNU/Linux.
  • 6. How to install it? Simple… With a wizard
  • 7. Software management
      • What is a port system?
      • Why are ports a good idea?
      • How do ports work?
  • 8. Installing new software: Compiling…
  • 9. Installing new software: From binaries…
  • 10. Main differences with GNU/Linux
      • General config: FreeBSD: /etc/rc.conf | GNU/Linux: multiple config files and directories
      • Service start: FreeBSD: /etc/rc.d/ and /usr/local/etc/rc.d/ | GNU/Linux: /etc/init.d/
      • User directories: FreeBSD: /usr/home | GNU/Linux: /home
      • Kernel: FreeBSD: config of about 200 lines, many security features included | GNU/Linux: config file very complicated, extra features via patches
      • Compiling: FreeBSD: software can be compiled natively | GNU/Linux: only some distributions can do it, like Gentoo.
  • 11. Fingerprinting… How does it work?
  • 12. 2 – Fingerprinting: How does it work?
      1. Why hide your systems?
      2. Operating system level.
      3. Service level.
      4. Application level.
  • 13. Why hide your OS and services?
      1. To hide from known (and unknown!) exploits.
      2. Software versions that must remain unpatched.
      3. If somebody knows the OS you're running, they may also guess the applications that run on it.
      4. Privacy: nobody needs to know the systems you've got running.
  • 14. Fingerprinting: Risk demo
  • 15. Operating System level (mmm ... fish)
      • TTL: OpenBSD: 255; Linux/*BSD: 64; Windows: 128; AIX: 30
  • 16. Operating System level
      • Common TCP initial window size: *BSD: FFFF; OpenBSD: 4000; Linux: 16A0; Windows: 2000; AIX: 4470/FFFF
  • 17. Operating System level
      • IP ID sequence generation algorithm.
      • Invalid TCP flag combinations.
      • Answer to a closed port: RST, nothing, ICMP unreachable.
      • TCP send/receive window sizes.
      • Port ranges.
  • 18. Service level
      • Banners
  • 19. Application level
      • Session ID var (PHPSESSID/JSESSIONID).
      • Hidden/lost files.
      • Meta headers.
      • Var and method names.
  • 20. Application level. A practical example: Metadata.
  • 21. Application level. A practical example: Lost files.
  • 22. The fight… How to defeat it?
  • 23. 3 – Defeating fingerprinting
      • Kernel parameters
      • Changing banners
      • Modifying applications
  • 24. Kernel parameters. Disable (if you don't need them):
      • SCTP
      • IPv6
  • 25. Kernel parameters. In your /etc/sysctl.conf
  • 26. Service level. How to defeat it?
      • Changing configuration files
      • Changing the source code of the software
  • 27. How to make a patch. Steps to make a patch:
      1. Download the source code of the app you want to patch.
      2. Extract the code and create a copy of it.
      3. In your copy, make the changes you need.
      4. Run a diff to extract the changes.
      5. Save the changes into a patch-* file.
  • 28. How to make a patch: Nginx. Steps 1 and 2:
      1. Download the source code of Nginx.
      2. Create a copy of the source.
  • 29. How to make a patch: Nginx. Step 3:
      • Locate the file that contains the version information:
      • Change the file information:
  • 30. How to make a patch: Nginx. Steps 4 and 5:
      • Make a diff against the original file and save it into a patch.
  • 31. FreeBSD patching method. What does FreeBSD need to apply our patch?
      • Put your file into: /usr/ports/CATEGORY/PROG/files
      • Your patch must be named like: patch-ORIGINAL_FILE_NAME
      • Change the relative path in your patch:
  • 32. FreeBSD patching method. And now, how do we compile our patched software…?
  • 33. FreeBSD patching method. Even an idiot can do it!
  • 34. Service level. Learning with examples:
      • Nginx
      • OpenSSH
      • PureFTPd
      • Apache Tomcat
  • 35. Service level: Nginx. Where is the version information?
      • In nginx.h
  • 36. Service level: Nginx. The result: (callout: Yes! I use a public IP for my LAN)
  • 37. Service level: OpenSSH. Where is the version information?
      • In Makefile:
      • Or in version.h:
  • 38. Service level: OpenSSH. The result:
  • 39. Service level: PureFTPd. Where is the version information?
      • In pure-ftpwho.c
      • In altlog.c
      • In ftp_parser.c
      • In ftpd.c
  • 40. Service level: PureFTPd. The result:
  • 41. Service level: Tomcat. Where is the version information?
      • /usr/local/apache-tomcat-7.0/conf/server.xml
  • 42. Service level: Tomcat. The result:
  • 43. Service level: nmap. What does nmap think?
  • 44. Service level: fingerprinting database. Where can we find a database of fingerprints?
  • 45. Application level. Learning with examples… Testing WordPress
  • 46. Application level: WordPress. Hiding our WordPress information:
      1. WordPress version.
      2. WordPress plugin versions.
      3. Session ID.
      4. Custom error pages.
      5. Metadata info.
      6. Hash of static and common files.
  • 47. Application level: WordPress. Step 1: WordPress version.
  • 48. Application level: WordPress. Step 2: Plugin versions.
  • 49. Application level: WordPress. Steps 1 and 2: Hiding versions.
  • 50. Application level: WordPress. Step 3: Session ID var.
  • 51. Application level: WordPress. Step 3: Hiding the session ID var.
  • 52. Application level: WordPress. Step 4: Custom error pages… of IIS
  • 53. Application level: WordPress. Step 5: Metadata info.
  • 54. Application level: WordPress. Step 5: Hiding metadata info.
  • 55. Application level: WordPress. Step 6: Hash of static and common files.
      • Site.com/wp-includes/css/admin-bar.css:
      • Some programs have a database of hashes:
  • 56. Application level: WordPress. Step 6: Hiding common hashes:
      1. Modify our static files, like css:
      2. Check the new hash:
  • 57. Application level: WordPress. The result:
      • Plecost (http://www.iniqua.com/labs/plecost/): No plugins found!!
  • 58. Application level: WordPress. The result:
      • WP-scan (http://code.google.com/p/wpscan/): wp-scan doesn't like our filters
  • 59. Application level: WordPress. The result:
      • Nmap
  • 60. Application level: WordPress. Final result… We've earned a beer!
  • 61. Questions?
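
The patch procedure from slides 27 to 31, written out as an added example that is not taken from the original slides (their commands were images and did not survive in the transcript). Assumptions: the header is a constructed excerpt standing in for nginx's src/core/nginx.h, the scratch directory layout, the replacement token and the name patch-nginx.h (following the slide's patch-ORIGINAL_FILE_NAME pattern) are illustrative, and files/ stands in for /usr/ports/CATEGORY/PROG/files.

```shell
#!/bin/sh
# Added example. The header below is a constructed excerpt, so nothing
# is downloaded and no real ports tree is touched.

make_banner_patch() {
    work=$1        # scratch directory (hypothetical layout)
    banner=$2      # replacement server token, plain text without | or &
    [ -n "$work" ] || return 1

    # Step 1 (stand-in for the download): pristine source tree.
    mkdir -p "$work/nginx.orig/src/core" "$work/files" || return 1
    cat > "$work/nginx.orig/src/core/nginx.h" <<'EOF'
#define NGINX_VERSION      "1.0.0"
#define NGINX_VER          "nginx/" NGINX_VERSION
EOF

    # Step 2: work on a copy, never on the original.
    rm -rf "$work/nginx"
    cp -R "$work/nginx.orig" "$work/nginx" || return 1

    # Step 3: rewrite only the NGINX_VER line in the copy.
    sed "s|^#define NGINX_VER .*|#define NGINX_VER          \"$banner\"|" \
        "$work/nginx.orig/src/core/nginx.h" > "$work/nginx/src/core/nginx.h"

    # Step 4: diff exits 0 when nothing changed; treat that as a failure.
    if (cd "$work" && diff -u nginx.orig/src/core/nginx.h \
            nginx/src/core/nginx.h) > "$work/raw.diff"; then
        return 1
    fi
    [ -s "$work/raw.diff" ] || return 1

    # Step 5: make the paths relative to the source root and save the
    # result as patch-*; on FreeBSD it goes in the port's files/ directory.
    sed -e 's|^--- nginx\.orig/|--- |' -e 's|^+++ nginx/|+++ |' \
        "$work/raw.diff" > "$work/files/patch-nginx.h"
    echo "$work/files/patch-nginx.h"
}

# Stand-alone run: print the generated patch, then clean up.
demo=$(mktemp -d)
cat "$(make_banner_patch "$demo" "httpd")"
rm -rf "$demo"
```

The original tree stays untouched, so the same diff can be regenerated when a new upstream release changes the header.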