• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Stealth servers need Stealth Packets - Derbycon 3.0
 

Stealth servers need Stealth Packets - Derbycon 3.0

on

  • 1,169 views

Sun Tzu once said "Know your enemy and know yourself, and in a hundred battles you will never be defeated". Cyberwar is upon us, and APT is too common nowadays and we need to think about new tricks to ...

Sun Tzu once said "Know your enemy and know yourself, and in a hundred battles you will never be defeated". Cyberwar is upon us, and APT is too common nowadays and we need to think about new tricks to avoid it, being one step ahead to keep your systems secure.

You can give that step in order defend your servers against the first phase in all APT operations: Fingerprinting. This is done by intercepting all traffic that your box is sending in order to camouflage and modify in real time the flags in TCP/IP packets that discover your system.

This presentation will discuss the current techniques used for OS fingerprinting and how to frustrate them:
- Active remote OS fingerprinting: like Nmap or Xprobe (with Live Demo: Laptop and Mobile)
- Passive remote OS fingeprinting: like p0f or pfsense (with Live Demo: Mobile)
- Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting (with Live Demo: Laptop)

There will be a many live demos, and will release OSfoller, that have some interesting features:
- No need for kernel modification or patches
- Highly portable and configurable
- Will emulate any OS
- Capable of handling nmap and p0f fingerprint database (beta phase)
- Transparent for the user
- Undetectable for the attacker
- Available for your Linux laptop, server and mobile device

Sorry guys, remote OS fingerprinting is over…

Statistics

Views

Total Views
1,169
Views on SlideShare
467
Embed Views
702

Actions

Likes
2
Downloads
14
Comments
0

9 Embeds 702

http://www.seguridadofensiva.com 628
http://74.220.219.72 49
http://translate.googleusercontent.com 9
https://www.linkedin.com 5
http://8212444198868605578_7826c2a494a941e8cf07898b84a2af82751c4527.blogspot.com 4
http://www.linkedin.com 3
https://twitter.com 2
http://webcache.googleusercontent.com 1
https://translate.googleusercontent.com 1
More...

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Stealth servers need Stealth Packets - Derbycon 3.0 Stealth servers need Stealth Packets - Derbycon 3.0 Presentation Transcript

    • 1 STEALTH SERVERS NEED STEALTH PACKETS STEALTH SERVERS NEED STEALTH PACKETS JAIME SANCHEZ (@SEGOFENSIVA) WWW.SEGURIDADOFENSIVA.COM
    • 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) $  WHO  I  AM   §  Passionate  about  computer  security. §  Computer  Engineering  degree   and  an  Execu7ve   MBA.   §   In   my   free   8me   I   conduct   research   on   security   and  work  as  an  independent  consultant. §  I’m  from  Spain;  We’re  sexy  and  you  know  it. §    Other  conferences: §  RootedCON  in  Spain §  Nuit  Du  Hack  in  Paris   §  Black  Hat  Arsenal  USA §  Defcon  21  USA §  Next  conferences:  Hack7vity,  NoConName  and   Black  Hat  Sao  Paulo
    • FROM KERNEL SPACE TO USER HEAVEN 3 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has the better for our security. If we can fool all network tools he’ll be using, we’ll be able to prevent some attacks attempts 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • A  BRIEF  OVERVIEW FROM KERNEL SPACE TO USER HEAVEN 4 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • Devices Devices Devices Kernel Ring  0 Ring  1 Ring  2 Ring  3 Less Privileged More Privileged §  Computer  opera+ng  systems  provide  different   levels  of  access  to  resources. §  This  is  generally  hardware-­‐enforced  by  some   CPU  architectures  hat  provide  different  CPU   modes  at  the  hardware  or  microcode  level. §  Rings  are  arranged  in  a  hierarchy  from  most   privileged  (most  trusted,  usually  numbered  zero)   to  least  privileged  (least  trusted,  usually  with  the   highest  ring  number). §  On  most  opera+ng  systems,  RING  0  is  the  level   with  the  most  privileges  and  interacts  most   directly  with  the  physical  hardware  such  as  the   CPU  and  memory. ARCHITECTURE How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 5 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • KERNEL  vs  USER  SPACE KERNEL  SPACE USER  SPACE KERNEL  SPACE  is  strictly  reserved  for  running  the  kernel,  kernel  extensions,  and  most  device   drivers.  In  contrast,  user  space  is  the  memory  area  where  all  user  mode  applica+ons  work   and  this  memory  can  be  swapped  out  when  necessary. Similarly,   the  term  USER  LAND  refers  to  all  applica+on  soKware  that  runs  in  user   space.   Userland  usually  refers  to  the  various  programs  and  libraries  that  the  opera+ng  system  uses   to  interact  with  the  kernel:  soKware  that  performs  input/output,  manipulates  file  system,   objects,  etc. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 6 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • WTF  !? How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 7 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • 8 How Imet your packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven the NFQUEUE way OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • 9 NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() locally  des8ned  packets  must  pass  the   INPUT  chains  to  reach  listening  sockets INPUT FORWARD PREROUTING MANGLECONNTRACK FILTER forwarded  and  accepted  packets Inbound  Packets forwarded   packets local packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 10 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • TARGET  EXTENSIONS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven  A  target  extension  consists  of  a  KERNEL  MODULE,  and  an  op+onal  extension  to  iptables  to   provide  new  command  line  op+ons. There  are  several  extensions  in  the  default  NeQilter  distribu+on: 11 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • QUEUE §  QUEUE  is  an  iptables  and  ip6tables  target  which  which  queues  the  packet  for  userspace   processing. §  For  this  to  be  useful,  two  further  components  are  required: • a  QUEUE  HANDLER  which  deals  with  the  actual  mechanics  of  passing  packets  between   the  kernel  and  userspace;  and • a  USERSPACE  APPLICATION  to  receive,  possibly  manipulate,  and  issue  verdicts  on   packets. §  The  default  value  for  the  maximum  queue  length  is  1024.  Once  this  limit  is  reached,  new   packets  will  be  dropped  un+l  the  length  of  the  queue  falls  below  the  limit  again.   How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 12 FROM KERNEL SPACE TO USER HEAVEN 13 $ iptables -A INPUT -j NFQUEUE --queue-num 0 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • SOME  PRACTICAL EXAMPLES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 13 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • REMOTE  OS FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 14 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • CLASSIC  TECHNIQUES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 15 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • NMAP   -­‐  Device  Type       -­‐  Network  Distance   -­‐  Running       -­‐  TCP  Sequence  Predic7on   -­‐  OS  Details       -­‐  IP  ID  Sequence  Genera7on   -­‐  Up7me  Guess Device  Type:  general  purpose Running:  MicrosoK  Windows  7|Vista|2000 OS  CPE:  cpe:/o:microsoK_7::professional OS  details:  MicrosoK  Windows  7  Professional,  MicrosoK   Windows  Vista  SP0  or  SP1 Up7me  guess:  2.196  days  (since  Mon  Feb  4  12:14:01  2013) Network  Distance:  1  hop TCP  Sequence  Predic7on:  Difficulty=262  (Good  Luck!) IP  ID  Sequence  Genera7on:  Incremental Service  Info:  OS:  Windows;  CPE:  cpe:/o:microsoK:windows How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 16 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • 17 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) IPv4 UDP TCP ICMP 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)      RELEVANT  FIELDS
    • ECN  CWN  ECE,  WS(10),  NOP,  MSS(1460),  SACK,  NOP,  NOP  and  W3 IP  DF  bit,  TOS(0),  CODE=9,  SEQ=295,  120  bytes  of  0x00  for  payload no  flags,  IP  DF  and  W(128)  to  an  open  port SYN,  FIN,  URG,  PSH  and  W(256)  to  an  open  port ACK  with  IP  DF  and  W(1024)  to  an  open  port SYN  with  W(31337)  to  a  closed  port ACK  with  IP  DF  and  W(32768)  to  a  closed  port FIN,  PSH,  URG  and  W(65535)  to  a  closed  port WS(10),NOP,MSS(1460),TS(Tval:0xFFFFFFFF.  Tsecr:0),  SACK  and  W(1) MSS(1400),  WS(0),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),EOL  and  W(63) TS(Tval:0xFFFFFFFF.  Tsecr:0),NOP,NOP,WS(5),NOP,MSS(640)  and  W(4) SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),WS(10),EOL  and  W(4) MSS(536),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),  WS(10),EOL  and  W(16) MSS(265),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0)  and  W(512) NMAP  METHODS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 18 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEQUENCE  GENERATION  (SEQ,  OPS,  WIN  &  T1) ICMP  ECHO  (IE) TCP  EXPLICIT  CONGESTION  NOTIFICATION  (ECN) TCP  T2-­‐T7 UDP  -­‐  Nmap  sends  15  TCP,  UDP  and  ICMP  tests,  to  open  and  closed  system  ports: OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) ‘C’  (0x43)  x  300  for  data  field.  IP  ID  value  0x1042   TOS(4),  CODE=0,  150  bytes  data,  ICMP  request  ID  and  SEQ  are  incremented
    • Although  there  are  others: §  TCP  ISN  counter  rate  (ISR) §  ICMP  IP  ID  sequence  genera8on  alg  (II) §  Shared  IP  ID  sequence  Boolean  (SS) §  Don’t  Fragment  ICMP  (DFI) §  Explicit  conges8on  no8fica8on  (C) §  TCP  miscellaneous  quirks  (Q) §  TCP  sequence  number  (S) §  etc. NMAP  INTERNAL  PROBES Most  important: §  TCP  ISN  greatest  common  divisor  (GDC) §  TCP  IP  ID  sequence  genera8on  alg  (TI) §  TCP  8mestamp  op8on  alg  (TS) §  TCP  Op8ons  (O,  O1-­‐O6) §  TCP  ini8al  Window  Size  (W,  W1-­‐W6) §  Responsiveness  (R) §  IP  don’t  fragment  bit  (DF) §  IP  ini8al  8me-­‐to-­‐live  guess  (TG) Fingerprint Linux 2.6.17 - 2.6.24 Class Linux | Linux | 2.6.X | general purpose SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U) OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C) WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018) ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=) T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=) T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=N%T=3B-45%TG=40%CD=S) How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 19 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • OTHER  TOOLS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 20 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN A  patch  for  Linux  kernels  of   version  2.4.,  that  modifies   characteris+cs  of  network   traffic IP  PERSONALITY Simple  TCP  packets   iden+fica+on  solu+on  as  a   Kenel 2.2-­‐2.4  core  module  patch,   allowing  ignore  some  kind   of  packets. STEALTH  PATCH A  kernel  module  available   for  Linux  kernel  of  version   2.2.  that  also  tries  to  hide   the  original  OS  and  act  as  a   different  one. FINGERPRINT  FUCKER TCP  and  UDP  packets   filtering  op+ons,  allowing   to  respec+vely  block  RST   and  ICMP  answers  on   closed  ports BLACKHOLE Honeyd  is able  to  simulate  Xprobe2   and  Nmap  (previous   version)  signatures  for  its virtual  hosts. HONEYD Windows  soKware  that   modifies  keys  in  the   register,  to change  some  TCP/IP   parameters. OSFUSCATE NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 21 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 22 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • PASSIVE  OS  FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 23 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN -­‐   p0f   is  a  tool  that  u+lizes  an  array   of  sophis+cated,   purely   passive,   traffic   fingerprin+ng   mechanisms  to  iden+fy  the  players  behind  any  ini7al  TCP/IP  communica7on  (oKen  as  limle   as  a  single  normal  SYN)  without  interfering  in  any  way. -­‐  There  are  other  tools  like  Emercap,  NetworkMiner,  PRADS,  Satori  or  PacketFence. -­‐   Passive   fingerprin+ng   is   like   a   packet   sniffer.   Examines   network   traffic,   making   a   copy   of   the   data   but   without   redirec+ng  or  altering  it. -­‐  Can  be  used  for  several  purposes: 1.   As   stealthy   fingerprin7ng,   bypassing   the   need   for   using  an  ac+ve  tool  that  can  be  detected  by  various  IDS   systems. 2.  To  iden7fy  remote  proxy  firewalls.   3.  Organiza+ons  can  use  it  to  iden7fy  rogue  systems  on   their  network. NUIT DU HACK 2013 Sniffer OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • SIGNATURES 8192:32:1:48:M*,N,N,S:.:Windows:98 Opera+ng  System    -­‐  Family    -­‐  Version Quirks      -­‐  Data  in  SYN  packets      -­‐  Op8ons  a]er  EOL      -­‐  IP  ID  Field  =  0      -­‐  ACK  different  to  0      -­‐  Unusual  flags      -­‐  Incorrect  op8ons  decode TCP  op+ons  and  order      -­‐  N:  NOP      -­‐  E:  EOL      -­‐  Wnnn:  WS      -­‐  Mnnn:  MSS      -­‐  S:  SACK      -­‐  T  /  T0:  Timestamp          -­‐  ?n Window  Size      -­‐  *  Any  value      -­‐  %nnn  nnn  Mul8ple      -­‐  Sxx  MSS  Mul8ple      -­‐  Txx  MTU  Mul8ple      -­‐  xxx  Constant  value Ini+al  TTL DF  Bit   Packet   Size How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 24 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 25 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 26 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • COMMERCIAL  ENGINES This  techniques  can  be  used  to  avoid  commercial  implementa+ons.  We  hide  our  machine,   faking  the  detector  engine  and  recognizing  us  like  another  OS,  to  amack  another  host  and   leading  administrator  to  think  it  may  be  a  false  posi+ve. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 27 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN Fingerprint  value  example: key=fp_id;value=100000 key=rna_fingerprint_type_id;value=9 key=rna_fingerprint_descrip8on;value=iPhone key=rna_fingerprint_vendor_str;value=Apple key=rna_fingerprint_product_str;value=iOS key=rna_fingerprint_version_str;value=NULL key=val1;value=340e4d28c315390d key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d1 66085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834a f9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc5 03a4847e9c0fa22fe666cb1dc115309eb77 key=uuid;value=714e6bc6-­‐991a-­‐445c-­‐bddb-­‐a8b13c23706b I  had  no  +me  to  figure  out  what  each  field  means  in  all  the  commercial  appliances  I’ve  seen   so  far.  I  decided  to  cross  the  data  available  with  default  Nmap  and  p0f  database  to  get  the   desired  TCP/IP  header  values. NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • (  WE’RE  RUNNING  OUR  PROGRAM  IN   BACKGROUND  TO  CHANGE  ALL  OUTBOUND   CONNECTIONS  ) From  kernel  Space  to  user  Heaven 28 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 OS  FOOLED!  NOW  OUT   LINUX  IS  AN  IOS  DEVICE How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • SPOOF  NON  EXISTING   HOSTS HOST  CREATED  WITH  OUR NEW  TOOL  :) From  kernel  Space  to  user  Heaven 29 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • Long    story    short: SYN ACK FIN How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 30 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
    • How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 31 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEGURIDADOFENSIVA.COM @SEGOFENSIVA OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)