Power Point

Published in: Technology

  1. Rain Forest Puppy Fingerprinting Port 80 [email_address] www.wiretrip.net/rfp/
  2. Note: updated slides are available at: http://www.wiretrip.net/rfp/talks/hivercon-2002/
  3. What is application fingerprinting?
       • Unique set of characteristics, or ‘fingerprint’
       • Can be used to identify the application
       • Similar to TCP/IP stack fingerprinting (a la nmap)
  4. How can we use app fingerprinting?
       • Identify an application, and even its version
       • Can pierce anonymity (removal of banners, etc)
       • Can detect real vs fake applications (emulated honeypots)
  5. Who can use app fingerprinting?
       • Consultants: pen-tests, assessments
       • Attackers
       • More importantly, admins need to be aware that obscuring version banners can be circumvented
  6. What can be fingerprinted?
       • Anything that interacts with the user (i.e. most network services)
       • More interaction yields a better fingerprint
       • Version identification depends on how code changes between versions
  7. HTTP fingerprinting
       • Some web application assessment tools rely on the HTTP banner
       • Admins are removing the banner (Urlscan, source tweak, etc)
       • HTTP protection devices are removing banners (web app firewalls, security proxies, load balancers, etc)
       • Some HTTP servers have the same banner for multiple versions (IIS and the various service pack levels)
  8. HTTP fingerprinting—lots to fingerprint
       • rfp.labs scanned 3 class A networks looking for web servers
       • Found many hundreds of web servers, and many dozens of web server software packages
  9. HTTP fingerprinting—the request
  10. HTTP fingerprinting—the request
  11. HTTP fingerprinting—other stuff
       • Headers: special and invalid encodings, plus the return order
       • Page responses: returned HTML on 404, 302, etc responses
       • Abnormalities: characteristics due to implementation or other weirdness
       • HTTP 0.9 requests: mixed bag of support
       • Filename encodings: unicode, double-encode, etc
       • Cookies: can reveal what’s in the processing stream
  12. HTTP fingerprinting for identification
       • No banner? Use a fingerprint to determine what it is
       • Provides a banner? Use a fingerprint to see if it’s truthful or lying
       • File extension identified as ASP/PHP? Verify the file handler
  13. HTTP fingerprinting for versioning
       • Remotely identify which service packs/SRPs are on an IIS system
       • Be able to determine patch/vulnerability level without running an exploit
  14. HTTP fingerprinting—what’s on the horizon
       • Emulated honeypots and services are not good enough
       • Vulnerability testing/assessment without triggering the vuln
       • HTTP obscurity techniques will be pierced
       • Patch level determination through port 80 (for Windows/IIS)
       • Potential identification of inline HTTP devices
  15. Questions? http://www.wiretrip.net/rfp/talks/hivercon-2002/
  16. Bonus tool updates!
  17. Libwhisker 1.6
       • Latest libwhisker version
       • Features various bugfixes beyond version 1.5
  18. Whisker 2.1
       • Latest whisker version
       • Updated signature database
       • Documentation!
       • Incorporates some of the identification techniques discussed
  19. Available for download at: http://www.wiretrip.net/rfp/talks/hivercon-2002/
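
The header return order and banner checks from slides 11 and 12, as an added example that is not from the talk or from whisker/libwhisker: it takes raw responses an admin has captured from their own server and reports whether the banner is absent, consistent with, or contradicted by the header order. The signature table, the product labels and the sample responses are constructed for illustration.

```python
# Added example. SIGNATURES and the sample responses are constructed for
# illustration; they are not measured fingerprints of any real product.

def fingerprint(raw: bytes):
    """Return (status, header order without Server, banner) for a raw response."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if not parts[0].startswith("HTTP/") or len(parts) < 2:
        return ("0.9", (), None)  # HTTP/0.9-style reply: body only, no headers
    order, banner = [], None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name != name.strip():
            continue  # malformed or folded continuation line
        if name.lower() == "server":
            banner = value.strip()  # the claim, kept apart from the evidence
        else:
            order.append(name.lower())
    return (parts[1], tuple(order), banner)

SIGNATURES = {  # constructed: (status, header order) -> hypothetical product
    ("404", ("date", "content-type", "content-length")): "product-a",
    ("404", ("content-length", "content-type", "date")): "product-b",
}

def audit(raw: bytes, signatures=SIGNATURES):
    """Return (verdict, matched product) comparing banner with header order."""
    status, order, banner = fingerprint(raw)
    match = signatures.get((status, order))
    if match is None:
        return ("unknown", None)
    if banner is None:
        return ("banner-removed-still-identified", match)
    if match not in banner.lower():
        return ("banner-contradicted", match)
    return ("banner-consistent", match)

DATE = b"Date: Mon, 01 Jan 2001 00:00:00 GMT\r\n"
TAIL = b"Content-Type: text/html\r\nContent-Length: 0\r\n"
STRIPPED = b"HTTP/1.1 404 Not Found\r\n" + DATE + TAIL + b"\r\n"
HONEST = b"HTTP/1.1 404 Not Found\r\n" + DATE + b"Server: Product-A/2.0\r\n" + TAIL + b"\r\n"
FAKED = (b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\nServer: Product-A/2.0\r\n"
         b"Content-Type: text/html\r\n" + DATE + b"\r\n")

if __name__ == "__main__":
    for label, raw in [("stripped", STRIPPED), ("honest", HONEST), ("faked", FAKED)]:
        print(label, audit(raw))
```

The Server header is deliberately excluded from the order tuple, so a response with the banner stripped produces the same fingerprint as one with the banner intact.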
