Using system fingerprints to track attackers

Talk at B-Sides SF 2014 by Lance Cottrell (Ntrepid/Anonymizer). Leveraging known weaknesses in current anonymity tools to identify who is using such tools, and in some cases to identify the users themselves.

  1. Using system fingerprints to track attackers
     Lance Cottrell, Ntrepid/Anonymizer
     ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.
  2. When You Are Under Attack
     You may ask: Who was that masked man?
  3. As a Defender, You See...
     IP: 37.123.118.67
     Lat / Long: +54 / -2
     Country: UK
     Ping: 110 ms
     ISP: as13213.net (AKA UK2.net), server hosting
     Open Ports: SSH, HTTP
  4. Is THIS Really the Attacker?
  5. Which is the "Real" Attacker? It's Turtles All the Way Down
  6. What If You Could Spot People Hiding?
     Block Web Access
     Redirect to Honeypot
     Add Firewall Rule
     Deny Credit Card
     Flag in Logs
  7. What If You Could Identify Your Attacker?
  8. How Do They Hide?
     Proxies
     VPNs
     Chained VPNs / TOR
     Botnets / Compromised Hosts
     Tradecraft
  9. How Can You Spot Them?
  10. Known Anonymous IP
  11. Anon IPs are well known
  12. Open Proxy / Ports
  13. Obviously not a home PC: HTTP, X11, FTP, SSH
  14. Non-Consumer IP
  15. Identifying non-consumer IP
      Backbone / hosting path:
       9  xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229)  1.555 ms  xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201)  1.545 ms  4.888 ms
      10  ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221)  1.429 ms  1.514 ms  1.465 ms
      vs. consumer path:
      13  te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34)  27.851 ms  32.571 ms  29.858 ms
      14  c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27)  25.532 ms !X  25.736 ms !X  28.775 ms !X
      (The reverse DNS of the final hops is the tell: the backbone names carry router and interface labels, while the consumer name is an address-derived pool entry; the !X is traceroute's "communication administratively prohibited", typical of a home gateway.)
  16. Latency vs. Ping Time
      HTTP / Javascript
      DHCP Ping
  17. DNS Mismatch
      HTTP from Chicago, DNS from Nigeria
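The checks on slides 12 to 17 (listening server ports, non-consumer reverse DNS, ping against application-level latency, and the country of the resolver that answered a per-session hostname versus the country of the HTTP client) fit in one scoring function. The code below is an added example and is not the speaker's or Ntrepid's code; the session records, the `GEO` lookup table, the reverse-DNS regexes and the 2x latency threshold are constructed assumptions standing in for logs, a GeoIP database and a canary-hostname DNS server.

```python
"""Relay indicators for one logged session, built from the evidence a
defender already holds: open ports, reverse DNS, ping vs JS round trip, and
HTTP-client country vs DNS-resolver country.

Added example; session data, GEO table and thresholds are constructed.
"""
import re

# Constructed stand-in for a GeoIP lookup (ISO country codes). 37.123.118.67 is
# the UK hosting address from slide 3; the others are documentation ranges.
GEO = {
    "37.123.118.67": "GB",
    "192.0.2.77": "US",
    "198.51.100.23": "US",
    "203.0.113.9": "NG",
}

# Reverse-DNS heuristics after the slide 15 traceroute: consumer pools embed
# the address or a pool label (c-98-248-25-27.hsd1.ca.comcast.net); backbone
# and hosting names carry interface/router labels (xe-0-3-0-5.r04.lsanca03...).
CONSUMER_RDNS = re.compile(
    r"^c-\d+-\d+-\d+-\d+\.|\.hsd1\.|dsl|cable|pool|dynamic|dhcp", re.I)
INFRA_RDNS = re.compile(
    r"^(xe|ae|ge|te)-\d|\.r\d\d\.|\.bb\.|server|host|vps|cloud", re.I)

# Listening services a home PC essentially never exposes (slide 13).
SERVER_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 6000: "X11"}


def rdns_class(hostname):
    """Classify a reverse-DNS name as consumer, infrastructure or unknown."""
    if not hostname:
        return "unknown"
    if CONSUMER_RDNS.search(hostname):
        return "consumer"
    if INFRA_RDNS.search(hostname):
        return "infrastructure"
    return "unknown"


def proxy_indicators(session, known_anon_ips=frozenset(), rtt_ratio=2.0):
    """Return the list of relay indicators present in one logged session."""
    found = []
    ip = session["ip"]
    if ip in known_anon_ips:
        found.append("known-anon-ip")
    if rdns_class(session.get("rdns")) == "infrastructure":
        found.append("non-consumer-rdns")
    ports = sorted(SERVER_PORTS[p] for p in session.get("open_ports", ())
                   if p in SERVER_PORTS)
    if ports:
        found.append("server-ports:" + ",".join(ports))
    # Ping measures the path to the visible IP; a JavaScript round trip measures
    # the path to the machine actually running the browser. A large gap means
    # there are more hops behind the IP you see.
    ping, app = session.get("ping_ms"), session.get("js_rtt_ms")
    if ping and app and app > rtt_ratio * ping:
        found.append(f"rtt-gap:{app}ms app vs {ping}ms ping")
    # The resolver that looked up a per-session unique hostname embedded in the
    # page should sit near the client; a VPN or proxy often leaves DNS behind.
    resolver = session.get("resolver_ip")
    http_cc, dns_cc = GEO.get(ip), GEO.get(resolver)
    if http_cc and dns_cc and http_cc != dns_cc:
        found.append(f"dns-mismatch:http={http_cc} dns={dns_cc}")
    return found


# Constructed sessions: one through a hosting box, one from a home connection.
SESSION_RELAY = {"ip": "37.123.118.67", "rdns": None, "open_ports": [22, 80],
                 "ping_ms": 110, "js_rtt_ms": 340, "resolver_ip": "203.0.113.9"}
SESSION_HOME = {"ip": "192.0.2.77", "rdns": "c-192-0-2-77.hsd1.ca.comcast.net",
                "open_ports": [], "ping_ms": 25, "js_rtt_ms": 40,
                "resolver_ip": "198.51.100.23"}

if __name__ == "__main__":
    for name, s in (("relay", SESSION_RELAY), ("home", SESSION_HOME)):
        print(name, proxy_indicators(s))
```

Each indicator on its own is weak (a corporate NAT has server-like reverse DNS, a satellite link has a large RTT gap), so the output is a list to be weighed, not a verdict; the slide 6 responses that block or deny should key off several indicators together, with the known-anonymous-IP list as the only one strong enough alone.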
  18. Identify the Attacker
  19. Identity Leakage
      Embedded Media
      Apps bypass proxy / VPN
      Phone home
  20. Fortunately (for you), Good OPSEC is Hard
      Tools can be slow and cumbersome
      May go direct for "innocent" activity / reconnaissance
      May forget to use it
      Accidentally cross the streams of personas
      Correlate attacker print with all previous activity
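The last bullet of slide 20 as a query over a session log: take the fingerprint seen behind a known anonymous IP and find every session that carried the same print from a non-anonymous address, so that one visit made without the VPN (forgotten, or "innocent" reconnaissance) yields a candidate real source. This is an added example, not the speaker's tooling; the session log and the anonymous-IP list are constructed, and the print is a hash over the slide 23 attributes a site can observe.

```python
"""Link a print seen via an anonymous IP to earlier direct sessions with the
same print. Added example; sessions and the anonymous-IP list are constructed.
"""
import hashlib
from collections import defaultdict

# Constructed known-anonymous list for the example (the slide 3 address stands
# in for a VPN exit here; no claim is made about the real host).
KNOWN_ANON = {"37.123.118.67"}

# Constructed attribute sets in the shape of slide 23's entropy sources.
ATTACKER_PRINT = {"ua": "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0",
                  "plugins": "Shockwave Flash 12.0;Java 1.7.0_51",
                  "fonts": "Arial,Calibri,Consolas,Wingdings", "tz": "-480",
                  "screen": "1440x900x24"}
OTHER_PRINT = dict(ATTACKER_PRINT, fonts="Arial,Helvetica,Menlo", tz="60")
CAREFUL_PRINT = dict(ATTACKER_PRINT, plugins="", screen="1024x768x24")

# Constructed log: (timestamp, source IP, fingerprint attributes)
SESSIONS = [
    ("2014-02-10T09:12Z", "198.51.100.23", ATTACKER_PRINT),  # recon, no VPN
    ("2014-02-10T22:40Z", "37.123.118.67", ATTACKER_PRINT),  # attack via exit
    ("2014-02-11T03:05Z", "203.0.113.9", OTHER_PRINT),       # unrelated user
    ("2014-02-11T08:30Z", "37.123.118.67", CAREFUL_PRINT),   # only ever via exit
]


def fp_key(attrs):
    """Stable key for an attribute set: canonical sorted string, hashed."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def correlate(sessions, anon_ips):
    """Map each print seen both via an anonymous IP and via a direct IP to the
    anonymous IPs and the (timestamp, direct IP) pairs, i.e. the candidates
    for the attacker's real address."""
    seen = defaultdict(lambda: {"anon": set(), "direct": []})
    for ts, ip, attrs in sessions:
        entry = seen[fp_key(attrs)]
        if ip in anon_ips:
            entry["anon"].add(ip)
        else:
            entry["direct"].append((ts, ip))
    return {fp: e for fp, e in seen.items() if e["anon"] and e["direct"]}


if __name__ == "__main__":
    for fp, e in correlate(SESSIONS, KNOWN_ANON).items():
        print(fp, "via", sorted(e["anon"]), "also seen direct from", e["direct"])
```

Only the attacker's print links: the unrelated user was never seen behind an anonymous IP, and the careful attacker was never seen without one. A print with few bits (the stock VM image of slide 24, a default browser with no plugins) collides across many users, so a link is only worth acting on when the print is near-unique in your own population and the direct sessions are close in time; feeding a weak link into an automatic firewall rule blocks an innocent.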
  21. Cookies and Bugs
  22. Browser Fingerprints
  23. Fingerprint Entropy (bits)
      User Agent: 12.3
      HTTP_ACCEPT Headers: 5.4
      Browser Plugin Details: 21.9+
      Time Zone: 5.0
      Screen Size and Color Depth: 7.5
      System Fonts: 21.9
      Cookie Test: 0.4
      Super Cookie Test: 0.9
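The slide 23 figures are Shannon entropies: the average surprisal of an attribute's values across a population, so that a near-unique attribute such as the plugin list scores about log2 of the population and a near-constant one such as the cookie test scores close to zero. The block below recomputes that from constructed value counts and also shows the bits of one specific visitor, which is what the correlation on slide 20 actually relies on. It is an added example, not the speaker's code; the `OBSERVED` counts are constructed and far smaller than the population behind the slide, and the independence assumed when summing attributes overstates the total (user agent and plugin list are correlated, for instance).

```python
"""Entropy of fingerprint attributes and the surprisal of one visitor's values.
Added example; the OBSERVED counts are constructed.
"""
import math
from collections import Counter

# Constructed: how often each value was seen per attribute in 100 visits.
OBSERVED = {
    "user_agent": Counter({"UA-A": 50, "UA-B": 30, "UA-C": 15, "UA-D": 5}),
    "time_zone": Counter({"-480": 40, "-300": 40, "0": 20}),
    "plugins": Counter({f"plugins-{i}": 1 for i in range(100)}),  # unique each
    "cookies_enabled": Counter({"yes": 95, "no": 5}),
}


def entropy_bits(counts):
    """Shannon entropy H = -sum p log2 p over the observed value distribution."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def surprisal_bits(counts, value):
    """Identifying bits carried by one specific value: log2(1 / p(value))."""
    total = sum(counts.values())
    return math.log2(total / counts[value])


def fingerprint_bits(observation, observed=OBSERVED):
    """Sum of per-attribute surprisal for one visitor, assuming independence
    between attributes (an upper bound in practice)."""
    return sum(surprisal_bits(observed[attr], val)
               for attr, val in observation.items())


def distinguishable(bits):
    """Population size that a print of this many bits can single a user out of."""
    return 2 ** bits


if __name__ == "__main__":
    for attr, counts in OBSERVED.items():
        print(f"{attr:16s} {entropy_bits(counts):5.2f} bits")
    visitor = {"user_agent": "UA-D", "time_zone": "0",
               "plugins": "plugins-7", "cookies_enabled": "yes"}
    b = fingerprint_bits(visitor)
    print(f"this visitor: {b:.2f} bits, roughly 1 in {distinguishable(b):,.0f}")
```

Reading the numbers: a uniformly unique attribute over 100 visits gives log2(100), about 6.64 bits, which is why plugin details and fonts dominate the slide; a 95/5 yes/no test gives under 0.3 bits on average, yet the rare "no" value alone is worth log2(20), over 4 bits, for the visitor who carries it. Entropy tells you how useful an attribute is on average; surprisal tells you how much a particular attacker has given away.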
  24. Attacker Use of Virtualization
      Advantages: Easy to Clean; Cloned Each Time; No Cookies or Super-Cookies
      Disadvantages: Too Clean or Outdated Cruft; Can Be Detected as VM (detection as VM requires local execution)
  25. Dread Pirate Roberts
  26. Why Should YOU be Stealthy
      Lurk in IRC and Forums
      Discover Plans
      Learn Techniques
      Hide your interest & activity
      Bait Honeypots
      Drop False Leads and Links
      Government Has Other More Aggressive Options
  27. Thanks
      Contact me at:
      Email: lance.cottrell@ntrepidcorp.com
      Commercial / Gov: http://ntrepidcorp.com
      Consumer: http://anonymizer.com
      Blog: http://theprivacyblog.com
      Twitter: @LanceCottrell
      LinkedIn: http://linkedin.com/in/LanceCottrell
