Anti-fingerprinting talk

  1. The art of disguise: Anti-fingerprinting techniques. Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel
  2. Creative Commons License: "The art of disguise - Anti-fingerprinting techniques" by Daniel García García a.k.a. cr0hn is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Permissions beyond the scope of this license may be available at: dani@iniqua.com.
  3. Index: 1. FreeBSD: A brief introduction. 2. How does fingerprinting work? 3. How to defeat it?
  4. FreeBSD… A brief introduction
  5. 1 - FreeBSD: A brief introduction: 1. How to install it? 2. How to manage the software? 3. How to install programs? 4. Main differences with GNU/Linux.
  6. How to install it? Simple… With a wizard
  7. Software management • What is a ports system? • Why are ports a good idea? • How do ports work?
  8. Installing new software: Compiling…
  9. Installing new software: From binaries…
  10. Main differences with GNU/Linux:
      • Configuration. FreeBSD: general config file /etc/rc.conf. GNU/Linux: multiple config files and directories.
      • Service start. FreeBSD: /etc/rc.d/ and /usr/local/etc/rc.d/. GNU/Linux: /etc/init.d/.
      • User directories. FreeBSD: /usr/home. GNU/Linux: /home.
      • Kernel. FreeBSD: config of about 200 lines, many security features included. GNU/Linux: config file very complicated, extra features via patches.
      • Compiling software. FreeBSD: software, natively, can be compiled. GNU/Linux: only some distributions can do it, like Gentoo.
  11. The fingerprinting… How does it work?
  12. 2 – Fingerprinting: How does it work? 1. Why hide your systems? 2. Operating system level. 3. Service level. 4. Application level.
  13. Why hide your OS and services? 1. To hide from known (and unknown!) exploits. 2. Necessary unpatched versions of software. 3. If somebody knows the OS you're running, they may also guess the applications that run on it. 4. Privacy: nobody needs to know the systems you've got running.
  14. Fingerprinting: Risk demo
  15. Operating System level (mmm ... fish) • TTL: OpenBSD: 255; Linux/*BSD: 64; Windows: 128; AIX: 30
  16. Operating System level • Common TCP initial window size: *BSD: FFFF; OpenBSD: 4000; Linux: 16A0; Windows: 2000; AIX: 4470/FFFF
  17. Operating System level • IP ID sequence generation algorithm. • Invalid TCP flags combination. • Answer to closed port: RST, nothing, ICMP unreachable. • TCP send/receive window sizes. • Port ranges
  18. Service level • Banners
  19. Application level • Session ID var (PHPSESSID/JSESSIONID) • Hidden/lost files. • Meta headers. • Vars and methods names.
  20. Application level. A practical example: Metadata.
  21. Application level. A practical example: Lost files.
  22. The fight… How to defeat it?
  23. 3 – Defeating fingerprinting • Kernel parameters • Changing banners • Modifying applications
  24. Kernel parameters: Disable (if you don't need them) • SCTP • IPv6
  25. Kernel parameters: In your /etc/sysctl.conf
  26. Service level: How to defeat it? • Changing configuration files • Changing source code of software
  27. How to make a patch. Steps to make a patch: 1. Download the source code of the app you want to patch. 2. Extract the code and create a copy of it. 3. In your copy, make the changes you need. 4. Run a diff to extract the changes. 5. Save the changes into a patch-* file.
  28. How to make a patch: Nginx. Steps 1 and 2: 1. Download the source code of Nginx. 2. Create a copy of the source.
  29. How to make a patch: Nginx. Step 3: • Locate the file that contains the version information: • Change the file information:
  30. How to make a patch: Nginx. Steps 4 and 5: • Make a diff against the original file and save it into a patch.
  31. FreeBSD patching method: What does FreeBSD need to apply our patch? • Put your file into: /usr/ports/CATEGORY/PROG/files • Your patch must be named like: patch-ORIGINAL_FILE_NAME • Change the relative path in your patch:
  32. FreeBSD patching method: And now, how do we compile our patched software…?
  33. FreeBSD patching method: Even an idiot can do it!
  34. Service level. Learning with examples: Nginx • OpenSSH • PureFTPd • Apache Tomcat
  35. Service level: Nginx. Where is the version information? • In nginx.h
  36. Service level: Nginx. The result: (callout: "Yes! I use a public IP for my LAN")
  37. Service level: OpenSSH. Where is the version information? • In Makefile: • Or in version.h:
  38. Service level: OpenSSH. The result:
  39. Service level: PureFTPd. Where is the version information? • In pure-ftpwho.c • In altlog.c • In ftp_parser.c • In ftpd.c
  40. Service level: PureFTPd. The result:
  41. Service level: Tomcat. Where is the version information? • /usr/local/apache-tomcat-7.0/conf/server.xml
  42. Service level: Tomcat. The result:
  43. Service level: nmap. What does nmap think?
  44. Service level: fingerprinting database. Where can we find a database of fingerprints?
  45. Application level. Learning with examples… Testing WordPress
  46. Application level: WordPress. Hiding our WordPress information: 1. WordPress version. 2. WordPress plugin versions. 3. Session ID. 4. Custom error pages. 5. Metadata info. 6. Hash of static and common files.
  47. Application level: WordPress. Step 1: WordPress version.
  48. Application level: WordPress. Step 2: Plugin versions.
  49. Application level: WordPress. Steps 1 and 2: Hiding versions.
  50. Application level: WordPress. Step 3: Session ID var.
  51. Application level: WordPress. Step 3: Hiding the session ID var.
  52. Application level: WordPress. Step 4: Custom error pages… of IIS
  53. Application level: WordPress. Step 5: Metadata info.
  54. Application level: WordPress. Step 5: Hiding metadata info.
  55. Application level: WordPress. Step 6: Hash of static and common files. • Site.com/wp-includes/css/admin-bar.css: • Some programs have a database of hashes:
  56. Application level: WordPress. Step 6: Hiding common hashes: 2. Modify our static files, like CSS: 4. Check the new hash:
  57. Application level: WordPress. The result: • Plecost (http://www.iniqua.com/labs/plecost/): No plugins found!!
  58. Application level: WordPress. The result: • WP-scan (http://code.google.com/p/wpscan/): wp-scan doesn't like our filters
  59. Application level: WordPress. The result: • Nmap
  60. Application level: WordPress. Final result…. We've earned a beer!
  61. Questions?
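
The patch procedure from slides 27 to 31, carried through end to end as an added example; it is not code from the slides or from the author. The source tree, the file name server.h and the APP_* macros are constructed stand-ins for a real daemon's version header.

```shell
#!/bin/sh
# Added example (not from the slides). The source tree, server.h and the
# APP_* macros are constructed stand-ins for a real daemon's version header.

# make_banner_patch WORKDIR
# Runs the five steps in WORKDIR and prints the path of the finished patch.
make_banner_patch() {
    work=$1
    mkdir -p "$work/orig/src" "$work/files" || return 1

    # Step 1: "download" the source (constructed sample header).
    cat > "$work/orig/src/server.h" <<'EOF'
#ifndef SERVER_H
#define SERVER_H
#define APP_VERSION "1.0.15"
#define APP_BANNER  "sampled/" APP_VERSION
#endif
EOF

    # Step 2: keep the original untouched and work on a copy.
    cp -R "$work/orig" "$work/copy" || return 1

    # Step 3: change the version information in the copy only.
    sed -e 's|"1.0.15"|"0.0"|' -e 's|"sampled/"|"httpd/"|' \
        "$work/orig/src/server.h" > "$work/copy/src/server.h" || return 1

    # Step 4: extract the change. diff exits 1 when the files differ,
    # which is the expected outcome; 0 or 2 means there is nothing to patch.
    rc=0
    ( cd "$work" && diff -u orig/src/server.h copy/src/server.h ) \
        > "$work/raw.diff" || rc=$?
    [ "$rc" -eq 1 ] || return 1

    # Step 5: save as patch-ORIGINAL_FILE_NAME and fix the relative paths:
    # drop the orig/ and copy/ prefixes so both header lines name the file
    # relative to the top of the extracted source.
    patch_file="$work/files/patch-server.h"
    sed -e '1s|^--- orig/|--- |' -e '2s|^+++ copy/|+++ |' \
        "$work/raw.diff" > "$patch_file" || return 1

    printf '%s\n' "$patch_file"
}

# Stand-alone run: build the patch in a scratch directory and show it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && cat "$(make_banner_patch "$tmp")" && rm -rf "$tmp"
fi
```

The file written under files/ is what would be placed in /usr/ports/CATEGORY/PROG/files for the port in question.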
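
A self-check for step 6 (slides 55 and 56), added here and not taken from the slides: it lists which static files in your own docroot still match recorded stock digests, before and after one is modified. The file contents and the digest list are constructed; only the admin-bar.css path comes from the slides, and SHA-256 is an assumption since the slides do not name the hash.

```shell
#!/bin/sh
# Added example. The docroot contents and the digest list are constructed;
# only the admin-bar.css path comes from the slides.

# hash_of FILE: print the SHA-256 hex digest (sha256sum, or sha256 on FreeBSD).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# build_sample WORKDIR: create a small docroot and a "DIGEST PATH" list that
# stands in for a scanner's database of stock-file hashes.
build_sample() {
    css="$1/site/wp-includes/css"
    mkdir -p "$css" || return 1
    printf '#wpadminbar{height:28px}\n' > "$css/admin-bar.css"
    printf '.button{margin:0}\n'        > "$css/buttons.css"
    : > "$1/stock.db"
    for rel in wp-includes/css/admin-bar.css wp-includes/css/buttons.css; do
        printf '%s %s\n' "$(hash_of "$1/site/$rel")" "$rel" >> "$1/stock.db"
    done
}

# stock_matches DOCROOT DB: print each listed path whose current digest still
# equals the recorded one, i.e. the files a hash lookup would still recognise.
stock_matches() {
    while read -r known rel; do
        [ -f "$1/$rel" ] || continue
        if [ "$(hash_of "$1/$rel")" = "$known" ]; then
            printf '%s\n' "$rel"
        fi
    done < "$2"
}

# alter_static FILE: append a CSS comment; rendering is unchanged, digest is not.
alter_static() {
    printf '/* site build */\n' >> "$1"
}

# Stand-alone run: ./script --demo prints the matches before and after the edit.
if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d) && build_sample "$t" && stock_matches "$t/site" "$t/stock.db"
    alter_static "$t/site/wp-includes/css/admin-bar.css"
    echo "after edit:"; stock_matches "$t/site" "$t/stock.db"; rm -rf "$t"
fi
```

Any path the audit still prints after your changes is a file whose digest identifies the stock release it came from.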
