Derevolutionizing OS Fingerprinting:
The Cat and Mouse Game
Jaime Sánchez

@segofensiva
Derevolutionizing OS Fingerprinting: The Cat and Mouse Game
DEFCON CHINA 1.0
$ WHO I AM
* Jaime Sánchez, @segofensiva, https://seguridadofensiva.com
* Passionate about computer security and occasional Rockstar ;)
* In my free time I conduct research on security and work as an independent consultant
* From Spain :)
* Speaker at many other conferences:
  * RootedCON in Spain
  * Nuit du Hack in Paris
  * BlackHat in Sao Paulo
  * Defcon in Las Vegas
  * etc.
WHAT IS OS FINGERPRINTING?
OS fingerprinting is the method of using information gathered from a target host to determine which OS the machine is running.
Wikipedia describes it as:
“TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint”
There are multiple approaches for finding out the OS of an unknown host without having an account or any other way of logging on to the machine:
• Banner information & manual reconnaissance
• Active fingerprinting: transmitting packets to a remote host and analysing the corresponding replies.
• Passive fingerprinting: analysing packets from a host on a network. We act as a sniffer and don’t put any traffic on the network.
• Timing analysis fingerprinting
BANNER GRABBING / MANUAL RECONNAISSANCE
Other services that send back ‘free’ useful information include IMAP, POP2, POP3, SMTP, SSH, NNTP and FINGER. This technique is reasonably reliable even now, and automated tools exist to make the process simple and painless.
Even with access to the remote host, you could try the following commands until you get what you want:
• uname -a, or uname -o or uname -v
• lsb_release -a
• cat /proc/version
• cat /etc/*-release
• cat /etc/issue*
A more primitive approach is to port scan the machine using any of the freely available port scanners and examine the returned list of listening ports for patterns common to a particular OS.
Finally, it may be possible to determine the OS of a system by non-technical means such as social engineering. Learning about the target through phone calls, chatting to the system administrator, or even a public site tour are all possibilities.
Banners can also be revealed in an indirect way: for example, email headers often contain the version string of the client used by a user, and sometimes the OS version as well.
Another example is the SYST command in FTP; a SYST request asks for information about the server's operating system, and the server accepts the request with code 215. Examples from several servers:
215 UNIX Type: L8 Version: BSD-44
215 NetWare system type.
215 MACOS Peter's Server
215 AmigaOS
Another way to get more information is to analyse files the server offers, e.g. by trying to download:
• compress
• ls
• tar
• gzip
• gunzip
• zcat
• etc.
Then use the file command to determine the file type:
ACTIVE OS FINGERPRINTING
QUESO
• Spanish abbreviation of “Qué Sistema Operativo”, which translates to “Which Operating System”.
• Sends 7 (0-6) different types of packets to open ports on target hosts, each one with different TCP headers, and compares the responses with the config file, where each OS is described by its response to each packet:
• SYN (valid packet)
• SYN+ACK
• FIN
• FIN+ACK
• SYN+FIN
• PSH
• SYN+XXX+YYY (XXX and YYY are unused flags)
• In response to packet 0 (SYN), any LISTEN port must answer with a SYN+ACK carrying a nonzero ack_num, seq_num and window; if the port is not LISTEN, it sends back a RST+ACK with the valid ack_num.
• All packets are sent with a random seq_num and a 0x0 ack_num.
• Signatures are outdated and the project is archived.
Xprobe2
• The first version combined various remote active operating system fingerprinting methods using the ICMP protocol, discovered during the ICMP Usage in Scanning research project, into a simple, fast, efficient and powerful way to detect the underlying operating system a targeted host is using.
• Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database.
• Sends 4 different types of ICMP packets to the target host.
• A UDP packet is sent to elicit an ICMP unreachable.
• The final packet is a vanilla SYN.
• Uses a basic fuzzy logic scoring system to provide more than one guess at the remote OS, along with a probabilistic score. This approach could even be extended to attempt to discover the source of any packet manipulation.
• Designed to be extensible, with an API to facilitate new test modules.
• The information request packet is basically obsolete.
NMAP: REMOTE OS DETECTION
DEVICE TYPE
All fingerprints are classified with one or more high-level device types, such as
router, printer, firewall, or (as in this case) general purpose.
Several device types may be shown, in which case they will be separated with the
pipe symbol as in “Device Type: router|firewall”.
RUNNING
OS family (Linux in this case) and OS generation (2.6.X) if available. If there are multiple OS families, they are separated by commas. When Nmap can't narrow down OS generations to one specific choice, options are separated by the pipe symbol ('|'); examples include OpenBSD 3.X, NetBSD 3.X|4.X and Linux 2.4.X|2.5.X|2.6.X.
If Nmap finds too many OS families to print concisely, it will omit this line. When there are no perfect matches, Nmap changes the field to Running (JUST GUESSING) and adds an accuracy percentage (100% is a perfect match) in parentheses after each candidate family name. If no fingerprints are close matches, the line is omitted.
OS CPE
This shows a Common Platform Enumeration (CPE) representation of the operating system when
available. It may also have a CPE representation of the hardware type. A CPE name is a URL
that encodes seven ordered fields:
cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>
The main division of CPE names is in the <part> field; this can take on only three values:
a for applications,
h for hardware platforms, or
o for operating systems.
OS DETAILS
Detailed description for each fingerprint that matches. While the Device type and Running lines are
from predefined enumerated lists that are easy to parse by a computer, the OS details line contains
free-form data which is useful to a human reading the report. This can include more exact version
numbers, device models, and architectures specific to a given fingerprint.
When there are multiple exact matches, they are comma-separated. If there aren't any perfect matches,
but some close guesses, the field is renamed Aggressive OS guesses and fingerprints are shown
followed by a percentage in parentheses which specifies how close each match was.
UPTIME GUESS
As part of OS detection, Nmap receives several SYN/ACK TCP packets in a row and checks the headers for a timestamp option. Many operating systems use a simple counter for this which starts at zero at boot time and then increments at a constant rate such as twice per second; dividing the received timestamp value by that rate gives the uptime guess.
NETWORK DISTANCE
The number of network hops between the scanning machine and the target, as determined during OS detection.
TCP SEQUENCE PREDICTION
Systems with poor TCP initial sequence number generation are vulnerable to blind TCP spoofing attacks.
In other words, you can make a full connection to those systems and send (but not receive) data while
spoofing a different IP address. The target's logs will show the spoofed IP, and you can take
advantage of any trust relationship between them. This attack was all the rage in the mid-nineties
when people commonly used rlogin to allow logins to their account without any password from trusted IP
addresses.
Kevin Mitnick is alleged to have used this attack to break into Tsutomu Shimomura's computers in
December 1994.
IP ID Sequence Generation
Many systems unwittingly give away sensitive information about their traffic levels based
on how they generate the lowly 16-bit ID field in IP packets. This can be abused to spoof
a port scan against other systems and for other mischievous purposes.
If Nmap does not receive sufficient responses during OS detection, it will omit the whole line.
NMAP: VERSION SCAN (-sV)
DEALING WITH NAT GATEWAY BOXES
If there’s a gateway box that redirects ports to several different machines, TCP/IP
fingerprinting will identify the proxy while version scanning will generally detect the
server running the proxied application.
This technique offers:
• Determination of the application name and version number (if available)
• SSL support for services like HTTPS, POP3S etc., as well as providing version details
• IPv6 support, including TCP, UDP, and SSL over TCP
• In the best case, using both techniques together gives a more credible result
• Application exclusivity. If we identify a service as Microsoft Exchange, we know the operating system is Windows, since Exchange doesn't run on anything else. This type of OS detection is intended to complement Nmap's OS detection system (-O) and can sometimes report differing results. For example, consider a Microsoft Exchange server hidden behind a port-forwarding Unix firewall.
REMOTE OS FINGERPRINTING
Nmap OS fingerprinting works by sending up to 15 TCP, UDP, and ICMP probes to known open and closed ports of the target machine.
These probes are specially designed to exploit various ambiguities in the standard protocol RFCs. Nmap then listens for the responses, as there can be dozens of attributes in those responses that contribute to a fingerprint.
Every probe is tracked and resent at least once if there is no response.
NMAP: SIGNATURE DATABASE
Fingerprint Microsoft Windows XP SP0/SP1
Class Microsoft | Windows | XP | general purpose
CPE cpe:/o:microsoft:windows_xp::-
CPE cpe:/o:microsoft:windows_xp::sp1
SEQ(SP=7C-9F%GCD=1-6%ISR=96-A0%TI=I%II=I%SS=S%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%T=7B-85%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=7B-85%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=7B-85%TG=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=S%T=7B-85%TG=80%CD=Z)
Six TCP probes, 110m apart (for initial SEQ numbers, IP IDs and TCP timestamps):
• Packet 1: WS10, NOP, MSS1460, TS, SACK. W1
• Packet 2: MSS1400, WS0, SACK, TS, EOL. W63
• Packet 3: TS, NOP, NOP, WS5, NOP, MSS640. W4
• Packet 4: SACK, TS, WS10, EOL. W4
• Packet 5: MSS536, SACK, TS, WS10, EOL. W16
• Packet 6: MSS265, SACK, TS. W512
Legend for the SEQ, OPS, WIN and T1 lines of the signature:
SEQ: sequence number analysis
OPS: options received for each probe
WIN: window size received for each probe
T1: R = responsiveness; DF = don't fragment bit (N neither, S both echo value, Y both bit set, O other combination); T / TG = TTL / TTL guess; S = SEQ number (Z 0, A same as ACK, A+ ACK+1, O other); A = ACK number (Z 0, S same as SEQ, S+ SEQ+1, O other); F = TCP flags (E ECN, U URG, A ACK, P PSH, R RST, S SYN, F FIN); RD = RST data checksum; Q = quirks
ECN(R=Y%DF=Y%T=7B-85%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=)
Tests explicit congestion notification (ECN) support in the target TCP stack.
Sends a SYN packet (ECN CWR/ECE flags set) to an open port, with ACK=0, a random SEQ, window 3 and options WS10, NOP, MSS1460, SACK, NOP, NOP.
CC = explicit congestion notification: Y ECE set but not CWR, N neither of the two bits, S both bits, O other
ICMP test with two ICMP echo requests to the target:
• Packet 1: IP DF bit, TOS=0, Code 9, SEQ=295, random IP ID and ICMP request id, and a payload of a random character repeated 120 times.
• Packet 2: similar, except TOS=4, Code 0, 150 bytes of payload, and IP ID, request ID and SEQ number incremented from the previous values.
IE(DFI=S%T=7B-85%TG=80%CD=Z)
DFI = DF bit (N neither, S both echo value, Y both bit set, O other combination); T / TG = TTL / TTL guess; CD = ICMP response code (Z both zero, S both the same, <NN> same non-zero value, O any other combination)
Other possible fields: TOSI = type of service of the response; SI = ICMP sequence number; DLI = response data length
T2(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=7B-85%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
Six T2-T7 TCP probe packets, with options WS10, NOP, MSS265, TS, SACK (T7 uses WS15):
• Packet T2: TCP null (no flags), IP DF, W128 to open port
• Packet T3: SYN, FIN, URG, PSH, W256 to open port
• Packet T4: ACK with DF, W1024 to open port
• Packet T5: SYN with DF, W31337 to closed port
• Packet T6: ACK with DF and W32768 to open port
• Packet T7: FIN, PSH, URG, W65535 to closed port
Legend for the T2-T7 lines: R = responsiveness; DF = don't fragment bit (N neither, S both echo value, Y both bit set, O other combination); T / TG = TTL / TTL guess; W = window size; S = SEQ number (Z 0, A same as ACK, A+ ACK+1, O other); A = ACK number (Z 0, S same as SEQ, S+ SEQ+1, O other); F = TCP flags (as above); O = TCP options (L EOL, N NOP, M MSS, W WS, T TS, S SACK); RD = RST data checksum; Q = quirks
U1(DF=N%T=7B-85%TG=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
UDP packet to a closed port, with the character C (0x43) repeated 300 times as the data field and IP ID 0x1042.
If the port is closed (and there is no firewall), Nmap expects an ICMP port unreachable.
Legend: DF = don't fragment bit (N neither, S both echo value, Y both bit set, O other combination); T / TG = TTL / TTL guess; IPL = IP total length; UN = unused port unreachable field nonzero; RIPL = IP total length of the returned probe; RID = IP ID of the returned probe; RIPCK = integrity of the returned IP checksum; RUCK = returned probe UDP checksum; RUD = integrity of the returned UDP data (G same payload, I invalid)
PASSIVE OS FINGERPRINTING
Passive fingerprinting works like a packet sniffer: it examines network traffic, making a copy of the data without redirecting or altering it.
It can be used for several purposes:
• Stealthy fingerprinting, bypassing the need for an active tool that various IDS systems can detect
• Identifying remote proxy firewalls
• Letting organisations identify rogue systems in their network
- p0f is a tool that utilises an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
- There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
P0Fv2 SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Field by field (wwww:ttt:D:ss:OOO...:QQ:OS:Details):
• 8192 = window size: * any value, %nnn multiple of nnn, %xx MSS multiple, Txx MTU multiple, xxx constant value
• 32 = initial TTL
• 1 = DF bit
• 48 = packet size
• M*,N,N,S = TCP options, in order: N NOP, E EOL, Wnn window scaling, Mnn maximum segment size, S selective SACK ok, T/T0 timestamp (with 0 value), ?n unrecognized option
• . = quirks: data in SYN packets, options after EOL, IP ID field = 0, ACK different from 0, unusual flags, incorrect options decode
• Windows = operating system family
• 98 = version
P0f v3
Version 3 was a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting and introducing the ability to reason about application-level payloads (e.g. HTTP).
The brand new database of signatures started from scratch, focusing on:
• TCP SYN ("who is connecting to me?") signatures for a variety of systems, especially from some of the older, more exotic, or more specialized platforms, such as Windows 9x, NetBSD, IRIX, Playstation, Cisco IOS, etc. The connection does not need to succeed.
• TCP SYN+ACK signatures ("who am I connecting to?"). The current database is minimal.
• HTTP request signatures, especially for older or more exotic browsers (e.g. MSIE5, mobile devices, gaming consoles), crawlers, command-line tools, and libraries.
• HTTP response signatures. p0f ships with a minimal database here (only Apache 2.x has any real coverage).
P0Fv3 SIGNATURES
label = s:win:Windows:XP
*:128:0:*:16384,0:mss,nop,nop,sok:df,id+:0
Field by field (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass):
• * = IP version: IPv4, IPv6 or both
• 128 = initial TTL
• 0 = length of IPv4 options or IPv6 extension headers
• * = maximum segment size
• 16384,0 = window size (fixed value, multiple of MSS/MTU, or multiple of an integer) and window scaling factor
• mss,nop,nop,sok = TCP options (ordered): eol+n explicit end of options + padding; nop no-op option; mss maximum segment size; ws window scaling; sok selective ACK permitted; sack selective ACK; ts timestamp; ?n unknown option
• df,id+ = quirks:
df - "don't fragment" set (probably PMTUD)
id+ - DF set but IPID non-zero; ignored for IPv6
id- - DF not set but IPID is zero; ignored for IPv6
ecn - explicit congestion notification support
0+ - "must be zero" field not zero; ignored for IPv6
flow - non-zero IPv6 flow ID; ignored for IPv4
seq- - sequence number is zero
ack+ - ACK number is non-zero, but ACK flag not set
ack- - ACK number is zero, but ACK flag set
uptr+ - URG pointer is non-zero, but URG flag not set
urgf+ - URG flag used
pushf+ - PUSH flag used
ts1- - own timestamp specified as zero
ts2+ - non-zero peer timestamp on initial SYN
opt+ - trailing non-zero data in options segment
exws - excessive window scaling factor (> 14)
bad - malformed TCP options
• 0 = payload size classification: 0 for zero, + for non-zero, * any
Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows.
It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its original developers later founded Hacking Team …
It works by putting the network interface into promiscuous mode and by ARP poisoning the target machines. Thereby it can act as a 'man in the middle' and unleash various attacks on the victims.
Some of the features:
• …
• OS fingerprinting: determine the OS of the victim host and its network adapter
• …
ETTERCAP SIGNATURES
0000:_MSS:FF:WS:0:0:0:0:A:28:Windows XP
Field by field (WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS):
• 0000 = window size, 4 digit hex field
• _MSS = maximum segment size, 4 digit hex field; _MSS if omitted/unknown
• FF = TTL, 2 digit hex field
• WS = window scale, 2 digit hex field; WS if omitted/unknown
• 0:0:0:0 = SACK, NOP, DF, TS flags
• A = flag of the packet: S = SYN, A = SYN + ACK
• 28 = packet length, 2 digit hex field; LT if irrelevant/unknown
• Windows XP = operating system, ASCII string
0008:_MSS:40:WS:0:0:0:0:S:28:Red Hat Linux 7.2 Kernel 2.4.7-10
0008:64:0:28:.:.:Ettercap:Red Hat Linux 7.2 Kernel 2.4.7-10
Ettercap line, field by field: window size, MSS, TTL, WS, SACK, NOP, DF, TS, SYN flag, size, OS.
p0f v2 line, field by field: window size, TTL, DF, size, options, quirks, OS, details.
ETTERCAP -> P0Fv2
We can’t read Ettercap’s database as it is: either we parse it from scratch, like the nmap or p0f v2 processor, or we just convert the file into something we are already able to parse automagically.
We have migrated from the Ettercap database to the p0f v2 database…
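As an added example (not Ettercap's or p0f's own code, and not the converter used for the migration), this converter reads lines in the Ettercap layout above and emits p0f v2 signature lines. Its decoding rules are assumptions: hex fields become decimal (the slide's own sample keeps window and size in hex), Ettercap only records which options are present so the emitted option order is a guess and the quirks column is always '.', an unknown length (LT) becomes '*', and SYN+ACK entries are tagged separately because p0f v2 keeps them in a different signature file.

```python
"""Convert Ettercap OS fingerprints into p0f v2 signature lines.

Added example, not Ettercap's or p0f's code. Field layouts follow the two
legends on the page; the conversion rules (hex -> decimal, assumed option
order, quirks always '.', LT -> '*') are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EttercapSig:
    window: int
    mss: Optional[int]      # None when the field is _MSS
    ttl: int
    wscale: Optional[int]   # None when the field is WS
    sack: bool
    nop: bool
    df: bool
    ts: bool
    synack: bool            # F field: S = SYN, A = SYN+ACK
    length: Optional[int]   # None when the field is LT
    os: str


def _hex_or_none(field: str, unknown: str) -> Optional[int]:
    return None if field == unknown else int(field, 16)


def parse_ettercap(line: str) -> EttercapSig:
    """Layout WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS; the OS string may itself contain colons."""
    parts = line.strip().split(":", 10)
    if len(parts) != 11:
        raise ValueError(f"expected 11 fields, got {len(parts)}: {line!r}")
    wwww, mss, ttl, ws, s, n, d, t, f, length, os_name = parts
    if f not in ("S", "A"):
        raise ValueError(f"flag field must be S or A, got {f!r}")
    return EttercapSig(
        window=int(wwww, 16), mss=_hex_or_none(mss, "_MSS"), ttl=int(ttl, 16),
        wscale=_hex_or_none(ws, "WS"), sack=s == "1", nop=n == "1", df=d == "1",
        ts=t == "1", synack=f == "A", length=_hex_or_none(length, "LT"), os=os_name,
    )


def p0f_options(sig: EttercapSig) -> List[str]:
    """Assumed order M, N, W, S, T: Ettercap stores presence only, not the real order."""
    opts = []
    if sig.mss is not None:
        opts.append(f"M{sig.mss}")
    if sig.nop:
        opts.append("N")
    if sig.wscale is not None:
        opts.append(f"W{sig.wscale}")
    if sig.sack:
        opts.append("S")
    if sig.ts:
        opts.append("T")
    return opts


def to_p0f_v2(sig: EttercapSig, label: str = "Ettercap") -> Tuple[str, str]:
    """Return (kind, line): kind is 'syn' or 'synack', line is in the
    wwww:ttt:D:ss:OOO...:QQ:OS:Details layout. The OS column carries the label
    and the Ettercap OS string goes into Details, as in the migrated entry above."""
    opts = p0f_options(sig)
    line = ":".join([
        str(sig.window), str(sig.ttl), "1" if sig.df else "0",
        "*" if sig.length is None else str(sig.length),
        ",".join(opts) if opts else ".",
        ".",                      # quirks: nothing in Ettercap maps onto them
        label, sig.os,
    ])
    return ("synack" if sig.synack else "syn"), line


def convert_database(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split a whole Ettercap file into p0f v2 SYN and SYN+ACK signature lists; skips comments."""
    syn: List[str] = []
    synack: List[str] = []
    for raw in lines:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        kind, line = to_p0f_v2(parse_ettercap(raw))
        (synack if kind == "synack" else syn).append(line)
    return syn, synack
```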
COMMERCIAL ENGINES
These techniques can be used to evade commercial implementations as well. We hide our machine by faking the detector engine into recognising us as another OS, so that when another host is attacked the administrator is led to think it may be a false positive.
Fingerprint value example:
I had no time to figure out what each field means in all the commercial appliances I’ve seen so far, so I decided to cross-reference the available data with the default Nmap and p0f databases to get the desired TCP/IP header values.
ONLINE WEBSITES
OTHER TECHNIQUES
A device will generally issue a DHCP request on the network upon connection.
It is the DHCP client of the operating system that issues a DHCP request on the network. When doing so, it asks for DHCP options (like DNS server, WINS server, default gateway, etc.).
The order in which the DHCP client asks for those options is relatively unique and identifies the specific operating system version.
The same principle applies to DHCPv6.
There is a great paper by Eric Kollmann, called Chatter on the Wire: A Look at DHCP Traffic, that explains this technique.
Also, Satori performs passive OS identification on any packets it sees. It can parse and utilize the following packet types: DHCP, TCP (SYN and SYN/ACK), ICMP, SMB, CDP, plus many others.
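An added example (not Satori's code) of the option-order technique: it parses a constructed DHCPDISCOVER options block and looks the parameter request list order (option 55) up in a constructed table; the real order-to-OS mappings live in Satori's fingerprint files and Kollmann's paper and are not reproduced here.

```python
"""Recover the DHCP Parameter Request List order (option 55) from a DHCP message.

Added example, not Satori's code. The options block built below is
constructed, and DHCP_FINGERPRINTS is a constructed stand-in for a real
order-to-OS table; the lookup is exact, so the same codes in a different
order are a different client.
"""
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Walk the TLV option list after the magic cookie; PAD (0) and END (255) carry no length."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, parsed = len(MAGIC_COOKIE), {}
    while i < len(options):
        code = options[i]
        if code == 0:            # PAD
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(options):
            raise ValueError(f"truncated header for option {code}")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        parsed[code] = value     # a repeated code overwrites the earlier value
        i += 2 + length
    return parsed


def parameter_request_order(options: bytes) -> Tuple[int, ...]:
    """Option 55 as the client sent it: each byte is an option code, in the client's order."""
    return tuple(parse_dhcp_options(options).get(55, b""))


# Constructed order-to-label table; real tables are far larger but keyed the same way.
DHCP_FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "constructed: Windows-style client",
    (1, 28, 2, 3, 15, 6, 119, 12, 44, 47, 26, 121, 42): "constructed: dhclient-style client",
}


def identify_dhcp_client(options: bytes) -> Optional[str]:
    """Exact-order lookup; None when the order is not in the table."""
    return DHCP_FINGERPRINTS.get(parameter_request_order(options))


def build_discover_options(prl: Tuple[int, ...]) -> bytes:
    """Constructed options block: message type DISCOVER (53 = 1), option 55, END."""
    return MAGIC_COOKIE + bytes([53, 1, 1, 55, len(prl)]) + bytes(prl) + b"\xff"
```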
OTHER TECHNIQUES
Vendors like Apple or Sony have patterns of MAC addresses, allowing that information to be used for device identification.
Organizationally Unique Identifier: 4 digit hex field
Network Interface Controller Specific: 4 digit hex field
COUNTERMEASURES
IP PERSONALITY
The Linux IP Personality patch adds to the Linux 2.4 kernel the ability to have different network 'personalities', that is, to change some characteristics of its network traffic depending on different parameters (anything you can specify in an iptables rule: src/dst IP address, TCP or UDP port, etc.).
The characteristics that can be changed are:
• TCP Initial Sequence Number (ISN)
• TCP initial window size
• TCP options (their types, values and order in the packet)
• IP ID numbers
• answers to some pathological TCP packets
• answers to some UDP packets
They are deeply configurable.
This patch relies on the framework created by Rusty Russell: netfilter. More precisely, the patch adds a new iptables target (in a kernel module) that can be used in the mangle table with a (patched) iptables.
STEALTH PATCH
Another patch, for Linux kernels of version 2.2.19 through 2.2.22 and of version 2.4.19.
When this patch is applied, all packets with both the FIN and SYN flags set are discarded. Furthermore, all packets with one specific reserved bit set and all packets that match nmap's probe 2 (this means the ACK, FIN, RST and SYN flags are not set) are dropped.
Also packets with the FIN, PUSH and URG flags set are dropped, which would equal nmap's probe 7.
Though the Stealth Patch does not enable a host to feign being some other operating system, it can still confuse a fingerprinting application by dropping specific packets that are typical for an OS detector.
The downside of an unmodified Stealth Patch is that, since only a few kernel versions were supported, this behaviour could give away valuable info to a fingerprinter again.
IPlog
In contrast to the methods described up to now, iplog is not a kernel module but a standalone application. Although mainly written for detecting port scans, it includes the ability to try to fool nmap.
It detects TCP Null and FIN scans, UDP and ICMP ”smurf” attacks, bogus TCP flags, and TCP SYN and ”Xmas” scans.
BLACKHOLE
The blackhole is used to control system behaviour when connection requests are received on SCTP, TCP, or UDP ports where there is no socket listening.
The TCP blackhole behaves as follows: if the value is 0, whenever a packet arrives at a closed TCP port, a RST is returned. If the value is 1, a SYN packet arriving at a closed TCP port is dropped; and if the value is 2, any packet that tries to connect to a closed TCP port is dropped.
The UDP blackhole is similar. With these settings enabled, tests 5, 6, 7 and the port unreachable test won't work when running Nmap to remotely guess the OS.
FINGERPRINT FUCKER (2000 by |Cyrax|)
Kernel module available for version 2.2 that also tries to hide the original OS and act as a different one.
By default it emulates the behaviour of a VAX device, but it can be configured by parsing an nmap signature file and handing the values over to the module.
FINGERPRINT FUCKER (2001 by cthulhu)
There is another application called Fingerprint Fucker, but this time it is for the FreeBSD operating system.
It rewrites the TCP/IP stack and sends reply packets with different settings, like a different WS or TTL.
MORPH
• Handles inbound and outbound packets and changes TCP, UDP, ICMP and IP headers to reflect the selected OS
• Worked under Linux, and was under development for OpenBSD, FreeBSD and NetBSD
• Built on the Packet Purgatory library (relies on the libpcap and libdnet libraries), which acts as a wedge between the OS kernel and the network interface, running in user land.
Packet Purgatory provided fine-grained control of raw sockets while still being able to use helpful constructs like the TCP stack and preexisting software.
The main concept behind Packet Purgatory is the idea of packet handlers.
PROJECT HISTORY
* First work with NFqueue
* Alpha version in PERL
* Alpha version for Android in C (Building an Android IDS on Network Level
- DEFCON 21)
* Ported code to Python (Blackhat Arsenal USA)
* OSfooler
* Working with some nmap signatures
* Working with some p0f signatures
* Only worked with nmap or p0f, not both
* Started from the beginning
* Read and parse nmap database (almost done)
* Read and parse p0f v2 database (complete)
* Emulate nmap and p0f at the same time
* First OSfooler-ng release
* Started parsing ettercap database
ARCHITECTURE
Computer operating systems provide different levels of access to resources.
This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
On most operating systems, RING 0 is the level with the most privileges and interacts most directly with physical hardware such as the CPU and the memory.
KERNEL SPACE vs USER SPACE
KERNEL SPACE is strictly reserved for running the kernel, kernel extensions and most device drivers.
USER SPACE usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file systems, objects etc.
How I met your packets
- A target extension consists of a KERNEL MODULE,
and an optional extension to iptables to provide
new command line options.
- There are several extensions in the default
Netfilter distribution:
For this to be useful, two further components are
required:
• a QUEUE HANDLER which deals with the actual mechanics
of passing packets between the kernel and user space
• a USER SPACE APPLICATION to receive, possibly
manipulate, and issue verdicts on packets.
The default value for the maximum queue length is 1024.
Once this limit is reached, new packets will be dropped
until the length of the queue falls below the limit
again.
$ iptables -A INPUT -j NFQUEUE --queue-num 0
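As an added example (not OSfooler-ng's code), the function below does what the user-space handler must do to each queued packet before returning a verdict: patch the fields a fingerprinter reads, here the IP TTL and TCP window, and recompute the IP and TCP checksums so the packet stays valid. The packet is constructed inline; the TTL (0x80) and window (0x4470) are the TG and W1 values from the Windows XP signature earlier; plain IPv4 without options and a TCP header without options are assumed, and the NFQUEUE plumbing itself is left out.

```python
"""Rewrite the IP TTL and TCP window of a packet to match another OS personality.

Added example, not OSfooler-ng code. IPv4 without options and a TCP header
without options are assumed; the packet is constructed here, and the TTL and
window values in the test are the ones from the Windows XP signature.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(ip: bytes, tcp_len: int) -> bytes:
    """src, dst, zero, protocol, TCP length: the fields the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], tcp_len)


def build_synack(src: bytes, dst: bytes, sport: int, dport: int, ttl: int, window: int) -> bytes:
    """Constructed IPv4 + TCP SYN/ACK (no options), checksums filled in."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0, src, dst))
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 2001, 5 << 4, 0x12, window, 0, 0))
    struct.pack_into("!H", tcp, 16, checksum(tcp_pseudo_header(bytes(ip), len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)


def fields(pkt: bytes) -> dict:
    """The two fields this example rewrites, plus the IP header length."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"ttl": pkt[8], "window": struct.unpack_from("!H", pkt, ihl + 14)[0], "ihl": ihl}


def checksums_valid(pkt: bytes) -> tuple:
    """(ip_ok, tcp_ok): with a correct checksum the whole header sums to 0xFFFF."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0xFFFF
    tcp_ok = ones_complement_sum(tcp_pseudo_header(pkt, len(tcp)) + tcp) == 0xFFFF
    return ip_ok, tcp_ok


def rewrite_personality(pkt: bytes, ttl: int, window: int) -> bytes:
    """Set TTL and TCP window to the chosen OS's values and fix both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[8] = ttl
    struct.pack_into("!H", ip, 10, 0)                      # zero before recomputing
    struct.pack_into("!H", ip, 10, checksum(bytes(ip)))
    struct.pack_into("!H", tcp, 14, window)
    struct.pack_into("!H", tcp, 16, 0)
    struct.pack_into("!H", tcp, 16, checksum(tcp_pseudo_header(bytes(ip), len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)
```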
OSfooler was a practical approach presented at Black Hat Arsenal USA 2013. It could be used to detect and defeat active and passive remote OS fingerprinting from tools like nmap, p0f or commercial appliances (only some signatures worked…).
Written in Perl, but after some performance tests, ported to Python.
OSfooler-ng
OSfooler-ng makes it possible to fool nmap into believing that the host runs an operating system freely specified by the administrator.
Most test packets sent by nmap are abnormal, and the others are sent to closed ports, therefore they have no influence on the local TCP/IP stack.
DEMO TIME
Active OS Fingerprint:
- nmap
Passive OS Fingerprint:
- p0f
- ettercap
LONG STORY SHORT
You can get OSfooler-ng at the official GitHub repository:

https://github.com/segofensiva/OSfooler-ng
SYN ACK FIN

More Related Content

What's hot

ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheetqqlan
 
Cyber forensics lab 4
Cyber forensics lab 4Cyber forensics lab 4
Cyber forensics lab 4MUSAAB HASAN
 
Email Headers – Expert Forensic Analysis
Email Headers – Expert Forensic AnalysisEmail Headers – Expert Forensic Analysis
Email Headers – Expert Forensic AnalysisforensicEmailAnalysis
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)shwetha mk
 
Module 3 Scanning
Module 3   ScanningModule 3   Scanning
Module 3 Scanningleminhvuong
 
What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)Molfar
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Rishabh Upadhyay
 
Email investigation
Email investigationEmail investigation
Email investigationAnimesh Shaw
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)Aj Maurya
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallHuda Seyam
 

What's hot (20)

Snort
SnortSnort
Snort
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 
Cyber forensics lab 4
Cyber forensics lab 4Cyber forensics lab 4
Cyber forensics lab 4
 
OS Fingerprinting
OS FingerprintingOS Fingerprinting
OS Fingerprinting
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
Email Headers – Expert Forensic Analysis
Email Headers – Expert Forensic AnalysisEmail Headers – Expert Forensic Analysis
Email Headers – Expert Forensic Analysis
 
Nmap(network mapping)
Nmap(network mapping)Nmap(network mapping)
Nmap(network mapping)
 
MD5
MD5MD5
MD5
 
Malware vm setup
Malware vm setupMalware vm setup
Malware vm setup
 
Module 3 Scanning
Module 3   ScanningModule 3   Scanning
Module 3 Scanning
 
Port scanning
Port scanningPort scanning
Port scanning
 
What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)What is Open Source Intelligence (OSINT)
What is Open Source Intelligence (OSINT)
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
 
Email investigation
Email investigationEmail investigation
Email investigation
 
Port Scanning
Port ScanningPort Scanning
Port Scanning
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Network scanning
Network scanningNetwork scanning
Network scanning
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense FirewallDetect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
Detect HTTP Brute Force attack using Snort IDS/IPS on PFSense Firewall
 

Similar to Derevolutionizing OS Fingerprinting: The cat and mouse game

Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hackingAmanpreet Singh
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2ratnalajaggu
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetDavid Sweigert
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsJoseph Bugeja
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N NessusUtkarsh Verma
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linuxmariuszantal
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
Networking question
Networking questionNetworking question
Networking questionDEVBEJ
 
Nmap & Network sniffing
Nmap & Network sniffingNmap & Network sniffing
Nmap & Network sniffingMukul Sahu
 
Scanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptxScanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptxMahdiHasanSowrav
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gleDug Song
 

Similar to Derevolutionizing OS Fingerprinting: The cat and mouse game (20)

Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Device finger printing
Device finger printingDevice finger printing
Device finger printing
 
NMAP1.ppt
NMAP1.pptNMAP1.ppt
NMAP1.ppt
 
Certified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheetCertified Ethical Hacker quick test prep cheat sheet
Certified Ethical Hacker quick test prep cheat sheet
 
NMap
NMapNMap
NMap
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
 
Sectools
SectoolsSectools
Sectools
 
aaa
aaaaaa
aaa
 
Network Security Nmap N Nessus
Network Security Nmap N NessusNetwork Security Nmap N Nessus
Network Security Nmap N Nessus
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
Networking question
Networking questionNetworking question
Networking question
 
Symbian OS
Symbian  OS Symbian  OS
Symbian OS
 
Honeynet Project View
Honeynet Project ViewHoneynet Project View
Honeynet Project View
 
Nmap & Network sniffing
Nmap & Network sniffingNmap & Network sniffing
Nmap & Network sniffing
 
Scanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptxScanning and Enumeration in Cyber Security.pptx
Scanning and Enumeration in Cyber Security.pptx
 
Network Situational Awareness with d00gle
Network Situational Awareness with d00gleNetwork Situational Awareness with d00gle
Network Situational Awareness with d00gle
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 

More from Jaime Sánchez

La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...Jaime Sánchez
 
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)Jaime Sánchez
 
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...Jaime Sánchez
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Jaime Sánchez
 
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Jaime Sánchez
 
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Jaime Sánchez
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppJaime Sánchez
 
AndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedAndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedJaime Sánchez
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyJaime Sánchez
 
Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Jaime Sánchez
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Seguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPSeguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPJaime Sánchez
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User HeavenJaime Sánchez
 

More from Jaime Sánchez (13)

La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...La problemática de la identificación de los participantes en las plataformas ...
La problemática de la identificación de los participantes en las plataformas ...
 
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
I Know Your P4$$w0rd (And If I Don't, I Will Guess It...)
 
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
(In)Seguridad y Ataques de Mensajería Instantánea en Entornos Corporativos - ...
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014
 
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
Defeating WhatsApp’s Lack of Encryption - BH Sao Paulo 2013
 
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsApp
 
AndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedAndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security Reloaded
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of Privacy
 
Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0Stealth servers need Stealth Packets - Derbycon 3.0
Stealth servers need Stealth Packets - Derbycon 3.0
 
From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13
 
Seguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IPSeguridad con la Pila TCP/IP
Seguridad con la Pila TCP/IP
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User Heaven
 

Derevolutionizing OS Fingerprinting: The cat and mouse game

  • 1. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game Jaime Sánchez
 @segofensiva
  • 2. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 $ WHO I AM * Jaime Sánchez @segofensiva https://seguridadofensiva.com * Passionate about computer security and occasional Rockstar ;) * In my free time I conduct research on security and work as an independent consultant * From Spain :) * Speaker in many other conferences: * RootedCON in Spain * Nuit du Hack in Paris * BlackHat in Sao Paulo * Defcon in Las Vegas * etc.
  • 3. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 WHAT IS OS FINGERPRINTING? OS fingerprinting describes the method of utilising gathered information of a target host to find out what OS the machine is running on. Wikipedia describes it as: “ TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint ” There are multiple approaches for finding out the OS of an unknown host without having an account, or any way of logging on the machine: • Banner Information & Manual Reconnaissance • Active Fingerprinting: transmitting packets to a remote host and analysing corresponding replies. • Passive Fingerprinting: analysing packets from a host on a network. We act as a sniffer, and don’t put any traffic on a network. • Timing Analysis Fingerprinting
  • 4. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 BANNER GRABBING / MANUAL RECONNAISSANCE
  • 5. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 Other services that send back ‘free’ useful information include IMAP,POP2, POP3, SMTP, SSH, NNTP and FINGER. This technique is reasonably reliable even now and automated tools exist to make the process simple and painless. Even, with access to remote host, you could play with the following commands until you get what you want: • uname -a, or uname -o or uname -v • lsb_release -a • cat /proc/version • cat /etc/*-release • cat /etc/issue* A more primitive approach is to port scan the machine using any of the common port scanners freely available and examine the returned list of listening ports for patterns common to a particular OS.
 Finally, it may be possible to determine the OS of a system by a non-technical solution, such as social engineering. Learning about the target through phone calls, chatting to the System Administrator, or even a public site tour are all possibilities BANNER GRABBING / MANUAL RECONNAISSANCE
  • 6. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 Banners can also be revealed in an indirect way too, for example email headers often contain the version string of the client that is used by a user, and sometimes the OS version also.
 Another example could be the SYST commando in FTP; a SYST request asks for information about the server's operating system. The server accepts this request with code 215. For example: Examples from other servers:
 215 UNIX Type: L8 Version: BSD-44
 215 NetWare system type.
 215 MACOS Peter's Server
 215 AmigaOS BANNER GRABBING / MANUAL RECONNAISSANCE
  • 7. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 Another way to get more information is analysing offered files, like trying to download: • compress • ls • tar • gzip • gunzip • compress • zcat • etc. Then, use the file command to determine the file type: BANNER GRABBING / MANUAL RECONNAISSANCE
  • 8. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0
  • 9. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 ACTIVE OS FINGERPRINTING
  • 10. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 QUESO •Hispanic shortcut to “Que Sistema Operativo”, with translates into “Which Operating System” •Sends 7 (0-6) different types of packets to open ports on targets hosts, each one with different TCP headers, and compares the responses with the config file, where the different ones are described, in a response-based way to each packet: •SYN (valid packet) •SYN+ACK •FIN •FIN+ACK •SYN+FIN •PSH •SYN+XXX+YYY (XXX and YYY are unused flags) •On response to to packet 0 (SYN), any LISTEN port must answer a SYN+ACK with a nonzero ack_num, seq_num and window, or, in case of not being LISTEN, it'll send back a RST+ACK with the valid ack_num. •All packets with random seq_num and 0x0 ack_num. •Signatures outdated and project archived.
  • 11. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 Xprobe2 • The first version combined various remote active operating system fingerprinting methods using the ICMP protocol, which were discovered during the ICMP Usage in Scanning research project, into a simple, fast, efficient and a powerful way to detect the underlying operating system a targeted host is using. • Xprobe2 rely on fuzzy signature matching, p r o b a b i l i s t i c g u e s s e s , m u l t i p l e simultaneously matches, and a signature database. • Sends 4 different types of ICMP packets to target host • UDP packet is sent for ICMP unreachable • Final packet is vanilla SYN Uses a basic fuzzy logic scoring system to provide more than one guess at the remote OS, along with a probabilistic score. This approach could even be extended to attempt to discover the source of any packet manipulation. • Designed to be extensible with an API to facilitate new test modules. • Information request packet is basically obsolete
  • 12. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 NMAP: REMOTE OS DETECTION DEVICE TYPE All fingerprints are classified with one or more high-level device types, such as router, printer, firewall, or (as in this case) general purpose. Several device types may be shown, in which case they will be separated with the pipe symbol as in “Device Type: router|firewall”.
  • 13. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 RUNNING OS Family (Linux in this case) and OS generation (2.6.X) if available. If there are multiple OS families, they are separated by commas. When Nmap can't narrow down OS generations to one specific choice, options are separated by the pipe symbol ('|') Examples include OpenBSD 3.X, NetBSD 3.X|4.X and Linux 2.4.X|2.5.X|2.6.X. If Nmap finds too many OS families to print concisely, it will omit this line. When there are no perfect matches, Nmap changes the field to Running (JUST GUESSING) and adds an accuracy percentage (100% is a perfect match) in parentheses after each candidate family name. If no fingerprints are close matches, the line is omitted. NMAP: REMOTE OS DETECTION
  • 14. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 OS CPE This shows a Common Platform Enumeration (CPE) representation of the operating system when available. It may also have a CPE representation of the hardware type. A CPE name is a URL that encodes seven ordered fields: cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language> The main division of CPE names is in the <part> field; this can take on only three values: a for applications, h for hardware platforms, or o for operating systems. NMAP: REMOTE OS DETECTION
  • 15. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 OS DETAILS Detailed description for each fingerprint that matches. While the Device type and Running lines are from predefined enumerated lists that are easy to parse by a computer, the OS details line contains free-form data which is useful to a human reading the report. This can include more exact version numbers, device models, and architectures specific to a given fingerprint. When there are multiple exact matches, they are comma-separated. If there aren't any perfect matches, but some close guesses, the field is renamed Aggressive OS guesses and fingerprints are shown followed by a percentage in parentheses which specifies how close each match was. NMAP: REMOTE OS DETECTION
  • 16. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 UPTIME GUESS As part of OS detection, Nmap receives several SYN/ACK TCP packets in a row and checks the headers for a timestamp option. Many operating systems use a simple counter for this which starts at zero at boot time then increments at a constant rate such as twice per second NETWORK DISTANCE As part of OS detection, Nmap receives several SYN/ACK TCP packets in a row and checks the headers for a timestamp option. Many operating systems use a simple counter for this which starts at zero at boot time then increments at a constant rate such as twice per second NMAP: REMOTE OS DETECTION
  • 17. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 TCP SEQUENCE PREDICTION Systems with poor TCP initial sequence number generation are vulnerable to blind TCP spoofing attacks. In other words, you can make a full connection to those systems and send (but not receive) data while spoofing a different IP address. The target's logs will show the spoofed IP, and you can take advantage of any trust relationship between them. This attack was all the rage in the mid-nineties when people commonly used rlogin to allow logins to their account without any password from trusted IP addresses. Kevin Mitnick is alleged to have used this attack to break into Tsutomu Shimomura's computers in December 1994. NMAP: REMOTE OS DETECTION
  • 18. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 IP ID Sequence Generation Many systems unwittingly give away sensitive information about their traffic levels based on how they generate the lowly 16-bit ID field in IP packets. This can be abused to spoof a port scan against other systems and for other mischievous purposes. If Nmap does not receive sufficient responses during OS detection, it will omit the whole line NMAP: REMOTE OS DETECTION
  • 19. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 NMAP: VERSION SCAN (-sV) DEALING WITH NAT GATEWAY BOXES If there’s a gateway box that redirects ports to several different machines, TCP/IP fingerprinting will identify the proxy while version scanning will generally detect the server running the proxied application. This technique offers: • Determines application name and version number (if available) • SSL support for services like HTTPS, POP3S etc. as well as providing version details • IPv6 is supported, including TCP, UDP, and SSL over TCP • Best case, using both techniques to get result more credible • Application exclusivity. If we identify a service as Microsoft Exchange, we know the operating system is Windows since Exchange doesn't run on anything else. This type of OS detection is intended to complement Nmap's OS detection system (-O) and can sometimes report differing results. For example, consider a Microsoft Exchange server hidden behind a port-forwarding Unix firewall.
  • 20. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 REMOTE OS FINGERPRINTING nmap OS fingerprinting works by sending up to 15 TCP, UDP, and ICMP probes to known open and closed ports of the target machine. These probes are specially designed to exploit various ambiguities in the standard protocol RFC. Then nmap listens for the responses, as there could be dozens of attributes in those responses that could lead to a fingerprint. Every probe is tracked and resent at least once if there is no response.
  • 21. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 NMAP: SIGNATURE DATABASE Fingerprint Microsoft Windows XP SP0/SP1 Class Microsoft | Windows | XP | general purpose CPE cpe:/o:microsoft:windows_xp::- CPE cpe:/o:microsoft:windows_xp::sp1 SEQ(SP=7C-9F%GCD=1-6%ISR=96-A0%TI=I%II=I%SS=S%TS=0) OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW 0NNT00NNS%O6=M5B4NNT00NNS) WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E) ECN(R=Y%DF=Y%T=7B-85%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=) T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=) T2(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) T3(R=Y%DF=Y%T=7B-85%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=) T4(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T5(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T7(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=7B-85%TG=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=S%T=7B-85%TG=80%CD=Z)
  • 22. SEQ(SP=7C-9F%GCD=1-6%ISR=96-A0%TI=I%II=I%SS=S%TS=0) OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00N NS%O6=M5B4NNT00NNS) WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E) T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=) Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 NMAP: SIGNATURE DATABASE Six TCP probes, 110m apart (for initial SEQ numbers, IP IDs and TCP timestamps): • Packet 1: WS10, NOP, MSS1460, TS, SACK. W1 • Packet 2: MSS1400, WS0, SACK, TS, EOL. W63 • Packet 3: TS, NOP, NOP. WS5, NOP, MSS640, W4 • Packet 4: SACK, TSm TS10, EOL. W4 • Packet 5: MSS536, SACK, T, WS10, EOL. W16 • Packet 6: MSS265, SACK, TS. W512 Sequence Number Analysis Options received for each probe Window size received for each probe Responsiveness DF bit N Neither S both echo value Y both bit set O other combination TTL / Guess SEQ number Z 0 A same as ACK A+ ACK+1 O other ACK number Z 0 S same as SEQ S+ SEQ+1 O other RST data checksum TCP FLAGS E ECN U URG A ACK P PSH R RST S SYN F FIN QUIRKS
  • 23. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 NMAP: SIGNATURE DATABASE ECN(R=Y%DF=Y%T=7B-85%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=) Test explicit congestion notification (ECN) support in the target TCP Stack. Sends to an open port SYN packet (ECN CWR/ECE flags set), ACK=0, SEQ is random, WS=3 with OPTIONS= WS10, NOP, MSS1460, SACK, NOP, NOP Explicit Congestion Notification Y ECE not CWR N Neither of two bits S Both bits 0 Other ICMP test with two ICMP echo requests to target: • Packet 1: IP DF bit, TOS=0, Code 9, SEQ=295, random IP ID and ICMP request id, and payload random character repeated 120 times. • Packet 2: similar, except TOS=4, Code 0, 150 bytes payload, and IP ID, request ID and SEQ number incremented from previous values IE(DFI=S%T=7B-85%TG=80%CD=Z) DF bit N Neither S both echo value Y both bit set O other combination TTL / Guess ICMP Response Code Z both zero S both the same <NN> same non-zero 0 Any other combination OTHER POSSIBLE FIELDS TOSI: type of service for response SI: ICMP Sequence number
 DLI: response data length
  • 24. TCP FLAGS E ECN U URG A ACK P PSH R RST S SYN F FIN Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 NMAP: SIGNATURE DATABASE T2(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) T3(R=Y%DF=Y%T=7B-85%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=) T4(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T5(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T7(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) Six T2-T7 TCP probe packets, with Options WS10, NOP, MSS265, TS, SACK (T7 uses WS15): • Packet T2: TCP null (no flags), IP DF, W128 to open port • Packet T3: SYN, FIN, URG, PSH, W256 to open port • Packet T4: ACK with DF, W1024 to open port • Packet T5: SYN with DF, W31337 to closed port • Packet T6: ACK with DF and W32768 to open port • Packet T7: FIN, PSH, URG, W65535 to closed port Responsiveness DF bit N Neither S both echo value Y both bit set O other combination TTL / Guess SEQ number Z 0 A same as ACK A+ ACK+1 O other ACK number Z 0 S same as SEQ S+ SEQ+1 O other RST data checksum QUIRKS TCP options Window Size TCP OPTIONS L EOL N NOP M MSS W WS T TS S SACK
  • 25. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 NMAP: SIGNATURE DATABASE U1(DF=N%T=7B-85%TG=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) UDP packet to a closed port, character C (0x43) repeated 300 times for the data field, IP ID 0x1042. If port is closed (and no firewall), Nmap expects ICMP port unreachable. DF bit N Neither S both echo value Y both bit set O other combination TTL / Guess IP Total length U n u s e d p o r t unreachable field nonzero IP total length IP ID I n t e g r i t y o f r e t u r n e d I P checksum Integrity of returned UDP data G same payload I invalid Returned probe UDP checksum
  • 26. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0
  • 27. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 PASSIVE OS FINGERPRINTING
  • 28. Derevolutionizing OS Fingerprinting: The Cat and Mouse Game DEFCON CHINA 1.0 PASSIVE OS FINGERPRINTING Passive fingerprinting is like a packet sniffer. Examines network traffic, making a copy of the data but without redirecting or altering it. Can be used for several purposes: •As stealthy fingerprinting, bypassing the need for using an active tool that can detect various IDS systems •To identify remote proxy firewalls •Organisations can use to identify rogue systems in there organisation -p0f is a tool that utilises an array of sophisticated, purely passive, traffic fingerprinting machanisms to identify the players behind any initial TCP/IP communication (often as little as single normal SYN) without interfering in any way.
 -There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
 • 29. P0Fv2 SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Fields, in order: Window Size : Initial TTL : DF Bit : Packet Size : TCP Options/Order : Quirks : Operating System Family : Version
Window Size: * any value; %nn multiple of nn; Sxx multiple of MSS; Txx multiple of MTU; xxx constant value
TCP Options/Order: N NOP; E EOL; Wnn window scaling; Mnn maximum segment size; S selective ACK ok; T/T0 timestamp (T0 with zero value); ?n unrecognized option
Quirks: data in SYN packets; options after EOL; IP ID field = 0; ACK different to 0; unusual flags; incorrect options decode
 • 30. P0f v3 Version 3 was a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting and introducing the ability to reason about application-level payloads (e.g. HTTP).
The brand new database of signatures started from scratch, focusing on:
• TCP SYN ("who is connecting to me?") signatures for a variety of systems, especially some of the older, more exotic or more specialized platforms, such as Windows 9x, NetBSD, IRIX, Playstation, Cisco IOS, etc. The connection does not need to succeed.
• TCP SYN+ACK signatures ("who am I connecting to?"). The current database is minimal.
• HTTP request signatures, especially for older or more exotic browsers (e.g. MSIE5, mobile devices, gaming consoles), crawlers, command-line tools and libraries.
• HTTP response signatures. P0f ships with a minimal database here (only Apache 2.x has any real coverage).
 • 31. P0Fv3 SIGNATURES
label = s:win:Windows:XP
*:128:0:*:16384,0:mss,nop,nop,sok:df,id+:0
Fields, in order: IPv4/IPv6/Both : Initial TTL : Length of IPv4 options or IPv6 extension headers : Maximum Segment Size : Window Size (fixed value, multiple of MSS/MTU, or multiple of an integer), Window Scaling Factor : TCP options (ordered) : Quirks : Payload Size Classification
TCP options: eol+n explicit end of options + padding; nop no-op option; mss maximum segment size; ws window scaling; sok selective ACK permitted; sack selective ACK; ts timestamp; ?n unknown option
Quirks:
df - "don't fragment" set (probably PMTUD)
id+ - DF set but IPID non-zero; ignored for IPv6
id- - DF not set but IPID is zero; ignored for IPv6
ecn - explicit congestion notification support
0+ - "must be zero" field not zero; ignored for IPv6
flow - non-zero IPv6 flow ID; ignored for IPv4
seq- - sequence number is zero
ack+ - ACK number is non-zero, but ACK flag not set
ack- - ACK number is zero, but ACK flag set
uptr+ - URG pointer is non-zero, but URG flag not set
urgf+ - URG flag used
pushf+ - PUSH flag used
ts1- - own timestamp specified as zero
ts2+ - non-zero peer timestamp on initial SYN
opt+ - trailing non-zero data in options segment
exws - excessive window scaling factor (> 14)
bad - malformed TCP options
Payload Size Classification: 0 for zero; + for non-zero; * any
 • 32. Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. Its original developers later founded Hacking Team … It works by putting the network interface into promiscuous mode and by ARP poisoning the target machines. Thereby it can act as a 'man in the middle' and unleash various attacks on the victims. Some of the features: • … • OS fingerprinting: determine the OS of the victim host and its network adapter • …
 • 33. ETTERCAP SIGNATURES
0000:_MSS:FF:WS:0:0:0:0:A:28:Windows XP
Fields, in order:
Window Size: 4-digit hex field
Maximum Segment Size: 4-digit hex field; _MSS if omitted/unknown
TTL: 2-digit hex field
Window Scale: 2-digit hex field; WS if omitted/unknown
SACK, NOP, DF, TS: one flag each
Flag of the packet: S = SYN, A = SYN + ACK
Packet Length: 2-digit hex field; LT if irrelevant/unknown
Operating System: ASCII string
 • 34. ETTERCAP -> p0f v2
0008:_MSS:40:WS:0:0:0:0:S:28:Red Hat Linux 7.2 Kernel 2.4.7-10
Ettercap fields: Window Size : MSS : TTL : WS : SACK : NOP : DF : TS : SYN : SIZE
0008:64:0:28:.:.:Ettercap:Red Hat Linux 7.2 Kernel 2.4.7-10
p0f v2 fields: Window Size : TTL : DF : SIZE : OPTIONS : QUIRKS
We can't read Ettercap's database directly: either we parse it from scratch, like the nmap or p0f v2 processor, or we convert the file into something we can already parse automatically. We have migrated from the Ettercap to the p0f v2 database format…
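The conversion just described, as an added example (not code from the slides or from OSfooler-ng): Ettercap lines in the layout of slide 33 are parsed into fields and re-emitted as p0f v2 signature lines. It assumes the hex window, TTL and length are converted to the decimal values p0f v2 uses (the slide's own sample keeps the hex window string), and, because Ettercap records only which options were present, emits them in a fixed assumed order.

```python
"""Added example: convert Ettercap etter.finger.os lines to p0f v2 signatures."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the Ettercap layout shown on the slides:
# WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS (all numeric fields are hex).
ETTERCAP_SAMPLE = """\
# comment lines and blanks are skipped
0000:_MSS:FF:WS:0:0:0:0:A:28:Windows XP
0008:_MSS:40:WS:0:0:0:0:S:28:Red Hat Linux 7.2 Kernel 2.4.7-10
FAF0:05B4:80:02:1:1:1:0:S:30:Windows 2000 SP4
"""

@dataclass
class EttercapSig:
    window: int
    mss: Optional[int]      # None when the field is the _MSS placeholder
    ttl: int
    wscale: Optional[int]   # None when the field is the WS placeholder
    sack: bool
    nop: bool
    df: bool
    ts: bool
    synack: bool            # F field: A = SYN+ACK, S = SYN
    length: Optional[int]   # None when the field is the LT placeholder
    os: str

def parse_ettercap(line: str) -> EttercapSig:
    parts = line.rstrip("\n").split(":", 10)   # the OS string may contain ':'
    if len(parts) != 11:
        raise ValueError(f"expected 11 fields, got {len(parts)}: {line!r}")
    win, mss, ttl, ws, s, n, d, t, f, ln, os_name = parts
    return EttercapSig(int(win, 16), None if mss == "_MSS" else int(mss, 16),
                       int(ttl, 16), None if ws == "WS" else int(ws, 16),
                       s == "1", n == "1", d == "1", t == "1", f == "A",
                       None if ln == "LT" else int(ln, 16), os_name)

def to_p0fv2(sig: EttercapSig) -> str:
    """p0f v2 line: window:ttl:df:size:options:quirks:OS:details (decimal values)."""
    opts = []
    if sig.mss is not None: opts.append(f"M{sig.mss}")
    if sig.nop: opts.append("N")
    if sig.wscale is not None: opts.append(f"W{sig.wscale}")
    if sig.sack: opts.append("S")
    if sig.ts: opts.append("T")
    # Assumed fixed order: Ettercap records only which options were present.
    options = ",".join(opts) or "."
    size = "*" if sig.length is None else str(sig.length)
    return f"{sig.window}:{sig.ttl}:{int(sig.df)}:{size}:{options}:.:Ettercap:{sig.os}"

def convert_db(text: str) -> dict:
    """Route converted lines to the SYN and SYN+ACK p0f v2 databases."""
    out = {"syn": [], "synack": []}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        sig = parse_ettercap(raw)
        out["synack" if sig.synack else "syn"].append(to_p0fv2(sig))
    return out
```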
 • 35. COMMERCIAL ENGINES These techniques can also be used to evade commercial implementations. We hide our machine by faking out the detection engine so that it recognises us as another OS; when another host is attacked, the administrator is led to think it may be a false positive. Fingerprint value example: I had no time to figure out what each field means in all the commercial appliances I've seen so far, so I decided to cross the available data with the default Nmap and p0f databases to get the desired TCP/IP header values.
 • 36. ONLINE WEBSITES
 • 38. OTHER TECHNIQUES A device will generally issue a DHCP request on the network upon connection. It is the DHCP client of the operating system that issues the DHCP request. When doing so, it asks for DHCP options (like DNS server, WINS server, default gateway, etc.). The order in which the DHCP client asks for those options is relatively unique and identifies the specific operating system version. The same principle applies to DHCPv6. There is a great paper by Eric Kollmann, called "Chatter on the Wire: a look at DHCP traffic", that explains this technique. Also, Satori performs passive OS identification on any packets it sees. It can parse and utilize the following packet types: DHCP, TCP (SYN and SYN/ACK), ICMP, SMB, CDP, plus many others.
 • 39. OTHER TECHNIQUES Vendors like Apple or Sony have patterns of MAC addresses, allowing that information to be used for device identification.
Organizationally Unique Identifier: 4-digit hex field
Network Interface Controller Specific: 4-digit hex field
 • 40. COUNTERMEASURES
 • 41. IP PERSONALITY The Linux IP Personality patch adds to the Linux 2.4 kernel the ability to have different network 'personalities', that is, to change some characteristics of its network traffic depending on different parameters (anything you can specify in an iptables rule: src/dst IP address, TCP or UDP port, etc.). The characteristics that can be changed are:
• TCP Initial Sequence Number (ISN)
• TCP initial window size
• TCP options (their types, values and order in the packet)
• IP ID numbers
• answers to some pathological TCP packets
• answers to some UDP packets
They are deeply configurable. This patch relies on the framework created by Rusty Russell: netfilter. More precisely, the patch adds a new iptables target (in a kernel module) that can be used in the mangle table with a (patched) iptables.
 • 42. STEALTH PATCH Another patch, for Linux kernels of version 2.2.19 through 2.2.22 and of version 2.4.19. When this patch is applied, all packets with both the FIN and SYN flags set are discarded. Furthermore, all packets with one specific reserved bit set and all packets that match nmap's probe 2 (this means the ACK, FIN, RST and SYN flags are not set) are dropped. Packets with the FIN, PUSH and URG flags set are also dropped, which corresponds to nmap's probe 7. Though the Stealth Patch does not enable a host to feign being some other operating system, it can still confuse a fingerprinting application by dropping the specific packets that are typical of an OS detector. The downside of an unmodified Stealth Patch is that, since only a few kernel versions were supported, this behaviour could itself give valuable information away to a fingerprinter.
 • 43. IPlog In contrast to the methods described up to now, iplog is not a kernel module but a standalone application. Although mainly written for detecting port scans, it includes the ability to try to fool nmap. It detects TCP Null and FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags, TCP SYN and "Xmas" scans. BLACKHOLE The blackhole is used to control system behaviour when connection requests are received on SCTP, TCP or UDP ports where there is no socket listening. The TCP blackhole behaves as follows: if the value is 0, whenever a packet reaches a closed TCP port, a RST is returned. If the value is 1, a SYN packet reaching a closed TCP port is dropped; and if the value is 2, any packet that tries to connect to a closed TCP port is dropped. The UDP blackhole is similar. With these settings enabled, tests 5, 6, 7 and the unreachable port test won't work when running Nmap to remotely guess the OS.
 • 44. FINGERPRINT FUCKER (2000 by |Cyrax|) Kernel module available for version 2.2 that also tries to hide the original OS and act as a different one. By default it emulates the behaviour of a VAX device, but it can be configured by parsing an nmap signature file and handing the values over to the module. FINGERPRINT FUCKER (2001 by cthulhu) There is another application called Fingerprint Fucker, but this time it is for the FreeBSD operating system. It rewrites the TCP/IP stack and sends reply packets with different settings, like a different WS or TTL.
 • 45. MORPH
• Handles inbound and outbound packets and changes TCP, UDP, ICMP and IP headers to reflect the selected OS
• Worked under Linux, and was under development for OpenBSD, FreeBSD and NetBSD
• Built on the Packet Purgatory library (relies on libpcap and libdnet), which acts as a wedge between the OS kernel and the network interface, running in user land. Packet Purgatory provided fine-grained control of raw sockets while still being able to use helpful constructs like the TCP stack and preexisting software. The main concept of Packet Purgatory is the idea of packet handlers.
 • 46. PROJECT HISTORY
* First work with NFqueue
* Alpha version in PERL
* Alpha version for Android in C (Building an Android IDS on Network Level - DEFCON 21)
* Ported code to Python (Blackhat Arsenal USA)
* OSfooler
* Working with some nmap signatures
* Working with some p0f signatures
* Only worked with nmap or p0f, not both
* Started from the beginning
* Read and parse nmap database (almost done)
* Read and parse p0f v2 database (complete)
* Emulate nmap and p0f at the same time
* First OSfooler-ng release
* Started parsing ettercap database
 • 47. ARCHITECTURE Computer operating systems provide different levels of access to resources.
This is generally hardware-enforced by CPU architectures that provide different CPU modes at the hardware or microcode level.
Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, RING 0 is the level with the most privileges and interacts most directly with physical hardware such as the CPU and the memory.
 • 48. KERNEL SPACE vs USER SPACE KERNEL SPACE is strictly reserved for running the kernel, kernel extensions and most device drivers. USER SPACE usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file systems, objects, etc.
 • 50. How I met your packets
 • 51. - A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options.
- There are several extensions in the default Netfilter distribution:
 • 52. For this to be useful, two further components are required:
• a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and user space
• a USER SPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
$ iptables -A INPUT -j NFQUEUE --queue-num 0
 • 54. OSfooler was a practical approach presented at Black Hat Arsenal USA 2013. It could be used to detect and defeat active and passive remote OS fingerprinting from tools like nmap, p0f or commercial appliances (only some signatures worked…). Written in Perl, but after some performance tests it was ported to Python.
 • 55. OSfooler-ng OSfooler-ng makes it possible to fool nmap into believing that the host runs an operating system freely specified by the administrator. Most test packets sent by nmap are abnormal, and the others are sent to closed ports, therefore they have no influence on the local TCP/IP stack.
 • 56. DEMO TIME
Active OS Fingerprint:
- nmap
Passive OS Fingerprint:
- p0f
- ettercap
 • 57. LONG STORY SHORT You can get OSfooler-ng at the official GitHub repository:
https://github.com/segofensiva/OSfooler-ng SYN ACK FIN