SlideShare a Scribd company logo
1 of 31
Download to read offline
1
STEALTH SERVERS NEED STEALTH PACKETS
STEALTH SERVERS
NEED
STEALTH PACKETS
JAIME SANCHEZ (@SEGOFENSIVA)
WWW.SEGURIDADOFENSIVA.COM
2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
$	
  WHO	
  I	
  AM	
  
§	
  Passionate	
  about	
  computer	
  security.
§	
  Computer	
  Engineering	
  degree	
   and	
  an	
  Execu7ve	
  
MBA.	
  
§	
   In	
   my	
   free	
   8me	
   I	
   conduct	
   research	
   on	
   security	
  
and	
  work	
  as	
  an	
  independent	
  consultant.
§	
  I’m	
  from	
  Spain;	
  We’re	
  sexy	
  and	
  you	
  know	
  it.
§	
  	
  Other	
  conferences:
§	
  RootedCON	
  in	
  Spain
§	
  Nuit	
  Du	
  Hack	
  in	
  Paris	
  
§	
  Black	
  Hat	
  Arsenal	
  USA
§	
  Defcon	
  21	
  USA
§	
  Next	
  conferences:	
  Hack7vity,	
  NoConName	
  and	
  
Black	
  Hat	
  Sao	
  Paulo
FROM KERNEL SPACE TO USER HEAVEN
3 NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA)
The most important phases are RECONNAISSANCE and
SCANNING.
The less information the attacker has the better for our security.
If we can fool all network tools he’ll be using, we’ll be able to
prevent some attacks attempts
2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
A	
  BRIEF	
  OVERVIEW
FROM KERNEL SPACE TO USER HEAVEN
4 NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
Devices
Devices
Devices
Kernel
Ring	
  0
Ring	
  1
Ring	
  2
Ring	
  3
Less
Privileged
More
Privileged
§	
  Computer	
  opera+ng	
  systems	
  provide	
  different	
  
levels	
  of	
  access	
  to	
  resources.
§	
  This	
  is	
  generally	
  hardware-­‐enforced	
  by	
  some	
  
CPU	
  architectures	
  hat	
  provide	
  different	
  CPU	
  
modes	
  at	
  the	
  hardware	
  or	
  microcode	
  level.
§	
  Rings	
  are	
  arranged	
  in	
  a	
  hierarchy	
  from	
  most	
  
privileged	
  (most	
  trusted,	
  usually	
  numbered	
  zero)	
  
to	
  least	
  privileged	
  (least	
  trusted,	
  usually	
  with	
  the	
  
highest	
  ring	
  number).
§	
  On	
  most	
  opera+ng	
  systems,	
  RING	
  0	
  is	
  the	
  level	
  
with	
  the	
  most	
  privileges	
  and	
  interacts	
  most	
  
directly	
  with	
  the	
  physical	
  hardware	
  such	
  as	
  the	
  
CPU	
  and	
  memory.
ARCHITECTURE
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
5
FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
KERNEL	
  vs	
  USER	
  SPACE
KERNEL	
  SPACE USER	
  SPACE
KERNEL	
  SPACE	
  is	
  strictly	
  reserved	
  for	
  running	
  the	
  kernel,	
  kernel	
  extensions,	
  and	
  most	
  device	
  
drivers.	
  In	
  contrast,	
  user	
  space	
  is	
  the	
  memory	
  area	
  where	
  all	
  user	
  mode	
  applica+ons	
  work	
  
and	
  this	
  memory	
  can	
  be	
  swapped	
  out	
  when	
  necessary.
Similarly,	
   the	
  term	
  USER	
  LAND	
  refers	
  to	
  all	
  applica+on	
  soKware	
  that	
  runs	
  in	
  user	
   space.	
  
Userland	
  usually	
  refers	
  to	
  the	
  various	
  programs	
  and	
  libraries	
  that	
  the	
  opera+ng	
  system	
  uses	
  
to	
  interact	
  with	
  the	
  kernel:	
  soKware	
  that	
  performs	
  input/output,	
  manipulates	
  file	
  system,	
  
objects,	
  etc.
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
6
FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
WTF	
  !?
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
7
FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
8
How Imet your
packets
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
the NFQUEUE way
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
9
NIC	
  Memory
DMA	
  EngineInterrupt
Incoming	
  Packet
Ring
Buffer
Interrupt
Handler
NIC
Memory
Kernel
Packet	
  Data
IP	
  Layer
TCP	
  Process
TCP	
  recv	
  Buffer
APPLICATION
DEVICE	
  DRIVER
KERNEL	
  SPACE
USER	
  SPACE
Poll	
  List
so]irq
tcp_v4_rcv()
Pointer	
  to
Device
Socket
Backlog
ip_rcv()
read()
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
NIC	
  Memory
DMA	
  EngineInterrupt
Incoming	
  Packet
Ring
Buffer
Interrupt
Handler
NIC
Memory
Kernel
Packet	
  Data
IP	
  Layer
TCP	
  Process
TCP	
  recv	
  Buffer
APPLICATION
DEVICE	
  DRIVER
KERNEL	
  SPACE
USER	
  SPACE
Poll	
  List
so]irq
tcp_v4_rcv()
Pointer	
  to
Device
Socket
Backlog
ip_rcv()
read()
locally	
  des8ned	
  packets	
  must	
  pass	
  the	
  
INPUT	
  chains	
  to	
  reach	
  listening	
  sockets
INPUT
FORWARD
PREROUTING
MANGLECONNTRACK FILTER
forwarded	
  and	
  accepted	
  packets
Inbound	
  Packets
forwarded	
  
packets
local
packets
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
10
FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
TARGET	
  EXTENSIONS
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
	
  A	
  target	
  extension	
  consists	
  of	
  a	
  KERNEL	
  MODULE,	
  and	
  an	
  op+onal	
  extension	
  to	
  iptables	
  to	
  
provide	
  new	
  command	
  line	
  op+ons.
There	
  are	
  several	
  extensions	
  in	
  the	
  default	
  NeQilter	
  distribu+on:
11
FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
QUEUE
§	
  QUEUE	
  is	
  an	
  iptables	
  and	
  ip6tables	
  target	
  which	
  which	
  queues	
  the	
  packet	
  for	
  userspace	
  
processing.
§	
  For	
  this	
  to	
  be	
  useful,	
  two	
  further	
  components	
  are	
  required:
• a	
  QUEUE	
  HANDLER	
  which	
  deals	
  with	
  the	
  actual	
  mechanics	
  of	
  passing	
  packets	
  between	
  
the	
  kernel	
  and	
  userspace;	
  and
• a	
  USERSPACE	
  APPLICATION	
  to	
  receive,	
  possibly	
  manipulate,	
  and	
  issue	
  verdicts	
  on	
  
packets.
§	
  The	
  default	
  value	
  for	
  the	
  maximum	
  queue	
  length	
  is	
  1024.	
  Once	
  this	
  limit	
  is	
  reached,	
  new	
  
packets	
  will	
  be	
  dropped	
  un+l	
  the	
  length	
  of	
  the	
  queue	
  falls	
  below	
  the	
  limit	
  again.	
  
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
12
FROM KERNEL SPACE TO USER HEAVEN
13
$ iptables -A INPUT -j NFQUEUE --queue-num 0
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
SOME	
  PRACTICAL
EXAMPLES
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
13
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
REMOTE	
  OS
FINGERPRINTING
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
14
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
CLASSIC	
  TECHNIQUES
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
15
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
NMAP
	
   -­‐	
  Device	
  Type	
   	
   	
   -­‐	
  Network	
  Distance
	
   -­‐	
  Running	
   	
   	
   -­‐	
  TCP	
  Sequence	
  Predic7on
	
   -­‐	
  OS	
  Details	
   	
   	
   -­‐	
  IP	
  ID	
  Sequence	
  Genera7on
	
   -­‐	
  Up7me	
  Guess
Device	
  Type:	
  general	
  purpose
Running:	
  MicrosoK	
  Windows	
  7|Vista|2000
OS	
  CPE:	
  cpe:/o:microsoK_7::professional
OS	
  details:	
  MicrosoK	
  Windows	
  7	
  Professional,	
  MicrosoK	
  
Windows	
  Vista	
  SP0	
  or	
  SP1
Up7me	
  guess:	
  2.196	
  days	
  (since	
  Mon	
  Feb	
  4	
  12:14:01	
  2013)
Network	
  Distance:	
  1	
  hop
TCP	
  Sequence	
  Predic7on:	
  Difficulty=262	
  (Good	
  Luck!)
IP	
  ID	
  Sequence	
  Genera7on:	
  Incremental
Service	
  Info:	
  OS:	
  Windows;	
  CPE:	
  cpe:/o:microsoK:windows
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
16
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
17
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA)
IPv4 UDP
TCP ICMP
2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
	
  	
  	
  RELEVANT	
  FIELDS
ECN	
  CWN	
  ECE,	
  WS(10),	
  NOP,	
  MSS(1460),	
  SACK,	
  NOP,	
  NOP	
  and	
  W3
IP	
  DF	
  bit,	
  TOS(0),	
  CODE=9,	
  SEQ=295,	
  120	
  bytes	
  of	
  0x00	
  for	
  payload
no	
  flags,	
  IP	
  DF	
  and	
  W(128)	
  to	
  an	
  open	
  port
SYN,	
  FIN,	
  URG,	
  PSH	
  and	
  W(256)	
  to	
  an	
  open	
  port
ACK	
  with	
  IP	
  DF	
  and	
  W(1024)	
  to	
  an	
  open	
  port
SYN	
  with	
  W(31337)	
  to	
  a	
  closed	
  port
ACK	
  with	
  IP	
  DF	
  and	
  W(32768)	
  to	
  a	
  closed	
  port
FIN,	
  PSH,	
  URG	
  and	
  W(65535)	
  to	
  a	
  closed	
  port
WS(10),NOP,MSS(1460),TS(Tval:0xFFFFFFFF.	
  Tsecr:0),	
  SACK	
  and	
  W(1)
MSS(1400),	
  WS(0),SACK,	
  TS(Tval:0xFFFFFFFF.	
  Tsecr:0),EOL	
  and	
  W(63)
TS(Tval:0xFFFFFFFF.	
  Tsecr:0),NOP,NOP,WS(5),NOP,MSS(640)	
  and	
  W(4)
SACK,	
  TS(Tval:0xFFFFFFFF.	
  Tsecr:0),WS(10),EOL	
  and	
  W(4)
MSS(536),SACK,	
  TS(Tval:0xFFFFFFFF.	
  Tsecr:0),	
  WS(10),EOL	
  and	
  W(16)
MSS(265),SACK,	
  TS(Tval:0xFFFFFFFF.	
  Tsecr:0)	
  and	
  W(512)
NMAP	
  METHODS
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
18
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
SEQUENCE	
  GENERATION	
  (SEQ,	
  OPS,	
  WIN	
  &	
  T1)
ICMP	
  ECHO	
  (IE)
TCP	
  EXPLICIT	
  CONGESTION	
  NOTIFICATION	
  (ECN)
TCP	
  T2-­‐T7
UDP
	
  -­‐	
  Nmap	
  sends	
  15	
  TCP,	
  UDP	
  and	
  ICMP	
  tests,	
  to	
  open	
  and	
  closed	
  system	
  ports:
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
‘C’	
  (0x43)	
  x	
  300	
  for	
  data	
  field.	
  IP	
  ID	
  value	
  0x1042	
  
TOS(4),	
  CODE=0,	
  150	
  bytes	
  data,	
  ICMP	
  request	
  ID	
  and	
  SEQ	
  are	
  incremented
Although	
  there	
  are	
  others:
§	
  TCP	
  ISN	
  counter	
  rate	
  (ISR)
§	
  ICMP	
  IP	
  ID	
  sequence	
  genera8on	
  alg	
  (II)
§	
  Shared	
  IP	
  ID	
  sequence	
  Boolean	
  (SS)
§	
  Don’t	
  Fragment	
  ICMP	
  (DFI)
§	
  Explicit	
  conges8on	
  no8fica8on	
  (C)
§	
  TCP	
  miscellaneous	
  quirks	
  (Q)
§	
  TCP	
  sequence	
  number	
  (S)
§	
  etc.
NMAP	
  INTERNAL	
  PROBES
Most	
  important:
§	
  TCP	
  ISN	
  greatest	
  common	
  divisor	
  (GDC)
§	
  TCP	
  IP	
  ID	
  sequence	
  genera8on	
  alg	
  (TI)
§	
  TCP	
  8mestamp	
  op8on	
  alg	
  (TS)
§	
  TCP	
  Op8ons	
  (O,	
  O1-­‐O6)
§	
  TCP	
  ini8al	
  Window	
  Size	
  (W,	
  W1-­‐W6)
§	
  Responsiveness	
  (R)
§	
  IP	
  don’t	
  fragment	
  bit	
  (DF)
§	
  IP	
  ini8al	
  8me-­‐to-­‐live	
  guess	
  (TG)
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
19
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
OTHER	
  TOOLS
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
20
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
A	
  patch	
  for	
  Linux	
  kernels	
  of	
  
version	
  2.4.,	
  that	
  modifies	
  
characteris+cs	
  of	
  network	
  
traffic
IP	
  PERSONALITY
Simple	
  TCP	
  packets	
  
iden+fica+on	
  solu+on	
  as	
  a	
  
Kenel
2.2-­‐2.4	
  core	
  module	
  patch,	
  
allowing	
  ignore	
  some	
  kind	
  
of	
  packets.
STEALTH	
  PATCH
A	
  kernel	
  module	
  available	
  
for	
  Linux	
  kernel	
  of	
  version	
  
2.2.	
  that	
  also	
  tries	
  to	
  hide	
  
the	
  original	
  OS	
  and	
  act	
  as	
  a	
  
different	
  one.
FINGERPRINT	
  FUCKER
TCP	
  and	
  UDP	
  packets	
  
filtering	
  op+ons,	
  allowing	
  
to	
  respec+vely	
  block	
  RST	
  
and	
  ICMP	
  answers	
  on	
  
closed	
  ports
BLACKHOLE
Honeyd	
  is
able	
  to	
  simulate	
  Xprobe2	
  
and	
  Nmap	
  (previous	
  
version)	
  signatures	
  for	
  its
virtual	
  hosts.
HONEYD
Windows	
  soKware	
  that	
  
modifies	
  keys	
  in	
  the	
  
register,	
  to
change	
  some	
  TCP/IP	
  
parameters.
OSFUSCATE
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
21
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
!! LET’S CAMOUFLAGE !!
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
22
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
PASSIVE	
  OS	
  FINGERPRINTING
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
23
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
-­‐	
   p0f	
   is	
  a	
  tool	
  that	
  u+lizes	
  an	
  array	
   of	
  sophis+cated,	
   purely	
   passive,	
   traffic	
   fingerprin+ng	
  
mechanisms	
  to	
  iden+fy	
  the	
  players	
  behind	
  any	
  ini7al	
  TCP/IP	
  communica7on	
  (oKen	
  as	
  limle	
  
as	
  a	
  single	
  normal	
  SYN)	
  without	
  interfering	
  in	
  any	
  way.
-­‐	
  There	
  are	
  other	
  tools	
  like	
  Emercap,	
  NetworkMiner,	
  PRADS,	
  Satori	
  or	
  PacketFence.
-­‐	
   Passive	
   fingerprin+ng	
   is	
   like	
   a	
   packet	
   sniffer.	
   Examines	
  
network	
   traffic,	
   making	
   a	
   copy	
   of	
   the	
   data	
   but	
   without	
  
redirec+ng	
  or	
  altering	
  it.
-­‐	
  Can	
  be	
  used	
  for	
  several	
  purposes:
1.	
   As	
   stealthy	
   fingerprin7ng,	
   bypassing	
   the	
   need	
   for	
  
using	
  an	
  ac+ve	
  tool	
  that	
  can	
  be	
  detected	
  by	
  various	
  IDS	
  
systems.
2.	
  To	
  iden7fy	
  remote	
  proxy	
  firewalls.	
  
3.	
  Organiza+ons	
  can	
  use	
  it	
  to	
  iden7fy	
  rogue	
  systems	
  on	
  
their	
  network.
NUIT DU HACK 2013
Sniffer
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Opera+ng	
  System
	
  	
  -­‐	
  Family
	
  	
  -­‐	
  Version
Quirks
	
  	
  	
  -­‐	
  Data	
  in	
  SYN	
  packets
	
  	
  	
  -­‐	
  Op8ons	
  a]er	
  EOL
	
  	
  	
  -­‐	
  IP	
  ID	
  Field	
  =	
  0
	
  	
  	
  -­‐	
  ACK	
  different	
  to	
  0
	
  	
  	
  -­‐	
  Unusual	
  flags
	
  	
  	
  -­‐	
  Incorrect	
  op8ons	
  decode
TCP	
  op+ons	
  and	
  order
	
  	
  	
  -­‐	
  N:	
  NOP
	
  	
  	
  -­‐	
  E:	
  EOL
	
  	
  	
  -­‐	
  Wnnn:	
  WS
	
  	
  	
  -­‐	
  Mnnn:	
  MSS
	
  	
  	
  -­‐	
  S:	
  SACK
	
  	
  	
  -­‐	
  T	
  /	
  T0:	
  Timestamp	
  	
  
	
  	
  	
  -­‐	
  ?n
Window	
  Size
	
  	
  	
  -­‐	
  *	
  Any	
  value
	
  	
  	
  -­‐	
  %nnn	
  nnn	
  Mul8ple
	
  	
  	
  -­‐	
  Sxx	
  MSS	
  Mul8ple
	
  	
  	
  -­‐	
  Txx	
  MTU	
  Mul8ple
	
  	
  	
  -­‐	
  xxx	
  Constant	
  value
Ini+al	
  TTL
DF	
  Bit	
  
Packet	
  
Size
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
24
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
25
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
!! LET’S CAMOUFLAGE !!
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
26
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
COMMERCIAL	
  ENGINES
This	
  techniques	
  can	
  be	
  used	
  to	
  avoid	
  commercial	
  implementa+ons.	
  We	
  hide	
  our	
  machine,	
  
faking	
  the	
  detector	
  engine	
  and	
  recognizing	
  us	
  like	
  another	
  OS,	
  to	
  amack	
  another	
  host	
  and	
  
leading	
  administrator	
  to	
  think	
  it	
  may	
  be	
  a	
  false	
  posi+ve.
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
27
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
Fingerprint	
  value	
  example:
key=fp_id;value=100000
key=rna_fingerprint_type_id;value=9
key=rna_fingerprint_descrip8on;value=iPhone
key=rna_fingerprint_vendor_str;value=Apple
key=rna_fingerprint_product_str;value=iOS
key=rna_fingerprint_version_str;value=NULL
key=val1;value=340e4d28c315390d
key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d1
66085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834a
f9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc5
03a4847e9c0fa22fe666cb1dc115309eb77
key=uuid;value=714e6bc6-­‐991a-­‐445c-­‐bddb-­‐a8b13c23706b
I	
  had	
  no	
  +me	
  to	
  figure	
  out	
  what	
  each	
  field	
  means	
  in	
  all	
  the	
  commercial	
  appliances	
  I’ve	
  seen	
  
so	
  far.	
  I	
  decided	
  to	
  cross	
  the	
  data	
  available	
  with	
  default	
  Nmap	
  and	
  p0f	
  database	
  to	
  get	
  the	
  
desired	
  TCP/IP	
  header	
  values.
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
(	
  WE’RE	
  RUNNING	
  OUR	
  PROGRAM	
  IN	
  
BACKGROUND	
  TO	
  CHANGE	
  ALL	
  OUTBOUND	
  
CONNECTIONS	
  )
From	
  kernel	
  Space	
  to	
  user	
  Heaven
28
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenHow	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
|	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |
|	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |
NUIT DU HACK 2013
OS	
  FOOLED!	
  NOW	
  OUT	
  
LINUX	
  IS	
  AN	
  IOS	
  DEVICE
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenHow	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
SPOOF	
  NON	
  EXISTING	
  
HOSTS
HOST	
  CREATED	
  WITH	
  OUR
NEW	
  TOOL	
  :)
From	
  kernel	
  Space	
  to	
  user	
  Heaven
29
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenHow	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
|	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |
|	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |	
  	
  	
  S	
  C	
  R	
  E	
  E	
  N	
  S	
  H	
  O	
  T	
  	
  	
  |
NUIT DU HACK 2013
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenHow	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
Long	
  	
  story	
  	
  short:
SYN ACK FIN
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
30
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  Heaven
31
How	
  i	
  met	
  your	
  packetFrom	
  kernel	
  Space	
  to	
  user	
  HeavenFROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
SEGURIDADOFENSIVA.COM
@SEGOFENSIVA
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2
STEALTH SERVERS NEED STEALTH PACKETS
DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)

More Related Content

What's hot

Disruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxDisruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxNaoto MATSUMOTO
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Cumulus Networks
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Lalad
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.Naoto MATSUMOTO
 
Manipulating the Network with PacketFu
Manipulating the Network with PacketFuManipulating the Network with PacketFu
Manipulating the Network with PacketFuKeith Lee
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Analysis of Compromised Linux Server
Analysis of Compromised Linux ServerAnalysis of Compromised Linux Server
Analysis of Compromised Linux Serveranandvaidya
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)Sam Kim
 
NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Deathnitayart
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CMLnpsg
 
Open stack pike-devstack-tutorial
Open stack pike-devstack-tutorialOpen stack pike-devstack-tutorial
Open stack pike-devstack-tutorialEueung Mulyana
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksCohesive Networks
 

What's hot (20)

Disruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxDisruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on Linux
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule Writing
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
Manipulating the Network with PacketFu
Manipulating the Network with PacketFuManipulating the Network with PacketFu
Manipulating the Network with PacketFu
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linux
 
Linuxserver harden
Linuxserver hardenLinuxserver harden
Linuxserver harden
 
Analysis of Compromised Linux Server
Analysis of Compromised Linux ServerAnalysis of Compromised Linux Server
Analysis of Compromised Linux Server
 
Wireshark
WiresharkWireshark
Wireshark
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
 
NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Death
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CML
 
Open stack pike-devstack-tutorial
Open stack pike-devstack-tutorialOpen stack pike-devstack-tutorial
Open stack pike-devstack-tutorial
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container Networks
 

Viewers also liked

AndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedAndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedJaime Sánchez
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User HeavenJaime Sánchez
 
Improving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device PollingImproving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device PollingHargyo T. Nugroho
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppJaime Sánchez
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Jaime Sánchez
 
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Jaime Sánchez
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyJaime Sánchez
 
ศิลปินในดวงใจ
ศิลปินในดวงใจศิลปินในดวงใจ
ศิลปินในดวงใจicesmurf
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumZimperium
 
How to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceHow to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceZimperium
 
Zimperium - Technology Briefing
Zimperium - Technology BriefingZimperium - Technology Briefing
Zimperium - Technology BriefingJake Leonard
 
Mobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumMobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumZimperium
 

Viewers also liked (13)

AndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedAndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security Reloaded
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User Heaven
 
Improving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device PollingImproving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device Polling
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsApp
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014
 
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of Privacy
 
ศิลปินในดวงใจ
ศิลปินในดวงใจศิลปินในดวงใจ
ศิลปินในดวงใจ
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
 
How to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceHow to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat Intelligence
 
Zimperium - Technology Briefing
Zimperium - Technology BriefingZimperium - Technology Briefing
Zimperium - Technology Briefing
 
Mobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumMobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by Zimperium
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
 

Similar to Stealth servers need Stealth Packets - Derbycon 3.0

Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedGluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedKeisuke Takahashi
 
(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms Overview(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms OverviewEL Bachir Nouni
 
Neural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep LearningNeural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep LearningAsim Jalis
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by  Dr. Ha...Computer Vision Powered by Heterogeneous System Architecture (HSA) by  Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...AMD Developer Central
 
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion   boosting RISC-V with an efficient and os transparent memory comp...Ziptillion   boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...RISC-V International
 
Explorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoExplorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoAlvaro Viebrantz
 
Spark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Building Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.jsBuilding Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.jsZURB
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsMarian Marinov
 
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...Databricks
 
App Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized WorkloadsApp Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized WorkloadsDataCore Software
 

Similar to Stealth servers need Stealth Packets - Derbycon 3.0 (20)

Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedGluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
 
(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms Overview(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms Overview
 
SnakeGX (full version)
SnakeGX (full version) SnakeGX (full version)
SnakeGX (full version)
 
Neural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep LearningNeural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep Learning
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by  Dr. Ha...Computer Vision Powered by Heterogeneous System Architecture (HSA) by  Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
 
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion   boosting RISC-V with an efficient and os transparent memory comp...Ziptillion   boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
 
Explorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoExplorando Go em Ambiente Embarcado
Explorando Go em Ambiente Embarcado
 
Spark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg Schad
 
Project
ProjectProject
Project
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Hack.lu 2016
Hack.lu 2016   Hack.lu 2016
Hack.lu 2016
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Troubleshooting Java HotSpot VM
Troubleshooting Java HotSpot VMTroubleshooting Java HotSpot VM
Troubleshooting Java HotSpot VM
 
Building Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.jsBuilding Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.js
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
 
App Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized WorkloadsApp Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized Workloads
 

Recently uploaded

All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - AvrilIvanti
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 

Recently uploaded (20)

All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks  and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Français Patch Tuesday - Avril
Français Patch Tuesday - AvrilFrançais Patch Tuesday - Avril
Français Patch Tuesday - Avril
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 

Stealth servers need Stealth Packets - Derbycon 3.0

  • 1. 1 STEALTH SERVERS NEED STEALTH PACKETS STEALTH SERVERS NEED STEALTH PACKETS JAIME SANCHEZ (@SEGOFENSIVA) WWW.SEGURIDADOFENSIVA.COM
  • 2. 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) $  WHO  I  AM   §  Passionate  about  computer  security. §  Computer  Engineering  degree   and  an  Execu7ve   MBA.   §   In   my   free   8me   I   conduct   research   on   security   and  work  as  an  independent  consultant. §  I’m  from  Spain;  We’re  sexy  and  you  know  it. §    Other  conferences: §  RootedCON  in  Spain §  Nuit  Du  Hack  in  Paris   §  Black  Hat  Arsenal  USA §  Defcon  21  USA §  Next  conferences:  Hack7vity,  NoConName  and   Black  Hat  Sao  Paulo
  • 3. FROM KERNEL SPACE TO USER HEAVEN 3 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has the better for our security. If we can fool all network tools he’ll be using, we’ll be able to prevent some attacks attempts 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 4. A  BRIEF  OVERVIEW FROM KERNEL SPACE TO USER HEAVEN 4 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 5. Devices Devices Devices Kernel Ring  0 Ring  1 Ring  2 Ring  3 Less Privileged More Privileged §  Computer  opera+ng  systems  provide  different   levels  of  access  to  resources. §  This  is  generally  hardware-­‐enforced  by  some   CPU  architectures  hat  provide  different  CPU   modes  at  the  hardware  or  microcode  level. §  Rings  are  arranged  in  a  hierarchy  from  most   privileged  (most  trusted,  usually  numbered  zero)   to  least  privileged  (least  trusted,  usually  with  the   highest  ring  number). §  On  most  opera+ng  systems,  RING  0  is  the  level   with  the  most  privileges  and  interacts  most   directly  with  the  physical  hardware  such  as  the   CPU  and  memory. ARCHITECTURE How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 5 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 6. KERNEL  vs  USER  SPACE KERNEL  SPACE USER  SPACE KERNEL  SPACE  is  strictly  reserved  for  running  the  kernel,  kernel  extensions,  and  most  device   drivers.  In  contrast,  user  space  is  the  memory  area  where  all  user  mode  applica+ons  work   and  this  memory  can  be  swapped  out  when  necessary. Similarly,   the  term  USER  LAND  refers  to  all  applica+on  soKware  that  runs  in  user   space.   Userland  usually  refers  to  the  various  programs  and  libraries  that  the  opera+ng  system  uses   to  interact  with  the  kernel:  soKware  that  performs  input/output,  manipulates  file  system,   objects,  etc. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 6 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 7. WTF  !? How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 7 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 8. 8 How Imet your packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven the NFQUEUE way OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 9. 9 NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 10. NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() locally  des8ned  packets  must  pass  the   INPUT  chains  to  reach  listening  sockets INPUT FORWARD PREROUTING MANGLECONNTRACK FILTER forwarded  and  accepted  packets Inbound  Packets forwarded   packets local packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 10 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 11. TARGET  EXTENSIONS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven  A  target  extension  consists  of  a  KERNEL  MODULE,  and  an  op+onal  extension  to  iptables  to   provide  new  command  line  op+ons. There  are  several  extensions  in  the  default  NeQilter  distribu+on: 11 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 12. QUEUE §  QUEUE  is  an  iptables  and  ip6tables  target  which  which  queues  the  packet  for  userspace   processing. §  For  this  to  be  useful,  two  further  components  are  required: • a  QUEUE  HANDLER  which  deals  with  the  actual  mechanics  of  passing  packets  between   the  kernel  and  userspace;  and • a  USERSPACE  APPLICATION  to  receive,  possibly  manipulate,  and  issue  verdicts  on   packets. §  The  default  value  for  the  maximum  queue  length  is  1024.  Once  this  limit  is  reached,  new   packets  will  be  dropped  un+l  the  length  of  the  queue  falls  below  the  limit  again.   How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 12 FROM KERNEL SPACE TO USER HEAVEN 13 $ iptables -A INPUT -j NFQUEUE --queue-num 0 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 13. SOME  PRACTICAL EXAMPLES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 13 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 14. REMOTE  OS FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 14 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 15. CLASSIC  TECHNIQUES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 15 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 16. NMAP   -­‐  Device  Type       -­‐  Network  Distance   -­‐  Running       -­‐  TCP  Sequence  Predic7on   -­‐  OS  Details       -­‐  IP  ID  Sequence  Genera7on   -­‐  Up7me  Guess Device  Type:  general  purpose Running:  MicrosoK  Windows  7|Vista|2000 OS  CPE:  cpe:/o:microsoK_7::professional OS  details:  MicrosoK  Windows  7  Professional,  MicrosoK   Windows  Vista  SP0  or  SP1 Up7me  guess:  2.196  days  (since  Mon  Feb  4  12:14:01  2013) Network  Distance:  1  hop TCP  Sequence  Predic7on:  Difficulty=262  (Good  Luck!) IP  ID  Sequence  Genera7on:  Incremental Service  Info:  OS:  Windows;  CPE:  cpe:/o:microsoK:windows How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 16 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 17. 17 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) IPv4 UDP TCP ICMP 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)      RELEVANT  FIELDS
  • 18. ECN  CWN  ECE,  WS(10),  NOP,  MSS(1460),  SACK,  NOP,  NOP  and  W3 IP  DF  bit,  TOS(0),  CODE=9,  SEQ=295,  120  bytes  of  0x00  for  payload no  flags,  IP  DF  and  W(128)  to  an  open  port SYN,  FIN,  URG,  PSH  and  W(256)  to  an  open  port ACK  with  IP  DF  and  W(1024)  to  an  open  port SYN  with  W(31337)  to  a  closed  port ACK  with  IP  DF  and  W(32768)  to  a  closed  port FIN,  PSH,  URG  and  W(65535)  to  a  closed  port WS(10),NOP,MSS(1460),TS(Tval:0xFFFFFFFF.  Tsecr:0),  SACK  and  W(1) MSS(1400),  WS(0),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),EOL  and  W(63) TS(Tval:0xFFFFFFFF.  Tsecr:0),NOP,NOP,WS(5),NOP,MSS(640)  and  W(4) SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),WS(10),EOL  and  W(4) MSS(536),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),  WS(10),EOL  and  W(16) MSS(265),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0)  and  W(512) NMAP  METHODS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 18 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEQUENCE  GENERATION  (SEQ,  OPS,  WIN  &  T1) ICMP  ECHO  (IE) TCP  EXPLICIT  CONGESTION  NOTIFICATION  (ECN) TCP  T2-­‐T7 UDP  -­‐  Nmap  sends  15  TCP,  UDP  and  ICMP  tests,  to  open  and  closed  system  ports: OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) ‘C’  (0x43)  x  300  for  data  field.  IP  ID  value  0x1042   TOS(4),  CODE=0,  150  bytes  data,  ICMP  request  ID  and  SEQ  are  incremented
  • 19. Although  there  are  others: §  TCP  ISN  counter  rate  (ISR) §  ICMP  IP  ID  sequence  genera8on  alg  (II) §  Shared  IP  ID  sequence  Boolean  (SS) §  Don’t  Fragment  ICMP  (DFI) §  Explicit  conges8on  no8fica8on  (C) §  TCP  miscellaneous  quirks  (Q) §  TCP  sequence  number  (S) §  etc. NMAP  INTERNAL  PROBES Most  important: §  TCP  ISN  greatest  common  divisor  (GDC) §  TCP  IP  ID  sequence  genera8on  alg  (TI) §  TCP  8mestamp  op8on  alg  (TS) §  TCP  Op8ons  (O,  O1-­‐O6) §  TCP  ini8al  Window  Size  (W,  W1-­‐W6) §  Responsiveness  (R) §  IP  don’t  fragment  bit  (DF) §  IP  ini8al  8me-­‐to-­‐live  guess  (TG) Fingerprint Linux 2.6.17 - 2.6.24 Class Linux | Linux | 2.6.X | general purpose SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U) OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C) WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018) ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=) T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=) T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=N%T=3B-45%TG=40%CD=S) How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 19 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 20. OTHER  TOOLS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 20 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN A  patch  for  Linux  kernels  of   version  2.4.,  that  modifies   characteris+cs  of  network   traffic IP  PERSONALITY Simple  TCP  packets   iden+fica+on  solu+on  as  a   Kenel 2.2-­‐2.4  core  module  patch,   allowing  ignore  some  kind   of  packets. STEALTH  PATCH A  kernel  module  available   for  Linux  kernel  of  version   2.2.  that  also  tries  to  hide   the  original  OS  and  act  as  a   different  one. FINGERPRINT  FUCKER TCP  and  UDP  packets   filtering  op+ons,  allowing   to  respec+vely  block  RST   and  ICMP  answers  on   closed  ports BLACKHOLE Honeyd  is able  to  simulate  Xprobe2   and  Nmap  (previous   version)  signatures  for  its virtual  hosts. HONEYD Windows  soKware  that   modifies  keys  in  the   register,  to change  some  TCP/IP   parameters. OSFUSCATE NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 21. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 21 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 22. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 22 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 23. PASSIVE  OS  FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 23 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN -­‐   p0f   is  a  tool  that  u+lizes  an  array   of  sophis+cated,   purely   passive,   traffic   fingerprin+ng   mechanisms  to  iden+fy  the  players  behind  any  ini7al  TCP/IP  communica7on  (oKen  as  limle   as  a  single  normal  SYN)  without  interfering  in  any  way. -­‐  There  are  other  tools  like  Emercap,  NetworkMiner,  PRADS,  Satori  or  PacketFence. -­‐   Passive   fingerprin+ng   is   like   a   packet   sniffer.   Examines   network   traffic,   making   a   copy   of   the   data   but   without   redirec+ng  or  altering  it. -­‐  Can  be  used  for  several  purposes: 1.   As   stealthy   fingerprin7ng,   bypassing   the   need   for   using  an  ac+ve  tool  that  can  be  detected  by  various  IDS   systems. 2.  To  iden7fy  remote  proxy  firewalls.   3.  Organiza+ons  can  use  it  to  iden7fy  rogue  systems  on   their  network. NUIT DU HACK 2013 Sniffer OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 24. SIGNATURES 8192:32:1:48:M*,N,N,S:.:Windows:98 Opera+ng  System    -­‐  Family    -­‐  Version Quirks      -­‐  Data  in  SYN  packets      -­‐  Op8ons  a]er  EOL      -­‐  IP  ID  Field  =  0      -­‐  ACK  different  to  0      -­‐  Unusual  flags      -­‐  Incorrect  op8ons  decode TCP  op+ons  and  order      -­‐  N:  NOP      -­‐  E:  EOL      -­‐  Wnnn:  WS      -­‐  Mnnn:  MSS      -­‐  S:  SACK      -­‐  T  /  T0:  Timestamp          -­‐  ?n Window  Size      -­‐  *  Any  value      -­‐  %nnn  nnn  Mul8ple      -­‐  Sxx  MSS  Mul8ple      -­‐  Txx  MTU  Mul8ple      -­‐  xxx  Constant  value Ini+al  TTL DF  Bit   Packet   Size How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 24 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 25. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 25 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 26. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 26 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 27. COMMERCIAL  ENGINES This  techniques  can  be  used  to  avoid  commercial  implementa+ons.  We  hide  our  machine,   faking  the  detector  engine  and  recognizing  us  like  another  OS,  to  amack  another  host  and   leading  administrator  to  think  it  may  be  a  false  posi+ve. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 27 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN Fingerprint  value  example: key=fp_id;value=100000 key=rna_fingerprint_type_id;value=9 key=rna_fingerprint_descrip8on;value=iPhone key=rna_fingerprint_vendor_str;value=Apple key=rna_fingerprint_product_str;value=iOS key=rna_fingerprint_version_str;value=NULL key=val1;value=340e4d28c315390d key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d1 66085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834a f9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc5 03a4847e9c0fa22fe666cb1dc115309eb77 key=uuid;value=714e6bc6-­‐991a-­‐445c-­‐bddb-­‐a8b13c23706b I  had  no  +me  to  figure  out  what  each  field  means  in  all  the  commercial  appliances  I’ve  seen   so  far.  I  decided  to  cross  the  data  available  with  default  Nmap  and  p0f  database  to  get  the   desired  TCP/IP  header  values. NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 28. (  WE’RE  RUNNING  OUR  PROGRAM  IN   BACKGROUND  TO  CHANGE  ALL  OUTBOUND   CONNECTIONS  ) From  kernel  Space  to  user  Heaven 28 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 OS  FOOLED!  NOW  OUT   LINUX  IS  AN  IOS  DEVICE How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 29. SPOOF  NON  EXISTING   HOSTS HOST  CREATED  WITH  OUR NEW  TOOL  :) From  kernel  Space  to  user  Heaven 29 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 30. Long    story    short: SYN ACK FIN How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 30 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 31. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 31 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEGURIDADOFENSIVA.COM @SEGOFENSIVA OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)