Page 1: Stealth servers need Stealth Packets - Derbycon 3.0

STEALTH SERVERS NEED STEALTH PACKETS

JAIME SANCHEZ (@SEGOFENSIVA)

WWW.SEGURIDADOFENSIVA.COM

Page 2: Stealth servers need Stealth Packets - Derbycon 3.0

DERBYCON 2013 / JAIME SANCHEZ (@SEGOFENSIVA)

WHO I AM

§ Passionate about computer security.

§ Computer Engineering degree and an Executive MBA.

§ In my free time I conduct research on security and work as an independent consultant.

§ I'm from Spain; we're sexy and you know it.

§ Other conferences: RootedCON in Spain, Nuit Du Hack in Paris, Black Hat Arsenal USA, Defcon 21 USA.

§ Next conferences: Hacktivity, NoConName and Black Hat Sao Paulo.

Page 3: Stealth servers need Stealth Packets - Derbycon 3.0

FROM KERNEL SPACE TO USER HEAVEN

NUIT DU HACK 2013

OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...

BLACKHAT ARSENAL USA 2013 / JAIME SANCHEZ (@SEGOFENSIVA)

The most important phases are RECONNAISSANCE and SCANNING.

The less information the attacker has, the better for our security.

If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.


Page 4: Stealth servers need Stealth Packets - Derbycon 3.0

A BRIEF OVERVIEW

Page 5: Stealth servers need Stealth Packets - Derbycon 3.0

ARCHITECTURE

[Figure: privilege rings, with labels Devices, Kernel, Ring 0, Ring 1, Ring 2, Ring 3, Less Privileged, More Privileged]

§ Computer operating systems provide different levels of access to resources.

§ This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.

§ Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).

§ On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

How I met your packet / From kernel Space to user Heaven


Page 6: Stealth servers need Stealth Packets - Derbycon 3.0

KERNEL vs USER SPACE

KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, USER SPACE is the memory area where all user mode applications work, and this memory can be swapped out when necessary.

Similarly, the term USER LAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.

Page 7: Stealth servers need Stealth Packets - Derbycon 3.0

WTF !?

Page 8: Stealth servers need Stealth Packets - Derbycon 3.0

How I met your packets

the NFQUEUE way

Page 9: Stealth servers need Stealth Packets - Derbycon 3.0

[Figure: receive path of an incoming packet, from the device driver through kernel space to user space. Labels: Incoming Packet, NIC, NIC Memory, DMA Engine, Ring Buffer, Interrupt, Interrupt Handler, Poll List, softirq, Kernel Memory, Packet Data, Pointer to Device, IP Layer / ip_rcv(), TCP Process / tcp_v4_rcv(), Socket Backlog, TCP recv Buffer, APPLICATION / read(); regions DEVICE DRIVER, KERNEL SPACE, USER SPACE.]

Page 10: Stealth servers need Stealth Packets - Derbycon 3.0

[Figure: the receive path from the previous slide with the Netfilter hooks added. Labels: Inbound Packets, PREROUTING (MANGLE, CONNTRACK), INPUT and FORWARD (FILTER), local packets, forwarded packets, forwarded and accepted packets.]

Locally destined packets must pass the INPUT chains to reach listening sockets.

Page 11: Stealth servers need Stealth Packets - Derbycon 3.0

TARGET EXTENSIONS

A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options.

There are several extensions in the default Netfilter distribution:

Page 12: Stealth servers need Stealth Packets - Derbycon 3.0

QUEUE

§ QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.

§ For this to be useful, two further components are required:

• a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and

• a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.

§ The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.

$ iptables -A INPUT -j NFQUEUE --queue-num 0
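As an added example (not from the talk and not OSfooler's code): a minimal USERSPACE APPLICATION for the rule above, using the python-netfilterqueue binding (assumed installed) as the queue handler. Each queued IPv4/TCP packet gets a constructed "persona" TTL, DF bit and TCP window with both checksums recomputed; the rewrite is plain byte manipulation, so it can be exercised offline on the embedded sample SYN without root or the queue.

```python
import struct

# Constructed persona (assumption): the header values an observer should see.
PERSONA = {"ttl": 128, "df": True, "window": 8192}

# Constructed sample: a Linux-looking SYN 10.0.0.1:12345 -> 10.0.0.2:80
# (TTL 64, DF clear, window 29200, both checksum fields still zero).
SAMPLE_SYN = bytes.fromhex("4500002800010000400600000a0000010a000002"
                           "3039005000000000000000005002721000000000")

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rewrite(packet: bytes, persona: dict = PERSONA) -> bytes:
    """Return the packet with TTL, DF and TCP window replaced and both
    checksums recomputed; anything that is not IPv4/TCP comes back untouched."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return packet
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[8] = persona["ttl"]                              # TTL is IP byte 8
    flags = struct.unpack("!H", ip[6:8])[0]             # DF is bit 0x4000
    flags = flags | 0x4000 if persona["df"] else flags & 0xBFFF
    ip[6:8] = struct.pack("!H", flags)
    ip[10:12] = b"\x00\x00"                             # zero, then refill
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[14:16] = struct.pack("!H", persona["window"])   # TCP window field
    tcp[16:18] = b"\x00\x00"
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(bytes(pseudo + tcp)))
    return bytes(ip + tcp)

def fields(packet: bytes) -> dict:
    """TTL, DF and TCP window of an IPv4/TCP packet, for inspection."""
    ihl = (packet[0] & 0x0F) * 4
    return {"ttl": packet[8],
            "df": bool(struct.unpack("!H", packet[6:8])[0] & 0x4000),
            "window": struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]}

def checksums_ok(packet: bytes) -> bool:
    """Both checksums verify: a correct one's-complement sum folds to zero."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + tcp) == 0

def main(queue_num: int = 0) -> None:
    """Serve the queue number from the iptables rule; needs root and the
    python-netfilterqueue package (assumed installed)."""
    from netfilterqueue import NetfilterQueue

    def handle(pkt):
        pkt.set_payload(rewrite(pkt.get_payload()))
        pkt.accept()

    nfq = NetfilterQueue()
    nfq.bind(queue_num, handle)
    try:
        nfq.run()
    finally:
        nfq.unbind()

if __name__ == "__main__":
    main()
```

The slide's rule queues inbound packets on INPUT; the same handler bound to an OUTPUT rule is what changes the headers a remote scanner sees.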

Page 13: Stealth servers need Stealth Packets - Derbycon 3.0

SOME PRACTICAL EXAMPLES

Page 14: Stealth servers need Stealth Packets - Derbycon 3.0

REMOTE OS FINGERPRINTING

Page 15: Stealth servers need Stealth Packets - Derbycon 3.0

CLASSIC TECHNIQUES

Page 16: Stealth servers need Stealth Packets - Derbycon 3.0

NMAP

Fields reported by Nmap:
- Device Type
- Network Distance
- Running
- TCP Sequence Prediction
- OS Details
- IP ID Sequence Generation
- Uptime Guess

Device Type: general purpose
Running: Microsoft Windows 7|Vista|2000
OS CPE: cpe:/o:microsoft_7::professional
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good Luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Page 17: Stealth servers need Stealth Packets - Derbycon 3.0

RELEVANT FIELDS

[Figure: header layouts of IPv4, UDP, TCP and ICMP.]

Page 18: Stealth servers need Stealth Packets - Derbycon 3.0

NMAP METHODS

- Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports:

SEQUENCE GENERATION (SEQ, OPS, WIN & T1): six TCP probes, each with a different option set and window size:
  1. WS(10), NOP, MSS(1460), TS(Tval:0xFFFFFFFF, Tsecr:0), SACK and W(1)
  2. MSS(1400), WS(0), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), EOL and W(63)
  3. TS(Tval:0xFFFFFFFF, Tsecr:0), NOP, NOP, WS(5), NOP, MSS(640) and W(4)
  4. SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(4)
  5. MSS(536), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(16)
  6. MSS(265), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0) and W(512)

ICMP ECHO (IE): two echo requests:
  1. IP DF bit, TOS(0), CODE=9, SEQ=295, 120 bytes of 0x00 for payload
  2. TOS(4), CODE=0, 150 bytes data, ICMP request ID and SEQ are incremented

TCP EXPLICIT CONGESTION NOTIFICATION (ECN): ECN CWR ECE, WS(10), NOP, MSS(1460), SACK, NOP, NOP and W3

TCP T2-T7:
  T2: no flags, IP DF and W(128) to an open port
  T3: SYN, FIN, URG, PSH and W(256) to an open port
  T4: ACK with IP DF and W(1024) to an open port
  T5: SYN with W(31337) to a closed port
  T6: ACK with IP DF and W(32768) to a closed port
  T7: FIN, PSH, URG and W(65535) to a closed port

UDP: 'C' (0x43) x 300 for data field. IP ID value 0x1042

Page 19: Stealth servers need Stealth Packets - Derbycon 3.0

NMAP INTERNAL PROBES

Most important:
§ TCP ISN greatest common divisor (GCD)
§ TCP IP ID sequence generation alg (TI)
§ TCP timestamp option alg (TS)
§ TCP Options (O, O1-O6)
§ TCP initial Window Size (W, W1-W6)
§ Responsiveness (R)
§ IP don't fragment bit (DF)
§ IP initial time-to-live guess (TG)

Although there are others:
§ TCP ISN counter rate (ISR)
§ ICMP IP ID sequence generation alg (II)
§ Shared IP ID sequence Boolean (SS)
§ Don't Fragment ICMP (DFI)
§ Explicit congestion notification (C)
§ TCP miscellaneous quirks (Q)
§ TCP sequence number (S)
§ etc.

Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)

Page 20: Stealth servers need Stealth Packets - Derbycon 3.0

OTHER TOOLS

IP PERSONALITY: a patch for Linux kernels of version 2.4 that modifies characteristics of network traffic.

STEALTH PATCH: a simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing it to ignore some kinds of packets.

FINGERPRINT FUCKER: a kernel module available for Linux kernel version 2.2 that also tries to hide the original OS and act as a different one.

BLACKHOLE: TCP and UDP packet filtering options, allowing it to block, respectively, RST and ICMP answers on closed ports.

HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.

OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.

Page 21: Stealth servers need Stealth Packets - Derbycon 3.0

!! LET'S CAMOUFLAGE !!

Page 22: Stealth servers need Stealth Packets - Derbycon 3.0


Page 23: Stealth servers need Stealth Packets - Derbycon 3.0

PASSIVE OS FINGERPRINTING

- p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.

- There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.

- Passive fingerprinting is like a packet sniffer. It examines network traffic, making a copy of the data but without redirecting or altering it.

- Can be used for several purposes:
  1. As stealthy fingerprinting, bypassing the need for using an active tool that can be detected by various IDS systems.
  2. To identify remote proxy firewalls.
  3. Organizations can use it to identify rogue systems on their network.

[Figure: sniffer on the network.]

Page 24: Stealth servers need Stealth Packets - Derbycon 3.0

SIGNATURES

8192:32:1:48:M*,N,N,S:.:Windows:98

Fields of the signature, left to right:

Window Size
  - * Any value
  - %nnn  nnn multiple
  - Sxx  MSS multiple
  - Txx  MTU multiple
  - xxx  Constant value

Initial TTL

DF Bit

Packet Size

TCP options and order
  - N: NOP
  - E: EOL
  - Wnnn: WS
  - Mnnn: MSS
  - S: SACK
  - T / T0: Timestamp
  - ?n

Quirks
  - Data in SYN packets
  - Options after EOL
  - IP ID Field = 0
  - ACK different to 0
  - Unusual flags
  - Incorrect options decode

Operating System - Family - Version
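An added example (not from the talk or from p0f) that parses the signature format above and matches already decoded SYN header fields against it. The signature list carries the slide's Windows 98 line plus two constructed entries; the hop-distance limit on the TTL and the MTU = MSS + 40 rule used for "Txx" windows are assumptions, and quirks are passed in as an already decoded set of letters.

```python
MAX_HOPS = 32  # assumption: how far below the initial TTL an observed TTL may sit

# First line copied from the slide; the other two are constructed for the demo.
SAMPLE_SIGNATURES = [
    "8192:32:1:48:M*,N,N,S:.:Windows:98",
    "65535:128:1:48:M*,N,N,S:.:Windows:XP (constructed)",
    "S4:64:1:60:M*,S,T,N,W7:.:Linux:2.6 (constructed)",
]


def parse_signature(line: str) -> dict:
    """window:ttl:df:size:options:quirks:os:details ('.' means no quirks)."""
    win, ttl, df, size, opts, quirks, os_name, details = line.split(":", 7)
    return {"window": win, "ttl": int(ttl), "df": int(df), "size": int(size),
            "options": opts.split(",") if opts else [],
            "quirks": set() if quirks == "." else set(quirks),
            "os": os_name, "details": details}


def window_ok(rule: str, window: int, mss: int) -> bool:
    """'*' any, '%n' multiple of n, 'Sn' n*MSS, 'Tn' n*MTU, else a constant."""
    if rule == "*":
        return True
    if rule[0] == "%":
        return window % int(rule[1:]) == 0
    if rule[0] == "S":
        return window == int(rule[1:]) * mss
    if rule[0] == "T":
        return window == int(rule[1:]) * (mss + 40)  # assumption: MTU = MSS + 40
    return window == int(rule)


def options_ok(rules: list, observed: list) -> bool:
    """Options must appear in the same order. observed is a list of
    (kind, value) pairs, e.g. ('M', 1460), ('N', None), ('W', 7), ('?', 30)."""
    if len(rules) != len(observed):
        return False
    for rule, (kind, value) in zip(rules, observed):
        if rule == "T0":                      # timestamp present with value 0
            if kind != "T" or value != 0:
                return False
        elif rule[0] != kind:
            return False
        elif rule[1:] not in ("", "*") and int(rule[1:]) != value:
            return False
    return True


def match(sig: dict, syn: dict) -> bool:
    """syn: decoded fields of one SYN (window, ttl, df, size, mss, options,
    and optionally a set of quirk letters)."""
    return (window_ok(sig["window"], syn["window"], syn.get("mss", 0))
            and 0 <= sig["ttl"] - syn["ttl"] < MAX_HOPS
            and syn["df"] == sig["df"]
            and syn["size"] == sig["size"]
            and options_ok(sig["options"], syn["options"])
            and syn.get("quirks", set()) == sig["quirks"])


def identify(syn: dict, signatures=SAMPLE_SIGNATURES):
    """First signature that matches, as 'OS details', or None."""
    for line in signatures:
        sig = parse_signature(line)
        if match(sig, syn):
            return sig["os"] + " " + sig["details"]
    return None
```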

Page 25: Stealth servers need Stealth Packets - Derbycon 3.0

!! LET'S CAMOUFLAGE !!

Page 26: Stealth servers need Stealth Packets - Derbycon 3.0


Page 27: Stealth servers need Stealth Packets - Derbycon 3.0

COMMERCIAL ENGINES

These techniques can be used to avoid commercial implementations. We hide our machine, fooling the detection engine into recognizing us as another OS, to attack another host and lead the administrator to think it may be a false positive.

Fingerprint value example:
key=fp_id;value=100000
key=rna_fingerprint_type_id;value=9
key=rna_fingerprint_description;value=iPhone
key=rna_fingerprint_vendor_str;value=Apple
key=rna_fingerprint_product_str;value=iOS
key=rna_fingerprint_version_str;value=NULL
key=val1;value=340e4d28c315390d
key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b

I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with the default Nmap and p0f databases to get the desired TCP/IP header values.

Page 28: Stealth servers need Stealth Packets - Derbycon 3.0

OS FOOLED! NOW OUR LINUX IS AN IOS DEVICE

(WE'RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS)

[Screenshot]

Page 29: Stealth servers need Stealth Packets - Derbycon 3.0

SPOOF NON EXISTING HOSTS

HOST CREATED WITH OUR NEW TOOL :)

[Screenshot]

Page 30: Stealth servers need Stealth Packets - Derbycon 3.0

Long story short: SYN ACK FIN

Page 31: Stealth servers need Stealth Packets - Derbycon 3.0

SEGURIDADOFENSIVA.COM

@SEGOFENSIVA