Presentation of PRADS: the "Passive Realtime Asset Detection System" given to student at Dagen@IFI at UiO. Rights reserved to kwy and Ebf0.

1. PRADS
PASSIVE REAL-TIME ASSET DETECTION SYSTEM
Edward Fjellskål & Kacper Wysocki
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

2. Who are we?
Edward Fjellskål Kacper Wysocki
 Redpill Linpro (4 years)
 Redpill Linpro (1 year)
 First computer in 1983
 Born 31337
 Siv.Ing IKT
 B.A. Comp. Sci
 Linux and security since 98
 Norman Anti-Virus
 Network Security Monotoring
 Forensics  Kernelpatching '01
 Pen testing  Packet sniffing
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

3. What is PRADS?
Detection via:
 Hosts - ARP and IP
 Services - UDP and TCP
 OS - IP(TCP/UDP/ICMP)
 MAC - ARP
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

4. Why PRADS
 Existing open source tools do similar things but
 Want to combine data to do a fast assesment
 Designed for big networks and high bandwidth
 Automatically create host attribute table for Snort
 Exciting and educational
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

5. Ways to use PRADS
Overview over
 Machines (IP)
 Operating Systems and patch levels
(Windows/Linux/Solaris/Mac/*BSD...)
 Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...)
 Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...)
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

6. Ways to use PRADS
... so one can:
 Automate monitoring of a network in constant change.
 Improve protection of your network with IDS/IPS.
 Policy & Compliance
 Know your assets at any given time.
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

7. TCP fingerprinting?
 TCP used for (almost) everything.
 Nothing new here (nmap, p0f, SinPF, netfilter!, pf)
 Nmap is active. (p0f can too!)
 Active scanning is not always acceptable.
 P0f – a proof of concept
 Fingerprint fuzzing
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

8. TCP Fingerprinting in depth
 Transmission Control Protocol: Crash course
TCP is reliable communication of data streams.
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

9. TCP Fingerprinting in depth
A typical TCP connection: 3-way handshake
1) Client sends SYN
"Hello, I want to talk to you"
2) Server sends SYN+ACK
"Hi, ok I'm listening"
3) Client sends ACK
Communication is established.
Interesting fields already in first packet!
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

10. TCP Fingerprinting in depth
 Signatures: known patterns
Guess the OS on the basis of packet fields
WindowSize : TTL : DontFrag : SYNsize : Options : Quirks
 Fingerprints: describe packets
– Fingerprints match one or more signatures
sig and fp are concise, not readable :-)
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

11. TCP Fingerprinting in depth
Interesting fields in 1st packet

Window Size

Reserved field

TCP Flags

TCP Options
Data?

PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

12. TCP Fingerprinting in depth
 Signatures: known patterns
WindowSize : TTL : DontFrag : SYNsize : Options : Quirks
S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6
S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+
65535:64:1:48:M1460,S:.:FreeBSD:7.0
 Fingerprints: describe packets
[5672:64:0:60:M1430,S,T,N,W6:A] (Google bot)
 Fingerprints match one or more signatures
sig and fp are concise, not readable :-)
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

13. TCP Fingerprinting in depth
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

14. TCP Fingerprinting in depth
 TCP Options:
WindowSize : TTL : DontFrag : SYNsize : Options : Quirks
S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6
MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++

Read the RFCs
 Quirks – weird things some OS's do
Z: no ID, I: IP opts, U: URG flag, X: reserved,
A: ACK flag, F: other flags, D: data in SYN packet,
T: extra timestamp, P: options after EOL
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

15. UDP/ICMP fingerprinting
 Not 100%, only used as indication
 Easy to implement compared to IP/TCP FP
 Good alternative if can't use TCP for some reason
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

17. ARP Fingerprinting/Detection
 Catch ARP Request/Reply
 Registrer MAC and IP
 Look up MAC vendor
who made the NIC?
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

18. Detection: Clients and Services
 Look for signatures in traffic flow
 Expensive to look at each byte of each packet
 Signature is usually at start of connection (think
magic numbers)
 Signatures can be manipulated.
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

19. DEMO
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

20. PRADS – future work
 More detection methods
– (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...)
 even better optimizations (OpenCL, SIMD etc)
 GUI / network mapping
 Policy & Compliance
 Alarms
 CVE
 OSSIM integration
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING

21. Thank you for your time
 edward@redpill-linpro.com
 kwy@redpill-linpro.com
 http://gamelinux.github.com/prads/
Questions? Yes please!
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING