SlideShare a Scribd company logo

fingerprinting blackhat by pseudor00t

pseudor00t overflow
pseudor00t overflow

fingerprinting blackhat by pseudor00t

Internet
1 of 23
Download to read offline
Cyber Security and Trust Research & DevelopmentCyber Security and Trust Research & Development http://www.ISTS.dartmouth.eduhttp://www.ISTS.dartmouth.edu Dartmouth CollegeDartmouth College IINSTITUTENSTITUTE FORFOR SSECURITYECURITY TTECHNOLOGYECHNOLOGY SSTUDIESTUDIES Active 802.11 fingerprinting Sergey Bratus Cory Cornelius, Daniel Peebles, Axel Hansen
Can a client station trust an AP? Is this AP one of a trusted group, or evil faker? Why yes, just exchange some crypto with it, and verify the AP knows the right secrets. Problem solved, right? Not exactly: are all these exchanges bug-free? www.ISTS.dartmouth.edu Motivation INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Initially, an AP is just a MAC address (and other easily faked info) That's all we know. www.ISTS.dartmouth.edu The problem INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College  To perform crypto authentication of AP, driver must parse complex data structures  Complex data from untrusted source? -- Is this such a good idea? Trust me!
www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response
www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
Early 802.11: AP = castle, must fight off barbarians (unauthorized clients) Reality: can peasants = clients find the right castle? • Dai Zovi, Macaulay: Karma • Shmoo: “Badass tackle...” • Simple Nomad: “Friendly skies...” • Cache & Maynor: “Hijackng a MacBook in 60 seconds” • Month of kernel bugs (Nov '06) www.ISTS.dartmouth.edu AP vs. clients INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Fingerprint the AP before trying to authenticate and associate with it: limit the kinds of accepted data Must be simple & cheap (no RF spectrum analysis, Fourier transforms, etc. ) Follow IP stack fingerprinting ideas: unusual and non-standard header field combinations – but in link layer (L2) www.ISTS.dartmouth.edu Fingerprint it! INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
www.ISTS.dartmouth.edu Where we fit in INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Passive “Reasonable & Customary” Frames “Cruel & Unusual” Frames L4 / L3 L2 Xprobe P0f SinFP J.Cache U5 duration field Franklin et al. probe timings Fuzzers Nmap BAFFLE
L3, need an L2 connection • Nmap (1998-2006, ...) • Xprobe (2001, 2005, ...) • P0f (2000, 2006) • SinFP (2005) • Timing-related: Ping RTT (2003), Clock Skew (2005) • Scrubbers: Norm, Bro (2000-01) • Honeyd, Morph (2004-) • ... ? www.ISTS.dartmouth.edu TCP/IP fingerprinting INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
www.ISTS.dartmouth.edu BAFFLE INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College • Written in Ruby 1.8.2 • Ruby LORCON bindings from Metasploit • Builds Pcap/BPF filters for 802.11 frames from Ruby objects • Domain-specific language for tests, probes, and for matching responses
www.ISTS.dartmouth.edu Bits and states INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Not all flags make sense for all types & subtypes Not all flags make sense for all states Type Subtype
www.ISTS.dartmouth.edu 802.11 fiddly bits INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Only 0 makes sense on Mgmt & Ctrl frames Type Subtype Unusual on Probes Not for Mgmt frames
So many flags... www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Probe Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
Auth Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
“Secret handshake” www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point ? • Send “gibberish” flag combinations in ProbeReq and AuthReq frames • Watch for reactions (varying MACs helps): • FromDS, ToDS, MoreFrags, MoreData on STA -> AP frames are all non-standard
• Tony Capella (DC-11, '03): Ping RTT “Fashionably late – what your RTT tells ...” • Kohno, Broido, Claffy ('05): Clock Skew “Remote physical device fingerprinting” • Dan Kaminsky ('05): IP frag time-outs • Johnny Cache (Uninformed.org 5, '06): Statistical analysis of the duration field • Franklin et al (USENIX Sec, '06): Scanning Time intervals between Probe Req frames www.ISTS.dartmouth.edu Timing INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College 802.11 L2 TCP/IP L3
• Beacon frames contain AP clock's timestamp • Each HW clock drift differently; skew is the derivative of the clock's offsets against another clock (cf. Kohno, Broido, Claffy '05) • Issues: – AP clock's unique skew can be estimated reliably within 1-2 mins – Similar AP models have closer skews – Faking (e.g., with a laptop + Wi-Fi card in master mode) is hard enough www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Sensor Time AP T i m e
www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
• Johnny Cache for many inspirations • Joshua Wright and Mike Kershaw for LORCON • ToorCon & Uninformed.org • Everyone else who helped (including authors of madwifi*, Metasploit, Ruby, Lapack and many other great tools) www.ISTS.dartmouth.edu Source & Thanks INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College http://baffle.cs.dartmouth.edu/
Contact Information Institute for Security Technology Studies Dartmouth College 6211 Sudikoff Laboratory Hanover, NH 03755 --------------------------------- Phone: 603.646.0700 Fax: 603.646.1672 Email: info@ists.dartmouth.edu

Recommended

Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection finalAkshay Bansal
 
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurSneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurPriyanka Aash
 
WiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaWiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaEC-Council
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Antony's Final Draft v7
Antony's Final Draft v7Antony's Final Draft v7
Antony's Final Draft v7Antony Law
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
NETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxNETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxdohertyjoetta
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 

Recommended

Anomaly detection final
Anomaly detection finalAnomaly detection final
Anomaly detection finalAkshay Bansal
 
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurSneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurPriyanka Aash
 
WiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaWiFi Data Leakage by Solomon Sonya
WiFi Data Leakage by Solomon SonyaEC-Council
 
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23Chase Schultz
 
Antony's Final Draft v7
Antony's Final Draft v7Antony's Final Draft v7
Antony's Final Draft v7Antony Law
 
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...
BlueHat v18 || Record now, decrypt later - future quantum computers are a pre...BlueHat Security Conference
 
NETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxNETWORKING SYSTEMS .docx
NETWORKING SYSTEMS .docxdohertyjoetta
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
Seminar V2
Seminar V2Seminar V2
Seminar V2Moustafa Najm
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Brian Proctor - GICSP, CISSP, CRISC
 
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)GulshanKumar368
 
FRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHYFRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHYLINE Corporation
 
mcubed london - data science at the edge
mcubed london - data science at the edgemcubed london - data science at the edge
mcubed london - data science at the edgeSimon Elliston Ball
 
TCP/IP For Engineers
TCP/IP For EngineersTCP/IP For Engineers
TCP/IP For EngineersLeif Bloomquist
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsChase Schultz
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3Linaro
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Joel Aleburu
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionSpark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionDatabricks
 
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxName of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxrosemarybdodson23141
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...confluent
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...confluent
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Jason Shen
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)n|u - The Open Security Community
 
Cyber Forensics
Cyber Forensics Cyber Forensics
Cyber Forensics Deepak Kumar (D3)
 
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tCorreo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tpseudor00t overflow
 
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...pseudor00t overflow
 

More Related Content

Similar to fingerprinting blackhat by pseudor00t

Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Brian Proctor - GICSP, CISSP, CRISC
 
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)GulshanKumar368
 
mcubed london - data science at the edge
mcubed london - data science at the edgemcubed london - data science at the edge
mcubed london - data science at the edgeSimon Elliston Ball
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsChase Schultz
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3Linaro
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging96Boards
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Joel Aleburu
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics IntroJake K.
 
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionSpark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionDatabricks
 
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxName of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxrosemarybdodson23141
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...confluent
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...confluent
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Jason Shen
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 

Similar to fingerprinting blackhat by pseudor00t (20)

Seminar V2
Seminar V2Seminar V2
Seminar V2
 
Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?Encryption in industrial control systems; Is the juice worth the squeeze?
Encryption in industrial control systems; Is the juice worth the squeeze?
 
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
Osi week10(1) [autosaved] by Gulshan K Maheshwari(QAU)
 
FRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHYFRONTIERS IN CRYPTOGRAPHY
FRONTIERS IN CRYPTOGRAPHY
 
mcubed london - data science at the edge
mcubed london - data science at the edgemcubed london - data science at the edge
mcubed london - data science at the edge
 
TCP/IP For Engineers
TCP/IP For EngineersTCP/IP For Engineers
TCP/IP For Engineers
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
Practical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of ThingsPractical hardware attacks against SOHO Routers & the Internet of Things
Practical hardware attacks against SOHO Routers & the Internet of Things
 
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
LAS16-111: Easing Access to ARM TrustZone – OP-TEE and Raspberry Pi 3
 
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debuggingLAS16 111 - Raspberry pi3, op-tee and jtag debugging
LAS16 111 - Raspberry pi3, op-tee and jtag debugging
 
Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities Covert channels: A Window of Data Exfiltration Opportunities
Covert channels: A Window of Data Exfiltration Opportunities
 
Network Forensics Intro
Network Forensics IntroNetwork Forensics Intro
Network Forensics Intro
 
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure ExecutionSpark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
Spark Summit EU 2016: The Next AMPLab: Real-time Intelligent Secure Execution
 
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docxName of Company for Term ProjectStudent Name(s)Course MGMT.docx
Name of Company for Term ProjectStudent Name(s)Course MGMT.docx
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi and Eri...
 
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
How To Use Kafka and Druid to Tame Your Router Data (Rachel Pedreschi, Imply ...
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Cyber Forensics
Cyber Forensics Cyber Forensics
Cyber Forensics
 

More from pseudor00t overflow

Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tCorreo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tpseudor00t overflow
 
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...pseudor00t overflow
 
Bomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00tBomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00tpseudor00t overflow
 
Colombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIAColombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIApseudor00t overflow
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tpseudor00t overflow
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tpseudor00t overflow
 
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00tDefcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00tpseudor00t overflow
 
Modelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00tModelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00tpseudor00t overflow
 
Nagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00tNagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00tpseudor00t overflow
 
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t pseudor00t overflow
 
Criptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00tCriptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00tpseudor00t overflow
 
Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t pseudor00t overflow
 
Metodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00tMetodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00tpseudor00t overflow
 

More from pseudor00t overflow (15)

Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00tCorreo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
Correo de carlos castaño a vicente castaño nov. 2002 by pseudor00t
 
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
Carta ramon isaza by pseudor00t Carta ramon isaza AUC by pseudor00t Ramón Is...
 
Bomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00tBomba lapa artefactos explosivos by pseudor00t
Bomba lapa artefactos explosivos by pseudor00t
 
Colombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIAColombia paramilitares confidencial by pseudor00t CIA
Colombia paramilitares confidencial by pseudor00t CIA
 
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00tDefcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
Defcon 21-ozavci-vo ip-wars-return-of-the-sip by pseudor00t
 
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00tDefcon 21-pinto-defending-networks-machine-learning by pseudor00t
Defcon 21-pinto-defending-networks-machine-learning by pseudor00t
 
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00tDefcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
Defcon 21-caceres-massive-attacks-with-distributed-computing by pseudor00t
 
EL RANSOMWARE by pseudor00t
EL RANSOMWARE by pseudor00t EL RANSOMWARE by pseudor00t
EL RANSOMWARE by pseudor00t
 
Modelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00tModelo de seguridad Zerotrust by pseudor00t
Modelo de seguridad Zerotrust by pseudor00t
 
Nagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00tNagios para Dummies By pseudor00t
Nagios para Dummies By pseudor00t
 
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
Medicamentos disponibles para SARSCOV2 COVID19 by pseudor00t
 
Hacking Etico by pseudor00t
Hacking Etico by pseudor00tHacking Etico by pseudor00t
Hacking Etico by pseudor00t
 
Criptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00tCriptopunks. La libertad y el futuro de internet by pseudor00t
Criptopunks. La libertad y el futuro de internet by pseudor00t
 
Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t Infor nmap6 listado_de_comandos by pseudor00t
Infor nmap6 listado_de_comandos by pseudor00t
 
Metodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00tMetodologia pentesting-dragon jar by pseudor00t
Metodologia pentesting-dragon jar by pseudor00t
 

Recently uploaded

Statistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfStatistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfOndejSur
 
Reggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsrahman018755
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxChloeMeadows1
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxabhinandnam9997
 
Topology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdfTopology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdfAnushkaTripathi61
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan
 
Development Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appsDevelopment Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appscristianmanaila2
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?Linksys Velop Login
 
Premier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdfPremier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdfappinfoedgeca
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideVarun Mithran
 
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital PresenceCyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital PresencePC Doctors NET
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyDamar Juniarto
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebJie Liau
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkklolsDocherty
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxAnkitscribd
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsrahman018755
 

Recently uploaded (16)

Statistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdfStatistical Analysis of DNS Latencies.pdf
Statistical Analysis of DNS Latencies.pdf
 
Reggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirtsReggie miller choke t shirts
Reggie miller choke t shirtsReggie miller choke t shirts
 
Production 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptxProduction 2024 sunderland culture final - Copy.pptx
Production 2024 sunderland culture final - Copy.pptx
 
Article writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptxArticle writing on excessive use of internet.pptx
Article writing on excessive use of internet.pptx
 
Topology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdfTopology of the Network class 8 .ppt pdf
Topology of the Network class 8 .ppt pdf
 
Pvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdfPvtaan Social media marketing proposal.pdf
Pvtaan Social media marketing proposal.pdf
 
Development Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of appsDevelopment Lifecycle.pptx for the secure development of apps
Development Lifecycle.pptx for the secure development of apps
 
How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?How Do I Begin the Linksys Velop Setup Process?
How Do I Begin the Linksys Velop Setup Process?
 
Premier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdfPremier Mobile App Development Agency in USA.pdf
Premier Mobile App Development Agency in USA.pdf
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
 
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital PresenceCyber Security Services Unveiled: Strategies to Secure Your Digital Presence
Cyber Security Services Unveiled: Strategies to Secure Your Digital Presence
 
The Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case StudyThe Use of AI in Indonesia Election 2024: A Case Study
The Use of AI in Indonesia Election 2024: A Case Study
 
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWebiThome_CYBERSEC2024_Drive_Into_the_DarkWeb
iThome_CYBERSEC2024_Drive_Into_the_DarkWeb
 
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkkaudience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
audience research (emma) 1.pptxkkkkkkkkkkkkkkkkk
 
Case study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptxCase study on merger of Vodafone and Idea (VI).pptx
Case study on merger of Vodafone and Idea (VI).pptx
 
Thank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirtsThank You Luv I’ll Never Walk Alone Again T shirts
Thank You Luv I’ll Never Walk Alone Again T shirts
 

fingerprinting blackhat by pseudor00t

  • 1. Cyber Security and Trust Research & DevelopmentCyber Security and Trust Research & Development http://www.ISTS.dartmouth.eduhttp://www.ISTS.dartmouth.edu Dartmouth CollegeDartmouth College IINSTITUTENSTITUTE FORFOR SSECURITYECURITY TTECHNOLOGYECHNOLOGY SSTUDIESTUDIES Active 802.11 fingerprinting Sergey Bratus Cory Cornelius, Daniel Peebles, Axel Hansen
  • 2. Can a client station trust an AP? Is this AP one of a trusted group, or evil faker? Why yes, just exchange some crypto with it, and verify the AP knows the right secrets. Problem solved, right? Not exactly: are all these exchanges bug-free? www.ISTS.dartmouth.edu Motivation INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 3. Initially, an AP is just a MAC address (and other easily faked info) That's all we know. www.ISTS.dartmouth.edu The problem INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College  To perform crypto authentication of AP, driver must parse complex data structures  Complex data from untrusted source? -- Is this such a good idea? Trust me!
  • 4. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response
  • 5. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
  • 6. www.ISTS.dartmouth.edu Say it ain't so INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point rates, essid, ... Probe Request -- Probe Response Laptop Ring 0 exploit
  • 7. Early 802.11: AP = castle, must fight off barbarians (unauthorized clients) Reality: can peasants = clients find the right castle? • Dai Zovi, Macaulay: Karma • Shmoo: “Badass tackle...” • Simple Nomad: “Friendly skies...” • Cache & Maynor: “Hijackng a MacBook in 60 seconds” • Month of kernel bugs (Nov '06) www.ISTS.dartmouth.edu AP vs. clients INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 8. Fingerprint the AP before trying to authenticate and associate with it: limit the kinds of accepted data Must be simple & cheap (no RF spectrum analysis, Fourier transforms, etc. ) Follow IP stack fingerprinting ideas: unusual and non-standard header field combinations – but in link layer (L2) www.ISTS.dartmouth.edu Fingerprint it! INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 9. www.ISTS.dartmouth.edu Where we fit in INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Passive “Reasonable & Customary” Frames “Cruel & Unusual” Frames L4 / L3 L2 Xprobe P0f SinFP J.Cache U5 duration field Franklin et al. probe timings Fuzzers Nmap BAFFLE
  • 10. L3, need an L2 connection • Nmap (1998-2006, ...) • Xprobe (2001, 2005, ...) • P0f (2000, 2006) • SinFP (2005) • Timing-related: Ping RTT (2003), Clock Skew (2005) • Scrubbers: Norm, Bro (2000-01) • Honeyd, Morph (2004-) • ... ? www.ISTS.dartmouth.edu TCP/IP fingerprinting INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 11. www.ISTS.dartmouth.edu BAFFLE INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College • Written in Ruby 1.8.2 • Ruby LORCON bindings from Metasploit • Builds Pcap/BPF filters for 802.11 frames from Ruby objects • Domain-specific language for tests, probes, and for matching responses
  • 12. www.ISTS.dartmouth.edu Bits and states INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Not all flags make sense for all types & subtypes Not all flags make sense for all states Type Subtype
  • 13. www.ISTS.dartmouth.edu 802.11 fiddly bits INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Only 0 makes sense on Mgmt & Ctrl frames Type Subtype Unusual on Probes Not for Mgmt frames
  • 14. So many flags... www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 15. Probe Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 16. Auth Request tests www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 17. “Secret handshake” www.ISTS.dartmouth.edu INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Laptop Wireless Access Point ? • Send “gibberish” flag combinations in ProbeReq and AuthReq frames • Watch for reactions (varying MACs helps): • FromDS, ToDS, MoreFrags, MoreData on STA -> AP frames are all non-standard
  • 18. • Tony Capella (DC-11, '03): Ping RTT “Fashionably late – what your RTT tells ...” • Kohno, Broido, Claffy ('05): Clock Skew “Remote physical device fingerprinting” • Dan Kaminsky ('05): IP frag time-outs • Johnny Cache (Uninformed.org 5, '06): Statistical analysis of the duration field • Franklin et al (USENIX Sec, '06): Scanning Time intervals between Probe Req frames www.ISTS.dartmouth.edu Timing INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College 802.11 L2 TCP/IP L3
  • 19. • Beacon frames contain AP clock's timestamp • Each HW clock drift differently; skew is the derivative of the clock's offsets against another clock (cf. Kohno, Broido, Claffy '05) • Issues: – AP clock's unique skew can be estimated reliably within 1-2 mins – Similar AP models have closer skews – Faking (e.g., with a laptop + Wi-Fi card in master mode) is hard enough www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 20. www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College Sensor Time AP T i m e
  • 21. www.ISTS.dartmouth.edu AP beacon clock skew INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College
  • 22. • Johnny Cache for many inspirations • Joshua Wright and Mike Kershaw for LORCON • ToorCon & Uninformed.org • Everyone else who helped (including authors of madwifi*, Metasploit, Ruby, Lapack and many other great tools) www.ISTS.dartmouth.edu Source & Thanks INSTITUTE FOR SECURITY TECHNOLOGY STUDIES Dartmouth College http://baffle.cs.dartmouth.edu/
  • 23. Contact Information Institute for Security Technology Studies Dartmouth College 6211 Sudikoff Laboratory Hanover, NH 03755 --------------------------------- Phone: 603.646.0700 Fax: 603.646.1672 Email: info@ists.dartmouth.edu