Recommandé
Recommandé
Contenu connexe
Similaire à PRADS presentation (English) @ University of Oslo by Ebf0 and kwy
Similaire à PRADS presentation (English) @ University of Oslo by Ebf0 and kwy (20)
Dernier
Dernier (20)
PRADS presentation (English) @ University of Oslo by Ebf0 and kwy
- 1. PRADS PASSIVE REAL-TIME ASSET DETECTION SYSTEM Edward Fjellskål & Kacper Wysocki PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 2. Who are we? Edward Fjellskål Kacper Wysocki Redpill Linpro (4 years) Redpill Linpro (1 year) First computer in 1983 Born 31337 Siv.Ing IKT B.A. Comp. Sci Linux and security since 98 Norman Anti-Virus Network Security Monotoring Forensics Kernelpatching '01 Pen testing Packet sniffing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 3. What is PRADS? Detection via: Hosts - ARP and IP Services - UDP and TCP OS - IP(TCP/UDP/ICMP) MAC - ARP PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 4. Why PRADS Existing open source tools do similar things but Want to combine data to do a fast assesment Designed for big networks and high bandwidth Automatically create host attribute table for Snort Exciting and educational PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 5. Ways to use PRADS Overview over Machines (IP) Operating Systems and patch levels (Windows/Linux/Solaris/Mac/*BSD...) Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...) Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 6. Ways to use PRADS ... so one can: Automate monitoring of a network in constant change. Improve protection of your network with IDS/IPS. Policy & Compliance Know your assets at any given time. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 7. TCP fingerprinting? TCP used for (almost) everything. Nothing new here (nmap, p0f, SinPF, netfilter!, pf) Nmap is active. (p0f can too!) Active scanning is not always acceptable. P0f – a proof of concept Fingerprint fuzzing PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 8. TCP Fingerprinting in depth Transmission Control Protocol: Crash course TCP is reliable communication of data streams. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 9. TCP Fingerprinting in depth A typical TCP connection: 3-way handshake 1) Client sends SYN "Hello, I want to talk to you" 2) Server sends SYN+ACK "Hi, ok I'm listening" 3) Client sends ACK Communication is established. Interesting fields already in first packet! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 10. TCP Fingerprinting in depth Signatures: known patterns Guess the OS on the basis of packet fields WindowSize : TTL : DontFrag : SYNsize : Options : Quirks Fingerprints: describe packets – Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 11. TCP Fingerprinting in depth Interesting fields in 1st packet Window Size Reserved field TCP Flags TCP Options Data? PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 12. TCP Fingerprinting in depth Signatures: known patterns WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+ 65535:64:1:48:M1460,S:.:FreeBSD:7.0 Fingerprints: describe packets [5672:64:0:60:M1430,S,T,N,W6:A] (Google bot) Fingerprints match one or more signatures sig and fp are concise, not readable :-) PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 13. TCP Fingerprinting in depth PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 14. TCP Fingerprinting in depth TCP Options: WindowSize : TTL : DontFrag : SYNsize : Options : Quirks S4 : 64 : 1 : 60 : M*,S,T,N,W8 : . : Linux:2.6 MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++ Read the RFCs Quirks – weird things some OS's do Z: no ID, I: IP opts, U: URG flag, X: reserved, A: ACK flag, F: other flags, D: data in SYN packet, T: extra timestamp, P: options after EOL PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 15. UDP/ICMP fingerprinting Not 100%, only used as indication Easy to implement compared to IP/TCP FP Good alternative if can't use TCP for some reason PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 17. ARP Fingerprinting/Detection Catch ARP Request/Reply Registrer MAC and IP Look up MAC vendor who made the NIC? PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 18. Detection: Clients and Services Look for signatures in traffic flow Expensive to look at each byte of each packet Signature is usually at start of connection (think magic numbers) Signatures can be manipulated. PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 19. DEMO PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 20. PRADS – future work More detection methods – (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...) even better optimizations (OpenCL, SIMD etc) GUI / network mapping Policy & Compliance Alarms CVE OSSIM integration PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
- 21. Thank you for your time edward@redpill-linpro.com kwy@redpill-linpro.com http://gamelinux.github.com/prads/ Questions? Yes please! PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING