Sun Tzu once said, "Know your enemy and know yourself, and in a hundred battles you will never be defeated." Cyberwar is upon us, APTs are all too common nowadays, and we need to think about new tricks to avoid them, staying one step ahead to keep our systems secure.
You can take that step by defending your servers against the first phase of every APT operation: fingerprinting. This is done by intercepting all the traffic your box sends and camouflaging it, modifying in real time the TCP/IP flags that reveal your system.
This presentation will discuss the current techniques used for OS fingerprinting and how to frustrate them:
- Active remote OS fingerprinting: like Nmap or Xprobe (with Live Demo: Laptop and Mobile)
- Passive remote OS fingerprinting: like p0f or pfSense (with Live Demo: Mobile)
- Commercial engines like Sourcefire's FireSiGHT OS fingerprinting (with Live Demo: Laptop)
There will be many live demos, and OSfooler will be released; it has some interesting features:
- No need for kernel modification or patches
- Highly portable and configurable
- Will emulate any OS
- Capable of handling the Nmap and p0f fingerprint databases (beta phase)
- Transparent for the user
- Undetectable for the attacker
- Available for your Linux laptop, server and mobile device
Sorry guys, remote OS fingerprinting is over…
Stealth servers need Stealth Packets - Derbycon 3.0
1. STEALTH SERVERS NEED STEALTH PACKETS
JAIME SANCHEZ (@SEGOFENSIVA)
WWW.SEGURIDADOFENSIVA.COM
2. $ WHO I AM
DERBYCON 2013 JAIME SANCHEZ (@SEGOFENSIVA)
- Passionate about computer security.
- Computer Engineering degree and an Executive MBA.
- In my free time I conduct research on security and work as an independent consultant.
- I'm from Spain; We're sexy and you know it.
- Other conferences: RootedCON in Spain, Nuit Du Hack in Paris, Black Hat Arsenal USA, Defcon 21 USA
- Next conferences: Hacktivity, NoConName and Black Hat Sao Paulo
3. FROM KERNEL SPACE TO USER HEAVEN
NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ...
BLACKHAT ARSENAL USA 2013 JAIME SANCHEZ (@SEGOFENSIVA)
The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
4. A BRIEF OVERVIEW
5. ARCHITECTURE
[Diagram: protection rings from Ring 0 (kernel, most privileged) out to Ring 3 (least privileged), with devices outside the rings]
- Computer operating systems provide different levels of access to resources.
- This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
- Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
- On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
How I met your packet: From kernel Space to user Heaven
6. KERNEL vs USER SPACE
KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user mode applications work, and this memory can be swapped out when necessary.
Similarly, the term USER LAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
7. WTF !?
8. How I met your packets: the NFQUEUE way
9. [Diagram: receive path of an incoming packet. NIC -> DMA engine -> ring buffer (NIC memory) -> interrupt -> interrupt handler -> poll list (softirq) -> ip_rcv() in the IP layer -> tcp_v4_rcv() in the TCP process -> socket backlog -> TCP recv buffer -> read() by the application. Layers shown: device driver, kernel space, user space.]
10. [Diagram: the same receive path (NIC, DMA engine, ring buffer, interrupt handler, poll list, softirq, ip_rcv(), tcp_v4_rcv(), socket backlog, TCP recv buffer, read()) with the Netfilter hooks added: inbound packets enter PREROUTING (mangle, conntrack); local packets pass INPUT (filter); forwarded packets pass FORWARD; forwarded and accepted packets leave.]
Locally destined packets must pass the INPUT chains to reach listening sockets.
11. TARGET EXTENSIONS
A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution:
12. QUEUE
- QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
- For this to be useful, two further components are required:
  • a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
  • a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
- The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
$ iptables -A INPUT -j NFQUEUE --queue-num 0
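As an added example (not OSfooler's code, nor the netfilterqueue project's), here is the userspace half of the picture above: a verdict callback that rewrites the TTL, DF bit and TCP window of each queued IPv4/TCP packet and recomputes both checksums before accepting it. The personality values and the sample SYN are constructed, and the netfilterqueue package API used in the main block is an assumption.

```python
import struct

# Constructed "personality": the header values we want the wire to show.
# A real deployment would take these from an Nmap/p0f database entry.
PERSONALITY = {"ttl": 128, "df": True, "window": 8192}

def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mangle_packet(raw: bytes, personality: dict = PERSONALITY) -> bytes:
    """Rewrite TTL, DF and TCP window of an IPv4/TCP packet, then fix both checksums."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[0] >> 4 != 4 or raw[9] != 6 or len(raw) < ihl + 20:
        return raw  # not IPv4/TCP, or truncated: pass through unchanged
    ip, tcp = bytearray(raw[:ihl]), bytearray(raw[ihl:])
    ip[8] = personality["ttl"]                      # TTL is byte 8 of the IP header
    flags = struct.unpack("!H", ip[6:8])[0]         # DF is bit 0x4000 of flags/frag
    flags = flags | 0x4000 if personality["df"] else flags & 0xBFFF
    ip[6:8] = struct.pack("!H", flags)
    ip[10:12] = b"\x00\x00"                         # zero, then recompute IP checksum
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp[14:16] = struct.pack("!H", personality["window"])   # TCP window, bytes 14-15
    tcp[16:18] = b"\x00\x00"                        # TCP checksum covers a pseudo-header
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(bytes(pseudo + tcp)))
    return bytes(ip + tcp)

def header_fields(raw: bytes) -> dict:
    """Fingerprint-relevant fields of an IPv4/TCP packet plus checksum validity."""
    ihl = (raw[0] & 0x0F) * 4
    tcp = raw[ihl:]
    pseudo = raw[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {"ttl": raw[8], "df": bool(raw[6] & 0x40),
            "window": struct.unpack("!H", tcp[14:16])[0],
            "ip_ok": checksum(raw[:ihl]) == 0, "tcp_ok": checksum(pseudo + tcp) == 0}

def build_syn() -> bytes:
    """Constructed Linux-looking SYN (TTL 64, DF set, window 5840, no options)."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                               bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 5840, 0, 0))
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(bytes(pseudo + tcp)))
    return bytes(ip + tcp)

def verdict(pkt):
    """NFQUEUE callback (netfilterqueue package API assumed): mangle, then ACCEPT."""
    pkt.set_payload(mangle_packet(pkt.get_payload()))
    pkt.accept()

if __name__ == "__main__":  # pairs with: iptables -A OUTPUT -p tcp -j NFQUEUE --queue-num 0
    from netfilterqueue import NetfilterQueue  # assumed installed; needs root
    queue = NetfilterQueue()
    queue.bind(0, verdict)
    queue.run()
```

Hiding your own OS means mangling what you send, so the queue is bound on OUTPUT rather than the INPUT chain of the slide's command.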
13. SOME PRACTICAL EXAMPLES
14. REMOTE OS FINGERPRINTING
15. CLASSIC TECHNIQUES
16. NMAP
- Device Type
- Network Distance
- Running
- TCP Sequence Prediction
- OS Details
- IP ID Sequence Generation
- Uptime Guess
Device type: general purpose
Running: Microsoft Windows 7|Vista|2000
OS CPE: cpe:/o:microsoft_7::professional
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good Luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
17. RELEVANT FIELDS
[Diagram: header fields of IPv4, UDP, TCP and ICMP]
18. NMAP METHODS
Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports:
- SEQUENCE GENERATION (SEQ, OPS, WIN & T1):
  • WS(10), NOP, MSS(1460), TS(Tval:0xFFFFFFFF; Tsecr:0), SACK and W(1)
  • MSS(1400), WS(0), SACK, TS(Tval:0xFFFFFFFF; Tsecr:0), EOL and W(63)
  • TS(Tval:0xFFFFFFFF; Tsecr:0), NOP, NOP, WS(5), NOP, MSS(640) and W(4)
  • SACK, TS(Tval:0xFFFFFFFF; Tsecr:0), WS(10), EOL and W(4)
  • MSS(536), SACK, TS(Tval:0xFFFFFFFF; Tsecr:0), WS(10), EOL and W(16)
  • MSS(265), SACK, TS(Tval:0xFFFFFFFF; Tsecr:0) and W(512)
- ICMP ECHO (IE):
  • IP DF bit, TOS(0), CODE=9, SEQ=295, 120 bytes of 0x00 for payload
  • TOS(4), CODE=0, 150 bytes data, ICMP request ID and SEQ are incremented
- TCP EXPLICIT CONGESTION NOTIFICATION (ECN): ECN CWR ECE, WS(10), NOP, MSS(1460), SACK, NOP, NOP and W(3)
- TCP T2-T7:
  • no flags, IP DF and W(128) to an open port
  • SYN, FIN, URG, PSH and W(256) to an open port
  • ACK with IP DF and W(1024) to an open port
  • SYN with W(31337) to a closed port
  • ACK with IP DF and W(32768) to a closed port
  • FIN, PSH, URG and W(65535) to a closed port
- UDP: 'C' (0x43) x 300 for data field, IP ID value 0x1042
19. NMAP INTERNAL PROBES
Most important:
- TCP ISN greatest common divisor (GCD)
- TCP IP ID sequence generation alg (TI)
- TCP timestamp option alg (TS)
- TCP Options (O, O1-O6)
- TCP initial Window Size (W, W1-W6)
- Responsiveness (R)
- IP don't fragment bit (DF)
- IP initial time-to-live guess (TG)
Although there are others:
- TCP ISN counter rate (ISR)
- ICMP IP ID sequence generation alg (II)
- Shared IP ID sequence Boolean (SS)
- Don't Fragment ICMP (DFI)
- Explicit congestion notification (C)
- TCP miscellaneous quirks (Q)
- TCP sequence number (S)
- etc.
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
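To make the fingerprint format above concrete, here is an added example (not Nmap's code) that parses a few of its test lines and checks an observed response against them, honouring the hex ranges (3B-45), '|' alternatives and '>'/'<' comparisons the nmap-os-db syntax uses. The observed values are constructed; real Nmap weights each attribute via MatchPoints, which this simple count does not.

```python
import re

# The per-test lines of the fingerprint shown on the slide (nmap-os-db format).
FINGERPRINT = """\
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
IE(DFI=N%T=3B-45%TG=40%CD=S)"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")
HEX = re.compile(r"[0-9A-F]+")

def parse_fingerprint(text: str) -> dict:
    """'T1(R=Y%DF=Y%...)' lines -> {'T1': {'R': 'Y', 'DF': 'Y', ...}, ...}."""
    tests = {}
    for line in text.splitlines():
        found = TEST_LINE.match(line.strip())
        if found:
            pairs = (p.partition("=") for p in found.group(2).split("%") if p)
            tests[found.group(1)] = {key: value for key, _, value in pairs}
    return tests

def value_matches(expected: str, observed: str) -> bool:
    """One attribute: '|' alternatives, hex ranges 'LO-HI', '>X' / '<X', or exact."""
    for alt in expected.split("|"):
        if alt == observed:
            return True
        if not HEX.fullmatch(observed):
            continue                                # range/comparison need a hex value
        seen = int(observed, 16)
        rng = re.fullmatch(r"([0-9A-F]+)-([0-9A-F]+)", alt)
        if rng and int(rng.group(1), 16) <= seen <= int(rng.group(2), 16):
            return True
        if alt[:1] == ">" and seen > int(alt[1:], 16):
            return True
        if alt[:1] == "<" and seen < int(alt[1:], 16):
            return True
    return False

def score(fingerprint: dict, observed: dict) -> tuple:
    """(matched, total) attributes over the tests present in both. Nmap itself weights
    attributes via MatchPoints; counting them equally here is a simplification."""
    matched = total = 0
    for test, attrs in fingerprint.items():
        seen = observed.get(test)
        if seen is None:
            continue
        for key, expected in attrs.items():
            total += 1
            if value_matches(expected, seen.get(key, "")):
                matched += 1
    return matched, total

# Constructed observation of a Linux-like target: TTL 64 (0x40) sits inside 3B-45.
LINUX_OBSERVED = {
    "T1": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "S": "O", "A": "S+", "F": "AS", "RD": "0", "Q": ""},
    "T2": {"R": "N"},
    "T4": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "W": "0", "S": "A", "A": "Z", "F": "R",
           "O": "", "RD": "0", "Q": ""},
    "IE": {"DFI": "N", "T": "40", "TG": "40", "CD": "S"},
}
```

Changing only T and TG in the observation to a Windows-like 0x80 already drops two attributes from the score, which is exactly why a camouflage tool has to rewrite the initial TTL and not just the TCP options.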
20. OTHER TOOLS
- IP PERSONALITY: A patch for Linux kernels of version 2.4 that modifies characteristics of network traffic.
- STEALTH PATCH: Simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing it to ignore some kinds of packets.
- FINGERPRINT FUCKER: A kernel module available for Linux kernel version 2.2 that also tries to hide the original OS and act as a different one.
- BLACKHOLE: TCP and UDP packet filtering options, allowing to respectively block RST and ICMP answers on closed ports.
- HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
- OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
21. !! LET'S CAMOUFLAGE !!
22. [no text on this slide]
23. PASSIVE OS FINGERPRINTING
- p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
- There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
- Passive fingerprinting is like a packet sniffer: it examines network traffic, making a copy of the data but without redirecting or altering it.
- Can be used for several purposes:
  1. As stealthy fingerprinting, bypassing the need for using an active tool that can be detected by various IDS systems.
  2. To identify remote proxy firewalls.
  3. Organizations can use it to identify rogue systems on their network.
[Diagram: sniffer]
24. SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Fields, left to right:
- Window Size: * any value; %nnn multiple of nnn; Sxx MSS multiple; Txx MTU multiple; xxx constant value
- Initial TTL
- DF Bit
- Packet Size
- TCP options and order: N: NOP; E: EOL; Wnnn: WS; Mnnn: MSS; S: SACK; T / T0: Timestamp; ?n: unrecognized option n
- Quirks: Data in SYN packets; Options after EOL; IP ID Field = 0; ACK different from 0; Unusual flags; Incorrect options decode
- Operating System - Family - Version
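As an added example (not p0f's code), the following decodes a SYN's raw TCP options into the token notation listed above and matches the observed window, TTL, DF bit, packet size and option order against a p0f v2 signature such as the slide's Windows 98 line, including the window wildcards (*, %nnn, Sxx, Txx). The observed SYN values and the Linux signature in the test are constructed; MAX_HOPS and the MSS+40 MTU estimate are assumptions, and quirks are not checked.

```python
import struct

MAX_HOPS = 32  # assumption: how many hops below the initial TTL we still accept

def parse_signature(line: str) -> dict:
    """Split a p0f v2 line, e.g. '8192:32:1:48:M*,N,N,S:.:Windows:98', into fields."""
    wsize, ttl, df, size, opts, quirks, os_name, details = line.split(":", 7)
    return {"wsize": wsize, "ttl": int(ttl), "df": int(df), "size": int(size),
            "opts": opts.split(",") if opts != "." else [], "quirks": quirks,
            "os": os_name, "details": details}

def decode_options(data: bytes) -> list:
    """Raw TCP option bytes -> p0f tokens: N, E, Mnnn, Wnnn, S, T/T0, ?n."""
    tokens, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # EOL ends the option list
            tokens.append("E")
            break
        if kind == 1:                       # NOP has no length byte
            tokens.append("N")
            i += 1
            continue
        length, body = data[i + 1], data[i + 2:i + data[i + 1]]
        if kind == 2:
            tokens.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3:
            tokens.append("W%d" % body[0])
        elif kind == 4:
            tokens.append("S")
        elif kind == 8:                     # T0 when the timestamp value is zero
            tokens.append("T0" if struct.unpack("!I", body[:4])[0] == 0 else "T")
        else:
            tokens.append("?%d" % kind)
        i += length
    return tokens

def window_matches(spec: str, wsize: int, mss: int) -> bool:
    if spec == "*":
        return True
    if spec[0] == "%":
        return wsize % int(spec[1:]) == 0
    if spec[0] == "S":
        return wsize == int(spec[1:]) * mss
    if spec[0] == "T":
        return wsize == int(spec[1:]) * (mss + 40)   # assumed MTU estimate for IPv4
    return wsize == int(spec)

def match(sig: dict, syn: dict) -> bool:
    """syn = {'wsize','ttl','df','size','options'} observed in one SYN (quirks not checked)."""
    tokens = decode_options(syn["options"])
    if len(tokens) != len(sig["opts"]):
        return False
    for spec, tok in zip(sig["opts"], tokens):    # 'M*' / 'W*' accept any value
        if not (tok == spec or (spec.endswith("*") and tok[0] == spec[0])):
            return False
    mss = next((int(t[1:]) for t in tokens if t[0] == "M"), 0)
    return (window_matches(sig["wsize"], syn["wsize"], mss)
            and sig["ttl"] - MAX_HOPS < syn["ttl"] <= sig["ttl"]
            and sig["df"] == syn["df"] and sig["size"] == syn["size"])

# Constructed observation: MSS 1460, NOP, NOP, SACK-permitted; 20-byte IP + 28-byte TCP = 48.
WIN98_SYN = {"wsize": 8192, "ttl": 28, "df": 1, "size": 48,
             "options": bytes.fromhex("020405b4 0101 0402")}
```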
25. !! LET'S CAMOUFLAGE !!
26. [no text on this slide]
27. COMMERCIAL ENGINES
These techniques can be used to evade commercial implementations. We hide our machine, fooling the detector engine into recognizing us as another OS, to attack another host while leading the administrator to think it may be a false positive.
Fingerprint value example:
key=fp_id;value=100000
key=rna_fingerprint_type_id;value=9
key=rna_fingerprint_description;value=iPhone
key=rna_fingerprint_vendor_str;value=Apple
key=rna_fingerprint_product_str;value=iOS
key=rna_fingerprint_version_str;value=NULL
key=val1;value=340e4d28c315390d
key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d1
66085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834a
f9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc5
03a4847e9c0fa22fe666cb1dc115309eb77
key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with the default Nmap and p0f database to get the desired TCP/IP header values.
28. (WE'RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS)
[Screenshots]
OS FOOLED! NOW OUR LINUX IS AN IOS DEVICE
29. SPOOF NON EXISTING HOSTS
HOST CREATED WITH OUR NEW TOOL :)
[Screenshots]
30. Long story short: SYN ACK FIN
31. SEGURIDADOFENSIVA.COM
@SEGOFENSIVA