SlideShare une entreprise Scribd logo

Stealth servers need Stealth Packets - Derbycon 3.0

Jaime Sánchez
Jaime Sánchez

Sun Tzu once said "Know your enemy and know yourself, and in a hundred battles you will never be defeated". Cyberwar is upon us, and APT is too common nowadays and we need to think about new tricks to avoid it, being one step ahead to keep your systems secure. You can give that step in order defend your servers against the first phase in all APT operations: Fingerprinting. This is done by intercepting all traffic that your box is sending in order to camouflage and modify in real time the flags in TCP/IP packets that discover your system. This presentation will discuss the current techniques used for OS fingerprinting and how to frustrate them: - Active remote OS fingerprinting: like Nmap or Xprobe (with Live Demo: Laptop and Mobile) - Passive remote OS fingeprinting: like p0f or pfsense (with Live Demo: Mobile) - Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting (with Live Demo: Laptop) There will be a many live demos, and will release OSfoller, that have some interesting features: - No need for kernel modification or patches - Highly portable and configurable - Will emulate any OS - Capable of handling nmap and p0f fingerprint database (beta phase) - Transparent for the user - Undetectable for the attacker - Available for your Linux laptop, server and mobile device Sorry guys, remote OS fingerprinting is over…

Technologie
1  sur  31
Télécharger pour lire hors ligne
1 STEALTH SERVERS NEED STEALTH PACKETS STEALTH SERVERS NEED STEALTH PACKETS JAIME SANCHEZ (@SEGOFENSIVA) WWW.SEGURIDADOFENSIVA.COM
2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) $  WHO  I  AM   §  Passionate  about  computer  security. §  Computer  Engineering  degree   and  an  Execu7ve   MBA.   §   In   my   free   8me   I   conduct   research   on   security   and  work  as  an  independent  consultant. §  I’m  from  Spain;  We’re  sexy  and  you  know  it. §    Other  conferences: §  RootedCON  in  Spain §  Nuit  Du  Hack  in  Paris   §  Black  Hat  Arsenal  USA §  Defcon  21  USA §  Next  conferences:  Hack7vity,  NoConName  and   Black  Hat  Sao  Paulo
FROM KERNEL SPACE TO USER HEAVEN 3 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has the better for our security. If we can fool all network tools he’ll be using, we’ll be able to prevent some attacks attempts 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
A  BRIEF  OVERVIEW FROM KERNEL SPACE TO USER HEAVEN 4 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
Devices Devices Devices Kernel Ring  0 Ring  1 Ring  2 Ring  3 Less Privileged More Privileged §  Computer  opera+ng  systems  provide  different   levels  of  access  to  resources. §  This  is  generally  hardware-­‐enforced  by  some   CPU  architectures  hat  provide  different  CPU   modes  at  the  hardware  or  microcode  level. §  Rings  are  arranged  in  a  hierarchy  from  most   privileged  (most  trusted,  usually  numbered  zero)   to  least  privileged  (least  trusted,  usually  with  the   highest  ring  number). §  On  most  opera+ng  systems,  RING  0  is  the  level   with  the  most  privileges  and  interacts  most   directly  with  the  physical  hardware  such  as  the   CPU  and  memory. ARCHITECTURE How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 5 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
KERNEL  vs  USER  SPACE KERNEL  SPACE USER  SPACE KERNEL  SPACE  is  strictly  reserved  for  running  the  kernel,  kernel  extensions,  and  most  device   drivers.  In  contrast,  user  space  is  the  memory  area  where  all  user  mode  applica+ons  work   and  this  memory  can  be  swapped  out  when  necessary. Similarly,   the  term  USER  LAND  refers  to  all  applica+on  soKware  that  runs  in  user   space.   Userland  usually  refers  to  the  various  programs  and  libraries  that  the  opera+ng  system  uses   to  interact  with  the  kernel:  soKware  that  performs  input/output,  manipulates  file  system,   objects,  etc. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 6 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
WTF  !? How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 7 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
8 How Imet your packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven the NFQUEUE way OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
9 NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() locally  des8ned  packets  must  pass  the   INPUT  chains  to  reach  listening  sockets INPUT FORWARD PREROUTING MANGLECONNTRACK FILTER forwarded  and  accepted  packets Inbound  Packets forwarded   packets local packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 10 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
TARGET  EXTENSIONS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven  A  target  extension  consists  of  a  KERNEL  MODULE,  and  an  op+onal  extension  to  iptables  to   provide  new  command  line  op+ons. There  are  several  extensions  in  the  default  NeQilter  distribu+on: 11 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
QUEUE §  QUEUE  is  an  iptables  and  ip6tables  target  which  which  queues  the  packet  for  userspace   processing. §  For  this  to  be  useful,  two  further  components  are  required: • a  QUEUE  HANDLER  which  deals  with  the  actual  mechanics  of  passing  packets  between   the  kernel  and  userspace;  and • a  USERSPACE  APPLICATION  to  receive,  possibly  manipulate,  and  issue  verdicts  on   packets. §  The  default  value  for  the  maximum  queue  length  is  1024.  Once  this  limit  is  reached,  new   packets  will  be  dropped  un+l  the  length  of  the  queue  falls  below  the  limit  again.   How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 12 FROM KERNEL SPACE TO USER HEAVEN 13 $ iptables -A INPUT -j NFQUEUE --queue-num 0 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
SOME  PRACTICAL EXAMPLES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 13 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
REMOTE  OS FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 14 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
CLASSIC  TECHNIQUES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 15 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
NMAP   -­‐  Device  Type       -­‐  Network  Distance   -­‐  Running       -­‐  TCP  Sequence  Predic7on   -­‐  OS  Details       -­‐  IP  ID  Sequence  Genera7on   -­‐  Up7me  Guess Device  Type:  general  purpose Running:  MicrosoK  Windows  7|Vista|2000 OS  CPE:  cpe:/o:microsoK_7::professional OS  details:  MicrosoK  Windows  7  Professional,  MicrosoK   Windows  Vista  SP0  or  SP1 Up7me  guess:  2.196  days  (since  Mon  Feb  4  12:14:01  2013) Network  Distance:  1  hop TCP  Sequence  Predic7on:  Difficulty=262  (Good  Luck!) IP  ID  Sequence  Genera7on:  Incremental Service  Info:  OS:  Windows;  CPE:  cpe:/o:microsoK:windows How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 16 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
17 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) IPv4 UDP TCP ICMP 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)      RELEVANT  FIELDS
ECN  CWN  ECE,  WS(10),  NOP,  MSS(1460),  SACK,  NOP,  NOP  and  W3 IP  DF  bit,  TOS(0),  CODE=9,  SEQ=295,  120  bytes  of  0x00  for  payload no  flags,  IP  DF  and  W(128)  to  an  open  port SYN,  FIN,  URG,  PSH  and  W(256)  to  an  open  port ACK  with  IP  DF  and  W(1024)  to  an  open  port SYN  with  W(31337)  to  a  closed  port ACK  with  IP  DF  and  W(32768)  to  a  closed  port FIN,  PSH,  URG  and  W(65535)  to  a  closed  port WS(10),NOP,MSS(1460),TS(Tval:0xFFFFFFFF.  Tsecr:0),  SACK  and  W(1) MSS(1400),  WS(0),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),EOL  and  W(63) TS(Tval:0xFFFFFFFF.  Tsecr:0),NOP,NOP,WS(5),NOP,MSS(640)  and  W(4) SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),WS(10),EOL  and  W(4) MSS(536),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),  WS(10),EOL  and  W(16) MSS(265),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0)  and  W(512) NMAP  METHODS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 18 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEQUENCE  GENERATION  (SEQ,  OPS,  WIN  &  T1) ICMP  ECHO  (IE) TCP  EXPLICIT  CONGESTION  NOTIFICATION  (ECN) TCP  T2-­‐T7 UDP  -­‐  Nmap  sends  15  TCP,  UDP  and  ICMP  tests,  to  open  and  closed  system  ports: OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) ‘C’  (0x43)  x  300  for  data  field.  IP  ID  value  0x1042   TOS(4),  CODE=0,  150  bytes  data,  ICMP  request  ID  and  SEQ  are  incremented
Although  there  are  others: §  TCP  ISN  counter  rate  (ISR) §  ICMP  IP  ID  sequence  genera8on  alg  (II) §  Shared  IP  ID  sequence  Boolean  (SS) §  Don’t  Fragment  ICMP  (DFI) §  Explicit  conges8on  no8fica8on  (C) §  TCP  miscellaneous  quirks  (Q) §  TCP  sequence  number  (S) §  etc. NMAP  INTERNAL  PROBES Most  important: §  TCP  ISN  greatest  common  divisor  (GDC) §  TCP  IP  ID  sequence  genera8on  alg  (TI) §  TCP  8mestamp  op8on  alg  (TS) §  TCP  Op8ons  (O,  O1-­‐O6) §  TCP  ini8al  Window  Size  (W,  W1-­‐W6) §  Responsiveness  (R) §  IP  don’t  fragment  bit  (DF) §  IP  ini8al  8me-­‐to-­‐live  guess  (TG) Fingerprint Linux 2.6.17 - 2.6.24 Class Linux | Linux | 2.6.X | general purpose SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U) OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C) WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018) ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=) T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=) T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=N%T=3B-45%TG=40%CD=S) How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 19 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
OTHER  TOOLS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 20 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN A  patch  for  Linux  kernels  of   version  2.4.,  that  modifies   characteris+cs  of  network   traffic IP  PERSONALITY Simple  TCP  packets   iden+fica+on  solu+on  as  a   Kenel 2.2-­‐2.4  core  module  patch,   allowing  ignore  some  kind   of  packets. STEALTH  PATCH A  kernel  module  available   for  Linux  kernel  of  version   2.2.  that  also  tries  to  hide   the  original  OS  and  act  as  a   different  one. FINGERPRINT  FUCKER TCP  and  UDP  packets   filtering  op+ons,  allowing   to  respec+vely  block  RST   and  ICMP  answers  on   closed  ports BLACKHOLE Honeyd  is able  to  simulate  Xprobe2   and  Nmap  (previous   version)  signatures  for  its virtual  hosts. HONEYD Windows  soKware  that   modifies  keys  in  the   register,  to change  some  TCP/IP   parameters. OSFUSCATE NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 21 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 22 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
PASSIVE  OS  FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 23 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN -­‐   p0f   is  a  tool  that  u+lizes  an  array   of  sophis+cated,   purely   passive,   traffic   fingerprin+ng   mechanisms  to  iden+fy  the  players  behind  any  ini7al  TCP/IP  communica7on  (oKen  as  limle   as  a  single  normal  SYN)  without  interfering  in  any  way. -­‐  There  are  other  tools  like  Emercap,  NetworkMiner,  PRADS,  Satori  or  PacketFence. -­‐   Passive   fingerprin+ng   is   like   a   packet   sniffer.   Examines   network   traffic,   making   a   copy   of   the   data   but   without   redirec+ng  or  altering  it. -­‐  Can  be  used  for  several  purposes: 1.   As   stealthy   fingerprin7ng,   bypassing   the   need   for   using  an  ac+ve  tool  that  can  be  detected  by  various  IDS   systems. 2.  To  iden7fy  remote  proxy  firewalls.   3.  Organiza+ons  can  use  it  to  iden7fy  rogue  systems  on   their  network. NUIT DU HACK 2013 Sniffer OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
SIGNATURES 8192:32:1:48:M*,N,N,S:.:Windows:98 Opera+ng  System    -­‐  Family    -­‐  Version Quirks      -­‐  Data  in  SYN  packets      -­‐  Op8ons  a]er  EOL      -­‐  IP  ID  Field  =  0      -­‐  ACK  different  to  0      -­‐  Unusual  flags      -­‐  Incorrect  op8ons  decode TCP  op+ons  and  order      -­‐  N:  NOP      -­‐  E:  EOL      -­‐  Wnnn:  WS      -­‐  Mnnn:  MSS      -­‐  S:  SACK      -­‐  T  /  T0:  Timestamp          -­‐  ?n Window  Size      -­‐  *  Any  value      -­‐  %nnn  nnn  Mul8ple      -­‐  Sxx  MSS  Mul8ple      -­‐  Txx  MTU  Mul8ple      -­‐  xxx  Constant  value Ini+al  TTL DF  Bit   Packet   Size How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 24 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 25 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 26 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
COMMERCIAL  ENGINES This  techniques  can  be  used  to  avoid  commercial  implementa+ons.  We  hide  our  machine,   faking  the  detector  engine  and  recognizing  us  like  another  OS,  to  amack  another  host  and   leading  administrator  to  think  it  may  be  a  false  posi+ve. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 27 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN Fingerprint  value  example: key=fp_id;value=100000 key=rna_fingerprint_type_id;value=9 key=rna_fingerprint_descrip8on;value=iPhone key=rna_fingerprint_vendor_str;value=Apple key=rna_fingerprint_product_str;value=iOS key=rna_fingerprint_version_str;value=NULL key=val1;value=340e4d28c315390d key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d1 66085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834a f9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc5 03a4847e9c0fa22fe666cb1dc115309eb77 key=uuid;value=714e6bc6-­‐991a-­‐445c-­‐bddb-­‐a8b13c23706b I  had  no  +me  to  figure  out  what  each  field  means  in  all  the  commercial  appliances  I’ve  seen   so  far.  I  decided  to  cross  the  data  available  with  default  Nmap  and  p0f  database  to  get  the   desired  TCP/IP  header  values. NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
(  WE’RE  RUNNING  OUR  PROGRAM  IN   BACKGROUND  TO  CHANGE  ALL  OUTBOUND   CONNECTIONS  ) From  kernel  Space  to  user  Heaven 28 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 OS  FOOLED!  NOW  OUT   LINUX  IS  AN  IOS  DEVICE How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
SPOOF  NON  EXISTING   HOSTS HOST  CREATED  WITH  OUR NEW  TOOL  :) From  kernel  Space  to  user  Heaven 29 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
Long    story    short: SYN ACK FIN How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 30 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 31 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEGURIDADOFENSIVA.COM @SEGOFENSIVA OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)

Recommandé

From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameDerevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEamiable_indian
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
CDP Indicator
CDP IndicatorCDP Indicator
CDP Indicatornpsg
 
IPSflexresponse-eng
IPSflexresponse-engIPSflexresponse-eng
IPSflexresponse-engPierpaolo Palazzoli
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTUMumbai University
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3Nutan Kumar Panda
 

Recommandé

From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13From Kernel Space to User Heaven #NDH2k13
From Kernel Space to User Heaven #NDH2k13Jaime Sánchez
 
Derevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameDerevolutionizing OS Fingerprinting: The cat and mouse game
Derevolutionizing OS Fingerprinting: The cat and mouse gameJaime Sánchez
 
Access over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEAccess over Ethernet: Insecurites in AoE
Access over Ethernet: Insecurites in AoEamiable_indian
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
CDP Indicator
CDP IndicatorCDP Indicator
CDP Indicatornpsg
 
IPSflexresponse-eng
IPSflexresponse-engIPSflexresponse-eng
IPSflexresponse-engPierpaolo Palazzoli
 
Creating a firewall in UBUNTU
Creating a firewall in UBUNTUCreating a firewall in UBUNTU
Creating a firewall in UBUNTUMumbai University
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3Nutan Kumar Panda
 
Disruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxDisruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxNaoto MATSUMOTO
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Cumulus Networks
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Lalad
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.Naoto MATSUMOTO
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentationEmin Abdul Azeez
 
Manipulating the Network with PacketFu
Manipulating the Network with PacketFuManipulating the Network with PacketFu
Manipulating the Network with PacketFuKeith Lee
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Linuxserver harden
Linuxserver hardenLinuxserver harden
Linuxserver hardenGregory Hanis
 
Analysis of Compromised Linux Server
Analysis of Compromised Linux ServerAnalysis of Compromised Linux Server
Analysis of Compromised Linux Serveranandvaidya
 
Wireshark
WiresharkWireshark
Wiresharkashiesh0007
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)Sam Kim
 
NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Deathnitayart
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CMLnpsg
 
Open stack pike-devstack-tutorial
Open stack pike-devstack-tutorialOpen stack pike-devstack-tutorial
Open stack pike-devstack-tutorialEueung Mulyana
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksCohesive Networks
 
AndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedAndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedJaime Sánchez
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User HeavenJaime Sánchez
 

Contenu connexe

Tendances

Disruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxDisruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxNaoto MATSUMOTO
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Cumulus Networks
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Lalad
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Jim Geovedi
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule WritingCisco DevNet
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabMichelle Holley
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networkingSim Janghoon
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsHisaki Ohara
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.Naoto MATSUMOTO
 
Manipulating the Network with PacketFu
Manipulating the Network with PacketFuManipulating the Network with PacketFu
Manipulating the Network with PacketFuKeith Lee
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linuxNouman Baloch
 
Analysis of Compromised Linux Server
Analysis of Compromised Linux ServerAnalysis of Compromised Linux Server
Analysis of Compromised Linux Serveranandvaidya
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)Sam Kim
 
NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Deathnitayart
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CMLnpsg
 
Open stack pike-devstack-tutorial
Open stack pike-devstack-tutorialOpen stack pike-devstack-tutorial
Open stack pike-devstack-tutorialEueung Mulyana
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksCohesive Networks
 

Tendances (20)

Disruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on LinuxDisruptive IP Networking with Intel DPDK on Linux
Disruptive IP Networking with Intel DPDK on Linux
 
Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]Webinar: Network Automation [Tips & Tricks]
Webinar: Network Automation [Tips & Tricks]
 
Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1Hakin9 nmap-ebook-ch1
Hakin9 nmap-ebook-ch1
 
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2Leonardo Nve Egea - Playing in a Satellite Environment 1.2
Leonardo Nve Egea - Playing in a Satellite Environment 1.2
 
Introduction to Snort Rule Writing
Introduction to Snort Rule WritingIntroduction to Snort Rule Writing
Introduction to Snort Rule Writing
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
 
OpenStack networking
OpenStack networkingOpenStack networking
OpenStack networking
 
Intel DPDK Step by Step instructions
Intel DPDK Step by Step instructionsIntel DPDK Step by Step instructions
Intel DPDK Step by Step instructions
 
How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.How to Speak Intel DPDK KNI for Web Services.
How to Speak Intel DPDK KNI for Web Services.
 
Iptables presentation
Iptables presentationIptables presentation
Iptables presentation
 
Manipulating the Network with PacketFu
Manipulating the Network with PacketFuManipulating the Network with PacketFu
Manipulating the Network with PacketFu
 
introduction of iptables in linux
introduction of iptables in linuxintroduction of iptables in linux
introduction of iptables in linux
 
Linuxserver harden
Linuxserver hardenLinuxserver harden
Linuxserver harden
 
Analysis of Compromised Linux Server
Analysis of Compromised Linux ServerAnalysis of Compromised Linux Server
Analysis of Compromised Linux Server
 
Wireshark
WiresharkWireshark
Wireshark
 
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
도커 없이 컨테이너 만들기 4편 네트워크네임스페이스 (2)
 
NDIS Packet of Death
NDIS Packet of DeathNDIS Packet of Death
NDIS Packet of Death
 
IxVM on CML
IxVM on CMLIxVM on CML
IxVM on CML
 
Open stack pike-devstack-tutorial
Open stack pike-devstack-tutorialOpen stack pike-devstack-tutorial
Open stack pike-devstack-tutorial
 
Chris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container NetworksChris Swan's ONUG NYC talk - Container Networks
Chris Swan's ONUG NYC talk - Container Networks
 

En vedette

AndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedAndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedJaime Sánchez
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User HeavenJaime Sánchez
 
Improving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device PollingImproving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device PollingHargyo T. Nugroho
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppJaime Sánchez
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Jaime Sánchez
 
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Jaime Sánchez
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyJaime Sánchez
 
ศิลปินในดวงใจ
ศิลปินในดวงใจศิลปินในดวงใจ
ศิลปินในดวงใจicesmurf
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumZimperium
 
How to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceHow to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceZimperium
 
Zimperium - Technology Briefing
Zimperium - Technology BriefingZimperium - Technology Briefing
Zimperium - Technology BriefingJake Leonard
 
Mobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumMobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumZimperium
 

En vedette (13)

AndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security ReloadedAndroIDS: Mobile Security Reloaded
AndroIDS: Mobile Security Reloaded
 
From Kernel Space to User Heaven
From Kernel Space to User HeavenFrom Kernel Space to User Heaven
From Kernel Space to User Heaven
 
Improving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device PollingImproving Passive Packet Capture : Beyond Device Polling
Improving Passive Packet Capture : Beyond Device Polling
 
Plataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsAppPlataformas de mensajería y riesgos asociados: caso WhatsApp
Plataformas de mensajería y riesgos asociados: caso WhatsApp
 
Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014Whatsapp: mentiras y cintas de video RootedCON 2014
Whatsapp: mentiras y cintas de video RootedCON 2014
 
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
Malicious Threats, Vulnerabilities and Defenses in WhatsApp and Mobile Instan...
 
Defeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of PrivacyDefeating WhatsApp’s Lack of Privacy
Defeating WhatsApp’s Lack of Privacy
 
ศิลปินในดวงใจ
ศิลปินในดวงใจศิลปินในดวงใจ
ศิลปินในดวงใจ
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
 
How to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat IntelligenceHow to Gather Global Mobile Threat Intelligence
How to Gather Global Mobile Threat Intelligence
 
Zimperium - Technology Briefing
Zimperium - Technology BriefingZimperium - Technology Briefing
Zimperium - Technology Briefing
 
Mobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by ZimperiumMobile Protect Pro - Powered by Zimperium
Mobile Protect Pro - Powered by Zimperium
 
Cisco OpenSOC
Cisco OpenSOCCisco OpenSOC
Cisco OpenSOC
 

Similaire à Stealth servers need Stealth Packets - Derbycon 3.0

Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedGluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedKeisuke Takahashi
 
(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms Overview(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms OverviewEL Bachir Nouni
 
Neural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep LearningNeural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep LearningAsim Jalis
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...AMD Developer Central
 
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...RISC-V International
 
Explorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoExplorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoAlvaro Viebrantz
 
Spark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureSergey Gordeychik
 
Building Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.jsBuilding Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.jsZURB
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for MainframesCheryl Biswas
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsMarian Marinov
 
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...Databricks
 
App Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized WorkloadsApp Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized WorkloadsDataCore Software
 

Similaire à Stealth servers need Stealth Packets - Derbycon 3.0 (20)

Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting startedGluster Cloud Night in Tokyo 2013 -- Tips for getting started
Gluster Cloud Night in Tokyo 2013 -- Tips for getting started
 
(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms Overview(Crypto) DES And RSA Algorithms Overview
(Crypto) DES And RSA Algorithms Overview
 
SnakeGX (full version)
SnakeGX (full version) SnakeGX (full version)
SnakeGX (full version)
 
Neural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep LearningNeural Networks, Spark MLlib, Deep Learning
Neural Networks, Spark MLlib, Deep Learning
 
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
Computer Vision Powered by Heterogeneous System Architecture (HSA) by Dr. Ha...
 
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
Ziptillion boosting RISC-V with an efficient and os transparent memory comp...
 
Explorando Go em Ambiente Embarcado
Explorando Go em Ambiente EmbarcadoExplorando Go em Ambiente Embarcado
Explorando Go em Ambiente Embarcado
 
Spark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg SchadSpark Summit EU talk by Jorg Schad
Spark Summit EU talk by Jorg Schad
 
Project
ProjectProject
Project
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Hack.lu 2016
Hack.lu 2016 Hack.lu 2016
Hack.lu 2016
 
Vulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructureVulnerabilities of machine learning infrastructure
Vulnerabilities of machine learning infrastructure
 
Troubleshooting Java HotSpot VM
Troubleshooting Java HotSpot VMTroubleshooting Java HotSpot VM
Troubleshooting Java HotSpot VM
 
Building Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.jsBuilding Pageless Apps with Rails and Backbone.js
Building Pageless Apps with Rails and Backbone.js
 
A Stuxnet for Mainframes
A Stuxnet for MainframesA Stuxnet for Mainframes
A Stuxnet for Mainframes
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
Microservices and Teraflops: Effortlessly Scaling Data Science with PyWren wi...
 
App Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized WorkloadsApp Performance Tip: Sharing Flash Across Virtualized Workloads
App Performance Tip: Sharing Flash Across Virtualized Workloads
 

Dernier

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Dernier (20)

The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

Stealth servers need Stealth Packets - Derbycon 3.0

  • 1. 1 STEALTH SERVERS NEED STEALTH PACKETS STEALTH SERVERS NEED STEALTH PACKETS JAIME SANCHEZ (@SEGOFENSIVA) WWW.SEGURIDADOFENSIVA.COM
  • 2. 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) $  WHO  I  AM   §  Passionate  about  computer  security. §  Computer  Engineering  degree   and  an  Execu7ve   MBA.   §   In   my   free   8me   I   conduct   research   on   security   and  work  as  an  independent  consultant. §  I’m  from  Spain;  We’re  sexy  and  you  know  it. §    Other  conferences: §  RootedCON  in  Spain §  Nuit  Du  Hack  in  Paris   §  Black  Hat  Arsenal  USA §  Defcon  21  USA §  Next  conferences:  Hack7vity,  NoConName  and   Black  Hat  Sao  Paulo
  • 3. FROM KERNEL SPACE TO USER HEAVEN 3 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has the better for our security. If we can fool all network tools he’ll be using, we’ll be able to prevent some attacks attempts 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 4. A  BRIEF  OVERVIEW FROM KERNEL SPACE TO USER HEAVEN 4 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 5. Devices Devices Devices Kernel Ring  0 Ring  1 Ring  2 Ring  3 Less Privileged More Privileged §  Computer  opera+ng  systems  provide  different   levels  of  access  to  resources. §  This  is  generally  hardware-­‐enforced  by  some   CPU  architectures  hat  provide  different  CPU   modes  at  the  hardware  or  microcode  level. §  Rings  are  arranged  in  a  hierarchy  from  most   privileged  (most  trusted,  usually  numbered  zero)   to  least  privileged  (least  trusted,  usually  with  the   highest  ring  number). §  On  most  opera+ng  systems,  RING  0  is  the  level   with  the  most  privileges  and  interacts  most   directly  with  the  physical  hardware  such  as  the   CPU  and  memory. ARCHITECTURE How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 5 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 6. KERNEL  vs  USER  SPACE KERNEL  SPACE USER  SPACE KERNEL  SPACE  is  strictly  reserved  for  running  the  kernel,  kernel  extensions,  and  most  device   drivers.  In  contrast,  user  space  is  the  memory  area  where  all  user  mode  applica+ons  work   and  this  memory  can  be  swapped  out  when  necessary. Similarly,   the  term  USER  LAND  refers  to  all  applica+on  soKware  that  runs  in  user   space.   Userland  usually  refers  to  the  various  programs  and  libraries  that  the  opera+ng  system  uses   to  interact  with  the  kernel:  soKware  that  performs  input/output,  manipulates  file  system,   objects,  etc. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 6 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 7. WTF  !? How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 7 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 8. 8 How Imet your packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven the NFQUEUE way OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 9. 9 NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 10. NIC  Memory DMA  EngineInterrupt Incoming  Packet Ring Buffer Interrupt Handler NIC Memory Kernel Packet  Data IP  Layer TCP  Process TCP  recv  Buffer APPLICATION DEVICE  DRIVER KERNEL  SPACE USER  SPACE Poll  List so]irq tcp_v4_rcv() Pointer  to Device Socket Backlog ip_rcv() read() locally  des8ned  packets  must  pass  the   INPUT  chains  to  reach  listening  sockets INPUT FORWARD PREROUTING MANGLECONNTRACK FILTER forwarded  and  accepted  packets Inbound  Packets forwarded   packets local packets How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 10 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 11. TARGET  EXTENSIONS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven  A  target  extension  consists  of  a  KERNEL  MODULE,  and  an  op+onal  extension  to  iptables  to   provide  new  command  line  op+ons. There  are  several  extensions  in  the  default  NeQilter  distribu+on: 11 FROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 12. QUEUE §  QUEUE  is  an  iptables  and  ip6tables  target  which  which  queues  the  packet  for  userspace   processing. §  For  this  to  be  useful,  two  further  components  are  required: • a  QUEUE  HANDLER  which  deals  with  the  actual  mechanics  of  passing  packets  between   the  kernel  and  userspace;  and • a  USERSPACE  APPLICATION  to  receive,  possibly  manipulate,  and  issue  verdicts  on   packets. §  The  default  value  for  the  maximum  queue  length  is  1024.  Once  this  limit  is  reached,  new   packets  will  be  dropped  un+l  the  length  of  the  queue  falls  below  the  limit  again.   How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 12 FROM KERNEL SPACE TO USER HEAVEN 13 $ iptables -A INPUT -j NFQUEUE --queue-num 0 NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 13. SOME  PRACTICAL EXAMPLES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 13 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 14. REMOTE  OS FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 14 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 15. CLASSIC  TECHNIQUES How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 15 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 16. NMAP   -­‐  Device  Type       -­‐  Network  Distance   -­‐  Running       -­‐  TCP  Sequence  Predic7on   -­‐  OS  Details       -­‐  IP  ID  Sequence  Genera7on   -­‐  Up7me  Guess Device  Type:  general  purpose Running:  MicrosoK  Windows  7|Vista|2000 OS  CPE:  cpe:/o:microsoK_7::professional OS  details:  MicrosoK  Windows  7  Professional,  MicrosoK   Windows  Vista  SP0  or  SP1 Up7me  guess:  2.196  days  (since  Mon  Feb  4  12:14:01  2013) Network  Distance:  1  hop TCP  Sequence  Predic7on:  Difficulty=262  (Good  Luck!) IP  ID  Sequence  Genera7on:  Incremental Service  Info:  OS:  Windows;  CPE:  cpe:/o:microsoK:windows How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 16 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 17. 17 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) IPv4 UDP TCP ICMP 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)      RELEVANT  FIELDS
  • 18. ECN  CWN  ECE,  WS(10),  NOP,  MSS(1460),  SACK,  NOP,  NOP  and  W3 IP  DF  bit,  TOS(0),  CODE=9,  SEQ=295,  120  bytes  of  0x00  for  payload no  flags,  IP  DF  and  W(128)  to  an  open  port SYN,  FIN,  URG,  PSH  and  W(256)  to  an  open  port ACK  with  IP  DF  and  W(1024)  to  an  open  port SYN  with  W(31337)  to  a  closed  port ACK  with  IP  DF  and  W(32768)  to  a  closed  port FIN,  PSH,  URG  and  W(65535)  to  a  closed  port WS(10),NOP,MSS(1460),TS(Tval:0xFFFFFFFF.  Tsecr:0),  SACK  and  W(1) MSS(1400),  WS(0),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),EOL  and  W(63) TS(Tval:0xFFFFFFFF.  Tsecr:0),NOP,NOP,WS(5),NOP,MSS(640)  and  W(4) SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),WS(10),EOL  and  W(4) MSS(536),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0),  WS(10),EOL  and  W(16) MSS(265),SACK,  TS(Tval:0xFFFFFFFF.  Tsecr:0)  and  W(512) NMAP  METHODS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 18 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEQUENCE  GENERATION  (SEQ,  OPS,  WIN  &  T1) ICMP  ECHO  (IE) TCP  EXPLICIT  CONGESTION  NOTIFICATION  (ECN) TCP  T2-­‐T7 UDP  -­‐  Nmap  sends  15  TCP,  UDP  and  ICMP  tests,  to  open  and  closed  system  ports: OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA) ‘C’  (0x43)  x  300  for  data  field.  IP  ID  value  0x1042   TOS(4),  CODE=0,  150  bytes  data,  ICMP  request  ID  and  SEQ  are  incremented
  • 19. Although  there  are  others: §  TCP  ISN  counter  rate  (ISR) §  ICMP  IP  ID  sequence  genera8on  alg  (II) §  Shared  IP  ID  sequence  Boolean  (SS) §  Don’t  Fragment  ICMP  (DFI) §  Explicit  conges8on  no8fica8on  (C) §  TCP  miscellaneous  quirks  (Q) §  TCP  sequence  number  (S) §  etc. NMAP  INTERNAL  PROBES Most  important: §  TCP  ISN  greatest  common  divisor  (GDC) §  TCP  IP  ID  sequence  genera8on  alg  (TI) §  TCP  8mestamp  op8on  alg  (TS) §  TCP  Op8ons  (O,  O1-­‐O6) §  TCP  ini8al  Window  Size  (W,  W1-­‐W6) §  Responsiveness  (R) §  IP  don’t  fragment  bit  (DF) §  IP  ini8al  8me-­‐to-­‐live  guess  (TG) Fingerprint Linux 2.6.17 - 2.6.24 Class Linux | Linux | 2.6.X | general purpose SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U) OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C) WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018) ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=) T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=) T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G) IE(DFI=N%T=3B-45%TG=40%CD=S) How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 19 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 20. OTHER  TOOLS How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 20 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN A  patch  for  Linux  kernels  of   version  2.4.,  that  modifies   characteris+cs  of  network   traffic IP  PERSONALITY Simple  TCP  packets   iden+fica+on  solu+on  as  a   Kenel 2.2-­‐2.4  core  module  patch,   allowing  ignore  some  kind   of  packets. STEALTH  PATCH A  kernel  module  available   for  Linux  kernel  of  version   2.2.  that  also  tries  to  hide   the  original  OS  and  act  as  a   different  one. FINGERPRINT  FUCKER TCP  and  UDP  packets   filtering  op+ons,  allowing   to  respec+vely  block  RST   and  ICMP  answers  on   closed  ports BLACKHOLE Honeyd  is able  to  simulate  Xprobe2   and  Nmap  (previous   version)  signatures  for  its virtual  hosts. HONEYD Windows  soKware  that   modifies  keys  in  the   register,  to change  some  TCP/IP   parameters. OSFUSCATE NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 21. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 21 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 22. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 22 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 23. PASSIVE  OS  FINGERPRINTING How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 23 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN -­‐   p0f   is  a  tool  that  u+lizes  an  array   of  sophis+cated,   purely   passive,   traffic   fingerprin+ng   mechanisms  to  iden+fy  the  players  behind  any  ini7al  TCP/IP  communica7on  (oKen  as  limle   as  a  single  normal  SYN)  without  interfering  in  any  way. -­‐  There  are  other  tools  like  Emercap,  NetworkMiner,  PRADS,  Satori  or  PacketFence. -­‐   Passive   fingerprin+ng   is   like   a   packet   sniffer.   Examines   network   traffic,   making   a   copy   of   the   data   but   without   redirec+ng  or  altering  it. -­‐  Can  be  used  for  several  purposes: 1.   As   stealthy   fingerprin7ng,   bypassing   the   need   for   using  an  ac+ve  tool  that  can  be  detected  by  various  IDS   systems. 2.  To  iden7fy  remote  proxy  firewalls.   3.  Organiza+ons  can  use  it  to  iden7fy  rogue  systems  on   their  network. NUIT DU HACK 2013 Sniffer OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 24. SIGNATURES 8192:32:1:48:M*,N,N,S:.:Windows:98 Opera+ng  System    -­‐  Family    -­‐  Version Quirks      -­‐  Data  in  SYN  packets      -­‐  Op8ons  a]er  EOL      -­‐  IP  ID  Field  =  0      -­‐  ACK  different  to  0      -­‐  Unusual  flags      -­‐  Incorrect  op8ons  decode TCP  op+ons  and  order      -­‐  N:  NOP      -­‐  E:  EOL      -­‐  Wnnn:  WS      -­‐  Mnnn:  MSS      -­‐  S:  SACK      -­‐  T  /  T0:  Timestamp          -­‐  ?n Window  Size      -­‐  *  Any  value      -­‐  %nnn  nnn  Mul8ple      -­‐  Sxx  MSS  Mul8ple      -­‐  Txx  MTU  Mul8ple      -­‐  xxx  Constant  value Ini+al  TTL DF  Bit   Packet   Size How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 24 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 25. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 25 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 !! LET’S CAMOUFLAGE !! OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 26. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 26 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 27. COMMERCIAL  ENGINES This  techniques  can  be  used  to  avoid  commercial  implementa+ons.  We  hide  our  machine,   faking  the  detector  engine  and  recognizing  us  like  another  OS,  to  amack  another  host  and   leading  administrator  to  think  it  may  be  a  false  posi+ve. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 27 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN Fingerprint  value  example: key=fp_id;value=100000 key=rna_fingerprint_type_id;value=9 key=rna_fingerprint_descrip8on;value=iPhone key=rna_fingerprint_vendor_str;value=Apple key=rna_fingerprint_product_str;value=iOS key=rna_fingerprint_version_str;value=NULL key=val1;value=340e4d28c315390d key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d1 66085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834a f9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc5 03a4847e9c0fa22fe666cb1dc115309eb77 key=uuid;value=714e6bc6-­‐991a-­‐445c-­‐bddb-­‐a8b13c23706b I  had  no  +me  to  figure  out  what  each  field  means  in  all  the  commercial  appliances  I’ve  seen   so  far.  I  decided  to  cross  the  data  available  with  default  Nmap  and  p0f  database  to  get  the   desired  TCP/IP  header  values. NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 28. (  WE’RE  RUNNING  OUR  PROGRAM  IN   BACKGROUND  TO  CHANGE  ALL  OUTBOUND   CONNECTIONS  ) From  kernel  Space  to  user  Heaven 28 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 OS  FOOLED!  NOW  OUT   LINUX  IS  AN  IOS  DEVICE How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 29. SPOOF  NON  EXISTING   HOSTS HOST  CREATED  WITH  OUR NEW  TOOL  :) From  kernel  Space  to  user  Heaven 29 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      |      S  C  R  E  E  N  S  H  O  T      | NUIT DU HACK 2013 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenHow  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVENOSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... 37 NUIT DU HACK 2013BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 30. Long    story    short: SYN ACK FIN How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 30 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)
  • 31. How  i  met  your  packetFrom  kernel  Space  to  user  Heaven 31 How  i  met  your  packetFrom  kernel  Space  to  user  HeavenFROM KERNEL SPACE TO USER HEAVEN NUIT DU HACK 2013 SEGURIDADOFENSIVA.COM @SEGOFENSIVA OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013JAIME SANCHEZ (@SEGOFENSIVA) 2 STEALTH SERVERS NEED STEALTH PACKETS DERBYCON 2013JAIME SANCHEZ (@SEGOFENSIVA)