Charla antifingerprinting (Anti-fingerprinting talk)


Transcript of Charla antifingerprinting

Page 1: Charla antifingerprinting

The art of disguise

Anti-fingerprinting techniques

Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel

Page 2: Charla antifingerprinting


The art of disguise - Anti-fingerprinting techniques by Daniel García García a.k.a. cr0hn is licensed under a:

Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.

Permissions beyond the scope of this license may be available at: [email protected].

Page 3: Charla antifingerprinting

Index

1. FreeBSD: a brief introduction.

2. How does fingerprinting work?

3. How to defeat it?

Page 4: Charla antifingerprinting

FreeBSD…

A brief introduction


Page 5: Charla antifingerprinting

1 - FreeBSD: A brief introduction

1. How to install it?

2. How to manage software?

3. How to install a program?

4. Main differences from GNU/Linux.

Page 6: Charla antifingerprinting

How to install it?

Simple… with a wizard.

Page 7: Charla antifingerprinting

Software management

• What is the ports system?

• Why are ports a good idea?

• How do ports work?

Page 8: Charla antifingerprinting

Installing new software

Compiling… (from the ports tree)

Page 9: Charla antifingerprinting

Installing new software

From binaries… (packages)

Page 10: Charla antifingerprinting

Main differences with GNU/Linux

• General config file: FreeBSD uses /etc/rc.conf; GNU/Linux uses multiple config files and directories.

• Service start scripts: FreeBSD /etc/rc.d/ and /usr/local/etc/rc.d/; GNU/Linux /etc/init.d/.

• User directories: FreeBSD /usr/home; GNU/Linux /home.

• Kernel: the FreeBSD config is about 200 lines and many security features are included; the GNU/Linux config file is very complicated and extra features come via patches.

• Software: on FreeBSD it can natively be compiled; on GNU/Linux only some distributions can do it, like Gentoo.

Page 11: Charla antifingerprinting

The fingerprinting…

How does it work?

Page 12: Charla antifingerprinting

2 – Fingerprinting: How does it work?

1. Why hide your systems?

2. Operating system level.

3. Service level.

4. Application level.


Page 13: Charla antifingerprinting

Why hide your OS and services?

1. To hide from known (and unknown!) exploits.

2. Sometimes you need to keep running unpatched versions of some software.

3. If somebody knows which OS you're running, they may also guess the applications running on it.

4. Privacy: nobody needs to know which systems you've got running.

Page 14: Charla antifingerprinting

Fingerprinting: Risk demo


Page 15: Charla antifingerprinting

Operating System level

• TTL (default initial value set by the OS):

Linux/*BSD: 64

Windows: 128

OpenBSD: 255

AIX: 30

The value seen on the wire is the initial TTL minus the hops crossed, so a remote TTL of 57 still points at a 64-based system.

Page 16: Charla antifingerprinting

Operating System level

• Common TCP initial window sizes (hex, decimal in brackets):

Linux: 0x16D0 (5840)

Windows: 0x2000 (8192)

OpenBSD: 0x4000 (16384)

AIX: 0x4470 (17520) / 0xFFFF (65535)

*BSD: 0xFFFF (65535)

Page 17: Charla antifingerprinting

Operating System level

• IP ID sequence generation algorithm.

• Invalid TCP flag combinations.

• Answer to a closed port: RST, nothing, or ICMP unreachable.

• TCP send/receive window sizes.

• Port ranges.
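The TTL and window signals from the previous slides can be combined into a passive guess. The script below is an added example, not part of the original talk: it rounds an observed TTL up to the nearest common initial value, estimates the hop count, and applies the slide's TTL/window table to constructed tcpdump -v lines. The addresses and capture lines are made up, and the rounding function is a deliberate simplification (it would misread AIX's 30 as a 64-based host).

```shell
#!/bin/sh
# Added example (not from the original talk): a passive OS guess from the
# two signals on the slides, IP TTL and the TCP window advertised in the
# SYN. The capture lines below are constructed, in tcpdump -v style.

# The TTL seen remotely is the sender's initial TTL minus the hops the
# packet crossed, so round up to the nearest common starting value.
initial_ttl() {
    if [ "$1" -le 64 ]; then echo 64
    elif [ "$1" -le 128 ]; then echo 128
    else echo 255
    fi
}

# Hops between the observer and the sender, from the same rounding.
hops() {
    echo $(( $(initial_ttl "$1") - $1 ))
}

# TTL base plus initial window, using the slide's table:
# Linux 0x16D0=5840, Windows 0x2000=8192, OpenBSD 0x4000=16384, *BSD 0xFFFF=65535.
guess_os() {   # guess_os <observed-ttl> <window>
    base=$(initial_ttl "$1")
    case "$base/$2" in
        64/5840)   echo "Linux" ;;
        64/65535)  echo "FreeBSD/*BSD" ;;
        128/8192)  echo "Windows" ;;
        255/16384) echo "OpenBSD" ;;
        *)         echo "unknown (ttl base $base, win $2)" ;;
    esac
}

# classify_capture: reads tcpdump -v lines on stdin, prints one guess per SYN
# (lines that are not SYNs carry a window shaped by the connection, so skip them).
classify_capture() {
    while IFS= read -r line; do
        fields=$(printf '%s\n' "$line" | sed -n \
            's/.*ttl \([0-9]*\),.*length [0-9]*) \([0-9.]*\)\.[0-9]* > .*Flags \[S\].*win \([0-9]*\),.*/\1 \2 \3/p')
        [ -n "$fields" ] || continue
        set -- $fields    # $1 ttl, $2 source address, $3 window
        printf '%s ttl=%s (~%s hops) win=%s -> %s\n' \
            "$2" "$1" "$(hops "$1")" "$3" "$(guess_os "$1" "$3")"
    done
}

# Constructed capture: four SYNs from different stacks and one ACK to be ignored.
sample_capture() {
    cat <<'EOF'
IP (tos 0x0, ttl 57, id 1, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.40000 > 10.0.0.1.80: Flags [S], seq 1, win 5840, options [mss 1460], length 0
IP (tos 0x0, ttl 121, id 2, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.6.49152 > 10.0.0.1.80: Flags [S], seq 1, win 8192, options [mss 1460], length 0
IP (tos 0x0, ttl 250, id 3, offset 0, flags [DF], proto TCP (6), length 64) 10.0.0.7.33000 > 10.0.0.1.80: Flags [S], seq 1, win 16384, options [mss 1460], length 0
IP (tos 0x0, ttl 60, id 4, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.8.55000 > 10.0.0.1.80: Flags [S], seq 1, win 65535, options [mss 1460], length 0
IP (tos 0x0, ttl 57, id 5, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.5.40000 > 10.0.0.1.80: Flags [.], ack 1, win 5840, length 0
EOF
}

sample_capture | classify_capture
```

Real stacks vary the window with the MSS and window scaling, and nmap's OS detection uses far more probes (IP ID behaviour, option ordering, timestamps, replies to malformed flag combinations), so this is only the minimum an observer gets for free from one SYN. It is also the minimum that the kernel settings later in the talk have to change.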

Page 18: Charla antifingerprinting

Service level

• Banners


Page 19: Charla antifingerprinting

Application level

• Session ID variable name (PHPSESSID/JSESSIONID).

• Hidden/lost files.

• Meta headers.

• Variable and method names.

Page 20: Charla antifingerprinting

Application level

A practical example: Metadata.


Page 21: Charla antifingerprinting

Application level

A practical example: Lost files.


Page 22: Charla antifingerprinting

The fight…

How to defeat it?


Page 23: Charla antifingerprinting

3 – Defeating fingerprinting

• Kernel parameters

• Changing banners

• Modifying applications


Page 24: Charla antifingerprinting

Kernel parameters

Disable (if you don't need them):

• SCTP

• IPv6

Page 25: Charla antifingerprinting

Kernel parameters

In your /etc/sysctl.conf:
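The sysctl.conf slide was a screenshot, so here is an added example of the kind of settings it covers, not the talk's own file. The OIDs are real FreeBSD ones and map onto the signals listed earlier (reply to closed ports, IP ID generation, SYN+FIN handling, TTL); the chosen values are mine, as is the constructed `sysctl -a` output the audit function is run against.

```shell
#!/bin/sh
# Added example, not the talk's sysctl.conf: a policy of FreeBSD network
# sysctls that shape the OS fingerprint, in the "oid=value" form that
# /etc/sysctl.conf takes, plus an audit that compares it with `sysctl -a`
# output. Values and the "current" sample are my choice, not the author's.

# What to put in /etc/sysctl.conf (or apply live with `sysctl oid=value`):
#   tcp.blackhole=2   drop SYNs to closed TCP ports instead of answering RST
#   udp.blackhole=1   drop datagrams to closed UDP ports, no ICMP unreachable
#   random_id=1       randomize the IP ID instead of incrementing it
#   drop_synfin=1     drop SYN+FIN probes (older releases need the
#                     TCP_DROP_SYNFIN kernel option for this OID to exist)
#   ttl=128           start the TTL at Windows' value rather than 64
wanted_sysctl_conf() {
    cat <<'EOF'
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.random_id=1
net.inet.tcp.drop_synfin=1
net.inet.ip.ttl=128
EOF
}

# Constructed stand-in for `sysctl -a` on an untouched host.
sample_current() {
    cat <<'EOF'
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
net.inet.ip.random_id: 0
net.inet.tcp.drop_synfin: 0
net.inet.ip.ttl: 64
net.inet.tcp.sendspace: 32768
EOF
}

# audit_sysctl <file-with-sysctl-a-output>: prints "oid: current -> wanted"
# for every OID that is missing or differs; returns the number of mismatches.
audit_sysctl() {
    cur=$1
    bad=0
    for entry in $(wanted_sysctl_conf); do
        oid=${entry%%=*}
        want=${entry#*=}
        have=$(sed -n "s/^$oid: //p" "$cur")
        if [ "$have" != "$want" ]; then
            printf '%s: %s -> %s\n' "$oid" "${have:-<missing>}" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

tmp=$(mktemp)
sample_current > "$tmp"
audit_sysctl "$tmp" && echo "compliant" || echo "$? sysctls to fix"
```

On a real host feed it `sysctl -a > current.txt` and, after appending the wanted lines to /etc/sysctl.conf, reload with `service sysctl restart` and audit again. Two caveats: with blackhole on, a scanner sees "filtered" rather than "closed", which is itself a signal and also makes your own troubleshooting harder; and a changed TTL or window only trims the cheapest signals, since nmap's OS detection still has IP ID behaviour, option ordering and timestamps to work with.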

Page 26: Charla antifingerprinting

Service level

How to defeat it?

• Changing configuration files

• Changing the source code of the software

Page 27: Charla antifingerprinting

How to make a patch

Steps to make a patch:

1. Download the source code of the app you want to patch.

2. Extract the code and make a copy of it.

3. In your copy, make the changes you need.

4. Run diff against the original to extract the changes.

5. Save the changes into a patch-* file.

Page 28: Charla antifingerprinting

How to make a patch: Nginx

Step 1 and 2:

1. Download the source code of Nginx.

2. Make a copy of the source.

Page 29: Charla antifingerprinting

How to make a patch: Nginx

Step 3:

• Locate the file that contains the version information:

• Change the information in that file:

Page 30: Charla antifingerprinting

How to make a patch: Nginx

Step 4 and 5:

• Make a diff against the original file and save it as the patch.

Page 31: Charla antifingerprinting

FreeBSD patching method

What does FreeBSD need to apply our patch?

• Put your file into:

/usr/ports/CATEGORY/PROG/files

• Your patch must be named like:

patch-ORIGINAL_FILE_NAME

• Change the relative path in your patch: the ports framework applies patches from inside the unpacked source directory (WRKSRC), so the paths in the diff header must be relative to it, not to wherever you kept your working copy.
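Steps 1 to 5 of the patch recipe and the FreeBSD layout from the last slide, run end to end as an added example (these are not the author's commands; the Nginx slides showed screenshots). The three #define lines are the real shape of nginx's src/core/nginx.h, but the version, the fake product name "Fakeserver" and the directory names are my choice, and the naming rule of turning slashes in the patched path into underscores is my assumption about the files/ convention.

```shell
#!/bin/sh
# Added example, not the talk's own commands: steps 1-5 of the patch recipe
# against a stand-in for nginx's src/core/nginx.h, laid out the way a
# FreeBSD port expects (files/patch-*, paths relative to WRKSRC).
set -e

work=$(mktemp -d)
wrksrc=$work/nginx-1.0.0          # stand-in for the port's WRKSRC
mkdir -p "$wrksrc/src/core" "$work/files"

# Steps 1 and 2: the "downloaded" source (constructed) and a pristine .orig copy.
cat > "$wrksrc/src/core/nginx.h" <<'EOF'
#define NGINX_VERSION      "1.0.0"
#define NGINX_VER          "nginx/" NGINX_VERSION
#define NGINX_VAR          "NGINX"
EOF
cp "$wrksrc/src/core/nginx.h" "$wrksrc/src/core/nginx.h.orig"

# Step 3: rebrand <file> <product> <version> rewrites what the Server header
# will say (NGINX_VER) and the version number itself (NGINX_VERSION).
rebrand() {
    sed -e "s|\"nginx/\" NGINX_VERSION|\"$2/\" NGINX_VERSION|" \
        -e "s|^\(#define NGINX_VERSION *\)\"[^\"]*\"|\1\"$3\"|" "$1" > "$1.new"
    mv "$1.new" "$1"
}

# Steps 4 and 5: make_port_patch <wrksrc> <relative-path> <filesdir>.
# diff runs from inside WRKSRC so the headers read "src/core/nginx.h.orig"
# and "src/core/nginx.h", which is what the ports framework applies with -p0.
# diff exits 1 when files differ, so only status 2 (an error) is fatal.
make_port_patch() {
    name=patch-$(printf '%s' "$2" | tr '/' '_')
    ( cd "$1" && diff -u "$2.orig" "$2" ) > "$3/$name" || [ $? -eq 1 ]
    printf '%s\n' "$3/$name"
}

# Check: the patch introduces the new banner and carries a WRKSRC-relative path.
patch_rebrands() {   # patch_rebrands <patch> <product>
    grep -q "^+#define NGINX_VER .*\"$2/\"" "$1" &&
    grep -q '^+++ src/core/nginx.h' "$1"
}

rebrand "$wrksrc/src/core/nginx.h" Fakeserver 9.9
patchfile=$(make_port_patch "$wrksrc" src/core/nginx.h "$work/files")
cat "$patchfile"

# What the port's `make patch` does with it: apply to a fresh copy and compare.
if command -v patch >/dev/null 2>&1; then
    mkdir -p "$work/fresh/src/core"
    cp "$wrksrc/src/core/nginx.h.orig" "$work/fresh/src/core/nginx.h"
    ( cd "$work/fresh" && patch -p0 < "$patchfile" )
    cmp "$work/fresh/src/core/nginx.h" "$wrksrc/src/core/nginx.h" && echo "patch applies cleanly"
fi
```

In a real port the same result can be had without hand-running diff: edit the file under WRKSRC next to its .orig copy and run `make makepatch`, which writes the files/patch-* entry for you; `make install clean` then builds the rebranded binary. Keep in mind that a rebranded binary is still the same code, so the patch has to be carried forward on every version bump or the update quietly restores the real banner.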

Page 32: Charla antifingerprinting

FreeBSD patching method

And now, how do we compile our patched software?

Page 33: Charla antifingerprinting

FreeBSD patching method

Even an idiot can do it!


Page 34: Charla antifingerprinting

Service level

Learning with examples:

• Nginx

• OpenSSH

• PureFTPd

• Apache Tomcat

Page 35: Charla antifingerprinting

Service level: Nginx

Where is the version information?

• In nginx.h (src/core/nginx.h, which defines NGINX_VERSION and NGINX_VER, the string sent in the Server header). The server_tokens off directive only drops the version number; the header still says "nginx", which is why the source is patched here.

Page 36: Charla antifingerprinting

Service level: Nginx

The result:

(Yes! I use a public IP for my LAN.)

Page 37: Charla antifingerprinting

Service level: OpenSSH

Where is the version information?

• In the Makefile:

• Or in version.h (SSH_VERSION, with SSH_PORTABLE appended, is what sshd sends after "SSH-2.0-"; the sshd_config option VersionAddendum can only add text after it, not hide it):

Page 38: Charla antifingerprinting

Service level: OpenSSH

The result:


Page 39: Charla antifingerprinting

Service level: PureFTPd

Where is the version information?

• In pure-ftphow.c

• In altlog.c

• In ftp_parser.c

• In ftpd.c

Page 40: Charla antifingerprinting

Service level: PureFTPd

The result:


Page 41: Charla antifingerprinting

Service level: Tomcat

Where is the version information:

• /usr/local/apache-tomcat-7.0/conf/server.xml (the Connector's server="..." attribute sets the Server response header). The version printed on Tomcat's default error pages comes from ServerInfo.properties inside lib/catalina.jar, so that needs changing too.

Page 42: Charla antifingerprinting

Service level: Tomcat

The result:


Page 43: Charla antifingerprinting

Service level: nmap

What does nmap think?

Page 44: Charla antifingerprinting

Service level: fingerprinting database

Where can we find a database of fingerprints? (nmap ships its own: nmap-os-db for OS fingerprints and nmap-service-probes for service banners.)
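Whether the edits to nginx.h, version.h, the Pure-FTPd sources and server.xml actually took effect is something to re-check from the outside, the way nmap's probes read it. The script below is an added example, not from the original talk: the banners are constructed samples of what `curl -sI host`, `nc host 22 </dev/null` or `nc host 21` would return before and after the changes, and the product list and the generic "Name/x.y" pattern are my choice.

```shell
#!/bin/sh
# Added example, not from the original talk: after changing the banners,
# re-read them and flag any that still carry a product or version string.
# Banner lines are constructed samples; the patterns are my choice.

# One "label banner" line per service, before the changes.
sample_before() {
    cat <<'EOF'
web:80 Server: nginx/1.0.0
ssh:22 SSH-2.0-OpenSSH_5.8p2 FreeBSD-20110503
ftp:21 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
app:8080 Server: Apache-Coyote/1.1
EOF
}

# The same services after the banners were changed (fake names, no numbers).
sample_after() {
    cat <<'EOF'
web:80 Server: Fakeserver
ssh:22 SSH-2.0-Fakeserver
ftp:21 220 Service ready
app:8080 Server: Fakeserver
EOF
}

# Products nmap's probes key on, plus anything shaped like "Name/1.2".
LEAK_RE='(nginx|Apache|OpenSSH|Pure-FTPd|Apache-Coyote|Tomcat|Microsoft-IIS|PHP)[/_ -]?[0-9]*|[A-Za-z][A-Za-z-]+/[0-9]+\.[0-9]+'

# leaking_banners: stdin -> the lines that still leak (none is the goal).
leaking_banners() {
    grep -E "$LEAK_RE" || true
}

# leak_count: stdin -> number of leaking lines.
leak_count() {
    grep -E -c "$LEAK_RE" || true
}

echo "before:"; sample_before | leaking_banners
echo "after:";  sample_after  | leaking_banners
echo "remaining leaks: $(sample_after | leak_count)"
```

A clean banner is necessary but not sufficient: nmap's service detection also matches on how a daemon answers its probes (error wording, greeting format, supported commands), so run `nmap -sV` against the host after the change, as the next slides do, rather than trusting the banner alone. For sshd in particular, clients read the banner for compatibility quirks, so a fabricated string should not resemble a real old version.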

Page 45: Charla antifingerprinting

Application level

Learning with examples…

…Testing WordPress


Page 46: Charla antifingerprinting

Application level: WordPress

Hiding our WordPress information:

1. WordPress version.

2. WordPress plugin versions.

3. Session ID.

4. Custom error pages.

5. Metadata info.

6. Hashes of static and common files.

Page 47: Charla antifingerprinting

Application level: WordPress

Step 1: WordPress version (exposed by the generator meta tag, readme.html and the ?ver= query strings on enqueued scripts and styles).

Page 48: Charla antifingerprinting

Application level: WordPress

Step 2: Plugin versions (each plugin's readme.txt under wp-content/plugins/ and the ?ver= strings on its assets).

Page 49: Charla antifingerprinting

Application level: WordPress

Step 1 and 2: Hiding versions (remove the wp_generator action from wp_head, strip ?ver= through the script_loader_src and style_loader_src filters, and deny access to the readme files in the web server).

Page 50: Charla antifingerprinting

Application level: WordPress

Step 3: Session ID variable (the PHPSESSID cookie name alone gives away PHP).

Page 51: Charla antifingerprinting

Application level: WordPress

Step 3: Hiding the session ID variable (PHP's session.name setting).

Page 52: Charla antifingerprinting

Application level: WordPress

Step 4: Custom error pages… of IIS


Page 53: Charla antifingerprinting

Application level: WordPress

Step 5: Metadata info.


Page 54: Charla antifingerprinting

Application level: WordPress

Step 5: Hiding metadata info.


Page 55: Charla antifingerprinting

Application level: WordPress

Step 6: Hashes of static and common files.

• site.com/wp-includes/css/admin-bar.css:

• Some programs have a database of hashes:

Page 56: Charla antifingerprinting

Application level: WordPress

Step 6: Hiding common hashes:

1. Modify our static files, like the CSS:

2. Check the new hash:
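The six WordPress steps above, reduced to something that can be checked offline, as an added example that is not the talk's own code: a grep for the version markers a scanner reads from a page (generator meta tag, ?ver= strings, readme links) and a demonstration of why step 6 works, namely that a plecost/wpscan-style database holds the hash of the pristine file, so any change, even an appended comment, breaks the match. The HTML, the CSS and the one-entry hash database are constructed here, including the version numbers.

```shell
#!/bin/sh
# Added example, not the talk's own code, covering the WordPress steps:
# (a) scan a page for the version leaks a scanner reads, (b) show that a
# static file whose hash is in a scanner database stops matching after a
# harmless edit. HTML, CSS and the hash "database" are constructed.
set -e
work=$(mktemp -d)

# A page before any hiding. Version numbers are made up.
cat > "$work/before.html" <<'EOF'
<meta name="generator" content="WordPress 3.3" />
<link rel="stylesheet" href="/wp-content/plugins/some-plugin/style.css?ver=1.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.1"></script>
EOF

# The same page with wp_generator removed and ?ver= stripped from asset URLs.
cat > "$work/after.html" <<'EOF'
<link rel="stylesheet" href="/wp-content/plugins/some-plugin/style.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
EOF

# wp_leaks <html>: number of lines carrying a version marker.
wp_leaks() {
    grep -E -c 'name="generator"|[?&]ver=[0-9]|readme\.(html|txt)' "$1" || true
}

# file_hash <file>: md5, as the scanner databases use (md5sum on Linux, md5 on BSD).
file_hash() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# hash_known <file> <db>: 0 if the file's hash is in the "hash  path" database.
hash_known() {
    grep -q "^$(file_hash "$1") " "$2"
}

# The pristine static file and a one-entry scanner database built from it
# (a real tool ships these precomputed for every WordPress release).
cat > "$work/admin-bar.css" <<'EOF'
#wpadminbar { height: 28px; }
EOF
printf '%s  %s\n' "$(file_hash "$work/admin-bar.css")" "wp-includes/css/admin-bar.css" > "$work/hashes.db"

# Step 6: a harmless edit is enough to change the hash.
cp "$work/admin-bar.css" "$work/modified.css"
printf '/* local tweak */\n' >> "$work/modified.css"

echo "leaks before: $(wp_leaks "$work/before.html"), after: $(wp_leaks "$work/after.html")"
hash_known "$work/admin-bar.css" "$work/hashes.db" && echo "pristine css: known hash"
hash_known "$work/modified.css" "$work/hashes.db" || echo "modified css: no match"
```

Two practical caveats: a WordPress update rewrites wp-includes, which restores the original hashes until the edit is reapplied (a deploy hook or a theme-level override survives better than patching core files), and the whole exercise only raises the bar for automated scanners; a human can still recognise WordPress from its URL layout and markup.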

Page 57: Charla antifingerprinting

Application level: WordPress

The result:

• Plecost (http://www.iniqua.com/labs/plecost/ )


No plugins found!!

Page 58: Charla antifingerprinting

Application level: WordPress

The result:

• WP-scan (http://code.google.com/p/wpscan/)

WPScan doesn't like our filters.

Page 59: Charla antifingerprinting

Application level: WordPress

The result:

• Nmap


Page 60: Charla antifingerprinting

Application level: WordPress

Final result….


We've earned a beer!

Page 61: Charla antifingerprinting

Questions?