Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified...
Transcript of Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified...
![Page 1: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/1.jpg)
DefCon 21, Las Vegas 2013
Let’s Screw With nMap
![Page 3: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/3.jpg)
Overview
Nosey Bastards!All About Packet NormalizationWorking It All OutPutting It Into PracticeFinishing Up
![Page 4: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/4.jpg)
Network Defenders
We see scans and probes of our network every dayFrom the inside and from the outsideEverybody is targeting usIdentifying our assets
![Page 5: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/5.jpg)
How They Do It
Network stack implementation is highly discretionaryDifferences identify the operating system type and versionAllowing Attackers to identify their targetsBy matching the headers of their target to known operating system implementations
![Page 6: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/6.jpg)
… then it’s likely a Windows 2003 Sever!
Uses the following options
MSS of 1460Single NOPWindow Size 0Single NOPSingle NOPEnding SACK
If your target …Has a TTL of 128
![Page 7: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/7.jpg)
Implications
If they identify your assets …They know their weaknessesHow to attack them successfullyWithout triggering your sensors
![Page 8: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/8.jpg)
TSA-Style patdowns …
It’s fact of life
![Page 9: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/9.jpg)
But does it have to be?
![Page 10: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/10.jpg)
Why can’t we …
Remove the differencesTo remove their advantage Strip them of their ability to fingerprint To significantly reduce their chance of success
![Page 11: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/11.jpg)
My Answer
Packet
ization
![Page 12: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/12.jpg)
OK. What is packet normalization?
Had anyone thought of this before?Not an entirely developed conceptMany expressions but most incomplete …
![Page 13: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/13.jpg)
Normalization vs. Scrubbing
Scrubbing is to do away with; cancel Normalization is to make normal, especially to cause to conform to a standard or normBoth are seen in varying degrees
![Page 14: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/14.jpg)
Scrubbing
Used by a number of firewallsRandomize IP IDClear IP DF
Also …Set IP tos/dscp, and ttlIP Fragment Reassembly
Primarily ConcernPolicy ViolationsAbnormal PacketsAbnormal Flows
![Page 15: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/15.jpg)
Scrubbing
Custom patch for netfilterRandom IP IDRandomize TCP TimestampRandomize TCP SEQClear IP tos/dscpIP TTL Tinkering
Developed by Nicolas BareilMentions fingerprint preventionHost Only
![Page 16: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/16.jpg)
Scrubbing
Used by some network devices such as Cisco ACE and ASA
Random TCP SEQClear TCP Reserved, and URGClears TCP OptionsMinimum IP TTL
Fragment Reassembly too …Primarily Concern
Policy ViolationsAbnormal PacketsAbnormal Flows
![Page 17: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/17.jpg)
Incoming Normalization
Used by IPS and IDS devicesIP Fragment ReassemblyIP TTL Evasion
Primarily ConcernDetect AttacksDetection Evasion
![Page 18: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/18.jpg)
Outgoing Normalization?
![Page 19: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/19.jpg)
Fingerprinting Process
TCP, UDP, and ICMP probes are sentCompile results into fingerprint
Compare against databaseIdentify operating system
![Page 20: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/20.jpg)
Where to Start?
Nmap fingerprint databaseWhat about other fingerprinting tools?
xprobe2amapVulnerability scanners … Nessus, Et. Al
Best to disrupt any existing patterns
![Page 21: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/21.jpg)
Clear out any unnecessary valuesIP ToS/DCSP/Traffic Class ClearedIP ECN ClearedTCP URG Flag and URG Pointer Cleared
Randomize anything that you canIP ID
IP TTL/HOP Limit? TCP Options?
Scrubbing
![Page 22: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/22.jpg)
Packet NormalizationOutgoing Normalization
![Page 23: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/23.jpg)
Normalizing(IP Time-To-Live / Hop Limit)
Make some assumptionsOriginally Well-Known TTLDecrements OnlyTraveled < 32 hops
Back into Original Starting TTLEstimate number of hops traveledRecalibrate current TTLUsing Starting TTL of 255
![Page 24: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/24.jpg)
Normalizing(IP Time-To-Live / Hop Limit)
Start with the lowest well known TTL first!Several exceptions to this normalization …Will be discussed later
![Page 25: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/25.jpg)
Normalizing(TCP Options)
AssumptionsOnly Few Well Known Options NeededOrder is unimportant
Requirement …Values can’t be changedRead necessary optionsDiscard the restRewrite options in proper orderNOP … till the end of the options
![Page 26: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/26.jpg)
Normalizing(TCP Options)
Options selected … And their orderMSSWindowSACKMD5 … if present
After processing …
![Page 27: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/27.jpg)
Making everyone look the samePutting It All Together
With IDGuard
![Page 28: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/28.jpg)
Selecting The Platform
Identified Suitable HardwareAlready Modified By OthersDocumentation Available … Mikrotik Routerboards
Identified Suitable Operating SystemAvailable BaseWriteable File System …OpenWrt
Best to develop in a VM first!
![Page 29: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/29.jpg)
Building the Development Environment
Download Debian v6.0 Net-install CD-ROMBuild a VMWare VMInstall rcp100 from SourceforgeConfigure rcp100 routing functions
![Page 30: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/30.jpg)
Building the Development Environment
![Page 31: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/31.jpg)
Configuring the Development Environment
![Page 32: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/32.jpg)
Deploying the Kernel Module
Download IDguard v0.50Install IDGuard
![Page 33: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/33.jpg)
Deploying the Kernel Module
![Page 34: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/34.jpg)
OK … What worked?
I am really tired of those nosey bastards!
![Page 35: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/35.jpg)
What Didn’t Work
ToS/DCSP/Traffic Class ClearingECN ClearingURG Flag and URG Pointer ClearingIP ID RandomizationDF Clearing
… the Scrubbing
![Page 36: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/36.jpg)
What Worked
TTL StandardizingTCP Option Standardizing
… the Normalization
![Page 37: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/37.jpg)
End ResultsOperating System Unprotected ProtectedWindows 7 Microsoft Windows 7|2008Windows Server 2003 Microsoft Windows 2003Ubuntu Desktop 11.10 Linux 2.6.X|3.XRed Hat Enterprise Linux 6 Linux 2.6.X|3.X
Allied Telesyn AlliedWareAllied Telesyn AlliedWareCisco IOS 12.XD-Link embedded
![Page 38: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/38.jpg)
Other Effects
NmapNetwork Distance
Other Fingerprintingxprobe2Nessus …
Other Toolspingtraceroute
![Page 39: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/39.jpg)
Deploying to Hardware
Purchase the hardware from a local vendorDownload OpenWrt kernel image with an embedded initramfsSetup dhcp & tftp netboot environmentConnect to the routerboardConfigure routerboard for DHCPBack up RouterOS Prepare the OpenWrt images Flash it
![Page 40: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/40.jpg)
Deploying to Hardware
![Page 41: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/41.jpg)
Demonstration
![Page 42: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/42.jpg)
Challenges
Authorized ActivityOther Methods
Banners and Direct QueryIdentification Through Layer-7
![Page 43: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/43.jpg)
Challenges
Authorized ActivityScannersManagement Platforms
ResolutionExclude them …
![Page 44: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/44.jpg)
Challenges
Banners and Direct QueryWindows Networking AvailableApplication-Layer QueryOS Details in Reply
ResolutionPerimeter NetworkInternal Network
![Page 45: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/45.jpg)
Concerns
ConnectivityFragmentation
UpstreamDownstream
TTL AttenuationTTL Special Uses
TCP Options Sensitivity?Link-Local Routing Protocols
![Page 46: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/46.jpg)
Concern
Upstream FragmentationIP ID Randomized“Fragmentation Needed” ICMP Message ReceivedHost is confusedKeeps sending original packet
ResolutionClear DF
![Page 47: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/47.jpg)
Concern
Downstream FragmentationEach fragment given a different IP IDDestination can’t be reassembled
ResolutionEnd-Point Switch Placement Exclude Fragments
![Page 48: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/48.jpg)
Concern
TTL AttenuationPacket travels more than 32 hopsPacket TTL is continually extendedRouting Loop occurs
ResolutionEnd-Point Switch Placement
![Page 49: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/49.jpg)
Concern
TTL Special UsesTTL recalibratedTTL never runs outTraceroute fails
ResolutionExclude ICMP Echo Requests
![Page 50: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/50.jpg)
Concern
Link-Local Routing ProtocolsTTL of 1 for RIP packetTTL of 255 is abnormalPacket is malformed
ResolutionExclude routing protocols
![Page 51: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/51.jpg)
Concerns
PerformanceBreak Something
Poorly Coded ApplicationsWhat else?
![Page 52: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/52.jpg)
Benefits
Shields from …Casual AttackersAutomated AssaultsOblique Threats
Protects …UnmanagedUnpatchedUnhardened
Defeats … canned exploits
![Page 53: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/53.jpg)
What’s Next
More PlatformsOpen-Source Router FirmwareLinux-Based Switches
Production TrialsTalk to vendors
![Page 54: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/54.jpg)
Accurate target identification is key to a successful attackIdentification that is way too easy for an attacker to performLet’s change that with fingerprint preventionI’ve proven that it can be doneNow, we just have to make it happen
Final Thoughts
![Page 55: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/55.jpg)
Proof of Concept
SHA256 hash is e97b2c8325a0ba3459c9a3a1d67a6306Updates can be found at http://idguard.sourceforge.net/
![Page 56: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/56.jpg)
Linkshttp://www.wisegeek.com/what-is-packet-mangling.htmhttp://www.openbsd.gr/faq/pf/scrub.htmlhttp://www.linuxsecurity.com.br/info/fw/PacketManglingwithiptables.dochttp://chdir.org/~nico/scrub/http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.pdfhttp://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.pdfhttp://www.sans.org/reading_room/whitepapers/intrusion/packet-level-normalisation_1128http://nmap.org/book/osdetect-methods.htmlhttp://rcp100.sourceforge.nethttp://wiki.hwmn.org/w/Mikrotik_RouterBoard_450Ghttp://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-vmlinux.elfhttp://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-rootfs.tar.gz https://sites.google.com/site/guenterbartsch/blog/myfirstlinuxkernelmodulehttp://www.farlock.org/nslu2/openwrt-non-standard-module-compiling/
![Page 57: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/57.jpg)
Special ThanksAditiya SoodKenny Nguyen and E-CQURITYKathy GilletteNick Pruitt
![Page 58: Let’s Screw With nMap CON 21/DEF CON 21 presentations/DE… · Mikrotik Routerboards Identified Suitable Operating System Available ... Back up RouterOS Prepare the OpenWrt images](https://reader033.fdocuments.in/reader033/viewer/2022060507/5f1fea45b2d8864a3f69e2f5/html5/thumbnails/58.jpg)