Using system fingerprints to track attackers
Transcript of Using system fingerprints to track attackers
Page 1
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.
Using system fingerprints to track attackers
Lance Cottrell
Ntrepid/Anonymizer
Page 2
When You Are Under Attack
You may ask:
Who was that masked man?
Page 3
As a Defender, You See...
IP: 37.123.118.67
Lat / Long: +54 / -2
Country: UK
Ping: 110 ms
ISP: as13213.net (AKA UK2.net) server hosting
Open Ports: SSH, HTTP
Page 4
Is THIS Really the Attacker?
Page 5
Which is the “Real” Attacker?
It’s Turtles All the Way Down
Page 6
What If You Could Spot People Hiding?
Block Web Access
Redirect to Honeypot
Add Firewall Rule
Deny Credit Card
Flag in Logs
Page 7
What If You Could Identify Your Attacker?
Page 8
How Do They Hide?
Proxies
VPNs
Chained VPNs / Tor
Botnets / Compromised Hosts
Tradecraft
Page 9
How Can You Spot Them?
Page 10
Known Anonymous IP
Page 11
Anon IPs are well known
Page 12
Open Proxy / Ports
Page 13
Obviously not a home PC
HTTP
X11
FTP
SSH
Page 14
Non-Consumer IP
Page 15
Identifying non-consumer IP

```
9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms
```

vs.

```
13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
```
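An added parser for traceroute output in the form shown above, with a reverse-DNS classification of the final hop. This is example code written for this transcript, not a tool from the talk; the residential and backbone name markers are assumptions, and the two traces reuse the slide's own hop lines, so the first one ends on a backbone router rather than on a destination host.

```python
import re
from dataclasses import dataclass, field
# Constructed input: the hop lines shown on the slide, split into the two traces it compares.
TRACE_BACKBONE = """9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms"""
TRACE_CONSUMER = """13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X"""
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# One probe: optional "host (ip) " prefix (omitted when the same router answers again), an RTT, an optional ICMP note.
PROBE_RE = re.compile(r"(?:(\S+) \((\d+\.\d+\.\d+\.\d+)\)\s+)?([\d.]+) ms(?: (!\S+))?")

@dataclass
class Hop:
    number: int
    hosts: list = field(default_factory=list)   # (hostname, ip) pairs answering this hop
    rtts_ms: list = field(default_factory=list)
    flags: set = field(default_factory=set)     # e.g. "!X" = communication administratively prohibited

def parse_traceroute(text):
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = Hop(int(m.group(1)))
        for host, ip, rtt, flag in PROBE_RE.findall(m.group(2)):
            if host:
                hop.hosts.append((host, ip))
            hop.rtts_ms.append(float(rtt))
            if flag:
                hop.flags.add(flag)
        hops.append(hop)
    return hops

# Heuristic reverse-DNS markers (assumptions, not from the talk).
CONSUMER_MARKERS = ("hsd", "dsl", "cable", "dyn", "pool", "cust")
BACKBONE_MARKERS = (".bb.", "gin.", "core", "hosting", "vps", "srv")

def classify_final_hop(hops):
    # Returns (label, reason); label is 'consumer', 'non-consumer' or 'unknown'.
    if not hops or not hops[-1].hosts:
        return "unknown", "no reverse DNS for the final hop"
    host, ip = hops[-1].hosts[-1]
    name = host.lower()
    if ip.replace(".", "-") in name.split(".")[0]:
        return "consumer", "address encoded in reverse DNS: " + host
    if any(mk in name for mk in CONSUMER_MARKERS):
        return "consumer", "residential access marker in reverse DNS: " + host
    if any(mk in name for mk in BACKBONE_MARKERS):
        return "non-consumer", "backbone or hosting marker in reverse DNS: " + host
    return "unknown", host
```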
Page 16
Latency vs. Ping Time
HTTP / Javascript
DHCP Ping
Page 17
DNS Mismatch
HTTP from Chicago
DNS from Nigeria
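The latency and DNS checks from the last two slides, as an added example (not code from the talk): the thresholds, the probe.example.com zone, the GeoIP table and the resolver log are all assumptions or constructed data, and the ping side is assumed to be a server-side ICMP or TCP ping to the connecting address.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the talk). A relay adds a second network leg between the
# exit address and the real client, so the in-page round trip should not greatly exceed
# the server's own ping to that address.
LATENCY_GAP_MS = 60.0
LATENCY_RATIO = 2.0

# Constructed lookup tables standing in for a GeoIP database and the authoritative
# DNS server's query log (resolver address keyed by the probe token it asked for).
GEO = {"37.123.118.67": "GB", "203.0.113.10": "US", "198.51.100.7": "NG", "192.0.2.44": "US"}
RESOLVER_LOG = {"a1b2c3": "198.51.100.7", "d4e5f6": "192.0.2.44", "0f0f0f": "192.0.2.44"}

@dataclass
class Session:
    token: str           # random per-session token embedded in a probe hostname
    client_ip: str       # address on the HTTP connection
    js_rtt_ms: float     # round trip measured by the page's JavaScript
    ping_rtt_ms: float   # server-side ping to client_ip (assumed ICMP or TCP)

def probe_hostname(token, zone="probe.example.com"):
    """Unique name the page makes the browser resolve; whoever asks our
    authoritative server for it is the client's real resolver."""
    return f"{token}.{zone}"

def assess_session(s):
    """Return the proxy/VPN indicators raised by one session (empty list = none)."""
    signals = []
    http_cc = GEO.get(s.client_ip)
    resolver_ip = RESOLVER_LOG.get(s.token)
    dns_cc = GEO.get(resolver_ip) if resolver_ip else None
    if http_cc and dns_cc and http_cc != dns_cc:
        signals.append(f"dns_mismatch:{http_cc}/{dns_cc}")
    gap = s.js_rtt_ms - s.ping_rtt_ms
    if gap > LATENCY_GAP_MS and s.js_rtt_ms > LATENCY_RATIO * s.ping_rtt_ms:
        signals.append(f"latency_gap:{gap:.0f}ms")
    return signals

if __name__ == "__main__":
    for sess in (Session("a1b2c3", "203.0.113.10", 95.0, 80.0),
                 Session("0f0f0f", "192.0.2.44", 300.0, 40.0),
                 Session("0f0f0f", "192.0.2.44", 55.0, 40.0)):
        print(sess.client_ip, probe_hostname(sess.token), assess_session(sess))
```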
Page 18
Identify the Attacker
Page 19
Identity Leakage
Embedded Media
Apps bypass proxy / VPN
Phone home
Page 20
Fortunately (for you), Good OPSEC is Hard
Tools can be slow and cumbersome
May go direct for “innocent” activity / reconnaissance
May forget to use it
Accidentally cross the streams of personas
Correlate attacker print with all previous activity
Page 21
Cookies and Bugs
Page 22
Browser Fingerprints
Page 23
Fingerprint Entropy (bits of identifying information)
12.3 - User Agent
5.4 - HTTP_ACCEPT Headers
21.9+ - Browser Plugin Details
5.0 - Time Zone
7.5 - Screen Size and Color Depth
21.9 - System Fonts
0.4 - Cookie Test
0.9 - Super Cookie Test
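To show what the per-attribute numbers above measure, an added example (not from the talk) that computes Shannon entropy and per-value surprisal over a constructed population of eight browsers, and also the joint entropy of the whole fingerprint, which is what actually singles a client out; the browser records are constructed sample data, not measurements.

```python
import math
from collections import Counter

# Constructed population of eight observed browsers (not data from the talk); the
# numbers on the slide come from a far larger sample.
POPULATION = [
    {"ua": "Firefox/30 Win", "tz": "-300", "fonts": "Arial,Calibri,Verdana"},
    {"ua": "Firefox/30 Win", "tz": "-300", "fonts": "Arial,Calibri"},
    {"ua": "Firefox/30 Win", "tz": "-300", "fonts": "Arial,Tahoma,Verdana"},
    {"ua": "Firefox/30 Win", "tz": "-300", "fonts": "Arial,Verdana"},
    {"ua": "Chrome/35 Mac", "tz": "+60", "fonts": "Helvetica,Monaco"},
    {"ua": "Chrome/35 Mac", "tz": "+60", "fonts": "Helvetica,Menlo"},
    {"ua": "Safari/7 Mac", "tz": "+60", "fonts": "Helvetica"},
    {"ua": "Tor Browser 3.6", "tz": "+60", "fonts": "DejaVu Sans"},
]

def entropy_bits(values):
    """Shannon entropy H = -sum p log2 p over the observed value frequencies."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def surprisal_bits(values, value):
    """Identifying information in one observed value: -log2(fraction sharing it)."""
    share = Counter(values)[value] / len(values)
    return -math.log2(share)

def attribute_entropy(population, attr):
    return entropy_bits([r[attr] for r in population])

def joint_entropy(population, attrs):
    """Entropy of the whole fingerprint tuple. It never exceeds the sum of the parts
    and is smaller when attributes are correlated (OS implies fonts, time zone, ...),
    which is why per-attribute bits cannot simply be added up."""
    return entropy_bits([tuple(r[a] for a in attrs) for r in population])

def uniquely_identified(population, attrs):
    """Fraction of the population whose fingerprint tuple is unique."""
    tuples = [tuple(r[a] for a in attrs) for r in population]
    counts = Counter(tuples)
    return sum(1 for t in tuples if counts[t] == 1) / len(tuples)
```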
Page 24
Attacker Use of Virtualization
Advantages:
Easy to Clean
Cloned Each Time
No Cookies or Super-Cookies
Disadvantages:
Too Clean or Outdated Cruft
Can Be Detected as VM
Detection as VM Requires Local Execution
Page 25
Dread Pirate Roberts
Page 26
Why Should YOU be Stealthy?
Lurk in IRC and Forums
Discover Plans
Learn Techniques
Hide your interest & activity
Bait Honeypots
Drop False Leads and Links
Government Has Other More Aggressive Options
Page 27
Thanks
Contact me at:
Email: [email protected]
Commercial / Gov: http://ntrepidcorp.com
Consumer: http://anonymizer.com
Blog: http://theprivacyblog.com
Twitter: @LanceCottrell
LinkedIn: http://linkedin.com/in/LanceCottrell