The art of disguise
Anti-fingerprinting techniques
Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel
The art of disguise - Anti-fingerprinting techniques by Daniel García García a.k.a. cr0hn is licensed under a Creative Commons Reconocimiento-NoComercial-SinObraDerivada 3.0 Unported License.
Permissions beyond the scope of this license may be available at: [email protected].
Index
1. FreeBSD: a brief introduction.
2. How does fingerprinting work?
3. How to defeat it?
FreeBSD…
A brief introduction
1 - FreeBSD: A brief introduction
1. How to install it?
2. How to manage the software?
3. How to install a program?
4. Main differences from GNU/Linux.
How to install it?
Simple… with a wizard.
Software management
• What is the ports system?
• Why are ports a good idea?
• How do ports work?
Installing new software
Compiling…
Installing new software
From binaries…
Main differences with GNU/Linux
FreeBSD | GNU/Linux
General config file: /etc/rc.conf | Multiple config files and directories
Services start: /etc/rc.d/ and /usr/local/etc/rc.d/ | Services start: /etc/init.d/
User directories: /usr/home | User directories: /home
Kernel: config of about 200 lines; many security features included | Kernel: very complicated config file; extra features via patches
Software can be compiled natively | Only some distributions can do it, like Gentoo
The fingerprinting…
How does it work?
2 – Fingerprinting: how does it work?
1. Why hide your systems?
2. Operating system level.
3. Service level.
4. Application level.
Why hide your OS and services?
1. To hide from known (and unknown!) exploits.
2. Sometimes an unpatched version of some software is necessary.
3. If somebody knows which OS you're running, they may also guess the applications running on it.
4. Privacy: nobody needs to know which systems you've got running.
Fingerprinting: Risk demo
Operating System level
• TTL
  Linux/*BSD: 64
  Windows: 128
  OpenBSD: 255
  AIX: 30
Operating System level
• Common TCP initial window size (hex)
  Linux: 16A0
  Windows: 2000
  OpenBSD: 4000
  AIX: 4470/FFFF
  *BSD: FFFF
Operating System level
• IP ID sequence generation algorithm.
• Invalid TCP flag combinations.
• Response to a closed port: RST, nothing, or ICMP unreachable.
• TCP send/receive window sizes.
• Port ranges.
Service level
• Banners
Application level
• Session ID variable (PHPSESSID/JSESSIONID).
• Hidden/lost files.
• Meta headers.
• Variable and method names.
Application level
A practical example: Metadata.
Application level
A practical example: Lost files.
The fight…
How to defeat it?
3 – Defeating fingerprinting
• Kernel parameters
• Changing banners
• Modifying applications
Kernel parameters
Disable (if you don't need them):
• SCTP
• IPv6
Kernel parameters
In your /etc/sysctl.conf:
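The sysctl slide itself was an image; the fragment below is an added example, not the deck's own file, of FreeBSD settings that address the OS-level vectors listed earlier (TTL, IP ID generation, response to closed ports, invalid flag combinations, initial window size). The chosen values are assumptions that imitate the "Windows" column of the TTL and window tables above.

```conf
# Added example (not the slides' sysctl.conf): one FreeBSD sysctl per
# fingerprinting vector named in the "Operating System level" slides.

# TTL: the deck lists Linux/*BSD 64 and Windows 128; FreeBSD's default is 64.
net.inet.ip.ttl=128

# IP ID sequence: randomise IDs instead of incrementing them, so the ID
# pattern no longer identifies the stack.
net.inet.ip.random_id=1

# Response to closed ports: send nothing instead of RST / ICMP unreachable.
# tcp.blackhole: 1 = drop SYNs to closed ports, 2 = drop any segment to them.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1

# Invalid TCP flag combinations: silently drop segments with SYN and FIN set.
# (Older releases need the TCP_DROP_SYNFIN kernel option for this knob to exist.)
net.inet.tcp.drop_synfin=1

# Initial window: *BSD advertises FFFF by default; the deck lists 2000 (hex)
# for Windows, i.e. 8192 bytes. The window field in the SYN/SYN-ACK comes
# from the socket receive buffer, so shrink that buffer.
net.inet.tcp.recvspace=8192

# Caveat: these values change real traffic too (an 8192-byte window limits
# throughput on high-latency links); measure before deploying.
# SCTP and IPv6 from the previous slide are kernel build options
# ("options SCTP" / "options INET6" in the kernel config), not sysctls.
```

Apply with `sysctl -f /etc/sysctl.conf` (or reboot) and verify the new TTL and window from another host with a packet capture before trusting the disguise.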
Service level
How to defeat it?
• Changing the configuration files
• Changing the source code of the software
How to make a patch
Steps to make a patch:
1. Download the source code of the app you want to patch.
2. Extract the code and create a copy of it.
3. In your copy, make the changes you need.
4. Run a diff to extract the changes.
5. Save the changes into a patch-* file.
How to make a patch: Nginx
Steps 1 and 2:
1. Download the source code of Nginx.
2. Create a copy of the source.
How to make a patch: Nginx
Step 3:
• Locate the file that contains the version information:
• Change the version information in that file:
How to make a patch: Nginx
Steps 4 and 5:
• Make a diff against the original file and save it into the patch.
FreeBSD patching method
What does FreeBSD need to apply our patch?
• Put your file into:
/usr/ports/CATEGORY/PROG/files
• Your patch must be named like:
patch-ORIGINAL_FILE_NAME
• Change the relative paths in your patch:
FreeBSD patching method
And now, how do we compile our patched software…?
FreeBSD patching method
Even an idiot can do it!
Service level
Learning with examples:
• Nginx
• OpenSSH
• PureFTPd
• Apache Tomcat
Service level: Nginx
Where is version information?
• In nginx.h
Service level: Nginx
The result:
Yes! I use a public IP for my LAN
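The five patch steps and the FreeBSD ports naming rules above, applied to the nginx.h banner just shown, as an added example that is not code from the slides. It works on a constructed stand-in for src/core/nginx.h (not the real file); the version string, the disguise banner, the name patch-nginx.h and the stand-in for /usr/ports/www/nginx/files are all assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: the deck's five patch steps on a
# constructed stand-in for nginx's src/core/nginx.h, then the patch named and
# rewritten the way the FreeBSD ports tree expects it (files/patch-<name>,
# paths relative to the extracted source). Strings and paths are assumptions.
set -eu
WORK=$(mktemp -d)
ORIG="$WORK/nginx-1.2.0"        # step 1: the pristine source tree
COPY="$WORK/nginx-1.2.0.edit"   # step 2: the copy we modify
PORTFILES="$WORK/usr/ports/www/nginx/files"   # stand-in for the real files/ dir

# Step 1: constructed nginx.h holding the lines that build the advertised banner
mkdir -p "$ORIG/src/core" "$PORTFILES"
cat > "$ORIG/src/core/nginx.h" <<'EOF'
#define NGINX_VERSION      "1.2.0"
#define NGINX_VER          "nginx/" NGINX_VERSION
#define NGINX_VAR          "NGINX"
EOF

# Step 2: work on a copy so the diff has a clean original to compare against
cp -R "$ORIG" "$COPY"

# Step 3: change the banner (assumed disguise value); sed without -i stays
# portable between GNU and BSD sed
sed 's|"nginx/" NGINX_VERSION|"Apache/2.2.3 (CentOS)"|' \
    "$COPY/src/core/nginx.h" > "$COPY/src/core/nginx.h.new"
mv "$COPY/src/core/nginx.h.new" "$COPY/src/core/nginx.h"

# Steps 4 and 5: unified diff saved as patch-ORIGINAL_FILE_NAME
# (diff exits 1 when the files differ, which is the outcome we want)
PATCH="$PORTFILES/patch-nginx.h"
diff -u "$ORIG/src/core/nginx.h" "$COPY/src/core/nginx.h" > "$PATCH.tmp" || [ $? -eq 1 ]

# FreeBSD step: the ports framework applies files/patch-* from inside the
# extracted source with -p0, so strip the absolute temp paths from the
# ---/+++ headers and leave paths relative to the source root
sed -e "s|^--- $ORIG/\([^[:space:]]*\)|--- \1.orig|" \
    -e "s|^+++ $COPY/|+++ |" "$PATCH.tmp" > "$PATCH"
rm "$PATCH.tmp"

# Helpers to inspect the result: header path of line N, and the removed (-)
# or added (+) NGINX_VER definition inside the patch
patch_header() { sed -n "${1}p" "$PATCH" | cut -f1; }
patch_line()   { grep "^$1#define NGINX_VER " "$PATCH" | tr -s ' '; }

# With the file in /usr/ports/www/nginx/files the port is rebuilt with:
#   cd /usr/ports/www/nginx && make clean && make install
cat "$PATCH"
```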
Service level: OpenSSH
Where is version information?
• In Makefile:
• Or in version.h:
Service level: OpenSSH
The result:
Service level: PureFTPd
Where is version information?
• In pure-ftpwho.c
• In altlog.c
• In ftp_parser.c
• In ftpd.c
Service level: PureFTPd
The result:
Service level: Tomcat
Where is version information?
• /usr/local/apache-tomcat-7.0/conf/server.xml
Service level: Tomcat
The result:
Service level: nmap
What does nmap think?
Service level: fingerprinting database
Where can we find a database of fingerprints?
Application level
Learning with examples…
…Testing WordPress
Application level: WordPress
Hiding our WordPress information:
1. WordPress version.
2. WordPress plugin versions.
3. Session ID.
4. Custom error pages.
5. Metadata info.
6. Hashes of static and common files.
Application level: WordPress
Step 1: WordPress version.
Application level: WordPress
Step 2: Plugins versions.
Application level: WordPress
Step 1 and 2: Hiding versions.
Application level: WordPress
Step 3: Session ID var.
Application level: WordPress
Step 3: Hiding session ID var.
Application level: WordPress
Step 4: Custom error pages… of IIS
Application level: WordPress
Step 5: Metadata info.
Application level: WordPress
Step 5: Hiding metadata info.
Application level: WordPress
Step 6: Hashes of static and common files.
• site.com/wp-includes/css/admin-bar.css:
• Some programs have a database of hashes:
Application level: WordPress
Step 6: Hiding common hashes:
1. Modify our static files, like CSS:
2. Check the new hash:
Application level: WordPress
The result:
• Plecost (http://www.iniqua.com/labs/plecost/)
No plugins found!!
Application level: WordPress
The result:
• WP-scan (http://code.google.com/p/wpscan/)
wp-scan doesn't like our filters
Application level: WordPress
The result:
• Nmap
Application level: WordPress
Final result…
We've earned a beer!
Questions?