
Articulus Detecting IP Hijacking Through Server Fingerprinting - PowerPoint PPT Presentation



  1. Articulus: Detecting IP Hijacking Through Server Fingerprinting

  2. Research Question
     How can we detect BGP IP hijacking by probing the at-risk subnets for suspect changes to hosts and subnets?
     Intro – Fingerprinting – Avoiding Detection – Technical Details – Demo – Questions

  3. (Slightly) related work
     - BGPmon
     - Cyclops by UCLA
     - Uptrends SSL monitoring
     - Unnamed Eric & Mick tool

  4. The problem

  5. What are the possibilities
     - Man-in-the-middle attacks
     - Downgrade attacks
     - False information

  6. Articulus

  7. Terminology
     - Sentinel
       - Globally spread out
       - Executes fingers
     - Node
       - At-risk host in need of protection
     - Server
       - Command & control server
       - Result comparison
     - Fingers
       - Commands executed on Sentinels

  8. Our solution

  9. Fingerprinting
     - Identifying software used
     - Identifying software version used
     - Identifying specific host characteristics

  10. Fingerprinting – DNS
     - Response only
     - DNS censorship/hijacking detection

  11. Fingerprinting – Mail services
     - SMTP / IMAP / POP
     - STARTTLS

  12. Fingerprinting – Secure Shell
     - RSA host key fingerprint
     - OpenSSH version
     - Distribution

  13. Fingerprinting – Webservices
     - WordPress 3.8
     - Apache 2.2.16
     - jQuery 1.10.2

  14. Fingerprinting – Secure Webservices
     - Nginx 1.4.4
     - SHA-1 of certificate

  15. Fingerprinting – Traceroute
     - ICMP / UDP / TCP port 80

  16. Fingerprinting – TCP/IP
     - Uptime guess
     - TCP characteristics
     - TCP sequence prediction difficulty

  17. Reporting
     - Three levels
       - Paranoid
       - System administrator
       - User
     - Alerts
       - Email
       - SMS

  18. Fingerprinting – Avoiding detection

  19. Comparing Fingerprints
     - All output saved
     - RegEx fingerprint
     - Compare result to previous result
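The comparison step on this slide, written out as an added example (this is not the Articulus code, and its finger names, regexes, sentinel names and the 203.0.113.10 node address are assumptions): each sentinel's raw command output is kept, a per-finger regex reduces it to the stable part, and that fingerprint is compared with the previous run. The example goes one step further than the slide and also compares the same finger across sentinels, because a hijacked prefix is usually only visible from part of the Internet, so two globally spread sentinels disagreeing about one node is the clearest sign. The two sample runs are constructed data.

```python
"""Fingerprint comparison: keep raw finger output, reduce it with a regex to a
stable fingerprint, compare with the previous run and across sentinels.
Added example; not the Articulus code."""
import re

# Finger name -> regex that extracts the stable part of the raw output.
# Finger names and regexes are assumptions made for this example.
FINGER_PATTERNS = {
    # ssh-keyscan output line: "<host> <keytype> <base64 key>"
    "ssh_hostkey": re.compile(r"^\S+\s+(ssh-(?:rsa|ed25519))\s+(\S+)$", re.M),
    # raw HTTP response header block
    "http_server": re.compile(r"^Server:\s*(\S.*?)\s*$", re.M | re.I),
    # "openssl x509 -noout -fingerprint -sha1" output
    "tls_cert_sha1": re.compile(r"^SHA1 Fingerprint=([0-9A-F:]{59})$", re.M),
}


def extract_fingerprint(finger, raw_output):
    """Return the regex-reduced fingerprint, or None when the output does not
    match at all (which is itself a change worth reporting)."""
    match = FINGER_PATTERNS[finger].search(raw_output)
    return " ".join(match.groups()) if match else None


def fingerprint_run(raw_results):
    """raw_results: {(sentinel, node, finger): raw command output}
    -> {(sentinel, node, finger): fingerprint}"""
    return {key: extract_fingerprint(key[2], out) for key, out in raw_results.items()}


def compare_with_previous(previous, current):
    """Per (sentinel, node, finger): fingerprints that changed since the last
    run, or that are seen for the first time."""
    changes = []
    for key, new in sorted(current.items()):
        if key not in previous:
            changes.append((key, "new", None, new))
        elif previous[key] != new:
            changes.append((key, "changed", previous[key], new))
    return changes


def compare_across_sentinels(current):
    """{(node, finger): {sentinel: fingerprint}} for every finger where the
    sentinels do not all see the same value."""
    views = {}
    for (sentinel, node, finger), fp in current.items():
        views.setdefault((node, finger), {})[sentinel] = fp
    return {k: v for k, v in views.items() if len(set(v.values())) > 1}


# Constructed sample data: two sentinels probe one node on two runs. In the
# second run the Tokyo sentinel sees a different SSH host key and TLS
# certificate than Amsterdam does, the picture a partial hijack of the node's
# prefix with a MITM box in front of it would give.
NODE = "203.0.113.10"
KEY_A = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostKeyOriginal0000000000000000"
KEY_B = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostKeyHijacker000000000000000"
CERT_A = "SHA1 Fingerprint=" + ":".join(["AB"] * 20)
CERT_B = "SHA1 Fingerprint=" + ":".join(["CD"] * 20)
HTTP = "HTTP/1.1 200 OK\r\nServer: Apache/2.2.16 (Debian)\r\nContent-Type: text/html\r\n"

RUN1 = fingerprint_run({
    ("ams", NODE, "ssh_hostkey"): f"{NODE} {KEY_A}\n",
    ("tyo", NODE, "ssh_hostkey"): f"{NODE} {KEY_A}\n",
    ("ams", NODE, "tls_cert_sha1"): CERT_A + "\n",
    ("tyo", NODE, "tls_cert_sha1"): CERT_A + "\n",
    ("ams", NODE, "http_server"): HTTP,
    ("tyo", NODE, "http_server"): HTTP,
})
RUN2 = fingerprint_run({
    ("ams", NODE, "ssh_hostkey"): f"{NODE} {KEY_A}\n",
    ("tyo", NODE, "ssh_hostkey"): f"{NODE} {KEY_B}\n",
    ("ams", NODE, "tls_cert_sha1"): CERT_A + "\n",
    ("tyo", NODE, "tls_cert_sha1"): CERT_B + "\n",
    ("ams", NODE, "http_server"): HTTP,
    ("tyo", NODE, "http_server"): HTTP,
})

if __name__ == "__main__":
    for change in compare_with_previous(RUN1, RUN2):
        print("change:", change)
    for (node, finger), views in compare_across_sentinels(RUN2).items():
        print(f"sentinels disagree on {node} {finger}: {views}")
```

Only the regex-reduced value is compared, so a fresh TCP sequence number or a Date header does not trigger an alert, while a new host key or certificate does; the raw output is still kept so an operator can look at what actually changed.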

  20. Technical details
     - Command and Control server
       - Python API
       - Only accepts requests from approved UUIDs
       - HTTPS webserver with Python support (Apache, Nginx, …)
       - MySQL database (MariaDB should work as well)
     - Sentinels
       - Python
       - Hardcoded server address and certificate (certificate pinning)
       - POST requests to the C&C API
       - Generates its own UUID
       - Parallel command execution

  21. Technical details
     - Secure
     - Lightweight
     - Scalable

  22. Modular setup
     - Add commands for execution on the fly
     - Sentinel needs the commands to be installed, though
     - Add nodes dynamically
     - IPv4 and IPv6 support

  23. DEMO
     - http://sne.pretwolk.nl:81

  24. Thank you for your attention
     - Are there any questions?

