
IpMorph: unifying fingerprinting deception - PowerPoint PPT Presentation



  1. This document is licensed under a Creative Commons Attribution 3.0 License. IpMorph: « unifying fingerprinting deception ». Guillaume PRIGENT, DIATEAM - Brest. SSTIC - 5 June 2009. IpMorph is an Open Source project owned, developed and supported by DIATEAM.

  2. (v0.1) Context
     Theorem: « Live happily, live hidden. »
     Corollary: « If a machine can falsify its identity and impersonate another, it reduces its appeal to the attacker and undermines the relevance of attacks targeted at its apparent nature. »

  3. Typology of fingerprinting (diagram; recovered labels)
     Detection techniques: active, passive, collection.
     Sources: stack fingerprints, network sniffing.
     Criteria: ICMP responses, « time-outs », TCP headers, ISN profiles, banners, binaries.
     Tools: Xprobe2, Ettercap, thc-rut, Nmap, SinFP, Ring2, p0f.

  4. Detection principles (diagram; recovered labels)
     Active stack fingerprinting (Nmap, SinFP, …): the tool sends stimuli across the network and classifies the responses; the identity it infers for host A is A (A = A).
     Passive stack fingerprinting (p0f, SinFP, …): the tool only observes the SYN / SYN+ACK exchanged between hosts A and B and infers their identities from it (B = B, A = A).

  5. IpMorph use cases (diagram: SYN / SYN+ACK exchanges, each labelled with the real identity and the identity the fingerprinting tool infers, e.g. A = A, A = B, B = A)
     – Active OSFP + real machine
     – Active OSFP + « virtual » machines
     – Passive OSFP + real machine
     – Passive OSFP + « virtual » machines

  6. State of the art of fingerprint deception [7]
     • Filtering
       – Stealth patch: unmaintained as of 2002, GNU/Linux kernel 2.2-2.4 [14]
       – Blackhole: FreeBSD, kernel options [16]
       – IPlog: unmaintained as of 2001, *BSD [17]
       – Packet filter: OpenBSD [18]
     • TCP/IP stack configuration and modification ("host based")
       – Ip Personality [19]
       – Fingerprint Fucker [12][13]
       – Fingerprint scrubber [1]
       – OSfuscate [8]
     • TCP/IP stack substitution ("proxy behaviour")
       – Honeyd [9]
       – Packet purgatory / Morph [10]

  7. Software base
     • Language: C++
     • « Userland » application
     • Built on the Qt4 « framework »
     • Components:
       – IpMorph (Core)
       – IpMorph Controller
       – IpMorph Personality Manager
       – IpView (IpMorph GUI)
     • Portability:
       – GNU/Linux
       – *BSD, Mac OS
     • License: GPLv3

  8. General architecture (diagram; recovered labels)
     Three columns: exposed IP stack | context queue | protected IP stack. At each layer the exposed and protected sides each have a filter, with a context tracker & data processor (plugins) between them:
     – TCP: TCP filter & processor, TCP context tracker & data processor (plugins), scheduler
     – UDP: UDP filter, UDP context tracker & data processor (plugins)
     – ICMP: ICMP filter, ICMP context tracker & data processor (plugins)
     – IP: fragmentation & reassembly, IP filter, IP context tracker & data processor (plugins)
     – Ethernet: (R)ARP translation, ETH processor, Eth. read / Eth. write
     – Interface layer: eth / tap fd on each side

  9. Nmap: format of a signature (annotated example)
     Fingerprint FreeBSD 7.0-CURRENT
     Class FreeBSD | FreeBSD | 7.X | general purpose
     SEQ(SP=101-10D%GCD=<7%ISR=108-112%TI=RD%II=RI%TS=20|21|22)
     OPS(O1=M5B4NW8NNT11%O2=M578NW8NNT11%O3=M280NW8NNT11%O4=M5B4NW8NNT11%O5=M218NW8NNT11%O6=M109NNT11)
     WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
     ECN(R=Y%DF=Y%T=40%TG=40%W=FFFF%O=M5B4NW8%CC=N%Q=)
     T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
     T2(R=N)
     T3(R=Y%DF=Y%T=40%TG=40%W=FFFF%S=O%A=S+%F=AS%O=M109NW8NNT11%RD=0%Q=)
     T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
     T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
     T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
     T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
     U1(DF=N%T=40%TG=40%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
     IE(DFI=S%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
     …
     Field glossary (from the slide annotations):
     – SEQ line: SP: TCP ISN sequence predictability; GCD: TCP ISN greatest common divisor; ISR: TCP ISN counter rate; TI: TCP IP ID sequence generation algorithm; II: ICMP IP ID sequence generation algorithm; SS: shared IP ID sequence (Boolean); TS: TCP timestamp option algorithm.
     – OPS / WIN lines: O1-O6: TCP options (ordering and values); W1-W6: TCP initial window size.
     – Probe responses (ECN, T1-T7, U1, IE): DF: IP don't-fragment bit; T: IP initial time-to-live; TG: IP initial time-to-live guess; W: TCP initial window size; S: TCP sequence number; A: TCP acknowledgment number; F: TCP flags; RD: TCP RST data checksum; Q: TCP miscellaneous quirks; TOS: IP type of service; IPL: IP total length; UN: unused port-unreachable field nonzero; RIPL: returned probe IP total length value; RID: returned probe IP ID value; RIPCK: returned probe IP checksum value; RUCK: returned probe UDP checksum; RUL: returned probe UDP length.
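As an added example (not code from the slides or from the IpMorph project), a small Python parser for the second-generation Nmap fingerprint format shown above, with a matcher for the expression forms that appear in it (`101-10D` hex ranges, `<7` bounds, `20|21|22` alternatives and exact tokens). A defender can use it to see how many attributes of an observed response a given fingerprint accepts; the fingerprint excerpt and the observed values are constructed from the slide.

```python
import re

# Constructed excerpt of the fingerprint shown on the slide (FreeBSD 7.0-CURRENT).
NMAP_FP = """Fingerprint FreeBSD 7.0-CURRENT
Class FreeBSD | FreeBSD | 7.X | general purpose
SEQ(SP=101-10D%GCD=<7%ISR=108-112%TI=RD%II=RI%TS=20|21|22)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
"""
HEX = re.compile(r"[0-9A-F]+")

def parse_fingerprint(text):
    """Parse one fingerprint into {'name', 'class', 'tests': {test: {attr: expr}}}."""
    fp = {"name": None, "class": None, "tests": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            fp["name"] = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            fp["class"] = [p.strip() for p in line[len("Class "):].split("|")]
        elif m := re.fullmatch(r"(\w+)\((.*)\)", line):
            # attributes are %-separated key=value pairs; an empty value (Q=) is legal
            fp["tests"][m.group(1)] = dict(i.partition("=")[::2] for i in m.group(2).split("%") if i)
    return fp

def matches(expr, observed):
    """True if an observed value satisfies '|' alternatives, 'lo-hi' hex ranges, '<hex'/'>hex' bounds or an exact token."""
    obs = int(observed, 16) if HEX.fullmatch(observed) else None
    for alt in expr.split("|"):
        if alt == observed:
            return True
        if obs is None:
            continue
        if re.fullmatch(r"[0-9A-F]+-[0-9A-F]+", alt):
            lo, hi = (int(b, 16) for b in alt.split("-"))
            if lo <= obs <= hi:
                return True
        elif alt[:1] in ("<", ">") and HEX.fullmatch(alt[1:]):
            bound = int(alt[1:], 16)
            if (alt[0] == "<" and obs < bound) or (alt[0] == ">" and obs > bound):
                return True
    return False

def score(fp, observed):
    """(hits, total) over the observed {test: {attr: value}} attributes that the fingerprint constrains."""
    pairs = [(fp["tests"][t][k], v) for t, a in observed.items() if t in fp["tests"]
             for k, v in a.items() if k in fp["tests"][t]]
    return sum(matches(e, v) for e, v in pairs), len(pairs)
```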

  10. SinFP: signature database (sqlite) (entity-relationship diagram; recovered tables and columns, PK = primary key)
     IpVersion(idIpVersion PK, ipVersion)
     SystemClass(idSystemClass PK, systemClass)
     Vendor(idVendor PK, vendor)
     Os(idOs PK, idVendor, os)
     OsVersionFamily(idOsVersionFamily PK, osVersionFamily)
     OsVersion(idOsVersion PK, idOs, osVersion, idOsVersionFamily)
     OsVersionChildren(idSignature, idOsVersion)
     PatternBinary(idPatternBinary PK, patternBinaryHeuristic0, patternBinaryHeuristic1, patternBinaryHeuristic2)
     PatternTcpFlags(idPatternTcpFlags PK, patternTcpFlagsHeuristic0, patternTcpFlagsHeuristic1, patternTcpFlagsHeuristic2)
     PatternTcpWindow(idPatternTcpWindow PK, patternTcpWindowHeuristic0, patternTcpWindowHeuristic1, patternTcpWindowHeuristic2)
     PatternTcpOptions(idPatternTcpOptions PK, patternTcpOptionsHeuristic0, patternTcpOptionsHeuristic1, patternTcpOptionsHeuristic2)
     PatternTcpMss(idPatternTcpMss PK, patternTcpMssHeuristic0, patternTcpMssHeuristic1, patternTcpMssHeuristic2)
     Signature(idSignature PK, idIpVersion, idSystemClass, idOsVersion, idP1PatternBinary, idP1PatternTcpFlags, idP1PatternTcpWindow, idP1PatternTcpOptions, idP1PatternTcpMss, …, idP3PatternBinary, idP3PatternTcpFlags, idP3PatternTcpWindow, idP3PatternTcpOptions, idP3PatternTcpMss, trusted)

  11. SinFP: format of a signature
     Header fields: idSignature, trusted, ipVersion, systemClass, vendor, os, osVersionFamily, osVersion
     Example: 104, 1, IPv4, Windows, Microsoft, Windows, Vista, Vista
     Each probe test (P1, P2, P3) carries five patterns (Binary, TcpFlags, TcpMss, TcpOptions, TcpWindow), each given at three levels: heuristic0, heuristic1, heuristic2.
     Test P1:
       B11113, B...13, B.....
       F0x12:F0x12:F0x12
       M1460, M1[34].., M\d+
       O0204ffff, O0204ffff, O0204ffff
       W8192, W8[012].., W\d+
     Test P2:
       B11113, B...12, B.....
       F0x12, F0x12, F0x12
       M1460, M1[34].., M\d+
       O0204ffff010303080402080affffffff44454144, O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?, O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?
       W8192, W8[012].., W\d+
     Test P3:
       B11121, B...21, B.....
       F0x04, F0x04, F0x012
       M0, M0, M0
       O0, O0, O0
       W0, W0, W0
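An added example (not from the slides or from SinFP itself) of how the three heuristic levels of a SinFP signature are applied: each captured reply is encoded into the B/F/M/O/W fields and matched against the heuristic0..2 regexes, and the lowest level at which all five fields match is the result. The signature dict is constructed from the slide's P1 and P3 tests (P2 omitted); the P3 flags heuristic2 is assumed to be F0x04, the 5-digit binary field is taken as already computed, and the `reply` dict layout is this example's own.

```python
import re

# Signature constructed from the slide (idSignature 104, Windows Vista): per probe P1/P3, five
# fields, each with heuristic0 (exact), heuristic1 (loose) and heuristic2 (loosest) regexes.
# P2 is omitted; the slide's P3 flags heuristic2 reads F0x012, F0x04 is assumed here.
SINFP_SIG = {
    "id": 104, "trusted": 1, "ipVersion": "IPv4", "systemClass": "Windows",
    "vendor": "Microsoft", "os": "Windows", "osVersionFamily": "Vista", "osVersion": "Vista",
    "P1": {"B": ["B11113", "B...13", "B....."], "F": ["F0x12", "F0x12", "F0x12"],
           "M": ["M1460", "M1[34]..", r"M\d+"], "O": ["O0204ffff", "O0204ffff", "O0204ffff"],
           "W": ["W8192", "W8[012]..", r"W\d+"]},
    "P3": {"B": ["B11121", "B...21", "B....."], "F": ["F0x04", "F0x04", "F0x04"],
           "M": ["M0", "M0", "M0"], "O": ["O0", "O0", "O0"], "W": ["W0", "W0", "W0"]},
}

def encode_reply(reply):
    """Encode a captured reply into SinFP's five fields (e.g. B11113 F0x12 M1460 O0204ffff W8192).
    `reply` = {binary, flags, mss, options_hex, window} (this example's own layout); the 5-digit
    binary field SinFP derives from IP/TCP header properties is taken as already computed."""
    return {"B": "B" + reply["binary"], "F": "F0x%02x" % reply["flags"],
            "M": "M%d" % reply["mss"], "O": "O" + reply["options_hex"],
            "W": "W%d" % reply["window"]}

def heuristic_level(sig, probe, reply):
    """Lowest level (0 is best) at which all five fields of the reply match the signature's
    patterns for that probe, or None if no level matches."""
    fields = encode_reply(reply)
    for level in range(3):
        if all(re.fullmatch(sig[probe][k][level], fields[k]) for k in fields):
            return level
    return None

def match_signature(sig, replies):
    """Match {probe: reply} against one signature: (overall level, per-probe levels), where the
    overall level is the worst probe level and None if any probe fails. Probes the signature
    does not define (P2 here) are ignored."""
    levels = {p: heuristic_level(sig, p, r) for p, r in replies.items() if p in sig}
    if not levels or None in levels.values():
        return None, levels
    return max(levels.values()), levels
```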
