Stealth servers need Stealth Packets - Derbycon 3.0

Date post: 20-Aug-2015
Author: jaime-sanchez
Transcript
  1. STEALTH SERVERS NEED STEALTH PACKETS. JAIME SANCHEZ (@SEGOFENSIVA), WWW.SEGURIDADOFENSIVA.COM
  2. $WHOIAM (STEALTH SERVERS NEED STEALTH PACKETS, DERBYCON 2013, JAIME SANCHEZ (@SEGOFENSIVA)). Passionate about computer security. Computer Engineering degree and an Executive MBA. In my free time I conduct research on security and work as an independent consultant. I'm from Spain; We're sexy and you know it. Other conferences: RootedCON in Spain, Nuit Du Hack in Paris, BlackHat Arsenal USA, Defcon 21 USA. Next conferences: Hacktivity, NoConName and BlackHat Sao Paulo.
  3. The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts. (Slide footers from earlier versions of the talk: FROM KERNEL SPACE TO USER HEAVEN, NUIT DU HACK 2013; OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ..., BLACKHAT ARSENAL USA 2013.)
  4. A BRIEF OVERVIEW
  5. ARCHITECTURE. Computer operating systems provide different levels of access to resources. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. [Diagram: protection rings Ring 0 to Ring 3; labels: Kernel, Devices, More Privileged, Less Privileged.] (Slide footer: How I met your packet. From kernel Space to user Heaven.)
  6. KERNEL vs USER SPACE. KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user mode applications work, and this memory can be swapped out when necessary. Similarly, the term USERLAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
  7. WTF!?
  8. How I met your packets: the NFQUEUE way
  9. [Diagram: path of an incoming packet from the NIC to the application. Layers: DEVICE DRIVER, KERNEL SPACE, USER SPACE. Labels: Incoming Packet, NIC Memory, DMA Engine, Interrupt, Ring Buffer, Interrupt Handler, Poll List, Pointer to Device, softirq, Kernel Packet Data, ip_rcv(), IP Layer, tcp_v4_rcv(), TCP Process, Socket Backlog, TCP recv Buffer, read(), APPLICATION.]
  10. Locally destined packets must pass the INPUT chains to reach listening sockets. [Diagram: the incoming packet path (NIC memory, ring buffer, softirq, ip_rcv(), tcp_v4_rcv(), socket backlog, TCP recv buffer, read()) with the Netfilter stages added. Labels: Inbound Packets, PREROUTING, MANGLE, CONNTRACK, FILTER, INPUT, FORWARD, local packets, forwarded packets, forwarded and accepted packets.]
  11. TARGET EXTENSIONS. A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution:
  12. QUEUE. QUEUE is an iptables and ip6tables target which queues the packet for userspace processing. For this to be useful, two further components are required:
      - a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
      - a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
      The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
      $ iptables -A INPUT -j NFQUEUE --queue-num 0
  13. SOME PRACTICAL EXAMPLES
  14. REMOTE OS FINGERPRINTING
  15. CLASSIC TECHNIQUES
  16. NMAP. Reported fields: Device Type, Network Distance, Running, TCP Sequence Prediction, OS Details, IP ID Sequence Generation, Uptime Guess. Example output:
      Device Type: general purpose
      Running: Microsoft Windows 7|Vista|2000
      OS CPE: cpe:/o:microsoft_7::professional
      OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
      Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
      Network Distance: 1 hop
      TCP Sequence Prediction: Difficulty=262 (Good Luck!)
      IP ID Sequence Generation: Incremental
      Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  17. RELEVANT FIELDS: IPv4, UDP, TCP, ICMP
  18. NMAP METHODS. Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports:
      - SEQUENCE GENERATION (SEQ, OPS, WIN & T1):
          WS(10), NOP, MSS(1460), TS(Tval: 0xFFFFFFFF. Tsecr: 0), SACK and W(1)
          MSS(1400), WS(0), SACK, TS(Tval: 0xFFFFFFFF. Tsecr: 0), EOL and W(63)
          TS(Tval: 0xFFFFFFFF. Tsecr: 0), NOP, NOP, WS(5), NOP, MSS(640) and W(4)
          SACK, TS(Tval: 0xFFFFFFFF. Tsecr: 0), WS(10), EOL and W(4)
          MSS(536), SACK, TS(Tval: 0xFFFFFFFF. Tsecr: 0), WS(10), EOL and W(16)
          MSS(265), SACK, TS(Tval: 0xFFFFFFFF. Tsecr: 0) and W(512)
      - ICMP ECHO (IE):
          IP DF bit, TOS(0), CODE=9, SEQ=295, 120 bytes of 0x00 for payload
          TOS(4), CODE=0, 150 bytes data, ICMP request ID and SEQ are incremented
      - TCP EXPLICIT CONGESTION NOTIFICATION (ECN):
          ECN, CWR, ECE, WS(10), NOP, MSS(1460), SACK, NOP, NOP and W3
      - TCP T2-T7:
          no flags, IP DF and W(128) to an open port
          SYN, FIN, URG, PSH and W(256) to an open port
          ACK with IP DF and W(1024) to an open port
          SYN with W(31337) to a closed port
          ACK with IP DF and W(32768) to a closed port
          FIN, PSH, URG and W(65535) to a closed port
      - UDP:
          'C' (0x43) x 300 for data field. IP ID value 0x1042
  19. NMAP INTERNAL PROBES.
      Most important: TCP ISN greatest common divisor (GCD), TCP IP ID sequence generation alg (TI), TCP timestamp option alg (TS), TCP Options (O, O1-O6), TCP initial Window Size (W, W1-W6), Responsiveness (R), IP don't fragment bit (DF), IP initial time-to-live guess (TG).
      Although there are others: TCP ISN counter rate (ISR), ICMP IP ID sequence generation alg (II), Shared IP ID sequence Boolean (SS), Don't Fragment ICMP (DFI), Explicit congestion notification (C), TCP miscellaneous quirks (Q), TCP sequence number (S), etc.
      Example fingerprint:
      Fingerprint Linux 2.6.17 - 2.6.24
      Class Linux | Linux | 2.6.X | general purpose
      SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
      OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
      WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
      ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
      T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
      T2(R=N)
      T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
      T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
      T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
      T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
      T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
      U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
      IE(DFI=N%T=3B-45%TG=40%CD=S)
  20. OTHER TOOLS
      - IPPERSONALITY: A patch for Linux kernels of version 2.4., that modifies characteristics of network traffic.
      - STEALTHPATCH: Simple TCP packet identification solution as a Kernel 2.2-2.4 core module patch, allowing it to ignore some kinds of packets.
      - FINGERPRINTFUCKER: A kernel module available for Linux kernel of version 2.2. that also tries to hide the original OS and act as a different one.
      - BLACKHOLE: TCP and UDP packet filtering options, allowing to respectively block RST and ICMP answers on closed ports.
      - HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
      - OSFUSCATE: Windows software that modifies keys in the registry, to change some TCP/IP parameters.
  21. !! LET'S CAMOUFLAGE !!
  23. PASSIVE OS FINGERPRINTING
      - p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
      - There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
      - Passive fingerprinting is like a packet sniffer. It examines network traffic, making a copy of the data but without redirecting or altering it.
      - Can be used for several purposes:
          1. As stealthy fingerprinting, bypassing the need for using an active tool that can be detected by various IDS systems.
          2. To identify remote proxy firewalls.
          3. Organizations can use it to identify rogue systems on their network.
      [Diagram label: Sniffer.]
  24. SIGNATURES. Example: 8192:32:1:48:M*,N,N,S:.:Windows:98
      Fields of the signature:
      - Window Size: * (any value), %nnn (nnn multiple), Sxx (MSS multiple), Txx (MTU multiple), xxx (constant value)
      - Initial TTL
      - DF Bit
      - Packet Size
      - TCP options and order: N: NOP, E: EOL, Wnnn: WS, Mnnn: MSS, S: SACK, T/T0: Timestamp, ?n
      - Quirks: data in SYN packets, options after EOL, IP ID field = 0, ACK different to 0, unusual flags, incorrect options decode
      - Operating System: Family, Version
  25. !! LET'S CAMOUFLAGE !!
  27. COMMERCIAL ENGINES. These techniques can be used to avoid commercial implementations. We hide our machine, fooling the detector engine into recognizing us as another OS, to attack another host and lead the administrator to think it may be a false positive.
      Fingerprint value example:
      key=fp_id; value=100000
      key=rna_fingerprint_type_id; value=9
      key=rna_fingerprint_description; value=iPhone
      key=rna_fingerprint_vendor_str; value=Apple
      key=rna_fingerprint_product_str; value=iOS
      key=rna_fingerprint_version_str; value=NULL
      key=val1; value=340e4d28c315390d
      key=val2; value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d1
          66085937ba1d34be0fd0afe41acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834a
          f9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc5
          03a4847e9c0fa22fe666cb1dc115309eb77
      key=uuid; value=714e6bc6-991a-445c-bddb-a8b13c23706b
      I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with default Nmap and p0f database to get the desired TCP/IP header values.
  28. (WE'RE RUNNING OUR PROGRAM IN BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS) [Screenshots] OSFOOLED! NOW OUR LINUX IS AN IOS DEVICE
  29. SPOOF NONEXISTING HOSTS. HOST CREATED WITH OUR NEW TOOL :) [Screenshots]
  30. Long story short: SYN ACK FIN
  31. SEGURIDADOFENSIVA.COM @SEGOFENSIVA
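
Added example (not part of the talk and not p0f's own code): a parser and matcher for the signature format listed on slide 24, run against constructed SYN observations. The field names, the MAX_HOPS tolerance of 40 and the exact-string comparison of quirks are assumptions made for illustration.

```python
# Added example: p0f v2-style SYN signature parser and matcher.
from dataclasses import dataclass

MAX_HOPS = 40  # assumption: tolerated TTL decrease between sender and sensor

@dataclass
class Signature:
    window: str      # "*", "%nnn", "Sxx", "Txx" or a constant
    ttl: int         # initial TTL
    df: bool         # Don't Fragment bit
    size: str        # SYN packet size, "*" for any
    options: list    # ordered TCP options, e.g. ["M*", "N", "N", "S"]
    quirks: str      # "." means no quirks
    family: str
    version: str

def parse_signature(line):
    win, ttl, df, size, opts, quirks, family, version = line.strip().split(":", 7)
    options = [] if opts == "." else opts.split(",")
    return Signature(win, int(ttl), df == "1", size, options, quirks, family, version)

def window_matches(spec, window, mss):
    if spec == "*":                         # any value
        return True
    if spec[0] == "%":                      # multiple of a constant
        return window % int(spec[1:]) == 0
    if spec[0] == "S":                      # multiple of the MSS
        return mss is not None and window == int(spec[1:]) * mss
    if spec[0] == "T":                      # multiple of the MTU (MSS + 40)
        return mss is not None and window == int(spec[1:]) * (mss + 40)
    return window == int(spec)              # constant value

def option_matches(spec, seen):
    if spec.endswith("*"):                  # "M*" or "W*": any numeric value
        return seen[:1] == spec[:1] and seen[1:].isdigit()
    return spec == seen

def matches(sig, syn):
    """syn: dict with window, ttl, df, size, options (ordered list), quirks, mss."""
    return (
        window_matches(sig.window, syn["window"], syn.get("mss"))
        and 0 <= sig.ttl - syn["ttl"] <= MAX_HOPS
        and sig.df == syn["df"]
        and sig.size in ("*", str(syn["size"]))
        and len(sig.options) == len(syn["options"])
        and all(option_matches(s, o) for s, o in zip(sig.options, syn["options"]))
        and sig.quirks == syn["quirks"]
    )

SLIDE_SIG = parse_signature("8192:32:1:48:M*,N,N,S:.:Windows:98")
# Constructed observations, not captured traffic.
SYN_A = {"window": 8192, "ttl": 30, "df": True, "size": 48,
         "options": ["M1460", "N", "N", "S"], "quirks": ".", "mss": 1460}
SYN_B = dict(SYN_A, options=["M1460", "S", "N", "N"])   # same options, reordered
```

SYN_A matches the slide's signature while SYN_B does not, because the order of the TCP options is part of the signature and not only their presence.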
