This document is licensed under a Creative Commons Attribution 3.0 License
SSTIC - 5 June 2009
IpMorph is an Open Source project owned, developed and supported by DIATEAM
IpMorph: "unifying fingerprint spoofing" (« unification de la mystification de la prise d'empreinte »)
Guillaume PRIGENT, DIATEAM - Brest
v0.1
Context
2009/06/05 [email protected] - DIATEAM
Theorem: "Let us live happily, let us live hidden" (« Vivons heureux, vivons cachés »)
Corollary: "If a machine can forge and usurp its identity, it reduces its attractiveness to an attacker and undermines the relevance of attacks targeted at its apparent nature."
Fingerprinting typology
[Figure: fingerprinting typology]
Detection techniques:
• Active (binaries): thc-rut, Xprobe2, Nmap, Ring2, SinFP
• Passive (binaries): p0f, SinFP, Ettercap, "Time-out"
Collection: network sniffing
Stack fingerprints: TCP headers, ICMP responses, ISN profiles, banners
Detection principles
[Figure: detection principles]
• Active stack fingerprinting (Nmap, SinFP, …): the scanner sends stimuli (e.g. a SYN) to the target across the network and derives the target's fingerprint from the responses (e.g. the SYN+ACK).
• Passive stack fingerprinting (p0f, SinFP, …): the observer sends nothing and derives the fingerprint only from traffic seen on the network.
IpMorph use cases
[Figure: four IpMorph use cases, each shown as a SYN / SYN+ACK exchange between the fingerprinting host and the host(s) it fingerprints]
• Active OSFP + real machine
• Passive OSFP + real machine
• Active OSFP + "virtual" machines
• Passive OSFP + "virtual" machines
State of the art in fingerprint spoofing [7]
• Filtering
– Stealth patch: unmaintained as of 2002, GNU/Linux kernel 2.2-2.4 [14]
– Blackhole: FreeBSD, kernel options [16]
– IPlog: unmaintained as of 2001, *BSD [17]
– Packet filter: OpenBSD [18]
• TCP/IP stack configuration and modification ("host based")
– IP Personality [19]
– Fingerprint Fucker [12][13]
– Fingerprint scrubber [1]
– OSfuscate [8]
• TCP/IP stack substitution ("proxy behaviour")
– Honeyd [9]
– Packet purgatory / Morph [10]
Software base
• C++ language
• "UserLand" application
• Built on the Qt4 "framework"
• Components:
– IpMorph (Core)
– IpMorph Controller
– IpMorph Personality Manager
– IpView (IpMorph GUI)
• Portability:
– GNU/Linux
– *BSD, Mac OS
• GPLv3 license
General architecture
[Figure: general architecture. Two symmetric packet paths, an "exposed IP stack" (network-facing) and a "protected IP stack" (towards the real host), joined by a context queue and a scheduler.]
• Interface layer on each side: eth / tap / fd, Eth. Read, Eth. Write
• Per-stack filters on each side: (R)ARP, IP Filter, ICMP Filter, UDP Filter, TCP Filter & Processor, Frag. & Reass. (layers ETH, IP, ICMP, UDP, TCP)
• Between the two stacks: Context queue, Scheduler
• Context trackers & data processors (plugins): (R)ARP translation processor, IP, ICMP, UDP and TCP context trackers
Nmap: signature format
Fingerprint FreeBSD 7.0-CURRENT
Class FreeBSD | FreeBSD | 7.X | general purpose
SEQ(SP=101-10D%GCD=<7%ISR=108-112%TI=RD%II=RI%TS=20|21|22)
OPS(O1=M5B4NW8NNT11%O2=M578NW8NNT11%O3=M280NW8NNT11%O4=M5B4NW8NNT11%O5=M218NW8NNT11%O6=M109NNT11)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF)
ECN(R=Y%DF=Y%T=40%TG=40%W=FFFF%O=M5B4NW8%CC=N%Q=)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%TG=40%W=FFFF%S=O%A=S+%F=AS%O=M109NW8NNT11%RD=0%Q=)
T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=S%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
…
Fields:
SP: TCP ISN predictability
GCD: TCP ISN greatest common divisor
ISR: TCP ISN counter rate
TI: TCP IP ID sequence generation algorithm
II: ICMP IP ID sequence generation algorithm
TS: TCP timestamp option algorithm
SS: shared IP ID sequence boolean
W1-W6: TCP initial window size
O1-O6: TCP options (ordering & values)
DF: IP don't fragment bit
T: IP initial time-to-live
TG: IP initial time-to-live guess
W: TCP initial window size
S: TCP sequence number
A: TCP acknowledgment number
F: TCP flags
RD: TCP RST data checksum
Q: TCP miscellaneous quirks
TOS: IP type of service
IPL: IP total length
UN: unused port unreachable field nonzero
RID: returned probe IP ID value
RIPCK: returned probe IP checksum value
RUCK: returned probe UDP checksum
RUL: returned probe UDP length
RIPL: returned probe IP total length value
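As an added example (not from the slides, and not IpMorph's or Nmap's own code), this Python snippet parses a fingerprint in the format above and applies the matching rules its expression syntax implies: hex ranges such as SP=101-10D, bounds such as GCD=<7, alternatives such as TS=20|21|22, and literals. SAMPLE and the observed values in the test are constructed (the test lines are copied from the slide's FreeBSD fingerprint), and the unweighted score is a simplification of Nmap's weighted matching.

```python
# Constructed sample in the Nmap 2nd-generation fingerprint format shown above; the test
# lines are copied from the slide's FreeBSD 7.0-CURRENT reference fingerprint.
SAMPLE = """Fingerprint FreeBSD 7.0-CURRENT
Class FreeBSD | FreeBSD | 7.X | general purpose
SEQ(SP=101-10D%GCD=<7%ISR=108-112%TI=RD%II=RI%TS=20|21|22)
T2(R=N)
T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
"""

def parse_fingerprint(text):
    """Return (name, class line, {test: {attribute: expression}}) for one fingerprint."""
    name, cls, tests = None, None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            cls = line[len("Class "):]
        elif line.endswith(")") and "(" in line:       # e.g. SEQ(SP=101-10D%GCD=<7...)
            test, _, body = line[:-1].partition("(")
            # '%'-separated key=expr pairs; an empty expr (O=, Q=) is valid and kept
            tests[test] = dict(item.partition("=")[::2] for item in body.split("%") if item)
    return name, cls, tests

def _hex(s):
    return bool(s) and all(c in "0123456789abcdefABCDEF" for c in s)

def value_matches(expr, observed):
    """Nmap-style match: 'a|b' alternatives, 'lo-hi' hex range, '<n' / '>n' hex bound, literal."""
    for alt in expr.split("|"):
        if alt == observed:
            return True
        if not _hex(observed):               # ranges and bounds only apply to hex values
            continue
        val = int(observed, 16)
        if alt[:1] in ("<", ">") and _hex(alt[1:]):
            bound = int(alt[1:], 16)
            if (val < bound) if alt[0] == "<" else (val > bound):
                return True
        elif "-" in alt:
            lo, _, hi = alt.partition("-")
            if _hex(lo) and _hex(hi) and int(lo, 16) <= val <= int(hi, 16):
                return True
    return False

def score(tests, observed):
    """(matched, total) over attributes present in both the signature and the observation."""
    pairs = [(e, observed[t][k]) for t, a in tests.items() for k, e in a.items() if k in observed.get(t, {})]
    return sum(value_matches(e, o) for e, o in pairs), len(pairs)
```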
SinFP: signature database (sqlite)
SinFP: signature format
104,1,IPv4,Windows,Microsoft,Windows,Vista,Vista,B11113,B...13,B.....,F0x12:F0x12:F0x12,M1460,M1[34]..,M\d+,O0204ffff,O0204ffff,O0204ffff,W8192,W8[012]..,W\d+,B11113,B...12,B.....,F0x12,F0x12,F0x12,M1460,M1[34]..,M\d+,O0204ffff010303080402080affffffff44454144,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?,W8192,W8[012]..,W\d+,B11121,B...21,B.....,F0x04,F0x04,F0x012,M0,M0,M0,O0,O0,O0W0,W0,W0
Columns: idSignature, ipVersion, systemClass, vendor, os, osVersion, osVersionFamily, trusted
Then, for each of the three probes (Test P1, Test P2, Test P3), one field per parameter with three heuristics each:
Binary: heuristic0, heuristic1, heuristic2
TcpFlags: heuristic0, heuristic1, heuristic2
TcpMss: heuristic0, heuristic1, heuristic2
TcpOptions: heuristic0, heuristic1, heuristic2
TcpWindow: heuristic0, heuristic1, heuristic2
p0f: signature format
8192:128:1:52:M*,W8,N,N,N,S:.:Windows:Vista (beta)
Fields, left to right: TCP window size, TCP initial TTL, IP don't fragment bit, TCP SYN packet size, TCP options, quirks, OS system class, OS name
• Version 2.0.8 (2006)
• 6 analysis parameters
• SYN packets only (default = p0f.fp)
• Other signature files for the other (experimental) modes
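Added example, not from the slides nor from p0f's or IpMorph's code: a Python parser for the eight-field line above and a matcher that checks a constructed SYN (SEEN_SYN) against it the way the six parameters are used (TTL distance, DF, SYN size, option order with M*/W* wildcards, window as a number or a multiple of MSS/MTU). MAX_DISTANCE is this example's own hop-distance cutoff, not a rule taken from p0f, and quirks are parsed but not compared.

```python
# p0f 2.x SYN signature from the slide (wss:ttl:df:size:options:quirks:genre:details)
SIG_LINE = "8192:128:1:52:M*,W8,N,N,N,S:.:Windows:Vista (beta)"

# Constructed observation of one SYN, as a capture parser would extract it:
# window size, TTL seen on the wire, DF bit, total IP length, TCP options in order.
SEEN_SYN = {"wss": 8192, "ttl": 121, "df": 1, "size": 52,
            "options": ["M1460", "W8", "N", "N", "N", "S"]}

MAX_DISTANCE = 32   # hop-distance cutoff chosen for this example, not p0f's own rule

def parse_p0f_signature(line):
    """Split one p0f.fp line into its eight ':' fields (quirks are kept but not compared here)."""
    wss, ttl, df, size, opts, quirks, genre, details = line.split(":", 7)
    return {"wss": wss, "ttl": int(ttl), "df": int(df), "size": int(size),
            "options": [] if opts == "." else opts.split(","),
            "quirks": "" if quirks == "." else quirks, "genre": genre, "details": details}

def wss_matches(spec, wss, mss):
    """Window spec: '*' any, a number, 'Sn' = n x MSS, 'Tn' = n x MTU (MTU taken as MSS + 40)."""
    if spec == "*":
        return True
    if spec.isdigit():
        return wss == int(spec)
    if spec[:1] in ("S", "T") and mss:
        unit = mss if spec[0] == "S" else mss + 40
        return wss == int(spec[1:]) * unit
    return False

def match_syn(sig, syn):
    """Return (True, hop distance) if the SYN fits the signature, else (False, None)."""
    if syn["df"] != sig["df"] or syn["size"] != sig["size"]:
        return False, None
    distance = sig["ttl"] - syn["ttl"]          # initial TTL minus TTL on the wire
    if not 0 <= distance < MAX_DISTANCE:
        return False, None
    if len(syn["options"]) != len(sig["options"]):
        return False, None
    mss = None
    for want, got in zip(sig["options"], syn["options"]):
        if got.startswith("M"):
            mss = int(got[1:])
        if want in ("M*", "W*"):                # wildcard checks only the option kind
            if got[:1] != want[:1]:
                return False, None
        elif want != got:
            return False, None
    if not wss_matches(sig["wss"], syn["wss"], mss):
        return False, None
    return True, distance
```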
Ring2 - congestion spoofing
Personality Manager
Outlook
• June 2009
– SSTIC 2009
– "Official" presentation
– "Beta release" 0.1 (available for "download" by e-mail)
• End of 2009 - early 2010
– "Refactoring" (Qt4?, uIP!, testing in production, …)
– PersonalityManager, filtering integration, …
– Version 0.2 available for "download" on the Internet
– Documentation, "UserGuide", …
– Integration of a few application-level "scrubbers" (DNS, SMB, DHCP, …)?
Demonstration
[Figure: demonstration set-up]
• Host 192.168.10.110: Linux Ubuntu 8.04, interfaces tap0 and eth0 (LAN)
• Host 192.168.10.73: Nmap, Xprobe2, SinFP, p0f
Demonstration scenario:
• Configuration
– 1 - Interface tap0
– 2 - VirtualBox
– 3 - IpMorph
• "Active" fingerprinting
– 4 - Xprobe2
– 5 - Nmap
– 6 - SinFP in active mode
• "Passive" fingerprinting
– 7 - SinFP in passive mode
– 8 - p0f
Thank you for your attention.