The art of disguise - Antifingerprinting techniques

The art of disguise
Anti-fingerprinting techniques

1
Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel

Creative Commons License

The art of disguise - Anti-fingerprinting techniques
by Daniel García García a.k.a. cr0hn is licensed under a:

Creative Commons Reconocimiento-NoComercial-SinObraDerivada 3.0 Unported License.

Permissions beyond the scope of this license may be available at: dani@iniqua.com.

2

Index

1. FreeBSD: A brief introduction.

2. How fingerprint works?

3. How to defeat it?

3

FreeBSD…

A brief introduction

4

1 - FreeBSD: A brief introduction

1. How install it?

2. How manage the software?

3. How install program?

4. Main differences between GNU/Linux.

5

How install it?
Simple… With a wizard

6

Software management

• What is a port system?

• Why port is a good idea?

• How port works?

7

Installing new software
Compiling…

8

Installing new software

From binaries…

9

Main differences with GNU/Linux

FreeBSD GNU/Linux
General config file: /etc/rc.conf Multiple config files and directories
Services start
• /etc/rc.d/ Service start: /etc/init.d/
• /usr/local/etc/rc.d/
User directories: /usr/home User directories: /home
Kernel config: about 200 lines Kernel config file: very complicated
Only some distribution can do it, like
Software, natively, can be compiled
Gentoo.

10

The fingerprinting…

How it works?

11

2 – Fingerprinting: How it works?

1. Why hide your systems?

2. Operating system level.

3. Service level.

4. Application level.

12

Why hide your OS and services?

1. To hide of known (and unknown!) exploits.

2. Necessaries unpatched versions of software.

3. If somebody knows OS you’re running also
may guess the application that run in.

4. Privacy: nobody needs to know the systems
you've got running
13

Operating System level
mmm ... fish
• TTL

OpenBSD: 255

Linux/*BSD: 64
Windows: 128
AIX: 30

14

• Common TCP Initial Windows size

*BSD: FFFF OpenBSD: 4000

Linux: 16A0
Windows: 2000 AIX: 4470/FFFF
15


• IP ID sequence generation algorithm.

• Invalid TCP flags combination.

• Answer to closed port: RST, nothing,
ICMP unreachable.

• TCP max send/receive window sizes.

• Port ranges
16

Service level
• Banners

17

Application level

• Session ID var (PHPSESID/JSESSIONID)

• Hidden/lost files.

• Meta headers.

• Vars and methods names.

18

Application level
A practical example: Metadata.

19

Application level
A practical example: Lost files.

20

The fight…

How to defeat it?

21

3 – Defeating fingerprinting

• Kernel parameters

• Changing banners

• Modifying applications

22

Kernel parameters
Disable (if you don’t need)
• SCTP
• IPv6

23

Kernel parameters
In your /etc/sysctl.conf

24

Service level
How to defeat it?

• Changing configuration files

• Changing source code of software*

25

How to make a patch
Step to make a patch:
1. Download the source code of app you want to
patch.

2. Extract code an create a copy of code.

3. From your copy, make the changes you need.

4. Apply a diff to extract changes.

5. Save change into a patch-* file.
26

How to make a patch: Nginx
Step 1 and 2:
1. Download the source code of Nginx.
2. Creating a copy of source.

27

Step 3:
• Locate file that contains information of version:

• Change file information:

28

Step 4 and 5:
• Make a diff with original file and save into patch.

29

FreeBSD patching method
What need FreeBSD to apply our path?
• Put your file into:
/usr/ports/CATEGORY/PROG/files
• Your patch must be named like:
patch-ORIGINAL_FILE_NAME
• Change relative path in your patch:

30

And now, how compile our patched software…?

31

Even an idiot can do it!

32

Service level
Learning with examples:

• Nginx

• OpenSSH

• PureFTPd

33

Service level: Nginx
Where is version information?
• In nginx.h

34

Service level: Nginx
Yes! I use a public
The result: IP for my LAN

35

Service level: OpenSSH
• In Makefile:

• Or in version.h:

36

Service level: OpenSSH
The result:

37

Service level: PureFTPd

• In pure-ftphow.c

• In altlog.c
• In ftp_parser.c

• In ftpd.c

38

Service level: PureFTPd
The result:

39

Service level: nmap
What think nmap?

40

Service level: fingerprinting database
Where can we find a database of fingerprintings?

41

Application level
Learning with examples…

…Testing WordPress

42

Application level: WordPress
Hiding our WordPress information:
1. WordPress version.
2. WordPress’s plugins versions.
3. Session ID
4. Custom error pages.
5. Metadata info
6. Hash of static and common files.

43
Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadanie

Step 1: WordPress version.

44

Step 2: Plugins versions.

45

Step 1 and 2: Hiding versions.

46

Step 3: Session ID var.

47

Step 3: Hiding session ID var.

48

Step 4: Custom error pages… of IIS

49

Step 5: Metadata info.

50

Step 5: Hiding metadata info.

51

Step 6: Hash of static and common files.

• Site.com/wp-includes/css/admin-bar.css:

• Some programs have a database of hashes:

52

Step 6: Hiding common hashes:

1. Modify our static files, like css:

2. Check the new hash:

53

The result:
• Plecost (http://www.iniqua.com/labs/plecost/ )

No plugins
found!!

54

The result:
• WP-scan (http://code.google.com/p/wpscan/)
wp-scan don’t
like our filters

55

The result:
• Nmap

56

Final result….

We've earned a beer!

57

Questions?
58

The art of disguise - Antifingerprinting techniques

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie The art of disguise - Antifingerprinting techniques

Ähnlich wie The art of disguise - Antifingerprinting techniques (20)

Mehr von Daniel Garcia (a.k.a cr0hn)

Mehr von Daniel Garcia (a.k.a cr0hn) (8)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

The art of disguise - Antifingerprinting techniques