Charla antifingerprinting (Anti-fingerprinting talk)

The art of disguise
Anti-fingerprinting techniques

Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel
The art of disguise - Anti-fingerprinting techniques by Daniel García García a.k.a. cr0hn is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License (CC BY-NC-ND 3.0).
Permissions beyond the scope of this license may be available at: [email protected].
Index

1. FreeBSD: a brief introduction.
2. How does fingerprinting work?
3. How to defeat it?
FreeBSD…
A brief introduction
1 - FreeBSD: A brief introduction

1. How to install it?
2. How to manage software?
3. How to install a program?
4. Main differences from GNU/Linux.
How to install it?

Simple… with a wizard.
Software management

• What is the ports system?
• Why are ports a good idea?
• How do ports work?

The ports tree under /usr/ports is a collection of Makefiles, one per program, that fetch the upstream source, apply the port's own patches from its files/ directory, then configure, build and install it; packages are the prebuilt result of the same recipe.
Installing new software

Compiling… (from the ports tree)

From binaries… (prebuilt packages)
Main differences with GNU/Linux

| | FreeBSD | GNU/Linux |
|---|---|---|
| General config file | /etc/rc.conf | Multiple config files and directories |
| Service start scripts | /etc/rc.d/ and /usr/local/etc/rc.d/ | /etc/init.d/ |
| User directories | /usr/home | /home |
| Kernel | Config of about 200 lines; many security features included | Config file very complicated; extra features via patches |
| Compiling software natively | Supported by the base system (ports) | Only some distributions can do it, like Gentoo |
Fingerprinting…
How does it work?
2 – Fingerprinting: How does it work?

1. Why hide your systems?
2. Operating system level.
3. Service level.
4. Application level.
Why hide your OS and services?

1. To hide from known (and unknown!) exploits: an attacker who cannot name your version cannot pick the exploit for it.
2. Sometimes you are forced to run unpatched versions of software.
3. If somebody knows the OS you are running, they can also guess the applications running on it.
4. Privacy: nobody needs to know which systems you have running.
Fingerprinting: Risk demo
Operating System level

• TTL. The TTL seen on the wire is the sender's default minus the number of hops, so a scanner rounds it up to the nearest common default:

| OS | Default TTL |
|---|---|
| Linux/*BSD | 64 |
| Windows | 128 |
| OpenBSD | 255 |
| AIX | 30 |
Operating System level

• Common TCP initial window size (the window advertised in the SYN/SYN-ACK, in hex):

| OS | Initial window |
|---|---|
| Linux | 0x16A0 (5792) |
| Windows | 0x2000 (8192) |
| OpenBSD | 0x4000 (16384) |
| AIX | 0x4470 (17520) or 0xFFFF (65535) |
| *BSD | 0xFFFF (65535) |
Operating System level

• IP ID sequence generation algorithm (incremental, random, all zeros).
• Response to invalid TCP flag combinations (e.g. NULL or SYN+FIN).
• Answer to a closed port: RST, nothing, or ICMP unreachable.
• TCP send/receive window sizes.
• Ephemeral (source) port ranges.
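To see how a scanner combines the two tables, here is an added example (not from the talk) of a passive classifier in POSIX sh: it rounds an observed TTL up to the nearest default, matches the SYN window against the table above, and runs over a constructed capture. The host records are made up, and the OS labels and hop arithmetic are this example's simplification of what p0f or nmap do.

```shell
#!/bin/sh
# Added example, not from the talk: a minimal passive classifier that applies the
# TTL and initial-window tables from the slides to constructed packet records.
# The records at the bottom are made up; in practice the fields come from a
# capture (tcpdump -v prints the ttl, the window is in the SYN's TCP header).

# The TTL seen on the wire is the sender's default TTL minus the hop count, so
# round it up to the nearest default from the table (30 AIX, 64 Linux/*BSD,
# 128 Windows, 255 OpenBSD).
initial_ttl() {
    if   [ "$1" -le 30 ];  then echo 30
    elif [ "$1" -le 64 ];  then echo 64
    elif [ "$1" -le 128 ]; then echo 128
    else                        echo 255
    fi
}

# guess_os OBSERVED_TTL SYN_WINDOW_HEX -> one line "OS (hops=N)"
# The window separates hosts that share a TTL (Linux and *BSD both use 64).
guess_os() {
    ttl=$1
    win=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    init=$(initial_ttl "$ttl")
    hops=$((init - ttl))
    case "$init/$win" in
        64/16A0)         os="Linux" ;;
        64/FFFF)         os="FreeBSD/NetBSD" ;;
        128/2000)        os="Windows" ;;
        255/4000)        os="OpenBSD" ;;
        30/4470|30/FFFF) os="AIX" ;;
        64/*)            os="Linux or *BSD (TTL only)" ;;
        128/*)           os="Windows (TTL only)" ;;
        *)               os="unknown" ;;
    esac
    printf '%s (hops=%d)\n' "$os" "$hops"
}

# classify_records reads "host ttl window" lines on stdin and prints a guess
# per host.
classify_records() {
    while read -r host ttl win; do
        printf '%-12s %s\n' "$host" "$(guess_os "$ttl" "$win")"
    done
}

# Constructed sample capture (host, observed TTL, SYN window in hex). The last
# record is a FreeBSD box whose TTL and receive buffer were tuned as the talk
# later describes: it now classifies as Windows, which is the intended effect.
classify_records <<'EOF'
10.0.0.5 57 16a0
10.0.0.9 120 2000
10.0.0.23 250 4000
10.0.0.42 64 FFFF
10.0.0.77 128 2000
EOF
```

Real tools match many more fields (TCP option order, DF bit, timestamps, the answers to the malformed probes listed above), so changing TTL and window alone only moves the guess; the nmap check later in the deck is the honest test.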
Service level

• Banners: the version string a service sends on connect (SSH, FTP, SMTP) or in a header (HTTP Server:), readable by anyone before any authentication.
Application level

• Session ID variable name (PHPSESSID / JSESSIONID) gives away the platform (PHP / Java servlet container).
• Hidden or forgotten files (readme, changelog, backups).
• Meta headers (e.g. <meta name="generator">).
• Variable and method names.
Application level

A practical example: Metadata.

A practical example: Lost files.
The fight…
How to defeat it?
3 – Defeating fingerprinting

• Kernel parameters
• Changing banners
• Modifying applications
Kernel parameters

Disable (if you don't need them):
• SCTP
• IPv6
Both are kernel build options on FreeBSD (options SCTP and options INET6 in the kernel config); every extra protocol stack is another set of probe responses that identify the system.

Kernel parameters

In your /etc/sysctl.conf
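Since the slide's sysctl listing survives only as an image, here is an added example (not the talk's own file) of a FreeBSD /etc/sysctl.conf that changes the OS-level signals from the previous section, plus a check that the file is in the form sysctl -f accepts. The MIB names are real FreeBSD sysctls; the values are this example's "look like Windows" profile, not the speaker's.

```shell
#!/bin/sh
# Added example, not the talk's own file: writes the FreeBSD /etc/sysctl.conf
# settings that change the OS-level signals discussed earlier (TTL, window
# sizes, closed-port answers, IP ID, ephemeral port range). The numbers are one
# possible "look like Windows" profile chosen for this example. $1 is the file
# to write: a scratch file here, /etc/sysctl.conf on the host (then
# "service sysctl restart", or reboot).

write_antifp_sysctl() {
    cat > "$1" <<'EOF'
# --- anti-fingerprinting: OS level ---
# Default TTL 64 says "Linux/*BSD"; 128 is what Windows uses.
net.inet.ip.ttl=128
# The advertised TCP window follows the socket buffer size. The default
# 65536 gives the *BSD 0xFFFF signature; 8192 = 0x2000 looks like Windows.
net.inet.tcp.recvspace=8192
net.inet.tcp.sendspace=8192
# Closed ports: drop silently instead of answering RST / ICMP unreachable.
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
# IP ID: random instead of a predictable counter.
net.inet.ip.random_id=1
# Drop SYN+FIN probes used by OS detection (old kernels needed
# options TCP_DROP_SYNFIN for this knob to exist).
net.inet.tcp.drop_synfin=1
# Ephemeral source ports: 49152-65535 (IANA range, also Windows Vista+).
net.inet.ip.portrange.first=49152
net.inet.ip.portrange.last=65535
EOF
}

# sysctl -f only accepts "name=value" lines and whole-line comments, so verify
# the file before installing it. Returns 0 if every line is acceptable.
check_sysctl_conf() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        grep -vq '^[a-z0-9_.]*=[^[:space:]]*$' && return 1
    return 0
}

# sysctl_value FILE NAME -> the value FILE sets for NAME (empty if absent).
sysctl_value() {
    sed -n "s/^$2=//p" "$1"
}
```

Shrinking the socket buffers costs throughput on fast links, and blackholing closed ports also hides them from your own monitoring; tune one signal at a time and re-scan with nmap -O after each change.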
Service level
How to defeat it?

• Changing configuration files (when the software lets you set or hide the banner).
• Changing the source code of the software (when the version string is compiled in).
How to make a patch

Steps to make a patch:
1. Download the source code of the application you want to patch.
2. Extract the code and make a copy of it.
3. In your copy, make the changes you need.
4. Run diff against the original to extract the changes.
5. Save the changes into a patch-* file.
How to make a patch: Nginx

Steps 1 and 2:
1. Download the source code of Nginx.
2. Create a copy of the source.

Step 3:
• Locate the file that contains the version information:
• Change the version information:

Steps 4 and 5:
• Make a diff against the original file and save it into the patch.
FreeBSD patching method

What does FreeBSD need to apply our patch?
• Put your file into:
/usr/ports/CATEGORY/PROG/files
• Your patch must be named like:
patch-ORIGINAL_FILE_NAME
• Change the relative paths in your patch: the ports framework applies files/patch-* from the extracted source directory (WRKSRC) with -p0, so the paths in the --- and +++ lines must be relative to that directory:
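The five steps above, carried out for nginx in a scratch directory, as an added example (not the talk's own script): the nginx.h below is a constructed stand-in with the real NGINX_VERSION and NGINX_VER macro names, the fake banner string and the patch-nginx.h name follow the slide's convention, and /usr/ports/www/nginx/files and WRKSRC are the ports framework's paths.

```shell
#!/bin/sh
# Added example, not the talk's own script: produces a ports-style banner patch
# for nginx following steps 2-5 and the files/patch-<name> convention. It runs
# on a *constructed* copy of src/core/nginx.h so it works offline; on a real box
# the source tree is the extracted tarball ("make extract" in /usr/ports/www/nginx
# puts it under work/) and the patch goes into /usr/ports/www/nginx/files/.

# Constructed stand-in for the upstream file (same macros, made-up version).
make_sample_tree() {
    mkdir -p "$1/src/core"
    cat > "$1/src/core/nginx.h" <<'EOF'
#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_

#define nginx_version      1002001
#define NGINX_VERSION      "1.2.1"
#define NGINX_VER          "nginx/" NGINX_VERSION

#define NGINX_VAR          "NGINX"
#define NGX_OLDPID_EXT     ".oldbin"

#endif /* _NGINX_H_INCLUDED_ */
EOF
}

# make_banner_patch SRC OUTDIR FAKE_BANNER -> prints the path of the patch
make_banner_patch() {
    src=$1; out=$2; fake=$3
    file=src/core/nginx.h
    # Step 2: keep the pristine file next to the edited one so diff can compare.
    cp "$src/$file" "$src/$file.orig"
    # Step 3: NGINX_VER is what reaches the Server: header and the error pages;
    # NGINX_VERSION is what "nginx -v" prints. Replace both.
    sed -e "s|^#define NGINX_VERSION .*|#define NGINX_VERSION      \"6.0\"|" \
        -e "s|^#define NGINX_VER .*|#define NGINX_VER          \"$fake\"|" \
        "$src/$file.orig" > "$src/$file"
    # Steps 4-5: unified diff with paths relative to the source root, because
    # the ports framework applies files/patch-* from WRKSRC with -p0. diff exits
    # 1 when the files differ, which is what we want, so ignore that status.
    mkdir -p "$out"
    ( cd "$src" && diff -u "$file.orig" "$file" > "$out/patch-nginx.h" ) || true
    echo "$out/patch-nginx.h"
}

# banner_in_patch PATCH -> the Server banner string the patch introduces
banner_in_patch() {
    sed -n 's/^+#define NGINX_VER *"\([^"]*\)".*/\1/p' "$1"
}
```

With the file in /usr/ports/www/nginx/files/, building the port applies it automatically. Two caveats: the nginx.conf route (server_tokens off) only drops the number and still says "nginx", which is why the source is patched here; and the patch has to be regenerated whenever the port moves to a new upstream version, since the --- line records the old contents.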
FreeBSD patching method

And now, how do we compile our patched software…?

Even an idiot can do it! Build the port as usual; the framework applies everything in files/patch-* by itself.
Service level

Learning with examples:
• Nginx
• OpenSSH
• PureFTPd
• Apache Tomcat
Service level: Nginx

Where is the version information?
• In nginx.h (the NGINX_VERSION and NGINX_VER macros; NGINX_VER is the string the Server header carries).

The result:
(Yes! I use a public IP for my LAN.)
Service level: OpenSSH

Where is the version information?
• In the Makefile:
• Or in version.h: the SSH_VERSION and SSH_PORTABLE macros are concatenated into the banner (SSH-2.0-OpenSSH_x.yp1). Only the software part after "SSH-2.0-" is free-form; the protocol prefix must stay. The sshd_config option VersionAddendum (where available) can only append text to the banner, not replace the name.

The result:
Service level: PureFTPd

Where is the version information?
• In pure-ftpwho.c
• In altlog.c
• In ftp_parser.c
• In ftpd.c

The result:
Service level: Tomcat

Where is the version information?
• /usr/local/apache-tomcat-7.0/conf/server.xml: the server attribute of a <Connector> element overrides the Server response header.
• The version printed on Tomcat's own error pages and default home page comes from org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar, not from server.xml; it has to be changed there too.

The result:
Service level: nmap

What does nmap think?

Service level: fingerprinting database

Where can we find a database of fingerprints? nmap ships its own in its data directory: nmap-service-probes (banner probes and match rules for version detection) and nmap-os-db (TCP/IP stack fingerprints for -O).
Application level

Learning with examples…
…Testing WordPress
Application level: WordPress

Hiding our WordPress information:
1. WordPress version.
2. WordPress plugin versions.
3. Session ID.
4. Custom error pages.
5. Metadata info.
6. Hashes of static and common files.
Application level: WordPress

Step 1: WordPress version.

Step 2: Plugin versions.

Steps 1 and 2: Hiding versions.

Step 3: Session ID variable.

Step 3: Hiding the session ID variable.

Step 4: Custom error pages… of IIS (the error pages are restyled as IIS ones, so the application matches the fake server banner).

Step 5: Metadata info.

Step 5: Hiding metadata info.
Application level: WordPress

Step 6: Hashes of static and common files.
• Site.com/wp-includes/css/admin-bar.css:
• Some programs have a database of hashes (the md5 of each unmodified core file, per WordPress release):

Step 6: Hiding common hashes:
1. Modify our static files, like the CSS (any byte changes the hash; a comment is enough):
2. Check the new hash:
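Steps 1, 2, 5 and 6 automated from a shell, as an added example (not from the talk): the PHP hooks are real WordPress APIs, while the plugin file name, the scratch WordPress root and the comment appended to admin-bar.css are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: scripts steps 1, 2, 5 and 6 of the WordPress
# list. The PHP is installed as a must-use plugin so it survives theme switches
# and cannot be deactivated from the admin UI. The hooks used (wp_generator on
# wp_head, the_generator, style_loader_src, script_loader_src, remove_query_arg)
# are real WordPress APIs; the file names and the comment text are this
# example's choices. $1 is the WordPress root (a scratch directory here, the
# web root on the host).

install_antifp_mu_plugin() {
    mkdir -p "$1/wp-content/mu-plugins"
    cat > "$1/wp-content/mu-plugins/antifp.php" <<'EOF'
<?php
/* Step 5: remove <meta name="generator" content="WordPress x.y"> from <head>
 * and the <generator> element from RSS/Atom feeds. */
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

/* Steps 1 and 2: core and plugin versions also leak through ?ver=x.y on every
 * enqueued stylesheet and script URL, so strip the query argument. */
function antifp_strip_ver($src) {
    return remove_query_arg('ver', $src);
}
add_filter('style_loader_src',  'antifp_strip_ver', 9999);
add_filter('script_loader_src', 'antifp_strip_ver', 9999);
EOF
    # Step 1 again: readme.html states the exact version in plain text.
    rm -f "$1/readme.html"
}

# md5 of a file, portable between Linux (md5sum) and FreeBSD (md5).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Step 6: rehash_static FILE TAG appends a CSS comment carrying TAG, so the file
# no longer matches the per-release md5 that plecost/wpscan carry while the
# browser renders it unchanged. Prints "<old hash> <new hash>".
rehash_static() {
    before=$(file_md5 "$1")
    printf '\n/* %s */\n' "$2" >> "$1"
    after=$(file_md5 "$1")
    printf '%s %s\n' "$before" "$after"
}
```

Core updates overwrite wp-includes/, so the rehash step has to be repeated after every upgrade; plugin enumeration also reads wp-content/plugins/NAME/readme.txt, which is easier to block in the web server than to patch. None of this replaces patching: it buys time against scanners that match on version strings, and nothing more.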
Application level: WordPress

The result:
• Plecost (http://www.iniqua.com/labs/plecost/): No plugins found!!
Application level: WordPress

The result:
• WPScan (http://code.google.com/p/wpscan/): wpscan doesn't like our filters.
Application level: WordPress

The result:
• Nmap
Application level: WordPress

Final result… We've earned a beer!

Questions?