DefCon 21, Las Vegas 2013
Let’s Screw With nMap
Overview
Nosey Bastards!
All About Packet Normalization
Working It All Out
Putting It Into Practice
Finishing Up
Network Defenders
We see scans and probes of our network every day
  From the inside and from the outside
Everybody is targeting us
  Identifying our assets
How They Do It
Network stack behaviour is largely left to the implementer (initial TTL, choice and order of TCP options, window size, IP ID generation …)
Those differences identify the operating system type and version
Allowing attackers to identify their targets
  By matching the headers their target sends against known operating system implementations
If your target …
  Has a TTL of 128
  Uses the following options, in this order
    MSS of 1460
    Single NOP
    Window Scale 0
    Single NOP
    Single NOP
    Ending SACK permitted
  (in Nmap’s option notation: M5B4NW0NNS)
… then it’s likely a Windows 2003 Server!
Implications
If they identify your assets …
  They know their weaknesses
  How to attack them successfully
  Without triggering your sensors
TSA-Style patdowns …
It’s a fact of life
But does it have to be?
Why can’t we …
Remove the differences
  To remove their advantage
  Strip them of their ability to fingerprint
  To significantly reduce their chance of success
My Answer
Packet Normalization
OK. What is packet normalization?
Had anyone thought of this before?
  Not an entirely developed concept
  Many expressions, but most incomplete …
Normalization vs. Scrubbing
Scrubbing is to do away with; cancel
Normalization is to make normal, especially to cause to conform to a standard or norm
Both are seen in varying degrees
Scrubbing
Used by a number of firewalls (OpenBSD pf scrub, for example)
  Randomize IP ID
  Clear IP DF
Also …
  Set IP ToS/DSCP and TTL
  IP fragment reassembly
Primary concern
  Policy violations
  Abnormal packets
  Abnormal flows
Scrubbing
Custom patch for netfilter
  Random IP ID
  Randomize TCP timestamp
  Randomize TCP SEQ
  Clear IP ToS/DSCP
  IP TTL tinkering
Developed by Nicolas Bareil
  Mentions fingerprint prevention
  Host only
Scrubbing
Used by some network devices such as Cisco ACE and ASA
  Random TCP SEQ
  Clear TCP reserved bits and URG
  Clear TCP options
  Minimum IP TTL
  Fragment reassembly too …
Primary concern
  Policy violations
  Abnormal packets
  Abnormal flows
Incoming Normalization
Used by IPS and IDS devices
  IP fragment reassembly
  IP TTL evasion
Primary concern
  Detect attacks
  Detection evasion
Outgoing Normalization?
Fingerprinting Process
TCP, UDP, and ICMP probes are sent
Compile the results into a fingerprint
Compare against the database
Identify the operating system
Where to Start?
Nmap fingerprint database
What about other fingerprinting tools?
  xprobe2
  amap
  Vulnerability scanners … Nessus et al.
Best to disrupt any existing patterns
Clear out any unnecessary values
  IP ToS/DSCP/Traffic Class cleared
  IP ECN cleared
  TCP URG flag and URG pointer cleared
Randomize anything that you can
  IP ID
IP TTL/Hop Limit? TCP options?
Scrubbing
Packet Normalization
Outgoing Normalization
Normalizing(IP Time-To-Live / Hop Limit)
Make some assumptions
  Originally a well-known TTL (32, 64, 128 or 255)
  Decrements only
  Traveled < 32 hops
Back into the original starting TTL
  Estimate the number of hops traveled
  Recalibrate the current TTL using a starting TTL of 255
Normalizing(IP Time-To-Live / Hop Limit)
Start with the lowest well-known TTL first!
Several exceptions to this normalization …
  Will be discussed later
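The recalibration described on these two slides, written out as a small C function. This is an added example, not IDGuard’s code: the well-known TTL list, the MAX_HOPS cut-off and the decision to pass values outside the < 32 hop assumption through unchanged are my choices, and the sample TTLs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Well-known initial TTLs, lowest first: 32 (some older stacks), 64 (Linux, BSD, macOS),
 * 128 (Windows), 255 (Solaris, Cisco IOS and most network gear). */
static const uint8_t known_ttls[] = { 32, 64, 128, 255 };
#define MAX_HOPS    32   /* the talk's assumption: the packet has traveled fewer than 32 hops */
#define NORMAL_TTL  255  /* every normalized host appears to have started at 255 */

/* Recalibrate an outgoing IP TTL / IPv6 hop limit.  Pick the lowest well-known starting
 * TTL that is >= the observed value ("start with the lowest well-known TTL first"), treat
 * the difference as hops already traveled, and re-express that distance from a start of
 * 255 so the hop count stays honest.  If the implied hop count violates the < 32
 * assumption the value is returned unchanged (my choice for this example; the talk deals
 * with the special cases by excluding those flows). */
uint8_t normalize_ttl(uint8_t ttl)
{
    for (size_t k = 0; k < sizeof known_ttls; k++) {
        if (ttl <= known_ttls[k]) {
            unsigned hops = known_ttls[k] - ttl;
            return hops < MAX_HOPS ? (uint8_t)(NORMAL_TTL - hops) : ttl;
        }
    }
    return ttl;  /* not reached: 255 is the last entry and covers every value */
}

int main(void)
{
    /* Constructed sample values: Windows and Linux hosts a few hops away, a device that
     * already starts at 255, and one value no well-known start explains within 32 hops. */
    uint8_t samples[] = { 128, 125, 64, 60, 255, 240, 70 };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("observed TTL %3u -> normalized %3u\n", samples[i], normalize_ttl(samples[i]));
    return 0;
}
```

Two of the later "Concerns" slides fall straight out of this function. A traceroute probe leaving with TTL 1, 2, 3 … is rewritten to 224, 225, 226 …, so the TTL never expires (the "TTL special uses" slide). And because anything within 31 of a well-known value is pushed back up, a packet that re-enters the normalizer keeps getting extended, which is why the talk insists on end-point switch placement: the function is only safe when each packet passes through it once, at the host-facing port.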
Normalizing(TCP Options)
Assumptions
  Only a few well-known options are needed
  Order is unimportant
Requirement …
  Values can’t be changed
Read the necessary options
Discard the rest
Rewrite the options in the proper order
NOP … till the end of the options
Normalizing(TCP Options)
Options selected … and their order
  MSS
  Window Scale
  SACK permitted
  MD5 … if present
After processing …
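To make the option rules on these slides, and the Windows 2003 fingerprint shown earlier, concrete, here is an added C example. It is not IDGuard’s code and nothing in it comes from the talk’s kernel module. It renders a TCP options field in the letter notation Nmap uses for its O tests (M, N, W, T, S, L, as documented in the osdetect-methods chapter linked at the end), then normalizes the field per the rules above and renders it again. The option bytes are constructed to look like a Windows 2003 SYN (M5B4NW0NNS) and a Linux SYN; the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TCP option kinds: RFC 793 (EOL, NOP, MSS), RFC 7323 (WS, TS), RFC 2018 (SACK-permitted), RFC 2385 (MD5). */
enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2, OPT_WS = 3, OPT_SACK_PERM = 4, OPT_TS = 8, OPT_MD5 = 19 };

/* Length of the option starting at opts[i] (1 for EOL/NOP), or 0 if it is malformed. */
static size_t option_len(const uint8_t *opts, size_t len, size_t i)
{
    if (opts[i] == OPT_EOL || opts[i] == OPT_NOP) return 1;
    if (i + 1 >= len) return 0;                       /* length byte missing */
    size_t olen = opts[i + 1];
    return (olen < 2 || i + olen > len) ? 0 : olen;   /* bad length or runs past the field */
}

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* Render an option field in Nmap's O-test notation: M<mss hex>, N, W<scale hex>,
 * T<TSval!=0><TSecr!=0>, S, L.  Kinds Nmap has no letter for (e.g. MD5) are skipped.
 * Returns the number of characters written, or -1 on malformed input / too small a buffer. */
int render_nmap_o(const uint8_t *opts, size_t len, char *out, size_t outsz)
{
    size_t i = 0, n = 0;
    out[0] = '\0';
    while (i < len) {
        size_t olen = option_len(opts, len, i);
        if (olen == 0 || n + 6 >= outsz) return -1;   /* longest token is "M" + 4 hex digits */
        switch (opts[i]) {
        case OPT_EOL: return (int)(n + sprintf(out + n, "L"));
        case OPT_NOP: n += sprintf(out + n, "N"); break;
        case OPT_MSS: if (olen == 4) n += sprintf(out + n, "M%X", (unsigned)(opts[i+2] << 8 | opts[i+3])); break;
        case OPT_WS:  if (olen == 3) n += sprintf(out + n, "W%X", (unsigned)opts[i+2]); break;
        case OPT_SACK_PERM: if (olen == 2) n += sprintf(out + n, "S"); break;
        case OPT_TS:  if (olen == 10) n += sprintf(out + n, "T%d%d", be32(opts + i + 2) != 0, be32(opts + i + 6) != 0); break;
        default: break;
        }
        i += olen;
    }
    return (int)n;
}

/* Normalize the options field in place per the talk's rules: keep MSS, Window Scale,
 * SACK-permitted and MD5 (if present) with their values untouched, emit them in that fixed
 * order, drop everything else (timestamps included) and pad with NOP so the TCP header
 * length is unchanged.  Returns 0, or -1 for malformed options (packet left untouched).
 * The caller must recompute the TCP checksum afterwards (netfilter code would use inet_proto_csum_replace*). */
int normalize_tcp_options(uint8_t *opts, size_t len)
{
    const uint8_t *keep[4] = { NULL, NULL, NULL, NULL };   /* MSS, WS, SACK, MD5 in output order */
    uint8_t out[40];                                       /* the options field is at most 40 bytes */
    size_t i = 0, n = 0;
    if (len > sizeof out) return -1;
    while (i < len && opts[i] != OPT_EOL) {
        size_t olen = option_len(opts, len, i);
        if (olen == 0) return -1;
        if (opts[i] == OPT_MSS       && olen == 4)  keep[0] = opts + i;
        if (opts[i] == OPT_WS        && olen == 3)  keep[1] = opts + i;
        if (opts[i] == OPT_SACK_PERM && olen == 2)  keep[2] = opts + i;
        if (opts[i] == OPT_MD5       && olen == 18) keep[3] = opts + i;
        i += olen;
    }
    for (size_t k = 0; k < 4; k++) {
        if (!keep[k]) continue;
        memcpy(out + n, keep[k], keep[k][1]);   /* distinct slices of opts, so n never exceeds len */
        n += keep[k][1];
    }
    memset(out + n, OPT_NOP, len - n);
    memcpy(opts, out, len);
    return 0;
}

/* Convenience wrapper returning a static string ("<malformed>" on error); single-threaded demo use only. */
const char *nmap_o_string(const uint8_t *opts, size_t len)
{
    static char buf[64];
    return render_nmap_o(opts, len, buf, sizeof buf) < 0 ? "<malformed>" : buf;
}

/* Constructed sample option fields (not captured traffic). */
uint8_t win2003_opts[12]  = { 2,4,0x05,0xb4, 1, 3,3,0, 1,1, 4,2 };                        /* M5B4NW0NNS  */
uint8_t linux_opts[20]    = { 2,4,0x05,0xb4, 4,2, 8,10, 0,1,0xe2,0x40, 0,0,0,0, 1, 3,3,7 }; /* M5B4ST10NW7 */
uint8_t truncated_opts[2] = { 2, 4 };                                                   /* MSS with no value */

int main(void)
{
    uint8_t *fields[] = { win2003_opts, linux_opts, truncated_opts };
    size_t lens[] = { sizeof win2003_opts, sizeof linux_opts, sizeof truncated_opts };
    for (size_t s = 0; s < 3; s++) {
        printf("%-12s -> ", nmap_o_string(fields[s], lens[s]));
        puts(normalize_tcp_options(fields[s], lens[s]) == 0 ? nmap_o_string(fields[s], lens[s]) : "left untouched (malformed)");
    }
    return 0;
}
```

Before normalization the two fields read M5B4NW0NNS and M5B4ST10NW7, which is exactly the kind of difference the fingerprint database keys on. Afterwards they read M5B4W0SNNN and M5B4W7SNNNNNNNNNNN: same option set, same order, same padding, and the only thing left to distinguish them is the window scale value the talk says must not be changed. Dropping the timestamp option from a SYN simply means the connection proceeds without timestamps, which is legal; the header length is preserved so nothing but the checksum needs further repair.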
Making everyone look the same
Putting It All Together
With IDGuard
Selecting The Platform
Identified suitable hardware
  Already modified by others
  Documentation available … Mikrotik RouterBoards
Identified suitable operating system
  Available base
  Writeable file system … OpenWrt
Best to develop in a VM first!
Building the Development Environment
Download the Debian 6.0 net-install CD-ROM
Build a VMware VM
Install rcp100 from SourceForge
Configure rcp100 routing functions
Building the Development Environment
Configuring the Development Environment
Deploying the Kernel Module
Download IDGuard v0.50
Install IDGuard
Deploying the Kernel Module
OK … What worked?
I am really tired of those nosey bastards!
What Didn’t Work
ToS/DSCP/Traffic Class clearing
ECN clearing
URG flag and URG pointer clearing
IP ID randomization
DF clearing
… the Scrubbing
What Worked
TTL standardizing
TCP option standardizing
… the Normalization
End Results

Operating System             Unprotected                 Protected
Windows 7                    Microsoft Windows 7|2008    Allied Telesyn AlliedWare
Windows Server 2003          Microsoft Windows 2003      Allied Telesyn AlliedWare
Ubuntu Desktop 11.10         Linux 2.6.X|3.X             Cisco IOS 12.X
Red Hat Enterprise Linux 6   Linux 2.6.X|3.X             D-Link embedded
Other Effects
Nmap
  Network distance
Other fingerprinting
  xprobe2
  Nessus …
Other tools
  ping
  traceroute
Deploying to Hardware
Purchase the hardware from a local vendor
Download an OpenWrt kernel image with an embedded initramfs
Set up a DHCP & TFTP netboot environment
Connect to the RouterBoard
Configure the RouterBoard for DHCP
Back up RouterOS
Prepare the OpenWrt images
Flash it
Deploying to Hardware
Demonstration
Challenges
Authorized activity
Other methods
  Banners and direct query
  Identification through Layer 7
Challenges
Authorized activity
  Scanners
  Management platforms
Resolution
  Exclude them …
Challenges
Banners and direct query
  Windows networking available
  Application-layer query
  OS details in reply
Resolution
  Perimeter network
  Internal network
Concerns
Connectivity
  Fragmentation
    Upstream
    Downstream
  TTL attenuation
  TTL special uses
  TCP options sensitivity?
  Link-local routing protocols
Concern
Upstream fragmentation
  IP ID randomized
  “Fragmentation Needed” ICMP message received
  Host is confused (the ICMP error quotes the rewritten header, not the one it sent)
  Keeps sending the original packet
Resolution
  Clear DF
Concern
Downstream fragmentation
  Each fragment given a different IP ID
  Destination can’t reassemble
Resolution
  End-point switch placement
  Exclude fragments
Concern
TTL attenuation
  Packet travels more than 32 hops
  Packet TTL is continually extended
  Routing loop occurs
Resolution
  End-point switch placement
Concern
TTL special uses
  TTL recalibrated
  TTL never runs out
  traceroute fails
Resolution
  Exclude ICMP Echo Requests
Concern
Link-local routing protocols
  TTL of 1 for a RIP packet
  TTL of 255 is abnormal
  Packet is malformed
Resolution
  Exclude routing protocols
Concerns
Performance
Break something
  Poorly coded applications
  What else?
Benefits
Shields from …
  Casual attackers
  Automated assaults
  Oblique threats
Protects …
  Unmanaged
  Unpatched
  Unhardened
Defeats … canned exploits
What’s Next
More platforms
  Open-source router firmware
  Linux-based switches
Production trials
  Talk to vendors
Accurate target identification is key to a successful attack
Identification that is way too easy for an attacker to perform
Let’s change that with fingerprint prevention
I’ve proven that it can be done
Now, we just have to make it happen
Final Thoughts
Proof of Concept
SHA256 hash is e97b2c8325a0ba3459c9a3a1d67a6306 (as printed this is 32 hex digits, the length of an MD5 digest rather than a SHA-256 one; verify against the project page)
Updates can be found at http://idguard.sourceforge.net/
Links
http://www.wisegeek.com/what-is-packet-mangling.htm
http://www.openbsd.gr/faq/pf/scrub.html
http://www.linuxsecurity.com.br/info/fw/PacketManglingwithiptables.doc
http://chdir.org/~nico/scrub/
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.pdf
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.pdf
http://www.sans.org/reading_room/whitepapers/intrusion/packet-level-normalisation_1128
http://nmap.org/book/osdetect-methods.html
http://rcp100.sourceforge.net
http://wiki.hwmn.org/w/Mikrotik_RouterBoard_450G
http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-vmlinux.elf
http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-rootfs.tar.gz
https://sites.google.com/site/guenterbartsch/blog/myfirstlinuxkernelmodule
http://www.farlock.org/nslu2/openwrt-non-standard-module-compiling/
Special Thanks
Aditiya Sood
Kenny Nguyen and E-CQURITY
Kathy Gillette
Nick Pruitt