stealth servers need stealth packets - derbycon 3.0


Post on 20-Aug-2015


TRANSCRIPT

  1. STEALTH SERVERS NEED STEALTH PACKETS. JAIME SANCHEZ (@SEGOFENSIVA), WWW.SEGURIDADOFENSIVA.COM
  2. STEALTH SERVERS NEED STEALTH PACKETS, DERBYCON 2013, JAIME SANCHEZ (@SEGOFENSIVA). $WHOIAM: Passionate about computer security. Computer Engineering degree and an Executive MBA. In my free time I conduct research on security and work as an independent consultant. I'm from Spain; we're sexy and you know it. Other conferences: RootedCON in Spain, Nuit Du Hack in Paris, BlackHat Arsenal USA, Defcon 21 USA. Next conferences: Hacktivity, NoConName and BlackHat Sao Paulo.
  3. FROM KERNEL SPACE TO USER HEAVEN. NUIT DU HACK 2013. OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... BLACKHAT ARSENAL USA 2013. JAIME SANCHEZ (@SEGOFENSIVA). The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
  4. A BRIEF OVERVIEW
  5. ARCHITECTURE (How I met your packet: from kernel space to user heaven). [Diagram: protection rings Ring 0 to Ring 3 around the kernel, devices outermost; Ring 0 more privileged, Ring 3 less privileged.] Computer operating systems provide different levels of access to resources. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
  6. KERNEL vs USER SPACE. KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user mode applications work, and this memory can be swapped out when necessary. Similarly, the term USERLAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
  7. WTF!?
  8. HOW I MET YOUR PACKETS: the NFQUEUE way
  9. [Diagram: Linux packet receive path from device driver to application. Device driver: incoming packet, NIC memory, DMA engine, ring buffer, interrupt, interrupt handler, poll list, softirq, pointer to device. Kernel space: packet data, IP layer (ip_rcv()), TCP process (tcp_v4_rcv()), socket backlog, TCP recv buffer. User space: application read().]
  10. [Diagram: the same receive path as slide 9 with the Netfilter hooks drawn in. Inbound packets enter PREROUTING (CONNTRACK, MANGLE); local packets go through INPUT (FILTER) to the listening sockets, forwarded packets go through FORWARD and leave as forwarded and accepted packets.] Locally destined packets must pass the INPUT chain to reach listening sockets.
  11. TARGET EXTENSIONS. A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution:
  12. QUEUE. QUEUE is an iptables and ip6tables target which queues the packet for userspace processing. For this to be useful, two further components are required: a QUEUE HANDLER, which deals with the actual mechanics of passing packets between the kernel and userspace; and a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets. The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again. Example rule: $ iptables -A INPUT -j NFQUEUE --queue-num 0
  13. SOME PRACTICAL EXAMPLES
  14. REMOTE OS FINGERPRINTING
  15. CLASSIC TECHNIQUES
  16. NMAP reports: Device Type, Network Distance, Running, TCP Sequence Prediction, OS Details, IP ID Sequence Generation, Uptime Guess. Sample output:
     - Device type: general purpose
     - Running: Microsoft Windows 7|Vista|2000
     - OS CPE: cpe:/o:microsoft_7::professional
     - OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
     - Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
     - Network Distance: 1 hop
     - TCP Sequence Prediction: Difficulty=262 (Good Luck!)
     - IP ID Sequence Generation: Incremental
     - Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
  17. RELEVANT FIELDS. [Diagram: header fields of IPv4, UDP, TCP and ICMP.]
  18. NMAP METHODS. Nmap sends 15 TCP, UDP and ICMP tests, to open and closed system ports:
     - SEQUENCE GENERATION (SEQ, OPS, WIN & T1), six TCP SYN packets to an open port:
       - WS(10), NOP, MSS(1460), TS(Tval:0xFFFFFFFF, Tsecr:0), SACK and W(1)
       - MSS(1400), WS(0), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), EOL and W(63)
       - TS(Tval:0xFFFFFFFF, Tsecr:0), NOP, NOP, WS(5), NOP, MSS(640) and W(4)
       - SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(4)
       - MSS(536), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(16)
       - MSS(265), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0) and W(512)
     - ICMP ECHO (IE):
       - IP DF bit, TOS(0), CODE=9, SEQ=295, 120 bytes of 0x00 for payload
       - TOS(4), CODE=0, 150 bytes data, ICMP request ID and SEQ are incremented
     - TCP EXPLICIT CONGESTION NOTIFICATION (ECN): ECN CWR ECE, WS(10), NOP, MSS(1460), SACK, NOP, NOP and W(3)
     - TCP T2-T7:
       - T2: no flags, IP DF and W(128) to an open port
       - T3: SYN, FIN, URG, PSH and W(256) to an open port
       - T4: ACK with IP DF and W(1024) to an open port
       - T5: SYN with W(31337) to a closed port
       - T6: ACK with IP DF and W(32768) to a closed port
       - T7: FIN, PSH, URG and W(65535) to a closed port
     - UDP: C(0x43) x 300 for the data field. IP ID value 0x1042
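As an added example (not from the talk or the author's tools), the following Python turns the probe table above into the kind of check a defender would run from the NFQUEUE userspace handler described on slide 12 or over a capture: it parses flags, window and option order from a raw TCP header and names the Nmap probe it matches. The header builder and sample option bytes are constructed here for illustration, and T2-T7 are matched on flags and window only, as the slide lists them.

```python
import struct

# Nmap OS-detection probes as the slide lists them. SEQ probes are SYNs to an open port with a
# fixed window and option order; T2-T7 are told apart by TCP flags and window alone.
SEQ_PROBES = {  # window, option kinds in order (WS=window scale, TS=timestamp, SACK=SACK-permitted)
    "SEQ1": (1, ["WS", "NOP", "MSS", "TS", "SACK"]),
    "SEQ2": (63, ["MSS", "WS", "SACK", "TS", "EOL"]),
    "SEQ3": (4, ["TS", "NOP", "NOP", "WS", "NOP", "MSS"]),
    "SEQ4": (4, ["SACK", "TS", "WS", "EOL"]),
    "SEQ5": (16, ["MSS", "SACK", "TS", "WS", "EOL"]),
    "SEQ6": (512, ["MSS", "SACK", "TS"]),
}
T_PROBES = {"T2": ("", 128), "T3": ("FSPU", 256), "T4": ("A", 1024),  # flags, window
            "T5": ("S", 31337), "T6": ("A", 32768), "T7": ("FPU", 65535)}
FLAG_BITS = (("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08), ("A", 0x10), ("U", 0x20))
KIND_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

def parse_tcp(segment: bytes):
    """Return (flags, window, option kinds) from a raw TCP header (IP header already stripped)."""
    off_flags, window = struct.unpack("!HH", segment[12:16])
    flags = "".join(ch for ch, bit in FLAG_BITS if off_flags & bit)
    kinds, i, end = [], 20, (off_flags >> 12) * 4
    while i < end:
        kind = segment[i]
        kinds.append(KIND_NAMES.get(kind, "K%d" % kind))
        if kind == 0:  # EOL terminates the option list
            break
        i += 1 if kind == 1 else segment[i + 1]  # NOP has no length byte; others carry one
    return flags, window, kinds

def classify(segment: bytes):
    """Name the Nmap probe this segment matches, or None if it matches nothing on the slide."""
    flags, window, kinds = parse_tcp(segment)
    for name, (win, want) in SEQ_PROBES.items():
        if flags == "S" and window == win and kinds == want:
            return name
    for name, (fl, win) in T_PROBES.items():
        if flags == fl and window == win:
            return name
    return None

def build_tcp(flags: str, window: int, options: bytes) -> bytes:
    """Constructed test input: a minimal TCP header; options must already be 4-byte aligned."""
    bits = sum(bit for ch, bit in FLAG_BITS if ch in flags)
    off_flags = (((20 + len(options)) // 4) << 12) | bits
    return struct.pack("!HHIIHHHH", 40000, 80, 0, 0, off_flags, window, 0, 0) + options

# Constructed raw option bytes for SEQ probe 1: WS(10), NOP, MSS(1460), TS(0xFFFFFFFF, 0), SACK.
SEQ1_OPTS = (b"\x03\x03\x0a" + b"\x01" + b"\x02\x04\x05\xb4"
             + struct.pack("!BBII", 8, 10, 0xFFFFFFFF, 0) + b"\x04\x02")
RESULT = classify(build_tcp("S", 1, SEQ1_OPTS))  # "SEQ1"
```

A hit on several of these in quick succession from one source, especially T5-T7 against a closed port, is the signature worth alerting on; a single match can be a coincidence.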
  19. NMAP INTERNAL PROBES. Most important: TCP ISN greatest common divisor (GCD); TCP IP ID sequence generation alg (TI); TCP timestamp option alg (TS); TCP Options (O, O1-O6); TCP initial Window Size (W, W1-W6); Responsiveness (R); IP don't fragment bit (DF); IP initial time-to-live guess (TG). Although there are others: TCP ISN counter rate (ISR); ICMP IP ID sequence generation alg (II); Shared IP ID sequence Boolean (SS); Don't Fragment ICMP (DFI); Explicit congestion notification (C); TCP miscellaneous quirks (Q); TCP sequence number (S); etc. F