PRADS presentation (English) @ University of Oslo by Ebf0 and kwy
1. PRADS
PASSIVE REAL-TIME ASSET DETECTION SYSTEM
Edward Fjellskål & Kacper Wysocki
PRODUCTS • CONSULTING • APPLICATION MANAGEMENT • IT OPERATIONS • SUPPORT • TRAINING
2. Who are we?
Edward Fjellskål | Kacper Wysocki
Redpill Linpro (4 years) | Redpill Linpro (1 year)
First computer in 1983 | Born 31337
Siv.Ing IKT | B.A. Comp. Sci
Linux and security since 98 | Norman Anti-Virus
Network Security Monitoring |
Forensics | Kernelpatching '01
Pen testing | Packet sniffing
3. What is PRADS?
Detection via:
Hosts - ARP and IP
Services - UDP and TCP
OS - IP(TCP/UDP/ICMP)
MAC - ARP
4. Why PRADS
Existing open source tools do similar things, but
Want to combine the data to do a fast assessment
Designed for big networks and high bandwidth
Automatically create host attribute table for Snort
Exciting and educational
5. Ways to use PRADS
Overview over
Machines (IP)
Operating Systems and patch levels
(Windows/Linux/Solaris/Mac/*BSD...)
Services (Apache, IIS, MySQL, MSSQL, SMTP XXXX...)
Clients (Firefox, Thunderbird, Skype, IE(5,6,7,8)...)
6. Ways to use PRADS
... so one can:
Automate monitoring of a network in constant change.
Improve protection of your network with IDS/IPS.
Policy & Compliance
Know your assets at any given time.
7. TCP fingerprinting?
TCP used for (almost) everything.
Nothing new here (nmap, p0f, SinFP, netfilter!, pf)
Nmap is active. (p0f can too!)
Active scanning is not always acceptable.
P0f – a proof of concept
Fingerprint fuzzing
8. TCP Fingerprinting in depth
Transmission Control Protocol: Crash course
TCP is reliable communication of data streams.
9. TCP Fingerprinting in depth
A typical TCP connection: 3-way handshake
1) Client sends SYN
"Hello, I want to talk to you"
2) Server sends SYN+ACK
"Hi, ok I'm listening"
3) Client sends ACK
Communication is established.
Interesting fields already in first packet!
10. TCP Fingerprinting in depth
Signatures: known patterns
Guess the OS on the basis of packet fields
WindowSize : TTL : DontFrag : SYNsize : Options : Quirks
Fingerprints: describe packets
– Fingerprints match one or more signatures
sig and fp are concise, not readable :-)
11. TCP Fingerprinting in depth
Interesting fields in 1st packet
Window Size
Reserved field
TCP Flags
TCP Options
Data?
12. TCP Fingerprinting in depth
Signatures: known patterns
WindowSize : TTL : DontFrag : SYNsize : Options : Quirks
S4:64:1:60:M*,S,T,N,W8:.:Linux:2.6
S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+
65535:64:1:48:M1460,S:.:FreeBSD:7.0
Fingerprints: describe packets
[5672:64:0:60:M1430,S,T,N,W6:A] (Google bot)
Fingerprints match one or more signatures
sig and fp are concise, not readable :-)
13. TCP Fingerprinting in depth
14. TCP Fingerprinting in depth
TCP Options:
WindowSize : TTL : DontFrag : SYNsize : Options : Quirks
S4:64:1:60:M*,S,T,N,W8:.:Linux:2.6
MSS, SACK, TIMESTAMP, NOOP, WINDOWSCALE, EOL, ++
Read the RFCs
Quirks – weird things some OSes do
Z: no ID, I: IP opts, U: URG flag, X: reserved,
A: ACK flag, F: other flags, D: data in SYN packet,
T: extra timestamp, P: options after EOL
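The signature and fingerprint lines on slides 12 and 14 can be matched mechanically. The following is an added example, not PRADS code: a small Python matcher that parses the three slide signatures in p0f v2 form, parses a `[wsize:ttl:df:size:options:quirks]` fingerprint, and applies simplified p0f-style rules. The matching rules are assumptions of this example: `S<n>`/`T<n>` window specs mean a multiple of MSS / MTU (MTU taken as MSS + 40), the signature TTL is the initial TTL and the observed TTL may be up to 32 hops lower, options must appear in the same order with `*` accepting any MSS or window-scale value, and quirks must match exactly. The sample fingerprints are constructed, except the Google bot line, which is the one on slide 12.

```python
"""Toy p0f-style TCP SYN signature matcher (added example, not PRADS code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three signatures shown on the slides, in p0f v2 form:
# WindowSize:TTL:DontFrag:SYNsize:Options:Quirks:OS:Details
SIGNATURE_LINES = [
    "S4:64:1:60:M*,S,T,N,W8:.:Linux:2.6",
    "S12:128:1:48:M*,N,N,S:.:Windows:XP SP1+",
    "65535:64:1:48:M1460,S:.:FreeBSD:7.0",
]

Option = Tuple[str, Optional[str]]  # (letter, value), e.g. ('M', '1460') or ('S', None)

@dataclass
class Signature:
    wsize: str            # number, '*', 'S<n>' (n * MSS) or 'T<n>' (n * MTU)
    ttl: int              # initial TTL of the OS
    df: int
    size: int             # total SYN packet size
    options: List[Option]
    quirks: str           # '' when the signature says '.'
    label: str

@dataclass
class Fingerprint:
    wsize: int
    ttl: int              # TTL as observed on the wire
    df: int
    size: int
    options: List[Option]
    quirks: str
    mss: Optional[int]

def parse_options(spec: str) -> List[Option]:
    """'M*,S,T,N,W8' -> [('M','*'), ('S',None), ('T',None), ('N',None), ('W','8')]"""
    return [(tok[0], tok[1:] or None) for tok in spec.split(",") if tok]

def parse_signature(line: str) -> Signature:
    wsize, ttl, df, size, opts, quirks, os_name, detail = line.split(":", 7)
    return Signature(wsize, int(ttl), int(df), int(size), parse_options(opts),
                     "" if quirks == "." else quirks, f"{os_name}:{detail}")

def parse_fingerprint(text: str) -> Fingerprint:
    """Parse '[wsize:ttl:df:size:options:quirks]' as printed on the slide."""
    wsize, ttl, df, size, opts, quirks = text.strip("[]").split(":", 5)
    options = parse_options(opts)
    mss = next((int(v) for letter, v in options if letter == "M" and v), None)
    return Fingerprint(int(wsize), int(ttl), int(df), int(size), options,
                       "" if quirks == "." else quirks, mss)

def window_matches(spec: str, fp: Fingerprint) -> bool:
    if spec == "*":
        return True
    if spec[0] == "S":    # window is a multiple of MSS (assumed p0f-style rule)
        return fp.mss is not None and fp.wsize == int(spec[1:]) * fp.mss
    if spec[0] == "T":    # multiple of MTU, taken as MSS + 40 bytes of IP/TCP headers
        return fp.mss is not None and fp.wsize == int(spec[1:]) * (fp.mss + 40)
    return fp.wsize == int(spec)

def ttl_matches(initial: int, observed: int) -> bool:
    # Each router hop decrements TTL by one; assume the sender is within 32 hops.
    return initial - 32 < observed <= initial

def options_match(sig: List[Option], seen: List[Option]) -> bool:
    # Same count and order of options; '*' accepts any MSS or window-scale value.
    if len(sig) != len(seen):
        return False
    return all(sl == fl and (sv is None or sv == "*" or sv == fv)
               for (sl, sv), (fl, fv) in zip(sig, seen))

def match(fp: Fingerprint, sigs: List[Signature]) -> List[str]:
    return [s.label for s in sigs
            if window_matches(s.wsize, fp) and ttl_matches(s.ttl, fp.ttl)
            and s.df == fp.df and s.size == fp.size
            and options_match(s.options, fp.options) and s.quirks == fp.quirks]

SIGNATURES = [parse_signature(line) for line in SIGNATURE_LINES]

def identify(fp_text: str) -> List[str]:
    """Return the labels of every signature the fingerprint matches."""
    return match(parse_fingerprint(fp_text), SIGNATURES)

if __name__ == "__main__":
    # Constructed SYN fingerprints; the last one is the Google bot line from the slide.
    for fp in ["[5840:64:1:60:M1460,S,T,N,W8:.]",
               "[17520:120:1:48:M1460,N,N,S:.]",
               "[65535:64:1:48:M1460,S:.]",
               "[5672:64:0:60:M1430,S,T,N,W6:A]"]:
        print(fp, "->", identify(fp) or ["no match"])
```

The Google bot fingerprint matches none of the three signatures (DF is 0, the window scale is 6, and it carries the `A` quirk), which is exactly why it was shown next to them as an example of a fingerprint rather than a known signature.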
15. UDP/ICMP fingerprinting
Not 100% reliable, only used as an indication
Easy to implement compared to IP/TCP fingerprinting
Good alternative when TCP can't be used for some reason
16.
17. ARP Fingerprinting/Detection
Catch ARP Request/Reply
Register MAC and IP
Look up MAC vendor
who made the NIC?
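The three bullets above, as an added example that is not PRADS code: a Python decoder for IPv4-over-Ethernet ARP frames that registers each sender MAC/IP pair in an asset table, looks the MAC prefix up in a vendor table, and flags an IP claimed by more than one MAC. The frames are constructed in the block itself (`build_arp` exists only to make the demo self-contained), and the two-entry `OUI_VENDORS` table is a hand-entered excerpt; a real tool would load the IEEE OUI registry.

```python
"""Passive ARP asset registration (added example, not PRADS code)."""
import struct
from typing import Dict, Optional, Set

ETHERTYPE_ARP = 0x0806

# Tiny hand-entered OUI excerpt for the demo; a real tool loads the IEEE OUI registry.
OUI_VENDORS = {
    "00:50:56": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)",
}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": {1: "request", 2: "reply"}.get(oper, f"op{oper}"),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }

def build_arp(oper: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Build a frame for the demo only (requests go to the broadcast address)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    dst = b"\xff" * 6 if oper == 1 else tmac
    return (dst + smac + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + smac + sip + tmac + tip)

class AssetTable:
    """Sender MAC/IP pairs seen in ARP traffic, keyed by IP."""

    def __init__(self) -> None:
        self.macs_by_ip: Dict[str, Set[str]] = {}

    @staticmethod
    def vendor(mac: str) -> str:
        """Who made the NIC? Look up the 24-bit OUI prefix."""
        return OUI_VENDORS.get(mac[:8].lower(), "unknown vendor")

    def observe(self, frame: bytes) -> Optional[dict]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        # Only the sender fields carry information; the target MAC of a request is zeros.
        self.macs_by_ip.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
        return arp

    def conflicts(self) -> Dict[str, list]:
        """IPs claimed by more than one MAC: worth an alarm (misconfiguration or ARP spoofing)."""
        return {ip: sorted(m) for ip, m in self.macs_by_ip.items() if len(m) > 1}

# Constructed frames: a host asks for the gateway, the gateway answers, then a
# second MAC also answers for the gateway's address.
SAMPLE_FRAMES = [
    build_arp(1, "00:50:56:aa:bb:cc", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(2, "08:00:27:11:22:33", "10.0.0.1", "00:50:56:aa:bb:cc", "10.0.0.5"),
    build_arp(2, "00:50:56:de:ad:01", "10.0.0.1", "00:50:56:aa:bb:cc", "10.0.0.5"),
]

def run_sample() -> AssetTable:
    table = AssetTable()
    for frame in SAMPLE_FRAMES:
        table.observe(frame)
    return table

if __name__ == "__main__":
    table = run_sample()
    for ip, macs in sorted(table.macs_by_ip.items()):
        print(ip, [(m, AssetTable.vendor(m)) for m in sorted(macs)])
    print("conflicts:", table.conflicts())
```

Keeping the table keyed by IP rather than by MAC is what makes the conflict check a one-liner; a second table keyed by MAC would catch the reverse case, one NIC answering for several addresses, which is normal for routers and proxies and should therefore not be alarmed on by itself.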
18. Detection: Clients and Services
Look for signatures in traffic flow
Expensive to look at each byte of each packet
Signature is usually at the start of the connection (think magic numbers)
Signatures can be manipulated.
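The slide's three points (look at the start of the flow, not every byte; magic numbers; signatures can be manipulated) in one added Python example that is not PRADS code. Each direction of a flow is classified once, on the first `INSPECT_BYTES` of its first payload, against a constructed set of banner regexes for SSH, SMTP and HTTP; the flow tuples and payloads are constructed sample data. The last sample shows the manipulation point: an Apache server configured with `ServerTokens Prod` only reveals "Apache", so the signature still fires but the version detail is gone.

```python
"""Banner-based client/service detection on the first bytes of a flow
(added example, not PRADS code)."""
import re
from typing import Dict, List, Optional, Tuple

INSPECT_BYTES = 256   # only the start of the first payload per direction is examined

# (label, regex whose group 1 is the detail to record). Constructed for the demo.
SERVER_SIGS = [
    ("ssh-server", re.compile(rb"^SSH-([\d.]+-[^\r\n]+)")),
    ("smtp-server", re.compile(rb"^220[ -](\S+)")),
    ("http-server", re.compile(rb"^HTTP/1\.[01] \d{3}[^\r\n]*\r\n.*?^Server: ([^\r\n]+)",
                               re.S | re.M)),
]
CLIENT_SIGS = [
    ("ssh-client", re.compile(rb"^SSH-([\d.]+-[^\r\n]+)")),
    ("http-client", re.compile(rb"^(?:GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n.*?^User-Agent: ([^\r\n]+)",
                               re.S | re.M)),
]

Result = Optional[Tuple[str, str]]

def classify(payload: bytes, direction: str) -> Result:
    """Match the first INSPECT_BYTES of a payload against the signatures for its direction."""
    head = payload[:INSPECT_BYTES]
    for label, sig in (SERVER_SIGS if direction == "server" else CLIENT_SIGS):
        m = sig.match(head)
        if m:
            return label, m.group(1).decode("ascii", "replace")
    return None

class FlowClassifier:
    """Classify each direction of a flow once, on its first payload, then stop looking."""

    def __init__(self) -> None:
        self.seen: Dict[Tuple[tuple, str], Result] = {}

    def feed(self, flow: tuple, direction: str, payload: bytes) -> Result:
        key = (flow, direction)
        if key in self.seen:          # later segments are never inspected: cheap on big links
            return None
        self.seen[key] = classify(payload, direction)
        return self.seen[key]

# Constructed sample traffic: (flow 4-tuple, direction, first bytes of payload).
FLOW = ("10.0.0.5", 51234, "10.0.0.80", 80)
SAMPLES = [
    (FLOW, "client", b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\r\n\r\n"),
    (FLOW, "server", b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                     b"Server: Apache/2.4.41 (Ubuntu)\r\n\r\n<html>"),
    (FLOW, "server", b"<html>...second segment, not inspected..."),
    (("10.0.0.5", 51235, "10.0.0.22", 22), "server", b"SSH-2.0-OpenSSH_7.4\r\n"),
    (("10.0.0.5", 51236, "10.0.0.25", 25), "server", b"220 mail.example.com ESMTP Postfix\r\n"),
    # Apache with "ServerTokens Prod": the signature still fires, the version is hidden.
    (("10.0.0.5", 51237, "10.0.0.81", 80), "server", b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"),
]

def run_sample() -> List[Tuple[tuple, str, Result]]:
    fc = FlowClassifier()
    return [(flow, d, fc.feed(flow, d, p)) for flow, d, p in SAMPLES]

if __name__ == "__main__":
    for flow, direction, result in run_sample():
        print(flow, direction, "->", result)
```

Because only the first segment per direction is looked at, a service that delays or omits its banner, or a client that sends a non-standard first request, produces no entry rather than a wrong one; that is the trade-off the slide describes when it says signatures can be manipulated.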
20. PRADS – future work
More detection methods
– (DNS / DHCP / SNMP / retransmission timings / phase plane analysis ...)
even better optimizations (OpenCL, SIMD etc)
GUI / network mapping
Policy & Compliance
Alarms
CVE
OSSIM integration
21. Thank you for your time
edward@redpill-linpro.com
kwy@redpill-linpro.com
http://gamelinux.github.com/prads/
Questions? Yes please!