Using system fingerprints to track attackers
Lance Cottrell
Ntrepid/Anonymizer
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.

When You Are Under Attack
You may ask: Who was that masked man?
As a Defender, You See...

IP: 37.123.118.67
Lat / Long: +54 / -2
Country: UK
Ping: 110ms
ISP: as13213.net (AKA UK2.net) server hosting
Open Ports: SSH, HTTP
Is THIS Really the Attacker?

Which is the “Real” Attacker?

It’s Turtles All the Way Down

What If You Could Spot People Hiding?
Block Web Access
Redirect to Honeypot
Add Firewall Rule
Deny Credit Card
Flag in Logs
What If You Could Identify Your Attacker?

How Do They Hide?
Proxies
VPNs
Chained VPNs / Tor
Botnets / Compromised Hosts
Tradecraft

How Can You Spot Them?

Known Anonymous IP

Anonymizer IPs are well known: Tor publishes its exit relays, and commercial VPN and proxy exit ranges are catalogued in IP reputation feeds.

Open Proxy / Ports

Obviously not a home PC: a source address that is itself listening on server ports is a server someone is relaying through, not an end user's machine.
HTTP
X11
FTP
SSH

Non-Consumer IP

Identifying non-consumer IP
Reverse DNS along the path tells you what kind of network the visible address sits on. A carrier backbone (NTT routers under bb.gin.ntt.net):
9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms

VS a residential cable line (Comcast's hsd1 naming; "!X" means the final hop answered with ICMP "communication administratively prohibited"):
13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
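The reverse-DNS and open-port clues from the last few slides can be turned into a triage routine. The Python below is an added example, not code from the slides or from Ntrepid: it parses the two traceroute excerpts above (embedded verbatim from the slide), pulls out the final hop, and scores a visible source IP on three signals: membership in a known-anonymizer list (a hypothetical, constructed list over RFC 5737 documentation prefixes stands in for a real feed), reverse-DNS labels that mark backbone routers versus residential lines (a heuristic set of labels, not a standard), and the server ports from the "not a home PC" slide.

```python
import ipaddress
import re

# Traceroute excerpts as shown on the slide: hops 9-10 sit on NTT's backbone
# (bb.gin.ntt.net), hops 13-14 end at a Comcast residential line (hsd1).
BACKBONE_TRACE = """\
9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms
"""
CONSUMER_TRACE = """\
13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
"""

# One traceroute hop: hop number, first reverse-DNS name, its IPv4 address.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Reverse-DNS labels ISPs commonly use. Heuristic, not a standard: these labels
# usually mark residential access lines ...
RESIDENTIAL_LABELS = {"hsd1", "dyn", "dynamic", "pool", "dsl", "cable", "dhcp"}
# ... and these mark carrier backbone routers, which never originate user traffic.
BACKBONE_LABELS = {"bb", "gin", "core", "backbone", "transit"}

# Ports from the "obviously not a home PC" slide; X11 listens on TCP 6000.
SERVER_PORTS = {21: "FTP", 22: "SSH", 80: "HTTP", 6000: "X11"}

# Hypothetical stand-in for a feed of known proxy / VPN / Tor exit ranges.
# RFC 5737 documentation prefixes are used so that nothing real is implicated.
KNOWN_ANON_NETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]


def last_hop(trace):
    """Return (hostname, ip) of the highest-numbered hop in a traceroute excerpt."""
    hops = [m for m in (HOP_RE.match(line) for line in trace.splitlines()) if m]
    if not hops:
        raise ValueError("no parsable hops in traceroute")
    final = max(hops, key=lambda m: int(m.group(1)))
    return final.group(2), final.group(3)


def ptr_labels(ptr):
    """Split a reverse-DNS name into lower-case labels on '.' and '-'."""
    return set(ptr.lower().replace("-", ".").split(".")) if ptr else set()


def triage(ip, ptr=None, open_ports=()):
    """Collect indicators that a visible source IP is a relay rather than an end user's PC.

    Returns a list of indicator strings; an empty list means the address looks like an
    ordinary consumer host, i.e. the IP is plausibly the attacker's own connection.
    """
    addr = ipaddress.ip_address(ip)
    indicators = []
    if any(addr in net for net in KNOWN_ANON_NETS):
        indicators.append("known-anonymizer")
    labels = ptr_labels(ptr)
    if labels & BACKBONE_LABELS:
        indicators.append("backbone-router")
    elif ptr and not labels & RESIDENTIAL_LABELS:
        # Weak signal: a PTR record without any residential marker (hosting, business, VPS).
        indicators.append("no-residential-ptr")
    names = sorted(SERVER_PORTS[p] for p in set(open_ports) if p in SERVER_PORTS)
    if names:
        indicators.append("server-ports:" + ",".join(names))
    return indicators


if __name__ == "__main__":
    for trace in (BACKBONE_TRACE, CONSUMER_TRACE):
        host, ip = last_hop(trace)
        print(ip, host, triage(ip, ptr=host) or ["looks-like-consumer"])
    # The deck's visible attacker: a UK2.net hosting box with SSH and HTTP open.
    print("37.123.118.67", triage("37.123.118.67", open_ports=(22, 80)))
```

An empty indicator list does not prove the address is the attacker's own line: a compromised home PC used as a relay looks exactly like a consumer host, which is the "turtles all the way down" point earlier in the deck. Treat the result as a prioritisation hint, not an attribution.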

Latency vs. Ping Time
HTTP / Javascript
DHCP Ping
Compare the round trip the browser actually sees (timed from HTTP / JavaScript) with the ping time to the visible IP. Ping only measures your server to the visible host; if that host is a relay, the browser round trip also includes the leg to the real client and comes out noticeably longer.

DNS Mismatch
HTTP from Chicago
DNS from Nigeria
A browser behind a proxy or misconfigured VPN often still resolves names through the user's local resolver, so the HTTP request arrives from the relay's location while the DNS lookup for the same session arrives from the user's real one.
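One way to catch the mismatch this slide describes is to make the visitor's own resolver talk to you. This is an added example, not from the slides or from Ntrepid: it assumes the defender controls the authoritative DNS for a check zone (hypothetically dnscheck.example.net) and that every served page embeds a resource under a per-session token hostname, so the browser's resolver has to query that zone. The web log, the DNS query log and the prefix-to-country table are all constructed sample data over RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Zone the defender is authoritative for (hypothetical). Each served page embeds
# something like <img src="http://k7d2q1.dnscheck.example.net/p.gif"> where k7d2q1 is
# the session token, forcing the visitor's resolver to ask our server for that name.
ZONE = "dnscheck.example.net"

# Constructed web server log: client IP and the token handed to that session.
WEB_LOG = """\
192.0.2.10 - - [12/Mar/2014:10:00:01 +0000] "GET /?t=k7d2q1 HTTP/1.1" 200 512
198.51.100.77 - - [12/Mar/2014:10:00:04 +0000] "GET /?t=p9x4m2 HTTP/1.1" 200 512
192.0.2.200 - - [12/Mar/2014:10:00:09 +0000] "GET /?t=z3c8w5 HTTP/1.1" 200 512
"""

# Constructed query log of the authoritative server (BIND-style layout).
DNS_LOG = """\
12-Mar-2014 10:00:01.418 client 192.0.2.53#41022: query: k7d2q1.dnscheck.example.net IN A +
12-Mar-2014 10:00:04.901 client 203.0.113.8#53110: query: p9x4m2.dnscheck.example.net IN A +
12-Mar-2014 10:00:05.120 client 203.0.113.8#53111: query: www.example.net IN A +
"""

# Constructed geolocation table; a real deployment would query a GeoIP / ASN database.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "NG",
}

WEB_RE = re.compile(r'^(\S+) .*?"GET /\?t=([A-Za-z0-9]+) ', re.MULTILINE)
DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ", re.MULTILINE)


def country(ip):
    """Country code for an address from the constructed table, '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def correlate(web_log, dns_log, zone=ZONE):
    """Join web hits and DNS queries on the session token. Returns {token: {http_ip, dns_ip}}."""
    sessions = {}
    for ip, token in WEB_RE.findall(web_log):
        sessions[token] = {"http_ip": ip}
    suffix = "." + zone.lower()
    for resolver, qname in DNS_RE.findall(dns_log):
        qname = qname.rstrip(".").lower()
        if not qname.endswith(suffix):
            continue  # unrelated query hitting the same server
        token = qname[: -len(suffix)]
        # Keep the first resolver seen; retries from a second resolver are common.
        sessions.setdefault(token, {}).setdefault("dns_ip", resolver)
    return sessions


def classify(sessions):
    """Label each session: consistent, mismatch:<http country>/<dns country>, or no-dns."""
    verdicts = {}
    for token, s in sessions.items():
        http_ip, dns_ip = s.get("http_ip"), s.get("dns_ip")
        if http_ip is None:
            continue  # DNS query with no page fetch: prefetcher or scanner, not a session
        if dns_ip is None:
            # Token hostname never resolved: resource blocked, script-less client, crawler.
            verdicts[token] = "no-dns"
        elif country(http_ip) != country(dns_ip):
            verdicts[token] = f"mismatch:{country(http_ip)}/{country(dns_ip)}"
        else:
            verdicts[token] = "consistent"
    return verdicts


if __name__ == "__main__":
    for token, verdict in classify(correlate(WEB_LOG, DNS_LOG)).items():
        print(token, verdict)
```

Two caveats a practitioner would add. A mismatch on its own is not proof of a relay, because many users point their machines at a public resolver far from home; comparing ASN or organisation as well as country cuts that noise. Conversely "consistent" does not prove a direct connection: an HTTP proxy, a SOCKS proxy with remote DNS, or a VPN that pushes its own resolver makes both the request and the lookup arrive from the relay's side.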

Identify the Attacker

Identity Leakage

Embedded Media
Apps bypass proxy / VPN
Phone home

Fortunately (for you), Good OPSEC is Hard
Tools can be slow and cumbersome
May go direct for “innocent” activity / reconnaissance
May forget to use it
Accidentally cross the streams of personas
Correlate attacker print with all previous activity
Cookies and Bugs

Browser Fingerprints

Fingerprint Entropy
Bits of identifying information per attribute for one browser, in the attribute set used by EFF's Panopticlick test; the more bits, the rarer that browser's value is among browsers seen:
12.3 - User Agent
5.4 - HTTP_ACCEPT Headers
21.9+ - Browser Plugin Details
5.0 - Time Zone
7.5 - Screen Size and Color Depth
21.9 - System Fonts
0.4 - Cookie Test
0.9 - Super Cookie Test
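The bit counts on this slide are surprisal values: how rare one browser's value is in the population the test has seen, so 21.9 bits means roughly one browser in four million shares it, and the entropy of an attribute is the population average of that figure. The Python below is an added example serving both the Browser Fingerprints slide and this one; it is not from the slides or from the Panopticlick project. Over a small constructed population (eight visitors with invented attribute values) it computes per-attribute entropy, the surprisal of a single observed value, and the combined fingerprint digest a tracker would store, which is what lets a defender recognise the same browser across sessions regardless of which IP it arrives from.

```python
import hashlib
import math
from collections import Counter

# Constructed population of eight visitors (invented values, not measured data). Each
# record holds attributes a fingerprinting page can read without setting any cookie.
POPULATION = [
    {"ua": "UA-1", "tz": "-360", "screen": "1920x1080x24", "fonts": "Arial,Verdana"},
    {"ua": "UA-2", "tz": "-360", "screen": "1920x1080x24", "fonts": "Arial,Verdana"},
    {"ua": "UA-3", "tz": "-360", "screen": "1920x1080x24", "fonts": "Arial,Verdana"},
    {"ua": "UA-4", "tz": "-360", "screen": "1920x1080x24", "fonts": "Arial,Verdana"},
    {"ua": "UA-5", "tz": "0",    "screen": "1366x768x24",  "fonts": "Arial,Verdana"},
    {"ua": "UA-6", "tz": "0",    "screen": "1366x768x24",  "fonts": "Arial,Verdana"},
    {"ua": "UA-7", "tz": "0",    "screen": "2560x1440x32", "fonts": "Arial,Verdana"},
    {"ua": "UA-8", "tz": "0",    "screen": "2560x1440x32", "fonts": "Arial,Verdana"},
]
ATTRS = ("ua", "tz", "screen", "fonts")


def surprisal(population, attr, value):
    """Bits of identifying information in one observed value: -log2(share of population)."""
    share = sum(1 for v in population if v[attr] == value) / len(population)
    if share == 0:
        raise ValueError(f"{value!r} never occurs in the population")
    return -math.log2(share)


def attribute_entropy(population, attr):
    """Shannon entropy of one attribute over the population (its average surprisal)."""
    counts = Counter(v[attr] for v in population)
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint_id(visitor, attrs=ATTRS):
    """Stable digest of the combined attributes: the key a tracker keeps per browser."""
    canonical = "|".join(f"{a}={visitor[a]}" for a in attrs)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def combined_surprisal(population, visitor, attrs=ATTRS):
    """Bits given by the whole fingerprint; equals log2(N) when the visitor is unique."""
    ids = Counter(fingerprint_id(v, attrs) for v in population)
    return -math.log2(ids[fingerprint_id(visitor, attrs)] / len(population))


def one_in(bits):
    """Translate bits into 'one browser in N shares this value'."""
    return round(2 ** bits)


if __name__ == "__main__":
    for attr in ATTRS:
        print(f"{attr:7s} entropy {attribute_entropy(POPULATION, attr):.2f} bits")
    me = POPULATION[6]
    print("screen surprisal", surprisal(POPULATION, "screen", me["screen"]), "bits")
    print("fingerprint", fingerprint_id(me), "=", combined_surprisal(POPULATION, me), "bits")
    print("21.9 bits is about one in", one_in(21.9))
```

Two things the numbers make concrete. First, a single high-entropy attribute such as the font list is often worth more than the IP address the attacker went to such trouble to hide. Second, the "too clean" virtual machine from a later slide shows up here as a fingerprint that is rare in the opposite direction: a default font set and an empty plugin list are themselves unusual among real users, so wiping a VM does not make its fingerprint blend in.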
Attacker Use of Virtualization

Advantages                                 | Disadvantages
-------------------------------------------|-----------------------------
Easy to Clean                              | Too Clean or Outdated Cruft
Cloned Each Time                           | Can Be Detected as VM
No Cookies or Super-Cookies                |
Detection as VM Requires Local Execution   |
Dread Pirate Roberts

Why Should YOU be Stealthy?
Lurk in IRC and Forums
Discover Plans
Learn Techniques
Hide your interest & activity

Bait Honeypots
Drop False Leads and Links

Government
Has Other More Aggressive Options
Thanks
Contact me at:
Email: lance.cottrell@ntrepidcorp.com
Commercial / Gov: http://ntrepidcorp.com
Consumer: http://anonymizer.com
Blog: http://theprivacyblog.com
Twitter: @LanceCottrell
LinkedIn: http://linkedin.com/in/LanceCottrell

Using system fingerprints to track attackers

  • 1. Using system fingerprints to track attackers Lance Cottrell Ntrepid/Anonymizer ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 1
  • 2. When You Are Under Attack You may ask: Who was that masked man? ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 2
  • 3. As a Defender, You See... IP: 37.123.118.67 Lat / Long: +54 / -2 Country: UK Ping: 110ms ISP: as13213.net (AKA UK2.net) server hosting Open Ports: SSH, HTTP ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 3
  • 4. Is THIS Really the Attacker? ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 4
  • 5. Which is the “Real” Attacker? It’s Turtles All the Way Down ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 5
  • 6. What If You Could Spot People Hiding? Block Web Access DETOUR Redirect to Honeypot NO TRESPASSING Add Firewall Rule Deny Credit Card Flag in Logs ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 6
  • 7. What If You Could Identify Your Attacker? ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 7
  • 8. How Do They Hide? Proxies VPNs Chained VPNs / TOR Botnets / Compromised Hosts Tradecraft ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 8
  • 9. How Can You Spot Them? ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 9
  • 10. Known Anonymous IP ® ©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information. 10
  • 11. Anon IPs are well known
  • 12. Open Proxy / Ports
  • 13. Obviously not a home PC: HTTP, X11, FTP, SSH
  • 14. Non-Consumer IP
  • 15. Identifying non-consumer IP (traceroute excerpts: data-center transit vs. consumer ISP)
    9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
    10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms
    VS
    13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
    14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
  • 16. Latency vs. Ping Time: HTTP / Javascript, DHCP, Ping
  • 17. DNS Mismatch: HTTP from Chicago, DNS from Nigeria
  • 18. Identify the Attacker
  • 19. Identity Leakage
    Embedded Media
    Apps bypass proxy / VPN
    Phone home
  • 20. Fortunately (for you), Good OPSEC is Hard
    Tools can be slow and cumbersome
    May go direct for “innocent” activity / reconnaissance
    May forget to use it
    Accidentally cross the streams of personas
    Correlate attacker print with all previous activity
  • 21. Cookies and Bugs
  • 22. Browser Fingerprints
  • 23. Fingerprint Entropy
    12.3 - User Agent
    5.4 - HTTP_ACCEPT Headers
    21.9+ - Browser Plugin Details
    5.0 - Time Zone
    7.5 - Screen Size and Color Depth
    21.9 - System Fonts
    0.4 - Cookie Test
    0.9 - Super Cookie Test
  • 24. Attacker Use of Virtualization
    Advantages: Easy to Clean; Cloned Each Time; No Cookies or Super-Cookies
    Disadvantages: Too Clean or Outdated Cruft; Detection as VM Requires Local Execution; Can Be Detected as VM
  • 25. Dread Pirate Roberts
  • 26. Why Should YOU be Stealthy
    Lurk in IRC and Forums
    Discover Plans
    Learn Techniques
    Hide your interest & activity
    Bait Honeypots
    Drop False Leads and Links
    Government Has Other More Aggressive Options
  • 27. Thanks. Contact me at:
    Email: lance.cottrell@ntrepidcorp.com
    Commercial / Gov: http://ntrepidcorp.com
    Consumer: http://anonymizer.com
    Blog: http://theprivacyblog.com
    Twitter: @LanceCottrell
    LinkedIn: http://linkedin.com/in/LanceCottrell
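Slides 20, 22 and 23 together describe the defender's move: a browser fingerprint survives a change of exit address, and its per-attribute surprisal says how much it is worth. The Python below is an added example, not material from the presentation; it links sessions that arrive from different addresses by their print and scores each print with the same -log2(p) measure behind the slide-23 entropy figures. The session records, field names and sample values are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict
FIELDS = ("user_agent", "plugins", "time_zone", "screen", "fonts")

def rec(ip, ua, plugins, tz, screen, fonts):
    return {"ip": ip, "user_agent": ua, "plugins": plugins,
            "time_zone": tz, "screen": screen, "fonts": fonts}

# Constructed visitor log. Rows 0, 2 and 5 are one stable browser build seen
# behind three different exit addresses; the other rows are unrelated visitors.
SESSIONS = [
    rec("198.51.100.10", "Firefox/31.0 (Windows NT 6.1)", "Flash 14.0;Java 7u65", "-300", "1366x768x24", "Arial;Calibri;Wingdings"),
    rec("192.0.2.44", "Chrome/36.0 (Windows NT 6.3)", "Flash 14.0;PDF Viewer", "-300", "1920x1080x24", "Arial;Segoe UI"),
    rec("192.0.2.77", "Firefox/31.0 (Windows NT 6.1)", "Flash 14.0;Java 7u65", "-300", "1366x768x24", "Arial;Calibri;Wingdings"),
    rec("203.0.113.9", "Safari/7.0 (Macintosh)", "QuickTime 7.7", "60", "1440x900x24", "Helvetica;Lucida Grande"),
    rec("203.0.113.120", "Firefox/24.0 (X11; Linux)", "", "0", "1024x768x24", "DejaVu Sans"),
    rec("203.0.113.5", "Firefox/31.0 (Windows NT 6.1)", "Flash 14.0;Java 7u65", "-300", "1366x768x24", "Arial;Calibri;Wingdings"),
]

def fingerprint(session):
    """Hash of the stable browser attributes; the source IP is deliberately
    left out, because the point is to see past the relay address."""
    material = "|".join(session[f] for f in FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def surprisal_bits(sessions, field):
    """Identifying information carried by each observed value of `field` in
    this population, in bits: -log2(P(value))."""
    counts = Counter(s[field] for s in sessions)
    return {v: -math.log2(c / len(sessions)) for v, c in counts.items()}

def fingerprint_bits(sessions, session):
    """Upper bound on how distinctive a whole print is: the sum of the
    per-field surprisals, which assumes the fields are independent."""
    return sum(surprisal_bits(sessions, f)[session[f]] for f in FIELDS)

def link_sessions(sessions):
    """Fingerprint -> sorted distinct source IPs, keeping only prints seen
    from more than one address (a persona crossing relays, or a shared
    stock build; the bit score helps tell those two apart)."""
    by_print = defaultdict(set)
    for s in sessions:
        by_print[fingerprint(s)].add(s["ip"])
    return {fp: sorted(ips) for fp, ips in by_print.items() if len(ips) > 1}

if __name__ == "__main__":
    print(link_sessions(SESSIONS))
    print(f"{fingerprint_bits(SESSIONS, SESSIONS[0]):.2f} bits for the linked print")
```

A print that scores only a few bits in your own population (a common stock build) should not be treated as an identity on its own; the slide-23 figures are what a distinctive print looks like.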

Editor's notes

  1. Because most attackers are smart enough not to use their own home IP address.
  2. When you look at any attacker activity, you can see the immediate source.
  3. That source is likely a relay or an innocent compromised bystander.
  4. You identify the visible attacker, then track who connected there, then who connected there, and who …
  5. Imagine what you could do if you knew with certainty which of your visitors was doing so anonymously.
  6. Even better, what if you could actually identify them?
  7. There are a number of tools attackers use to hide their identity.
  8. The question is, how can you identify and recognize the people using these tools?
  9. Overtly anonymous activity: addresses of public privacy services are easily discovered.
  10. If the machine visiting you has server characteristics, or proxy or VPN ports, it is almost certainly a relay.
  11. Easy to see that an IP address is from a data center rather than a consumer ISP: likely a relay. Bulletproof hosting providers are even more likely to be dubious.
  12. The speed of light and causality are unavoidable; using relays will have measurable impacts. A VM running on the relay is harder to detect.
  13. A DNS mismatch indicates effort to hide. Use wildcard DNS and unique dynamic hostnames to detect this.
  14. Now let's move from recognizing that someone is being anonymous to trying to identify who they actually are.
  15. Often only the browser is hidden. Side doors may exit more directly: Flash, ActiveX, media players, apps.
  16. Human error is your best friend. Few if any have the needed discipline.
  17. Conventional cookies / super cookies / Flash cookies, yours and others'. Browser history cookies. Third-party trackers and identifiers. Look for teleportation. Good for forensics.
  18. Known fingerprint from other activity: hard to change. Odd, unusual or impossible fingerprints suggest fakes.
  19. Attacker use of a VM can be very effective; there are still some telltale indicators.
  20. Ross Ulbricht: forged IDs were sent to his house; the account “altoid” was linked to his Silk Road blog in some posts and to his real-name email in others; he used characteristic language and rant topics.
  21. Taking the next step, you may want to go on the “offensive”, which will require you to use anonymity yourself.
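Note 13 (and slide 17) describes the check but not its mechanics: serve each visitor a resource under a unique hostname in a wildcard zone you control, then join your authoritative DNS log against your HTTP log on that hostname. The visitor's real machine, not the relay, usually performs the lookup, so the two sides come from different places. The Python below is an added example, not code from the presentation; the zone probe.example.com, both log formats, the geolocation table and all addresses are constructed assumptions.

```python
import re
import secrets
ZONE = "probe.example.com"  # hypothetical wildcard zone the defender controls

def new_probe_hostname():
    """Mint the one-time hostname embedded in the page served to one visitor."""
    return f"{secrets.token_hex(6)}.{ZONE}"

# Constructed geolocation table (prefix -> ISO country); real use needs a GeoIP db.
GEO = {"197.210.": "NG", "69.172.": "US", "73.10.": "US", "8.8.8.8": "US"}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}  # their location says nothing about the user
def geolocate(ip):
    return next((cc for pfx, cc in GEO.items() if ip.startswith(pfx)), "??")

# Constructed authoritative DNS query log and web-server access log.
DNS_LOG = """\
2014-08-01T10:00:01Z query 9f1c2b7e4a8d.probe.example.com from 197.210.64.3
2014-08-01T10:00:02Z query 5d0e77aa1c93.probe.example.com from 73.10.20.30
2014-08-01T10:00:03Z query c0ffee0badd1.probe.example.com from 8.8.8.8
"""
HTTP_LOG = """\
69.172.10.5 GET 9f1c2b7e4a8d.probe.example.com /pixel.gif 200
73.10.20.30 GET 5d0e77aa1c93.probe.example.com /pixel.gif 200
69.172.10.9 GET c0ffee0badd1.probe.example.com /pixel.gif 200
73.10.1.1 GET deadbeef0000.probe.example.com /pixel.gif 200
"""
DNS_RE = re.compile(r"query (\w+)\." + re.escape(ZONE) + r" from (\S+)")
HTTP_RE = re.compile(r"^(\S+) GET (\w+)\." + re.escape(ZONE) + r" ")

def parse_dns_log(text):  # token -> IP of the resolver that asked our server
    return {m.group(1): m.group(2) for m in map(DNS_RE.search, text.splitlines()) if m}

def parse_http_log(text):  # token -> client IP that fetched the resource
    return {m.group(2): m.group(1) for m in map(HTTP_RE.match, text.splitlines()) if m}

def dns_mismatches(dns_text, http_text):
    """Join both logs on the token and compare where each side came from."""
    resolvers, clients = parse_dns_log(dns_text), parse_http_log(http_text)
    findings = []
    for token, client_ip in clients.items():
        resolver_ip = resolvers.get(token)
        if resolver_ip is None:
            verdict = "no-dns"        # fetched without a lookup: cached or scripted
        elif resolver_ip in PUBLIC_RESOLVERS:
            verdict = "inconclusive"  # a shared public resolver hides the real origin
        else:
            here, there = geolocate(client_ip), geolocate(resolver_ip)
            verdict = "inconclusive" if "??" in (here, there) else ("mismatch" if here != there else "consistent")
        findings.append((token, client_ip, resolver_ip, verdict))
    return findings
```

Public resolvers and unknown prefixes are reported as inconclusive rather than consistent, so a quiet result still means "no evidence", not "not a relay".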