1. The art of disguise
Anti-fingerprinting techniques
Daniel García a.k.a. cr0hn - @ggdaniel - http://es.linkedin.com/in/garciagarciadaniel
2. Creative Commons License
The art of disguise - Anti-fingerprinting techniques
by Daniel García García a.k.a. cr0hn is licensed under a:
Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Permissions beyond the scope of this license may be available at: dani@iniqua.com.
3. Index
1. FreeBSD: A brief introduction.
2. How does fingerprinting work?
3. How to defeat it?
4. FreeBSD…
A brief introduction
5. 1 - FreeBSD: A brief introduction
1. How to install it?
2. How to manage the software?
3. How to install a program?
4. Main differences from GNU/Linux.
6. How to install it?
Simple… With a wizard
7. Software management
• What is the ports system?
• Why are ports a good idea?
• How do ports work?
8. Installing new software
Compiling…
9. Installing new software
From binaries…
10. Main differences with GNU/Linux
General config file
  FreeBSD: /etc/rc.conf
  GNU/Linux: multiple config files and directories
Service start
  FreeBSD: /etc/rc.d/ and /usr/local/etc/rc.d/
  GNU/Linux: /etc/init.d/
User directories
  FreeBSD: /usr/home
  GNU/Linux: /home
Kernel
  FreeBSD: config of about 200 lines; many security features included
  GNU/Linux: very complicated config file; extra features via patches
Compiling software
  FreeBSD: software can be compiled natively
  GNU/Linux: only some distributions can do it, like Gentoo
12. 2 – Fingerprinting: How does it work?
1. Why hide your systems?
2. Operating system level.
3. Service level.
4. Application level.
13. Why hide your OS and services?
1. To hide from known (and unknown!) exploits.
2. Unpatched versions of software that you need to keep running.
3. If somebody knows the OS you're running, they may also guess the applications running on it.
4. Privacy: nobody needs to know the systems you've got running.
14. Fingerprinting: Risk demo
15. Operating System level
mmm ... fish
• TTL
OpenBSD: 255
Linux/*BSD: 64
Windows: 128
AIX: 30
16. Operating System level
• Common TCP initial window size (hex):
  *BSD: FFFF
  OpenBSD: 4000
  Linux: 16A0
  Windows: 2000
  AIX: 4470/FFFF
17. Operating System level
• IP ID sequence generation algorithm.
• Invalid TCP flag combinations.
• Answer to a closed port: RST, nothing, or ICMP unreachable.
• TCP send/receive window sizes.
• Port ranges.
18. Service level
• Banners
19. Application level
• Session ID variable (PHPSESSID/JSESSIONID).
• Hidden/lost files.
• Meta headers.
• Variable and method names.
20. Application level
A practical example: Metadata.
21. Application level
A practical example: Lost files.
22. The fight…
How to defeat it?
24. Kernel parameters
Disable (if you don't need them):
• SCTP
• IPv6
25. Kernel parameters
In your /etc/sysctl.conf
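The deck's own sysctl lines were on a screenshot that did not survive the transcript. As an added example (not the author's configuration), the POSIX sh script below audits a FreeBSD-style sysctl.conf against a small set of assumed hardening values that address the OS-level signals listed on slide 17 (IP ID sequence, answer to closed ports, invalid flag combinations, TTL). The keys are real FreeBSD sysctls; the chosen values and the check itself are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): audit a FreeBSD-style /etc/sysctl.conf
# for the network-stack knobs that feed the OS-level signals of slide 17.
# The key=value list below is this example's own assumption of sensible
# values, not the list shown in the deck.

# net.inet.ip.random_id=1     randomize the IP ID field (IP ID sequence signal)
# net.inet.tcp.blackhole=2    drop SYNs to closed TCP ports instead of answering RST
# net.inet.udp.blackhole=1    drop datagrams to closed UDP ports (no ICMP unreachable)
# net.inet.tcp.drop_synfin=1  drop packets carrying the invalid SYN+FIN combination
# net.inet.ip.ttl=64          keep the stock TTL; an unusual value is itself a fingerprint
EXPECTED="net.inet.ip.random_id=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.drop_synfin=1
net.inet.ip.ttl=64"

# sysctl_get FILE KEY: print the last value assigned to KEY in FILE, or nothing.
# Comments and whitespace are stripped first, so "key = value  # note" works.
sysctl_get() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_sysctl FILE: print one line per deviation and return 1 if any was found.
#   MISSING  key (expected value)
#   MISMATCH key current=X expected=Y
audit_sysctl() {
    file="$1"
    bad=0
    for pair in $EXPECTED; do        # word-split on newlines; keys and values have no spaces
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_get "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want)"
            bad=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key current=$have expected=$want"
            bad=1
        fi
    done
    return "$bad"
}

# Usage: sh audit_sysctl.sh /etc/sysctl.conf
if [ $# -gt 0 ]; then
    audit_sysctl "$1"
fi
```

sysctl.conf only records what is applied at boot; after editing it, compare the running values too (sysctl -n KEY), since a value changed by hand on a live box and never written to the file will pass this audit and still be lost on reboot.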
26. Service level
How to defeat it?
• Changing configuration files
• Changing source code of software
27. How to make a patch
Steps to make a patch:
1. Download the source code of the app you want to patch.
2. Extract the code and make a copy of it.
3. In your copy, make the changes you need.
4. Run diff to extract the changes.
5. Save the changes into a patch-* file.
28. How to make a patch: Nginx
Steps 1 and 2:
1. Download the source code of Nginx.
2. Create a copy of the source.
29. How to make a patch: Nginx
Step 3:
• Locate the file that contains the version information:
• Change the version information:
30. How to make a patch: Nginx
Steps 4 and 5:
• Make a diff against the original file and save it into the patch.
31. FreeBSD patching method
What does FreeBSD need to apply our patch?
• Put your file into:
/usr/ports/CATEGORY/PROG/files
• Your patch must be named like:
patch-ORIGINAL_FILE_NAME
• Change the relative path in your patch:
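The shell script below is an added example, not the deck's own commands: it runs the whole workflow of slides 27 to 31 (copy, edit, diff, name the file patch-ORIGINAL_FILE_NAME, fix the relative paths) on a constructed stand-in for nginx.h inside a scratch directory, then applies the resulting patch the way the ports framework does (patch -p0 from the root of the extracted source). The header contents, the replacement strings and the work.orig/work/files directory layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides): the patch workflow of slides 27-31 run
# end to end on a constructed stand-in for nginx's version header, inside a
# scratch directory. The header contents, the version strings and the
# work.orig/ work/ files/ layout are assumptions of this example.

# make_version_patch DIR: write a sample src/core/nginx.h under DIR/work.orig,
# copy it to DIR/work, edit the banner strings in the copy, and save a unified
# diff as DIR/files/patch-nginx.h with paths relative to the source tree.
make_version_patch() {
    mkdir -p "$1"
    dir=$(cd "$1" && pwd)
    mkdir -p "$dir/work.orig/src/core" "$dir/files"

    # Step 1 stand-in: the downloaded source (only the header we care about).
    cat > "$dir/work.orig/src/core/nginx.h" <<'EOF'
#ifndef _NGINX_H_INCLUDED_
#define _NGINX_H_INCLUDED_

#define NGINX_VERSION      "1.2.0"
#define NGINX_VER          "nginx/" NGINX_VERSION

#define NGINX_VAR          "NGINX"

#endif /* _NGINX_H_INCLUDED_ */
EOF

    # Step 2: work on a copy, keep the original for the diff.
    rm -rf "$dir/work"
    cp -R "$dir/work.orig" "$dir/work"

    # Step 3: change the strings that end up in the Server: banner.
    f="$dir/work/src/core/nginx.h"
    sed -e 's/"1\.2\.0"/"0.0"/' \
        -e 's#"nginx/" NGINX_VERSION#"server"#' "$f" > "$f.new" && mv "$f.new" "$f"

    # Steps 4-5: unified diff saved as patch-ORIGINAL_FILE_NAME. The ports
    # framework runs patch with -p0 inside the extracted source, so the
    # work.orig/ and work/ prefixes are stripped from the --- / +++ lines.
    (cd "$dir" && diff -u work.orig/src/core/nginx.h work/src/core/nginx.h) |
        sed -e 's#^--- work\.orig/#--- #' -e 's#^+++ work/#+++ #' \
        > "$dir/files/patch-nginx.h"
}

# apply_version_patch DIR: rehearse the ports step on a fresh copy of the
# original tree; returns patch's exit status (0 = every hunk applied).
apply_version_patch() {
    dir=$(cd "$1" && pwd)
    rm -rf "$dir/work.check"
    cp -R "$dir/work.orig" "$dir/work.check"
    (cd "$dir/work.check" && patch -p0 < "$dir/files/patch-nginx.h" > /dev/null)
}

# Usage: sh make_patch.sh /tmp/nginx-patch && cat /tmp/nginx-patch/files/patch-nginx.h
if [ $# -gt 0 ]; then
    make_version_patch "$1" && cat "$1/files/patch-nginx.h"
fi
```

The only FreeBSD-specific part is the last step: a file under files/patch-* must apply with -p0 from the root of the extracted source, so the --- and +++ lines may not carry the names of your scratch directories. Rehearsing the apply step on a clean copy, as apply_version_patch does, catches that before the port build fails.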
32. FreeBSD patching method
And now, how do we compile our patched software…?
33. FreeBSD patching method
Even an idiot can do it!
34. Service level
Learning with examples:
• Nginx
• OpenSSH
• PureFTPd
• Apache Tomcat
35. Service level: Nginx
Where is the version information?
• In nginx.h
36. Service level: Nginx
The result: (Yes! I use a public IP for my LAN.)
37. Service level: OpenSSH
Where is the version information?
• In the Makefile:
• Or in version.h:
38. Service level: OpenSSH
The result:
39. Service level: PureFTPd
Where is the version information?
• In pure-ftpwho.c
• In altlog.c
• In ftp_parser.c
• In ftpd.c
40. Service level: PureFTPd
The result:
41. Service level: Tomcat
Where is the version information:
• /usr/local/apache-tomcat-7.0/conf/server.xml
42. Service level: Tomcat
The result:
43. Service level: nmap
What does nmap think?
44. Service level: fingerprinting database
Where can we find a database of fingerprints?
45. Application level
Learning with examples…
…Testing WordPress
46. Application level: WordPress
Hiding our WordPress information:
1. WordPress version.
2. WordPress plugin versions.
3. Session ID.
4. Custom error pages.
5. Metadata info.
6. Hash of static and common files.
47. Application level: WordPress
Step 1: WordPress version.
48. Application level: WordPress
Step 2: Plugin versions.
49. Application level: WordPress
Steps 1 and 2: Hiding versions.
50. Application level: WordPress
Step 3: Session ID var.
51. Application level: WordPress
Step 3: Hiding session ID var.
52. Application level: WordPress
Step 4: Custom error pages… of IIS
53. Application level: WordPress
Step 5: Metadata info.
54. Application level: WordPress
Step 5: Hiding metadata info.
55. Application level: WordPress
Step 6: Hash of static and common files.
• Site.com/wp-includes/css/admin-bar.css:
• Some programs have a database of hashes:
56. Application level: WordPress
Step 6: Hiding common hashes:
• Modify our static files, like the CSS:
• Check the new hash:
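As an added example (not the deck's commands), a small shell function that performs the two steps above for every CSS and JS file under a directory and is safe to re-run: WordPress core updates rewrite wp-includes/, which restores the stock hashes, so the change has to be applied again after each update. The file names, the marker comment and the digest helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the slides): the "modify static files, check the new
# hash" step of slide 56, automated so it can be re-run after every WordPress
# update (core updates overwrite wp-includes/ and undo manual edits).
# File names, the marker comment and the digest helper are this example's assumptions.

# file_digest FILE: hex digest using whichever SHA-256 tool is installed,
# falling back to POSIX cksum so the example runs anywhere.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else cksum "$1" | cut -d' ' -f1
    fi
}

# rehash_static DIR TAG: append a comment containing TAG to every .css and .js
# file below DIR, so none of them still matches the stock hash that tools such
# as Plecost or WPScan keep in their databases. Files that already carry TAG are
# skipped, which makes repeated runs harmless. Prints "old_digest new_digest path"
# for each file it touched (nothing when every file was already tagged).
rehash_static() {
    dir="$1"
    tag="$2"
    find "$dir" -type f \( -name '*.css' -o -name '*.js' \) -print |
    while IFS= read -r f; do
        if grep -qF -- "$tag" "$f"; then
            continue
        fi
        old=$(file_digest "$f")
        printf '\n/* %s */\n' "$tag" >> "$f"   # trailing comment is valid in both CSS and JS
        new=$(file_digest "$f")
        echo "$old $new $f"
    done
}

# Usage: sh rehash_static.sh /usr/local/www/wordpress site-build-0001
if [ $# -eq 2 ]; then
    rehash_static "$1" "$2"
fi
```

Use a fresh TAG per deployment rather than a fixed string; a marker that never changes would itself become a recognizable fingerprint of your site.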
57. Application level: WordPress
The result:
• Plecost (http://www.iniqua.com/labs/plecost/ )
No plugins found!!
58. Application level: WordPress
The result:
• WP-scan (http://code.google.com/p/wpscan/)
wp-scan doesn't like our filters
59. Application level: WordPress
The result:
• Nmap
60. Application level: WordPress
Final result….
We've earned a beer!
61. Questions?