Presentation is loading. Please wait.

Presentation is loading. Please wait.

This document is licensed under a Creative Commons Attribution 3.0 License SSTIC - 5 juin 2009 IpMorph is an Open Source project owned, developed and supported.

Published byLauren Garza Modified over 10 years ago

Similar presentations

Presentation on theme: "This document is licensed under a Creative Commons Attribution 3.0 License SSTIC - 5 juin 2009 IpMorph is an Open Source project owned, developed and supported."— Presentation transcript:

1 This document is licensed under a Creative Commons Attribution 3.0 License SSTIC - 5 juin 2009 IpMorph is an Open Source project owned, developed and supported by DIATEAM 1 IpMorph : « unification de la mystification de la prise d'empreinte » Guillaume PRIGENT DIATEAM - Brest

2 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Contexte 2009/06/05 guillaume.prigent@diateam.net - DIATEAM2 Théorème : « Vivons heureux, vivons cachés » Corolaire : « Si une machine peut falsifier son identité et lusurper, celle ci minimise lattrait de lattaquant et perturbe la pertinence des attaques ciblées à sa nature apparente.»

3 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Etymologie 2009/06/05 guillaume.prigent@diateam.net - DIATEAM3 – IpMorph Du greek ancien μορφή - θημωνιά, morphéstakis, « forme de pile ».μορφή - θημωνιάformede pile – Suffixe -morph /mɔʁf//mɔʁf/ 1.En relation avec la forme dune pile IP, qui a la forme dune pile IP. – Apparentés étymologiques 1.FingerprintFucker 2.OS fingerprint frustrating 3.Packet scrubbing

4 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Typologie de la prise dempreinte 2009/06/05 guillaume.prigent@diateam.net - DIATEAM4 Techniques de détection Actives Passives Binaires thc-rut Xprobe2 Nmap Ring2 SinFP p0f SinFP Ettercap « Time-out » Ecoutes réseau Entêtes TCP Réponses ICMP Profils ISN Bannières Collectes Empreintes de pile

5 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Principes de détection 2009/06/05 guillaume.prigent@diateam.net - DIATEAM5 NETWORK REPONSES STIMULI A A B SYN A = B = SYN+ ACK Détection active dempreinte de pile Détection passive dempreinte de pile Nmap, SinFP, … p0f, SinFP, … NETWORK A =

6 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Cas dutilisation dIpMorph 2009/06/05 guillaume.prigent@diateam.net - DIATEAM6 A = B = A = B = A = B = A = B = A = SYNSYN+ACK SYNSYN+ACK SYNSYN+ACK SYNSYN+ACK OSFP Actif + Machine réelle OSFP Passif + Machine réelle OSFP Actif + Machines « virtuelles » OSFP Passif + Machines « virtuelles » A B A AB A

7 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Etat de l'art de la mystification [7] 2009/06/05 guillaume.prigent@diateam.net - DIATEAM7 Filtrage – Stealth patch : Unmaintained as of 2002, GNU/Linux kernel 2.2-2.4 [14] – Blackhole : FreeBSD, kernel options [16] – IPlog : Unmaintaned as of 2001, *BSD [17] – Packet filter : OpenBSD [18] Configuration et modification de pile TCP/IP ("host based") – Ip Personality [19] – Fingerprint Fucker [12][13] – Fingerprint scrubber [1] – OSfuscate [8] Substitution de pile TCP/IP ("proxy behaviour") – Honeyd [9] – Packet purgatory / Morph [10]

8 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Socle logiciel 2009/06/05 guillaume.prigent@diateam.net - DIATEAM8 Langage C++ Application « UserLand » Utilisation du « framework » Qt4 Eléments constituants : – IpMorph (Core) – IpMorph Controller – IpMorph Personality Manager – IpView (IpMorph GUI) Portabilité : – GNU/Linux – *BSD, Mac OS License GPLv3

9 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Interface layer Eth. Write Architecture générale 2009/06/05 guillaume.prigent@diateam.net - DIATEAM9 Eth. Write TCP Filter & Processor TCP Filter & Processor Context queueExposed IP stackProtected IP stack TCP UDP ICMP IP ETH TCP UDP ICMP IP ETH UDP Filter UDP Filter ICMP Filter IP Filter Eth. Read (R)ARP TCP Filter & Processor TCP Filter & Processor UDP Filter UDP Filter ICMP Filter IP Filter (R)ARP Eth. Read eth tap fd eth tap fd Frag. & Reass. Scheduler UDP context tracker & data processor (plugins) ICMP context tracker & data processor (plugins) IP context tracker & data processor (plugins) (R)ARP translation processor TCP context tracker & data processor (plugins)

10 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Nmap : Format dune signature 2009/06/05 guillaume.prigent@diateam.net - DIATEAM10 Fingerprint FreeBSD 7.0-CURRENT Class FreeBSD | FreeBSD | 7.X | general purpose SEQ(SP=101-10D%GCD=<7%ISR=108-112%TI=RD%II=RI%TS=20|21|22) OPS(O1=M5B4NW8NNT11%O2=M578NW8NNT11%O3=M280NW8NNT11%O4=M5B4NW8NNT11%O5=M218NW8NNT11%O6=M109NNT11) WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF) ECN(R=Y%DF=Y%T=40%TG=40%W=FFFF%O=M5B4NW8%CC=N%Q=) T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=) T2(R=N) T3(R=Y%DF=Y%T=40%TG=40%W=FFFF%S=O%A=S+%F=AS%O=M109NW8NNT11%RD=0%Q=) T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) U1(DF=N%T=40%TG=40%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) IE(DFI=S%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S) … SP : TCP ISN Predictability GCD : TCP ISN Greatest Common Divisor ISR : TCP ISN counter Rate TI : TCP IP ID sequence generation algorithm II : ICMP IP ID sequence generation algorithm TS : TCP timestamp option algorithm SS : Shared IP ID sequence Boolean W1-W6 : TCP initial win size O1-06: TCP Options (ordering & values) DF: IP dont fragment bit T: IP initial time-to-live TG: IP initial time-to-live guess W: TCP initial win size S: TCP seq. number A: TCP ack. number F: TCP Flags RD: TCP RST data checksum Q: TCP misc. quirks TOS: IP type of service IPL: IP total length UN: Unused port unreach. field nonzero RID: Returned probe IP ID value RIPCK: Returned probe IP checksum value RUCK: Returned probe UDP checksum RUL: Returned probe UDP length RIPL: Returned probe IP total length value

11 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» SinFP : Base des signatures (sqlite) 2009/06/05 guillaume.prigent@diateam.net - DIATEAM11

12 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» SinFP : Format dune signature 2009/06/05 guillaume.prigent@diateam.net - DIATEAM12 104,1,IPv4,Windows,Microsoft,Windows,Vista,Vista, B11113,B…13,B….., F0x12:F0x12:F0x12, M1460,M1[34]..,M\d+, O0204ffff,O0204ffff,O0204ffff, W8192,W8[012]..,W\d+, B11113,B…12,B….., F0x12,F0x12,F0x12, M1460,M1[34]..,M\d+, O0204ffff010303080402080affffffff44454144,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?, W8192,W8[012]..,W\d+, B11121,B…21,B….., F0x04,F0x04,F0x012, M0,M0,M0, O0,O0,O0 W0,W0,W0 104,1,IPv4,Windows,Microsoft,Windows,Vista,Vista, B11113,B…13,B….., F0x12:F0x12:F0x12, M1460,M1[34]..,M\d+, O0204ffff,O0204ffff,O0204ffff, W8192,W8[012]..,W\d+, B11113,B…12,B….., F0x12,F0x12,F0x12, M1460,M1[34]..,M\d+, O0204ffff010303080402080affffffff44454144,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?, W8192,W8[012]..,W\d+, B11121,B…21,B….., F0x04,F0x04,F0x012, M0,M0,M0, O0,O0,O0 W0,W0,W0 idSignature ipVersion systemClass vendor os osVersion osVersionFamily trusted Test P1 Test P1 Test P2 Test P2 Test P3 Test P3 Binary : heuristic0, heuristic1, heuristic2 TcpFlags : heuristic0, heuristic1, heuristic2 TcpMss : heuristic0, heuristic1, heuristic2 TcpOptions : heuristic0, heuristic1, heuristic2 TcpWindow : heuristic0, heuristic1, heuristic2

13 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» p0f : Format dune signature 2009/06/05 guillaume.prigent@diateam.net - DIATEAM13 8192:128:1:52:M*,W8,N,N,N,S:.:Windows:Vista (beta) TCP Window Size TCP Initial TTL IP Dont Fragment Bit TCP SYN Packet Size TCP Options Quirks OS System Class OS Name Version 2.0.8 (2006) 6 paramètres danalyse Uniquement sur un SYN (par défaut = p0f.fp) Autres fichiers de signatures pour autres modes (expérimentaux)

14 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Ring2 - Mystification de la congestion 2009/06/05 guillaume.prigent@diateam.net - DIATEAM14

15 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» 2009/06/05 guillaume.prigent@diateam.net - DIATEAM15 192.168.10.110192.168.10.73IpMorph

16 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Personality Manager 2009/06/05 guillaume.prigent@diateam.net - DIATEAM16

17 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» Perspectives 2009/06/05 guillaume.prigent@diateam.net - DIATEAM17 Juin 2009 – SSTIC 2009 – Présentation « officielle » – « Beta release » 0.1 (en « download » par courriel) Fin 2009 – Début 2010 – « Refactoring » (Qt4 ?, uIp !, tests en production …) – PersonalityManager, Intégration filtrage, … – Version 0.2 en « download » Internet – Documentation, « UserGuide », … – Intégration de quelques « scrubbers » applicatifs (DNS, SMB, DHCP, …) ?

18 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph is an Open Source project owned, developed and supported by DIATEAM v0.1 IpMorph : « unification de la mystification de prise d'empreinte» 1 - Interface tap0 Démonstration 2009/06/05 guillaume.prigent@diateam.net - DIATEAM18 192.168.10.110 Linux Ubuntu 8.04 192.168.10.73 Nmap, Xprobe2, SinFP, P0f tap0 eth0 LAN Scénario de la démonstration 4 - Xprobe2 2 - VirtualBox 3- IpMorph 5 - Nmap 6 - SinFp en actif 7 - SinFp en passif 8 - p0f Configuration Prise dempreinte « active » Prise dempreinte « passive »

19 This document is licensed under a Creative Commons Attribution 3.0 License SSTIC - 5 juin 2009 IpMorph is an Open Source project owned, developed and supported by DIATEAM 2009/06/0519 Merci de votre attention.

Download ppt "This document is licensed under a Creative Commons Attribution 3.0 License SSTIC - 5 juin 2009 IpMorph is an Open Source project owned, developed and supported."

Similar presentations

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
Art Foundations Exam 1.What are the Elements of Art? List & write a COMPLETE definition; you may supplement your written definition with Illustrations.

Art Foundations Exam 1.What are the Elements of Art? List & write a COMPLETE definition; you may supplement your written definition with Illustrations.
1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 38.

1 Copyright © 2013 Elsevier Inc. All rights reserved. Chapter 38.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Building Fast, Flexible Virtual Networks on Commodity Hardware Nick Feamster Georgia Tech Trellis: A Platform for Building Flexible, Fast Virtual Networks.

Building Fast, Flexible Virtual Networks on Commodity Hardware Nick Feamster Georgia Tech Trellis: A Platform for Building Flexible, Fast Virtual Networks.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Cultural Heritage in REGional NETworks REGNET Project Meeting Content Group 2002-01-28 - 2002-01-29.

Cultural Heritage in REGional NETworks REGNET Project Meeting Content Group
What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/07/15 v0.1.

What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/07/15 v0.1.
What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/08/08 v0.2.

What's a Proxy Printer Provider? PWG WIMS-CIM Working Group Rick Landau Dell, CTO Office 2008/08/08 v0.2.
Overview of IETF work on IP traffic flow measurement and current developments Dr. Jürgen Quittek General Manager Network Research Division, NEC Europe.

Overview of IETF work on IP traffic flow measurement and current developments Dr. Jürgen Quittek General Manager Network Research Division, NEC Europe.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.

0 - 0.
ALGEBRAIC EXPRESSIONS

ALGEBRAIC EXPRESSIONS
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)

MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.

ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
FACTORING Think Distributive property backwards Work down, Show all steps ax + ay = a(x + y)

FACTORING Think Distributive property backwards Work down, Show all steps ax + ay = a(x + y)

Similar presentations

Ads by Google