
Thwarting Remote OS Fingerprinting

Thwarting Remote OS Fingerprinting. Eric Kluthe. What is OS fingerprinting? Sending packets, usually ICMP and TCP, and recording the responses that come back.



  1. Thwarting Remote OS Fingerprinting
     Eric Kluthe

  2. What is OS fingerprinting?
     Sending packets, usually ICMP and TCP, and recording the responses that come back. To get optimal results, Nmap and other tools send a handful of specially crafted packets so that they can fingerprint and detect an OS accurately.

  3. An example of fingerprinting: the ICMP echo test

  4. ICMP packet structure

  5. An example - the ICMP echo test
     In this test we send out two packets with the following attributes set:
     Packet 1: IP DF bit set, TOS byte value of 0, an ICMP code of 9 (should be 0), sequence # of 295, and 125 bytes of 0's as a payload.
     Packet 2: TOS of 4 (IP_TOS_RELIABILITY), a code of 0, 150 bytes of random data.

  6. What do we get in return?
     Windows 2008 Server: IE(R=Y%DFI=N%TG=80%CD=Z)
     Ubuntu 10.04:        IE(R=Y%DFI=N%T=40%CD=S)
     Notice the differences?
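To read the two IE lines above side by side, here is an added Python example (not part of the talk) that parses Nmap's `TEST(key=val%key=val)` line format and lists the attributes that differ; the attribute meanings in the comments follow Nmap's OS detection documentation for the IE test, and the two sample lines are the ones from the slide.

```python
import re

# Meaning of the IE-test attributes, per Nmap's OS detection documentation.
# T and TG are hexadecimal TTL values.
ATTR_MEANING = {
    "R": "responsiveness (Y = the host answered the probes)",
    "DFI": "DF bit in the echo replies (N = neither reply has it set)",
    "T": "exact initial TTL of the replies (hex)",
    "TG": "initial TTL guess (hex), reported when T cannot be measured exactly",
    "CD": "ICMP code in the replies (Z = both zero, S = same as in the probes)",
}

LINE_RE = re.compile(r"^(?P<test>[A-Z0-9]+)\((?P<body>[^)]*)\)$")


def parse_test_line(line):
    """Parse one fingerprint test line, e.g. 'IE(R=Y%DFI=N%TG=80%CD=Z)'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a fingerprint test line: {line!r}")
    attrs = {}
    for item in m.group("body").split("%"):
        if item:
            key, _, value = item.partition("=")
            attrs[key] = value
    return m.group("test"), attrs


def diff_tests(line_a, line_b):
    """Return {attr: (value_a, value_b)} for attributes that differ (None = absent)."""
    test_a, a = parse_test_line(line_a)
    test_b, b = parse_test_line(line_b)
    if test_a != test_b:
        raise ValueError(f"comparing different tests: {test_a} vs {test_b}")
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def initial_ttl(line):
    """Initial TTL of the replies as an int, from T (exact) or else TG (guess)."""
    _, attrs = parse_test_line(line)
    raw = attrs.get("T") or attrs.get("TG")
    return int(raw, 16) if raw else None


# Sample responses taken from the slide above.
WINDOWS_IE = "IE(R=Y%DFI=N%TG=80%CD=Z)"
UBUNTU_IE = "IE(R=Y%DFI=N%T=40%CD=S)"

if __name__ == "__main__":
    for attr, (win, ubu) in diff_tests(WINDOWS_IE, UBUNTU_IE).items():
        print(f"{attr:>3}: Windows={win!s:<5} Ubuntu={ubu!s:<5} # {ATTR_MEANING[attr]}")
    print("initial TTL:", initial_ttl(WINDOWS_IE), "vs", initial_ttl(UBUNTU_IE))
```

Running it shows that the two hosts differ in the echoed ICMP code (CD) and in how the initial TTL is reported (TG=80 is a guess of 128, T=40 an exact 64), which is exactly the kind of attribute the later slides change to alter a host's profile.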

  7. My research
     1. Find out what software packages are out there for both OS detection and evasion.
     2. Test these tools using BackTrack 5, a clean install of Ubuntu 10.04, and a clean install of Windows Server 2008.
     3. Firewall all of the non-public services off from the public.
     4. Test again and record results.
     5. Install OS evasion software. Disable firewall.
     6. Test again and record results.
     7. Enable firewall and evasion software.
     8. Test again and record results.

  8. What ended up happening?
     1. The only detection tools that are still being updated are Nmap and SinFP.
     2. There are no fingerprint evasion tools that work for operating systems made within the past 4 years.
     3. Since I knew how the fingerprinting software worked, I was able to mess with some TCP variables in the operating system to mimic the evasion tools.
     4. Success.

  9. Results
     Clean:
       Nmap: Detected both perfectly.
       SinFP: Detected both perfectly.
     With FW rules in place:
       Nmap: Detected both perfectly.
       SinFP: Detected both perfectly.
     After changing the TCP values (MTU, window size, default TTL, etc.):
       Nmap: Ubuntu 10.04 turned into a Linksys WRV54G WAP. Windows: no exact match, but guessed it anyway.
       SinFP: Completely failed on both, no fingerprint found.

  10. Results
     After implementing both FW rules and changing the TCP values:
       Nmap: Ubuntu machine returned no OS matches. Windows machine returned no exact matches but guessed with equal probability that it was either Windows or FreeBSD.
       SinFP: Failed.

  11. Results
     - Created a script that makes an Ubuntu machine look like a Linksys router.
     - Would have been easy to make a small script for Windows.

  12. Conclusions
     1. Tools need to be updated or recreated for newer OSes.
     2. It is pretty easy to change the profile of your machine and fool the detection/fingerprinting software.
     3. You should probably lock down the services on your machine anyway...
     4. Messing with the TCP/IP values may introduce performance issues. (Future research?)
