Okay, let's get started on the next session. I've got Jaime Sanchez with Derevolutionizing OS Fingerprinting: The Cat and Mouse Game. Jaime has over 20 years' experience as a specialist advisor for large national and international companies, focusing on different aspects of security. Without further ado, I'll hand over to Jaime. Thanks very much.

Well, hi, hello. It's great to be here. Thank you for coming to see this talk. Just some things about me: I've been working in security for almost 20 years. It's not my first time in Vegas, so it's great to be here again. What we are going to talk about is OS fingerprinting. That is something very interesting from different perspectives: from the attacker's point of view, for defenders, administrators, vendors. You really need to know what kind of operating system you are trying to connect to. If you try to attack, you need to know, for example, if it's a Windows XP without a service pack or whatever before launching your exploit, because you have to know the memory addresses. So it's described as passive collection of configuration attributes from remote devices, but it's not only this, because there are a lot of approaches to operating system fingerprinting. You know, in the old days everything was banner grabbing; that's manual reconnaissance. Then we moved to active operating system fingerprinting with tools like Xprobe, like Nmap. Then we also have the passive point of view, where you only analyze, like a packet sniffer, all the traffic that you are generating on your side and on the other side, just to get useful information. But there is another approach, which is timing attacks. We are not going to see it here. So the first technique, banner grabbing, is very simple. You connect with telnet, for example, to a web server to get all the header information, whether you are dealing with IIS or nginx, whatever. You can also connect to FTP services, telnet to see the banner. You can use SNMP.
That's the kind of active technique. But you can also get free information from other services, you know, IMAP, finger, NNTP. And if you have access to the remote machines you can also play with some configuration files, the issue files, the banners. And you can try to port scan, and also you can try to do social engineering just to get information about the technologies used by any company. There are a lot of services that give other information; for example, FTP has the SYST command that asks for information about the server operating system, and you have some examples there. Another useful thing would be, for example, connecting to the FTP, getting any file that is inside, for example, the ls, compress, cut, and trying to get information on your local machine. For example, here you can see that our files are compiled for Linux, for Sun, whatever. You can also use all kinds of search engines like Shodan, like Censys, that get all this information for you so you don't have to interact with the other machine. For example, this is very useful because, I don't know if you can see there. Well, don't worry. If you try to scan, for example, mobile networks, you can try to look for port 62078 for jailbroken iPhones, and you can try to connect with SSH with the default credentials, which are root and alpine, and try to move on. So this is very important to know: to know what kind of operating system you are dealing with. In this case, I only use those mobile phones to jump to another machine, get all the information, and finally attack my final target. So, some things you need to know: TCP/IP theory. This will be very basic, but it's something that people have to understand before going into fingerprinting. For example, in IP, you have to know what kind of protocol you are dealing with: TCP, UDP, ICMP, which are the most important ones we are taking a look at.
Source address, destination address, things you know, but in TCP we will be dealing with SYN packets, ACK packets, PUSH. We have to know not every, but almost every, TCP option that is available, and you have to understand that almost every operating system uses some TCP options in the same order, and maybe Windows XP and Windows 2000 have the same options but in a different order. So that's the way we can tell the difference and know whether we are dealing with Windows XP or Windows 2000. The same for UDP, just knowing source port and destination port; you will see that in Nmap it has custom data, which has a lot of Cs. And finally ICMP, which is probed by Nmap. So these are some basics that you will see in any database; you get all this information: if the congestion flag is on, if the don't fragment flag is on. So for active operating system fingerprinting, we are going to see just a few tools. For example, one of the first was called Queso, which in Spanish is "Qué Sistema Operativo", it's like "which operating system". And it was sending like seven kinds of tests. You can see the SYN, SYN plus ACK, and then they moved on and another project was released called Xprobe. Xprobe deals with a lot of ICMP packets and also sends UDP packets, but these kinds of tools are somewhat old right now and I think that almost everyone in hacking and security is using Nmap. Nmap is a must for pentesters, for everyone. And Nmap gives you a lot of information about what kind of device you are dealing with. For example, the device type; in this case it's general purpose because it's a computer, but it can also tell you if you are dealing with a printer, a firewall, a router, or, if it doesn't know well, it can give you information about this: maybe it should be a router or maybe it's a firewall.
The next thing it will tell you is the family, in this case Linux, and the generation; the generation is practically the version that you are running. Common Platform Enumeration, that's something standard, and the details of the fingerprint. If it's not a perfect match, because sometimes you have a firewall or you are not getting all the traffic, you can get a message like "just guessing". So Nmap doesn't know exactly what kind of operating system it is, but maybe it's telling you that you are dealing with Solaris, maybe this version, maybe another one. You get a lot of information: the network distance, as if you were doing a traceroute, uptime guess, TCP sequence prediction, but you can also use version scan. Version scan is very useful when you are dealing with a proxy, because if you try to do operating system fingerprinting you are really dealing with the proxy and you need to get information about the remote host. So in this case it can get a lot of information about whether it's an SSL service, if it's running TCP or UDP, it can deal with IMAP, whatever service. But the interesting thing here is how does Nmap work? How does it really work? The inner working of this is that Nmap is sending 15 TCP probes, UDP and ICMP. All these tests are sent with a custom destination port, they have custom flags, and the result for the Nmap database is something like that. I don't know if you can see it very well, but you can find it in the slides: you have a lot of information about every operating system that you are dealing with. For example, the first six TCP probes have these custom TCP options. If you want to get more information about this, it's really useful to get the official Nmap book. It has a lot of information about this. So you can get all the TCP options they are using, the remote port they are using, if they are looking for a network congestion flag, if the don't fragment bit is set on ICMP.
And then the real probes begin, T1, T2 to T7, where you have a lot of flags that you know you will receive. For example, packet T2 has no flags, the don't fragment bit is on, its window size is 124. This is all the information I've got, so I can know which packets I should filter and manipulate, and let all the other traffic go to my machine. So in this case we will see a tool called OSfooler that is only dealing with the specific packets for Nmap. All the other traffic should be treated by the kernel. This case is UDP; UDP has a special payload because it has like 300 times the letter C, so it's very easy to recognize that kind of packet. I have a small demo, but I think it will be better if we do it live because we can make the screen bigger. So the same thing for passive operating system fingerprinting; it's like dealing with a packet sniffer. What you are trying to do is copy the data without modifying it; you don't manipulate the traffic, you just get all the information and try to analyze it locally to get all the information you can about the remote host. And for this you've got p0f, for example. OSfooler, the tool I'm presenting, can hold all the information from the database from version two. It's very simple: every line is like this. The first is the window size for the TCP/IP stack, time to live, if the don't fragment flag is on, the TCP options in order, and some quirks. For example, if you get a SYN packet, you shouldn't have any payload inside, but there are some operating systems that send this kind of information, so this is very useful to identify them. And finally you've got the label for the operating system.
This is fully working, but then p0f moved to another version, version three, which is a complete rewrite of the original code, and it deals with TCP packets, the SYN packets, but also the SYN and acknowledged packets, HTTP requests, so it's more complete. In this case, instead of rebuilding all of OSfooler, what I'm trying to do is just migrate this kind of database to the old format so we can use it. If you can see, it's almost the same kind of information: you have the time to live, the length of the packet, maximum segment size, you have the TCP options, the don't fragment, some more quirks that are available in this operating system, so this is very easy to identify. And finally, there are a lot of people still using Ettercap. Ettercap is using almost the same technique as p0f. It's only copying all the traffic and just trying to analyze it, and it has some database. If you can see, practically all these tools use the same format, all the same information: you can analyze TCP options, length of the packet, what kind of information, if it has a payload. So in this case, in the next release of OSfooler, I will migrate the same database from Ettercap to p0f. It's very simple because the database of version two is being parsed by OSfooler and it is 100% complete, so it works like a charm, so I will be doing this change. But also, there are some commercial engines like Sourcefire or FireSIGHT that use these kinds of techniques to identify all the traffic for the IPS or the IDS, and when you get an alert they tell you, like, hey, you have been attacked by this kind of machine, maybe it's a Linux, maybe it's a Windows machine. They are using almost the same information, and with the same information you can spoof that kind of fingerprint, so you can try to confuse administrators, defenders. And this is really useful to know because there are other online services, for example, for vendors, for ads or whatever, that use this online.
So it's very useful for vendors, for example, to know not only if you are using Chrome or Safari, but if you are using Macintosh, Windows, Solaris, whatever. So in this case it's very simple to do the same thing. In the first approach it thinks it's Linux version three, and in the second one we are running only OSfooler and you get like Windows NT kernel. That's because it's using the same database as p0f or Ettercap, so it's very simple to deal with this. So other techniques to do this kind of fingerprinting could be analyzing the DHCP requests. When it asks, for example, for options like the DNS server, default gateway, it is asking in an exact order, so you can try to do this; there is a tool called Satori, and there is a very interesting white paper that you can download and take a look at. And at last, you can use other techniques like identifying the MAC addresses; for example, Apple or Sony use some kind of patterns, so you can use that to get all the information about the machine you want. So at this point we know how to do that kind of active fingerprinting, passive fingerprinting, but what kind of countermeasures do we have to protect from this? I have collected some information about just some of them. For example, IP Personality was very famous because, depending on some parameters, it let you change sequence number, window size, IDs, how it answers TCP packets, but the problem is that it changed a lot of the behavior of the TCP/IP stack for Linux, and this was working for old releases of the kernel, so nowadays it's not very useful. The other one was the Stealth patch that was working from kernel 2.2 to 2.4, but this tool had a problem: if you change some parameters when scanning, you can know that the remote machine is using this tool and you can identify it, because you know that the Stealth patch only works for some kernels, so it makes it easier to understand.
Many others: there was Ipolo, Blackhole, Fingerprint Fucker, Morph, there were a lot of tools, but nowadays I didn't find any useful tool to avoid this. So when I was working, I worked for Telefonica, when I was working at the Security Protection Center I had to deal with a customer that was scanning all his network every day, every day. I didn't have enough time, I didn't have alerts fast enough to notify him that I knew he was scanning, so I tried to make some kind of cool thing that was detecting the scans with a program I made in Perl, but also tried to fool him, like, hey, you're scanning, but you have a PlayStation inside your network, usually you have a Sony Ericsson Walkman, and that's how we came to OSfooler. OSfooler, if you know, the packets are inside the kernel space and you are in user space, so you cannot interact with packets in real time, so the solution was to use NFQUEUE. NFQUEUE is an extension for iptables that accepts some extensions and lets you put all the packets inside some queues, so you have two elements: you have a queue handler that deals with the packets with the kernel, so it tells the kernel, just give me the packets, and it moves them to user space. In user space you can receive those packets, manipulate them, and send them back. The only problem here is that you have a maximum queue length, which is 1,424, so you have to manipulate all those packets very, very fast, because if you don't and the queue gets full, all the traffic will be rejected, and that's a big problem. So, just to take a look, for example, let me see if I can, okay. Okay, now I think you can see the screen. If you, for example, do an Nmap scan for localhost, it will give no information. Why? Because I don't have any open ports, so let's start, for example, SSH.
So we have, I'm running on Kali, I have Linux with kernel version three, 372.3.10, so this is all the information that Nmap can give me, so we will be using our tool, OSfooler. OSfooler is working. So what can you do? First of all, just to let you know that here, in the case of Nmap, we are only dealing with the specific tests for Nmap; all the other traffic should go directly to your computer and shouldn't be manipulated in any way. So, for example, if you just want to take a look at what kind of operating systems you have, minus N. We are interacting with the official Nmap database, so you can just update it and we work with it, so this is almost all the operating systems that are available right now. There are a lot of them; just to let you know, it has like 5,500 signatures, so there are a lot of operating systems to emulate. If you do the same thing, for example, with p0f, the same. In this case, you have to decide what kind of operating system you want and then you go to the versions. In this case, for Nmap, with OSfooler you can go both ways: you can specify, I want to be like a Windows and I need the version to be like XP or 2000, or maybe you just specify the family, I need to be Windows, and every packet that you are sending will be in a loop and you will be changing your ID inside Windows; for example, the first one will be XP, the second one will be 98, the third one will be 2000, that kind of thing, randomly. There are not so many signatures for p0f, there are like 250, and there is a special flag if you just want to search, for example, give me all the information that you have, not for Windows, let's see if you can, something that is smaller, for PlayStation. Nmap has like one, two, three, four, five signatures available for PlayStation and you have one available for p0f.
In this case there are two queues for the traffic: one will go to p0f, to passive fingerprinting, the other one will go only to Nmap, so when you are running OSfooler you get those different queues, and in this case the program is running multi-threaded. I have made some tests, not stress tests, but because last day in the Demo Labs people asked me about the performance: when using it on a web server without a lot of connections, you have to understand that you have 1024 packets per queue, but in the case of Nmap, Nmap sends like 20 packets, so to get the queue full you will need maybe like 200 attackers scanning at the same time and yourself running a Celeron or something like that. So if you just wanted to, let's search if we can do Nmap, grep, no, let's search for Windows for Nmap, for example, this one. Now I have the information, so let's emulate Microsoft Windows 2000 and you get this info: you are emulating for Nmap, you get in the database the signature, you can see that there are some probes we shouldn't respond to, for example for UDP, for example for ICMP, and if you open a new window and repeat the same test, you see Nmap thinks that we are running Microsoft Windows 2000 or maybe XP. That's because the signatures are very similar and Nmap doesn't have all the information it needs to complete the profiling of my operating system. If you use the verbose option and you launch the same scan, you will get information for every packet that you receive from Nmap. So, for example, you remember I told you that the UDP test in Nmap has a payload of 300 Cs; you can see it here. So this is not only useful to try to defeat Nmap, but you can also let it run in the background and write all this information directly to a log and try to get information when you are getting scanned. The same thing we can do with, for example, p0f: we search Windows, for example, let's work with 2002.
So, family is Windows, details are this, and interface would be localhost. The same, you get here the signature for Windows 2000, and let's get in p0f, just let me launch some localhost connections. If you see, I have started a secure shell connection and p0f thinks that we are running Microsoft Windows XP. If you stop OSfooler and do the same thing, in this case it doesn't have information, because it's a newer kernel and the database of p0f doesn't have it, but it's not the same signature. And you remember I told you that you can just specify the family. Just, I'm telling OSfooler to try to emulate almost every version of Windows it has on every new packet. So, if you launch p0f: Windows CE, Windows 98, Windows 2000, Windows NT, Windows 98, so on every connection you will be changing your fingerprint inside the same family. You can go random; in this case it is a SoundTouch audio receiver, Linux 2.6.39. Or just search for PlayStation. Now, let's see if we can learn something cooler. Sony Ericsson Walkman mobile phone. Oh, and you see, the same thing for this. So it's very easy for the tool to get all this information, to read the Nmap database, to read p0f databases. The Nmap database is working like 95% because there are some signatures that don't have all the fields and I have to change the inner workings of OSfooler to handle that, but in the case of p0f it's running with almost every operating system, and I think that's all. You can get OSfooler using GitHub or using pip, and feel free to collaborate on any issues that you find. So, if there is any question? Yes, I can hear you. No, no, in this case we are only dealing with active fingerprinting, no, there are, this is not bulletproof. This is only a proof of concept for Nmap and for p0f. If you make some modifications in Nmap, for example, and you deal with some small changes, you can get information about the remote host.
So, this is not bulletproof, but only a proof of concept for those specific tools. You can still use DHCP, you can use the MAC address, you can use timing attacks to identify the operating system. So this is not working for every technique; it should just be working fine for these kinds of tools. Yes? Excuse me? That's what I told you before. I haven't made any stress tests, but think that in the case of p0f you are only modifying the SYN packets, and in the case of Nmap you are only dealing with almost 20 packets per scan. So that shouldn't be a problem. You would need to have a slow machine and have like 200 or 400 attackers scanning you at the same time to get the queue full, and the program works with multi-threading. So I haven't made a lot of tests, but it should be working fine. I'm using it on my pentests when I try to do research, and it's working fine with some service I have on the internet, it's working okay. But if any of you can get that information about the performance, it would be great to have it inside the GitHub. Thank you.
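As an added example that is not part of the talk and not OSfooler's or p0f's own code: a small Python passive fingerprinter in the p0f v2 signature layout the speaker describes (window size, TTL, don't fragment flag, packet length, TCP options in order, quirks, label), plus a check for the Nmap UDP probe payload of 300 Cs, which is the kind of thing a defender would log when being scanned. The signature lines are constructed for illustration and are not entries from the real p0f.fp; the window, TTL and option matching rules (`*`, `S<n>`, `%<n>`, `M*`, a TTL slack of 32 hops) are simplified assumptions, not p0f's exact algorithm; the `SynPacket` fields are what a sniffer would extract from one SYN, supplied here as constructed input.

```python
"""Toy passive fingerprinter in the p0f v2 signature style (added example).

Not OSfooler's or p0f's code. Signature lines are constructed, not copied from
p0f.fp, and the matching rules are a labelled simplification of p0f v2.
Field layout per line, as described in the talk:
    window:ttl:df:total_len:options:quirks:label:details
"""
from dataclasses import dataclass
from typing import Optional

# Constructed signature lines in the p0f v2 layout (illustrative, not real data).
SIGNATURES_TEXT = """
# window:ttl:DF:total_len:options:quirks:label:details
65535:64:1:64:M*,N,W6,N,N,T,S,E,E:P:LabOS-A:constructed entry, sends a payload in the SYN
5840:64:1:60:M*,S,T,N,W0:.:LabOS-B:constructed entry
*:128:1:48:M*,N,N,S:.:LabOS-C:constructed entry, any window size
S4:64:1:60:M*,S,T,N,W0:.:LabOS-D:constructed entry, window = 4 * MSS
"""

TTL_SLACK = 32  # assumption: accept observed TTL up to 31 hops below the initial TTL


@dataclass
class Signature:
    window: str     # exact number, "*", "S<n>" (n * MSS) or "%<n>" (multiple of n)
    ttl: int
    df: int
    total_len: int
    options: list   # option tokens in wire order, e.g. ["M*", "N", "W6"]
    quirks: str     # "." means no quirks; "P" means payload present in the SYN
    label: str
    details: str


@dataclass
class SynPacket:
    """Fields a sniffer would extract from one TCP SYN (constructed input)."""
    window: int
    ttl: int
    df: int
    total_len: int
    options: list   # observed tokens, e.g. ["M1460", "N", "W6"]
    mss: Optional[int] = None
    payload_len: int = 0


def parse_signatures(text: str) -> list:
    """Parse p0f-v2-style lines; comments and blank lines are skipped."""
    sigs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 7)  # the details field may contain ':' itself
        if len(fields) != 8:
            raise ValueError("malformed signature line: %r" % line)
        win, ttl, df, size, opts, quirks, label, details = fields
        sigs.append(Signature(win, int(ttl), int(df), int(size),
                              opts.split(",") if opts else [], quirks, label, details))
    return sigs


def _window_matches(spec: str, pkt: SynPacket) -> bool:
    if spec == "*":
        return True
    if spec.startswith("S"):   # multiple of the MSS announced in the SYN
        return pkt.mss is not None and pkt.window == int(spec[1:]) * pkt.mss
    if spec.startswith("%"):   # window is a multiple of n
        return pkt.window % int(spec[1:]) == 0
    return pkt.window == int(spec)


def _option_matches(spec: str, observed: str) -> bool:
    return observed.startswith("M") if spec == "M*" else spec == observed


def _quirks_of(pkt: SynPacket) -> str:
    # Only the payload quirk mentioned in the talk is modelled; "." means none.
    return "P" if pkt.payload_len > 0 else "."


def matches(sig: Signature, pkt: SynPacket) -> bool:
    if not _window_matches(sig.window, pkt):
        return False
    # TTL is decremented per hop, so the observed value sits just below the initial one.
    if not (0 <= sig.ttl - pkt.ttl < TTL_SLACK):
        return False
    if sig.df != pkt.df or sig.total_len != pkt.total_len:
        return False
    if len(sig.options) != len(pkt.options):
        return False
    if not all(_option_matches(s, o) for s, o in zip(sig.options, pkt.options)):
        return False
    return set(sig.quirks) == set(_quirks_of(pkt))


def identify(pkt: SynPacket, sigs: list) -> Optional[str]:
    """Return the label of the first matching signature, or None if unknown."""
    for sig in sigs:
        if matches(sig, pkt):
            return sig.label
    return None


def is_nmap_udp_probe(payload: bytes) -> bool:
    """Nmap's OS-detection UDP probe carries 300 bytes of 'C', as noted in the talk."""
    return len(payload) == 300 and set(payload) == {ord("C")}


if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURES_TEXT)
    syn = SynPacket(65535, 61, 1, 64, ["M1460", "N", "W6", "N", "N", "T", "S", "E", "E"], 1460, 4)
    print("SYN identified as:", identify(syn, sigs))          # LabOS-A
    print("Nmap UDP probe?", is_nmap_udp_probe(b"C" * 300))   # True
```

The quirk comparison is what separates otherwise identical stacks: a SYN that carries a payload only matches an entry whose quirks field contains `P`, which is exactly the case the speaker uses to tell operating systems apart. A real deployment would feed `SynPacket` from a capture library and the whole of p0f.fp into `parse_signatures`; the matching rules here are deliberately simplified.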