============== Page 1/1 ============== Remote Network Analysis - I know what you know - Torsten Höfler htor@cs.tu-chemnitz.de Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 1/41 Outline • Outline Introduction Passive Analysis Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 1. Introduction 2. Passive Analysis 3. Active Analysis 4. Advanced Scanning 5. Prevention 6. Questions Remote Network Analysis - p. 2/41 Introduction Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 3/41 Motivation play instinct :o) • explore a remote network • find backdoors • check weaknesses • prepare an attack • fool IDS systems • see which software your bank runs • ... • • Outline Introduction • Motivation • Typical Targets • Structure of FW Systems • Structure of FW Systems • Possible Attacks Passive Analysis Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 4/41 Typical Targets Router / Firewalls / Packetfilter • Intrusion Detection Systems • Loghosts (to hide traces) • servers - from the outside accessible (DMZ?) • Client-Systems / Workstations • Hardware-Systems (e.g. Access Points, Routers ...) • • Outline Introduction • Motivation • Typical Targets • Structure of FW Systems • Structure of FW Systems • Possible Attacks Passive Analysis Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 5/41 Structure of FW Systems • Outline easy layout: Introduction • Motivation • Typical Targets • Structure of FW Systems • Structure of FW Systems • Possible Attacks Passive Analysis Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 6/41 Structure of FW Systems • Outline more complex layout(s): Introduction • Motivation • Typical Targets • Structure of FW Systems • Structure of FW Systems • Possible Attacks Passive Analysis Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 7/41 Possible Attacks Introduction ⇒ attacker (we) located in the Internet ⇒ attacks performed from outside • Motivation • Typical Targets • Structure of FW Systems • Structure of FW Systems • Possible Attacks • • Outline Passive Analysis Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 passive analysis (e.g. sniffing) • noticeable active analysis (e.g. scanning) • hidden active analysis (e.g. fingerprinting) • analysis of topology (e.g. firewalking, tracing) • social engineering Remote Network Analysis - p. 8/41 Passive Analysis Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 9/41 Layer 2/3/4 • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary ⇒ different possibilities: • passive fingerprinting (without sending anything) ◦ Layer 4 (versions of used software products) ◦ Payload Analysis (not widely used, no tools available) ◦ Layer 2/3 (OS’s TCP/IP implementation) ◦ Header-Analysis (widely used, tools available) Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 10/41 Header-Analysis gives information about deployed topology: ◦ TTL: OS usually starts with ”typical” values (255, 128, 64 ...) -> difference equals Hop-Count ◦ be aware of exceptions (e.g. traceroute)! • offered or used services e.g.: ◦ analyse source or/and destination port • • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 11/41 Header-Fields • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 12/41 Header-Information • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 much information can be gained from the header fields: Field Location Tools? What? TTL Fragmentation Header Length TOS ID Source Port Window Size Max. Segmentsz. ... IP IP IP IP IP TCP TCP/Opt TCP/Opt ... x x x x x - OS + Topology OS + Topology OS OS OS + Traffic OS + Traffic OS OS OS Remote Network Analysis - p. 13/41 Header-Analysis (example) SYN/ACK Header from www.ccc.de:80 • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 14/41 Header-Analysis (example) SYN/ACK Header from www.microsoft.de:80 • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 15/41 Example practical values: • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 OS TOS DF TTL Window Options Win2000 Win98 Linux 2.2 Linux 2.4 Linux 2.6 FreeBSD 4.6 FreeBSD 5.0 OpenBSD 2.x ... 0 0 0 0 0 0 0 16 1 1 1 1 1 1 1 0 128 128 64 64 64 64 64 64 65535 8760 32210 5792 5792 57344 65535 17520 tsval=0, SACK SACK tsval>0, SACK tsval>0, SACK tsval>0, SACK tsval>0 tsval>0 tsval=0, SACK ... ... ... ... ... Remote Network Analysis - p. 16/41 More Examples • Outline Introduction Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 examples (p0f - SYN/ACK analysis): • www.metro.de - Windows 2000 SP4 • www.ebay.de - unknown • www.heise.de - NetApp Data OnTap 6.x • www.microsoft.de:80 - Windows 2000 (SP1+) (firewall!) • www.openbsd.org:80 - Solaris 7 (up: 2533 hrs) • www.freebsd.org:80 - FreeBSD 4.6-4.8 (up: 9 hrs) • www.mcafee.com:80 - Windows 2000 SP4 • www.georgewbush.com:80 - Windows 2000 SP4 • www.bundeskanzler.de:80 - Linux recent 2.4 (1) (up: 11405 hrs) • www.nsa.gov:80 - Linux recent 2.4 (1) (up: 5664 hrs) • www.dod.gov:80 - Linux recent 2.4 (up: 2804 hrs) • ... Remote Network Analysis - p. 17/41 Summary fingerprinting without sending any data • Outline Introduction utilizes imprecise standard definitions ... • ... or deviations of OSes from standards (RFC) • cumulative analysis of different header fields • manually nearly impossible (huge information databases) • ⇒ automated tools (ettercap, siphon, p0f) • BUT: very slow / imprecise! ⇒ active analysis is more accurate • new techniques (AI / Fuzzy Match) improve accurancy • Passive Analysis • Layer 2/3/4 • Header-Analysis • Header-Fields • Header-Information • Header-Analysis (example) • Header-Analysis (example) • Example • More Examples • Summary Active Analysis Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 18/41 Active Analysis Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 19/41 Layer 4 (Application Level) • Outline Introduction Passive Analysis Active Analysis • Layer 4 (Application Level) • Layer 2/3 (OS Level) • OS Detection Tools Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 sending packets and analysing the response • ”classical manual banner grabbing” ◦ e.g. FTP, HTTP, POP, IMAP, SMTP, SSH, NNTP, Finger ... • binary analysis ◦ e.g. /bin/ls from FTP server (which binary format (ELF, COFF) → OS) • well known ports ◦ e.g. 80 → HTTP, 22 → SSH, ... • ⇒ easy to prevent/fake ◦ e.g. 222 → SSH (ipcop) • → application fingerprinting (sending special requests, evaluate (error) responses) ◦ automated tools: thc-amap, nmap (-sV) Remote Network Analysis - p. 20/41 Layer 2/3 (OS Level) • Outline send ”special” crafted IP packets and analyse the response • ⇒ easy to detect ◦ e.g. IDS notifies attempts (see portscan) • ⇒ firewall can block results ◦ e.g. stateful firewalls block connectionless FIN packets • ⇒ firewall can modify results ◦ e.g. change TTL, TOS or filter out Options with iptables • Introduction Passive Analysis Active Analysis • Layer 4 (Application Level) • Layer 2/3 (OS Level) • OS Detection Tools Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 21/41 OS Detection Tools de-facto standard: nmap from Fyodor • a lot of active fingerprinting techniques (FIN to open port, ISN Sampling, ICMP Tests, TCP Options, Fragmentation Handling ...) • is recognized by many IDS or packetfilters and can be filtered easily • nmap needs one opened and one closed TCP-Port + one closed UDP-Port (often not possible → firewall) • ⇒ other metrics have to be found • others: ◦ xprobe2 - fuzzy logic, similar to nmap ◦ queso - no further development • • Outline Introduction Passive Analysis Active Analysis • Layer 4 (Application Level) • Layer 2/3 (OS Level) • OS Detection Tools Advanced Methods Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 22/41 Advanced Methods Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 23/41 Old Techniques • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) Prevention Questions Torsten Höfler, 21. November 2004 Inverse Mapping • normal ”inconspicuous” packets to different IP’s • e.g. FIN, ACK, DNS-Reply • → only for stateless firewalls / IDS • non existing hosts: router sends ICMP host unreachable -> attacker concludes network structure / used addresses Slow Scan • packet-rate < 1 packet/hour • very hard to detect automatically Remote Network Analysis - p. 24/41 RING ⇒ RING (Remote Identification Next Generation) • TCP retransmissioncount and -time is used! • deviations from RFC2988 (defines a retransmission algorithm) • tools: snacktime, Cron-OS, tbit • • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 25/41 RING - Examples • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) Prevention Questions Torsten Höfler, 21. November 2004 snacktime evaluation: • www.metro.de:80 - Windows_2000_Server_SP3 • www.ebay.de:80 - Windows_XP_Professional • www.heise.de:80 - no retransmission • www.microsoft.de:80 - no retransmission • www.openbsd.org:80 - Linux_2.4.9_Alpha (???) • www.freebsd.org:80 - Generic_BSD_Stack • www.mcafee.com:80 - no retransmission • www.georgewbush.com:80 - RST after first retrans! • www.bundeskanzler.de:80 - Linux_2.4.18 • www.nsa.gov:80 - no retransmission • www.dod.gov:80 - Linux_2.4.18 • ... Remote Network Analysis - p. 26/41 Overview Fingerprinting • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 27/41 Idle Scan • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) • no packet sent directly → sending through ”zombie” hosts • using predictable IP fragment-numbers • suitable for testing IP-based filter-rules • IDS sees ”zombie” as attacker • tool: nmap (-D) - decoy scan protect own hosts from being used as zombies: • stateful firewall • OS with unpredictable or constant fragment-numbers Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 28/41 Idle Scan - Example • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 29/41 Finding Zombies • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) chance to find zombies is relatively high! htor@archimedes: $ hping2 -SA -p 80 www.tu-dresden.de len=46 ip=141.30.66.151 ttl=46 DF id=216 sport=80 ... len=46 ip=141.30.66.151 ttl=46 DF id=217 sport=80 ... len=46 ip=141.30.66.151 ttl=46 DF id=218 sport=80 ... htor@archimedes: $ ping -c1 www.tu-dresden.de htor@archimedes: $ hping2 -SA -p 80 www.tu-dresden.de len=46 ip=141.30.66.151 ttl=46 DF id=220 sport=80 ... → IP-ID counts up globally! more useable zombies: Prevention • www.tu-dresden.de Questions • 64.203.100.217 (hosting georgewbush.com :) • mx2.freebsd.org • www.openbsd.org • ... Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 30/41 Firewalking • Outline Introduction = analyze the hosts behind a firewall e.g. test if IP is up: Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) SYN-packets are dropped by firewall • SYN/ACK not (only stateful FWs) • use SYN/ACK packets to scan IP’s behind FW • ruleset of the FW can be guessed • Prevention Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 31/41 Firewalking - Example • Outline Introduction Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) Prevention Questions Torsten Höfler, 21. November 2004 e.g. portscan of wald.informatik.tu-chemnitz.de (134.109.184.40): archimedes: # hping2 wald.informatik.tu-chemnitz.de -p 22 -A HPING wald.informatik.tu-chemnitz.de (eth0 134.109.184.40): A set ... len=46 ip=134.109.184.40 ttl=55 DF id=0 sport=22 flags=R seq=0 win=0 rtt=64.3 ms len=46 ip=134.109.184.40 ttl=55 DF id=0 sport=22 flags=R seq=1 win=0 rtt=64.8 ms ⇒ port 22 (ssh) open archimedes: # hping2 wald.informatik.tu-chemnitz.de -p 81 -A HPING wald.informatik.tu-chemnitz.de (eth0 134.109.184.40): A set ... ICMP Port Unreachable from ip=134.109.184.40 name=wald ICMP Port Unreachable from ip=134.109.184.40 name=wald ⇒ port 81 closed are the pool-computers switched on during the weekend? HPING donau.hrz.tu-chemnitz.de (eth0 134.109.72.177): SA set ... len=46 ip=134.109.72.177 ttl=55 DF id=0 sport=82 flags=R seq=0 win=0 rtt=62.5 ms len=46 ip=134.109.72.177 ttl=55 DF id=0 sport=82 flags=R seq=1 win=0 rtt=65.4 ms ⇒ yes ;o) Remote Network Analysis - p. 32/41 Firewalking (2) • Outline Introduction Cambridge Technology Partners: ”A Traceroute-Like Analysis of IP Packet Responses to determine Gateway Access Control Lists.” Passive Analysis Active Analysis Advanced Methods • Old Techniques • RING • RING - Examples • Overview Fingerprinting • Idle Scan • Idle Scan - Example • Finding Zombies • Firewalking • Firewalking - Example • Firewalking (2) Prevention Questions Torsten Höfler, 21. November 2004 • newer development • phase 1: determine hop-count to FW (Gateway) = HC(FW) • phase 2: packets with TTL=HC(GW)+1 for SYN scan • if HC(target) > HC(GW)+1 → no packet reaches target • open port: ICMP Time exceed • closed Port: no answer (timeout) • prevention: ◦ drop outgoing ICMP time exceed packets ◦ application proxy Remote Network Analysis - p. 33/41 Prevention Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 34/41 TCP/IP Stack Tuning • Outline Introduction Passive Analysis Active Analysis Advanced Methods Prevention • TCP/IP Stack Tuning • Linux Kernel Modifications • Deep Packet Inspection • DPI - Example Questions Torsten Höfler, 21. November 2004 Linux (adjustment of kernel parameters): • /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts = 1 • /proc/sys/net/ipv4/conf/*/accept_source_route = 0 • /proc/sys/net/ipv4/conf/*/rp_filter = 1 (prevent spoofing) • /proc/sys/net/ipv4/ipfrag_high_thresh = ? (fragments will be dropped when this valua is reached - Rose Attacks?) • /proc/sys/net/ipv4/ipfrag_low_thresh = ? (fragments will be accepted again under this level) • /proc/sys/net/ipv4/conf/*/log_martians (log packets with unusual addresses) • /proc/sys/net/ipv4/ip_default_ttl = ? (confuses simple OS detection) ⇒ appropriate values on other Operating Systems (e.g. sysctl with BSD) Remote Network Analysis - p. 35/41 Linux Kernel Modifications • Outline Introduction Passive Analysis Active Analysis Advanced Methods Prevention • TCP/IP Stack Tuning • Linux Kernel Modifications • Deep Packet Inspection • DPI - Example Questions Torsten Höfler, 21. November 2004 ⇒ Grsecurity • larger entropy pools (better random numbers) • randomized TCP Initial Sequence Numbers (confuses OS detection) • randomized IP IDs (prevents ”zombie”-scans) • randomized TCP source ports (confuses OS detection) ⇒ IP Personality • changeable characteristics to pretend other TCP/IP stacks • nice tool, but only up to kernel 2.4.18 :-( ⇒ own modifications in kernel sources • z.B. no answer to illegal packets: /usr/src/linux/net/ipv4/* • change the window size: /usr/src/linux/include/net/tcp.h (MAX_TCP_WINDOW) • ... Remote Network Analysis - p. 36/41 Deep Packet Inspection • Outline Introduction Passive Analysis Active Analysis Advanced Methods Prevention • TCP/IP Stack Tuning • Linux Kernel Modifications • Deep Packet Inspection • DPI - Example Questions Torsten Höfler, 21. November 2004 Firewall Evolution • Firewall - protect • IDS - observe • today: manual adding of firewall rules after notification from IDS • problem: fast attacks (Code Red, Nimda) • → deep packet inspection = FW + IDS coupled • exploits and scan attempts can be interrupted automatically e.g. layer 4 monitoring (see PIX ”fixup” command) ⇒ next slide Remote Network Analysis - p. 37/41 DPI - Example • Outline Introduction Passive Analysis Active Analysis Advanced Methods Prevention • TCP/IP Stack Tuning • Linux Kernel Modifications • Deep Packet Inspection • DPI - Example Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 38/41 Questions Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 39/41 Questions? • Outline Introduction Passive Analysis Active Analysis Advanced Methods Prevention Questions • Questions? • Sources Torsten Höfler, 21. November 2004 Remote Network Analysis - p. 40/41 Sources • own experience :o) • Outline Introduction Passive Analysis Active Analysis Advanced Methods Prevention Questions • Questions? • Sources Torsten Höfler, 21. November 2004 • Laurent Joncheray: Simple Active Attack Against TCP, 1995 • Kevin Timm: Passive Network Traffic Analysis, 2003 • Lance Spitzner: Passive Fingerprinting, 2000 • Fyodor: Remote OS detection via TCP/IP Stack FingerPrinting, 1998 • Intranode Research: RING - Full Paper, 2002 • Synnergy Networks: Advanced Host Detection, 2001 • Cambridge Technology Partners: Firewalking, 1998 • Ido Dubrawsky: Firewall Evolution - Deep Packet Inspection, 2003 Remote Network Analysis - p. 41/41