Détection des systèmes d exploitation avec Cron-OS
Dimension: px
Commencer à balayer dès la page:

Download "Détection des systèmes d exploitation avec Cron-OS"

Transcription

1 O. Courtay O. Heen F. Veysset Détection des systèmes d exploitation avec Cron-OS 1

2 Utilité Pourquoi reconnaître des OS? Auditer des configurations Administrer un parc Aider d autres logiciels Mais aussi Savoir ce que voient les pirates Fabriquer de meilleurs leurres 2

3 Windows 3.1 3

4 System7 4

5 SunOS 5

6 FreeBSD 6

7 Principes Operating System Finger Printing (OSFP) Stimuler la cible Capter ses réactions Analyser (base de référence) Réitérer si nécessaire 7

8 Difficultés Beaucoup (trop) d inconnues État initial de la cible ffet précis du stimulus ffet du médium Des cas d échecs ambigus base incomplète? Nouvelle protection? Réseau perturbé? 8

9 Techniques de détection Actives Passives Écoute réseau Collecte mpreinte de pile p0f tter cap Bannières Binaires Réponses ICMP Profils ISN Analyse entêtes Analyse tempo. 9 thcrut XPROB NMAP RING Cron-OS

10 x : NMAP Port ouvert ISN (séquence TCP) IP ID (ouvert) TCP SYN + options Port fermé IP ID (fermé) TCP SYN, TCP ACK UDP (réponse ICMP) TCP ACK TCP S/F/P/U TCP Xmas (F/P/U) TCP NULL Paquets non-standards 10

11 x : Profils ISN Cisco IOS 12.0 (unpatched) Linux

12 Principes de Cron-OS Congestion TCP/IP, Stimuli, Mesures, Déductions, rreurs 12

13 Connexion TCP/IP C L I N T SYN(x) SYN(y) ACK(x+1) ACK(y+1) S R V U R SYN RCVD STABLI SHD 13

14 Avec congestion C L I N T SYN(x) SYN(y) ACK(x+1) S R V U R SYN RCVD 14

15 1 er Principe 1. Amener le serveur dans l état SYN RCVD 2. Ne pas répondre aux SYN ACK 3. Mesurer la suite des délais entre SYN ACK C L I N T 4. Confronter à la base 15

16 Déconnexion TCP/IP active C L I N T FIN ACK FIN ACK S R V U R CLOS WAIT LASTACK then CLOS 16

17 Avec congestion C L I N T FIN ACK FIN S R V U R CLOS WAIT 17

18 2 ème Principe 1. Amener le serveur dans l état CLOS WAIT 2. Ignorer le ACK, ne pas répondre aux FIN 3. Mesurer la suite des délais entre FIN C L I N T 4. Confronter à la base 18

19 <QUOT RFC 2988 > An implementation MUST manage the RTO in such a way that a segment is never retransmitted too early. The host MUST set RTO <- RTO * 2 ("back off the timer"). The maximum value (60s) may be used to provide an upper bound to these doubling operation. </QUOT RFC 2988 > 19

20 Déconnexion TCP/IP passive C L I N T FIN ACK FIN ACK S R V U R STABLI SHD FIN WAIT1 FIN WAIT2 20

21 Avec congestion C L I N T FIN S R V U R FIN WAIT1 21

22 3 ème Principe 1. spérer que le serveur passe en FIN WAIT1 2. Ignorer les FIN 3. Mesurer la suite des délais entre FIN C L I N T 4. Comparer à la base 22

23 Justification du 3 ème Principe Les serveurs web ferment volontiers leur connexion Comportement HTTP 1.0 normal nvoyer GT / HTTP/1.0\r\n\r\n Le serveur se comporte alors comme un client TCP/IP t peut donc passer en FIN WAIT1 23

24 xemples concrets Cas typiques, cas particuliers, SYNRelay 24

25 Intégration Cron-OS / NMAP #./nmap-cron-os shal.no-ip.org Ports -p 80, et --cron-os slf timeout 60 -O testés Écoute de 60 secondes pour chaque état analysé États syn lastack et fin-wait1 analysés 25

26 Fingerprint: Windows NT TSeq(Class=RI%gcd=1%SI=3CC4%IPID=I... T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags= PU(Resp=Y%DF=N%TOS=0%IPLN=38%RIPTL=... CronOS_Syn(nbPkt=2%Time=30%p= %p= ) CronOS_LastAck(nbPkt=3%Time=30%Connect= %p= %p= %p= ) CronOS_FinWait(nbPkt=0%Time=30%Connect= ) 26

27 Portabilité Point faible de Cron-OS, mais Planb-security fournit une version en PRL appelée Snacktime LibNet 1.1 maintenant supportée Cron-OS est en source libre Les bonnes volontés sont donc encouragées 27

28 Fonctionnement simple # s Starting./nmap-cron-OS --timeout 60 V. freebsd.qq.part -n P0( -p method ) Starting filtre s --timeout pcap nmap:src 60 V. freebsd.qq.part 3.00 host ( xxx.xxx.xxx.xxx and src ) Starting filtre port 80 pcap and nmap:src dst V. port 3.00 host ( xxx.xxx.xxx.xxx and src ) Starting filtre port Try Time: 80 pcap and nmap :src dst V. port 3.00 host ( xxx.xxx.xxx.xxx and src ) filtre port Try Interesting Time: 80 pcap and :src dst ports port host on (xxx.xxx.xxx.xxx): and src por t Try Interesting Port 80 Time: and dst State ports on (xxx.xxx.xxx.xxx): Service Try Interesting Port 80/tcp Time: open State ports on (xxx.xxx.xxx.xxx): http Service Interesting Port 80/tcp Remote OS guesses: open State ports on FreeBSD (xxx.xxx.xxx.xxx): http Service 4.5 (2success/2t Port 80/tcp Remote ests), OS FreeBSD guesses: open State 4.7-RLAS FreeBSD http Service RLAS (2success/2t 80/tcp Remote ests), success/2tests), OS FreeBSD guesses: open 4.7-RLAS Windows FreeBSD http Second 4.8-RLAS dition (2success/2t Remote ests), (2success/2tests), OS FreeBSD guesses: 4.7-RLAS FreeBSD Windows NT Second 4.8-RLAS 4 Workstation dition (2success/2t SP2/S ests), (2success/2tests), P3/SP4/SP5 FreeBSD 4.7-RLAS (2success/2tests) Windows 98 -NT Second 4.8-RLAS 4 Workstation dition SP2/S (2 (2success/2tests), P3/SP4/SP5 # (2success/2tests) Windows 98 NT Second 4 Workstation dition SP2/S 28

29 Fonctionnement simple #esp=n" Starting Interesting Port 80/tcp./nmap nmap -n open State ports -P0 V. -p 3.00 on 80 (xxx.xxx.xxx.xxx): freebsd.qq.part http Service grep v) "R Starting Interesting Port 80/tcp No esp=n" exact nmap OS open State ports matches V on for (xxx.xxx.xxx.xxx): http Service host (test conditions nonideal). exact nmap OS open State ports matches V on for (xxx.xxx.xxx.xxx): http Service host (test conditions non- ) ) Starting Interesting Port 80/tcp No Starting nmap V ( Interesting Port 80/tcp No ideal). TCP/IP exact fingerprint: OS open State ports matches on for (xxx.xxx.xxx.xxx): http Service host (test conditions nonideal). TCP/IP SInfo(V=3.00%P=i686-pc-linux exact fingerprint: OS open State matches for http Service host (test conditions non- Interesting ports on (xxx.xxx.xxx.xxx): Port 80/tcp No Port State Service 80/tcp No ideal). TCP/IP SInfo(V=3.00%P=i686-pc-linux gnu%d=5/21%time=3cb3a3%o=80%c=-1) exact fingerprint: OS open matches for http host (test conditions nonideal). TCP/IP SInfo(V=3.00%P=i686-pc-linux gnu%d=5/21%time=3cb3a3%o=80%c=-1) TSeq(Class=TR%TS=100HZ) exact fingerprint: OS matches for host (test conditions non- 80/tcp open http No No exact OS matches for host (test conditions nonideal)ideal). TCP/IP SInfo(V=3.00%P=i686-pc-linux gnu%d=5/21%time=3cb3a3%o=80%c=-1) TSeq(Class=TR%TS=100HZ) T1(Resp=Y%DF=Y%W=000%ACK=S++%Flags=AS%Ops=MNWNN) fingerprint: TCP/IP SInfo(V=3.00%P=i686-pc-linux gnu%d=5/21%time=3cb3a3%o=80%c=-1) TSeq(Class=TR%TS=100HZ) T1(Resp=Y%DF=Y%W=000%ACK=S++%Flags=AS%Ops=MNWNN) Uptime fingerprint: days (since Sun Mar 9 01:17: ) TCP/IP fingerprint: SInfo(V=3.00%P=i686-pc-linux gnu%d=5/21%time=3cb3a3%o=80%c=-1) TSeq(Class=TR%TS=100HZ) T1(Resp=Y%DF=Y%W=000%ACK=S++%Flags=AS%Ops=MNWNN) Uptime Nmap run completed days -- (since 1 IP Sun address Mar 9 (101:17:11 host up) 2003) sca SInfo(V=3.00%P=i686-pc-linux gnu%d=5/21%time=3cb3a3%o=80%c=-1) TSeq(Class=TR%TS=100HZ) T1(Resp=Y%DF=Y%W=000%ACK=S++%Flags=AS%Ops=MNWNN) Uptime Nmap nned run in completed seconds days -- (since 1 IP Sun address Mar 9 (101:17:11 host up) 2003) sca gnu%d=5/21%time=3cb3a3%o=80%c=-1) TSeq(Class=TR%TS=100HZ) T1(Resp=Y%DF=Y%W=000%ACK=S++%Flags=AS%Ops=MNWNN) Uptime Nmap nned # run in completed seconds days -- (since 1 IP Sun address Mar 9 (101:17:11 host up) 2003) sca TSeq(Class=TR%TS=100HZ) 29

30 Fonctionnement simple Les résultats diffèrent. Pourquoi? Il y a un pare-feu «droppant» L OS réel n est pas dans les bases Les conditions réseau sont mauvaises 30

31 Fonctionnement avancé od filtre and 25) Try Interesting Port #./nmap-cron-os lf dst Time: unos.qq.part pcap port waiting State :src ports host -n to and on reap -P0 (tcp[13] (yy.yy.yy.yy): Service child -p == :--meth and 17 or src tcp[13] port == filtre and Try Interesting Port 80/tcp od 25) lf dst Time: unos.qq.part pcap port waiting open State :src ports host to and on reap (tcp[13] (yy.yy.yy.yy): http Service child == : and 17 or src tcp[13] port == filtre and Try Interesting Port 80/tcp Remote 25) dst Time: OS pcap port waiting guesses: open State :src ports host to and on Win2k reap (tcp[13] (yy.yy.yy.yy): http Service Pro child Base/SP1/SP2/SP3, == : and 17 or src tcp[13] port Win == filtre and Try Interesting Port 80/tcp Remote 2k Starting 25) Srv dst Time: OS Base/SP1/SP2/SP3, pcap port nmap waiting guesses: open State :src ports V. host 3.00 to and on Win2k reap (tcp[13] (yy.yy.yy.yy): http Service Pro Win2k child Base/SP1/SP2/SP3, == AdvSrv : and 17 src tcp[13] port ) Win == filtre and Try Interesting Port 80/tcp Remote 2k /SP3 25) Srv dst Time: OS Base/SP1/SP2/SP3, pcap port waiting guesses: open State (2success/2tests), :src ports host to and on Win2k reap (tcp[13] (yy.yy.yy.yy): http Service Pro Win2k child Base/SP1/SP2/SP3, Windows == AdvSrv : and 17 or src 95 tcp[13] B port Win == filtre and Try Interesting Port 80/tcp Remote 2k /SP3 (2success/2tests), 25) Srv dst Time: OS Base/SP1/SP2/SP3, pcap port waiting guesses: open State (2success/2tests), :src ports host to and on Win2k Windows reap (tcp[13] (yy.yy.yy.yy): http Service Pro Win2k child Base/SP1/SP2/SP3, Windows Second == AdvSrv : and 17 or dition src 95 tcp[13] B port Win == filtre and Try Interesting Port 80/tcp Remote 2k /SP3 25) (2success/2tests), Srv dst Time: OS Base/SP1/SP2/SP3, pcap port waiting guesses: open State (2success/2tests), :src ports 1035 host to and on Win2k Windows reap (tcp[13] (yy.yy.yy.yy): http Service Pro Win2k child Me Base/SP1/SP2/SP3, Windows Second == AdvSrv : and 17 or (2success/2te dition src 95 tcp[13] B port Win == filtre and Try Interesting Port 80/tcp Remote 2k /SP3 sts), 25) (2success/2tests), Srv dst Time: Windows OS Base/SP1/SP2/SP3, pcap port waiting guesses: open State (2success/2tests), :src ports 1035 NT host 4 to and on Win2k Workstation Windows reap (tcp[13] (yy.yy.yy.yy): http Service Pro Win2k child Me Base/SP1/SP2/SP3, Windows Second == AdvSrv : and 17 or (2success/2te dition src 95 tcp[13] B port Win == and Try Interesting Port 80/tcp Remote 2k /SP3 sts), filtre 25) (2success/2tests), Srv dst Time: Windows OS Base/SP1/SP2/SP3, pcap port waiting guesses: open State (2success/2tests), ports :src 1035 NT Windows host 4 to and on Win2k Workstation Windows reap (tcp[13] (yy.yy.yy.yy): http Service NT Pro Win2k child 498 Me Workstation Base/SP1/SP2/SP3, Windows Second == AdvSrv : and 17 (2success/2te dition src 95 tcp[13] SP2/SP3/SP B port Win == Try Interesting Port 80/tcp Remote 2k /SP3 sts), 4/SP5 and 25) (2success/2tests), Srv Time: dst Windows OS Base/SP1/SP2/SP3, port waiting guesses: open State ports (2success/2tests), 1035 NT Windows 4 to on and Win2k Workstation Windows reap (tcp[13] (yy.yy.yy.yy): http Service NT Pro Win2k child 498 Me Workstation Base/SP1/SP2/SP3, Windows Second == AdvSrv WinXP : Home (2success/2te dition 95 tcp[13] SP2/SP3/SP B Base/SP1 Win == Try Interesting Port 80/tcp Remote 2k /SP3 sts), 4/SP5 a, (2success/2tests), 25) Srv WinXP Time: Windows OS Base/SP1/SP2/SP3, Pro waiting guesses: open State ports (2success/2tests), Base/SP1a NT Windows 4 to on Win2k Workstation Windows reap (yy.yy.yy.yy): http Service NT Pro Win2k child 498 Me Workstation Base/SP1/SP2/SP3, (2success/2tests) Windows Second AdvSrv WinXP : Home dition 95 SP2/SP3/SP B Base/SP1 (2su Win Interesting Port 80/tcp Remote 2k /SP3 sts), 4/SP5 a, # Try (2success/2tests), Srv WinXP Time: Windows OS Base/SP1/SP2/SP3, Pro guesses: waiting open State ports (2success/2tests), Base/SP1a NT Windows 4 to on Win2k Workstation Windows reap (yy.yy.yy.yy): http Service NT Pro Win2k child 498 Me Workstation Base/SP1/SP2/SP3, (2success/2tests) Windows Second AdvSrv WinXP : Home dition 95 SP2/SP3/SP B Base/SP1 (2su Win 31

32 Fonctionnement avancé qq.part #./nmap -d grep -v -n -v "Resp=N" -P0 -p 80 --osscan_guess unos. Port qq.part grep State -v "Resp=N" Service 80/tcp Port open State http Service Remote 80/tcp operating open system http guess: Nokia M1122 DSL Rou ter Remote operating system guess: Nokia M1122 DSL Rou OS terfingerprint: TSeq(Class=RI%gcd=1%SI=5937%IPID=I%TS=0) OS Fingerprint: T1(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT) TSeq(Class=RI%gcd=1%SI=5937%IPID=I%TS=0) T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT) T1(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT) T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT) Nmap run completed -- 1 IP address (1 host up) sca nned Nmap in run4 completed seconds -- 1 IP address (1 host up) sca 32

33 Fonctionnement avancé Les résultats diffèrent. Pourquoi? Un équipement Nokia est utilisé en SYNRelay NMAP «voit» cet équipement Cron-OS «voit» au travers 33

34 SYN C L I N T SYN ACK ACK R L A I S SYN SYN ACK ACK S R V U R 34

35 Fonctionnement avancé Les résultats sont complémentaires Tout seul, Cron-OS ne voit pas le SYNRelay Tout seul, NMAP ne voit pas la machine protégée nsemble, Cron-OS et NMAP voient les OS et l architecture 35

36 Vos questions 36

37 Bibliographie et annexes Livres, articles, sites, outils 37

38 Bibliographie W. Richard Stevens, TCP/IP illustrated Autres sources de connaissance RFC 793, Transmission Control Protocol RFC 1122, Requirements for Internet Hosts -- Communication Layers RFC 2988, Computing TCP's Retransmission Timer 38

39 Bibliographie R. Spangler, Analysis of Remote Active Operating System Fingerprinting Tools O. Arkin, F. Yarochkin, XProbe2 A 'Fuzzy' Approach to Remote Active Operating System Fingerprinting T. Beardsley, Plan B Security, RING Out The Old, RING In The New: OS Fingerprinting through RTOs. D. Comer, J. Lin, USNIX Summer Conf Probing TCP Implementations labs.com/user/johnlin/probing-tcp.pdf Fyodor, Phrack Remote OS detection via TCP/IP Stack FingerPrinting P. Karn, C. Partridge, SIGCOMM 87. Improving Round-Trip Time stimates in Reliable Transport Protocols 39

40 Bibliographie B. Morin, L. Mé, H. Debar, M. Ducassé. M2D2 : A Formal Data Model for IDS Alert Correlation. RAID 2002 : J. Padhye, S. Floyd, SigComm Identifying the TCP Behavior of Web Servers M. Smart, G. R. Malan, F. Jahanian, 9th USNIX Security Symp. Defeating TCP/IP Stack Fingerprinting F. Veysset, O. Courtay, O. Heen RING : New Tool and Technique For Remote OSFP M. Zalewski, Strange Attractors and TCP/IP Sequence Number Analysis lcamtuf.coredump.cx/newtcp/ 40

41 Outils ettercap.sourceforge.net 41

42 Annexe 1 Difficultés L outil donne un résultat L outil ne Donne pas de résultat OS connu dans la base OK KO erreur KO faux négatif OS Inconnu dans la base KO faux positif OK OS Indéterminé (cas d utilisation normal) OK KO OK KO 42

43 Annexe 2 CLOSD États TCP/IP LISTN SYNRCVD SYNSNT CLINT SRVUR SRVIC FINWAIT1 STABLISHD CLOSING CLOSWAIT LASTACK FINWAIT2 TMWAIT 43

Documents pareils
2024 © DocPlayer.fr Politique de confidentialité | Conditions de service | Feed-back