Stealth servers need Stealth Packets - Derbycon 3.0
Transcript of Stealth servers need Stealth Packets - Derbycon 3.0
STEALTH SERVERS NEED STEALTH PACKETS
JAIME SANCHEZ (@SEGOFENSIVA)
WWW.SEGURIDADOFENSIVA.COM
DERBYCON 2013
$ WHO I AM
§ Passionate about computer security.
§ Computer Engineering degree and an Executive MBA.
§ In my free time I conduct research on security and work as an independent consultant.
§ I'm from Spain; we're sexy and you know it.
§ Other conferences:
  § RootedCON in Spain
  § Nuit Du Hack in Paris
  § Black Hat Arsenal USA
  § Defcon 21 USA
  § Next conferences: Hacktivity, NoConName and Black Hat Sao Paulo
FROM KERNEL SPACE TO USER HEAVEN - NUIT DU HACK 2013
OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ... - BLACKHAT ARSENAL USA 2013
The most important phases of an attack are RECONNAISSANCE and SCANNING.
The less information the attacker has, the better for our security.
If we can fool all the network tools he will be using, we will be able to prevent some attack attempts.
A BRIEF OVERVIEW
[Diagram: protection rings. The kernel runs in Ring 0 (most privileged), devices and drivers in the intermediate rings, and Ring 3 is the least privileged.]
§ Computer operating systems provide different levels of access to resources.
§ This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
§ Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
§ On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
ARCHITECTURE
HOW I MET YOUR PACKET: FROM KERNEL SPACE TO USER HEAVEN
KERNEL vs USER SPACE
KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, USER SPACE is the memory area where all user-mode applications work, and this memory can be swapped out when necessary.
Similarly, the term USERLAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
WTF !?
HOW I MET YOUR PACKETS: THE NFQUEUE WAY
[Diagram: Linux receive path. An incoming packet is written by the NIC's DMA engine into a ring buffer in kernel memory; the interrupt handler puts a pointer to the device on the poll list; the softirq pulls the packet data through ip_rcv() (IP layer) and tcp_v4_rcv() (TCP processing) into the socket backlog and the TCP receive buffer; the application fetches it with read(). The device driver and the IP/TCP layers run in kernel space, the application in user space.]
[Diagram: the same receive path with the Netfilter hooks. Inbound packets hit PREROUTING (mangle, conntrack); forwarded packets take the FORWARD chain, while locally destined packets must pass the INPUT chain (filter) to reach listening sockets.]
TARGET EXTENSIONS
A target extension consists of a KERNEL MODULE, and an optional extension to iptables to provide new command-line options.
There are several extensions in the default Netfilter distribution:
QUEUE
§ QUEUE is an iptables and ip6tables target which queues the packet for userspace processing. (NFQUEUE, used in the rule below, is its successor: it selects a numbered queue that a userspace program reads through libnetfilter_queue.)
§ For this to be useful, two further components are required:
  • a QUEUE HANDLER which deals with the actual mechanics of passing packets between the kernel and userspace; and
  • a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
§ The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
$ iptables -A INPUT -j NFQUEUE --queue-num 0
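As an added example (not OSfooler's code and not from the original slides), this is the userspace side of that rule in Python. The byte-level TTL/window rewrite and the checksum recomputation are plain functions that run offline on a constructed packet; the NFQUEUE binding at the bottom assumes the python-netfilterqueue package (NetfilterQueue with bind/run, packets with get_payload/set_payload/accept) and root. FAKE_TTL and FAKE_WINDOW are constructed example values, not a real OS profile.

```python
import socket
import struct

# Impersonation profile: constructed values for this example (assumption: a
# Windows-like initial TTL of 128 and an 8192-byte window), not from OSfooler.
FAKE_TTL = 128
FAKE_WINDOW = 8192


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, flags, ttl, window, payload=b""):
    """Constructed sample packet (20-byte IP header, 20-byte TCP header, no
    options) with valid checksums; exists only to have offline input."""
    saddr, daddr = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 0x11223344,
                                0x55667788, 5 << 4, flags, window, 0, 0)) + payload
    pseudo = saddr + daddr + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", _checksum(pseudo + bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                               0x4000, ttl, 6, 0, saddr, daddr))
    ip[10:12] = struct.pack("!H", _checksum(bytes(ip)))
    return bytes(ip + tcp)


def rewrite_ipv4_tcp(pkt: bytes, ttl: int, window: int) -> bytes:
    """Return a copy of an IPv4/TCP packet with the TTL and advertised window
    replaced and both checksums recomputed. Non-IPv4, non-TCP and fragmented
    packets (whose TCP checksum covers the reassembled segment) are untouched."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return pkt
    if struct.unpack("!H", pkt[6:8])[0] & 0x3FFF:      # MF flag or fragment offset
        return pkt
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    ip[8] = ttl
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _checksum(bytes(ip)))
    tcp = bytearray(pkt[ihl:])
    tcp[14:16] = struct.pack("!H", window)
    tcp[16:18] = b"\x00\x00"
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", _checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def ip_ttl(pkt: bytes) -> int:
    return pkt[8]


def tcp_window(pkt: bytes) -> int:
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]


def checksums_ok(pkt: bytes) -> bool:
    """Both the IP header and the TCP segment (with pseudo-header) must sum to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _checksum(ip) == 0 and _checksum(pseudo + tcp) == 0


def nfq_callback(nfpacket):
    """Verdict callback. Assumed python-netfilterqueue API: get_payload(),
    set_payload(bytes), accept()."""
    nfpacket.set_payload(rewrite_ipv4_tcp(nfpacket.get_payload(), FAKE_TTL, FAKE_WINDOW))
    nfpacket.accept()


def main(queue_num=0):
    # Needs root, the python-netfilterqueue package (assumed) and a rule such as
    # iptables -A OUTPUT -p tcp -j NFQUEUE --queue-num 0 to queue the replies.
    from netfilterqueue import NetfilterQueue
    nfq = NetfilterQueue()
    nfq.bind(queue_num, nfq_callback)
    try:
        nfq.run()
    except KeyboardInterrupt:
        pass
    finally:
        nfq.unbind()


if __name__ == "__main__":
    main()
```

The slide's rule queues packets on INPUT, where the handler sees the scanner's probes and can drop them with a drop verdict; the values a fingerprinter reads are in the replies, so a rewrite like this belongs on an OUTPUT rule with the same target. Two practical caveats: with the default queue length of 1024 a slow handler starts losing packets, and while no handler is bound every matched packet is dropped unless the rule carries --queue-bypass; and changing the advertised window on an established connection alters real flow control, which is why a spoofing tool matches the probe first and rewrites only the replies to it.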
SOME PRACTICAL EXAMPLES
REMOTE OS FINGERPRINTING
CLASSIC TECHNIQUES
NMAP
- Device Type
- Network Distance
- Running
- TCP Sequence Prediction
- OS Details
- IP ID Sequence Generation
- Uptime Guess
Device Type: general purpose
Running: Microsoft Windows 7|Vista|2000
OS CPE: cpe:/o:microsoft_7::professional
OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good Luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
NMAP METHODS
- Nmap sends up to 16 TCP, UDP and ICMP probes to open and closed ports of the target system:
SEQUENCE GENERATION (SEQ, OPS, WIN & T1) - six TCP SYN probes to an open port:
  1. WS(10), NOP, MSS(1460), TS(Tval:0xFFFFFFFF, Tsecr:0), SACK and W(1)
  2. MSS(1400), WS(0), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), EOL and W(63)
  3. TS(Tval:0xFFFFFFFF, Tsecr:0), NOP, NOP, WS(5), NOP, MSS(640) and W(4)
  4. SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(4)
  5. MSS(536), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(16)
  6. MSS(265), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0) and W(512)
ICMP ECHO (IE) - two echo requests:
  1. IP DF bit, TOS(0), CODE=9, SEQ=295, 120 bytes of 0x00 for payload
  2. TOS(4), CODE=0, 150 bytes of data; ICMP request ID and SEQ are incremented
TCP EXPLICIT CONGESTION NOTIFICATION (ECN) - SYN with the ECN CWR and ECE flags, WS(10), NOP, MSS(1460), SACK, NOP, NOP and W(3)
TCP T2-T7:
  T2: no flags, IP DF and W(128) to an open port
  T3: SYN, FIN, URG, PSH and W(256) to an open port
  T4: ACK with IP DF and W(1024) to an open port
  T5: SYN with W(31337) to a closed port
  T6: ACK with IP DF and W(32768) to a closed port
  T7: FIN, PSH, URG and W(65535) to a closed port
UDP (U1) - 'C' (0x43) x 300 for the data field, IP ID value 0x1042, to a closed port

RELEVANT FIELDS (IPv4, TCP, UDP and ICMP headers)
Most important:
§ TCP ISN greatest common divisor (GCD)
§ TCP IP ID sequence generation algorithm (TI)
§ TCP timestamp option algorithm (TS)
§ TCP options (O, O1-O6)
§ TCP initial window size (W, W1-W6)
§ Responsiveness (R)
§ IP don't fragment bit (DF)
§ IP initial time-to-live guess (TG)
Although there are others:
§ TCP ISN counter rate (ISR)
§ ICMP IP ID sequence generation algorithm (II)
§ Shared IP ID sequence Boolean (SS)
§ Don't fragment ICMP (DFI)
§ Explicit congestion notification (CC)
§ TCP miscellaneous quirks (Q)
§ TCP sequence number (S)
§ etc.

NMAP INTERNAL PROBES
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
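Added example, not Nmap's or OSfooler's own code: a parser for the nmap-os-db entry above that turns its tests into the concrete header values a spoofing engine has to reproduce. The sample input is the slide's fingerprint; resolving a range such as T=3B-45 to its low end is an assumption made for this example (a real engine may pick any value in the range).

```python
import re

# The slide's nmap-os-db entry, reproduced here as the sample input.
FINGERPRINT = """\
Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=N%T=3B-45%TG=40%CD=S)
"""

_TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")
_HEX = "0123456789ABCDEF"


def parse_fingerprint(text):
    """Return (name, classes, tests); tests maps a test name such as 'T1' to its
    attribute dict, e.g. tests['T1']['TG'] == '40'."""
    name, classes, tests = None, [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            classes.append([p.strip() for p in line[len("Class "):].split("|")])
        else:
            m = _TEST_LINE.match(line)
            if m:
                attrs = {}
                for kv in m.group(2).split("%"):
                    if kv:
                        key, _, val = kv.partition("=")
                        attrs[key] = val
                tests[m.group(1)] = attrs
    return name, classes, tests


def pick_value(expr):
    """Numeric attributes are hex and may be a range (3B-45) or alternatives
    (A|B); take the low end of the first alternative as the value to emulate."""
    return int(expr.split("|")[0].split("-")[0], 16)


def decode_options(opt):
    """Decode an Nmap 'O' string into (name, value) pairs: M<hex> MSS, W<hex>
    window scale, T<tsval><tsecr> timestamp presence digits, S SACK permitted,
    N NOP, L EOL."""
    out, i = [], 0
    while i < len(opt):
        c = opt[i]
        i += 1
        if c in "MW":
            j = i
            while j < len(opt) and opt[j] in _HEX:
                j += 1
            out.append(("MSS" if c == "M" else "WSCALE", int(opt[i:j], 16)))
            i = j
        elif c == "T":
            out.append(("TIMESTAMP", opt[i:i + 2]))
            i += 2
        else:
            out.append(({"S": "SACK_OK", "N": "NOP", "L": "EOL"}[c], None))
    return out


def emulation_profile(tests):
    """Header values a packet mangler must reproduce in the SYN-ACK to Nmap's
    first SEQ probe, plus the T2 and ECN behaviour, derived from the fingerprint."""
    mss = next((v for k, v in decode_options(tests["OPS"]["O1"]) if k == "MSS"), None)
    return {
        "ttl": pick_value(tests["T1"]["TG"]),
        "df": tests["T1"]["DF"] == "Y",
        "window": pick_value(tests["WIN"]["W1"]),
        "mss": mss,
        "ip_id_zero": tests["SEQ"]["TI"] == "Z",
        "answers_null_probe": tests["T2"]["R"] == "Y",
        "ecn_supported": tests["ECN"].get("CC") == "Y",
    }
```

T2(R=N) is the case a header rewrite alone cannot produce: the host must not answer Nmap's NULL probe at all, so the packet handler needs a drop verdict for that reply rather than a modified one, and it has to recognise the probe by its unusual shape (no flags, DF set, window 128).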
OTHER TOOLS
IP PERSONALITY: a patch for Linux 2.4 kernels that modifies the characteristics of network traffic.
STEALTH PATCH: a simple TCP packet identification solution, as a kernel 2.2-2.4 core module patch, allowing some kinds of packets to be ignored.
FINGERPRINT FUCKER: a kernel module available for Linux kernel 2.2 that also tries to hide the original OS and act as a different one.
BLACKHOLE: TCP and UDP packet filtering options, allowing RST and ICMP answers on closed ports, respectively, to be blocked.
HONEYD: Honeyd is able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
!! LET’S CAMOUFLAGE !!
PASSIVE OS FINGERPRINTING
- p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
- There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
- Passive fingerprinting works like a packet sniffer: it examines network traffic, making a copy of the data, without redirecting or altering it.
- It can be used for several purposes:
  1. As stealthy fingerprinting, bypassing the need for an active tool that can be detected by various IDS systems.
  2. To identify remote proxy firewalls.
  3. Organizations can use it to identify rogue systems on their network.
SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Window Size : Initial TTL : DF Bit : Packet Size : TCP options and order : Quirks : Operating System : Family/Version
Window Size:
  - *: any value
  - %nnn: multiple of nnn
  - Sxx: multiple of the MSS
  - Txx: multiple of the MTU
  - xxx: constant value
Initial TTL
DF Bit
Packet Size
TCP options and order:
  - N: NOP
  - E: EOL
  - Wnnn: WS
  - Mnnn: MSS
  - S: SACK
  - T / T0: Timestamp
  - ?n: unknown option n
Quirks:
  - Data in SYN packets
  - Options after EOL
  - IP ID field = 0
  - ACK different from 0
  - Unusual flags
  - Incorrect options decode
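Added example (not p0f's code): parsing the p0f v2 signature shown above and producing the TCP option bytes a SYN must carry to match it, with the signature's packet-size field used as a consistency check (20-byte IP header + 20-byte TCP header + options). The MSS of 1460 substituted for the M* wildcard and the concrete window chosen for the '*', '%n', 'Sn' and 'Tn' forms are assumptions of this example.

```python
import struct


def parse_p0f_signature(sig):
    """Split a p0f v2 SYN signature, wsize:ttl:df:size:options:quirks:os:details,
    into a dict. A quirks field of '.' means no quirks."""
    wsize, ttl, df, size, opts, quirks, os_name, details = sig.split(":")
    return {
        "window": wsize,
        "ttl": int(ttl),
        "df": df == "1",
        "size": None if size == "*" else int(size),
        "options": opts.split(",") if opts else [],
        "quirks": "" if quirks == "." else quirks,
        "os": os_name,
        "details": details,
    }


def resolve_window(spec, mss=1460, mtu=1500):
    """Concrete window for the window field: a constant, '*' (any; a default is
    used here), '%n' (a multiple of n), 'Sn' (n * MSS) or 'Tn' (n * MTU)."""
    if spec == "*":
        return 65535
    if spec.startswith("%"):
        n = int(spec[1:])
        return (65535 // n) * n          # largest multiple that fits in 16 bits
    if spec.startswith("S"):
        return int(spec[1:]) * mss
    if spec.startswith("T"):
        return int(spec[1:]) * mtu
    return int(spec)


def encode_options(options, mss=1460, wscale=0, tsval=1):
    """TCP option bytes in exactly the order the signature lists them.
    Wildcards ('M*', 'W*') take the caller's values; 'T0' is a zero tsval."""
    out = bytearray()
    for o in options:
        if o.startswith("M"):                     # MSS: kind 2, length 4
            out += struct.pack("!BBH", 2, 4, mss if o[1:] == "*" else int(o[1:]))
        elif o.startswith("W"):                   # window scale: kind 3, length 3
            out += struct.pack("!BBB", 3, 3, wscale if o[1:] == "*" else int(o[1:]))
        elif o == "N":                            # NOP
            out += b"\x01"
        elif o == "E":                            # end of option list
            out += b"\x00"
        elif o == "S":                            # SACK permitted: kind 4, length 2
            out += b"\x04\x02"
        elif o in ("T", "T0"):                    # timestamp: kind 8, length 10
            out += struct.pack("!BBII", 8, 10, 0 if o == "T0" else tsval, 0)
        elif o.startswith("?"):                   # unknown option kind n, 2 bytes
            out += struct.pack("!BB", int(o[1:]), 2)
        else:
            raise ValueError("unknown p0f option token %r" % o)
    return bytes(out)


def syn_layout(sig, mss=1460):
    """Return (window, ttl, df, option_bytes) for a SYN matching the signature,
    after checking that the encoded options agree with its packet-size field."""
    p = parse_p0f_signature(sig)
    opts = encode_options(p["options"], mss=mss)
    if len(opts) % 4:
        raise ValueError("options are not 32-bit aligned; the signature should list the padding (N/E)")
    if p["size"] is not None and 40 + len(opts) != p["size"]:
        raise ValueError("options encode to %d bytes but the signature says size %d"
                         % (40 + len(opts), p["size"]))
    return resolve_window(p["window"], mss=mss), p["ttl"], p["df"], opts
```

For the slide's signature the options encode to MSS (4) + NOP + NOP + SACK permitted (2) = 8 bytes, which is exactly what the size field 48 requires; a signature whose options do not add up to its size field is the first thing to suspect when a spoofed SYN fails to match.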
!! LET’S CAMOUFLAGE !!
COMMERCIAL ENGINES
These techniques can also be used against commercial implementations. We hide our machine by fooling the detection engine into recognizing us as another OS, then attack another host, leading the administrator to think the alert may be a false positive.
Fingerprint value example:
key=fp_id;value=100000
key=rna_fingerprint_type_id;value=9
key=rna_fingerprint_description;value=iPhone
key=rna_fingerprint_vendor_str;value=Apple
key=rna_fingerprint_product_str;value=iOS
key=rna_fingerprint_version_str;value=NULL
key=val1;value=340e4d28c315390d
key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross-reference the available data with the default Nmap and p0f databases to get the desired TCP/IP header values.
(WE'RE RUNNING OUR PROGRAM IN THE BACKGROUND TO CHANGE ALL OUTBOUND CONNECTIONS)
[Screenshot]
OS FOOLED! NOW OUR LINUX IS AN iOS DEVICE
SPOOF NON-EXISTING HOSTS
HOST CREATED WITH OUR NEW TOOL :)
[Screenshot]
Long story short: SYN, ACK, FIN
SEGURIDADOFENSIVA.COM
@SEGOFENSIVA