ipmorph unification de la mystification de la prise d
play

IpMorph : unification de la mystification de la prise d'empreinte - PowerPoint PPT Presentation

Apr 10, 2023 •286 likes •470 views

This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : unification de la mystification de la prise d'empreinte Guillaume PRIGENT DIATEAM - Brest SSTIC - 5 juin 2009 1 IpMorph is an Open Source project

  1. This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de la prise d'empreinte » Guillaume PRIGENT DIATEAM - Brest SSTIC - 5 juin 2009 1 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  2. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Contexte Théorème : « Vivons heureux, vivons cachés » Corolaire : « Si une machine peut falsifier son identité et l’usurper, celle ci minimise l’attrait de l’attaquant et perturbe la pertinence des attaques ciblées à sa nature apparente.» guillaume.prigent@diateam.net - DIATEAM 2 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  3. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Typologie de la prise d’empreinte Techniques de détection Actives Passives Collectes Empreintes de pile Ecoutes réseau Réponses ICMP « Time-out » Entêtes TCP Profils ISN Bannières Binaires Xprobe2 Ettercap thc-rut Nmap SinFP Ring2 SinFP p0f guillaume.prigent@diateam.net - DIATEAM 4 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  4. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Principes de détection Détection active d’empreinte de pile Nmap, SinFP , … NETWORK REPONSES STIMULI A A = Détection passive d’empreinte de pile p0f, SinFP , … NETWORK SYN+ SYN ACK B A B = A = guillaume.prigent@diateam.net - DIATEAM 5 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  5. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Cas d’utilisation d’ IpMorph SYN SYN+ACK SYN SYN+ACK A = A B = A = B A OSFP Actif + Machine réelle OSFP Actif + Machines « virtuelles » SYN SYN+ACK SYN SYN+ACK A = A A = B = A B OSFP Passif + Machine réelle OSFP Passif + Machines « virtuelles » guillaume.prigent@diateam.net - DIATEAM 6 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  6. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Etat de l'art de la mystification [7] • Filtrage – Stealth patch : Unmaintained as of 2002, GNU/Linux kernel 2.2-2.4 [14] – Blackhole : FreeBSD, kernel options [16] – IPlog : Unmaintaned as of 2001, *BSD [17] – Packet filter : OpenBSD [18] • Configuration et modification de pile TCP/IP ("host based") – Ip Personality [19] – Fingerprint Fucker [12][13] – Fingerprint scrubber [1] – OSfuscate [8] • Substitution de pile TCP/IP ("proxy behaviour") – Honeyd [9] – Packet purgatory / Morph [10] guillaume.prigent@diateam.net - DIATEAM 7 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  7. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Socle logiciel • Langage C++ • Application « UserLand » • Utilisation du « framework » Qt4 • Eléments constituants : – IpMorph (Core) – IpMorph Controller – IpMorph Personality Manager – IpView (IpMorph GUI) • Portabilité : – GNU/Linux – *BSD, Mac OS • License GPLv3 guillaume.prigent@diateam.net - DIATEAM 8 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  8. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Architecture générale Exposed IP stack Context queue Protected IP stack TCP TCP context tracker & TCP TCP TCP Filter & Processor data processor (plugins) Filter & Processor Scheduler UDP UDP UDP context tracker & UDP UDP Filter data processor (plugins) Filter ICMP ICMP ICMP ICMP context tracker & ICMP Filter data processor (plugins) Filter Frag. & Reass. Frag. & Reass. IP context tracker & data IP IP processor (plugins) IP Filter IP Filter (R)ARP (R)ARP ETH (R)ARP translation ETH processor Eth. Read Eth. Write Eth. Write Eth. Read Interface layer Interface layer eth tap fd eth tap fd guillaume.prigent@diateam.net - DIATEAM 9 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  9. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» Nmap : Format d’une signature SP : TCP ISN GCD : TCP ISN ISR : TCP TI : TCP IP ID II : ICMP IP ID SS : Shared IP ID TS : TCP Predictability Greatest ISN counter sequence generation sequence generation sequence timestamp Common Divisor Rate algorithm algorithm Boolean option algorithm O1-06 : TCP W1-W6 Fingerprint FreeBSD 7.0-CURRENT Class FreeBSD | FreeBSD | 7.X | general purpose Options : TCP SEQ(SP=101-10D%GCD=<7%ISR=108-112%TI=RD%II=RI%TS=20|21|22) (ordering & initial OPS(O1=M5B4NW8NNT11%O2=M578NW8NNT11%O3=M280NW8NNT11%O4=M5B4NW8NNT11%O5=M218NW8NNT11%O6=M109NNT11) values) win size WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFFF) ECN(R=Y%DF=Y%T=40%TG=40%W=FFFF%O=M5B4NW8%CC=N%Q=) T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=) DF : IP don’t W : TCP T2(R=N) fragment bit initial T3(R=Y%DF=Y%T=40%TG=40%W=FFFF%S=O%A=S+%F=AS%O=M109NW8NNT11%RD=0%Q=) win size T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) T : IP initial T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) time-to-live T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=) S : TCP T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) seq. U1(DF=N%T=40%TG=40%TOS=0%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) TG : IP initial IE(DFI=S%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S) number time-to-live guess … F : TCP RD : TCP RST Q : TCP misc. RIPCK : Returned RUCK : Returned A : TCP ack. Flags data checksum quirks probe IP probe UDP number checksum value checksum IPL : IP UN : Unused port RIPL : Returned TOS : IP type of total unreach. field probe IP total RID : Returned RUL : Returned service length nonzero length value probe IP ID value probe UDP length guillaume.prigent@diateam.net - DIATEAM 10 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  10. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» SinFP : Base des signatures (sqlite) IpVersion SystemClass Signature OsVersionChildren idIpVersion(PK) idSystemClass(PK) idSignature(PK) idSignature ipVersion systemClass idIpVersion idOsVersion Vendor idSystemClass Os OsVersion idVendor(PK) idVendor idOs (PK) idOsVersion(PK) vendor idOs os osVersion idOsVersion idOsVersionFamily OsVersionFamily PatternTcpWindow PatternTcpFlags idP1PatternBinary idOsVersionFamily(PK) idPatternTcpWindow(PK) idPatternTcpFlags(PK) idP1PatternTcpFlags osVersionFamily patternTcpWindowHeuristic0 patternTcpFlagsHeuristic0 idP1PatternTcpWindow PatternBinary patternTcpWindowHeuristic1 patternTcpFlagsHeuristic1 idP1PatternTcpOptions idPatternBinary (PK) patternTcpWindowHeuristic2 patternTcpFlagsHeuristic2 idP1PatternTcpMss patternBinaryHeuristic0 … patternBinaryHeuristic1 PatternTcpOptions PatternTcpMss idP3PatternBinary patternBinaryHeuristic2 idP3PatternTcpFlags idPatternTcpOptions(PK) idPatternTcpMss(PK) idP3PatternTcpWindow patternTcpOptionsHeuristic0 patternTcpMssHeuristic0 idP3PatternTcpOptions patternTcpOptionsHeuristic1 patternTcpMssHeuristic1 idP3PatternTcpMss patternTcpOptionsHeuristic2 patternTcpMssHeuristic2 trusted guillaume.prigent@diateam.net - DIATEAM 11 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

  11. v0.1 This document is licensed under a Creative Commons Attribution 3.0 License IpMorph : « unification de la mystification de prise d'empreinte» SinFP : Format d’une signature idSignature trusted ipVersion systemClass vendor os osVersionFamily osVersion 104,1,IPv4,Windows,Microsoft,Windows,Vista,Vista, B11113,B…13,B….., F0x12:F0x12:F0x12, Test P1 M1460,M1[34]..,M\d+, O0204ffff,O0204ffff,O0204ffff, W8192,W8[012]..,W\d+, B11113,B…12,B….., F0x12,F0x12,F0x12, Test P2 M1460,M1[34]..,M\d+, O0204ffff010303080402080affffffff44454144,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?,O0204ffff(?:01)?(?:030308).(.:0402)?(?:080affffffff44454144)?, W8192,W8[012]..,W\d+, B11121,B…21,B….., F0x04,F0x04,F0x012, Test M0,M0,M0, P3 O0,O0,O0 W0,W0,W0 TcpWindow : TcpOptions : TcpMss : TcpFlags : Binary : heuristic0, heuristic0, heuristic0, heuristic0, heuristic0, heuristic1, heuristic1, heuristic1, heuristic1, heuristic1, heuristic2 heuristic2 heuristic2 heuristic2 heuristic2 guillaume.prigent@diateam.net - DIATEAM 12 2009/06/05 IpMorph is an Open Source project owned, developed and supported by DIATEAM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Diagnostic et Prise Prise en Charge des en Charge des Diagnostic et Echecs De Thrombolyse De

Diagnostic et Prise Prise en Charge des en Charge des Diagnostic et Echecs De Thrombolyse De

Diagnostic et Prise Prise en Charge des en Charge des Diagnostic et Echecs De Thrombolyse De Thrombolyse Echecs Antoine Sarkis, MD Jeudi 24 Novembre 2005 Diagnostic et Prise Prise en Charge des en Charge des Diagnostic et Echecs De

554 views • 43 slides
Unification in the Description Logic EL EL - unification Minimal unifiers Franz Baader and

Unification in the Description Logic EL EL - unification Minimal unifiers Franz Baader and

Unification in EL Baader &amp; Morawska Introduction Unification in the Description Logic EL EL - unification Minimal unifiers Franz Baader and Barbara Morawska Decision Procedure Conclusion TU Dresden, Germany UNIF 2009 Unification in

359 views • 25 slides
unification 2016 unification strategic roadmap succession unification strategic roadmap

unification 2016 unification strategic roadmap succession unification strategic roadmap

unification 2016 unification strategic roadmap succession unification strategic roadmap succession Board rd CE CEO Committe ttees unification strategic roadmap succession Global Member Value Centre Advocacy &amp; Education

347 views • 30 slides
The unification type of Workshop on Admissible Rules and Unification

The unification type of Workshop on Admissible Rules and Unification

The unication type The unification type of Workshop on Admissible Rules and Unification http://logica.dmi.unisa.it/lucaspada University of Salerno Department of Mathematics Luca Spada Based on a joint work with V. Marra ukasiewicz logic

1.83k views • 145 slides
Research Initiative for Scientific Enhancement UPR-PRISE Program NIH-NIGMS #R25-GM-096955 *

Research Initiative for Scientific Enhancement UPR-PRISE Program NIH-NIGMS #R25-GM-096955 *

Research Initiative for Scientific Enhancement UPR-PRISE Program NIH-NIGMS #R25-GM-096955 * UPR-PRISE is the acronym for University of Puerto Rico in Ponce Research Initiative for Scientific Enhancement (UPR-PRISE). UPR- Ponce is the only

490 views • 12 slides
Unification on Subvarieties of Introduction Algebraic Unification Pseudocomplemented lattices

Unification on Subvarieties of Introduction Algebraic Unification Pseudocomplemented lattices

Unification on Subvarieties of Pseudocomple- mented lattices L.M. Cabrer Unification on Subvarieties of Introduction Algebraic Unification Pseudocomplemented lattices Fragments of Heyting algebras P-Lattices Definition Duality

570 views • 33 slides
Outline Motivation 1 Unification problems 2 Formalisation of a nominal C-unification algorithm

Outline Motivation 1 Unification problems 2 Formalisation of a nominal C-unification algorithm

Outline N OMINAL C- UNIFICATION on , Washington L. R. de Carvalho Segundo , Mauricio Ayala-Rinc andez and Daniele Nantes Sobrinho Maribel Fern K ING S C OLLEGE L ONDON U NIVERSIDADE DE B RAS ILIA 27 th Int.

679 views • 39 slides
Introduction to Unification Theory Syntactic Unification Temur Kutsia RISC, Johannes Kepler

Introduction to Unification Theory Syntactic Unification Temur Kutsia RISC, Johannes Kepler

Introduction to Unification Theory Syntactic Unification Temur Kutsia RISC, Johannes Kepler University Linz kutsia@risc.jku.at What is Unification Goal: Identify two symbolic expressions. Method: Replace certain subexpressions

1.86k views • 142 slides
Pathways to Resilience in Semi-Arid Economies (PRISE) Nairobi Inception Meeting 2014 Dr. Tom

Pathways to Resilience in Semi-Arid Economies (PRISE) Nairobi Inception Meeting 2014 Dr. Tom

Pathways to Resilience in Semi-Arid Economies (PRISE) Nairobi Inception Meeting 2014 Dr. Tom Mitchell PRISE Goal This research will support the emergence of equitable, climate resilient economic development in semi-arid lands through research

524 views • 11 slides
LE ROLE DU MEDECIN COORDONNATEUR DANS LA PRISE EN CHARGE DES CHUTES DE LA PERSONNE AGEE EN EHPAD

LE ROLE DU MEDECIN COORDONNATEUR DANS LA PRISE EN CHARGE DES CHUTES DE LA PERSONNE AGEE EN EHPAD

LE ROLE DU MEDECIN COORDONNATEUR DANS LA PRISE EN CHARGE DES CHUTES DE LA PERSONNE AGEE EN EHPAD DOCTEUR LYDIE WALTZING DIU de formation la fonction de mdecin coordonnateur dEHPAD LE ROLE DU MEDECIN COORDONNATEUR DANS LA PRISE EN

82 views • 7 slides
Grammar: Features and Unification Plan for the Talk Problems with CFG (PCFG) Features

Grammar: Features and Unification Plan for the Talk Problems with CFG (PCFG) Features

Grammar: Features and Unification Plan for the Talk Problems with CFG (PCFG) Features Structure Attribute-value Matrix (AVM) Unification Grammar formalisms based on unification Agreement Constraints that hold among various

504 views • 48 slides
Depending on equations A proof-relevant framework for unification in dependent type theory

Depending on equations A proof-relevant framework for unification in dependent type theory

Depending on equations A proof-relevant framework for unification in dependent type theory Jesper Cockx DistriNet KU Leuven 3 September 2017 Unification for dependent types Unification is used for many purposes: logic programming, type

1.97k views • 151 slides
F-Theory GUTs Benjamin Jurke Contents Grand Unification F-Theory basics GUTs in F-Theory

F-Theory GUTs Benjamin Jurke Contents Grand Unification F-Theory basics GUTs in F-Theory

F-Theory GUTs Benjamin Jurke Contents Grand Unification F-Theory basics GUTs in F-Theory IMPRS Young Scientists Workshop (Ringberg) July 29th, 2009 Field-theoretic Grand Unification 1970s issue: Running gauge couplings suggest unification

416 views • 16 slides
Introduction to Unification Theory Higher-Order Unification Temur Kutsia RISC, Johannes Kepler

Introduction to Unification Theory Higher-Order Unification Temur Kutsia RISC, Johannes Kepler

Introduction to Unification Theory Higher-Order Unification Temur Kutsia RISC, Johannes Kepler University of Linz, Austria kutsia@risc.jku.at Overview Introduction Preliminaries Higher-Order Unification Procedure Outline Introduction

1.53k views • 130 slides
Introduction to Unification Theory Solving Systems of Linear Diophantine Equations Temur Kutsia

Introduction to Unification Theory Solving Systems of Linear Diophantine Equations Temur Kutsia

Introduction to Unification Theory Solving Systems of Linear Diophantine Equations Temur Kutsia RISC, Johannes Kepler University Linz kutsia@risc.jku.at ACU-Unification We saw an example how to solve ACU-unification problem. Reduction

906 views • 53 slides
Unification by Narrowing Mircea Marin West University of Timisoara mmarin@info.uvt.ro May 20,

Unification by Narrowing Mircea Marin West University of Timisoara mmarin@info.uvt.ro May 20,

Unification by Narrowing Mircea Marin West University of Timisoara mmarin@info.uvt.ro May 20, 2014 Marin Unification by Narrowing What is narrowing? Narrowing sound and complete method for solving E -unification problems in theories

1.06k views • 69 slides
ARCHER Training Courses General Overview Reusing this material This work is licensed under a

ARCHER Training Courses General Overview Reusing this material This work is licensed under a

ARCHER Training Courses General Overview Reusing this material This work is licensed under a Creative Commons Attribution- NonCommercial-ShareAlike 4.0 International License. http://creativecommons.org/licenses/by-nc-sa/4.0/deed.en_US This

459 views • 14 slides
Learning Rules to Pre-process Web Data for Automatic Integration Kai Simon, Thomas Hornung, Georg

Learning Rules to Pre-process Web Data for Automatic Integration Kai Simon, Thomas Hornung, Georg

Learning Rules to Pre-process Web Data for Automatic Integration Kai Simon, Thomas Hornung, Georg Lausen Workshop &quot;Model Checking and Semantic Web Rules Languages 28th October 2006 D ata b ases and I nformation S ystems Research Group

759 views • 40 slides
Crawling the Community Structure of Multiplex Networks Ricky Laishram 1 Jeremy D. Wendt 2 Sucheta

Crawling the Community Structure of Multiplex Networks Ricky Laishram 1 Jeremy D. Wendt 2 Sucheta

Crawling the Community Structure of Multiplex Networks Ricky Laishram 1 Jeremy D. Wendt 2 Sucheta Soundarajan 1 1 Syracuse University, Syracuse NY, USA 2 Sandia National Laboratories, Albuquerque NM, USA Multiplex Networks Nodes have multiple

628 views • 20 slides
Challenges and future of three-body heavy meson decays Patricia C. Magalhes University of

Challenges and future of three-body heavy meson decays Patricia C. Magalhes University of

Challenges and future of three-body heavy meson decays Patricia C. Magalhes University of Bristol seminar @ Imperial College London, 30 October 2019 p.magalhaes@bristol.ac.uk discussion topics 2 Please stop me Why we study 3-body

471 views • 32 slides
Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more

Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more

Mining Anomalies Andrzej Wasylkowski 1 Why Mine Anomalies? How can we make programs more reliable? Testing, code inspection, etc. Mining anomalies, etc. In general: automatic defect detection 2 Overview Automatic Defect

446 views • 19 slides
Achieve Online Mastery! A Review for Nonprofits OR Alliance of Childrens Programs

Achieve Online Mastery! A Review for Nonprofits OR Alliance of Childrens Programs

Achieve Online Mastery! A Review for Nonprofits OR Alliance of Childrens Programs Multichannel Content Planning Amy Sample Ward CEO, NTEN: The Nonprofit Technology Network @amyrsward #NPTechMastery How does it fit: Connec/ons How does

660 views • 39 slides
FreVast - Combining Modelling with Diagnostics at University Level Ingo Kirchner and Christopher

FreVast - Combining Modelling with Diagnostics at University Level Ingo Kirchner and Christopher

Central Idea Software Components Use Case - Course Example Implementation Plan FreVast - Combining Modelling with Diagnostics at University Level Ingo Kirchner and Christopher Kadow Institute of Meteorology Freie Universit at Berlin

421 views • 14 slides
Managing Kubernetes and OpenShift with ManageIQ Alissa Bonas @ Container Con Seattle 2015 The

Managing Kubernetes and OpenShift with ManageIQ Alissa Bonas @ Container Con Seattle 2015 The

Managing Kubernetes and OpenShift with ManageIQ Alissa Bonas @ Container Con Seattle 2015 The stages of containers world Containerizing an app Alissa Bonas @ Container Con Seattle 2015 The stages of containers world Run a container

911 views • 62 slides

More recommend