Securing 7 Layers of Insecurity

Chapter 21: Fingerprinting
Module Network Reconnaissance: Curiosity killed the Cat

"Fingerprint identification occurs when an expert determines that two impressions originated from the same finger or palm." (Wikipedia.org)

Copyright Information

Some rights reserved.
Michael Kafka, René Pfeiffer, Sebastian Mayer
C.a.T. Consulting and Trainings, Vienna, Austria

You may freely use, distribute and modify this work under the following agreement:
- Authors must be referenced (also for modifications)
- Only for non-commercial use
- Derivative work under the same licence

http://www.creativecommons.com
© November 2007 21 - Fingerprinting 2

Agenda
- Fingerprinting Basics
- Passive Fingerprinting
- Protocol Headers
- Active Fingerprinting
- Identify Individuals

Fingerprinting Basics: How to Find Valuable Hints?
- What to look for, what to ignore?
- What is it good for?

Fingerprinting Basics
- Systems may have unique signatures
  - Network stack responses
  - DCE RPC signatures
- Versions and protocols are crucial
  - for matching against weaknesses
  - for capability assessment
- Tools exist for automating scans
- Fingerprinting may be active or passive
Fingerprinting Basics: Why Find Out Details?
- Versions reveal the state of maintenance
  - Look for "forgotten systems"
  - Identify "abandoned applications"
- Gather information for the attack approach
  - Determine dependencies
  - Important for indirect attacks
  - Proper chaining of exploits

Fingerprinting Information
- Collect everything
  - Scan and get all you can get
  - Useful to get the "big picture"
- Information can be used in social engineering
  - Facts improve credibility
  - Phone calls can confirm or reject results

Passive Fingerprinting: Just Watch or Listen!

p0f
- Passive method
- Identifies
  - systems that connect to you (SYN)
  - systems you connect to (SYN+ACK)
  - systems you cannot connect to (RST)
- Additionally detects network devices
  - NAT
  - load balancers

Protocol Headers: A Wealth of "Hidden" Information

Protocol Header Information
- Network distances
  - Round trip time, TTL
  - Analyse hop count, intermediate devices
- Hops that change information
  - Missing IP options, normalisation
  - NAT devices
- Risk: medium, Impact: medium
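An added example, not p0f's code and not part of the original slides: a minimal passive SYN fingerprinter in Python that does what the p0f and Protocol Header slides describe. It parses a raw IPv4/TCP SYN, records the fields p0f keys on (TTL, DF bit, window size, MSS, option order), estimates the hop distance by assuming the nearest common initial TTL above the observed one, and looks the result up in a small signature table. The signature entries, the addresses and the packets are constructed for the demonstration; real p0f uses its own, much larger database.

```python
"""Passive SYN fingerprinting in the style of p0f (added example, not p0f's code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

INITIAL_TTLS = (32, 64, 128, 255)  # common initial TTLs; the sender's real value is unknown
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}

# Constructed signature table, keyed like p0f: (initial TTL, window, option layout, DF).
# p0f ships a far larger database; these entries only illustrate the lookup.
SIGNATURES = {
    (64, 5840, "mss,sackOK,ts,nop,wscale", True): "Linux 2.6-era stack (constructed entry)",
    (64, 65535, "mss,nop,wscale,nop,nop,ts,sackOK,eol", True): "BSD-like stack (constructed entry)",
    (128, 65535, "mss,nop,wscale,nop,nop,sackOK", True): "Windows-like stack (constructed entry)",
}


@dataclass
class SynFingerprint:
    ttl: int           # TTL observed on the wire
    initial_ttl: int   # assumed initial TTL (next common value >= observed)
    distance: int      # estimated hops between sender and observer
    df: bool
    window: int
    mss: Optional[int]
    options: str       # option layout, e.g. "mss,sackOK,ts,nop,wscale"
    guess: str


def parse_tcp_options(raw: bytes) -> Tuple[List[str], Optional[int]]:
    """Walk the TCP option list; return option names in order and the MSS if present."""
    names: List[str] = []
    mss = None
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                 # end of option list
            names.append("eol")
            break
        if kind == 1:                 # single-byte NOP padding
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):         # truncated option: stop, do not read past the buffer
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", raw[i + 2:i + 4])[0]
        i += length
    return names, mss


def fingerprint_syn(packet: bytes) -> SynFingerprint:
    """Extract a p0f-style signature from a raw IPv4/TCP SYN (no link-layer header)."""
    if len(packet) < 40 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4
    if not (tcp[13] & 0x02) or (tcp[13] & 0x10):   # SYN must be set, ACK clear
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    options, mss = parse_tcp_options(tcp[20:doff])
    initial = next((t for t in INITIAL_TTLS if t >= ttl), 255)
    layout = ",".join(options)
    guess = SIGNATURES.get((initial, window, layout, df), "unknown")
    return SynFingerprint(ttl, initial, initial - ttl, df, window, mss, layout, guess)


def build_syn(ttl: int, window: int, options: bytes, df: bool = True) -> bytes:
    """Construct a test SYN (checksums left zero; the packet is never sent)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options


# Constructed option layouts matching the table above (MSS 1460, wscale 7/8, TS zeroed).
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + bytes(8) + b"\x01" + b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"

if __name__ == "__main__":
    for name, pkt in (("linux", build_syn(52, 5840, LINUX_OPTS)),
                      ("windows", build_syn(115, 65535, WINDOWS_OPTS))):
        fp = fingerprint_syn(pkt)
        print(name, fp.guess, "distance", fp.distance, "mss", fp.mss, "options", fp.options)
```

To run it against live traffic, feed fingerprint_syn() the IP payload of captured frames (strip the link-layer header first). The hop-distance estimate is only as good as the initial-TTL assumption, which is exactly the ambiguity a NAT or normalising middlebox exploits when it rewrites TTL or options, as the Protocol Header slide notes.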
Active Fingerprinting: "Shout, shout, let it all out. …"

Banner Grabbing
- Layer 2 is full of announcements
- Layer 7 is full of banners
- Most Internet protocols are text-based
- Attackers look for
  - version strings
  - capabilities
  - host / domain names

Popular Banners
- CDP/LLDP strings
- FTP servers
- SMTP dialogues
- SNMP communities
- HTTP responses
- SSH version information
- IMAP/POP3 servers
- DNS (with suitable tools)
- Risk: high, Impact: medium

DNS Digging
- DNS zones are very important
  - Public records disclose starting points
  - Avoid names such as secret.fileserver.example.net
- Attackers will use dictionaries
- Attackers will try to
  - zone transfer all data
  - identify the DNS infrastructure
- Monitoring DNS queries can reveal attacks
- Risk: medium, Impact: high

Firewalking
- Mapping packet filters by response
- Attackers investigate
  - IP TTL
  - ICMP responses
  - IP/TCP options
  - responses to invalid packets
- Name stems from the tool "firewalk"
- Risk: medium, Impact: medium

SNMP Walking
- SNMP offers rich information
- Many network devices are SNMP-capable
- Attackers look for unprotected access
  - Port scanners on ports 161/162 (UDP/TCP)
  - Default information is very useful
- Risk: medium, Impact: high
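An added example for the Banner Grabbing and Popular Banners slides above, not code from the slides or from any of the tools they name: a Python banner grabber for the talk-first protocols (SSH, SMTP, FTP, POP3, IMAP) and HTTP, plus a parser that turns the SSH identification string (RFC 4253), the 220 greetings of SMTP and FTP, the HTTP Server header and POP3/IMAP greetings into the product, version and hostname an attacker notes down. The network function needs a live target; the demonstration runs offline on constructed banners, which were not captured from real hosts.

```python
"""Banner grabbing and banner parsing (added example, not from the slides)."""
import re
import socket
from typing import Dict, Optional, Tuple

HTTP_PORTS = {80, 8080, 8000}   # HTTP waits for the client, so we must send a request


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, let the server speak first (SSH/SMTP/FTP/POP3/IMAP) or send a minimal
    HTTP request, and return whatever comes back as text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port in HTTP_PORTS:
            sock.sendall(("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace")


def _split_product(text: str) -> Tuple[Optional[str], Optional[str]]:
    """'Apache/2.4.41 (Ubuntu)' -> ('Apache', '2.4.41'): first word-like token and
    first dotted-number token win."""
    tokens = text.replace("/", " ").split()
    product = next((t for t in tokens if re.match(r"^[A-Za-z]", t)), None)
    version = next((t for t in tokens if re.match(r"^\d+(\.\d+)+", t)), None)
    return product, version


def parse_banner(port: int, banner: str) -> Dict[str, Optional[str]]:
    """Classify a banner and extract service, product, version and hostname."""
    first = banner.splitlines()[0].strip() if banner.strip() else ""
    info: Dict[str, Optional[str]] = {
        "service": None, "product": None, "version": None, "host": None, "raw": first}
    # SSH identification string (RFC 4253): SSH-protoversion-softwareversion SP comments
    m = re.match(r"^SSH-(\d\.\d+)-(\S+)(?: (.*))?$", first)
    if m:
        info["service"] = "ssh"
        product, _, version = m.group(2).partition("_")
        info["product"], info["version"] = product, version or None
        return info
    if first.startswith("220"):                 # SMTP and FTP both greet with 220
        body = first[3:].lstrip(" -")
        if port in (25, 587) or "SMTP" in body.upper():
            info["service"] = "smtp"
            host, _, rest = body.partition(" ")
            info["host"] = host                 # SMTP greeting starts with the host name
            info["product"], info["version"] = _split_product(re.sub(r"^E?SMTP\s*", "", rest))
        else:
            info["service"] = "ftp"
            info["product"], info["version"] = _split_product(body.strip("()"))
        return info
    if first.startswith("HTTP/"):
        info["service"] = "http"
        m = re.search(r"^Server:\s*(.+?)\s*$", banner, re.MULTILINE | re.IGNORECASE)
        if m:
            info["product"], info["version"] = _split_product(m.group(1))
        return info
    if first.startswith("+OK"):
        info["service"] = "pop3"
        info["product"], info["version"] = _split_product(first[3:])
        return info
    if first.startswith("* OK"):                # drop the bracketed CAPABILITY list first
        info["service"] = "imap"
        info["product"], info["version"] = _split_product(re.sub(r"\[.*?\]", "", first[4:]))
        return info
    return info


# Constructed banners for the offline demonstration (not captured from real hosts).
SAMPLE_BANNERS = [
    (22, "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7\r\n"),
    (25, "220 mail.example.com ESMTP Postfix (Debian/GNU)\r\n"),
    (21, "220 (vsFTPd 3.0.3)\r\n"),
    (80, "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"),
    (143, "* OK [CAPABILITY IMAP4rev1 LITERAL+] Dovecot ready.\r\n"),
]

if __name__ == "__main__":
    for port, banner in SAMPLE_BANNERS:
        print(port, parse_banner(port, banner))
```

Run the same parser over your own servers' greetings: every field it fills in for free is a field the slide's "Risk: high" rating is about, and a reason to trim version strings and hostnames from banners where the protocol allows it.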
Tools for Reconnaissance: What to Use?

Tools of the Trade
- Times change, tools adapt
  - telnet, ping, traceroute
  - telnet, hping2, tcptraceroute
- Any packet generator will do
- Any tool capable of TCP will do likewise
- telnet is still common

nmap
- nmap has been around since 1997
  - Host discovery
  - OS detection
  - Port scanning
  - Support for scripting
- nmap offers
  - parallel scanning
  - TCP, UDP, ICMP capability
  - Protocol scan
  - Idle scan
  - Banner grabbing (version strings)

Idle Scan (diagram)

xprobe2
- Active scanning tool, around since 2001
- Early focus on ICMP footprints
- Key features include fuzzy fingerprinting
- Multiple signatures used
  - TCP, UDP, ICMP
  - SNMP V2
  - SMB

hping2/hping3
- "ping on steroids"
- Sends crafted UDP, ICMP, TCP packets
- Collects TCP ISN, pioneered Idle Scan
- Has an API for automated tests
- Useful for firewall/IDS/IPS testing
- More capable than standard tools

Large Networks
- Attackers map large networks
  - Automated scans for popular ports
  - "Auto-r00ter" attached
- Parallel scans may appear on monitoring
- Large scans reduce the number of ports
- Bulk scanners look for specifics

Port Scanning Risks
- Risk: medium, Impact: medium
- Mitigation
  - Drop malformed/useless/unwanted packets
  - Detect port sweeps, packet rates
  - Limit ICMP error rate
  - Reassemble fragments at the border
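An added example of the "Detect port sweeps, packet rates" mitigation on the Port Scanning Risks slide, not code from the slides: a sliding-window detector in Python over firewall drop logs. It distinguishes the two shapes the Large Networks slide describes, a vertical scan (one source probing many ports on one host) and a horizontal sweep (one source probing one popular port across many hosts), and reports the dropped-packet rate alongside. The log lines are constructed in an iptables-LOG-like form for the demonstration; the field layout, thresholds and addresses are assumptions to adapt to the real log source.

```python
"""Port sweep / scan detection over firewall drop logs (added example, not from the slides)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed iptables-LOG-like line shape; adjust the pattern to the real format.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: DROP .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dport>\d+))?"
)
EPOCH = datetime(1900, 1, 1)   # strptime without a year yields 1900; only deltas matter


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = (datetime.strptime(m["ts"], "%b %d %H:%M:%S") - EPOCH).total_seconds()
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dport": int(m["dport"]) if m["dport"] else None}


def detect_sweeps(lines: Iterable[str], window: float = 60.0,
                  port_threshold: int = 10, host_threshold: int = 10) -> List[dict]:
    """Sliding-window detector: one alert per (source, kind, target) the first time
    the distinct-port or distinct-host count inside the window crosses its threshold."""
    recent: Dict[str, deque] = defaultdict(deque)   # src -> deque of (ts, dst, dport)
    seen = set()
    alerts: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] is None:
            continue                                  # ICMP or unparsable: not a port probe
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:      # age out events older than the window
            q.popleft()
        ports_per_host: Dict[str, set] = defaultdict(set)
        hosts_per_port: Dict[int, set] = defaultdict(set)
        for _, dst, dport in q:
            ports_per_host[dst].add(dport)
            hosts_per_port[dport].add(dst)
        rate = len(q) / window                         # dropped packets per second from src
        for dst, ports in ports_per_host.items():
            key = (ev["src"], "vertical", dst)
            if len(ports) >= port_threshold and key not in seen:
                seen.add(key)
                alerts.append({"src": ev["src"], "kind": "vertical", "target": dst,
                               "count": len(ports), "rate": rate})
        for dport, hosts in hosts_per_port.items():
            key = (ev["src"], "horizontal", dport)
            if len(hosts) >= host_threshold and key not in seen:
                seen.add(key)
                alerts.append({"src": ev["src"], "kind": "horizontal", "target": dport,
                               "count": len(hosts), "rate": rate})
    return alerts


def _line(sec: int, src: str, dst: str, dport: int) -> str:
    return ("Jan 12 10:00:%02d gw kernel: DROP IN=eth0 OUT= SRC=%s DST=%s LEN=60 "
            "PROTO=TCP SPT=40000 DPT=%d SYN" % (sec, src, dst, dport))


# Constructed sample: a vertical scan of one host, a horizontal sweep for port 445,
# three unrelated drops from a third host, and one ICMP drop that is not a port probe.
SAMPLE_LOG = (
    [_line(s, "203.0.113.7", "192.0.2.10", 20 + s) for s in range(12)]
    + [_line(s, "198.51.100.9", "192.0.2.%d" % (1 + s), 445) for s in range(12)]
    + [_line(s, "192.0.2.50", "192.0.2.10", 443) for s in range(3)]
    + ["Jan 12 10:00:30 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 "
       "LEN=84 PROTO=ICMP TYPE=8 CODE=0"]
)

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE_LOG):
        print(alert)
```

The thresholds are the tuning knob: a bulk scanner that hits only a handful of popular ports per host, as the Large Networks slide describes, stays under a per-host port threshold and is only caught by the horizontal rule, so both are needed.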
Identify Individuals: Matching Addresses to People

Personal Information
- Look out for anything like
  - E-mail addresses
  - Telephone numbers, FAX numbers
  - "Personalised" network addresses
  - Personal namespaces (in DNS)
- Personal information improves credibility
  - Important for social engineering
  - Useful for faking other information
- Risk: medium, Impact: high

Chapter 21 Fingerprinting: Summary
- Reconnaissance is about information.
- Any protocol is affected.
- Carefully design access to network(s).
- Monitor incoming traffic.
- Limit access wherever you can.
- Know where your data is and what to do with it.

Thank you for your attention! Questions?

DeepSec Conference Vienna, © November 2007

Fingerprinting is a reconnaissance technique that identifies systems, operating system versions, patch levels, service packs etc. by observing a target's individual responses or actions. This chapter presents the latest developments in the different techniques and discusses how the risks can be mitigated.
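A closing added example, not part of the slides, that applies the Summary's "Monitor incoming traffic" to the two attacker behaviours on the DNS Digging slide: dictionary enumeration of a zone (one client asking for many distinct names, most of which do not exist) and zone transfer attempts (AXFR from anything other than our own secondaries). The record format is constructed for the demonstration because BIND's query log does not carry the response code; the allowed secondary address, the dictionary and the sample queries are likewise assumptions.

```python
"""Spotting DNS reconnaissance in query logs (added example, not from the slides)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed record format: "<epoch seconds> <client> <qname> <qtype> <rcode>"
ALLOWED_AXFR_CLIENTS = {"192.0.2.53"}   # our secondary name server (assumed address)


def parse_record(line: str) -> Optional[dict]:
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rcode = parts
    return {"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "rcode": rcode.upper()}


def zone_of(qname: str) -> str:
    """Registrable zone, approximated as the last two labels (no public-suffix list here)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def detect_dns_recon(lines: Iterable[str], window: int = 300,
                     name_threshold: int = 10, nx_ratio: float = 0.5) -> List[dict]:
    """Flag AXFR from non-secondaries and per-(client, zone) enumeration bursts."""
    alerts: List[dict] = []
    queries: Dict[tuple, list] = defaultdict(list)   # (client, zone) -> [(ts, qname, rcode)]
    flagged = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["qtype"] == "AXFR":
            key = (rec["client"], "axfr", rec["qname"])
            if rec["client"] not in ALLOWED_AXFR_CLIENTS and key not in flagged:
                flagged.add(key)
                alerts.append({"client": rec["client"], "kind": "axfr",
                               "zone": rec["qname"], "rcode": rec["rcode"]})
            continue
        key = (rec["client"], zone_of(rec["qname"]))
        hist = [h for h in queries[key] if rec["ts"] - h[0] <= window]   # age out old ones
        hist.append((rec["ts"], rec["qname"], rec["rcode"]))
        queries[key] = hist
        names = {h[1] for h in hist}
        nx = sum(1 for h in hist if h[2] == "NXDOMAIN")
        mark = (rec["client"], "enumeration", key[1])
        if len(names) >= name_threshold and nx / len(hist) >= nx_ratio and mark not in flagged:
            flagged.add(mark)
            alerts.append({"client": rec["client"], "kind": "enumeration",
                           "zone": key[1], "names": len(names), "nxdomain": nx})
    return alerts


# A dictionary an attacker might try against a zone (constructed).
GUESSES = ["www", "mail", "ftp", "vpn", "intranet", "dev", "test", "secret",
           "backup", "git", "admin", "fileserver"]

# Constructed sample log: 203.0.113.7 enumerates example.net (9 of 12 names missing),
# then asks for a zone transfer; the real secondary also transfers; a normal client looks
# up two existing names.
SAMPLE_LOG = (
    ["%d 203.0.113.7 %s.example.net A %s" % (1000 + i, name,
        "NOERROR" if name in ("www", "mail", "ftp") else "NXDOMAIN")
     for i, name in enumerate(GUESSES)]
    + ["1020 203.0.113.7 example.net AXFR REFUSED",
       "1021 192.0.2.53 example.net AXFR NOERROR",
       "1022 198.51.100.20 www.example.net A NOERROR",
       "1023 198.51.100.20 mail.example.net MX NOERROR"]
)

if __name__ == "__main__":
    for alert in detect_dns_recon(SAMPLE_LOG):
        print(alert)
```

Note that the AXFR is reported even though the server refused it: the attempt itself is the signal, and a refused transfer means the server configuration did its job while the monitoring tells you who is digging.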
