DefCon 21, Las Vegas 2013
Let’s Screw With nMap
Overview
Nosey Bastards!
All About Packet Normalization
Working It All Out
Putting It Into Practice
Finishing Up
Network Defenders
We see scans and probes of our network every day
From the inside and from the outside
Everybody is targeting us
Identifying our assets
How They Do It
Network stack implementation is highly discretionary
Differences identify the operating system type and version
Allowing attackers to identify their targets
By matching the headers of their target to known operating system implementations
If your target …
Has a TTL of 128
Uses the following options
MSS of 1460
Single NOP
Window Size 0
Single NOP
Single NOP
Ending SACK
… then it’s likely a Windows 2003 Server!
Implications
If they identify your assets …
They know their weaknesses
How to attack them successfully
Without triggering your sensors
TSA-Style patdowns …
It’s a fact of life
But does it have to be?
Why can’t we …
Remove the differences
To remove their advantage
Strip them of their ability to fingerprint
To significantly reduce their chance of success
My Answer
Packet Normalization
OK. What is packet normalization?
Had anyone thought of this before?
Not an entirely developed concept
Many expressions but most incomplete …
Normalization vs. Scrubbing
Scrubbing is to do away with; cancel
Normalization is to make normal, especially to cause to conform to a standard or norm
Both are seen in varying degrees
Scrubbing
Used by a number of firewalls
Randomize IP ID
Clear IP DF
Also …
Set IP tos/dscp, and ttl
IP Fragment Reassembly
Primary Concern
Policy Violations
Abnormal Packets
Abnormal Flows
Scrubbing
Custom patch for netfilter
Random IP ID
Randomize TCP Timestamp
Randomize TCP SEQ
Clear IP tos/dscp
IP TTL Tinkering
Developed by Nicolas Bareil
Mentions fingerprint prevention
Host Only
Scrubbing
Used by some network devices such as Cisco ACE and ASA
Random TCP SEQ
Clear TCP Reserved, and URG
Clears TCP Options
Minimum IP TTL
Fragment Reassembly too …
Primary Concern
Policy Violations
Abnormal Packets
Abnormal Flows
Incoming Normalization
Used by IPS and IDS devices
IP Fragment Reassembly
IP TTL Evasion
Primary Concern
Detect Attacks
Detection Evasion
Outgoing Normalization?
Fingerprinting Process
TCP, UDP, and ICMP probes are sent
Compile results into fingerprint
Compare against database
Identify operating system
Where to Start?
Nmap fingerprint database
What about other fingerprinting tools?
xprobe2
amap
Vulnerability scanners … Nessus, et al.
Best to disrupt any existing patterns
Scrubbing
Clear out any unnecessary values
IP ToS/DSCP/Traffic Class Cleared
IP ECN Cleared
TCP URG Flag and URG Pointer Cleared
Randomize anything that you can
IP ID
IP TTL/HOP Limit?
TCP Options?
Packet Normalization
Outgoing Normalization
Normalizing (IP Time-To-Live / Hop Limit)
Make some assumptions
Originally Well-Known TTL
Decrements Only
Traveled < 32 hops
Back into Original Starting TTL
Estimate number of hops traveled
Recalibrate current TTL
Using Starting TTL of 255
Normalizing (IP Time-To-Live / Hop Limit)
Start with the lowest well known TTL first!
Several exceptions to this normalization …
Will be discussed later
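The TTL recalibration from the two slides above, as an added C example (not IDGuard's code), including the IPv4 header checksum patch that a TTL rewrite requires. The starting TTLs 32, 64, 128 and 255, the choice to leave a packet untouched when it would imply 32 or more hops, and all function names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NORMALIZED_START_TTL 255 /* slide: "Using Starting TTL of 255" */
#define MAX_ASSUMED_HOPS 32      /* slide: "Traveled < 32 hops" */

/* Assumed well-known starting TTLs (not listed on the slides), lowest first. */
static const uint8_t well_known_ttl[] = { 32, 64, 128, 255 };

/* Back into the starting TTL, estimate the hops, recalibrate against 255.
 * Returns the TTL unchanged when the hop assumption does not hold. */
uint8_t normalize_ttl(uint8_t ttl)
{
    size_t i;
    for (i = 0; ttl != 0 && i < sizeof(well_known_ttl); i++) {
        if (ttl <= well_known_ttl[i]) {
            uint8_t hops = (uint8_t)(well_known_ttl[i] - ttl);
            if (hops >= MAX_ASSUMED_HOPS)
                break;
            return (uint8_t)(NORMALIZED_START_TTL - hops);
        }
    }
    return ttl;
}

/* One's-complement sum over the header; 0 means the stored checksum is valid. */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    size_t i;
    for (i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Rewrite the TTL of an IPv4 header in place and patch the header checksum
 * incrementally (RFC 1624). Returns 1 if the header was changed. */
int rewrite_ipv4_ttl(uint8_t *hdr, size_t len)
{
    uint8_t new_ttl;
    uint16_t old_word, new_word, csum;
    uint32_t sum;
    if (len < 20 || (hdr[0] >> 4) != 4)
        return 0;
    new_ttl = normalize_ttl(hdr[8]);
    if (new_ttl == hdr[8])
        return 0;
    old_word = (uint16_t)((hdr[8] << 8) | hdr[9]); /* TTL + protocol word */
    new_word = (uint16_t)((new_ttl << 8) | hdr[9]);
    csum = (uint16_t)((hdr[10] << 8) | hdr[11]);
    sum = (uint32_t)(uint16_t)~csum + (uint16_t)~old_word + new_word;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    csum = (uint16_t)~sum;
    hdr[8] = new_ttl;
    hdr[10] = (uint8_t)(csum >> 8);
    hdr[11] = (uint8_t)(csum & 0xff);
    return 1;
}

int main(void)
{
    /* Constructed sample: TTL 118 (128 minus 10 hops), valid checksum 0x0657. */
    uint8_t hdr[20] = { 0x45, 0, 0, 0x28, 0x12, 0x34, 0x40, 0, 118, 6,
                        0x06, 0x57, 192, 0, 2, 10, 198, 51, 100, 7 };

    rewrite_ipv4_ttl(hdr, sizeof(hdr));
    printf("ttl=%u checksum_ok=%d\n", hdr[8], ip_checksum(hdr, sizeof(hdr)) == 0);
    return 0;
}
```

Hosts that started at 32, 64, 128 or 255 and sit ten hops away all leave the normalizer with a TTL of 245, so the observed TTL no longer separates the operating system families.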
Normalizing (TCP Options)
Assumptions
Only Few Well Known Options Needed
Order is unimportant
Requirement …
Values can’t be changed
Read necessary options
Discard the rest
Rewrite options in proper order
NOP … till the end of the options
Normalizing (TCP Options)
Options selected … And their order
MSS
Window
SACK
MD5 … if present
After processing …
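The option rewrite described on the two TCP Options slides, as an added C example (not IDGuard's code): keep the selected options with their values intact, emit them in the fixed order, and pad with NOP to the original length. It assumes "Window" means the window scale option (kind 3) and "SACK" means SACK-permitted (kind 4); the function name is hypothetical, and the caller is expected to recompute the TCP checksum afterwards.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { OPT_EOL = 0, OPT_NOP = 1, OPT_MSS = 2, OPT_WSCALE = 3,
       OPT_SACK_PERM = 4, OPT_MD5 = 19 };

/* Options kept, in the order they are written back (slide order). */
static const uint8_t keep_order[] = { OPT_MSS, OPT_WSCALE, OPT_SACK_PERM, OPT_MD5 };
#define N_KEEP (sizeof(keep_order) / sizeof(keep_order[0]))

/* Normalize opts[0..len) in place without changing its length or any kept
 * option's value. Returns the number of bytes occupied by kept options,
 * or -1 (buffer untouched) if the option list is malformed. */
int normalize_tcp_options(uint8_t *opts, size_t len)
{
    size_t pos[N_KEEP] = { 0 }, olen_of[N_KEEP] = { 0 };
    uint8_t out[40]; /* TCP options never exceed 40 bytes */
    size_t i = 0, k, used = 0;

    if (len > sizeof(out))
        return -1;
    /* Pass 1: validate the TLV list, note the first copy of each kept kind. */
    while (i < len && opts[i] != OPT_EOL) {
        size_t olen;

        if (opts[i] == OPT_NOP) {
            i++;
            continue;
        }
        if (i + 1 >= len || (olen = opts[i + 1]) < 2 || i + olen > len)
            return -1;
        for (k = 0; k < N_KEEP; k++) {
            if (opts[i] == keep_order[k] && olen_of[k] == 0) {
                pos[k] = i;
                olen_of[k] = olen;
            }
        }
        i += olen;
    }
    /* Pass 2: emit kept options in fixed order, then NOP to the end.
     * Everything else (timestamps, for example) is discarded. */
    for (k = 0; k < N_KEEP; k++) {
        memcpy(out + used, opts + pos[k], olen_of[k]);
        used += olen_of[k];
    }
    memset(out + used, OPT_NOP, len - used);
    memcpy(opts, out, len);
    return (int)used;
}

int main(void)
{
    /* Constructed SYN option lists: the Windows 2003 layout from the earlier
     * slide, and a Linux-style layout (MSS, SACK-perm, timestamps, NOP, wscale). */
    uint8_t win[] = { 2, 4, 0x05, 0xb4, 1, 3, 3, 0, 1, 1, 4, 2 };
    uint8_t lin[] = { 2, 4, 0x05, 0xb4, 4, 2, 8, 10, 0, 0, 0, 1,
                      0, 0, 0, 0, 1, 3, 3, 7 };
    size_t i;

    normalize_tcp_options(win, sizeof(win));
    normalize_tcp_options(lin, sizeof(lin));
    for (i = 0; i < sizeof(win); i++) printf("%02x ", win[i]);
    printf("\n");
    for (i = 0; i < sizeof(lin); i++) printf("%02x ", lin[i]);
    printf("\n");
    return 0;
}
```

Both sample lists come out as MSS, window scale, SACK-permitted, then NOP padding, so the option ordering and NOP placement that distinguished the two stacks are gone while the negotiated values survive.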
Making everyone look the same
Putting It All Together
With IDGuard
Selecting The Platform
Identified Suitable Hardware
Already Modified By Others
Documentation Available
… Mikrotik Routerboards
Identified Suitable Operating System
Available Base
Writeable File System
… OpenWrt
Best to develop in a VM first!
Building the Development Environment
Download Debian v6.0 Net-install CD-ROM
Build a VMWare VM
Install rcp100 from Sourceforge
Configure rcp100 routing functions
Building the Development Environment
Configuring the Development Environment
Deploying the Kernel Module
Download IDGuard v0.50
Install IDGuard
Deploying the Kernel Module
OK … What worked?
I am really tired of those nosey bastards!
What Didn’t Work
ToS/DSCP/Traffic Class Clearing
ECN Clearing
URG Flag and URG Pointer Clearing
IP ID Randomization
DF Clearing
… the Scrubbing
What Worked
TTL Standardizing
TCP Option Standardizing
… the Normalization
End Results

| Operating System | Unprotected | Protected |
| --- | --- | --- |
| Windows 7 | Microsoft Windows 7\|2008 | Allied Telesyn AlliedWare |
| Windows Server 2003 | Microsoft Windows 2003 | Allied Telesyn AlliedWare |
| Ubuntu Desktop 11.10 | Linux 2.6.X\|3.X | Cisco IOS 12.X |
| Red Hat Enterprise Linux 6 | Linux 2.6.X\|3.X | D-Link embedded |
Other Effects
Nmap
Network Distance
Other Fingerprinting
xprobe2
Nessus …
Other Tools
ping
traceroute
Deploying to Hardware
Purchase the hardware from a local vendor
Download OpenWrt kernel image with an embedded initramfs
Set up DHCP & TFTP netboot environment
Connect to the routerboard
Configure routerboard for DHCP
Back up RouterOS
Prepare the OpenWrt images
Flash it
Deploying to Hardware
Demonstration
Challenges
Authorized Activity
Other Methods
Banners and Direct Query
Identification Through Layer-7
Challenges
Authorized Activity
Scanners
Management Platforms
Resolution
Exclude them …
Challenges
Banners and Direct Query
Windows Networking Available
Application-Layer Query
OS Details in Reply
Resolution
Perimeter Network
Internal Network
Concerns
Connectivity
Fragmentation
Upstream
Downstream
TTL Attenuation
TTL Special Uses
TCP Options Sensitivity?
Link-Local Routing Protocols
Concern
Upstream Fragmentation
IP ID Randomized
“Fragmentation Needed” ICMP Message Received
Host is confused
Keeps sending original packet
Resolution
Clear DF
Concern
Downstream Fragmentation
Each fragment given a different IP ID
Destination can’t reassemble
Resolution
End-Point Switch Placement
Exclude Fragments
Concern
TTL Attenuation
Packet travels more than 32 hops
Packet TTL is continually extended
Routing Loop occurs
Resolution
End-Point Switch Placement
Concern
TTL Special Uses
TTL recalibrated
TTL never runs out
Traceroute fails
Resolution
Exclude ICMP Echo Requests
Concern
Link-Local Routing Protocols
TTL of 1 for RIP packet
TTL of 255 is abnormal
Packet is malformed
Resolution
Exclude routing protocols
Concerns
Performance
Break Something
Poorly Coded Applications
What else?
Benefits
Shields from …
Casual Attackers
Automated Assaults
Oblique Threats
Protects …
Unmanaged
Unpatched
Unhardened
Defeats … canned exploits
What’s Next
More Platforms
Open-Source Router Firmware
Linux-Based Switches
Production Trials
Talk to vendors
Final Thoughts
Accurate target identification is key to a successful attack
Identification that is way too easy for an attacker to perform
Let’s change that with fingerprint prevention
I’ve proven that it can be done
Now, we just have to make it happen
Proof of Concept
SHA256 hash is e97b2c8325a0ba3459c9a3a1d67a6306
Updates can be found at http://idguard.sourceforge.net/
Links
http://www.wisegeek.com/what-is-packet-mangling.htm
http://www.openbsd.gr/faq/pf/scrub.html
http://www.linuxsecurity.com.br/info/fw/PacketManglingwithiptables.doc
http://chdir.org/~nico/scrub/
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_tcpnorm.pdf
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.pdf
http://www.sans.org/reading_room/whitepapers/intrusion/packet-level-normalisation_1128
http://nmap.org/book/osdetect-methods.html
http://rcp100.sourceforge.net
http://wiki.hwmn.org/w/Mikrotik_RouterBoard_450G
http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-vmlinux.elf
http://downloads.openwrt.org/snapshots/trunk/ar71xx/openwrt-ar71xx-generic-rootfs.tar.gz
https://sites.google.com/site/guenterbartsch/blog/myfirstlinuxkernelmodule
http://www.farlock.org/nslu2/openwrt-non-standard-module-compiling/
Special Thanks
Aditiya Sood
Kenny Nguyen and E-CQURITY
Kathy Gillette
Nick Pruitt