Using system fingerprints to track attackers
DESCRIPTION
Using system fingerprints to track attackers. Talk at B-Sides SF 2014 by Lance Cottrell. Leveraging known weaknesses in current anonymity tools to identify who is using such tools, and in some cases to identify the users themselves.
TRANSCRIPT
©2014 Ntrepid Corporation. All rights reserved. Ntrepid Corporation proprietary information.
Using system fingerprints to track attackers
Lance Cottrell
Ntrepid/Anonymizer
When You Are Under Attack
You may ask:
Who was that masked man?
As a Defender, You See...
IP: 37.123.118.67
Lat / Long: +54 / -2
Country: UK
Ping: 110ms
ISP: as13213.net (AKA UK2.net) server hosting
Open Ports: SSH, HTTP
Is THIS Really the Attacker?
Which is the “Real” Attacker?
It’s Turtles All the Way Down
What If You Could Spot People Hiding?
Block Web Access
Redirect to Honeypot
Add Firewall Rule
Deny Credit Card
Flag in Logs
What If You Could Identify Your Attacker?
How Do They Hide?
Proxies
VPNs
Chained VPNs / TOR
Botnets / Compromised Hosts
Tradecraft
How Can You Spot Them?
Known Anonymous IP
Anon IPs are well known
Open Proxy / Ports
Obviously not a home PC
HTTP
X11
FTP
SSH
Non-Consumer IP
Identifying non-consumer IP
 9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms xe-0-3-0-3.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.201) 1.545 ms 4.888 ms
10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms
VS
13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms 29.858 ms
14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X 28.775 ms !X
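The slide contrasts a path that ends inside a carrier/hosting network with one that ends in a residential Comcast pool. The following is an added example (not from the talk) of automating that reading of traceroute output: it parses hop lines, checks whether the hop's own address is embedded in its reverse DNS and whether the labels look like an access network, and classifies the last resolvable hop. The token lists are an assumed heuristic, not an authoritative catalogue.

```python
import re
# Constructed traceroute excerpts modelled on the two paths shown above
# (hostnames and addresses copied from the slide, not live measurements).
HOSTING_PATH = ["9 xe-0-3-0-5.r04.lsanca03.us.bb.gin.ntt.net (129.250.9.229) 1.555 ms",
                "10 ae-3.r05.lsanca03.us.bb.gin.ntt.net (129.250.2.221) 1.429 ms 1.514 ms 1.465 ms"]
HOME_PATH = ["13 te-18-10-cdn04.windsor.ca.sfba.comcast.net (68.85.101.34) 27.851 ms 32.571 ms",
             "14 c-98-248-25-27.hsd1.ca.comcast.net (98.248.25.27) 25.532 ms !X 25.736 ms !X"]
HOP_RE = re.compile(r"^\s*(\d+)\s+([\w.-]+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
# Heuristic label lists (an assumption, not an authoritative catalogue): residential pools
# often carry labels like these in reverse DNS; carrier routers are named after interfaces.
CONSUMER_TOKENS = {"hsd1", "dyn", "dynamic", "dhcp", "pool", "cable", "dsl", "res", "cust"}
BACKBONE_TOKENS = {"xe", "ae", "te", "ge", "bb", "gin", "core", "cr", "br"}

def parse_hop(line):
    """Return (hop_number, hostname, ip), or None for '* * *' / unresolved hops."""
    m = HOP_RE.match(line)
    return (int(m.group(1)), m.group(2).lower(), m.group(3)) if m else None

def ip_embedded(tokens, ip):
    """True if the hop's own octets appear, in order or reversed, among its hostname labels."""
    octets = ip.split(".")
    return any(tokens[i:i + 4] in (octets, octets[::-1]) for i in range(len(tokens) - 3))

def classify_hop(line):
    """Label one hop 'consumer', 'backbone' or 'unknown', with the evidence used."""
    parsed = parse_hop(line)
    if parsed is None:
        return "unknown", ["no reverse DNS"]
    _, host, ip = parsed
    tokens = re.split(r"[.-]", host)
    evidence = []
    if ip_embedded(tokens, ip):
        evidence.append("address embedded in hostname")
    access = CONSUMER_TOKENS & set(tokens)
    if access:
        evidence.append("access-network label " + ",".join(sorted(access)))
    if evidence:
        return "consumer", evidence
    carrier = BACKBONE_TOKENS & set(tokens)
    if carrier:
        return "backbone", ["carrier label " + ",".join(sorted(carrier))]
    return "unknown", ["no recognised label"]

def endpoint_type(path):
    """Classify the last resolvable hop: the kind of network the source address sits in."""
    for line in reversed(path):
        label, evidence = classify_hop(line)
        if label != "unknown":
            return label, evidence
    return "unknown", ["no resolvable hops"]
```

A "backbone" or hosting endpoint is only a prior, not proof: a home user on a business line or a hop with no reverse DNS will land in "unknown", so treat the label as one signal to combine with the others in the talk.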
Latency vs. Ping Time
HTTP / Javascript
DHCP Ping
DNS Mismatch
HTTP from Chicago
DNS from Nigeria
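The two preceding slides describe two cross-checks: the round trip measured by the page's own JavaScript against the server's ping to the connecting address, and the country of the resolver that looked up a per-session hostname against the country of the HTTP source. This added example (not code from the talk) applies both to constructed session records; the prefix-to-country table, thresholds and timings are assumptions standing in for a GeoIP database and real measurements.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed prefix-to-country table standing in for a GeoIP lookup (documentation
# ranges only; the mapping is an assumption made for the example).
GEO = [(ip_network("203.0.113.0/24"), "US"),   # the "HTTP from Chicago" side
       (ip_network("198.51.100.0/24"), "NG"),  # the "DNS from Nigeria" side
       (ip_network("192.0.2.0/24"), "US")]

def country_of(ip):
    addr = ip_address(ip)
    return next((cc for net, cc in GEO if addr in net), "??")

@dataclass
class Session:
    client_ip: str       # address the HTTP request arrived from
    ping_ms: float       # server's own ping RTT to client_ip
    http_rtt_ms: float   # RTT measured by in-page JavaScript (browser <-> server)
    resolver_ip: str     # resolver that queried the per-session unique hostname

# Assumed thresholds: the browser's RTT must exceed the ping by a clear margin
# (above jitter) and by a multiple before a hop beyond the visible IP is suspected.
RELAY_FLOOR_MS = 50.0
RELAY_RATIO = 3.0

def relay_suspected(s):
    """JS RTT far above ping to the source IP: the browser is not where the IP is."""
    gap = s.http_rtt_ms - s.ping_ms
    return gap > RELAY_FLOOR_MS and s.http_rtt_ms > RELAY_RATIO * s.ping_ms

def dns_mismatch(s):
    """Resolver and HTTP source geolocate to different countries."""
    return country_of(s.client_ip) != country_of(s.resolver_ip)

def assess(s):
    """Return the list of indicators raised for one session (empty = consistent)."""
    flags = []
    if relay_suspected(s):
        flags.append("app RTT far exceeds ping to source IP: relay suspected")
    if dns_mismatch(s):
        flags.append(f"HTTP from {country_of(s.client_ip)} but DNS from {country_of(s.resolver_ip)}")
    return flags

# Constructed sessions (addresses and timings invented for the example).
SESSIONS = [
    Session("203.0.113.10", 12.0, 18.0, "203.0.113.53"),    # direct user, everything agrees
    Session("203.0.113.77", 11.0, 310.0, "198.51.100.53"),  # relay in US, browser and resolver in NG
    Session("192.0.2.9", 40.0, 46.0, "198.51.100.53"),      # only the resolver disagrees
]
```

A slow client or a public resolver in another country can trip either check alone, which is why the relay test requires both a floor and a ratio and why the flags are returned as a list to be weighed together rather than as a verdict.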
Identify the Attacker
Identity Leakage
Embedded Media
Apps bypass proxy / VPN
Phone home
Fortunately (for you), Good OPSEC is Hard
Tools can be slow and cumbersome
May go direct for “innocent” activity / reconnaissance
May forget to use it
Accidentally cross the streams of personas
Correlate attacker print with all previous activity
Cookies and Bugs
Browser Fingerprints
Fingerprint Entropy (bits of identifying information per attribute)
12.3 - User Agent
5.4 - HTTP_ACCEPT Headers
21.9+ - Browser Plugin Details
5.0 - Time Zone
7.5 - Screen Size and Color Depth
21.9 - System Fonts
0.4 - Cookie Test
0.9 - Super Cookie Test
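The figures on the slide are bits of entropy: how much a single attribute narrows down who the browser is. This added example (not from the talk) computes the same kind of numbers for a small constructed sample of fingerprints, then measures how many bits a whole fingerprint carries, once by summing per-attribute surprisals (which assumes the attributes are independent) and once by counting exact matches of the full combination. The sample is invented for the example; a real survey uses a far larger population.

```python
from collections import Counter
from math import log2

# Constructed sample of browser fingerprints (an assumption; a real survey has millions).
SAMPLE = [
    {"ua": "Firefox/27 Win", "tz": "-6", "fonts": "Arial;Verdana;Calibri", "plugins": "Flash;Java"},
    {"ua": "Firefox/27 Win", "tz": "-6", "fonts": "Arial;Verdana;Calibri", "plugins": "Flash"},
    {"ua": "Chrome/33 Win", "tz": "-6", "fonts": "Arial;Verdana;Calibri", "plugins": "Flash;PDF"},
    {"ua": "Chrome/33 Win", "tz": "-8", "fonts": "Arial;Verdana", "plugins": "Flash;PDF"},
    {"ua": "Safari/7 Mac", "tz": "-8", "fonts": "Helvetica;Arial;Menlo", "plugins": "QuickTime"},
    {"ua": "Safari/7 Mac", "tz": "-8", "fonts": "Helvetica;Arial;Menlo", "plugins": "QuickTime"},
    {"ua": "Chrome/33 Linux", "tz": "+1", "fonts": "DejaVu;Liberation", "plugins": "PDF"},
    {"ua": "Tor Browser", "tz": "+0", "fonts": "Arial;Verdana", "plugins": ""},
]

def entropy_bits(values):
    """Shannon entropy H = -sum(p * log2 p) of one attribute across the sample."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def attribute_entropies(sample):
    """Per-attribute entropy: the kind of number listed on the slide, for this sample."""
    return {k: entropy_bits([fp[k] for fp in sample]) for k in sample[0]}

def matches(sample, fp, keys):
    """Number of fingerprints in the sample that agree with fp on every attribute in keys."""
    return sum(1 for other in sample if all(other[k] == fp[k] for k in keys))

def surprisal_bits(sample, fp, keys):
    """Self-information -log2 p of the observed value combination (inf if never seen)."""
    c = matches(sample, fp, keys)
    return float("inf") if c == 0 else -log2(c / len(sample))

def independent_estimate_bits(sample, fp):
    """Sum of per-attribute surprisals. Assumes independence, so it overestimates
    when attributes correlate (fonts and plugins track the OS named in the UA)."""
    return sum(surprisal_bits(sample, fp, [k]) for k in fp)

def joint_bits(sample, fp):
    """Bits the whole fingerprint actually carries; cannot exceed log2(sample size)."""
    return surprisal_bits(sample, fp, list(fp))
```

For the first sample entry the independent estimate exceeds the joint value, which is the caveat to keep in mind when adding up the slide's figures: 21.9 bits of fonts and 21.9 bits of plugins overlap heavily because both follow the operating system.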
Attacker Use of Virtualization
Advantages:
Easy to Clean
No Cookies or Super-Cookies
Detection as VM Requires Local Execution
Disadvantages:
Cloned Each Time
Too Clean or Outdated Cruft
Can Be Detected as VM
Dread Pirate Roberts
Why Should YOU be Stealthy
Lurk in IRC and Forums
Discover Plans
Learn Techniques
Hide your interest & activity
Bait Honeypots
Drop False Leads and Links
Government
Has Other More Aggressive Options
Thanks
Contact me at:
Email: [email protected]
Commercial / Gov: http://ntrepidcorp.com
Consumer: http://anonymizer.com
Blog: http://theprivacyblog.com
Twitter: @LanceCottrell
LinkedIn: http://linkedin.com/in/LanceCottrell