Documente Academic
Documente Profesional
Documente Cultură
Fingerprinting with
Morph
Kathy Wang
Syn Ack Labs
knwang@synacklabs.net
www.synacklabs.net DEFCON 12
Areas Covered in Talk
• OS Fingerprinting History
• What is Morph?
• Morph dependencies
• Morph architecture
• Implementation considerations
• Future directions
• Acknowledgments
www.synacklabs.net DEFCON 12
What is OS Fingerprinting?
• Banner information
• Manual reconnaissance
• Active fingerprinting
• Passive fingerprinting
• Timing analysis fingerprinting
www.synacklabs.net DEFCON 12
OS Fingerprinting History
• QueSO by Apostels
• Nmap by Fyodor
• p0f by Michael Zalewski
• Xprobe/Xprobe2 by Ofir Arkin and Fyodor
Yarochkin
• BSD licensed
• Download at http://www.synacklabs.net/projects/morph
www.synacklabs.net DEFCON 12
Morph Dependencies
• Morph is built on Packet Purgatory library
• Wedge between OS kernel and network
interface running in userland
www.synacklabs.net DEFCON 12
High-Level Morph Architecture
Remote
Host
Packet
Purgatory Morph
Host
OS
Kernel
www.synacklabs.net DEFCON 12
Morph Internal Architecture
Remote
Host
Morph
Inbound State Outbound
Handler Table Handler
Host
OS
Kernel
www.synacklabs.net DEFCON 12
More About Packet
Purgatory
• Route table maintains IP address to
intercept messages to/from
www.synacklabs.net DEFCON 12
Proxy Mode
Remote Raw
libdnet
IP
libdnet Host Write
raw IP write libpcap libpcap
Inbound sniffs Proxy IP sniffs Outbound
packet
Host sent
OS
libdnet
Kernel raw IP write
www.synacklabs.net DEFCON 12
Loopback-Firewall Mode
Remote Raw
libdnet
Ethernet
Host Write
libpcap
Inbound OS Firewall Outbound
libdnet
Interface
Host
loopback libpcap
OS
Kernel
libdnet
raw IP write
www.synacklabs.net DEFCON 12
OS scanners that
Morph will fool
• QueSO
• Nmap
• Xprobe/Xprobe2
• p0f (in progress)
• RING/Snacktime (in progress)
www.synacklabs.net DEFCON 12
Other Tools that Defeat OS
Fingerprinting
• FPF
• IP Personality
www.synacklabs.net DEFCON 12
Current OS Fingerprinting
Techniques
• Active fingerprinting
• Passive fingerprinting
• Timing analysis fingerprinting
• All of the above can be defeated with
Morph
www.synacklabs.net DEFCON 12
How does QueSO
work?
• Utilizes active fingerprinting techniques
• Sends 7 different types of packets to open
ports on target host
www.synacklabs.net DEFCON 12
Morph Response to QueSO
Morph Handling Status
QueSO Packet
Inbound State Table Outbound
Types
If port is open pass packet to
Rewrite packet to reflect
SYN OS, else write RST as a Add SYN connection
emulated OS
response
Check state table to see if Will update table if packet is If packet is solicited, then write
SYN+ACK connection is a response solicited appropriate ACK reply
Respond on behalf of
FIN+ACK emulated OS
Don’t care Don’t care
Respond on behalf of
SYN+FIN emulated OS
Don’t care Don’t care
www.synacklabs.net DEFCON 12
How does Xprobe2
work?
• Utilizes active fingerprinting techniques
• Xprobe2 sends 4 different types of ICMP
packets to target host
Respond on behalf of
ICMP Timestamp emulated OS
Don’t care Don’t care
www.synacklabs.net DEFCON 12
How does Nmap
work?
• Nmap sends 9 different types of packets to
target host
Respond on behalf of
NULL with Options emulated OS
Don’t care Don’t care
If OS accepts it, pass to OS.
SYN-FIN-URG-PSH If applicable, send response to
Otherwise, respond on Add connection
with Options reflect emulated OS
behalf of emulated OS
If connection exists, pass
Send response packet to
packet to OS. Otherwise, If part of existing connection,
ACK with Options respond on behalf of add ACK connection
reflect emulated OS if part of
existing connection
emulated OS
Respond on behalf of
SYN with Options emulated OS
Don’t care Don’t care
Closed Port
Respond on behalf of
ACK with Options emulated OS
Don’t care Don’t care
www.synacklabs.net DEFCON 12
Morph State Table
www.synacklabs.net DEFCON 12
Fooling other OS
scanners
www.synacklabs.net DEFCON 12
New OS Fingerprinting
Techniques
• CanSecWest talk on new OS fingerprinting
techniques
www.synacklabs.net DEFCON 12
How can you avoid
being fingerprinted?
www.synacklabs.net DEFCON 12
Challenges to Defeating OS
Fingerprinting
www.synacklabs.net DEFCON 12
Future Directions for
Morph
• Support more operating system emulation
(Solaris, HP-UX, etc)
www.synacklabs.net DEFCON 12