Dailydave mailing list archives
A bag of hammers
From: Dave Aitel <dave () immunityinc com>
Date: Sun, 17 Feb 2008 12:13:35 -0500
Just as a warning, if you're a mathematician, you're going to cough up your skull at this post. I don't know the first thing about real math. Don't say I didn't warn you.

_________________

So I often think of some mathematical techniques as hammers that people use to smack at every nail, willy-nilly. For example, in my sample bag of hammers:

o Expert Systems/Heuristics/Signatures [5]
o Neural Networks [3]
o Bayesian Classifiers/Probabilistic learning algos [4]
o Markov Chains
o FFT/DCT/Wavelets

There's lots of other examples, but some hammers are more generic and get used to smack at every nail, and the ones I listed are the ones you see every day.

I've been thinking a lot about remote OS detection, and TCP flags, and that sort of thing. Ofir Arkin's presentation [1] has a good point in it, I think. XProbe2 uses "fuzzy logic", which I assume is some sort of statistical heuristics based on a decision tree (Ofir's on this list, so we'll all get to find out the details, I'm sure :>). NMap uses a signature lookup. I think both of those techniques could be improved on.

Essentially the problem, as I see it, is much harder than it originally looks. At first you think:

Attacker ------->Firewall----> Target

And you then proceed to compensate for packet loss, blocked packets, and whatnot. But in reality you're passing through a lot of different hardware.

Attacker --->Switch--->Firewall--->Router--->Firewall--->Target

And each of these can apply transformations to your packet, or choose to drop it, and each packet can go through different hosts each time, and come back over a different path, and your target might be different for each packet (say, if it is getting load balanced). And of course, each port on your target might go to a different machine. Closed ports may be the firewall, port 80 might be the Apache server running on Linux, and port 25 might be forwarded to a mail gateway.

It's for this reason that CANVAS does only Application-Layer OS Fingerprinting now. We try to fingerprint the OS using the same protocol you're trying to attack. That way we don't care that port 25 goes to a different host entirely.

To do OS fingerprinting via raw packets right, you essentially have to discover state on a lossy network on each of maybe 20 network devices in between yourself and your target, which change in and out randomly, and even your target can be one host or multiple hosts. What you really want is something more like firewalk [2] that does OS detection (or at least "feature" detection) on all the potential devices in between you and your target before it does the OS detection against your target(s). Devices may or may not have an IP address or modify TTL, which is part of the fun.

w00t 07 had some interesting work [6] that optimized the ruleset for nmap to note that you only need one to three packets to do OS detection, which is a significant improvement. Of course, the benefit of having redundant information is that you can account more often for network interference during your scan, theoretically.

Anyways, my thought is this. Can you represent the network conditions in between you and your target(s) with a Markov Chain? Would this provide better results than signature/Neural Network/Classifier approaches? Hopefully someday soon we'll get to find out. :>

-dave

[1] http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-arkin.pdf
[2] http://packetstormsecurity.org/UNIX/audit/firewalk/
[3] http://www.springerlink.com/content/j6dnbdnrjxdqbrk8/
[4] http://www.mit.edu/~rbeverly/papers/tcpclass-pam04.pdf
[5] http://synscan.sourceforge.net/taleck-synscan-2004.pdf
[6] http://www.usenix.org/event/woot07/tech/full_papers/greenwald/greenwald_html/
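An added example (mine, not Dave's or Immunity's) that works through the Markov-chain idea from the post: the kinds of intermediate device are the chain's states, each device transforms or drops the probe, and the distribution of the observable TTL/DF/window values is propagated exactly over a given number of hops. Every transition probability, device behaviour and the values a proxying load balancer substitutes are constructed assumptions, not measurements of any real path.

```python
# Transition probabilities: which kind of device the packet meets next (constructed).
NEXT = {
    "src":      {"switch": 0.6, "router": 0.4},
    "switch":   {"router": 0.7, "firewall": 0.3},
    "router":   {"router": 0.4, "firewall": 0.4, "lb": 0.2},
    "firewall": {"router": 0.5, "firewall": 0.2, "lb": 0.3},
    "lb":       {"router": 0.6, "firewall": 0.4},
}

def transform(device, feat):
    """Return [(prob, new_feat)] for one device; new_feat None means dropped.
    feat is (ttl, df_bit, window).  Behaviours are constructed for illustration."""
    ttl, df, win = feat
    if device == "switch":      # layer 2: forwards the packet untouched
        return [(1.0, feat)]
    if device == "router":      # layer 3: decrements TTL, nothing else
        return [(1.0, (ttl - 1, df, win))]
    if device == "firewall":    # drops, scrubs (clears DF, clamps window) or passes
        return [(0.10, None),
                (0.45, (ttl - 1, False, min(win, 16384))),
                (0.45, (ttl - 1, df, win))]
    # "lb": half the time a proxying balancer re-originates with its own stack's values
    return [(0.5, (ttl - 1, df, win)), (0.5, (254, True, 5840))]

def observed_distribution(hops, probe=(64, True, 65535)):
    """Exact probability of each feature tuple (None = dropped) after `hops` devices."""
    states = {("src", probe): 1.0}
    for _ in range(hops):
        nxt = {}
        for (dev, feat), p in states.items():
            if feat is None:    # a dropped packet stays dropped
                nxt[(dev, None)] = nxt.get((dev, None), 0.0) + p
                continue
            for dev2, p_next in NEXT[dev].items():
                for p_tr, feat2 in transform(dev2, feat):
                    nxt[(dev2, feat2)] = nxt.get((dev2, feat2), 0.0) + p * p_next * p_tr
        states = nxt
    dist = {}
    for (_, feat), p in states.items():
        dist[feat] = dist.get(feat, 0.0) + p
    return dist

def summary(hops, probe=(64, True, 65535)):
    """(p_dropped, p_intact, distinct raw signatures); 'intact' = only TTL went down,
    which is all a static signature table implicitly allows for."""
    dist = observed_distribution(hops, probe)
    intact = sum(p for f, p in dist.items()
                 if f and f[1:] == probe[1:] and f[0] <= probe[0])
    return dist.get(None, 0.0), intact, sum(1 for f in dist if f)
```

Running summary() for increasing hop counts shows the share of probes that still look like the original stack falling while the number of distinct raw signatures grows, which is the ambiguity the post says a signature lookup on raw packets has to absorb.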