Bugtraq mailing list archives

Re: Crimelabs Paper: Passive System Fingerprinting using Network Client Applications


From: Szilveszter Adam <sziszi () PETRA HOS U-SZEGED HU>
Date: Thu, 18 Jan 2001 10:15:44 +0100

Hello everybody,

I would like to make a couple of comments on this paper.

Although the general point stands that network applications often leak
more information about themselves and their environment than would be
absolutely necessary, the effectiveness of the techniques presented in
the paper depends on a couple of things.

First: The admin/user must not be able to alter/remove the ident strings
that are sent out by the application. This is the case for most Windows
apps, and even where it is possible people usually do not take any measures
in this department. So we can move on.

Second: The information displayed must actually be correct. This is when
the fun begins. To take a really good example, Pine on most Linux systems
*always* sends messages with a Message-Id that contains "LNX" although I
think most are using shadow passwords. (In fact I have never seen any other
variant for Linux... must be because many install ready-made packages from
rpm/debs and the string displays the state of affairs on the compiling
rather than on the running machine? Just speculating, I do not use Pine:-)

Also, most mail agents are quite good at rewriting headers if I ask them
to, MTAs being other hidden champions of this. If you ever happen to
receive a mail from me with a From: header that says root, do not even for
a second think that it was actually sent from that account:-)

Also, you do not seem to adequately account for the fact that many people
are not running mail servers on their systems. So if you eg see Outlook
Express, then fine, you know that the sender machine was running this MUA.
But it also makes it more than likely that the email address you found is
not actually on the sending machine but rather on a big mail server, which
may be running anything. You have no knowledge of how mail collection at
that site works, so you cannot be sure that your exploit will actually
work. (eg a person can make an email enquiry with their browser's email
client after clicking on a link but use something else for "normal" mail
and may not even be aware of the difference:-) and yes, I have seen a setup
like this.)

Also, emulation is (or rather can be) quite a big issue with lesser known
OSs for which not enough native applications exist. Eg there is no Netscape
binary of the current release available for any BSD operating system (with
BSDi support having been dropped after 4.75), so if you want to use Netscape
on any BSD, you have to use emulation. But if you go after the presumably
old, 2.0.x kernel based Linux system it reports itself as, you will be in
for a surprise:-) But the real kicker is using Wine (Windows emulation
package for UNIX) and a Windows-based web browser... (yes I have done
things like this. Sometimes you are forced to, eg if there is not even a
Linux port of the sw you need to run.)

For proxies: It is known that there exist proxies that hide your real IP
address and cannot be detected in any easy way (because they do not insert an
X-Forwarded-IP field). See: http://neworder.box.sk/ in the relevant
section for tips. Yes, some of them are slow, but it really rocks when they
believe you were coming from some far-away place:-) and users can be made
to use these without their knowledge if you configure it centrally.
Because of this, the proxy may or may not be local, so you do not necessarily
have the entrance to the network either.

Also, web search engines can be helpful for finding vulnerabilities in
servers, but compiling lists of target hosts from mailing list archives is
fragile... there may not be many live hits from those. (Even for server
fingerprinting, some surprises are in the game: eg Walmart was suspected of
forging their server signature because at least on one occasion they
reported themselves as Microsoft-IIS/4.0 (Unix) mod_ssl/2.6.6
OpenSSL/0.9.5... outright funny:-) So the point is: although the information
may be there, it may already be forged intentionally or otherwise
incorrect.

Also, the fact that you found eg Mutt does not tell you a lot unless you
have a specific exploit... because many of these programs run on many
UNIX/UNIX-like systems plus on DOS/Windows. So you do not know a lot.

And finally: with all this information you have to go out and do some
actual scanning to verify/gather more information and this is where you can
already get caught.

But, yes, even with the above points made, considering the average
Windows/Mac user and admin, information leakage can be a cause for many an
interesting occurrence... why, at this rate I got the idea for a paper titled:
"utilizing information gleaned from Internet-accessible support pages of
various big organizations and institutions in network incidents..." It is
at least as interesting a topic as this one:-)

Best to y'all!

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary
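The post above argues that the identification strings a client or server emits (Pine's Message-Id platform token, X-Mailer, a Server banner) are either set at compile time, rewritten by MTAs, or simply forged, and that a mailbox address often lives on a mail hub rather than on the sending machine. The following is an added example, not code from the original post or the Crimelabs paper: a small Python checker that pulls these indicators out of mail headers and a Server banner and attaches the caveats the post raises. Every header and banner in it is a constructed sample; the token-to-platform mappings (`OS_CLAIMS`, `FAMILY_CLAIMS`) are illustrative assumptions, not an exhaustive catalogue.

```python
"""Consistency checks for client/server identification strings.

Added example for the Bugtraq discussion; not part of the original post.
All headers and banners below are constructed samples.
"""
import re
from email import message_from_string

# Pine Message-Ids look like Pine.<PLATFORM>.<ver>.<timestamp>.<pid>-<n>@host.
# The platform token is fixed when Pine is compiled, so it describes the
# build host rather than the machine that actually sent the mail.
PINE_MSGID = re.compile(r"<?Pine\.([A-Z0-9]+)\.[\d.]+\.\d+\.\d+-\d+@([^>\s]+)>?")
RECEIVED_FROM = re.compile(r"^from\s+([^\s(]+)", re.IGNORECASE)

# Illustrative (assumed) mapping of banner tokens to what they imply.
OS_CLAIMS = {"Microsoft-IIS": "windows", "(Win32)": "windows",
             "(Unix)": "unix", "(Linux)": "unix"}
FAMILY_CLAIMS = {"Microsoft-IIS": "iis", "Apache": "apache", "mod_ssl": "apache"}


def server_banner_conflicts(banner):
    """Return contradictions inside one Server: banner.

    Tokens are matched on the part before '/', so 'Microsoft-IIS/4.0' and
    'mod_ssl/2.6.6' both count; a banner claiming two platforms or two
    server families at once is reported.
    """
    names = [tok.split("/", 1)[0] for tok in banner.split()]
    conflicts = []
    for claims, label in ((OS_CLAIMS, "platform"), (FAMILY_CLAIMS, "server family")):
        seen = {}
        for name in names:
            if name in claims:
                seen.setdefault(claims[name], []).append(name)
        if len(seen) > 1:
            conflicts.append(f"{label} claims disagree: {seen}")
    return conflicts


def mail_client_indicators(raw_message):
    """Extract what a message's headers claim about the sending client.

    'caveats' lists why those claims may not describe the machine that
    composed the mail (compile-time token, relays, client-settable headers).
    """
    msg = message_from_string(raw_message)
    received = [" ".join(v.split()) for v in msg.get_all("Received", [])]
    origin = None
    if received:  # bottom-most Received line is the earliest hop we can see
        m = RECEIVED_FROM.match(received[-1])
        origin = m.group(1) if m else None
    mua = msg.get("X-Mailer") or msg.get("User-Agent")
    pine = PINE_MSGID.search(msg.get("Message-Id", ""))
    from_addr = msg.get("From", "")
    from_domain = from_addr.rsplit("@", 1)[-1].strip("> ") if "@" in from_addr else None

    info = {
        "mua": mua,
        "pine_platform": pine.group(1) if pine else None,
        "pine_host": pine.group(2) if pine else None,
        "origin_host": origin,
        "relay_hops": len(received),
        "from_domain": from_domain,
        "caveats": [],
    }
    if info["pine_platform"]:
        info["caveats"].append("Pine platform token is set at compile time (build host, not sender)")
    if mua:
        info["caveats"].append("X-Mailer/User-Agent is client-settable and may be rewritten")
    if from_domain and origin and from_domain.lower() != origin.lower():
        info["caveats"].append("mailbox domain differs from originating host; "
                               "the address sits on a mail server whose platform is unknown")
    if not mua and not pine:
        info["caveats"].append("no client identification present")
    return info


# Constructed sample: Pine with the LNX token, sent directly from the workstation.
SAMPLE_PINE = """\
Received: from workstation.example.net (workstation.example.net [192.0.2.77])
\tby lists.example.org with ESMTP id A1B2C3; Thu, 18 Jan 2001 10:16:00 +0100
From: someone@workstation.example.net
Message-Id: <Pine.LNX.4.21.0101181015440.1234-100000@workstation.example.net>
Subject: constructed sample

body
"""

# Constructed sample: Outlook Express on a dial-up host, handed off via the ISP's hub.
SAMPLE_OE = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.5])
\tby lists.example.org with ESMTP id D4E5F6; Thu, 18 Jan 2001 10:20:00 +0100
Received: from ppp-12-34.isp.example ([198.51.100.77])
\tby mail.isp.example with SMTP id G7H8I9; Thu, 18 Jan 2001 10:19:40 +0100
From: user@isp.example
Message-Id: <000a01c08123$abcdef00$4d3365c6@homepc>
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PINE, SAMPLE_OE):
        print(mail_client_indicators(sample))
    print(server_banner_conflicts("Microsoft-IIS/4.0 (Unix) mod_ssl/2.6.6 OpenSSL/0.9.5"))
```

Run as a script it prints the indicator dict for both samples and the two contradictions in the Walmart-style banner; the same functions can be pointed at real headers pulled from a mail store or at a Server header captured from a web log, where the caveat list is the useful output for anyone deciding how much weight to give a passive fingerprint.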
