Security Incidents mailing list archives
An Embryonic Counterintelligence Tool
From: spb () SCHADENFREUDE MESHUGGENEH NET (Stephen P. Berry)
Date: Fri, 14 Jan 2000 22:18:47 -0800
Several months ago, I asked if anyone knew of any tools (or projects to produce tools) that present an arbitrarily-chosen TCP fingerprint to a scanner. I had been fiddling around with such a thing, and was curious if there were any similar widgets already in a `finished product' state. I didn't get any suggestions for leads on existing code, but several people offered to help test any code I might have.

If anyone is interested in testing some ragged, ugly, not-ready-to-see-the-light-of-day-(and-vice-versa) code, let me know. I've got the first rev in a works-consistently-for-what-I-do-with-it state, and would like to submit the code to some outside scrutiny.

The widget listens on an interface for traffic that matches any of a number of signatures characteristic of TCP fingerprinting scans, and then attempts to respond in such a way as to lead the scanner to believe the target machine is running an arbitrarily-specified OS and platform. It currently reads fingerprints directly from an nmap(1) config file, and my focus has been specifically to subvert nmap(1) scans.

Disclaimer: At this stage, it is more of a cute toy than a badass, gung-ho, ass-kickin' security application. I'd like to eventually make the trigger conditions somewhat more generic and less scanner-specific. I'd also like to roll in functionality for multiple concurrent fingerprints, doing selective TTL decrementing and sending ICMP_UNREACHables---so the widget could appear to be an entire network.

In addition to the code for the widget in question, you'll need a *BSD system to run it on. I've been developing on OpenBSD, but the other BSDs should work fine as well[0]. In addition to the OS itself, you should have some sort of packet filter---I suggest ipf(8) which, conveniently, comes with OpenBSD.

If you're interested in testing, drop me a line. I'm currently putting together some documentation for the code, and expect to have it done this weekend or sometime next week.

-Steve

-----

[0] The widget uses BPF. Although my development has been done on OpenBSD, with some testing on FreeBSD, it should work on most systems implementing BPF. Future revs will probably support other systems---the code for the fingerprint-foiling widget is just a set of custom callbacks for a small, generic libpcap-based IDS I'm fiddling with. Since everything but the bits for writing ether frames to the wire is portable, it would be nice to support non-BPF methods. On the other hand, BPF rocks and I have to fight back waves of nausea every time I think about DLPI[1]....

[1] At least as implemented under Solaris. Mind you, the code I'm talking about does a lot of filtering and packet writing in luser space, so it's a bit of a pig anyway.
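The "trigger conditions" the post refers to are the packets a fingerprinting scanner sends that no normal TCP stack would. As an added illustration (not the author's widget, and not nmap's code), the following Python recognises the classic nmap OS-detection probes with illegal flag combinations (T2 NULL, T3 SYN|FIN|URG|PSH, T7 FIN|PSH|URG) in raw TCP headers and flags a source once it has sent more than one kind; the packet data is constructed for the example.

```python
import struct
from collections import defaultdict

# TCP flag bits (low byte of the data-offset/flags word, RFC 793 order).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations no legitimate TCP stack sends, used by the classic nmap
# OS-detection probes (T2: no flags, T3: SYN|FIN|URG|PSH, T7: FIN|PSH|URG).
# The other probes (plain SYN, plain ACK) look like ordinary traffic and
# cannot be recognised from a single packet, so they are not listed here.
ANOMALOUS_PROBES = {
    0: "T2 NULL probe",
    SYN | FIN | URG | PSH: "T3 SYN|FIN|URG|PSH probe",
    FIN | PSH | URG: "T7 FIN|PSH|URG probe",
}

def parse_tcp(segment: bytes):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return src, dst, off_flags & 0x3F  # low six bits are the standard flags

def classify(segment: bytes):
    """Name the nmap probe a segment resembles, or None for normal flags."""
    _, _, flags = parse_tcp(segment)
    return ANOMALOUS_PROBES.get(flags)

def fingerprinting_sources(packets, threshold=2):
    """Sources in [(src_ip, tcp_header), ...] with >= threshold probe types."""
    seen = defaultdict(set)
    for src_ip, segment in packets:
        probe = classify(segment)
        if probe:
            seen[src_ip].add(probe)
    return {ip for ip, probes in seen.items() if len(probes) >= threshold}

def tcp_header(src, dst, flags, window=1024):
    """Build a minimal 20-byte TCP header (constructed test data)."""
    return struct.pack("!HHIIHHHH", src, dst, 1, 0, (5 << 12) | flags, window, 0, 0)

# Constructed sample traffic: one scanning host and one ordinary client.
SAMPLE = [
    ("10.0.0.9", tcp_header(40000, 80, 0)),                      # T2
    ("10.0.0.9", tcp_header(40001, 80, SYN | FIN | URG | PSH)),  # T3
    ("10.0.0.9", tcp_header(40002, 31337, FIN | PSH | URG)),     # T7
    ("10.0.0.9", tcp_header(40003, 80, SYN)),                    # T1, looks normal
    ("192.168.1.5", tcp_header(51000, 80, SYN)),                 # real client
    ("192.168.1.5", tcp_header(51000, 80, ACK | PSH)),
]
if __name__ == "__main__":
    print(fingerprinting_sources(SAMPLE))  # {'10.0.0.9'}
```

A decoy like the one described above would use the same match to decide which responses to forge; on the detection side, the SYN and ACK probes only become visible when correlated with the anomalous ones from the same source.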