
Stealth servers need Stealth Packets - Derbycon 3.0

Sun Tzu once said "Know your enemy and know yourself, and in a hundred battles you will never be defeated". Cyberwar is upon us, and APT is too common nowadays and we need to think about new tricks to avoid it, being one step ahead to keep your systems secure.

You can take that step in order to defend your servers against the first phase of every APT operation: fingerprinting. This is done by intercepting all traffic that your box is sending, so that the flags and fields in the TCP/IP packets that give your system away can be camouflaged and modified in real time.

This presentation will discuss the current techniques used for OS fingerprinting and how to frustrate them:
- Active remote OS fingerprinting: like Nmap or Xprobe (with Live Demo: Laptop and Mobile)
- Passive remote OS fingerprinting: like p0f or pfSense (with Live Demo: Mobile)
- Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting (with Live Demo: Laptop)

There will be many live demos, and OSfooler will be released. It has some interesting features:
- No need for kernel modification or patches
- Highly portable and configurable
- Will emulate any OS
- Capable of handling nmap and p0f fingerprint database (beta phase)
- Transparent for the user
- Undetectable for the attacker
- Available for your Linux laptop, server and mobile device

Sorry guys, remote OS fingerprinting is over…

Stealth servers need Stealth Packets - Derbycon 3.0

1. STEALTH SERVERS NEED STEALTH PACKETS. JAIME SANCHEZ (@SEGOFENSIVA), WWW.SEGURIDADOFENSIVA.COM
2. $ WHO I AM
   - Passionate about computer security.
   - Computer Engineering degree and an Executive MBA.
   - In my free time I conduct research on security and work as an independent consultant.
   - I'm from Spain; we're sexy and you know it.
   - Other conferences: RootedCON in Spain, Nuit Du Hack in Paris, Black Hat Arsenal USA, Defcon 21 USA.
   - Next conferences: Hacktivity, NoConName and Black Hat Sao Paulo.
   (Footer on every slide: STEALTH SERVERS NEED STEALTH PACKETS, DERBYCON 2013, JAIME SANCHEZ (@SEGOFENSIVA))
3. The most important phases are RECONNAISSANCE and SCANNING. The less information the attacker has, the better for our security. If we can fool all the network tools he'll be using, we'll be able to prevent some attack attempts.
   (Residual footers from earlier editions of this deck: FROM KERNEL SPACE TO USER HEAVEN, NUIT DU HACK 2013; OSFOOLER: REMOTE OS FINGERPRINTING IS OVER ..., BLACKHAT ARSENAL USA 2013)
4. A BRIEF OVERVIEW
5. ARCHITECTURE (section: How I met your packet, from kernel space to user heaven). Diagram: Ring 0 (kernel, most privileged) through Ring 1, Ring 2 and Ring 3 (least privileged), with devices outside.
   - Computer operating systems provide different levels of access to resources.
   - This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level.
   - Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
   - On most operating systems, RING 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.
6. KERNEL vs USER SPACE. KERNEL SPACE is strictly reserved for running the kernel, kernel extensions, and most device drivers. In contrast, user space is the memory area where all user mode applications work, and this memory can be swapped out when necessary. Similarly, the term USER LAND refers to all application software that runs in user space. Userland usually refers to the various programs and libraries that the operating system uses to interact with the kernel: software that performs input/output, manipulates file system objects, etc.
7. WTF!?
8. How I met your packets: the NFQUEUE way.
9. Receive path of an incoming packet (DEVICE DRIVER, KERNEL SPACE, USER SPACE): Incoming packet -> NIC -> DMA engine -> NIC memory / ring buffer -> interrupt -> interrupt handler -> poll list (softirq) -> packet data (pointer to device) -> ip_rcv() (IP layer) -> tcp_v4_rcv() (TCP process) -> socket backlog -> TCP recv buffer -> read() (APPLICATION).
10. The same receive path with the Netfilter hooks added: inbound packets -> PREROUTING (CONNTRACK, MANGLE) -> routing decision; local packets -> INPUT (FILTER) -> listening sockets; forwarded packets -> FORWARD -> forwarded and accepted packets. Locally destined packets must pass the INPUT chain to reach listening sockets.
11. TARGET EXTENSIONS. A target extension consists of a KERNEL MODULE and an optional extension to iptables to provide new command line options. There are several extensions in the default Netfilter distribution.
12. QUEUE
   - QUEUE is an iptables and ip6tables target which queues the packet for userspace processing.
   - For this to be useful, two further components are required: a QUEUE HANDLER, which deals with the actual mechanics of passing packets between the kernel and userspace; and a USERSPACE APPLICATION to receive, possibly manipulate, and issue verdicts on packets.
   - The default value for the maximum queue length is 1024. Once this limit is reached, new packets will be dropped until the length of the queue falls below the limit again.
   $ iptables -A INPUT -j NFQUEUE --queue-num 0
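What the userspace side of that NFQUEUE setup has to do with each queued packet, as an added Python example (not OSfooler's own code): rewrite the IP TTL and TCP window that give the stack away and recompute both checksums so the peer still accepts the packet. The sample packet is constructed inline; the profile values and the verdict() name are assumptions, and the NetfilterQueue binding that would hand it real packets is not included.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; folds to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _pseudo_header(pkt: bytes, ihl: int) -> bytes:
    # src, dst, zero, protocol (TCP), TCP length = header + payload
    return pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ihl)

def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP checksum after a rewrite."""
    ihl = (pkt[0] & 0x0F) * 4
    out = bytearray(pkt)
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", checksum(bytes(out[:ihl])))
    out[ihl + 16:ihl + 18] = b"\x00\x00"
    out[ihl + 16:ihl + 18] = struct.pack(
        "!H", checksum(_pseudo_header(pkt, ihl) + bytes(out[ihl:])))
    return bytes(out)

def checksums_ok(pkt: bytes) -> bool:
    """What the peer's stack checks: both checksums must fold to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    return checksum(pkt[:ihl]) == 0 and checksum(_pseudo_header(pkt, ihl) + pkt[ihl:]) == 0

def fields(pkt: bytes) -> dict:
    """The header values a fingerprinter reads off an outbound packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"ttl": pkt[8], "df": bool(pkt[6] & 0x40), "proto": pkt[9],
            "window": struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]}

def build_sample_synack() -> bytes:
    """Constructed (not captured) IPv4 + TCP SYN/ACK without options, 10.0.0.1:80 -> 10.0.0.2:40000,
    with TTL 64 and window 29200 as a stock Linux stack would answer."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 0x1000, 0x2001, (5 << 12) | 0x12, 29200, 0, 0)
    return fix_checksums(ip + tcp)

SAMPLE = build_sample_synack()

# Profile the box should present on the wire (values chosen for this example, not from a database).
WINDOWS_LIKE = {"ttl": 128, "window": 8192}

def verdict(pkt: bytes, profile: dict = WINDOWS_LIKE):
    """Userspace verdict for one queued packet: ('ACCEPT', possibly rewritten bytes).
    Only TCP is touched; anything else passes through untouched. With a queue binding such as
    NetfilterQueue this would run in the callback on the raw payload before accepting the packet."""
    if pkt[9] != 6:
        return "ACCEPT", pkt
    ihl = (pkt[0] & 0x0F) * 4
    out = bytearray(pkt)
    out[8] = profile["ttl"]                                       # IP TTL
    out[ihl + 14:ihl + 16] = struct.pack("!H", profile["window"])  # TCP window
    return "ACCEPT", fix_checksums(bytes(out))

if __name__ == "__main__":
    print("before:", fields(SAMPLE))
    print("after: ", fields(verdict(SAMPLE)[1]))
```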
13. SOME PRACTICAL EXAMPLES
14. REMOTE OS FINGERPRINTING
15. CLASSIC TECHNIQUES
16. NMAP. What it reports: Device Type, Running, OS Details, Uptime Guess, Network Distance, TCP Sequence Prediction, IP ID Sequence Generation. Sample output:
    Device Type: general purpose
    Running: Microsoft Windows 7|Vista|2000
    OS CPE: cpe:/o:microsoft_7::professional
    OS details: Microsoft Windows 7 Professional, Microsoft Windows Vista SP0 or SP1
    Uptime guess: 2.196 days (since Mon Feb 4 12:14:01 2013)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=262 (Good Luck!)
    IP ID Sequence Generation: Incremental
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
17. RELEVANT FIELDS (header diagrams of IPv4, UDP, TCP and ICMP).
18. NMAP METHODS. Nmap sends 15 TCP, UDP and ICMP tests to open and closed system ports:
    - SEQUENCE GENERATION (SEQ, OPS, WIN & T1): six probes, each with a different option layout and window:
      WS(10), NOP, MSS(1460), TS(Tval:0xFFFFFFFF, Tsecr:0), SACK and W(1)
      MSS(1400), WS(0), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), EOL and W(63)
      TS(Tval:0xFFFFFFFF, Tsecr:0), NOP, NOP, WS(5), NOP, MSS(640) and W(4)
      SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(4)
      MSS(536), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0), WS(10), EOL and W(16)
      MSS(265), SACK, TS(Tval:0xFFFFFFFF, Tsecr:0) and W(512)
    - ICMP ECHO (IE): IP DF bit, TOS(0), CODE=9, SEQ=295, 120 bytes of 0x00 for payload; then TOS(4), CODE=0, 150 bytes of data, ICMP request ID and SEQ incremented.
    - TCP EXPLICIT CONGESTION NOTIFICATION (ECN): CWR, ECE, WS(10), NOP, MSS(1460), SACK, NOP, NOP and W(3).
    - TCP T2-T7:
      T2: no flags, IP DF and W(128) to an open port
      T3: SYN, FIN, URG, PSH and W(256) to an open port
      T4: ACK with IP DF and W(1024) to an open port
      T5: SYN with W(31337) to a closed port
      T6: ACK with IP DF and W(32768) to a closed port
      T7: FIN, PSH, URG and W(65535) to a closed port
    - UDP (U1): 'C' (0x43) x 300 for the data field, IP ID value 0x1042.
19. NMAP INTERNAL PROBES. Most important:
    - TCP ISN greatest common divisor (GCD)
    - TCP IP ID sequence generation alg (TI)
    - TCP timestamp option alg (TS)
    - TCP Options (O, O1-O6)
    - TCP initial Window Size (W, W1-W6)
    - Responsiveness (R)
    - IP don't fragment bit (DF)
    - IP initial time-to-live guess (TG)
    Although there are others: TCP ISN counter rate (ISR), ICMP IP ID sequence generation alg (II), Shared IP ID sequence Boolean (SS), Don't Fragment ICMP (DFI), Explicit congestion notification (C), TCP miscellaneous quirks (Q), TCP sequence number (S), etc. Example nmap-os-db entry:
    Fingerprint Linux 2.6.17 - 2.6.24
    Class Linux | Linux | 2.6.X | general purpose
    SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
    OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
    WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
    ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
    T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
    T2(R=N)
    T3(R=Y%DF=Y%T=3B-45%TG=40%W=8018%S=O%A=S+%F=AS%O=M400C%RD=0%Q=)
    T4(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
    T5(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    T6(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
    T7(R=Y%DF=Y%T=3B-45%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
    U1(DF=N%T=3B-45%TG=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
    IE(DFI=N%T=3B-45%TG=40%CD=S)
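An added example (not from the slides or from Nmap's own code) that parses the fingerprint shown above in nmap-os-db syntax and scores an observed probe result against it, handling the hex ranges, '|' alternatives and '>'/'<' bounds the format uses. The observations are constructed, and the unweighted hit/miss count is a simplification of Nmap's weighted scoring.

```python
import re

# Entry as shown on the slide (nmap-os-db format), trimmed to the first six tests.
LINUX_FP = """Fingerprint Linux 2.6.17 - 2.6.24
Class Linux | Linux | 2.6.X | general purpose
SEQ(SP=A5-D5%GCD=1-6%ISR=A7-D7%TI=Z%II=I%TS=U)
OPS(O1=M400C%O2=M400C%O3=M400C%O4=M400C%O5=M400C%O6=M400C)
WIN(W1=8018%W2=8018%W3=8018%W4=8018%W5=8018%W6=8018)
ECN(R=Y%DF=Y%T=3B-45%TG=40%W=8018%O=M400C%CC=N%Q=)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)"""

HEX = re.compile(r"^[0-9A-F]+$")
TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")

def parse_fingerprint(text: str) -> dict:
    """Parse one nmap-os-db entry into {'name', 'class', 'tests': {test: {attr: expr}}}."""
    fp = {"name": None, "class": None, "tests": {}}
    for line in text.strip().splitlines():
        if line.startswith("Fingerprint "):
            fp["name"] = line[len("Fingerprint "):]
        elif line.startswith("Class "):
            fp["class"] = line[len("Class "):]
        else:
            m = TEST_LINE.match(line)
            if not m:
                continue
            test, body = m.groups()
            # each item is attr=expr; an empty expr (e.g. "Q=") is legitimate and kept as ""
            fp["tests"][test] = dict(i.partition("=")[::2] for i in body.split("%")) if body else {}
    return fp

def match_value(expr: str, observed: str) -> bool:
    """One attribute expression against one observed value: alternatives are split by '|';
    each alternative is a hex range 'LO-HI', a bound '>X' / '<X', or an exact string."""
    for alt in expr.split("|"):
        if alt == observed:
            return True
        if not HEX.match(observed):
            continue                       # non-numeric observation can only match exactly
        val = int(observed, 16)
        if alt and alt[0] in "<>" and HEX.match(alt[1:]):
            bound = int(alt[1:], 16)
            if (alt[0] == ">" and val > bound) or (alt[0] == "<" and val < bound):
                return True
        elif "-" in alt:
            lo, _, hi = alt.partition("-")
            if HEX.match(lo) and HEX.match(hi) and int(lo, 16) <= val <= int(hi, 16):
                return True
    return False

def score(fp: dict, observed: dict):
    """(hits, misses) over every attribute present in both the fingerprint and the observation.
    Unweighted; real Nmap assigns a weight per attribute and picks the highest total."""
    hits = misses = 0
    for test, attrs in fp["tests"].items():
        seen = observed.get(test)
        if seen is None:
            continue                       # probe not run or no response recorded
        for attr, expr in attrs.items():
            if attr in seen:
                if match_value(expr, seen[attr]):
                    hits += 1
                else:
                    misses += 1
    return hits, misses

FP = parse_fingerprint(LINUX_FP)

# Constructed observations (what the probes returned), in the same attr=value vocabulary.
LINUX_LIKE = {
    "SEQ": {"SP": "C1", "GCD": "1", "ISR": "C5", "TI": "Z", "II": "I", "TS": "U"},
    "OPS": {"O%d" % i: "M400C" for i in range(1, 7)},
    "WIN": {"W%d" % i: "8018" for i in range(1, 7)},
    "ECN": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "W": "8018", "O": "M400C", "CC": "N", "Q": ""},
    "T1": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "S": "O", "A": "S+", "F": "AS", "RD": "0", "Q": ""},
    "T2": {"R": "N"},
}
WINDOWS_LIKE = {   # TTL 128, incremental IP ID, other window and options: should score badly
    "SEQ": {"SP": "105", "GCD": "1", "ISR": "10A", "TI": "I", "II": "I", "TS": "7"},
    "ECN": {"R": "Y", "DF": "Y", "T": "80", "TG": "80", "W": "2000", "O": "M400CNW8NNS", "CC": "N", "Q": ""},
}
```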
20. OTHER TOOLS
   - IP PERSONALITY: a patch for Linux kernels of version 2.4 that modifies characteristics of network traffic.
   - STEALTH PATCH: a simple TCP packet identification solution as a kernel 2.2-2.4 core module patch, allowing some kinds of packets to be ignored.
   - FINGERPRINT FUCKER: a kernel module available for Linux kernel version 2.2 that also tries to hide the original OS and act as a different one.
   - BLACKHOLE: TCP and UDP packet filtering options, allowing RST and ICMP answers on closed ports to be blocked respectively.
   - HONEYD: able to simulate Xprobe2 and Nmap (previous version) signatures for its virtual hosts.
   - OSFUSCATE: Windows software that modifies keys in the registry to change some TCP/IP parameters.
21. !! LET'S CAMOUFLAGE !!
22. (Live demo.)
23. PASSIVE OS FINGERPRINTING
   - p0f is a tool that utilizes an array of sophisticated, purely passive, traffic fingerprinting mechanisms to identify the players behind any initial TCP/IP communication (often as little as a single normal SYN) without interfering in any way.
   - There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.
   - Passive fingerprinting is like a packet sniffer: it examines network traffic, making a copy of the data but without redirecting or altering it.
   - It can be used for several purposes: 1. as stealthy fingerprinting, bypassing the need for an active tool that can be detected by various IDS systems; 2. to identify remote proxy firewalls; 3. organizations can use it to identify rogue systems on their network.
24. SIGNATURES. Example: 8192:32:1:48:M*,N,N,S:.:Windows:98, i.e. Window Size : Initial TTL : DF Bit : Packet Size : TCP options and order : Quirks : Operating System (Family : Version).
   - Window Size: * any value; %nnn multiple of nnn; Sxx multiple of MSS; Txx multiple of MTU; xxx constant value.
   - TCP options and order: N: NOP; E: EOL; Wnnn: WS; Mnnn: MSS; S: SACK; T / T0: Timestamp; ?n: unknown option n.
   - Quirks: data in SYN packets; options after EOL; IP ID field = 0; ACK different to 0; unusual flags; incorrect options decode.
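An added example (not from the slides or from p0f) that derives the window:ttl:df:size:options:quirks signature p0f v2 reads from a raw SYN, and compares it against the Windows 98 signature line above. The SYN is constructed inline; the initial-TTL rounding, the quirk letters (P, Z, A, F, D) and the wildcard-only matcher follow p0f v2's conventions as I understand them and are assumptions here.

```python
import struct

def tcp_options_layout(opts: bytes):
    """Render TCP option bytes in p0f v2 notation: (tokens, MSS or None, non-zero bytes after EOL)."""
    layout, mss, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                    # EOL: anything non-zero after it is a quirk
            layout.append("E")
            return layout, mss, any(opts[i + 1:])
        if kind == 1:                                    # NOP
            layout.append("N")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:        # truncated or malformed length byte
            layout.append("?%d" % kind)
            break
        ln, body = opts[i + 1], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and len(body) == 2:                 # MSS
            mss = struct.unpack("!H", body)[0]
            layout.append("M%d" % mss)
        elif kind == 3 and len(body) == 1:               # window scale
            layout.append("W%d" % body[0])
        elif kind == 4:                                  # SACK permitted
            layout.append("S")
        elif kind == 8 and len(body) == 8:               # timestamp; T0 when TSval is zero
            layout.append("T" if struct.unpack("!II", body)[0] else "T0")
        else:
            layout.append("?%d" % kind)
        i += ln
    return layout, mss, False

def p0f_signature(pkt: bytes) -> str:
    """'win:ttl:df:size:opts:quirks' from a raw IPv4/TCP SYN; initial TTL is the observed TTL
    rounded up to the next of 32/64/128/255 (assumed p0f behaviour)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id, frag, ttl = struct.unpack("!HHHB", pkt[2:9])
    tcp = pkt[ihl:]
    ack, off_flags, window = struct.unpack("!IHH", tcp[8:16])
    doff = (off_flags >> 12) * 4
    layout, mss, past_eol = tcp_options_layout(tcp[20:doff])
    quirks = "".join(q for q, hit in (
        ("P", past_eol), ("Z", ip_id == 0), ("A", ack != 0),
        ("F", bool(off_flags & 0x3D)),               # any flag besides SYN (FIN/RST/PSH/ACK/URG)
        ("D", len(tcp) > doff)) if hit)              # payload carried in the SYN
    if mss and window % mss == 0:
        win = "S%d" % (window // mss)                # window is a multiple of MSS
    elif mss and window % (mss + 40) == 0:
        win = "T%d" % (window // (mss + 40))         # window is a multiple of MTU
    else:
        win = str(window)
    init_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return ":".join([win, str(init_ttl), "1" if frag & 0x4000 else "0",
                     str(total_len), ",".join(layout), quirks or "."])

def matches(sig_line: str, observed: str) -> bool:
    """Observed signature vs a p0f.fp line. Only the '*' wildcards (window, M*) are honoured;
    the S/T/% window modifiers are not resolved here (simplification)."""
    want, got = sig_line.split(":"), observed.split(":")
    if len(want) < 6 or len(got) != 6:
        return False
    for i in range(6):
        if i == 4:
            wo, go = want[i].split(","), got[i].split(",")
            if len(wo) != len(go) or any(not (a == b or (a == "M*" and b.startswith("M"))) for a, b in zip(wo, go)):
                return False
        elif want[i] != "*" and want[i] != got[i]:
            return False
    return True

def build_syn(ttl=29, window=8192, ack=0, opts=b"\x02\x04\x05\xb4\x01\x01\x04\x02") -> bytes:
    """Constructed SYN (not a capture) with Windows-98-style options MSS 1460, NOP, NOP, SACK.
    Checksums are left at zero; this example does not verify them."""
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1A2B, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x11223344, ack, (tcp_len // 4) << 12 | 0x02,
                      window, 0, 0)
    return ip + tcp + opts
```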
25. !! LET'S CAMOUFLAGE !!
26. (Live demo.)
27. COMMERCIAL ENGINES. These techniques can also be used to evade commercial implementations: we hide our machine so that the detection engine recognizes it as another OS, and when it attacks another host the administrator is led to think the alert may be a false positive. Fingerprint value example:
    key=fp_id;value=100000
    key=rna_fingerprint_type_id;value=9
    key=rna_fingerprint_description;value=iPhone
    key=rna_fingerprint_vendor_str;value=Apple
    key=rna_fingerprint_product_str;value=iOS
    key=rna_fingerprint_version_str;value=NULL
    key=val1;value=340e4d28c315390d
    key=val2;value=fdc5275d1377cce198247ceb93b0cb373bfd648db525a5bded36b1dad001100c2d5b3e26b22b91ec1c044f66d166085937ba1d34be0fd0afe4ff1acf20c8c970cfcc396e79ddf82b83c365605b2ad726047f872eee9245258bed3b18252dc922834af9b354757b7590d4093d43b6c5ac81ed57f739c6daef2c1a343a20e191ccf4caebcf3a1e40760c2b8d51ae3375a1931c97824bcc503a4847e9c0fa22fe666cb1dc115309eb77
    key=uuid;value=714e6bc6-991a-445c-bddb-a8b13c23706b
    I had no time to figure out what each field means in all the commercial appliances I've seen so far. I decided to cross the data available with the default Nmap and p0f databases to get the desired TCP/IP header values.
28. (We're running our program in the background to change all outbound connections.) Screenshots. OS FOOLED! NOW OUR LINUX IS AN iOS DEVICE.
29. SPOOF NON-EXISTING HOSTS. Screenshots: host created with our new tool :)
30. Long story short: SYN, ACK, FIN.
31. SEGURIDADOFENSIVA.COM, @SEGOFENSIVA
