(Still) Exploiting TCP Timestamps

Similar documents
Improving TCP/IP Security Through Randomization Without Sacrificing Interoperability. Michael J. Silbersack. November 26th, 2005

CIT 480: Securing Computer Systems

Covert channels in TCP/IP: attack and defence

Application Presence Fingerprinting for NAT-Aware Router

System-Level Failures in Security

INF5290 Ethical Hacking. Lecture 3: Network reconnaissance, port scanning. Universitetet i Oslo Laszlo Erdödi

inside: THE MAGAZINE OF USENIX & SAGE April 2002 Volume 27 Number 2 SECURITY A Remote Active OS Fingerprinting Tool Using ICMP BY OFIR ARKIN

Configuring attack detection and prevention 1

What this talk is about?

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

TCP TCP/IP: TCP. TCP segment. TCP segment. TCP encapsulation. TCP encapsulation 1/25/2012. Network Security Lecture 6

On Reliability of Clock-Skew-Based Remote Computer Identification

Pwn ing you(r) cyber offenders

ECE 435 Network Engineering Lecture 10

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning

Handbook. Step by step practical hacking training

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. TCP Attacks. Chester Rebeiro IIT Madras

Security Enhancement by Detecting Network Address Translation Based on Instant Messaging

Computer Security and Privacy

A Robust Classifier for Passive TCP/IP Fingerprinting

Firewall Identification: Banner Grabbing

ELEC5616 COMPUTER & NETWORK SECURITY

CSC 574 Computer and Network Security. TCP/IP Security

Timing Attacks Made Practical

Configuring attack detection and prevention 1

Change Management: DYNAMIC NETWORK MAPPING. LinuxWorld San Francisco Security Track. Presented by Joshua D. Abraham.

EEC-682/782 Computer Networks I

Clock-Skew-Based Computer Identification: Traps and Pitfalls

Building an IPS solution for inline usage during Red Teaming

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

A Software Tool for Network Intrusion Detection

Introduction to Network. Topics

A Rate-Limiting System to Mitigate Denial of Service Attacks

A quick theorical introduction to network scanning. 23rd November 2005

Computer and Network Security

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Pwn ing you(r) cyber offenders

Practical security scanning for busy network administrators. Jim Davis D7: Data Science Institute

Information Network 1 TCP 1/2. Youki Kadobayashi NAIST

Network Forensics and Covert Channels Analysis in Internet Protocols

SinFP3. More Than a Complete Framework for Operating System Fingerprinting v1.0. Patrice

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Category: Informational May 1996

Host Identity Sources

Version 2.6. Product Overview

Avi Networks Technical Reference (16.3)

Denial of Service, Traceback and Anonymity

A Study on Intrusion Detection Techniques in a TCP/IP Environment

Module 19 : Threats in Network What makes a Network Vulnerable?

Discovering Mac OS X Weaknesses and Fixing Them with the New Bastille OS X Port

TCP /IP Fundamentals Mr. Cantu

CMSC 332 Computer Networks Transport Layer

THERE are now a number of powerful techniques for

ANALYSIS AND EVALUATION OF DISTRIBUTED DENIAL OF SERVICE ATTACKS IDENTIFICATION METHODS

Internet-Wide Port Scanners Some history behind the development of high performance port scanners. Things to consider, and necessary preparations

Multimedia! 23/03/18. Part 3: Lecture 3! Content and multimedia! Internet traffic!

Part 3: Lecture 3! Content and multimedia!

Network Security: Scan

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Configuring IP Services

FOCUS on Intrusion Detection: Intrusion Detection Level Analysis of Nmap and Queso Page 1 of 6

Index. Note: Page numbers followed by f and t indicate figures and tables respectively

On the Origins of a Thesis

Measuring and Characterizing IPv6 Router Availability

Ambiguity Resolution via Passive OS Fingerprinting

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

NAVAL POSTGRADUATE SCHOOL THESIS

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

ECE 435 Network Engineering Lecture 23

This release of the product includes these new features that have been added since NGFW 5.5.

Onion services. Philipp Winter Nov 30, 2015

CSC 4900 Computer Networks: Transport Layer

Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One)

Improving PF's performance and reliability Lessons learned from bashing pf with DDoS attacks and other malicious traffic. By Kajetan Staszkiewicz,

Master Course Computer Networks IN2097

Sirindhorn International Institute of Technology Thammasat University

New Approach towards Covert Communication using TCP-SQN Reference Model

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Dissecting Tor Bridges A Security Evaluation of their Private and Public Infrastructures

Results of a security assessment of the TCP and IP protocols and common implementation strategies

Metrics for Security and Performance in Low-Latency Anonymity Systems

Remote physical device fingerprinting

Ethical Hacking and Prevention

RFC 4301 Populate From Packet (PFP) in Linux

Encrypted Traffic Security (ETS) White Paper

Scan Report Executive Summary

Transparent TCP Timestamps draft-scheffenegger-tcpm-timestampnegotiation-03

The Protocols that run the Internet

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

CS395/495 Computer Security Project #2

P2P. 1 Introduction. 2 Napster. Alex S. 2.1 Client/Server. 2.2 Problems

CIS 188 CCNP TSHOOT Ch. 2: Troubleshooting Processes for Complex Enterprise Networks

Impact of Network Topology on Anonymity and Overhead in Low-Latency Anonymity Networks

UDP-based Amplification Attacks and its Mitigations

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

CE Advanced Network Security Anonymity II

Transcription:

(Still) Exploiting TCP Timestamps Veit N. Hailperin 1 1 scip AG Hack in Paris, June 2015 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 1 / 47

About Me Security Consultant & Researcher @ scip AG @fenceposterror Bug in the matrix Disclaimer I will use IP on the slides synonym to IP address for space reasons. Timestamps allows refer to TCP timestamps if not otherwise noted. Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 2 / 47

Outline 1 What are TCP Timestamps? 2 A History of Exploitation and Failed Remediation 3 More Fun with TCP Timestamps 4 What Now? Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 3 / 47

TCP Timestamps Introduced in 1992 Described in RFC1323 Extension to provide PAWS and improved RTTM A constant, strictly monotonous increasing number Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 4 / 47

A TCP Timestamp Kind: 8 Length: 10 bytes +-------+-------+---------------------+---------------------+ Kind=8 10 TS Value (TSval) TS Echo Reply (TSecr) +-------+-------+---------------------+---------------------+ 1 1 4 4 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 5 / 47

Attack Vector - Timestamp 2001 - Uptime Calculation Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 6 / 47

Attack Vector - Timestamp 2001: Uptime Calculation Timestamp!= Uptime Multiple timestamps frequency of host timestamp & frequency uptime Uptime related to patch level Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 7 / 47

Attack Vector - Timestamp 2001: Uptime Calculation - Remediation Disable timestamps (bad idea) Randomize timestamps at boot (problems: lack of entropy, determination of initial value easy) Start each new TCP Connection with 0 (problem: still PAWS) Timestamp per IP/port pair (problem: only a question of time) More problems: Might break syn flood protection under linux Timestamp counter for each IP Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 8 / 47

Attack Vector - Timestamp 2015: Uptime Calculation Still possible 1... Also: timestamps observed over a longer period also lets us know their habits, e.g. when shutting down, when booting,... 1 It s a tiny bit more tricky for a small group of systems Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 9 / 47

Attack Vector - Timestamp 2005 - Host Identification Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 10 / 47

Attack Vector - Timestamp 2005: Host Identification = Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 11 / 47

Attack Vector - Timestamp 2005: Host Identification - Remediation Randomizing/Zeroing timestamps (loss of functionality) Use a different counter for each connection and initialize with 0 (problem: PAWS) Like above but with randomized start (problem: PAWS) Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 12 / 47

Attack Vector - Timestamp 2015: Host Identification Still possible 2... 2 It s a tiny bit more tricky for a small group of systems Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 13 / 47

Attack Vector - Clock Skew Let s assume we did fix the aforementioned issues, are we done? no :( (Mainly) due to physical properties (heat, fabrication,... ) clock isn t exact This slight imperfection of clock can be used as identifier (clock skew) Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 14 / 47

Attack Vector - Clock Skew 2005 - Host Identification Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 15 / 47

Attack Vector - Clock Skew 2005: Host Identification Possible even if host/port tuple TCP timestamp solution got implemented Multiple IPs virtually hosted not possible with timestamp (because TS per OS) With clock skew not a problem, because they share hardware Interesting to track users Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 16 / 47

Attack Vector - Clock Skew 2005: Host Identification - Remediation Reduce device s clock skew (difficult!) Mask clock skew by multiplying timestamp with random value (breaks RFC) mod skewmask: Mask clock skew with constant Encrypt timestamps (breaks RFC) Table mapping between random 32-bit values and internal representation of real timestamps (breaks RFC) Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 17 / 47

Attack Vector - Clock Skew 2015: Host Identification Still possible 3... 3 Some honeypots try to avoid it Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 18 / 47

Attack Vector - Clock Skew 2005 - Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 19 / 47

Attack Vector - Clock Skew 2005: Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 20 / 47

Attack Vector - Clock Skew 2005: Network Layout Information Gathering - Remediation Same as for host identification Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 21 / 47

Attack Vector - Clock Skew 2015: Network Layout Information Gathering Still possible... Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 22 / 47

Attack Vector - Clock Skew 2006 - Reveal Hidden Services Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 23 / 47

Attack Vector - Clock Skew 2006: Reveal Hidden Services Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 24 / 47

Attack Vector - Clock Skew 2006: Reveal Hidden Services - Remediation Dummy Traffic Fixed QoS for all connections No anonymous stream affects another (problem: potential DoS if connections idle) Oven Controlled Crystal Oscillators (OCXO) Always run at maximum CPU load Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 25 / 47

Attack Vector - Clock Skew 2015: Reveal Hidden Services Still possible... Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 26 / 47

Possible Targets Users Servers Conclusion More or less everyone/everything is affected Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 27 / 47

More Fun with TCP Timestamps 2015 - Reveal Active-Active Loadbalancing Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 28 / 47

More Fun with TCP Timestamps 2015 Load-Balanced Check! Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 29 / 47

More Fun with TCP Timestamps 2015 Load-Balanced Check! Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 30 / 47

More Fun with TCP Timestamps 2007/2015 - Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 31 / 47

More Fun with TCP Timestamps 2015: Network Layout Information Gathering DEMO 4 4 https://github.com/luh2/timestamps Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 32 / 47

More Fun with TCP Timestamps 2015: Network Layout Information Gathering Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 33 / 47

More Fun with TCP Timestamps 2015: Network Layout Information Gathering Count IPs behind a NAT (if you are the receiving end of connections) (2007) Identify hosts behind a NAT (if you have multiple ports open) (2015) TCP timestamp is the same services on same host TCP timestamp is different services on different hosts Some ports answer with no timestamp Can t tell Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 34 / 47

More Fun with TCP Timestamps 2015: Network Layout Information Gathering No tool that exploits this knowledge Does someone want to write a Nmap script? Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 35 / 47

More Fun with TCP Timestamps 2007/2015: Network Layout Information Gathering - Remediation Increment randomly (defeats RTTM) Rewrite timestamp on NAT device Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 36 / 47

More Fun with TCP Timestamps 2015 - Improve OS Fingerprints of NAT-ed Devices Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 37 / 47

More Fun with TCP Timestamps 2015 Improve OS Fingerprints Repeat: What is a OS Fingerprint? Nmap doesn t assume aforementioned scenario, but direct fingerprinting Use knowledge which ports belong together Don t use closed ports Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 38 / 47

More Fun with TCP Timestamps 2015 Improve Fingerprints! DEMO Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 39 / 47

Proposed Solutions Terminate TCP connection at firewall Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 40 / 47

Why Haven t We Fixed This? Quote: Kohno et al. [... ] it is possible to extract security-relevant signals from data canonically considered to be noise. There are other ways to gather the same intel -excuse Not considered important Not many good solutions so far Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 41 / 47

More Timestamps ICMP Timestamp (CVE-1999-0524) TLS Timestamp (Tor Bug #7277) HTTP Timestamp (Murdoch, 2013)... Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 42 / 47

Summary of (presented) Attacks TCP Timestamps 2001 - Uptime Calculation 2005 - Host Identification 2015 - Network Layout Information Gathering 2015 - Reveal Active-Active Loadbalancing 2015 - Improve OS Fingerprints of NAT-ed Devices Clock Skew 2005 - Host Identification / User Tracking 2005 - Network Layout Information Gathering 2006 - Reveal Hidden Services Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 43 / 47

What Now? Good solutions/suggestions welcome! Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 44 / 47

For Further Reading B. Ransford and E. Rosensweig. SkewMask: Frustrating ClockSkew Fingerprinting Attempts. December, 2007 T. Kohno, A. Broid and K. Claffy. Remote physical device fingerprinting IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 2, pp. 93 108, May 2005. S. Sharma, A. Hussain and H. Saran. Experience with heterogenous clock-skew based device fingerprinting Proceeding LASER 12 Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results, Pages 9-18. B. McDanel. TCP Timestamping - Obtaining System Uptime Remotely http://www.securiteam.com/securitynews/5np0c153pi.html, March 14, 2001 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 45 / 47

For Further Reading 2 V. Jacobson, R. Braden and D. Borman. TCP Extensions for High Performance. Network Working Group, Request for Comments: 1323, May 1992 S. Bellovin. Defending Against Sequence Number Attacks. Network Working Group, Request for Comments: 1948, May 1996 M. Silbersack. Improving TCP/IP security through randomization without sacrificing interoperability. University of Wisconsin Milwaukee, 2005 S. Murdoch. Hot or not: revealing hidden services by their clock skew. Proceeding CCS 06 Proceedings of the 13th ACM conference on Computer and communications security, Pages 27-36 Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 46 / 47

So Long and Thanks For All The Fish Me: @fenceposterror Thanks to people who inspired or helped: Krzysztof Kotowicz, Stefan Friedli, Max Hailperin Veit N. Hailperin (scip AG) (Still) Exploiting TCP Timestamps HiP 2015 47 / 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback