[Dailydave] A bag of hammers
Dave Aitel
dave at immunityinc.com
Sun Feb 17 12:13:35 EST 2008
Just as a warning, if you're a mathematician, you're going to cough up
your skull at this post. I don't know the first thing about real math. Don't
say I didn't warn you.
_________________
So I often think of some mathematical techniques as hammers that people
use to smack at every nail, willy-nilly. For example, in my sample bag of
hammers:
o Expert Systems/Heuristics/Signatures [5]
o Neural Networks [3]
o Bayesian Classifiers/Probabilistic learning algos [4]
o Markov Chains
o FFT/DCT/Wavelets
There are lots of other examples, but some hammers are more generic and
get used to smack at every nail, and the ones I listed are the ones you
see every day.
I've been thinking a lot about remote OS detection, and TCP flags, and
that sort of thing. Ofir Arkin's presentation[1] has a good point in it,
I think. XProbe2 uses "fuzzy logic" which I assume is some sort of
statistical heuristics based on a decision tree (Ofir's on this list, so
we'll all get to find out the details I'm sure :>). NMap uses a
signature lookup. I think both of those techniques could be improved on.
Essentially the problem, as I see it, is much harder than it originally
looks. At first you think:
Attacker ------->Firewall----> Target
And you then proceed to compensate for packet loss, blocked packets, and
whatnot. But in reality you're passing through a lot of different hardware.
Attacker --->Switch--->Firewall--->Router--->Firewall--->Target
And each of these can apply transformations to your packet, or choose to
drop it, and each packet can go through different hosts each time, and
come back over a different path, and your target might be different for
each packet (say, if it is getting load balanced). And of course, each
port on your target might go to a different machine. Closed ports may be
the firewall, port 80 might be the Apache server running on Linux, and
port 25 might be forwarded to a mail gateway.
It's for this reason that CANVAS does only Application-Layer OS
Fingerprinting now. We try to fingerprint the OS using the same
protocol you're trying to attack. That way we don't care that port 25
goes to a different host entirely.
To do OS fingerprinting via raw packets right you essentially have to
discover state on a lossy network on each of maybe 20 network devices in
between yourself and your target, which change in and out randomly, and
even your target can be one host or multiple hosts. What you really want
is something more like firewalk[2] that does OS detection (or at least
"feature" detection) on all the potential devices in between you and
your target before it does the OS detection against your target(s).
Devices may or may not have an IP address or modify TTL, which is part
of the fun.
WOOT '07 had some interesting work[6] that optimized the ruleset for nmap,
noting that you only need one to three packets to do OS detection -
which is a significant improvement. Of course, the benefit of having
redundant information is that you can account more often for network
interference during your scan, theoretically.
Anyways, my thought is this. Can you represent the network conditions in
between you and your target(s) with a Markov Chain? Would this provide
better results than signature/Neural Network/Classifier approaches?
Hopefully someday soon we'll get to find out. :>
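One way to make the Markov-chain question concrete, as an added example (not Dave's code and not anything from CANVAS or Xprobe2): treat each device on the reply path as a transition that passes, decrements, rewrites or drops the reply's TTL, chain the transitions to get the distribution of TTLs that reach the scanner, and compare candidate default TTLs against one observation. The per-device probabilities, the device names and the default-TTL candidates are constructed assumptions for illustration; the example also shows that a device which rewrites TTL leaves the comparison no better than the prior.

```python
from collections import defaultdict
from fractions import Fraction as F

# Constructed per-device behaviour (assumption, not measured data). Each device
# passes the reply unchanged, decrements TTL (a routing hop), rewrites TTL to a
# fixed value (a normalizing middlebox), or drops the reply. None = dropped.
DEVICES = {
    "switch":     {"pass": F(1)},
    "router":     {"decrement": F(99, 100), "drop": F(1, 100)},
    "firewall":   {"pass": F(1, 2), "decrement": F(9, 20), "drop": F(1, 20)},
    "normalizer": {"rewrite": (64, F(1))},
}
# Reply path, target -> scanner, mirroring the Switch/Firewall/Router/Firewall chain.
PATH = ["firewall", "router", "firewall", "switch"]
CANDIDATES = (64, 128, 255)  # default TTLs to distinguish between (assumed)

def propagate(dist, device):
    """One Markov step: push a distribution over TTL (or None) through a device."""
    beh, out = DEVICES[device], defaultdict(F)
    for ttl, p in dist.items():
        if ttl is None:                      # absorbing state: already dropped
            out[None] += p
            continue
        out[ttl] += p * beh.get("pass", F(0))
        out[None] += p * beh.get("drop", F(0))
        nxt = ttl - 1 if ttl > 1 else None   # TTL expiring in transit is a drop
        out[nxt] += p * beh.get("decrement", F(0))
        if "rewrite" in beh:
            value, prob = beh["rewrite"]
            out[value] += p * prob
    return {k: v for k, v in out.items() if v}

def observed_ttl_distribution(initial_ttl, path):
    """Distribution of the TTL the scanner sees for a reply sent with initial_ttl."""
    dist = {initial_ttl: F(1)}
    for device in path:
        dist = propagate(dist, device)
    return dist

def posterior(observed_ttl, path, candidates=CANDIDATES):
    """Uniform-prior Bayes over candidate default TTLs given one observed reply."""
    like = {c: observed_ttl_distribution(c, path).get(observed_ttl, F(0)) for c in candidates}
    total = sum(like.values())
    if total == 0:
        return None  # observation impossible under every candidate for this path model
    return {c: l / total for c, l in like.items()}

if __name__ == "__main__":
    print("P(dropped | TTL 64):", observed_ttl_distribution(64, PATH).get(None))
    print("posterior after seeing TTL 62:", posterior(62, PATH))
    print("same through a TTL-rewriting box:", posterior(63, ["normalizer", "router", "switch"]))
```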
-dave
[1]http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-arkin.pdf
[2]http://packetstormsecurity.org/UNIX/audit/firewalk/
[3]http://www.springerlink.com/content/j6dnbdnrjxdqbrk8/
[4]http://www.mit.edu/~rbeverly/papers/tcpclass-pam04.pdf
[5]http://synscan.sourceforge.net/taleck-synscan-2004.pdf
[6]http://www.usenix.org/event/woot07/tech/full_papers/greenwald/greenwald_html/