Recon Village - Derevolutionizing OS Fingerprinting: The cat and mouse game

Formal Metadata

Title: Recon Village - Derevolutionizing OS Fingerprinting: The cat and mouse game
Number of Parts: 335
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract: Presentations from the DEF CON 27 Recon Village

Transcript: English (auto-generated)

Okay, let's get started on the next session. I've got Jaime Sanchez with De-revolutionizing OS Fingerprinting: The Cat and Mouse Game. Jaime's got over 20 years' experience as a specialist advisor for large national and international companies, focusing on different aspects of security. Without further ado, I'll hand over to Jaime. Thanks very much.

Well, hi, hello. It's great to be here. Thank you for coming to see this talk. Just some things about me: I've been working in security for almost 20 years. It's not my first time in Vegas, so it's great to be here again.

What we are going to talk about is OS fingerprinting. That is something very interesting from different perspectives: from the attacker's point of view, for defenders, administrators, vendors. You really need to know what kind of operating system you are trying to connect to. If you try to attack, you need to know, for example, if it's a Windows XP without a service pack or whatever before launching your exploit; you have to know the memory addresses. So it's described as passive collection of configuration attributes from remote devices, but it's not only this, because there are a lot of approaches to operating system fingerprinting. In the old days, everything was banner grabbing; that's manual reconnaissance. Then we moved to active operating system fingerprinting with tools like Xprobe, like Nmap. Then we also have the passive point of view, where you are only an analyzer, like a packet sniffer, of all the traffic that you are generating on your side and on the other side, just to get useful information. But there is another approach, the timing attacks. We are not going to see it here.

So, the first technique, banner grabbing, is very simple. You connect, you use Telnet, for example, to a web server to get all the header information, whether you are dealing with IIS or nginx, whatever. You can also connect to FTP services, Telnet, to see the banner. You can use SNMP. Those are kind of active techniques. But you can also get free information from other services, you know, Nmap, finger and NTP. And if you have access to the remote machines, you can also play with some configuration files, the issue files, the banners. And you can try to port scan. Also, you can try to do social engineering just to get information about the technologies used by any company. There are a lot of services that give other information. For example, FTP: use the SYST command. That has information about the server operating system. And you have some examples there. Another useful thing would be, for example, connecting to the FTP, getting any file that is inside, for example with ls, compress, cut, and trying to get information on your local machine. For example, here you can see that our files are compiled for Linux, for Sun, whatever. You can also use all kinds of search engines like Shodan, like Censys, that get all this information for you, so you don't have to interact with the other machine. For example, this is very useful because, I don't know if you can see there. Well, don't worry. If you try to scan, for example, mobile networks, you can try to look for port 62078 as well, for jailbroken iPhones. And you can try to connect with SSH with default credentials that are root and alpine and try to move on. So this is very important, to know what kind of operating system you are dealing with. In this case, I only use the mobile phones to jump to another machine and
finally attack my target. Try to get all the information, and then finally I try to attack my final target.

So, some things you need to know: TCP/IP theory. This would be very basic, but it's something that people have to understand before going into fingerprinting. For example, in IP, you have to know what kind of protocol you are dealing with: TCP, UDP, ICMP, those are the most important ones that we are taking a look at. Source address, destination address, something you know about. In TCP, we will be dealing with SYN packets, ACK packets, PUSH. We have to know not every, almost every, TCP option that is available, but you have to understand that almost every operating system uses some TCP options in the same order, and maybe Windows XP and Windows 2000 have the same options, but they are in a different order. So, that's the way that we can make the difference and know whether we are dealing with a Windows XP or a Windows 2000. The same for UDP: just to know source port, destination port; you will see that in Nmap it has, like, custom data that has a lot of Cs. And finally, ICMP, that is used, probed, by Nmap. So, these are some basics that you will see, that in any database you get all this information: if there is a congestion flag that is on, if the don't fragment flag is on.

So, for active operating system fingerprinting, we are going to see just a few tools. For example, one of the first ones was called Queso, which in Spanish is "Qué Sistema Operativo". It's like "which operating system". And it was sending, like, seven kinds of tests. You can see the SYN, SYN plus ACK, FIN. And then another project was released, called Xprobe. Xprobe deals with a lot of ICMP packets. It sends also UDP packets. But these kinds of tools are somewhat old right now. And I think that almost everyone in the hacking and security scene is using Nmap. And so,
Nmap is the master pen tester for everyone. And Nmap gives you a lot of information about what kind of device you are dealing with. For example, the device type in this case is general purpose because it's a computer. But it can also tell you if you are dealing with a printer, if you are dealing with a firewall, with a router, or if it doesn't know well, it can give you information about this: maybe it should be a router, or maybe it's a firewall. The next thing that it will tell you is the family, in this case Linux, and the generation. The generation is practically the version that you are running. Common Platform Enumeration, that's something standard. The details on the fingerprint. If it's not a perfect match, because there are some times where you have, like, a firewall or you are not getting all the traffic, you can get a message like "just guessing". So Nmap doesn't know exactly what kind of operating system it is, but maybe it's telling you that you are dealing with a Solaris, maybe this version, maybe another one. You know, a lot of information: the network distance, like if you were doing a traceroute, uptime guess, TCP sequence prediction. But you can also use version scan. Version scan is very useful when you are dealing with a proxy, because if you try to do the operating system fingerprinting, you are really dealing with the proxy, and you need to get information about the remote host. So in this case, it can get a lot of information about whether it's an SSL service, whether it is running TCP or UDP; it can deal with IMAP, whatever service.

But the interesting thing here is how does Nmap work, how does it really work. The way this works is that Nmap is sending 15 TCP probes, plus UDP and ICMP. All these tests are with a custom destination port, they have custom flags, and the result for the Nmap database is something like that. I don't know if you can see it very well, but you can find it in the slides; you have a lot of information about every operating system that you are dealing with. For example, the first six TCP probes have, like, these custom TCP options. If you want to get more information about this, it's really useful to get the official Nmap book. It has a lot of information about this. So, you can get all the TCP options that they are using, the remote port they are using, whether they are looking for the network congestion flag, whether the don't fragment bit is set on ICMP. And it begins with the real probes, T1, T2 to T7, where you have a lot of flags that you will receive. For example, packet T2 is no flags, fragment bit is on, its window size is 124. This is all the information I got. So, I can know which packets I should filter and manipulate, and let all the other traffic go to my machine. So, in this case, we will see a tool that is called OSfooler that is only dealing with specific packets for Nmap. All the other traffic should be treated by the kernel. This case is UDP. UDP has a special payload because it has, like, 300 times the letter C. So, it's very easy to recognize that kind of packet. I have a small demo, but I think it will be better if we do it live because we can
make the screen bigger.

So, the same thing is for passive operating system fingerprinting. You know, it's like dealing with a packet sniffer. What you are trying to do is copying the data without modifying it. You don't manipulate the traffic. You just get all the information and try to analyze it locally to get all the information you can about the remote host. And for this, you have, for example, OSfooler, that's the tool I'm presenting; it can handle all the information from the database from version 2. It's very simple. Every line is like this. The first is the don't fragment flag is on, the TCP options and their order, and some quirks. For example, if you get a SYN packet, you shouldn't have any payload inside, but there are some operating systems that send this kind of information, so this is very useful to identify them. And finally, you get, like, the label for the operating system. This is fully working, but then p0f moved to another version, version 3. That is like a complete rewrite of the original code. And it deals with TCP packets, the SYN packets, but also the SYN and the ACK packets, HTTP requests, so it's more complete. In this case, instead of rebuilding all of OSfooler, what I'm trying to do is just to migrate this kind of database to the old format so we can use it. If you can see, it's almost the same kind of information. You have the time to live, the length of the packet, maximum segment size, you have the TCP options, don't fragment, some more quirks that are available in this operating system. So, this is very easy to identify. And finally, there are a lot of people that are still using Ettercap. Ettercap is almost using the same technique as p0f. It's only copying all the traffic and just trying to analyze it. And it has some database. If you can see, practically all these tools use the same format, all the same information. It analyzes TCP options, length of the packet, what kind of information, if it has a payload. So, in this case, in the next release of OSfooler, I will migrate the same database from Ettercap to p0f. It's been parsed by OSfooler and it's 100% complete. So, it works like a charm. So, I will be
doing this change. But also, there are some commercial engines like Sourcefire or Fireside that use this kind of technique to identify all the traffic for the IPS or the IDS. When you get an alert, they tell you, like, hey, you have been attacked by this kind of machine. Maybe it's a Linux, maybe it's a Windows machine. They are using almost the same information, and with the same information you can spoof that kind of fingerprint. So, you can try to confuse administrators, defenders. And this is really useful to know because there are other online services, for example, for vendors of ads or whatever, that use this online. So, it's very useful for vendors, for example, to know if you are using not only Chrome or Safari, but if you are using Macintosh, Windows, Solaris, whatever. So, in this case, it's very simple to do the same thing. In the first approach, it thinks it's Linux version 3. And in the second one, we are running only OSfooler and you get, like, the same database, like p0f or Ettercap. So, it's very simple to deal with this.

So, other techniques to do this kind of fingerprinting could be analyzing the DHCP requests. When it asks, for example, for options like the DNS server, default gateway, it asks in an exact order. So, you can try to do that; there is a tool called Satori, there is a very interesting white paper that you can download and take a look at. And at last, you can use other techniques like identifying the MAC addresses; for example, Apple or Sony use some kind of patterns. So, you can use that to get all the information about the machine you want.

So, at this point, we know how to do that kind of active fingerprinting, passive fingerprinting, but which kind of countermeasures do we have to protect from this? I have collected some information about just some of them. For example, IP Personality. It was very famous because, depending on some parameters, it let you change sequence number, window size, IDs, how it answers to TCP packets. But the problem is that it changed a lot of the behavior of the TCP/IP stack for Linux. And this one wasn't working for all releases of the kernel. So, nowadays, it's not very useful. The other one was the Stealth Patch, that was running from kernel 2.22 to 2.4. But this tool had a problem: if you change some parameters when scanning, you can know that the remote machine is using this tool, and you can identify it because you know that Stealth Patch only works for some kernels. So, it makes it easier to understand. Many others: the loop, Blackhole, Fingerprint Fucker, Morph; there were a lot of tools. But nowadays, I didn't find any useful tool to avoid this.

So, when I was working, I worked for Telefonica. When I was working at the security operations center, I had to deal with a customer that was scanning all his network every day, every day. I didn't have enough time, I didn't have alerts fast enough to notify him that I knew that he was scanning. So, I tried to make some kind of cool thing that was detecting the scannings with a program I made in Perl. But I also tried to fool him, like, hey, you are scanning, but you have a PlayStation inside your network, you have a Sony Ericsson Walkman, and
that's how we came to OSfooler. OSfooler: if you know, packets are inside the kernel space and you are on user space, so you cannot interact with packets in real time. So, the solution was to use NFQUEUE. NFQUEUE is an extension for iptables that accepts some extensions and lets you put all the packets inside some queues. So, you have two elements. You have a queue handler that deals with the packets with the kernel, so it tells the kernel, yes, give me the packets, and it moves them to user space. In user space, you can receive those packets, manipulate them and send them back. The only problem here is that you have a maximum queue length that is 1424, so you have to manipulate all those packets very, very fast, because if you don't and the queue gets full, all the traffic will be rejected, and that's a big problem.

So, just take a look, for example. Let me see if I can, okay, okay, now I think that you can see the screen. If you, for example, do an nmap scan of localhost, it will give no information. Why? Because I don't have any open ports, so let's start, for example, secure shell. So, I'm running a Kali; I have the Linux with kernel version 3, 3.7 to 3.10, so this is all the information that nmap can give me. So, we will be using our tool, OSfooler. OSfooler, it's working. So, what can you do? First of all, just to let you know that here we are only dealing with, in the case of nmap, only dealing with the specific tests for nmap. All the other traffic should go directly to your computer and shouldn't be manipulated in any way. So, for example, if you just want to take a look at what kind of operating systems you have: -n. We are interacting with the official nmap database, so you can just update it and be working. So, this is almost all the operating systems that are available right now. There are a lot of them; just to let you know, it has like 5500 signatures, so there are a lot of operating systems to emulate. So, if you do the same thing, for example, with p0f, the same. In this case, you have to deal with what kind of operating system you want, and then you go to the versions. In this case, nmap, with OSfooler, you can go both ways. You can specify, I want to be like a Windows, and I need the version to be like XP, or 2000, or maybe you just specify the family, I need to be Windows, and every packet that you are sending will be in a loop, and you will be changing your ID inside Windows. For example, the first one will be XP, the second one will be 98, the third one will be 2000, that kind of thing, randomly. There are not so many signatures for p0f. There are like 250, and there is a special flag that, if you just want to search, for example, give me all the information that you have, not for Windows, but let's see something that is smaller. For PlayStation, nmap has like one, two, three, four, five signatures available for PlayStation, and you have one available for p0f. In this case, there are two queues for the traffic. One will go to p0f, to passive fingerprinting, the other one will go only to nmap, so when you are running OSfooler, you get those different queues, and in this case, the program is running multi-threaded. So, I have made some tests, no, some stress tests, because the last day in the demo labs, people asked me about the performance. So, when using it on a web server without a lot of connections, you have to understand that you have 1024 packets per queue, but in the case of nmap, nmap sends like 20 packets. So, to get the queue full, you will need maybe like 200 attackers scanning at the same time, and yourself running a Celeron or something like that. So, if you just wanted to, let's search, if we can do nmap, grep, no, let's search our Windows of nmap. For example, this one.
Now I have the information, so let's emulate, to be Microsoft Windows 2000. And you get this info: you're emulating for nmap, you get the signature in the database, you can see that there are some probes that we should, we shouldn't respond to, for example, for UDP, for example, for ICMP. And if you open a new window, let's repeat the same test. You see, nmap thinks that we are running Microsoft Windows 2000, or maybe XP; that's because the signatures are very similar, and nmap doesn't have all the information it needs to complete the profiling of my operating system. If you use the verbose option, and you launch the same scan, you will get information for every packet that you receive from nmap. So, for example, you remember I told you that the UDP test in nmap has a payload of 300 Cs; you can see it here. So, this is not only useful to try to defeat nmap, but you can also let it run in the background, and write directly all this information to a log, and try to get information when you are getting scanned. The same thing we can do with, for example, p0f: we search Windows, for example, let's work with 2002. So, family is Windows, details, R, this, and interface would be localhost. The same thing we can do with p0f. The same, you get here the signature for Windows 2000, and let's get in p0f, just let me launch some localhost connections. If you see, I have started a secure shell connection, and p0f thinks that we are running Microsoft Windows XP. If you stop OSfooler and do the same thing, in this case, it doesn't have information, because it's a newer kernel, and the old database of p0f doesn't have it, but it's not the same signature. And you remember I told you that you can just specify the family. Just, I'm telling OSfooler to try to emulate almost every version of Windows it has on every new packet. So, if you launch p0f, you can see Windows CE, Windows 98, Windows 2000, Windows NT, Windows 98. So, on every connection, you will be changing, inside the same family, your fingerprint. You can go to random; in this case it's a SoundTouch audio receiver, Linux 2.6.39, or just search for, search for PlayStation. Now, let's see if we can get something cooler. Sony Ericsson Walkman mobile phone. Oh, and you see, same thing for this. So, it's very easy for the tool to get all this information, to read the Nmap database, to read p0f databases. The Nmap database is working like 95% the same, because there are some signatures that don't have all the fields, and I have to change the inner workings of OSfooler to change that, but in the case of p0f, it's running with almost every operating system. And, I think that's all. You
can get OSfooler using GitHub, or using pip, and feel free to collaborate on any issues that you find.

So, is there any question? Yes? I can hear you. No, no, no, in this case we are only dealing with active fingerprinting. No, this is not bulletproof; this is only a proof of concept for Nmap and for p0f. If you make some modifications in Nmap, for example, and you deal with some small changes, you can get information about the remote host. So, this is not bulletproof, this is only a proof of concept for those specific tools. You can still use, like, DHCP, you can use the MAC address, you can use timing attacks to identify the operating system. So, this is not working for every technique; it just should be working fine for these kinds of tools.

Yes? Excuse me? That's what I told you before, I haven't made any stress tests, but think of that: in the case of passive, you are only modifying the SYN packets, and in the case of Nmap, you are only dealing with almost 20 packets per scan. So, that shouldn't be a problem; you should maybe have a slow machine and have like 200 or 400 attackers scanning you at the same time to get the queue full, and the program works with multithreading, so I haven't made a lot of tests, but it should be working fine. I'm using it, like, on my pen tests, when I'm trying to do research, and it's working fine, with some services I have on the internet, and it's working okay. But if any of you can get that information about the performance, it would be great to have it inside the GitHub. Thank you.
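
As an added example (not OSfooler's code and not from the talk), the following pure-Python detector parses raw IPv4/TCP/UDP bytes and flags the probe traits described above: the Nmap UDP probe with its 300-byte 'C' payload, the T2-style null packet with the don't fragment bit set, and the SYN-with-payload quirk that p0f signatures record. The packets, addresses and ports are constructed inline, and the T2 window size the talk mentions is deliberately left unchecked.

```python
"""Flag the Nmap OS-detection probe traits described in the talk.

Added example, not OSfooler's code. Pure standard library: the sample
packets are constructed below with the same struct layouts the parser reads.
"""
import struct
from typing import List, Optional, Tuple

IP_DF = 0x4000                 # "don't fragment" bit in the IPv4 flags field
TCP_SYN, TCP_ACK = 0x02, 0x10  # the only TCP flag bits this detector needs
NMAP_UDP_PAYLOAD = b"C" * 300  # the talk: Nmap's UDP probe carries 300 times 'C'


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 fields used here and slice off the layer-4 segment."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total_len, ident, frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a sane IPv4 header")
    return {"id": ident, "df": bool(frag & IP_DF), "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "l4": pkt[ihl:total_len]}


def classify(pkt: bytes) -> Optional[str]:
    """Label a fingerprinting-relevant packet, or return None if it is ordinary.

    Only the traits the talk names are checked: the UDP probe payload, the
    T2-style null packet with DF set (its window size is deliberately not
    checked), and the SYN-with-payload quirk that p0f-style signatures record.
    """
    ip = parse_ipv4(pkt)
    l4 = ip["l4"]
    if ip["proto"] == 17 and len(l4) >= 8:            # UDP
        if l4[8:] == NMAP_UDP_PAYLOAD:
            return "nmap-udp-probe"
    elif ip["proto"] == 6 and len(l4) >= 20:          # TCP
        off_flags = struct.unpack("!H", l4[12:14])[0]
        flags = off_flags & 0x01FF                    # 9 flag bits incl. NS
        data = l4[(off_flags >> 12) * 4:]             # skip header + options
        if flags == 0 and ip["df"]:
            return "nmap-t2-style-null-df"
        if flags & TCP_SYN and not flags & TCP_ACK and data:
            return "syn-with-payload-quirk"
    return None


def build_ipv4(proto: int, l4: bytes, src: str = "192.0.2.10",
               dst: str = "192.0.2.20", df: bool = False, ttl: int = 64) -> bytes:
    """Constructed test packet; header checksum left at zero (nothing verifies it)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234,
                         IP_DF if df else 0, ttl, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header + l4


def build_tcp(sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """20-byte TCP header (data offset 5, no options) plus optional payload."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags,
                       128, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed capture (not real traffic): two probe traits, one quirk, two normal packets.
SAMPLE_CAPTURE = [
    build_ipv4(17, build_udp(40000, 40001, NMAP_UDP_PAYLOAD)),       # Nmap UDP probe
    build_ipv4(6, build_tcp(43210, 22, 0), df=True),                 # T2-style null + DF
    build_ipv4(6, build_tcp(43211, 22, TCP_SYN)),                    # ordinary SYN
    build_ipv4(6, build_tcp(43212, 80, TCP_SYN, payload=b"GET /")),  # SYN carrying data
    build_ipv4(17, build_udp(5353, 53, b"\x00" * 12)),               # ordinary UDP
]


def scan_capture(packets: List[bytes]) -> List[Tuple[int, str, str]]:
    """Run classify() over a packet list and return (index, label, source IP) hits."""
    hits = []
    for i, pkt in enumerate(packets):
        label = classify(pkt)
        if label:
            hits.append((i, label, parse_ipv4(pkt)["src"]))
    return hits


if __name__ == "__main__":
    for idx, label, src in scan_capture(SAMPLE_CAPTURE):
        print(f"packet {idx}: {label} from {src}")
```

On a real host the same classify() would sit behind the NFQUEUE handler the talk describes, feeding a log rather than answering the probe.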