Difference between pages "OS fingerprinting" and "SSL forensics"

From ForensicsWiki

= OS fingerprinting =

'''OS fingerprinting''' is the process of determining the [[operating system]] used by a host on a network.

== Active fingerprinting ==

Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.

== Passive fingerprinting ==

Passive fingerprinting is the process of analysing packets sent by a host on a network. In this case the fingerprinter acts as a [[sniffer]] and does not put any traffic on the network.

== Fingerprinting techniques ==

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.

Common techniques are based on analysing:

* IP TTL values;
* IP ID values;
* TCP window size;
* TCP options (generally in TCP SYN and SYN+ACK packets);
* DHCP requests;
* ICMP requests;
* HTTP packets (generally the User-Agent field).

Other techniques are based on analysing:

* Running services;
* Open port patterns.

== Limitations ==

Many passive fingerprinters get confused when analysing packets coming from a NAT device, because hosts running different operating systems appear behind a single address.

== Tools ==

Active fingerprinters:

* [[Nmap]]

Passive fingerprinters:

* [[NetworkMiner]]
* [[p0f]]
* [[Satori]]

== See Also ==

* [[NAT detection]]

== Links ==

* [http://nmap.org/book/osdetect.html Remote OS detection paper]

[[Category:Network Forensics]]

= SSL forensics =

'''SSL (TLS) forensics''' is the process of capturing information exchanged through SSL (TLS) connections and trying to make sense of it in some kind of forensic capacity.

== Overview ==

TLS (''Transport Layer Security'') provides authentication and [[encryption]] for many network protocols, such as ''POP'', ''IMAP'', ''SMTP'' and ''HTTP''. It is also possible to tunnel almost any TCP-based protocol through TLS using tools such as [http://stunnel.mirt.net/ stunnel].

In most TLS deployments only the server is authenticated, using a signed certificate; the client usually is not.

== Data decryption ==

Data exchanged through SSL (TLS) connections can be decrypted by performing a ''man-in-the-middle'' attack: the attacker intercepts the TLS handshake and presents its own certificate (with the attacker's encryption keys) to the client.

Some commercial [[network forensics]] systems can perform such an attack:

* Mera Systems [http://netbeholder.com/en/products/lawful_interception.html Sleek Buster] (supports forged certificates signed by a trusted CA)
* [http://www.edecision4u.com/edecision4u/Products.html E-Detective HTTPS/SSL Network Packet Forensics Device]

As well as some open-source tools:

* [http://ettercap.sourceforge.net/ ettercap] (unsupported, last version 2005/05/29)
* [http://monkey.org/~dugsong/dsniff/ dsniff] (obsolete, last stable version 2000/12/17)

== Other information ==

Even without decryption, the TLS protocol leaks some significant information:

* The current date and time on the TLS client and server (old versions of [[Firefox]] and [[Thunderbird]] leak the system's uptime);
* The hostname being accessed (the "server_name" extension);
* The size of the original data.

== [[The Onion Router]] ==

[[Tor]] tunnels application data through TLS connections, and it is not possible to decrypt such connections by performing a traditional ''man-in-the-middle'' attack. [[Tor]] also sends application data in chunks to make it harder to guess exactly how many bytes users are communicating.

== Links ==

* [http://rfc.net/rfc2246.html RFC 2246 (TLS 1.0)]
* [http://rfc.net/rfc4346.html RFC 4346 (TLS 1.1)]
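The passive techniques listed on the OS fingerprinting page above (IP TTL, IP ID, TCP window size and TCP option layout, all read from a SYN) can be shown with a small p0f-style matcher. The following is an added example written for this wiki page; it is not code from ForensicsWiki, p0f or any other tool named here. The signature table is illustrative and constructed for this example (it is not p0f's database), and the two sample SYN packets are constructed as well: they carry zeroed checksums and addresses from the 192.0.2.0/24 documentation range. It also shows why the NAT limitation arises: the only thing the matcher sees is per-packet header fields, so two different stacks behind one address simply produce two conflicting fingerprints for that address.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Illustrative signature table, constructed for this example (not p0f's
# database): name, initial TTL, DF bit, TCP window, TCP option layout.
SIGNATURES = [
    ("Linux 2.6 (example sig)",  64,  True, 5840,  ("MSS", "SACK", "TS", "NOP", "WS")),
    ("Windows XP (example sig)", 128, True, 65535, ("MSS", "NOP", "NOP", "SACK")),
    ("Windows 7 (example sig)",  128, True, 8192,  ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
    ("FreeBSD (example sig)",    64,  True, 65535, ("MSS", "NOP", "WS", "SACK", "TS")),
]
TCP_OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}


@dataclass
class SynFingerprint:
    ttl: int                    # TTL as observed on the wire
    initial_ttl: int            # guessed initial TTL (32/64/128/255)
    hops: int                   # initial_ttl - ttl: estimated distance to the host
    ip_id: int
    df: bool                    # IP "don't fragment" bit
    window: int                 # TCP window size
    options: Tuple[str, ...]    # option layout in wire order
    mss: Optional[int]
    wscale: Optional[int]


def guess_initial_ttl(ttl: int) -> int:
    """Stacks start from a few well-known TTLs; round the observed value up to the nearest."""
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def parse_tcp_options(raw: bytes):
    """Return (option layout, MSS, window scale); stops at EOL or on malformed data."""
    names, mss, wscale, i = [], None, None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL: only padding follows
            break
        if kind == 1:                       # NOP carries no length byte
            names.append("NOP"); i += 1; continue
        if i + 1 >= len(raw):
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                           # malformed option: stop rather than misparse
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        names.append(TCP_OPTION_NAMES.get(kind, "OPT%d" % kind))
        i += length
    return tuple(names), mss, wscale


def fingerprint_syn(packet: bytes) -> SynFingerprint:
    """Extract the passive-fingerprinting fields from a raw IPv4 + TCP SYN packet."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    _total, ip_id, flags_frag, ttl, proto = struct.unpack("!HHHBB", packet[2:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x02:              # SYN set, ACK clear
        raise ValueError("not a pure SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    options, mss, wscale = parse_tcp_options(tcp[20:data_offset])
    initial = guess_initial_ttl(ttl)
    return SynFingerprint(ttl, initial, initial - ttl, ip_id, bool(flags_frag & 0x4000),
                          window, options, mss, wscale)


def match_signature(fp: SynFingerprint):
    """Names of signatures whose initial TTL, DF, window and option layout all match."""
    return [name for name, ittl, df, win, opts in SIGNATURES
            if (fp.initial_ttl, fp.df, fp.window, fp.options) == (ittl, df, win, opts)]


def build_syn(ttl, ip_id, df, window, options_raw):
    """Build a constructed IPv4 + TCP SYN (checksums zeroed, documentation addresses)."""
    tcp_len = 20 + len(options_raw)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options_raw


# Two constructed sample SYNs (not real captures), 7 and 11 hops away respectively.
SAMPLE_LINUX_SYN = build_syn(57, 0, True, 5840,
    b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8 + b"\x01" b"\x03\x03\x07")
SAMPLE_WIN7_SYN = build_syn(117, 0x1234, True, 8192,
    b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x08" b"\x01\x01" b"\x04\x02")

if __name__ == "__main__":
    for sample in (SAMPLE_LINUX_SYN, SAMPLE_WIN7_SYN):
        fp = fingerprint_syn(sample)
        print(fp, "->", match_signature(fp) or ["unknown"])
```

A real fingerprinter would feed `fingerprint_syn` every SYN from a capture and keep the result per source address; when one address yields contradictory fingerprints over time (say, a 64-TTL Linux layout and a 128-TTL Windows layout), that inconsistency is itself a useful signal that the address is a NAT device rather than a single host.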

Revision as of 12:42, 20 July 2008
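The handshake leaks listed under "Other information" on the SSL forensics page above (client time, server_name, data size) can be read from a capture without any decryption, which is the part of SSL forensics that remains available when a man-in-the-middle is neither possible nor desirable. The following is an added example written for this wiki page, not code from ForensicsWiki or any tool it names. It builds a constructed TLS 1.0 ClientHello (hostname mail.example.net from the reserved example domains, and a gmt_unix_time chosen to equal this page's revision time) followed by one constructed application-data record, then parses the record stream to report the client's clock, the server_name extension and the sizes of the encrypted records.

```python
import struct
from datetime import datetime, timezone

# TLS record content types (RFC 2246).
HANDSHAKE, APPLICATION_DATA = 22, 23


def parse_records(stream: bytes):
    """Split a raw TLS byte stream into (content_type, version, payload) records."""
    records, i = [], 0
    while i + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[i:i + 5])
        payload = stream[i + 5:i + 5 + length]
        if len(payload) < length:           # truncated capture: stop cleanly
            break
        records.append((ctype, version, payload))
        i += 5 + length
    return records


def parse_sni(ext: bytes):
    """Return the host_name entry of a server_name extension body, or None."""
    list_len = struct.unpack("!H", ext[:2])[0]
    p, end = 2, 2 + list_len
    while p + 3 <= end:
        name_type, name_len = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
        name = ext[p + 3:p + 3 + name_len]
        p += 3 + name_len
        if name_type == 0:                  # 0 = host_name
            return name.decode("ascii", "replace")
    return None


def parse_client_hello(hs: bytes):
    """Pull the forensically interesting fields out of a ClientHello handshake message."""
    if not hs or hs[0] != 1:                # handshake type 1 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, gmt_unix_time = struct.unpack("!HI", body[:6])   # random begins with gmt_unix_time
    p = 34                                  # skip client_version (2) + random (32)
    p += 1 + body[p]                        # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher_suites
    p += 1 + body[p]                        # compression_methods
    sni = None
    if p + 2 <= len(body):                  # the extensions block is optional
        ext_len = struct.unpack("!H", body[p:p + 2])[0]
        p, end = p + 2, p + 2 + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            if etype == 0:                  # server_name extension
                sni = parse_sni(body[p + 4:p + 4 + elen])
            p += 4 + elen
    utc = datetime.fromtimestamp(gmt_unix_time, tz=timezone.utc)
    return {"version": version, "gmt_unix_time": gmt_unix_time,
            "utc": utc.strftime("%Y-%m-%dT%H:%M:%SZ"), "sni": sni}


def summarize(stream: bytes):
    """Metadata visible to a passive observer: ClientHello fields and encrypted record sizes."""
    summary = {"app_data_sizes": []}
    for ctype, _version, payload in parse_records(stream):
        if ctype == HANDSHAKE and summary.get("sni") is None:
            hello = parse_client_hello(payload)
            if hello:
                summary.update(hello)
        elif ctype == APPLICATION_DATA:
            # Ciphertext length is plaintext length plus MAC and padding, so it bounds the original size.
            summary["app_data_sizes"].append(len(payload))
    return summary


def build_client_hello(unix_time: int, hostname: bytes) -> bytes:
    """Constructed TLS 1.0 ClientHello carrying a server_name extension (sample input only)."""
    entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    sni_ext = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x01" + struct.pack("!I", unix_time) + b"\x11" * 28   # version + random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", 4) + b"\x00\x2f\x00\x35"               # two RSA/AES-CBC suites
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample stream: a ClientHello followed by one 48-byte encrypted record.
SAMPLE_STREAM = (build_client_hello(1216557720, b"mail.example.net")
                 + b"\x17\x03\x01" + struct.pack("!H", 48) + b"\x00" * 48)

if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))
```

Comparing the reported `utc` value against the capture timestamp gives the client's clock skew; a client that always reports a small, steadily increasing value is one of the uptime-leaking builds the page mentions. The ServerHello carries a random of the same layout, so the same `struct.unpack("!HI", ...)` read applied to the server's handshake message yields the server clock.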
