Advanced Methods to remotely

determine Application Versions

Dr. Craig S Wright (GSE- Compliance)

SANS NS 2008 Las Vegas

Cyber Attack complexity
Continues To develop Cross site scripting
bots

stealth / advanced
Tools
High scanning techniques
Staged
packet spoofing denial of service attack
sniffers distributed
attack tools
Intruder sweepers www attacks
Knowledge
automated probes/scans
GUI
back doors
disabling audits network mgmt. diagnostics
hijacking
burglaries sessions
Attack exploiting known vulnerabilities
Sophistication
password cracking
self-replicating code
password guessing
Attackers
Low
Source: CERT 1980 1985 1990 1995 2000
Abstract ( A little reading for later)

Statistical and Machine learning techniques make the hiding

of information difficult. Statistical methods such as neural
network perceptrons and classification algorithms including
Random Forest ensembles allow for the determination of
software version and patch levels.

These methods can be used to find server versions and patch

levels using standard calls to the application server. This
appears as standard traffic to the server and does not register
as an attack. This bypasses controls (such as the renaming of
DNS versions in Bind) allowing an attacker to remotely gather
information regarding the patch levels of a system.
 Implementing Procedure
Wenke Lee, Sal Stolfo, & Kui Mok., (1999)
A Data Mining Framework for Building Intrusion Detection Models,
Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, CA, May 1999

Pre-Processing Process raw packet data

Feature construction Create statistic features

Apply algorithm Rule learning

Application Identification

Application Identification = Application Detection =

Application Fingerprinting = List of Known
Vulnerabilities and Exploits

Critical step successfully identifying an attacker

Passively monitor packets and host responses
Analyse normal traffic

Analysis of differences

Application Specific Settings In this case DNS

 Nmap Database OS Identification has been
around for a long time
Nmap is a network exploration tool and security scanner
includes OS detection based on the response of a host to 9 tests

Test send packet to port with flags enabled

T1 TCP open TCP SYN, ECN-Echo
T2 TCP open TCP no flags
T3 TCP open TCP URG, PSH, SYN, FIN
T4 TCP open TCP ACK
T5 TCP closed TCP SYN
T6 TCP closed TCP ACK
T7 TCP closed TCP URG, PSH, FIN
PU UDP closed UDP
TSeq TCP * 6 open TCP SYN
 Nmap signature database

Utilise the Nmap (and P0F) signature database

A signature is a set of rules describing how a specific
version / edition of an OS responds to the tests.
Example:
# Linux 2.6.1 x86
Fingerprint Linux 2.6.1 x86
Class Linux | Linux | 2.6.X | general purpose
TSeq(Class=RI%gcd=<6%SI=<2D3CFA0&>73C6B%IPID=Z%TS=1000HZ)
T1(DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
LOTS of Unpatched DNS Servers
LOTS of Unpatched DNS Servers

Results from 2008

Percentage
of Total
Vulnerable (MiTM, "Adequately Servers
Server Types Phishing etc) Secure" Sampled

ISC BIND 79.55% 21.87% 65.55%

Microsoft 84.15% 15.50% 16.56%

Tiny
DNS/PowerDNS NA NA 2.22%

Other (or
Unknown) NA NA 15.67%

Total / Overall -1- -2-

DNS The Issues

Random is not always random

Random enough may stop packet

interception, but not fingerprinting

Nearly 42,000 DNS Servers are vulnerable

to shell exploits from DNS vulnerabilities
alone!
Classifications

Classifications have been developed for:

BIND
Microsoft DNS
TinyDNS
PowerDNS
simple DNS
Cisco CNR
incognito DNS Commander
NSD, and
Other (all else)
These are divided into the following
Sub-Classes

These have the following sub-classifications:

BIND 9.5.0a1 - 9.5.0b1 Microsoft - Server 2003
BIND 9.4.0a - 9.4.2 Microsoft - Server 2003
BIND 9.2.3rc1 - 9.4.0a0 Microsoft NT 4.0
BIND 9.2.0rc7 - 9.2.2-P3
BIND 9.2.0rc4 - 9.2.0rc6
BIND 9.2.0a1 - 9.2.0rc3
BIND 9.1.0 - 9.1.3
BIND 9.0.1 - 9.1.0
BIND 9.0.0b5 - 9.0.1
BIND 8.4.7-P1
BIND 8 plus root-server modification
BIND 8 (all other versions)
BIND 4.x
Random Forests

Random forests are an ensemble

technique
They select from many decision trees
results
Random Forests

Comparing the LDA results and Random

Forest results can be highly revealing.
Where the Random Forest result is a much
smaller error rate than LDA,
either that the LDA analysis has not adequately
accounted for nonlinearities in covariate effects,
or that interactions may be important,
or both.
A random forest
algorithm is an
ensemble of
unpruned decision
trees.
What do we choose as the input?

Different versions of DNS software

(even to the patch level) respond
differently to unusual requests
What RRs are available?
Not all BIND servers support SRV
records
Random is not always quite random
Where do we
find Servers to
Test?

Reverse (In-
Addr.Arpa)
DNS is a
start.
Where do we
find Servers to
Test?

ISPs oblige
with zone
information
for most of
the rest
Random is not always Random

Different systems implement

randomness differently.
Microsoft Windows 2000
(selected hotfixes)
BIND 9.
Even when random

An analysis of Standard Variance,

Moving Average and other measures
can vary
Even when the data is random, there
can be differences
This gives Input into the algorithm

As Do the
Protocol
Differences
Differences in DNS information
also varies
1 Header 2 3 Question 4 5 Answer/etc
6 7 8 9 10
11 ID 12 13 QNAME 15 16 NAME
14
17 QR 25 26 QTYPE 27 28 TYPE
18 OPCODE 29 30 QCLASS 31 32 CLASS
19 AA
20 TC 33 34 35 36 TTL
21 RD 37 38 39 RDLENGTH
22 RA
23 Z
24 RCODE
40 QDCOUNT 41 42 43 RDATA
44
45 ANCOUNT 46 47 48
49 NSCOUNT 50 51
52 ARCOUNT 53 54
When things follow the Standards

The content of the question, answer, authority, and

additional sections of the DNS packet serve separate goals.
They are however always formatted in the same order and are
always structured the same.

The flags are divided as follows:

4 bits 3 bits (always 0)

| |
| |
[QR | OPCODE | AA| TC| RD| RA | zero | RCODE ]
|
| |___|___|___|___| |
| | 4 bits
| |
1 bit 1 bit
The DNS Question Section holds the query name, query type and query class values.
What if we set an Unusual Flag
Combination?

Not only is there a difference in

response from Microsoft, BIND etc
There are differences in patch levels
What do we do with all of this?

We have collected a large amount of data.

The question is HOW do we process it all?

Let RF find the patterns, then build

Perceptrons
Neural networks

Its possible to distinguish Application versions and patch level

based on the permutations of endpoints presented by the flags

The goal is to model the function which maps endpoints

combinations, IP Options, IP Fragmentation, IP Header details and
OS versions with a multilayer perceptron neural network

Several questions arise:

What Type of neural network to use?
What is the best way to organise the neurons?
How do endpoints combinations map to neural network inputs?
What is the best way to train the network?
Multilayer Perceptron Neural
Network
Multi-Layer layer topology

Input layer
one neuron for each Input
Map for IP Options, Malware and Buffer overflow
conditions, etc

Hidden neuron layer

each neuron represents combinations of inputs

Output layer
These supply the output is it an attack, needs
further investigation or ok
 What is a perceptron?

x1 xn are the inputs of the

neuron
wi,j,0 wi,j,n are the weights
f is a non linear activation
function
hyperbolic tangent (tanh)
vi,j is the output of the
neuron
Training of the network = finding the weights
for each neuron
Back propagation

Train the system with by back-propagation:

for the output layer
given an expected output y1 ym
calculate an estimation of the error

this is propagated to the previous layers as:

New weights

The new weights, at time t+1, are:

where:

learning rate momentum

Neural Network inputs
Assign a set of inputs neurons for each test
Details for tests T1 T7:

one neuron for ACK flag

one neuron per response: S, S++, O
one neuron for DF flag
one neuron per response: yes/no
one neuron for Flags field
one neuron for each flag: ACK, ECE, FIN, PSH, RST, SYN, URG
Multiple groups of neurons for Options fields
one neuron in each group according to the options
eg ECHOED, EOL, MAXSEG, NOP, TIMESTAMP, WINDOW
one neuron for W field (window size)
One Neuron for each malware flag
Correlation matrix
Compute the correlation matrix R:

After normalization becomes:

expected value

The correlation is a dimensionless measure of statistical dependence

closer to 1 or -1 indicates higher dependence
linear dependent columns of R indicate dependent variables
keep one solution and eliminate the others
constants have zero variance and are also eliminated
Extending the method

There is no reason why the method can not

be extended to have more versions of DNS -
other than time (this was a proof of concept
exercise).
The method can also be used for other
applications - eg Apache.
What Does all this Mean?

Though Obscurity is not dead (the

methods are too complex for most
people to run), it is Undead.
No Matter how many headers you
change, somebody can find what version
AND patch level you are running.
And then use this for an exploit
What is the REAL Issue

Hiding is NOT Patching

Obscure Servers are still Vulnerable
At least one 2LD Server was being used to
forward Kiddie Porn Sites
Matter now with the NSW Police
Future work

Improve the Analyse the key elements

Analysis of the final weights
Fuzzing for refined detection
Correlation matrix reduction
Principal Component Analysis
MARS (Multivariate Adaptive Regression Splines)

Add noise and Known software filtering

Modify input on known software presence
Integration into different Pen Test/Attacker Software (eg
Core Impact, Metasploit)
 Questions?

Thank you!

Craig.Wright@bdo.com.au