fl0p - passive L7 flow fingerprinting



I'd like to announce the availability of a tool called fl0p, which I hope
might be of some interest to various network security dudes and dudettes
on the list (and will hopefully serve as a convenient framework for cool
research).

The tool is a simple flow-analyzing passive L7 fingerprinter. It examines
the sequence of client-server exchanges, their relative layer 7 payload
sizes, and transmission intervals (as opposed to inspecting the contents,
which is what most passive fingerprinters and "smart" sniffers would do to
analyze transmissions). This is then matched against a database of traffic
pattern signatures to infer some interesting facts about the traffic.

This is along the lines of research done by Solar Designer and Dug Song on
timing SSH sessions (though I do not focus on protocol design flaws); this
type of analysis got very little air time to date, but unjustly so - there
are several interesting benefits of even such a superficial flow analysis:

  - General insight into legitimate encrypted sessions can be gained:
    for example, it is trivial to remotely and automatically spot
    SSH login failures, and react accordingly: the timing and sequence
    of packets depending on the version of SSH, negotiated protocols,
    and authentication outcome, will differ quite drastically.

  - Human actions can be easily told apart from automated efforts
    based on the latency inherent to wetware I/O bus. As such, you can
    spot manual poking with your SMTP service despite the noise
    generated by Internet worms and spam zombies; or, you can tell
    even a subtle automated SSH login attempt from a typo done
    by a human being. This extends to most other text-based services.

    Even such subtle features as user security settings and displayed
    prompts can be determined: first-time cryptographic key trust question
    leaves its trace in session timings.

  - Rogue cryptography can be examined: general flow behavior remains
    relatively constant regardless of the technology used to hide
    the actual transferred data. As such, backdoors or firewall
    evasion techniques that use HTTPS on 443/tcp should be easy to
    diagnose, either by directly matching relaxed signatures for the
    tunneled traffic itself, or by spotting unusual client-server
    traffic / timing imbalances.

Now, of course, all this could be achieved before in a slow and painful
way - but with fl0p, you have a (primitive but working) tool to simply
say:

tcp * = < s27/15 c27/15 s300/100 > : SSH1 - client chose to refuse server key
tcp * = s12 c@1 s28 + c52 s@1 c@1 s@3 : SSH1 - invalid password attempt
tcp * = s12 c@1 s28 c52 s@1 c@1 s@3 : SSH1 - automated password guessing
tcp * = c30/30 + c1 c1 c1 : Possible manual Windows telnet input (2)

...then launch the program and go to the movies. An example of fl0p output
is as follows:

(tcp) 213.195.140.12:4667 -> 213.134.128.25:25
  Observed for: 188B, 6 packets, spans 17 seconds
  Matches: Possible manual line-by-line interaction (hit: 1)

(tcp) 83.31.193.40:3403 -> 213.134.128.25:22
  Observed for: 584B, 9 packets, spans 5 seconds
  Matches: SSH1 - client manually accepted key (hit: 1)

(tcp) 83.31.193.40:3406 -> 213.134.128.25:22
  Observed for: 820B, 18 packets, spans 9 seconds
  Matches: SSH1 - invalid password attempt (hit: 2)

(tcp) 83.31.193.40:3436 -> 213.134.128.25:22
  Observed for: 2.9kB, 19 packets, spans 2 seconds
  Matches: SSH2 - correct password (hit: 2)

The tool is available at:

http://lcamtuf.coredump.cx/fl0p-devel.tgz 

...and is of course LGPLed ("free as in communism").

It is fully functional, albeit still marked as "beta" because of a small
signature database (that I'm hoping to extend as a result of this
announcement) and (naturally) some spartan documentation. Because of this,
at this point, consider it more of a PoC / framework than a standalone
fire-and-forget server tool.

Your feedback, help, and above all, signature submissions, are as always
greatly appreciated.

Regards,
/mz
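
As an added illustration of the approach described in this announcement (not fl0p's code, and not its signature syntax): the sketch below collapses a packet trace into client/server turns, then matches each turn's payload size and preceding pause against signatures. The Step format, the 0.5-second HUMAN_GAP threshold, the labels and both traces are constructed assumptions.

```python
from dataclasses import dataclass

HUMAN_GAP = 0.5  # assumed threshold (seconds) separating human from scripted input

@dataclass
class Step:            # hypothetical signature element, not fl0p's format
    side: str          # 'c' (client) or 's' (server)
    size: int          # expected L7 payload bytes for the turn
    tol: int           # allowed +/- deviation in bytes
    pause: bool        # True: turn must follow a human-scale gap

def exchanges(packets):
    """Collapse (ts, side, payload_len) packets into (side, bytes, gap) turns."""
    turns, last_ts = [], None
    for ts, side, n in packets:
        if n == 0:                       # bare ACKs carry no L7 payload
            continue
        if turns and turns[-1][0] == side:
            turns[-1] = (side, turns[-1][1] + n, turns[-1][2])
        else:                            # new turn: gap since previous payload
            gap = 0.0 if last_ts is None else ts - last_ts
            turns.append((side, n, gap))
        last_ts = ts
    return turns

def matches(sig, flow):
    """True if the first len(sig) turns fit sides, sizes and pause flags."""
    if len(flow) < len(sig):
        return False
    for step, (side, size, gap) in zip(sig, flow):
        if side != step.side or abs(size - step.size) > step.tol:
            return False
        if (gap >= HUMAN_GAP) != step.pause:
            return False
    return True

def classify(packets, sigs):
    flow = exchanges(packets)
    return [name for name, sig in sigs if matches(sig, flow)]

# Constructed signatures: identical sizes, differing only in the final pause.
BASE = [Step('s', 12, 4, False), Step('c', 12, 4, False), Step('s', 28, 8, False)]
SIGS = [("interactive password entry", BASE + [Step('c', 52, 8, True)]),
        ("scripted password entry", BASE + [Step('c', 52, 8, False)])]

# Constructed traces: (timestamp, side, payload bytes); sizes only, no content.
HUMAN_FLOW = [(0.00, 's', 12), (0.02, 'c', 12), (0.05, 's', 28), (3.40, 'c', 52)]
BOT_FLOW = [(0.00, 's', 12), (0.02, 'c', 12), (0.05, 's', 28),
            (0.05, 'c', 0), (0.07, 'c', 30), (0.08, 'c', 22)]
```

Both traces carry the same byte counts per turn; only the pause before the last client turn separates them, which is why the classification works without reading any payload.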
