fl0p - passive L7 flow fingerprinting
I'd like to announce the availability of a tool called fl0p, which I hope
might be of some interest to various network security dudes and dudettes
on the list (and will hopefully serve as a convenient framework for cool
research).
The tool is a simple flow-analyzing passive L7 fingerprinter. It examines
the sequence of client-server exchanges, their relative layer 7 payload
sizes, and transmission intervals (as opposed to inspecting the contents,
which is what most passive fingerprinters and "smart" sniffers would do to
analyze transmissions). This is then matched against a database of traffic
pattern signatures to infer some interesting facts about the traffic.
This is along the lines of research done by Solar Designer and Dug Song on
timing SSH sessions (though I do not focus on protocol design flaws); this
type of analysis got very little air time to date, but unjustly so - there
are several interesting benefits of even such a superficial flow analysis:
- General insight into legitimate encrypted sessions can be gained:
for example, it is trivial to remotely and automatically spot
SSH login failures, and react accordingly: the timing and sequence
of packets depending on the version of SSH, negotiated protocols,
and authentication outcome, will differ quite drastically.
- Human actions can be easily told apart from automated efforts
based on the latency inherent to wetware I/O bus. As such, you can
spot manual poking with your SMTP service despite the noise
generated by Internet worms and spam zombies; or, you can tell
even a subtle automated SSH login attempt from a typo done
by a human being. This extends to most other text-based services.
Even such subtle features as user security settings and displayed
prompts can be determined: the first-time cryptographic key trust question
leaves its trace in session timings.
- Rogue cryptography can be examined: general flow behavior remains
relatively constant regardless of the technology used to hide
the actual transferred data. As such, backdoors or firewall
evasion techniques that use HTTPS on 443/tcp should be easy to
diagnose, either by directly matching relaxed signatures for the
tunneled traffic itself, or by spotting unusual client-server
traffic / timing imbalances.
Now, of course, all this could be achieved before in a slow and painful
way - but with fl0p, you have a (primitive but working) tool to simply
say:
tcp * = < s27/15 c27/15 s300/100 > : SSH1 - client chose to refuse server key
tcp * = s12 c@1 s28 + c52 s@1 c@1 s@3 : SSH1 - invalid password attempt
tcp * = s12 c@1 s28 c52 s@1 c@1 s@3 : SSH1 - automated password guessing
tcp * = c30/30 + c1 c1 c1 : Possible manual Windows telnet input (2)
...then launch the program and go to the movies. An example of fl0p output
is as follows:
(tcp) 213.195.140.12:4667 -> 213.134.128.25:25
Observed for: 188B, 6 packets, spans 17 seconds
Matches: Possible manual line-by-line interaction (hit: 1)
(tcp) 83.31.193.40:3403 -> 213.134.128.25:22
Observed for: 584B, 9 packets, spans 5 seconds
Matches: SSH1 - client manually accepted key (hit: 1)
(tcp) 83.31.193.40:3406 -> 213.134.128.25:22
Observed for: 820B, 18 packets, spans 9 seconds
Matches: SSH1 - invalid password attempt (hit: 2)
(tcp) 83.31.193.40:3436 -> 213.134.128.25:22
Observed for: 2.9kB, 19 packets, spans 2 seconds
Matches: SSH2 - correct password (hit: 2)
The tool is available at:
http://lcamtuf.coredump.cx/fl0p-devel.tgz
...and is of course LGPLed ("free as in communism").
It is fully functional, albeit still marked as "beta" because of a small
signature database (that I'm hoping to extend as a result of this
announcement) and (naturally) some spartan documentation. Because of this,
at this point, consider it more of a PoC / framework than a standalone
fire-and-forget server tool.
Your feedback, help, and above all, signature submissions, are as always
greatly appreciated.
Regards,
/mz
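To make the matching idea concrete, here is a small added example (not fl0p's own code, and not derived from its source) that parses signature lines of the shape shown in the announcement and counts hits against a recorded flow. The reading of the syntax is an assumption: `sN`/`cN` is a server- or client-originated segment with N payload bytes, `N/T` allows a tolerance of T bytes, `+` marks a human-scale pause before the next segment, and `<`/`>` anchor the pattern to the first and last segments of the flow. The `@` form from the announcement is deliberately rejected rather than guessed at, and the matcher only looks at contiguous segment windows. All flows below are constructed sample data.

```python
"""Toy passive flow fingerprinter in the spirit of fl0p's signature lines.

Assumed reading of the signature syntax (not fl0p's documented grammar):
  sN / cN   server- or client-originated segment carrying N bytes of L7 payload
  N/T       payload size N with tolerance +/- T bytes
  +         a human-scale pause (>= PAUSE_SEC) before the next segment;
            without '+', the next segment must arrive within PAUSE_SEC
  < ... >   pattern must start at the first / end at the last segment of the flow
  @ forms   not modelled; the parser raises ValueError instead of guessing
"""
from dataclasses import dataclass
import re

PAUSE_SEC = 1.0  # assumed threshold for "human" inter-packet latency, in seconds


@dataclass(frozen=True)
class Seg:
    direction: str          # "c" (client) or "s" (server)
    size: int               # expected L7 payload size in bytes
    tol: int                # allowed deviation from size
    pause_before: bool      # True if a '+' preceded this segment


@dataclass(frozen=True)
class Signature:
    proto: str
    port: str
    anchor_start: bool
    anchor_end: bool
    segs: tuple
    label: str


_TOKEN = re.compile(r"^([cs])(\d+)(?:/(\d+))?$")


def parse_signature(line):
    """Parse 'proto port = [<] tokens... [>] : label' into a Signature."""
    head, label = line.split(":", 1)
    lhs, pattern = head.split("=", 1)
    proto, port = lhs.split()
    toks = pattern.split()
    anchor_start = anchor_end = False
    if toks and toks[0] == "<":
        anchor_start, toks = True, toks[1:]
    if toks and toks[-1] == ">":
        anchor_end, toks = True, toks[:-1]
    segs, pending_pause = [], False
    for tok in toks:
        if tok == "+":
            pending_pause = True
            continue
        m = _TOKEN.match(tok)
        if not m:                       # covers the '@' forms we do not model
            raise ValueError(f"unsupported token {tok!r}")
        segs.append(Seg(m.group(1), int(m.group(2)), int(m.group(3) or 0), pending_pause))
        pending_pause = False
    return Signature(proto, port, anchor_start, anchor_end, tuple(segs), label.strip())


def is_supported(line):
    """True if the signature line uses only the subset of syntax modelled here."""
    try:
        parse_signature(line)
        return True
    except ValueError:
        return False


def _seg_ok(seg, obs, prev):
    """Check one observed (direction, size, timestamp) against a signature segment."""
    direction, size, ts = obs
    if direction != seg.direction or abs(size - seg.size) > seg.tol:
        return False
    if prev is None:                    # first segment of the window: no timing check
        return True
    gap = ts - prev[2]
    return gap >= PAUSE_SEC if seg.pause_before else gap < PAUSE_SEC


def match_flow(sig, flow):
    """Count contiguous windows of the flow that match the signature (fl0p-style 'hit' count)."""
    n, hits = len(sig.segs), 0
    for start in range(len(flow) - n + 1):
        if sig.anchor_start and start != 0:
            break
        if sig.anchor_end and start + n != len(flow):
            continue
        window = flow[start:start + n]
        if all(_seg_ok(seg, window[i], window[i - 1] if i else None)
               for i, seg in enumerate(sig.segs)):
            hits += 1
    return hits


def classify(flow, signatures):
    """Return [(label, hits)] for every signature that matches the flow."""
    return [(s.label, h) for s in signatures if (h := match_flow(s, flow))]


# Signature lines taken from the announcement (those without the '@' form).
SIGNATURE_LINES = [
    "tcp * = < s27/15 c27/15 s300/100 > : SSH1 - client chose to refuse server key",
    "tcp * = c30/30 + c1 c1 c1 : Possible manual Windows telnet input (2)",
]

# Constructed flows: (direction, payload bytes, seconds since flow start).
MANUAL_TELNET = [("c", 25, 0.0), ("c", 1, 2.5), ("c", 1, 2.8), ("c", 1, 3.1)]
AUTOMATED_TELNET = [("c", 25, 0.0), ("c", 1, 0.1), ("c", 1, 0.2), ("c", 1, 0.3)]
KEY_REFUSED = [("s", 30, 0.0), ("c", 20, 0.05), ("s", 280, 0.1)]

if __name__ == "__main__":
    sigs = [parse_signature(s) for s in SIGNATURE_LINES]
    for name, flow in [("manual telnet", MANUAL_TELNET), ("automated telnet", AUTOMATED_TELNET),
                       ("key refused", KEY_REFUSED)]:
        print(name, "->", classify(flow, sigs))
```

The interesting part for a defender is the pause handling: the same byte-size pattern is classified as manual only when the gap before the single-character segments exceeds the latency threshold, which is exactly the human-versus-script distinction the announcement describes.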