Presentation Title: presented at HITBSecConf Malaysia 2006

by Carlos Sarraute,

Tags: Security Analysis Cryptography

Summary : Using Neural Networks and Statistical Machinery to improve remote OS DetectionPresentation Details:The problem of remote Operating System (OS) Detection is a crucial step of the penetration test process, since the attacker needs to know the OS of the target host in order to choose the exploits that he will use. The first fingerprinting implementations were based on the analysis of differences between TCP/IP stack implementations. The next generation focused the analysis on application layer data such as the DCE RPC endpoint information. Even though more information was analyzed, some variation of the “best fit” algorithm was still used to interpret this new information, which will not work in non-standard situations and is unable to extract the key elements which uniquely identify an operating system.Our new approach involves an analysis of the composition of the information collected during the OS identification process to identify key elements and their relations. We will present an analysis, based on Neural Networks and statistical tools, of the tests used as stimulus to find out which are the most significant respect to OS detection, and show how these tests can be expanded and optimized.We will also present two working OS detection modules: one which uses DCE-RPC endpoints to distinguish Windows versions, and another which uses Nmap signatures to distinguish Windows, Linux, Solaris and BSD systems. We will explain the inner workings of the neural networks and the fine tuning of their parameters; and show successful results.About CarlosCarlos Sarraute has studied Mathematics at the University of Buenos Aires. He has been working since 2000 in CoreLabs, the research laboratory of Core Security Technologies. His areas of research are security vulnerabilities, attack planning and modeling, security events visualization, secure triggers, protocol design flaws (MySQL authentication, SSH timing analysis) and cryptoanalysis. He has given talks and courses about information security and cryptography in several universities in Argentina.** Presenting withJavier Burroni