
Fingerprinting


My presentation for rannts#22 meetup


Sergey Arkhipov

March 23, 2019

Transcript

  1. None
  2. Fingerprinting: fingerprinting is an operation that uniquely identifies a client.

  3. Fingerprinting

      Fingerprinting to distinguish software:
      - Needed to identify the client as software interacting with the service;
      - Not necessarily composite; each client may have several fingerprints.

      Fingerprinting to identify a user:
      - Needed to identify the client as a person;
      - May be composite: several fingerprints are combined into a global identifier;
      - Has a "viral" nature.
  4. [Chart: TLS, HTTP, JavaScript, TCP/IP; labels: "User identification", "Software distinguishability", "Hard", "Easy"]

  5. TLS HTTP JavaScript TCP/IP

  6. JavaScript

  7. JavaScript

  8. JavaScript: Canvas Fingerprinting

      ```javascript
      function fingerprint() {
        const canvas = document.createElement('canvas')
        const ctx = canvas.getContext('2d')
        const txt = 'i9asdm ..$#po((^@KbXrww!~cz'
        // Draw text and shapes whose rasterization differs between platforms
        ctx.textBaseline = "top"
        ctx.font = "16px 'Arial'"
        ctx.textBaseline = "alphabetic"
        ctx.rotate(.05)
        ctx.fillStyle = "#f60"
        ctx.fillRect(125,1,62,20)
        ctx.fillStyle = "#069"
        ctx.fillText(txt, 2, 15)
        ctx.fillStyle = "rgba(102, 200, 0, 0.7)"
        ctx.fillText(txt, 4, 17)
        ctx.shadowBlur = 10
        ctx.shadowColor = "blue"
        ctx.fillRect(-20,10,234,5)
        // The serialized pixels are the fingerprint input
        return canvas.toDataURL()
      }
      ```
  9. JavaScript: WebGL Fingerprinting

  10. JavaScript: Font Fingerprinting. The quick brown fox jumps over the lazy dog (the sample line is repeated down the slide)
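  11. JavaScript: Fingerprint

      ```python
      import hashlib

      def make_hasher(previous_value):
          # Assumed: make_hasher is not defined on the slide; SHA-1 seeded with the previous value.
          return hashlib.sha1(previous_value)

      def fingerprint(previous_value, features):
          hasher = make_hasher(previous_value)
          for idx, feature in enumerate(features):
              hasher.update(bytes([idx]))  # feature index separates the inputs
              hasher.update(feature())     # each feature() must return bytes
          return hasher.digest()
      ```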
  12. JavaScript: Canvas Fingerprinting

  13. TLS HTTP JavaScript TCP/IP

  14. HTTP: Cache poisoning

      ```
      HTTP/1.1 200 OK
      ETag: "27dc5-556d73fd7fa43-gzip"
      …

      GET /object HTTP/1.1
      If-None-Match: "27dc5-556d73fd7fa43-gzip"
      …
      ```
  15. HTTP

      ```
      Host: some.hostname
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      Accept-Encoding: deflate, gzip, br
      Accept-Language: en-US,en;q=0.9
      Connection: keep-alive
      ```
  16. HTTP

      ```
      Host: some.hostname
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
      Accept-Encoding: deflate, gzip, br
      Accept-Language: en-US,en;q=0.9
      Connection: keep-alive
      ```

      ```
      Host: some.hostname
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:66.0) Gecko/20100101 Firefox/66.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: deflate, gzip, br
      Connection: keep-alive
      Upgrade-Insecure-Requests: 1
      ```
  17. HTTP: default headers + Cookie + Referer + Authorization + DNT: 21 combinations!
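  18. HTTP

      ```python
      import hashlib

      # Assumed sample (not on the slide): header name -> True if the value is hashed too
      header_types = {"User-Agent": False, "Accept": True, "Accept-Language": True}

      def header_fingerprint(headers):
          fingerprint = hashlib.sha1()
          for name, value in headers:  # iterable of (name, value) string pairs
              if (consider_value := header_types.get(name)) is not None:
                  fingerprint.update(b"\x00" + name.encode())
                  if consider_value:
                      fingerprint.update(b"\x01" + value.encode())
          return fingerprint.digest()
      ```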
  19. HTTP

  20. TLS HTTP JavaScript TCP/IP

  21. TLS

  22. TLS

  23. TLS: the very first packet. The New Illustrated TLS Connection (https://tls13.ulfheim.net + https://tls12.ulfheim.net)
      - Client version;
      - Cipher suites;
      - Extension: Supported Groups;
      - Extension: Signature Algorithms;
      - Supported versions;
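  24. TLS

      ```python
      import hashlib

      def tls_fingerprint(first_frame):
          # first_frame: raw bytes of the first TLS record (the ClientHello)
          hasher = hashlib.sha1()
          hasher.update(b"\x00" + first_frame[9:11])  # client version
          # Byte 43 is the session ID length: it follows the 5-byte record header,
          # 4-byte handshake header, 2-byte version and 32-byte random.
          session_id_length = first_frame[43]
          hasher.update(b"\x01" + first_frame[44:44 + session_id_length])
          next_offset = 44 + session_id_length
          cipher_suites_length = int.from_bytes(first_frame[next_offset:next_offset+2], byteorder="big")
          hasher.update(b"\x03" + first_frame[next_offset+2:next_offset+2+cipher_suites_length])
          ...
          return hasher.digest()
      ```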
  25. TLS

  26. TLS HTTP JavaScript TCP/IP

  27. TCP handshake
      - Initial packet size (16 bits)
      - Initial TTL (8 bits)
      - Window size (16 bits)
      - Max segment size (16 bits)
      - Window scaling value (8 bits)
      - "don't fragment" flag (1 bit)
      - "sackOK" flag (1 bit)
      - "nop" flag (1 bit)
  28. None
  29. None
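
Added example, not from the talk: a ClientHello parser that walks the length-prefixed fields listed on slide 23 instead of using fixed offsets, so the fingerprint stays stable when the random and session ID change between connections. The names `parse_client_hello`, `client_hello_fingerprint`, `build_sample` and `FIELDS` are hypothetical, the sample record is constructed, and the index-byte hashing follows the pattern of slide 11 as an assumption.

```python
import hashlib
import struct

FIELDS = {10: "supported_groups", 13: "signature_algorithms", 43: "supported_versions"}

def parse_client_hello(record: bytes) -> dict:
    """Extract the slide-23 fields from one TLS record holding a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record with a ClientHello")
    try:
        out = {"client_version": record[9:11]}   # after 5-byte record + 4-byte handshake header
        pos = 43                                 # skip version (2) and random (32)
        pos += 1 + record[pos]                   # session ID is variable length: skip it
        (cs_len,) = struct.unpack_from("!H", record, pos)
        out["cipher_suites"] = record[pos + 2:pos + 2 + cs_len]
        pos += 2 + cs_len
        pos += 1 + record[pos]                   # compression methods
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos, end = pos + 2, min(pos + 2 + ext_total, len(record))
        while pos + 4 <= end:                    # walk type/length/value extensions
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type in FIELDS:
                out[FIELDS[ext_type]] = record[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return out

def client_hello_fingerprint(record: bytes) -> str:
    fields = parse_client_hello(record)
    hasher = hashlib.sha1()
    names = ["client_version", "cipher_suites", *FIELDS.values()]
    for idx, name in enumerate(names):
        hasher.update(bytes([idx]) + fields.get(name, b""))   # index byte separates fields
    return hasher.hexdigest()

def build_sample(random: bytes, session_id: bytes) -> bytes:
    """Constructed ClientHello for the demo (not a capture)."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in (
        (10, bytes.fromhex("0004001d0017")),     # supported_groups
        (13, bytes.fromhex("000404030804")),     # signature_algorithms
        (43, bytes.fromhex("0403040303"))))      # supported_versions
    body = (b"\x03\x03" + random + bytes([len(session_id)]) + session_id
            + bytes.fromhex("000413011302") + b"\x01\x00"   # cipher suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Two samples built with different random values and session ID lengths yield the same fingerprint, because only the negotiation parameters are hashed.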
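
Added example, not from the talk: extracting the slide-27 fields from a raw IPv4 packet carrying a TCP SYN, as a passive sensor would before comparing them against known client profiles. `syn_features` and `SAMPLE_SYN` are hypothetical names, the packet is constructed, and estimating the initial TTL by rounding the observed value up to 32, 64, 128 or 255 is an assumption of this example.

```python
import struct

# Constructed IPv4 + TCP SYN (documentation addresses, zero checksums); not a capture.
SAMPLE_SYN = bytes.fromhex(
    "4500003c1c46400039060000c000020ac6336414"      # IPv4: DF set, TTL 57, total length 60
    "c35001bb0000000100000000a002faf000000000"      # TCP: SYN, window 64240
    "020405b40402080a000000010000000001030307")     # MSS 1460, sackOK, timestamp, nop, wscale 7

def syn_features(packet: bytes) -> dict:
    """Extract the slide-27 fields from a raw IPv4 packet carrying a TCP SYN."""
    if len(packet) < 40:
        raise ValueError("too short for IPv4 + TCP headers")
    ver_ihl, _, total_len, _, flags_frag, ttl, proto = struct.unpack_from("!BBHHHBB", packet)
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected IPv4 carrying TCP")
    tcp = packet[(ver_ihl & 0x0F) * 4:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    off_flags, window = struct.unpack_from("!HH", tcp, 12)
    if off_flags & 0x012 != 0x002:                   # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    feats = {
        "packet_size": total_len,
        # Assumption: the sender started from a common default; round the observed TTL up.
        "initial_ttl": next(t for t in (32, 64, 128, 255) if ttl <= t),
        "window_size": window, "mss": None, "window_scale": None,
        "dont_fragment": bool(flags_frag & 0x4000), "sack_ok": False, "nop": False,
    }
    opts, i = tcp[20:(off_flags >> 12) * 4], 0
    while i < len(opts) and opts[i] != 0:            # kind 0 ends the option list
        kind = opts[i]
        if kind == 1:                                # NOP is a single padding byte
            feats["nop"] = True
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            feats["mss"] = int.from_bytes(data, "big")
        elif kind == 3 and len(data) == 1:
            feats["window_scale"] = data[0]
        elif kind == 4:
            feats["sack_ok"] = True
        i += length
    return feats
```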