Fingerprinting

My presentation for rannts#22 meetup

Sergey Arkhipov

March 23, 2019

Transcript

  2. Fingerprinting
    Fingerprinting is an operation that uniquely identifies a client.

  3. Fingerprinting
    Fingerprinting to distinguish software:
    — Needed to identify the client as the software interacting with the service;
    — Not necessarily composite; a single client may have several fingerprints.
    Fingerprinting to identify a user:
    — Needed to identify the client as a person;
    — Can be composite: several fingerprints are combined into a global identifier;
    — Has a "viral" nature.

  4. TLS HTTP JavaScript
    TCP/IP
    User identification
    Software distinguishability
    Hard Easy

  5. TLS HTTP JavaScript
    TCP/IP

  6. JavaScript

  7. JavaScript

  8. JavaScript: Canvas Fingerprinting
    function fingerprint() {
      const canvas = document.createElement('canvas')
      const ctx = canvas.getContext('2d')
      // Mixed letters, digits and punctuation exercise many different glyphs
      const txt = 'i9asdm ..$#po((^@KbXrww!~cz'
      ctx.textBaseline = "top"
      ctx.font = "16px 'Arial'"
      ctx.textBaseline = "alphabetic"
      ctx.rotate(.05)
      ctx.fillStyle = "#f60"
      ctx.fillRect(125, 1, 62, 20)
      ctx.fillStyle = "#069"
      ctx.fillText(txt, 2, 15)
      // Second, semi-transparent pass overlaps the first to force blending
      ctx.fillStyle = "rgba(102, 200, 0, 0.7)"
      ctx.fillText(txt, 4, 17)
      ctx.shadowBlur = 10
      ctx.shadowColor = "blue"
      ctx.fillRect(-20, 10, 234, 5)
      // The serialized image is the fingerprint input
      return canvas.toDataURL()
    }

  9. JavaScript: WebGL Fingerprinting

  10. JavaScript: Font Fingerprinting
    The quick brown fox jumps over the lazy dog
    (this sample sentence is repeated 18 times on the slide)

  11. JavaScript: Fingerprint
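    import hashlib

    def make_hasher(previous_value):
        # Assumption: make_hasher is not defined on the slide; here it seeds SHA-1 with the previous fingerprint (bytes)
        return hashlib.sha1(previous_value)

    def fingerprint(previous_value, features):
        hasher = make_hasher(previous_value)
        for idx, feature in enumerate(features):
            hasher.update(bytes([idx]))  # feature index keeps positions distinct
            hasher.update(feature())     # each feature is a callable returning bytes
        return hasher.digest()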

  12. JavaScript: Canvas Fingerprinting

  13. TLS HTTP JavaScript
    TCP/IP

  14. HTTP: Cache poisoning
    HTTP/1.1 200 OK
    ETag: "27dc5-556d73fd7fa43-gzip"

    GET /object HTTP/1.1
    If-None-Match: "27dc5-556d73fd7fa43-gzip"

  15. HTTP
    Host: some.hostname
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: deflate, gzip, br
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive

  16. HTTP
    Host: some.hostname
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: deflate, gzip, br
    Accept-Language: en-US,en;q=0.9
    Connection: keep-alive

    Host: some.hostname
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:66.0) Gecko/20100101 Firefox/66.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: deflate, gzip, br
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1

  17. HTTP
    Default headers
    + Cookie
    + Referer
    + Authorization
    + DNT
    21 combinations!

  18. HTTP
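    import hashlib

    # Assumption: header_types is not shown on the slide; these entries are illustrative.
    # It maps a header name to True (hash the value too) or False (hash only presence and position).
    header_types = {"User-Agent": False, "Accept": True, "Accept-Encoding": True, "Accept-Language": False}

    def header_fingerprint(headers):
        fingerprint = hashlib.sha1()
        for name, value in headers:
            if (consider_value := header_types.get(name)) is not None:
                fingerprint.update(b"\x00" + name.encode())
                if consider_value:
                    fingerprint.update(b"\x01" + value.encode())
        return fingerprint.digest()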

  19. HTTP

  20. TLS HTTP JavaScript
    TCP/IP

  21. TLS

  22. TLS

  23. TLS: the very first packet
    The New Illustrated TLS Connection (https://tls13.ulfheim.net + https://tls12.ulfheim.net)
    — Client version;
    — Cipher suites;
    — Extension — Supported Groups;
    — Extension — Signature Algorithms;
    — Supported versions;

  24. TLS
    import hashlib

    def tls_fingerprint(first_frame):
        # first_frame: bytes of the TLS record that carries the ClientHello
        hasher = hashlib.sha1()
        hasher.update(b"\x00" + first_frame[9:11])  # client version
        # Byte 43 is the session ID length; the session ID itself starts at byte 44
        session_id_length = first_frame[43]
        hasher.update(b"\x01" + first_frame[44:44 + session_id_length])
        next_offset = 44 + session_id_length
        cipher_suites_length = int.from_bytes(first_frame[next_offset:next_offset+2], byteorder="big")
        hasher.update(b"\x03" + first_frame[next_offset+2:next_offset+2+cipher_suites_length])
        ...
        return hasher.digest()
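
An added example, not code from the talk: a parser that walks a ClientHello to the fields listed on slide 23 and hashes them. Unlike the slide-24 snippet it skips the session ID, which changes per connection; `WANTED`, `build_sample` and the byte values passed to it are constructed for the demo.

```python
import hashlib
import struct

# Extensions named on slide 23, keyed by IANA TLS extension type number.
WANTED = {10: "supported_groups", 13: "signature_algorithms", 43: "supported_versions"}

def parse_client_hello(record: bytes) -> dict:
    """Pull the slide-23 fields out of a TLS record that carries a ClientHello."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record starting with a ClientHello")
    try:
        fields = {"client_version": record[9:11]}  # after record (5) + handshake (4) headers
        pos = 43                                   # 9 + version (2) + client random (32)
        pos += 1 + record[pos]                     # skip session ID: it varies per connection
        (n,) = struct.unpack_from("!H", record, pos)
        fields["cipher_suites"] = record[pos + 2:pos + 2 + n]
        pos += 2 + n
        pos += 1 + record[pos]                     # skip compression methods
        (total,) = struct.unpack_from("!H", record, pos)
        pos, end = pos + 2, min(pos + 2 + total, len(record))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type in WANTED:
                fields[WANTED[ext_type]] = record[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return fields

def client_hello_fingerprint(record: bytes) -> str:
    """SHA-1 over the tagged, length-prefixed fields, always in the same order."""
    fields = parse_client_hello(record)
    hasher = hashlib.sha1()
    for tag, name in enumerate(["client_version", "cipher_suites", *WANTED.values()]):
        value = fields.get(name, b"")
        hasher.update(bytes([tag]) + len(value).to_bytes(2, "big") + value)
    return hasher.hexdigest()

def build_sample(random: bytes, session_id: bytes, suites: bytes) -> bytes:
    """Constructed ClientHello for the demo, not a real capture."""
    def ext(ext_type: int, body: bytes) -> bytes:
        return struct.pack("!HH", ext_type, len(body)) + body
    exts = (ext(10, b"\x00\x04\x00\x1d\x00\x17") + ext(13, b"\x00\x04\x04\x03\x08\x04")
            + ext(43, b"\x02\x03\x04"))
    body = (b"\x03\x03" + random + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Clients that send GREASE values (RFC 8701) randomize entries in these lists, so those entries have to be filtered out before hashing to keep the fingerprint stable.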

  25. TLS

  26. TLS HTTP JavaScript
    TCP/IP

  27. TCP handshake
    — Initial packet size (16 bits)
    — Initial TTL (8 bits)
    — Window size (16 bits)
    — Max segment size (16 bits)
    — Window scaling value (8 bits)
    — "don't fragment" flag (1 bit)
    — "sackOK" flag (1 bit)
    — "nop" flag (1 bit)
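
An added example, not code from the talk: extracting the features listed above from a raw IPv4 packet that carries a TCP SYN. `build_syn`, `LINUX_LIKE`, the addresses and the ports are constructed for the demo; rounding the observed TTL up to 32, 64, 128 or 255 is an assumption about common initial values.

```python
import struct

def syn_features(packet: bytes) -> dict:
    """Extract the slide-27 features from a raw IPv4 packet carrying a TCP SYN."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4 packet with a full TCP header")
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack_from("!HHH", packet, 2)
    tcp = packet[ihl:total_len]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:   # SYN set, ACK clear
        raise ValueError("not a SYN segment")
    opts, nop, i = {}, False, 20
    end = min((tcp[12] >> 4) * 4, len(tcp))
    while i < end and tcp[i] != 0:                # kind 0 ends the option list
        if tcp[i] == 1:                           # NOP is a single padding byte
            nop, i = True, i + 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            raise ValueError("malformed TCP option")
        opts[tcp[i]] = tcp[i + 2:i + tcp[i + 1]]
        i += tcp[i + 1]
    ttl = packet[8]
    return {
        "packet_size": total_len,
        # Routers decrement TTL, so round up to the nearest common initial value.
        "initial_ttl": next(t for t in (32, 64, 128, 255) if ttl <= t),
        "window": struct.unpack_from("!H", tcp, 14)[0],
        "mss": int.from_bytes(opts[2], "big") if opts.get(2) else None,
        "wscale": opts[3][0] if opts.get(3) else None,
        "df": bool(frag & 0x4000),
        "sack_ok": 4 in opts,
        "nop": nop,
    }

def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Constructed IPv4+TCP SYN for the demo (documentation addresses, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (20 + len(options)) // 4 << 4,
                      0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return ip + tcp

# MSS 1460, SACK permitted, timestamps, NOP, window scale 7 (constructed sample).
LINUX_LIKE = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
```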
