Bh Japan Laporte Kollmann v8
8/6/2019 Bh Japan Laporte Kollmann v8
1/39
Using DHCP for Passive OS Identification
David LaPorte, Harvard University
Eric Kollmann, Boise State University
-
Who We Are
David LaPorte
Network Security Manager, Harvard University Network and Server Systems
Co-developer of PacketFence, an open-source NAC solution
Eric Kollmann
Systems Engineer, Boise State University
Developer of Satori, a Windows-based passive OS fingerprinting tool
-
Why DHCP is Unique
Broadcast protocol
Totally passive collection
Most networks come with a built-in probe: DHCP relay agents!
Extremely accurate
-
DHCP Primer
Dynamic Host Configuration Protocol
Entirely client-driven (currently)
Main types of packets:
DHCP Discover
DHCP Offer
DHCP Request
DHCP Acknowledgement
DHCP Information
DHCP Release
-
DHCP Primer, contd.
Relevant RFCs:
RFC 1541
RFC 2131: Added DHCPINFORM, extended vendor classes
RFC 2132: Vendor Extensions
RFC 4361: Option 61 updates
RFC 4578: PXE Boot Information
-
DHCP Primer, contd.

 Server          Client          Server
(not selected)                  (selected)

      v               v               v
      |               |               |
      |     Begins initialization     |
      |               |               |
      | _____________/|\____________  |
      |/DHCPDISCOVER  | DHCPDISCOVER \|
      |               |               |
  Determines          |          Determines
 configuration        |         configuration
      |               |               |
      |\              |  ____________/|
      | \________     | /DHCPOFFER    |
      | DHCPOFFER\    |/              |
      |           \   |               |
      |       Collects replies        |
      |             \ |               |
      |     Selects configuration     |
      |               |               |
      | _____________/|\____________  |
      |/ DHCPREQUEST  |  DHCPREQUEST\ |
      |               |               |
      |               |     Commits configuration
      |               |               |
      |               | _____________/|
      |               |/ DHCPACK      |
      |               |               |
      |    Initialization complete    |
      |               |               |
      .               .               .
      .               .               .
      |               |               |
      |      Graceful shutdown        |
      |               |               |
      |               |\ ____________ |
      |               | DHCPRELEASE  \|
      |               |               |
      |               |        Discards lease
      |               |               |
      v               v               v
-
Which ones are useful?
Discover, Request, Information: all will help you identify the client OS; some are more useful than others
Offer: useful in a SOHO environment
Release: seen on a graceful shutdown on some OS's
-
Fingerprinting the hard way, contd.
Seconds Elapsed Field
-
Fingerprinting the hard way, contd.
What it should look like: the RFCs state that clients should wait 4, 8, 16, 32, up to 64 seconds between retransmissions, all +/- 1 second
-
Fingerprinting the hard way, contd.
Problem 1: Incorrect time difference
Problem 2: Incorrect use of the 'secs' field
1 second is not equal to 256
-
Fingerprinting the hard way, contd.
Seconds Elapsed Field set to a constant
The RFCs state that the seconds field should not be set to a constant value
-
Fingerprinting the hard way, contd.
Two overlapping attempts at the same time
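The 'secs' checks the preceding slides describe, as an added Python example (not code from the talk, Satori or PacketFence): it reads the seconds-elapsed field out of raw DHCP messages and labels one client's DISCOVER stream as following the RFC backoff (4, 8, 16, 32, up to 64 seconds, +/- 1), as byte-swapped (1 second showing up as 256), as constant, or as non-standard. The sample packets are constructed in the block, the label names are mine, and treating a 'secs' value that goes backwards as a second, overlapping attempt is an assumption the slides do not spell out.

```python
"""Classify a DHCP client's 'secs' (seconds elapsed) field against RFC behaviour.

RFC 2131 clients retransmit DHCPDISCOVER after 4, 8, 16, 32 and up to 64 seconds
(each +/- 1 s), and 'secs' counts seconds since address acquisition began, so the
value should climb by those intervals.  The talk's four observations are mapped to
labels: wrong time differences, 1 second encoded as 256, a constant value, and two
overlapping attempts.
"""
import struct

RFC_BACKOFF = (4, 8, 16, 32, 64)   # retransmission intervals from the slide
JITTER = 1                         # "all +/- 1 second"


def secs_from_dhcp(packet: bytes) -> int:
    """Read the 16-bit big-endian 'secs' field at offset 8 of a BOOTP/DHCP message."""
    return struct.unpack_from("!H", packet, 8)[0]


def swap16(v: int) -> int:
    """Undo a byte-order mistake: a client writing secs little-endian sends 1 s as 256."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def follows_backoff(values) -> bool:
    """True when each step between successive values matches the RFC interval for
    that retransmission (capped at 64 s) within the allowed jitter."""
    steps = [b - a for a, b in zip(values, values[1:])]
    if not steps:
        return False
    for i, step in enumerate(steps):
        expected = RFC_BACKOFF[min(i, len(RFC_BACKOFF) - 1)]
        if abs(step - expected) > JITTER:
            return False
    return True


def classify_secs(values) -> str:
    """Label one client's sequence of secs values (capture order)."""
    values = list(values)
    if len(values) < 2:
        return "insufficient"
    if len(set(values)) == 1:
        return "constant"              # RFC: secs must not be a constant
    if any(b < a for a, b in zip(values, values[1:])):
        # Assumption (not stated on the slides): secs going backwards inside one
        # client's DISCOVER stream means a second attempt overlapped the first.
        return "overlapping_attempts"
    if follows_backoff(values):
        return "rfc_backoff"
    if follows_backoff([swap16(v) for v in values]):
        return "byte_swapped"          # "1 second does not = 256"
    return "nonstandard"               # incorrect time differences


def classify_client(packets) -> str:
    """Classify the DISCOVER stream of one client from raw packets."""
    return classify_secs(secs_from_dhcp(p) for p in packets)


# ---- constructed sample input, not captured traffic -------------------------
def make_discover(xid: int, secs: int, chaddr: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Just enough BOOTP header for the reads above: op=1, htype=1 (Ethernet),
    hlen=6, hops=0, xid, secs, flags=broadcast, four zero addresses, chaddr."""
    return struct.pack("!BBBBIHH4s4s4s4s16s", 1, 1, 6, 0, xid, secs, 0x8000,
                       b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                       chaddr.ljust(16, b"\0"))


WELL_BEHAVED = [make_discover(0xABCD, s) for s in (0, 4, 12, 28, 60, 124)]
BYTE_SWAPPED = [make_discover(0x1234, s) for s in (0, 4 << 8, 12 << 8, 28 << 8)]
CONSTANT = [make_discover(0x5555, 0) for _ in range(4)]

if __name__ == "__main__":
    for name, stream in (("well-behaved", WELL_BEHAVED),
                         ("byte-swapped", BYTE_SWAPPED),
                         ("constant", CONSTANT)):
        print(f"{name}: {classify_client(stream)}")
```

The byte-swap test is only tried after the plain sequence has failed the backoff check, so a client whose secs values are already correct is never re-interpreted; with the hardcoded cap at 64 seconds, captures longer than five retransmissions are compared against the last interval on the slide.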
-
IP TTL on DHCP Packets
TTL 255: Mac OS X
TTL 128: MS Windows >95
TTL 64: Linux Group 2
TTL 32: MS Windows 95
TTL 16: Linux Group 1
Provides a rough guide to OS
-
More with TTL and DHCP
Typically, no guessing required
-
Issues with TTL with DHCP
DHCP Relay:
Some Cisco devices will change the TTL to 255
Some HP devices will leave the TTL field alone
-
Fingerprinting the easy way: Using DHCP Options
All of the options
Option 55 (requested parameter list)
Option 60 (vendor id)
Option 61 (client id)
Option 77 (user class information)
Option 82 (relay agent information)
Option 93 (client system architecture)
-
All of the Options
Of limited use, but may get us to the family of the OS.
53, 61, 50, 54, 12, 55, 43
-
All of the Options, contd.
Still can't be ruled out: some systems will not provide you with other options that you want
Windows 95 Discover
Note that the hostname below is what we put in; the OS isn't nice enough to tell us this!
-
Option 55 - requested parameter list
The easiest and most accurate way to identify a machine
-
Option 55, contd.
Number and order of requested parameters forms a fingerprint, e.g.:
MS Windows XP:
1,15,3,6,44,46,47,31,33,249,43
1,15,3,6,44,46,47,31,33,249,43,252
1,15,3,6,44,46,47,31,33,249,43,252,12
15,3,6,44,46,47,31,33,249,43
15,3,6,44,46,47,31,33,249,43,252
15,3,6,44,46,47,31,33,249,43,252,12
Apple iPhone:
1,3,6,15,119,78,79,95,252
1,3,6,15,119,95,252,44,46,47
28,2,3,15,6,12,44,47 (OS label missing from the transcript)
-
Option 60 - vendor id
Vendor ID:
May be quite specific or very generic
May even be misleading
-
Option 60, contd.
-
Option 60, contd.: Cisco VOIP devices
Generic:
Cisco Systems, Inc. IP Phone
Specific:
Cisco Systems, Inc. IP Phone 7905
Cisco Systems, Inc. IP Phone 7912
Cisco Systems, Inc. IP Phone CP-7960G
-
Option 60 (contd.) Some Linux distributions make it easy!
-
Option 61 - client id
Client Identifier: in most cases this will just be the MAC of the device, but, if you want to identify a MS RRAS server
-
Option 77 - user class information
User Class Information: be careful with this one, it is user-defined!
If you need to identify MS RRAS
-
Option 82 - relay agent information
RFC 3046, DHCP Relay Agent Information Option
Compatible devices tag the DHCP packet with additional information
What is included varies by vendor
Exposes information about the client or switch, e.g. Cisco provides port, VLAN, and switch data. Data format is model-dependent.

       Code   Len     Agent Information Field
      +------+------+------+------+------+------+--...-+------+
      |  82  |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
      +------+------+------+------+------+------+--...-+------+

      SubOpt  Len     Sub-option Value
      +------+------+------+------+------+------+--...-+------+
      |  1   |   N  |  s1  |  s2  |  s3  |  s4  |      |  sN  |
      +------+------+------+------+------+------+--...-+------+

      DHCP Agent              Sub-option Description
      Sub-option Code
      ---------------         ----------------------
           1                   Agent Circuit ID Sub-option
           2                   Agent Remote ID Sub-option
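The option-based fingerprinting of the Option 55, 60, 61 and 82 slides, as one added Python example (not code from the talk, Satori or PacketFence): it walks the DHCP option TLVs, matches Option 55 as an ordered list against the Windows XP and iPhone lists copied from the Option 55 slide, decodes the Option 60 vendor class, splits Option 61 into its type byte and identifier, and parses the RFC 3046 sub-options of Option 82. The sample messages are constructed in the block, the Cisco vendor string comes from the Option 60 slide, and the Option 82 circuit/remote ID bytes are made up.

```python
"""Extract the DHCP options the talk uses for fingerprinting from a raw DHCP message:
55 (parameter request list), 60 (vendor class id), 61 (client id) and 82 (relay agent
information, with its sub-options 1 = Agent Circuit ID and 2 = Agent Remote ID).
Option 55 is matched as an ordered tuple, because number *and* order of the
requested parameters form the fingerprint."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPTIONS_OFFSET = 236          # fixed BOOTP header length before the magic cookie

# Option 55 lists copied from the slide; keys are ordered tuples.
OPTION55_FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43): "MS Windows XP",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252): "MS Windows XP",
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252, 12): "MS Windows XP",
    (15, 3, 6, 44, 46, 47, 31, 33, 249, 43): "MS Windows XP",
    (15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252): "MS Windows XP",
    (15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252, 12): "MS Windows XP",
    (1, 3, 6, 15, 119, 78, 79, 95, 252): "Apple iPhone",
    (1, 3, 6, 15, 119, 95, 252, 44, 46, 47): "Apple iPhone",
}
SUBOPTION_NAMES = {1: "circuit_id", 2: "remote_id"}   # RFC 3046 sub-option codes


def parse_options(message: bytes) -> dict:
    """Walk the option TLVs after the magic cookie into {code: value}.
    Pad (0) is skipped, End (255) stops the walk, a cut-off option raises."""
    if message[OPTIONS_OFFSET:OPTIONS_OFFSET + 4] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    opts, i = {}, OPTIONS_OFFSET + 4
    while i < len(message):
        code = message[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(message):
            raise ValueError("truncated option header")
        length = message[i + 1]
        value = message[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value   # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts


def parse_relay_agent_info(value: bytes) -> dict:
    """Option 82 carries its own sub-option TLVs (code, length, data)."""
    subs, i = {}, 0
    while i + 2 <= len(value):
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[SUBOPTION_NAMES.get(code, f"sub{code}")] = data
        i += 2 + length
    return subs


def fingerprint(message: bytes) -> dict:
    """Return the identifying fields of one DHCP message and an Option 55 OS guess."""
    opts, result = parse_options(message), {}
    if 55 in opts:
        prl = tuple(opts[55])
        result["option55"] = prl
        result["os"] = OPTION55_FINGERPRINTS.get(prl, "unknown")
    if 60 in opts:
        result["vendor_class"] = opts[60].decode("ascii", "replace")
    if 61 in opts and opts[61]:
        # type 1 = hardware address (the usual "just the MAC" case); anything
        # else is a client-chosen identifier and worth a second look
        ctype, cdata = opts[61][0], opts[61][1:]
        result["client_id"] = ("mac", cdata.hex(":")) if ctype == 1 else ("other", cdata)
    if 82 in opts:
        result["relay_agent"] = parse_relay_agent_info(opts[82])
    return result


# ---- constructed sample messages, not captured traffic ------------------------
def build_discover(options) -> bytes:
    """236-byte BOOTP header (op=1, htype=1, hlen=6, a fixed xid, zero addresses,
    a fixed chaddr, empty sname/file) + magic cookie + options + End."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         b"\x00\x11\x22\x33\x44\x55".ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


XP_LIKE = build_discover([
    (53, b"\x01"),                                   # DHCPDISCOVER
    (61, b"\x01\x00\x11\x22\x33\x44\x55"),           # client id, type 1 + MAC
    (12, b"HOST-XP"),                                # hostname
    (55, bytes((1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43))),
    (82, bytes((1, 4, 0, 1, 0, 5, 2, 6, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF))),  # made-up IDs
])
IPHONE_LIKE = build_discover([(53, b"\x01"), (55, bytes((1, 3, 6, 15, 119, 78, 79, 95, 252)))])
IP_PHONE = build_discover([(53, b"\x01"), (55, bytes((1, 3, 6, 42))),
                           (60, b"Cisco Systems, Inc. IP Phone CP-7960G")])

if __name__ == "__main__":
    for sample in (XP_LIKE, IPHONE_LIKE, IP_PHONE):
        print(fingerprint(sample))
```

A truncated option (a length byte that runs past the end of the message) raises rather than being silently accepted, which matters for a collector that sits on a relay and sees whatever clients send; an unmatched Option 55 list returns "unknown" so the vendor class from Option 60 can still be reported, as the Cisco IP phone sample shows.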
-
Mitigation Strategies
Modify the default DHCP client
Keep IP segments as small as is reasonable
/24 segment = 254 hosts
/20 segment = 4094 hosts
-
Additional Links
Satori & DHCP Fingerprinting Whitepaper http://myweb.cableone.net/xnih
PacketFence (and WRT54G tool) http://www.packetfence.org
Next Generation DHCP (SysAdmin, 02/2005) http://insipid.com/NGDHCP.pdf
-
Related Publications
'New scheme for passive OS fingerprinting using DHCP message', Joho Shori Gakkai Kenkyu Hokoku, 02/2003
'Next Generation DHCP Deployments', SysAdmin Magazine, 02/2005
-
Other Implementations
RINGS project
RogueScanner (Network Chemistry)
DHCPListener
Dhcprint Beacon (Great Bay)
-
Summary
DHCP is an accurate and overlooked source of fingerprinting data
Multiple methods available:
Option 55, most reliable
Option 60, easiest (when accurate)
Many potential applications:
NAC
Asset inventory
-
Demo
-