What is OS fingerprinting?
Inferring a remote machine's operating system
type and version (Windows XP, Linux 2.4...) by
unique characteristics of its packets and
network behavior.
Useful for,
•Network reconnaissance for pentests
•Network monitoring for administration
•Internal security audits
Existing tools
•Nmap
  o Active probing of TCP, UDP, and ICMP
  o Contains over 4,000 user submitted OS fingerprints

•xprobe2
  o Many probes for TCP and ICMP
  o Smaller database than nmap

•p0f
  o Passive OS fingerprinter
  o Complete rewrite to version 3 in 2012
Problem with nmap
Nmap requires the following to do an accurate OS scan,
•1 open TCP port
•1 closed TCP port
•1 closed UDP port
•Response to ICMP queries
Nmap scan report for 192.168.0.3
All 1000 scanned ports on 192.168.0.3 are closed
MAC Address: B8:C6:xx:xx:xx:xx (Unknown)
Too many fingerprints match this host to give specific OS details
What about ARP?
•Address Resolution Protocol
•Primarily used to translate IP addresses into
MAC addresses on link local networks
ARP Packet Structure
Neighbor Cache
•Sending an ARP request for every packet
would be a waste of network resources. Once
an IP address is resolved into a MAC address,
it is cached (Linux kernel calls this the
"neighbor cache").
• Cache values time out, but often with
complicated timeout policies
• Valid ARP packets will update the cache, but
invalid ARP packets should be ignored
ARP Fingerprinting?
•Only tool that used ARP for any sort of
fingerprinting was a very minimal
implementation (arp-scan) that just sent a few
malformed ARP requests and looked for replies
• Finding no existing tools, I wrote my own
prototype fingerprinting tool for ARP,
  o Neighbor Cache Fingerprinter (NCF)
Fingerprinting: NCF Response Elicitation
•NCF works in any of the following conditions,
  o If target responds to ICMP echo packets
    - NCF sends ICMP echo to target as probe packet
    - Target will send back ICMP echo reply
  o If target has a single closed TCP port
    - NCF sends a SYN as probe packet
    - Target will send back RST packet
  o If target has an open TCP port
    - NCF sends a SYN as probe packet
    - Target sends back a SYN/ACK
  o If target has a closed UDP port
    - NCF sends a UDP as probe packet to closed port
    - Target will send back ICMP unreachable packet
Fingerprinting: Number of ARP Requests
NCF: Probes target from spoofed IP address
Target: Who has IP x.x.x.x (spoofed IP)?
Target: Who has IP x.x.x.x (spoofed IP)?
...
• Windows XP: Gives up after 1 attempt
• Linux: Gives up after 3 attempts
• Android: Gives up after 1-2 attempts
NCF records the min and max retry attempts
Fingerprinting: Cache entry timeout
NCF: Probes target with spoofed IP address
Target: (ARP) who has x.x.x.x (spoofed IP address)?
NCF: (ARP) x.x.x.x is at x:x:x:x:x (spoofed MAC)
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
... some time later, the entry in the target's ARP cache expires
NCF: Sends another probe
Target: (ARP) who has x.x.x.x?
Record how long it took for the cache entry to expire
Fingerprinting: Detecting flood prevention
NCF: x.x.x.x is at x:x:x:x:x:80
NCF: x.x.x.x is at x:x:x:x:x:81
NCF: x.x.x.x is at x:x:x:x:x:82
NCF: Send probe packet
Target: Replies (but to which MAC address?)
If target has flood protection, it will reply to one
of the earlier MAC addresses. If not, it will reply
to the last one seen (...82).
Fingerprinting: Gratuitous ARP packets
•A gratuitous or unsolicited ARP reply is an ARP reply for
which there was no request
•ARP fields get confusing (great for implementation diversity)
   o Who's the target IP of the message? Broadcast address?
   Zero? Specification actually says target IP should be the
   same as sender IP (looks like an ARP reply to yourself)

   o Who's the target MAC of the message? Broadcast (this is in
   the Ethernet frame)? Same as the sender MAC address?
   Neither: it should be zero according to the spec.

   o Even the ARP opcode becomes confusing in the case of
   unsolicited ARP packets. Is it a "request" for other machines
   to update their cache? Or is it a "reply", even though it
   isn't a reply to anyone?
Fingerprinting: Gratuitous ARP packets
We craft gratuitous ARP packets, changing fields to match
common implementation errors and oddities.

Ethernet Frame Dst Address  : Bcast or the MAC of our target
ARP Target Hardware Address : 0, bcast, or the MAC of our target
ARP Target Protocol Address : 0 or the IP address of our target
ARP Opcode                  : REPLY or REQUEST

NCF generates 36 different permutations of gratuitous ARP
packets, and records if each one was accepted or ignored by the
target.
Fingerprinting: Gratuitous ARP packets
NCF: (permutation 1) x.x.x.x is at x:x:x:x:x:40
NCF: (permutation 2) x.x.x.x is at x:x:x:x:x:41
NCF: Probes target
Target: Replies to probe. If packet 2 was accepted and updated
the ARP cache, response is to MAC address x:x:x:x:x:41. If it
was ignored as an invalid packet, response is to MAC
x:x:x:x:x:40.
NCF: (permutation 3) x.x.x.x is at x:x:x:x:x:42
NCF: Probes target
Target: Replies to probe (to which spoofed MAC address?)
...
NCF: (permutation 36) x.x.x.x is at x:x:x:x:x:76
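
The flood-prevention and gratuitous-ARP slides describe what a probed host sees on the wire: one IP address announced from several MAC addresses in quick succession, with varying target fields. The following monitor-side check is an added example, not part of the original slides or of NCF: it parses raw ARP payloads, labels each packet's field layout using the choices listed on the slides, and flags rapid rebinding. The 5-second window, the threshold of 3 MACs, the function names and all sample addresses are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict, deque

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ZERO_MAC, BCAST_MAC = bytes(6), b"\xff" * 6

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP body; return None for anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def field_layout(arp, my_mac, my_ip):
    """Name the opcode / target MAC / target IP choice seen in one ARP packet."""
    oper = {1: "REQUEST", 2: "REPLY"}.get(arp["oper"], "other")
    tha = {ZERO_MAC: "zero", BCAST_MAC: "bcast", my_mac: "ours"}.get(
        arp["tha"], "other")
    if arp["tpa"] == bytes(4):
        tpa = "zero"
    elif arp["tpa"] == arp["spa"]:
        tpa = "sender"  # the layout the slides attribute to the specification
    elif arp["tpa"] == my_ip:
        tpa = "ours"
    else:
        tpa = "other"
    return oper, tha, tpa

def rebinding_alerts(events, window=5.0, threshold=3):
    """Map sender IP -> number of distinct MACs that claimed it within `window`
    seconds, for IPs where that number reaches `threshold` (assumed values)."""
    recent = defaultdict(deque)  # sender IP -> deque of (timestamp, sender MAC)
    alerts = {}
    for ts, payload in sorted(events, key=lambda e: e[0]):
        arp = parse_arp(payload)
        if arp is None:
            continue
        seen = recent[arp["spa"]]
        seen.append((ts, arp["sha"]))
        while ts - seen[0][0] > window:  # drop claims older than the window
            seen.popleft()
        macs = {mac for _, mac in seen}
        if len(macs) >= threshold:
            ip = socket.inet_ntoa(arp["spa"])
            alerts[ip] = max(alerts.get(ip, 0), len(macs))
    return alerts

def _arp(oper, sha_hex, spa, tha, tpa):
    """Build a constructed sample ARP body for the demo below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(sha_hex),
                       socket.inet_aton(spa), tha, socket.inet_aton(tpa))

# Constructed sample capture as seen by the monitored host (documentation addresses).
MY_MAC, MY_IP = bytes.fromhex("020000000001"), socket.inet_aton("192.0.2.1")
SAMPLE = [
    (0.00, _arp(2, "020000000080", "192.0.2.50", ZERO_MAC, "192.0.2.50")),
    (0.05, _arp(1, "020000000081", "192.0.2.50", BCAST_MAC, "0.0.0.0")),
    (0.10, _arp(2, "020000000082", "192.0.2.50", MY_MAC, "192.0.2.1")),
    (1.00, _arp(1, "020000000010", "192.0.2.10", ZERO_MAC, "192.0.2.10")),
    (9.00, _arp(1, "020000000010", "192.0.2.10", ZERO_MAC, "192.0.2.10")),
]

if __name__ == "__main__":
    for ts, raw in SAMPLE:
        print(ts, field_layout(parse_arp(raw), MY_MAC, MY_IP))
    print("rebinding alerts:", rebinding_alerts(SAMPLE))
```

A host that re-announces the same IP-to-MAC binding, like 192.0.2.10 in the sample, never trips the check; only an IP whose claimed MAC keeps changing inside the window does.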
Fingerprinting
•So many techniques, so little time...
•Correct Reply to RFC5227 (IPv4 Address
Conflict Detection) ARP probe
•Cache entry creation with gratuitous packet
•Dynamic cache timeout policies
Fingerprinting: Relatively small database
Windows 7, Windows 7 or Windows Server 2008, Windows XP or Windows Server 2003
Linux 3.x, Linux 2.6 (newer than 2.6.24), Linux 2.6 (older than 2.6.24), Linux 2.4
FreeBSD or OpenBSD, NetBSD
Android 4.0.4, Android 3.2,
Minix 3.2
ReactOS 0.3.13
Lexmark Printer
SonicWall OS
Wind River VxWorks
3com NBX V3000 (IP Telephone System)
Honeyd Honeypot
Scientific Atlanta DPC2100 Cable Modem, Terayon TJ715 Cable Modem
SMC Barricade Broadband Router, MontaVista embedded Linux 2.4.17
Neighbor Cache Fingerprinter
Source code, documentation, and issue tracker
github.com/PherricOxide/Neighbor-Cache-Fingerprinter

Find bugs and report them on github.
Better yet, find bugs and submit patches.
Email me fingerprints to dtclark@asu.edu

Questions, comments, concerns?

Os detection with arp