2. What is OS fingerprinting?
Inferring a remote machine's operating system
type and version (Windows XP, Linux 2.4...) by
unique characteristics of its packets and
network behavior.
Useful for,
•Network reconnaissance for pentests
•Network monitoring for administration
•Internal security audits
4. Existing tools
•Nmap
oActive probing of TCP, UDP, and ICMP
oContains over 4,000 user submitted OS fingerprints
•xprobe2
oMany probes for TCP and ICMP
oSmaller database than nmap
•p0f
oPassive OS fingerprinter
oComplete rewrite to version 3 in 2012
5. Problem with nmap
Nmap requires the following to do an accurate OS scan,
•1 open TCP port
•1 closed TCP port
•1 closed UDP port
•Response to ICMP queries
Nmap scan report for 192.168.0.3
All 1000 scanned ports on 192.168.0.3 are closed
MAC Address: B8:C6:xx:xx:xx:xx (Unknown)
Too many fingerprints match this host to give specific OS details
6. What about ARP?
•Address Resolution Protocol
•Primarily used to translate IP addresses into
MAC addresses on link local networks
8. Neighbor Cache
•Sending an ARP request for every packet
would be a waste of network resources. Once
an IP address is resolved into a MAC address,
it is cached (Linux kernel calls this the
"neighbor cache").
• Cache values time out, but often with
complicated timeout policies
• Valid ARP packets will update the cache, but
invalid ARP packets should be ignored
9. ARP Fingerprinting?
•Only tool that used ARP for any sort of
fingerprinting was a very minimal
implementation (arp-scan) that just sent a few
malformed ARP requests and looked for replies
• Finding no existing tools, I wrote my own
prototype fingerprinting tool for ARP,
oNeighbor Cache Fingerprinter (NCF)
10. Fingerprinting
NCF Response Elicitation
•NCF works in any of the following conditions,
oIf target responds to ICMP echo packets
    NCF sends ICMP echo to target as probe packet
    Target will send back ICMP echo reply
oIf target has a single closed TCP port
    NCF sends a SYN as probe packet
    Target will send back RST packet
oIf target has an open TCP port
    NCF sends a SYN as probe packet
    Target sends back a SYN/ACK
oIf target has a closed UDP port
    NCF sends a UDP packet as probe to the closed port
    Target will send back ICMP unreachable packet
11. Fingerprinting
Number of ARP Requests
NCF: Probes target from spoofed IP address
Target: Who has IP x.x.x.x (spoofed IP)?
Target: Who has IP x.x.x.x (spoofed IP)?
...
• Windows XP: Gives up after 1 attempt
• Linux: Gives up after 3 attempts
• Android: Gives up after 1-2 attempts
NCF records the min and max retry attempts
12. Fingerprinting
Cache entry timeout
NCF: Probes target with spoofed IP address
Target: (ARP) who has x.x.x.x (spoofed IP address)?
NCF: (ARP) x.x.x.x is at x:x:x:x:x (spoofed MAC)
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
... some time later, the entry in the target's ARP cache expires
NCF: Sends another probe
Target: (ARP) who has x.x.x.x?
Record how long it took for the cache entry to expire
13. Fingerprinting
Detecting flood prevention
NCF: x.x.x.x is at x:x:x:x:x:80
NCF: x.x.x.x is at x:x:x:x:x:81
NCF: x.x.x.x is at x:x:x:x:x:82
NCF: Send probe packet
Target: Replies (but to which MAC address?)
If target has flood protection, it will reply to one
of the earlier MAC addresses. If not, it will reply
to the last one seen (...82).
14. Fingerprinting
Gratuitous ARP packets
•A gratuitous or unsolicited ARP reply is an ARP reply for
which there was no request
•ARP fields get confusing (great for implementation diversity)
oWho's the target IP of the message? Broadcast address?
Zero? Specification actually says target IP should be the
same as sender IP (looks like an ARP reply to yourself)
oWho's the target MAC of the message? Broadcast (this is in
the ethernet frame)? Same as the sender MAC address?
Neither: it should be zero according to the spec.
oEven the ARP opcode becomes confusing in the case of
unsolicited ARP packets. Is it a "request" for other machines
to update their cache? Or is it a "reply", even though it isn't
a reply to anyone?
15. Fingerprinting
Gratuitous ARP packets
We craft gratuitous ARP packets, changing fields to match
common implementation errors and oddities.
Ethernet Frame Dst Address : Bcast or the MAC of our target
ARP Target Hardware Address: 0, bcast, or the MAC of our
target
ARP Target Protocol Address : 0 or the IP address of our target
ARP Opcode : REPLY or REQUEST
NCF generates 36 different permutations of gratuitous ARP
packets, and records if each one was accepted or ignored by the
target.
16. Fingerprinting
Gratuitous ARP packets
NCF: (permutation 1) x.x.x.x is at x:x:x:x:x:40
NCF: (permutation 2) x.x.x.x is at x:x:x:x:x:41
NCF: Probes target
Target: Replies to probe. If packet 2 was accepted and updated
the ARP cache, response is to MAC address x:x:x:x:x:41. If it
was ignored as an invalid packet, response is to MAC
x:x:x:x:x:40.
NCF: (permutation 3) x.x.x.x is at x:x:x:x:x:42
NCF: Probes target
Target: Replies to probe (to which spoofed MAC address?)
...
NCF: (permutation 36) x.x.x.x is at x:x:x:x:x:76
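As an added example in Python (not code from the NCF project), here is the frame codec and one strict neighbor-cache policy behind slides 8, 13, 15 and 16: it builds the 24 gratuitous ARP permutations that the four field choices on slide 15 enumerate (the tool's further variants that bring the count to 36 are not modelled) and shows that a cache which only learns from the first reply to its own request ignores every one of them, and a reply flood too. The cache policy and all addresses are this example's own constructed assumptions, not the behaviour of any particular OS.

```python
import struct
from itertools import product
ETH_ARP, ARP_REQUEST, ARP_REPLY = b"\x08\x06", 1, 2
BCAST, ZERO_MAC, ZERO_IP = b"\xff" * 6, b"\x00" * 6, b"\x00" * 4
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def build_arp(eth_dst, op, sha, spa, tha, tpa):
    """Ethernet II header (dst, src, type 0x0806) followed by a 28-byte Ethernet/IPv4 ARP body."""
    return eth_dst + sha + ETH_ARP + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def parse_arp(frame):
    """Decode the ARP fields; anything that is not well-formed Ethernet/IPv4 ARP is rejected outright."""
    body = struct.unpack(ARP_FMT, frame[14:42]) if len(frame) >= 42 else ()
    if frame[12:14] != ETH_ARP or body[:4] != (1, 0x0800, 6, 4):
        raise ValueError("not a well-formed Ethernet/IPv4 ARP frame")
    return dict(zip(("op", "sha", "spa", "tha", "tpa"), body[4:]), eth_dst=frame[:6])

def gratuitous_permutations(target_mac, target_ip, sender_mac, sender_ip):
    """The four field choices slide 15 lists (2 x 3 x 2 x 2 = 24 frames); the tool's remaining variants are not modelled."""
    choices = product((BCAST, target_mac), (ZERO_MAC, BCAST, target_mac), (ZERO_IP, target_ip), (ARP_REPLY, ARP_REQUEST))
    return [build_arp(dst, op, sender_mac, sender_ip, tha, tpa) for dst, tha, tpa, op in choices]

class StrictNeighborCache:
    """One conservative policy (this example's own, not any OS's): an entry is created or updated only by a
    unicast reply that answers a request this host actually sent, and only the first such reply counts."""
    def __init__(self, my_mac, my_ip):
        self.my_mac, self.my_ip, self.pending, self.table, self.ignored = my_mac, my_ip, set(), {}, 0
    def request(self, target_ip):
        self.pending.add(target_ip)
        return build_arp(BCAST, ARP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, target_ip)
    def receive(self, frame):
        p = parse_arp(frame)
        answers_us = p["op"] == ARP_REPLY and p["eth_dst"] == p["tha"] == self.my_mac and p["tpa"] == self.my_ip
        if not (answers_us and p["spa"] in self.pending):
            self.ignored += 1  # gratuitous, malformed, unsolicited or duplicate: leave the cache alone
            return False
        self.pending.discard(p["spa"])  # first answer wins, so a later "x.x.x.x is at ..." flood changes nothing
        self.table[p["spa"]] = p["sha"]
        return True

def demo():  # constructed addresses: 10.0.0.1 resolves 10.0.0.2, then sees a reply flood and all 24 gratuitous frames
    me_mac, me_ip, peer_mac, peer_ip = mac("02:00:00:00:00:01"), ip("10.0.0.1"), mac("02:00:00:00:00:02"), ip("10.0.0.2")
    cache = StrictNeighborCache(me_mac, me_ip)
    cache.request(peer_ip)
    ok = cache.receive(build_arp(me_mac, ARP_REPLY, peer_mac, peer_ip, me_mac, me_ip))
    flood = cache.receive(build_arp(me_mac, ARP_REPLY, mac("02:00:00:00:00:81"), peer_ip, me_mac, me_ip))
    grat = [cache.receive(f) for f in gratuitous_permutations(me_mac, me_ip, peer_mac, peer_ip)]
    return ok, flood, sum(grat), len(grat), cache.table[peer_ip]
```

The caveat the slides imply still holds: during the window between a real request and its first answer, a strict cache cannot tell a spoofed reply from the genuine one, so the policy limits which packets are trusted rather than authenticating them.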
17. Fingerprinting
•So many techniques, so little time...
•Correct Reply to RFC5227 (IPv4 Address
Conflict Detection) ARP probe
•Cache entry creation with gratuitous packet
•Dynamic cache timeout policies
18. Fingerprinting
Relatively small database
Windows 7, Windows 7 or Windows Server 2008, Windows XP or Windows Server 2003
Linux 3.x, Linux 2.6 (newer than 2.6.24), Linux 2.6 (older than 2.6.24), Linux 2.4
FreeBSD or OpenBSD, NetBSD
Android 4.0.4, Android 3.2,
Minix 3.2
ReactOS 0.3.13
Lexmark Printer
SonicWall OS
Wind River VxWorks
3com NBX V3000 (IP Telephone System)
Honeyd Honeypot
Scientific Atlanta DPC2100 Cable Modem, Terayon TJ715 Cable Modem
SMC Barricade Broadband Router, MontaVista embedded Linux 2.4.17
19. Neighbor Cache Fingerprinter
Source code, documentation, and issue tracker
github.com/PherricOxide/Neighbor-Cache-Fingerprinter
Find bugs and report them on github.
Better yet, find bugs and submit patches.
Email me fingerprints to dtclark@asu.edu
Questions, comments, concerns?