bh japan laporte kollmann v8


TRANSCRIPT

  • 8/6/2019 Bh Japan Laporte Kollmann v8


    Using DHCP for Passive OS Identification

    David LaPorte, Harvard University

    Eric Kollmann, Boise State University


    Who We Are

    David LaPorte
      Network Security Manager, Harvard University Network and Server Systems
      Co-developer of PacketFence, an open-source NAC solution

    Eric Kollmann
      Systems Engineer, Boise State University
      Developer of Satori, a Windows-based passive OS fingerprinting tool


    Why DHCP is Unique

    Broadcast protocol

    Totally passive collection: nothing is ever sent to the client

    Most networks come with a built-in probe: DHCP relay agents!

    Extremely accurate


    DHCP Primer

    Dynamic Host Configuration Protocol

    Entirely client-driven (currently)

    Main types of packets:
      DHCP Discover
      DHCP Offer
      DHCP Request
      DHCP Acknowledgement
      DHCP Inform (DHCPINFORM)
      DHCP Release


    DHCP Primer, contd.

    Relevant RFCs:
      RFC 1541: original DHCP specification (obsoleted by RFC 2131)
      RFC 2131: added DHCPINFORM, extended vendor classes
      RFC 2132: DHCP options and BOOTP vendor extensions
      RFC 4361: Option 61 (client identifier) updates
      RFC 4578: PXE boot information (client system architecture, option 93)


    DHCP Primer, contd.

    Message exchange (RFC 2131, Figure 3):

               Server          Client          Server
           (not selected)                    (selected)

                 v               v               v
                 |               |               |
                 |     Begins initialization     |
                 |               |               |
                 | _____________/|\____________  |
                 |/DHCPDISCOVER  | DHCPDISCOVER \|
                 |               |               |
            Determines          |          Determines
           configuration        |         configuration
                 |               |               |
                 |\              |  ____________/|
                 | \________     | /DHCPOFFER    |
                 | DHCPOFFER\    |/              |
                 |           \   |               |
                 |       Collects replies        |
                 |              \|               |
                 |     Selects configuration     |
                 |               |               |
                 | _____________/|\____________  |
                 |/ DHCPREQUEST  | DHCPREQUEST  \|
                 |               |               |
                 |               |     Commits configuration
                 |               |               |
                 |               | _____________/|
                 |               |/ DHCPACK      |
                 |               |               |
                 |    Initialization complete    |
                 |               |               |
                 .               .               .
                 .               .               .
                 |               |               |
                 |      Graceful shutdown        |
                 |               |               |
                 |               |\ ____________ |
                 |               | DHCPRELEASE  \|
                 |               |               |
                 |               |        Discards lease
                 |               |               |
                 v               v               v


    Which ones are useful

    Discover, Request, Inform
      All will help you identify the client OS; some are more useful than others

    Offer
      Useful in a SOHO environment (it is sent by the DHCP server, so it fingerprints the server, which in a SOHO setup is usually the home gateway)

    Release
      Seen on a graceful shutdown on some OSs


    Fingerprinting the hard way, contd.

    Seconds Elapsed field (the 16-bit 'secs' field in the BOOTP header)


    Fingerprinting the hard way, contd.

    What it should look like: the RFCs state that a client should wait 4, 8, 16, 32, up to 64 seconds between retransmissions, all +/- 1 second, and that 'secs' should carry the time elapsed since the client began acquiring an address


    Fingerprinting the hard way, contd.

    Problem 1: incorrect time difference (the 'secs' value does not match the time actually elapsed between retransmissions)

    Problem 2: incorrect use of the 'secs' field
      1 second does not = 256 (a client that writes the field in the wrong byte order sends 0x0100 = 256 after one second)


    Fingerprinting the hard way, contd.

    Seconds Elapsed field set to a constant: the RFCs state that the seconds field should not be set to a constant value, yet some clients never change it


    Fingerprinting the hard way, contd.

    Two overlapping attempts at the same time (a second transaction starts before the first has finished, so their retransmission sequences interleave in the capture)
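The timing checks of the last few slides, as an added example that is not code from the talk or from Satori: it takes a list of one client's Discovers (capture time, xid, raw secs value) and reports, per transaction, whether the retransmission gaps follow the 4/8/16/32/64 second backoff, whether secs tracks elapsed time, whether it is byte-swapped (1 second reported as 256) or constant, and whether two transactions overlap. The capture records, xids and timings are constructed; the Discover record type and the anomaly strings are names this example chooses.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Discover(NamedTuple):
    """One captured DHCPDISCOVER from a single client (constructed record type)."""
    ts: float   # capture time in seconds
    xid: int    # transaction ID from the BOOTP header
    secs: int   # raw 16-bit 'secs' field exactly as the client sent it


def swap16(v: int) -> int:
    """Swap the two bytes of a 16-bit value: a client that writes 'secs' in the
    wrong byte order sends 0x0100 (256) when it means 0x0001 (1 second)."""
    return ((v & 0xFF) << 8) | ((v >> 8) & 0xFF)


def backoff_conformant(gaps: List[float]) -> bool:
    """RFC 2131 4.1: retransmit after 4, 8, 16, 32 seconds, capped at 64,
    each randomized by +/- 1 second."""
    return all(abs(gap - min(4 * 2 ** i, 64)) <= 1 for i, gap in enumerate(gaps))


def analyse_attempt(pkts: List[Discover]) -> List[str]:
    """Return the anomalies seen in one transaction (all packets sharing an xid)."""
    pkts = sorted(pkts, key=lambda p: p.ts)
    elapsed = [p.ts - pkts[0].ts for p in pkts]
    secs = [p.secs for p in pkts]

    def tracks(values: List[int]) -> bool:
        # 'secs' should equal the time since the first packet, +/- 1 second
        return all(abs(v - e) <= 1 for v, e in zip(values, elapsed))

    findings: List[str] = []
    if len(pkts) > 1:
        gaps = [b - a for a, b in zip(elapsed, elapsed[1:])]
        if not backoff_conformant(gaps):
            findings.append("retransmission timing off the RFC backoff")
        if len(set(secs)) == 1:
            findings.append("secs constant")
            return findings
    if tracks(secs):
        return findings                     # behaves as RFC 2131 describes
    if tracks([swap16(s) for s in secs]):
        findings.append("secs byte-swapped (1 second reported as 256)")
    else:
        findings.append("secs does not match elapsed time")
    return findings


def analyse_client(pkts: List[Discover]) -> dict:
    """Group one client's Discovers by xid and also flag overlapping attempts
    (a second transaction starting before the first one finished)."""
    by_xid: Dict[int, List[Discover]] = defaultdict(list)
    for p in pkts:
        by_xid[p.xid].append(p)
    spans = sorted((min(q.ts for q in ps), max(q.ts for q in ps), xid)
                   for xid, ps in by_xid.items())
    overlapping = [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] <= a[1]]
    return {"attempts": {xid: analyse_attempt(ps) for xid, ps in by_xid.items()},
            "overlapping": overlapping}


# Constructed capture: five transactions illustrating the cases on the slides.
CAPTURE = [
    # RFC-conformant: gaps 4, 8, 16, 32 and secs tracking elapsed time
    Discover(0.0, 0x1001, 0), Discover(4.2, 0x1001, 4), Discover(12.1, 0x1001, 12),
    Discover(28.3, 0x1001, 28), Discover(60.0, 0x1001, 60),
    # Problem 1: timing right, but secs does not match elapsed time
    Discover(100.0, 0x2002, 0), Discover(104.0, 0x2002, 2), Discover(112.0, 0x2002, 6),
    # Problem 2: secs written in the wrong byte order (4 -> 0x0400, 12 -> 0x0c00)
    Discover(200.0, 0x3003, 0), Discover(204.0, 0x3003, 1024), Discover(212.0, 0x3003, 3072),
    # secs set to a constant
    Discover(300.0, 0x4004, 7), Discover(304.0, 0x4004, 7), Discover(312.0, 0x4004, 7),
    # Two overlapping attempts: a second xid starts before the first one ends
    Discover(400.0, 0x5005, 0), Discover(404.0, 0x5005, 4), Discover(412.0, 0x5005, 12),
    Discover(402.0, 0x6006, 0), Discover(406.0, 0x6006, 4), Discover(414.0, 0x6006, 12),
]


if __name__ == "__main__":
    report = analyse_client(CAPTURE)
    for xid, findings in sorted(report["attempts"].items()):
        print("xid 0x%04x: %s" % (xid, ", ".join(findings) or "conformant"))
    print("overlapping attempts:", ["0x%04x/0x%04x" % pair for pair in report["overlapping"]])
```

The +/- 1 second tolerance comes straight from the RFC's randomization; captures taken on a busy segment may need a wider window, and the byte-swap test only fires when the swapped values line up with real elapsed time, so a constant 256 is reported as constant, not as swapped.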


    IP TTL on DHCP Packets

      TTL   OS
      255   Mac OS X
      128   MS Windows (later than 95)
       64   Linux group 2
       32   MS Windows 95
       16   Linux group 1

    Provides a rough guide to OS


    More with TTL and DHCP

    Typically, no guessing required: a broadcast DHCP packet is captured on the client's own segment, so the TTL seen is the initial TTL, not a value decremented by routers


    Issues with TTL with DHCP

    DHCP relay
      Some Cisco devices will change the TTL to 255
      Some HP devices will leave the TTL field alone
      So on a relayed packet (giaddr set) the TTL may describe the relay, not the client


    Fingerprinting the easy way: Using DHCP Options

    All of the options
    Option 55 (requested parameter list)
    Option 60 (vendor id)
    Option 61 (client id)
    Option 77 (user class information)
    Option 82 (relay agent information)
    Option 93 (client system architecture)


    All of the Options

    Of limited use, but may get us to the family of the OS.

    eg. the options present and the order they appear in: 53, 61, 50, 54, 12, 55, 43


    All of the Options, contd.

    Still can't be ruled out: some systems will not provide you with the other options that you want

    Windows 95 Discover (packet capture on the slide): note that the hostname shown is what we put in; the OS isn't nice enough to tell us this!


    Option 55 - requested parameter list

    The easiest and most accurate way to identify a machine


    Option 55, contd.

    Number and order of requested parameters forms a fingerprint, eg.:

    MS Windows XP
      1,15,3,6,44,46,47,31,33,249,43
      1,15,3,6,44,46,47,31,33,249,43,252
      1,15,3,6,44,46,47,31,33,249,43,252,12
      15,3,6,44,46,47,31,33,249,43
      15,3,6,44,46,47,31,33,249,43,252
      15,3,6,44,46,47,31,33,249,43,252,12

    (label not recoverable from the transcript)
      28,2,3,15,6,12,44,47

    Apple iPhone
      1,3,6,15,119,78,79,95,252
      1,3,6,15,119,95,252,44,46,47
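An added example, not code from the talk, Satori or PacketFence, that parses a DHCP payload and matches option 55 against the lists on the slide above. The two sample Discovers are constructed here (MAC addresses, xids, hostnames and option order are made up; "MSFT 5.0" is the vendor class Windows XP sends and is included as typical). It also records the order of all options (the 'All of the Options' signal) and whether giaddr is set, which is the condition under which the TTL caveats apply.

```python
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"

MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

# Option 55 fingerprints from the slide; the match is exact and order-sensitive,
# because the number and order of requested parameters is the signature.
XP = "MS Windows XP"
OPTION55_FINGERPRINTS: Dict[Tuple[int, ...], str] = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43): XP,
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252): XP,
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252, 12): XP,
    (15, 3, 6, 44, 46, 47, 31, 33, 249, 43): XP,
    (15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252): XP,
    (15, 3, 6, 44, 46, 47, 31, 33, 249, 43, 252, 12): XP,
    (1, 3, 6, 15, 119, 78, 79, 95, 252): "Apple iPhone",
    (1, 3, 6, 15, 119, 95, 252, 44, 46, 47): "Apple iPhone",
}


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk the RFC 2132 option TLVs, keeping their order: 0 is a one-byte pad,
    255 ends the list, everything else is code, length, value."""
    out, i = [], 0
    while i < len(data):
        code = data[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        length = data[i + 1]
        out.append((code, data[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header (RFC 2131 section 2) and the options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    giaddr = payload[24:28]
    options = parse_options(payload[240:])
    by_code = dict(options)          # on duplicate codes the last one wins
    return {
        "op": op, "xid": xid, "secs": secs, "hops": hops,
        "relayed": giaddr != b"\x00" * 4,   # giaddr set => came through a relay agent
        "chaddr": payload[28:28 + hlen].hex(":"),
        "message_type": MESSAGE_TYPES.get(by_code[53][0]) if 53 in by_code else None,
        "option_order": [code for code, _ in options],
        "param_request_list": tuple(by_code.get(55, b"")),
        "vendor_class": by_code.get(60, b"").decode("ascii", "replace"),
        "client_id": by_code.get(61, b"").hex(":"),
        "hostname": by_code.get(12, b"").decode("ascii", "replace"),
    }


def fingerprint(msg: dict) -> str:
    """Exact option 55 match; otherwise report the list so it can be added to the table."""
    prl = msg["param_request_list"]
    return OPTION55_FINGERPRINTS.get(prl, "unknown (option 55 = %s)" % ",".join(map(str, prl)))


def build_discover(mac: bytes, xid: int, secs: int, options: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a DHCPDISCOVER payload (constructed test input, not a real capture)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, secs, 0x8000)  # BOOTREQUEST, Ethernet, broadcast flag
    header += b"\x00" * 16                                            # ciaddr, yiaddr, siaddr, giaddr
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128    # chaddr, sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed samples: made-up MACs, xids and hostnames; option 55 lists from the slide.
XP_MAC = bytes.fromhex("00c09f123456")
SAMPLE_XP = build_discover(XP_MAC, 0x3903F326, 0, [
    (53, b"\x01"),
    (61, b"\x01" + XP_MAC),
    (12, b"XPBOX"),
    (60, b"MSFT 5.0"),
    (55, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43])),
])
IPHONE_MAC = bytes.fromhex("001ec2aabbcc")
SAMPLE_IPHONE = build_discover(IPHONE_MAC, 0x7AD1C0DE, 0, [
    (53, b"\x01"),
    (55, bytes([1, 3, 6, 15, 119, 78, 79, 95, 252])),
    (57, b"\x05\xdc"),
    (61, b"\x01" + IPHONE_MAC),
    (12, b"iPhone"),
])

if __name__ == "__main__":
    for sample in (SAMPLE_XP, SAMPLE_IPHONE):
        msg = parse_dhcp(sample)
        print(msg["chaddr"], msg["message_type"], msg["option_order"], "->", fingerprint(msg))
```

In a real collector the payload comes from UDP port 67 traffic seen on a span port or at the relay; the parser deliberately keeps the unknown-list fallback visible rather than guessing, since the whole method rests on exact lists.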


    Option 60 - vendor id

    Vendor ID: may be quite specific or very generic
    May even be misleading


    Option 60, contd.

    Cisco VoIP devices
      Generic:  Cisco Systems, Inc. IP Phone
      Specific: Cisco Systems, Inc. IP Phone 7905
                Cisco Systems, Inc. IP Phone 7912
                Cisco Systems, Inc. IP Phone CP-7960G


    Option 60, contd.

    Some Linux distributions make it easy!


    Option 61 - client id

    Client Identifier: in most cases this will just be the MAC of the device, but, if you want to identify a MS RRAS server


    Option 77 - user class information

    User Class Information: be careful with this one, it is user-defined!

    If you need to identify MS RRAS


    Option 82 - relay agent information

    RFC 3046, DHCP Relay Agent Information Option

    Compatible devices tag the DHCP packet with additional information

    What is included varies by vendor

    Exposes information about the client or switch, eg. Cisco provides port, VLAN, and switch data. Data format is model-dependent

       Code   Len   Agent Information Field
      +------+------+------+------+------+------+--...-+------+
      |  82  |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
      +------+------+------+------+------+------+--...-+------+

      SubOpt  Len     Sub-option Value
      +------+------+------+------+------+------+--...-+------+
      |   1  |   N  |  s1  |  s2  |  s3  |  s4  |      |  sN  |
      +------+------+------+------+------+------+--...-+------+

      DHCP Agent          Sub-option Description
      Sub-option Code
      ---------------     ----------------------
             1            Agent Circuit ID Sub-option
             2            Agent Remote ID Sub-option
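An added example, not from the talk: a decoder for the option 82 Agent Information Field laid out above. It splits the sub-options per RFC 3046 and, where the bytes fit the Cisco IOS default layout (circuit-id = 00 04 vlan/module/port, remote-id = 00 06 switch MAC), decodes them; that layout is an assumption about the relay, which is why the raw bytes are always kept alongside. The two sample values are constructed, not captured.

```python
import struct
from typing import Dict, List, Tuple


def parse_suboptions(agent_info: bytes) -> List[Tuple[int, bytes]]:
    """Split the option 82 value into (sub-option code, value) pairs. Unlike the
    top-level DHCP options there is no pad byte and no end marker here."""
    out, i = [], 0
    while i < len(agent_info):
        if i + 2 > len(agent_info):
            raise ValueError("truncated sub-option header")
        code, length = agent_info[i], agent_info[i + 1]
        value = agent_info[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option %d" % code)
        out.append((code, value))
        i += 2 + length
    return out


def decode_cisco(code: int, value: bytes) -> Dict[str, object]:
    """Decode the Cisco IOS default encoding (assumed; other vendors and some
    Cisco models use other layouts, so a miss just yields an empty dict):
      circuit-id (1): 00 04 <vlan:2> <module:1> <port:1>
      remote-id  (2): 00 06 <switch MAC:6>"""
    if code == 1 and value[:2] == b"\x00\x04" and len(value) == 6:
        vlan, module, port = struct.unpack("!HBB", value[2:])
        return {"vlan": vlan, "module": module, "port": port}
    if code == 2 and value[:2] == b"\x00\x06" and len(value) == 8:
        return {"switch_mac": value[2:].hex(":")}
    return {}


def decode_option82(agent_info: bytes) -> Dict[str, Dict[str, object]]:
    """Name the standard sub-options (RFC 3046) and attach a Cisco decode where
    the bytes fit that layout; the raw hex is kept for every sub-option."""
    names = {1: "circuit_id", 2: "remote_id"}
    result: Dict[str, Dict[str, object]] = {}
    for code, value in parse_suboptions(agent_info):
        entry: Dict[str, object] = {"raw": value.hex()}
        entry.update(decode_cisco(code, value))
        result[names.get(code, "suboption_%d" % code)] = entry
    return result


# Constructed option 82 value in the Cisco default layout for a client on
# VLAN 120, module 1, port 17 of a switch with base MAC 00:1b:54:aa:bb:cc
# (made-up values, not a real capture).
CISCO_SAMPLE = bytes.fromhex("0106000400780111" "02080006001b54aabbcc")
# Constructed vendor-neutral value: a relay that puts an ASCII port name in
# the circuit ID and a bare MAC in the remote ID.
ASCII_SAMPLE = bytes([1, 5]) + b"eth17" + bytes([2, 6]) + bytes.fromhex("00112233aabb")

if __name__ == "__main__":
    print(decode_option82(CISCO_SAMPLE))
    print(decode_option82(ASCII_SAMPLE))
```

Because the relay inserts option 82 and the server echoes it back, the collector sees the switch and port for every client on a tagged segment without touching the client; whether the decode is trustworthy still depends on knowing the relay's model.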


    Mitigation Strategies

    Modify the default DHCP client (change the option 55 list, vendor class and hostname it sends)

    Keep IP segments as small as is reasonable (a broadcast Discover is visible to every host on the segment)
      /24 segment = 254 hosts
      /20 segment = 4094 hosts
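One way to carry out the "modify the default DHCP client" mitigation, as an added example rather than anything from the talk: an ISC dhclient.conf fragment that replaces the three signals the talk relies on (option 60, option 12 and the option 55 list). The vendor class string and the request list are arbitrary choices made for this example; the statement names are those documented in dhclient.conf(5).

```conf
# Added example (not from the talk or PacketFence): ISC dhclient.conf that
# replaces the fingerprintable defaults.

# Option 60: send a generic vendor class instead of the client's own string
# (the string itself is an arbitrary choice for this example).
send vendor-class-identifier "generic-dhcp-client";

# Option 12: do not leak the hostname. Some distributions add a
# "send host-name" line by default; leave it commented out or neutral.
# send host-name "host";

# Option 55: the request statement is exactly what goes into the requested
# parameter list. Ask only for what is needed, in a deliberately plain order.
request subnet-mask, routers, domain-name-servers;
```

Any non-default list is itself distinctive on a network where every other host runs the stock client, so the aim is to stop looking like a specific OS, not to look like nothing. The secs and TTL behaviour is set by the client code and the IP stack, not by this file.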


    Additional Links

    Satori & DHCP Fingerprinting Whitepaper: http://myweb.cableone.net/xnih
    PacketFence (and WRT54G tool): http://www.packetfence.org
    Next Generation DHCP (SysAdmin, 02/2005): http://insipid.com/NGDHCP.pdf


    Related Publications

    'New scheme for passive OS fingerprinting using DHCP message', Joho Shori Gakkai Kenkyu Hokoku (IPSJ SIG Technical Reports), 02/2003
    'Next Generation DHCP Deployments', SysAdmin Magazine, 02/2005


    Other Implementations

    RINGS project

    RogueScanner (Network Chemistry)

    DHCPListener

    Dhcprint Beacon (Great Bay)


    Summary

    DHCP is an accurate and overlooked source of fingerprinting data

    Multiple methods available
      Option 55, most reliable
      Option 60, easiest (when accurate)

    Many potential applications
      NAC
      Asset inventory


    Demo
