What is OS fingerprinting?
Inferring a remote machine's operating system type and version (Windows XP, Linux 2.4...) from unique characteristics of its packets and network behavior.
Useful for:
• Network reconnaissance for pentests
• Network monitoring for administration
• Internal security audits
Existing tools
• Nmap
  o Active probing of TCP, UDP, and ICMP
  o Contains over 4,000 user-submitted OS fingerprints
• xprobe2
  o Many probes for TCP and ICMP
  o Smaller database than nmap
• p0f
  o Passive OS fingerprinter
  o Complete rewrite to version 3 in 2012
Problem with nmap
Nmap requires the following to do an accurate OS scan:
• 1 open TCP port
• 1 closed TCP port
• 1 closed UDP port
• Response to ICMP queries

Nmap scan report for 192.168.0.3
All 1000 scanned ports on 192.168.0.3 are closed
MAC Address: B8:C6:xx:xx:xx:xx (Unknown)
Too many fingerprints match this host to give specific OS details
What about ARP?
• Address Resolution Protocol
• Primarily used to translate IP addresses into MAC addresses on link-local networks
ARP Packet Structure
Neighbor Cache
• Sending an ARP request for every packet would be a waste of network resources. Once an IP address is resolved into a MAC address, it is cached (the Linux kernel calls this the "neighbor cache").
• Cache values time out, but often with complicated timeout policies
• Valid ARP packets will update the cache, but invalid ARP packets should be ignored
ARP Fingerprinting?
• The only tool that used ARP for any sort of fingerprinting was a very minimal implementation (arp-scan) that just sent a few malformed ARP requests and looked for replies
• Finding no existing tools, I wrote my own prototype fingerprinting tool for ARP:
  o Neighbor Cache Fingerprinter (NCF)
Fingerprinting: NCF Response Elicitation
• NCF works under any of the following conditions:
  o If the target responds to ICMP echo packets
    - NCF sends an ICMP echo to the target as the probe packet
    - Target sends back an ICMP echo reply
  o If the target has a single closed TCP port
    - NCF sends a SYN as the probe packet
    - Target sends back a RST packet
  o If the target has an open TCP port
    - NCF sends a SYN as the probe packet
    - Target sends back a SYN/ACK
  o If the target has a closed UDP port
    - NCF sends a UDP packet to the closed port as the probe packet
    - Target sends back an ICMP unreachable packet
Fingerprinting: Number of ARP Requests
NCF: Probes target from a spoofed IP address
Target: Who has IP x.x.x.x (spoofed IP)?
Target: Who has IP x.x.x.x (spoofed IP)?
...
• Windows XP: Gives up after 1 attempt
• Linux: Gives up after 3 attempts
• Android: Gives up after 1-2 attempts
NCF records the min and max retry attempts
Fingerprinting: Cache entry timeout
NCF: Probes target with a spoofed IP address
Target: (ARP) Who has x.x.x.x (spoofed IP address)?
NCF: (ARP) x.x.x.x is at x:x:x:x:x:x (spoofed MAC)
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
... some time later, the entry in the target's ARP cache expires
NCF: Sends another probe
Target: (ARP) Who has x.x.x.x?
Record how long it took for the cache entry to expire
Fingerprinting: Detecting flood prevention
NCF: x.x.x.x is at x:x:x:x:x:80
NCF: x.x.x.x is at x:x:x:x:x:81
NCF: x.x.x.x is at x:x:x:x:x:82
NCF: Sends probe packet
Target: Replies (but to which MAC address?)
If the target has flood protection, it will reply to one of the earlier MAC addresses. If not, it will reply to the last one seen (...82).
Fingerprinting: Gratuitous ARP packets
• A gratuitous or unsolicited ARP reply is an ARP reply for which there was no request
• ARP fields get confusing (great for implementation diversity)
  o What is the target IP of the message? The broadcast address? Zero? The specification actually says the target IP should be the same as the sender IP (it looks like an ARP reply to yourself)
  o What is the target MAC of the message? Broadcast (this is in the Ethernet frame)? The same as the sender MAC address? Neither: it should be zero according to the spec.
  o Even the ARP opcode becomes confusing in the case of unsolicited ARP packets. Is it a "request" for other machines to update their cache? Or is it a "reply", even though it isn't a reply to anyone?
Fingerprinting: Gratuitous ARP packets
We craft gratuitous ARP packets, changing fields to match common implementation errors and oddities.

Ethernet Frame Dst Address  : Bcast or the MAC of our target
ARP Target Hardware Address : 0, bcast, or the MAC of our target
ARP Target Protocol Address : 0 or the IP address of our target
ARP Opcode                  : REPLY or REQUEST

NCF generates 36 different permutations of gratuitous ARP packets, and records whether each one was accepted or ignored by the target.
Fingerprinting: Gratuitous ARP packets
NCF: (permutation 1) x.x.x.x is at x:x:x:x:x:40
NCF: (permutation 2) x.x.x.x is at x:x:x:x:x:41
NCF: Probes target
Target: Replies to probe. If packet 2 was accepted and updated the ARP cache, the response goes to MAC address x:x:x:x:x:41. If it was ignored as an invalid packet, the response goes to MAC x:x:x:x:x:40.
NCF: (permutation 3) x.x.x.x is at x:x:x:x:x:42
NCF: Probes target
Target: Replies to probe (to which spoofed MAC address?)
...
NCF: (permutation 36) x.x.x.x is at x:x:x:x:x:76
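The flood test (slide 13) and the gratuitous permutations (slides 14 to 16) leave a trace that a passive monitor on the same segment can see without sending anything. The Python below is an added example, not the talk's code or the NCF tool: it parses raw Ethernet/ARP frames, labels unsolicited replies with the field deviations slide 14 describes (target MAC not zero, target IP zero or another host, unicast frame), and flags any IP claimed by several different MACs within one capture. All frames, MACs and IPs are constructed for the example.

```python
import struct
from collections import defaultdict

ETH_ARP = b"\x08\x06"                      # EtherType for ARP
BCAST, ZERO_MAC, ZERO_IP = b"\xff" * 6, b"\x00" * 6, b"\x00" * 4
REQUEST, REPLY = 1, 2

def build_frame(eth_dst, sha, spa, tha, tpa, op):
    """Ethernet II header + 28-byte ARP body (hw type Ethernet, proto IPv4)."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth_dst + sha + ETH_ARP + hdr + sha + spa + tha + tpa

def parse_frame(raw):
    """ARP fields as a dict, or None for a non-ARP or truncated frame."""
    if len(raw) < 42 or raw[12:14] != ETH_ARP:
        return None
    return {"eth_dst": raw[0:6], "op": struct.unpack("!H", raw[20:22])[0],
            "sha": raw[22:28], "spa": raw[28:32], "tha": raw[32:38], "tpa": raw[38:42]}

def field_oddities(a):
    """How an unsolicited packet departs from the spec shape on slide 14 (target
    MAC zero, target IP equal to sender IP, frame broadcast); NCF varies these."""
    checks = [(a["tha"] != ZERO_MAC, "nonzero-target-mac"),
              (a["tpa"] == ZERO_IP, "zero-target-ip"),
              (a["tpa"] not in (ZERO_IP, a["spa"]), "target-ip-is-another-host"),
              (a["eth_dst"] != BCAST, "unicast-frame")]
    return [name for hit, name in checks if hit]

def analyze(frames, churn_threshold=3):
    """Label every frame in stream order. A reply is unsolicited when no earlier
    request from its target IP asked for its sender IP. Also report sender IPs
    claimed by churn_threshold or more distinct MACs (the slide 13/16 pattern)."""
    asked, claimed, labels = set(), defaultdict(list), []
    for raw in frames:
        a = parse_frame(raw)
        if a is None:
            labels.append("non-arp")
            continue
        if a["op"] == REQUEST and a["spa"] != a["tpa"]:
            asked.add((a["spa"], a["tpa"]))          # (requester, wanted)
            label = "request"
        elif a["op"] == REPLY and (a["tpa"], a["spa"]) in asked:
            label = "reply"
        else:                                         # announcement or unsolicited
            kind = "announcement" if a["op"] == REQUEST else "unsolicited-reply"
            odd = field_oddities(a)
            label = kind + (":" + ",".join(odd) if odd else "")
        if a["sha"] not in claimed[a["spa"]]:
            claimed[a["spa"]].append(a["sha"])
        labels.append(label)
    churn = {".".join(map(str, spa)): len(macs)
             for spa, macs in claimed.items() if len(macs) >= churn_threshold}
    return labels, churn
```

Feeding this the frames from a real capture (for example the raw bytes of each packet from a pcap file) would surface the permutation sequence as a run of "unsolicited-reply" labels for one IP followed by a churn entry for that IP.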
Fingerprinting
• So many techniques, so little time...
• Correct reply to an RFC 5227 (IPv4 Address Conflict Detection) ARP probe
• Cache entry creation with a gratuitous packet
• Dynamic cache timeout policies
Fingerprinting: Relatively small database
• Windows 7, Windows 7 or Windows Server 2008, Windows XP or Windows Server 2003
• Linux 3.x, Linux 2.6 (newer than 2.6.24), Linux 2.6 (older than 2.6.24), Linux 2.4
• FreeBSD or OpenBSD, NetBSD
• Android 4.0.4, Android 3.2
• Minix 3.2
• ReactOS 0.3.13
• Lexmark Printer
• SonicWall OS
• Wind River VxWorks
• 3com NBX V3000 (IP Telephone System)
• Honeyd Honeypot
• Scientific Atlanta DPC2100 Cable Modem, Terayon TJ715 Cable Modem
• SMC Barricade Broadband Router, MontaVista embedded Linux 2.4.17
Neighbor Cache Fingerprinter
Source code, documentation, and issue tracker:
github.com/PherricOxide/Neighbor-Cache-Fingerprinter

Find bugs and report them on GitHub.
Better yet, find bugs and submit patches.
Email me fingerprints at dtclark@asu.edu

Questions, comments, concerns?