Monday, June 23, 2014

Filters and updates

This was one of those learning moments.  You've used a tool for years and it has always worked for you and then all of a sudden you're getting results you aren't expecting.  After 30 mins of looking at the code, verifying it works in your primary location but not in the one you've provided to the rest of the world, it finally dawns on you that you've added filters into the program to limit the garbage that you have to process.

This could have been wireshark or a plethora of programs out there, but this was in Satori.

Historically I didn't use the filters much, it was something added at the request of someone else, but more are more at home I've found myself using them.  Problem is, I sometimes forget they are turned on.  I wanted all of my local 192.168.x.x traffic and any of my local IPv6 traffic (FE80::), but when doing DHCP work, it makes a big difference if you've added that last one in there.  Without I wasn't seeing any discover or request packets and for the life of me I couldn't figure out why!

It is always wise to go back to the basics when something all of a sudden stops working.  Get things back to a set starting point with no tweaks in place and make sure it is working there, before spending 30 mins digging through code and realizing there is nothing wrong with it and it works fine on that system!

Anyway, all that to lead up to the fact that I've updated web, tcp, webagents, sip and the main satori.exe file (that was one change to make sure Windows 8.1 was in the hard coded part of the program I've never got out to config files yet).

Thursday, May 29, 2014

DHCP Inform vuln?

I have not verified this, but since most of my work was around DHCP related fingerprinting I found it interesting.  I wonder how many other DHCP clients are vuln to this on my test systems.

Anyway, this is a direct repost off of FD from earlier today with only slight modifications for formatting issues:

Title:           Microsoft DHCP INFORM Configuration Overwrite
Version:         1.0
Issue type:      Protocol Security Flaw
Affected vendor: Microsoft
Release date:    28/05/2014
Discovered by:   Laurent GaffiĆ©
Advisory by:     Laurent GaffiĆ©
Issue status:    Patch not available


A vulnerability in Windows DHCP ( was
found on Windows OS versions ranging from Windows 2000 through to Windows server 2003.  This
vulnerability allows an attacker to remotely overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user interaction. Successful exploitation of this issue will result in a remote network configuration overwrite. Microsoft acknowledged the issue but has indicated no plans to
publish a patch to resolve it.

Technical details

Windows 2003/XP machines are sending periodic DHCP INFORM requests and are not checking if the DHCP INFORM answer (DHCP ACK) is from the registered DHCP server/relay-server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.


Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.

Affected products

- 2000
- XP
- 2003

Proof of concept
The utility found within the Responder toolkit can be used to exploit this vulnerability.

git clone

Set a DWORD registry key "UseInform" to "0" in each subfolder found in HKLM\SYSTEM\CCS\Services\TCP\Interfaces\

Response timeline
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )
* 18/04/2014 - Suggested to vendor to run Responder on a A-D environment while looking at the DHCP issue for education purposes. Since multiple attempts were made to have them be aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was
asked what code change made this DHCP INFORM issue different on Windows
Vista than Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC reply and refuses to share their view on the code change, however they mention that 'The product team is investigating whether the RFC for a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but the logic behind it. Also, MSRC was asked if they were successful with Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on if they were successful with Responder in their environment.

* Responder:

Thursday, May 8, 2014

Accelerometer fingerprinting in mobile devices

Interesting research here.

They say: “An accelerometer fingerprint can serve as an electronic cookie, empowering an adversary to consolidate data per user, and track them over space and time. Alarmingly, such a cookie is hard to erase, unless the accelerometer wears out to the degree that its fingerprint becomes inconsistent. We have not noticed any evidence of this in the nine months of experimentation with 107 accelerometers.”

Original writeup:


It would be interesting to know how accurate this really is once you start getting into 1000's and 100,000's of devices.  While I can see where you could determine general info about what device and accelerometer is it in, using it to track and individual user may be a bit more problematic.  With that said, I haven't read the 16 page right up yet, just the quick news article and with that I'll admit I scanned it.

Interesting approach and cool way to do it!

Tuesday, December 31, 2013

Satori and AV (SEP at least)

Funny thing today.  I went to download Satori and install it on my work computer and Symantec deleted it for reputation......

Looks like I need to put in a request to get them to whitelist it.  Guess I know what I get to do on my vacation.  Thanks a lot Symantec!  Nothing like not being able to install ones own software because the AV company decided it didn't like it (I know I'm not the first and won't be the last).

Update:  Look at that, Kaspersky has no issue with it on another system.

2/17/2014 - update.  If any of you using Satori are Symantec users, please submit false positive reports as this is what I got back!

We are writing in relation to your application through Symantec's on-line Software White-listing Request form for your software Satori.
Symantec has decided not to add this software to its white-list at this time.
Please note that this decision does not mean that Symantec products will necessarily detect your software in the future.
It simply means that Symantec could not conclude from its analysis at this time that your software should be included in its white-list.
Symantec does not disclose or discuss its decision or analysis; however, in the event Symantec products detect your software at any point and you believe the detection to be a false positive, you may notify us through Symantec's on-line Security Risk/False Positive Dispute Submission form available at:

Friday, July 5, 2013

SANS webinar - What Matters in Your Chatter?

I like to listen to a lot of SANS webinars and most I get a bit out of, but some I get a lot out of.

The presenter on this one pointed out that one of the big issues in our field is most of us aren't excited anymore about things, digging into them because we want to learn more, instead just spending time filtering through stuff we already know.  We need to be looking for new things and be excited doing it!

It reminded me of why I got into this field before and how excited I was when I found the ability to do DHCP fingerprinting.

It was by no means the best webinar I've ever listened to, but it was a good one to listen to.

Saturday, June 29, 2013

More on Interesting Patents

Amazing what you find when you start searching even more.  I'm really surprised Google Alerts never picked some of these up before and alerted me on them!

Detecting Rouge Wireless Devices via DHCP Fingerprinting:
Microsoft - 2011

Appears to be a similar one, but not sure of differences right now.
Microsoft - 2007

System and Method for Resolving OS or Service Identity Conflicts (using SMB, DHCP, etc)
SourceFire - 2011

So it looks like a few other places have put some patents on DHCP fingerprinting in the past few years also.

Patents on OS Fingerprinting - DHCP specifically

I'll admit, I've never looked much into patents and how they work (what protection they give you, how much they are worth, etc), but I'm curious how one gets one for OS fingerprinting?  Specifically on a technology that many people were freely writing about prior to the patent being filed.

Infoblox was one of my last posts after they popped up on a google alert and a buddy just sent me a link to this:

On Aug 23, 2006 they  filed this patent.  It took until Jun 4, 2013 for it to be approved if I read this correctly.

General history on DHCP fingerprinting from what I've found in my research on it over the years and my personal involvement in it:

Dave Hull and George F Willard III publish a paper on it from their research at KU.
Feb 2005 -

Many small spinoff programs start up based on the POC code and info.

March 2005 - I'm sitting in Iraq and find out about it myself for the first time looking through packets with no idea of the paper published the month before.  I was stoked when I first found out about using this technique and was a bit crushed when I found I wasn't the first to have found it.

I publish a general paper on OS fingerprinting and start discussing DHCP fingerprinting in more detail
August 2005 -

Sometime over the next two years I start working with David LaPorte from the PacketFence project to see if we can get something together to talk about DHCP fingeprinting at Blackhat.  We eventually get accepted to present it at BH Japan in 2007:
July 2007 -
October 2007 -

During the last of my research I found indications that everyone listed so far was at least 2 years behind on this idea when we started talking about it in 2005 since there was a group out of Japan in Feb 2003 that published something on it!  Though I never found a translated copy on it at the time, you may be able to order a copy in Japanese here:
"New scheme for passive OS fingerprinting using DHCP message" - Joho Shori Gakkai Kenkyu Hokoku, Feb 2003!

Since 2007 many large companies have finally gotten onto the band wagon of DHCP fingerprinting which I'm glad to see.  It has taken 10 years since the first papers I'm aware of and at going on 6 years after the BH 2007 event which seemed to generate a lot of interest.  I know this since I had calls and some emails from at least one very large company now doing it and many small companies over the years.

I'm hoping that this patent doesn't cause any issues in the world of using DHCP fingerprinting for OS identification, but only time will tell.

Wednesday, June 12, 2013

Infoblox, new player in the DHCP fingeprinting world

I got a new Google Alert yesterday on "DHCP Fingerprinting", hadn't had much traffic on it in quite awhile now. 

The notice I found was here.

I'll admit I know nothing about this company, though I did like their writeup on DHCP Fingerprinting.  It is only 2 pages long, so short and to the point, covering what most upper management needs.  What their writeup I assume they are only doing Option 55 fingerprinting.

With that said though I did find the original writeup a bit funny.

"With the new Infoblox DHCP Fingerprinting technology, network administrators can see device type information - such as iOS or Android devices, an Xbox, or a Linksys router -"

New?  Did they say new?  I presented on this in 2007 and a few people, myself included were discussing it as early as 2005.  So while it may be new for them, this is by no means new technology!

Ok, all of that aside, it is cool to see another company using it. 

Friday, March 15, 2013

File updates to go with site change

I've been quite happy with the quick turn around that those that are using or have links to Satori have been able to update blog posts, urls, and in this case a program to the new url.  I'm still waiting for some people to get back to me, but little by little it will get taken care of.
Jeff updated his two programs that point to my website to grab fingerprinting files.  They can be found/download here:

DHCP Fingerprint Manager

Fingerprint Editor


Wednesday, March 13, 2013


So my ISP decided to stop offering web hosting.  It wasn't great to start with, but it was free and is where my programs and papers have been hosted for 10+ years so I was a little sad to see go away.  It is out there in many news groups and many posts over at least the last 7-8 years of posts, but oh well.

I purchased the name as it was a name I've used for a lot of other things, this blog included, so I figured it made sense.

In looking for locations on the net, that I had access to post info at least, I began searching for where I could and found all over the place.

The nice thing about that, found 3 different articles where either I'm mentioned or Satori is that I didn't know about.

Starting with 2009, I believe a russian magazine.  They are actually talking about NetworkMiner, but there appears to be a link to Satori.  Page 39 here at xakep. (if there is anything bad about the site or anything else, my apologies!)

Late 2012, December time frame a Gold paper for SANS for his GCIA.  "What's running on your network?  Analyzing pcap data with tshark".  My only complaint, my name is misspelled as always :) But it can be found here.

And the 3rd one I found was an article in INternation Jounal of Computer Applications from Feb of this year.  "Investigation of DHCP Packets using Wireshark".  My last name got hosed again, but I'm quite used to it these days!  This paper can be found here and I was just a reference.

Can't say I've read either of the 2 papers there yet, but guess that will be this weekends project.