Tuesday, December 31, 2013

Satori and AV (SEP at least)

Funny thing today.  I went to download Satori and install it on my work computer and Symantec deleted it for reputation......

Looks like I need to put in a request to get them to whitelist it.  Guess I know what I get to do on my vacation.  Thanks a lot Symantec!  Nothing like not being able to install one's own software because the AV company decided it didn't like it (I know I'm not the first and won't be the last).

Update:  Look at that, Kaspersky has no issue with it on another system.

2/17/2014 - update.  If any of you using Satori are Symantec users, please submit false positive reports as this is what I got back!

We are writing in relation to your application through Symantec's on-line Software White-listing Request form for your software Satori.
Symantec has decided not to add this software to its white-list at this time.
Please note that this decision does not mean that Symantec products will necessarily detect your software in the future.
It simply means that Symantec could not conclude from its analysis at this time that your software should be included in its white-list.
Symantec does not disclose or discuss its decision or analysis; however, in the event Symantec products detect your software at any point and you believe the detection to be a false positive, you may notify us through Symantec's on-line Security Risk/False Positive Dispute Submission form available at: https://submit.symantec.com/false_positive/

Friday, July 5, 2013

SANS webinar - What Matters in Your Chatter?

I like to listen to a lot of SANS webinars and most I get a bit out of, but some I get a lot out of.

The presenter on this one pointed out that one of the big issues in our field is that most of us aren't excited anymore about things, digging into them because we want to learn more; instead we just spend time filtering through stuff we already know.  We need to be looking for new things and be excited doing it!

It reminded me of why I got into this field before and how excited I was when I found the ability to do DHCP fingerprinting.

It was by no means the best webinar I've ever listened to, but it was a good one to listen to.

Saturday, June 29, 2013

More on Interesting Patents

Amazing what you find when you start searching even more.  I'm really surprised Google Alerts never picked some of these up before and alerted me on them!

Detecting Rogue Wireless Devices via DHCP Fingerprinting:
Microsoft - 2011

Appears to be a similar one, but not sure of differences right now.
Microsoft - 2007

System and Method for Resolving OS or Service Identity Conflicts (using SMB, DHCP, etc)
SourceFire - 2011

So it looks like a few other places have put some patents on DHCP fingerprinting in the past few years also.

Patents on OS Fingerprinting - DHCP specifically

I'll admit, I've never looked much into patents and how they work (what protection they give you, how much they are worth, etc), but I'm curious how one gets one for OS fingerprinting?  Specifically on a technology that many people were freely writing about prior to the patent being filed.

Infoblox was one of my last posts after they popped up on a Google Alert, and a buddy just sent me a link to this:

http://www.freepatentsonline.com/8458308.html

On Aug 23, 2006 they filed this patent.  It took until Jun 4, 2013 for it to be approved if I read this correctly.

General history on DHCP fingerprinting from what I've found in my research on it over the years and my personal involvement in it:

Dave Hull and George F Willard III publish a paper on it from their research at KU.
Feb 2005 - http://kuscholarworks.ku.edu/dspace/bitstream/1808/584/1/NGDHCP.pdf

Many small spinoff programs start up based on the POC code and info.

March 2005 - I'm sitting in Iraq and find out about it myself for the first time looking through packets with no idea of the paper published the month before.  I was stoked when I first found out about using this technique and was a bit crushed when I found I wasn't the first to have found it.

I publish a general paper on OS fingerprinting and start discussing DHCP fingerprinting in more detail
August 2005 - http://chatteronthewire.org/download/OS%20Fingerprint.pdf

Sometime over the next two years I start working with David LaPorte from the PacketFence project to see if we can get something together to talk about DHCP fingerprinting at Blackhat.  We eventually get accepted to present it at BH Japan in 2007:
July 2007 - http://chatteronthewire.org/download/chatter-dhcp.pdf
October 2007 - http://chatteronthewire.org/download/bh-japan-laporte-kollmann-v8.ppt

During the last of my research I found indications that everyone listed so far was at least 2 years behind on this idea when we started talking about it in 2005 since there was a group out of Japan in Feb 2003 that published something on it!  Though I never found a translated copy on it at the time, you may be able to order a copy in Japanese here:
"New scheme for passive OS fingerprinting using DHCP message" - Joho Shori Gakkai Kenkyu Hokoku, Feb 2003!

Since 2007 many large companies have finally gotten onto the bandwagon of DHCP fingerprinting, which I'm glad to see.  It has taken 10 years since the first papers I'm aware of, and it is going on 6 years after the BH 2007 event, which seemed to generate a lot of interest.  I know this since I had calls and some emails from at least one very large company now doing it and many small companies over the years.

I'm hoping that this patent doesn't cause any issues in the world of using DHCP fingerprinting for OS identification, but only time will tell.

Wednesday, June 12, 2013

Infoblox, new player in the DHCP fingerprinting world

I got a new Google Alert yesterday on "DHCP Fingerprinting", hadn't had much traffic on it in quite awhile now. 

The notice I found was here.

I'll admit I know nothing about this company, though I did like their writeup on DHCP Fingerprinting.  It is only 2 pages long, so short and to the point, covering what most upper management needs.  From their writeup I assume they are only doing Option 55 fingerprinting.

With that said though I did find the original writeup a bit funny.

"With the new Infoblox DHCP Fingerprinting technology, network administrators can see device type information - such as iOS or Android devices, an Xbox, or a Linksys router -"

New?  Did they say new?  I presented on this in 2007 and a few people, myself included were discussing it as early as 2005.  So while it may be new for them, this is by no means new technology!

Ok, all of that aside, it is cool to see another company using it. 

Friday, March 15, 2013

File updates to go with site change

I've been quite happy with the quick turn around that those that are using or have links to Satori have been able to update blog posts, urls, and in this case a program to the new url.  I'm still waiting for some people to get back to me, but little by little it will get taken care of.
 
Jeff updated his two programs that point to my website to grab fingerprinting files.  They can be found/downloaded here:


DHCP Fingerprint Manager

Fingerprint Editor

 

Wednesday, March 13, 2013

Update

So my ISP decided to stop offering web hosting.  It wasn't great to start with, but it was free and is where my programs and papers have been hosted for 10+ years so I was a little sad to see http://myweb.cableone.net/xnih go away.  It is out there in many news groups and many posts over at least the last 7-8 years of posts, but oh well.

I purchased the name chatteronthewire.org as it was a name I've used for a lot of other things, this blog included, so I figured it made sense.

In looking for locations on the net, that I had access to post info at least, I began searching for where I could and found http://myweb.cableone.net/xnih all over the place.

The nice thing about that, found 3 different articles where either I'm mentioned or Satori is that I didn't know about.

Starting with 2009, I believe a Russian magazine.  They are actually talking about NetworkMiner, but there appears to be a link to Satori.  Page 39 here at xakep. (if there is anything bad about the site or anything else, my apologies!)

Late 2012, December time frame a Gold paper for SANS for his GCIA.  "What's running on your network?  Analyzing pcap data with tshark".  My only complaint, my name is misspelled as always :) But it can be found here.

And the 3rd one I found was an article in International Journal of Computer Applications from Feb of this year.  "Investigation of DHCP Packets using Wireshark".  My last name got hosed again, but I'm quite used to it these days!  This paper can be found here and I was just a reference.

Can't say I've read either of the 2 papers there yet, but guess that will be this weekends project.

Friday, February 15, 2013

Catching up

Erik has released a new version of caploader and you can find more information here.  One of the complaints I got when I posted about 1.0 was that people wanted a demo, and guess what, there is a demo version now along with a number of enhancements.

Most of my time of late has been playing with my Raspberry Pi and looking at different options I can do with it.

My main goal years ago for releasing my Linux version of Satori was to put it on a little system like this.  In that vein I've started looking at rewriting Satori in Python and making the code available.  This has been a goal for a long time and is not going very far very fast, but eventually I hope to have something to release!

Friday, December 7, 2012

ICMP OS Fingerprinting

Interesting, this was in draft form, not sure how long it has been here, nor where I was going, but here it is as I left it.....

Quite honestly I thought ICMP based OS Fingerprinting was dead and had been for years now that almost all OS's default to running a firewall! I was quite surprised to see that NetScanTools Pro has an option in it to still do this.

Happened to pick up an article from Laura Chappell, which had a link to this quicktime audio: http://www.screencast.com/users/laurachappell/folders/Media%20Roll/media/75047d06-2801-49b7-87d3-0e41a3abd500

I really hate installing software that installs half a dozen other pieces of software (such as C++ Redistributable, I mean I understand why, but it just drives me nuts, I miss all inclusive programs)

Stuff in the Q...

These come into my google alerts some times, but I don't always get around to them very timely.

1.  This one was from back in Oct.  Memory-Only Operating System Fingerprinting in the Cloud

Has some interesting pieces of info in it.  On my list to get back to and actually read all the way through instead of just skimming it.

Abstract for those interested:
Precise fingerprinting of an operating system (OS) is critical to many security and virtual machine (VM) management applications in the cloud, such as VM introspection, penetration testing, guest OS administration (e.g., kernel update), kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM is always present in all these applications, in this paper, we present OS-SOMMELIER, a memory-only approach for precise and efficient cloud guest OS fingerprinting. Given a physical memory dump of a guest OS, the key idea of OS-SOMMELIER is to compute the kernel code hash for the precise fingerprinting. To achieve this goal, we face two major challenges: (1) how to differentiate the main kernel code from the rest of code and data in the physical memory, and (2) how to normalize the kernel code to deal with practical issues such as address space layout randomization. We have designed and implemented a prototype system to address these challenges. Our experimental results with over 45 OS kernels, including Linux, Windows, FreeBSD, OpenBSD and NetBSD, show that our OS-SOMMELIER can precisely fingerprint all the tested OSes without any false positives.

2.  I've been sitting on this since back in September, though it may have been out much longer than that.  That was when the Google Alert showed up.

YAF does DHCP fingerprinting.  It appears to just use the fingerprints from PacketFence based on the writing, but it is nice to see another program out there taking up DHCP fingerprinting.

By looking at the order of the DHCP options in the DHCP requests from the Operating System's DHCP client, it may be possible to identify the client's OS version. The yaf DHCP fingerprinting plugin does exactly that. For flows that yaf has labeled as DHCP, yaf will look at the DHCP options if available in the payload captured for that flow. yaf specifically looks at Option 55. Option 55 requests a list of parameters. The order in which they are requested can usually identify the OS of the requesting IP address.
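To make the Option 55 technique quoted above concrete, here is an added example (my illustration for this page, not code from Satori, PacketFence or yaf) that builds a DHCPDISCOVER with a chosen Parameter Request List, walks the option area back out of the raw bytes, and turns Option 55 into the comma-separated ordered signature that fingerprint databases key on.  The three table entries and their OS labels are constructed placeholders, not entries copied from any real fingerprint file; a real database carries hundreds.

```python
"""Option 55 (Parameter Request List) DHCP fingerprinting.

Added example for this page; not Satori's, PacketFence's or yaf's code.
The FINGERPRINTS table below is constructed for illustration only.
"""
import struct
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236            # op .. file fields, before the magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE, OPT_PARAM_REQ_LIST = 53, 55

# Constructed, illustrative table: the key is the exact *ordered* Option 55
# list; the labels are assumptions for this example, not real fingerprints.
FINGERPRINTS: Dict[str, str] = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "Example OS A",
    "1,121,3,6,15,119,252": "Example OS B",
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "Example OS C",
}


def build_dhcp_discover(mac: bytes, param_req_list: List[int], xid: int = 0x3903F326) -> bytes:
    """Build a minimal BOOTREQUEST/DHCPDISCOVER carrying the given Option 55 list.

    Field order follows RFC 2131: op, htype, hlen, hops, xid, secs, flags,
    ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
    """
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, xid, 0, 0x8000,            # broadcast flag set
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = bytes([OPT_MSG_TYPE, 1, 1])                                   # DHCPDISCOVER
    options += bytes([OPT_PARAM_REQ_LIST, len(param_req_list)]) + bytes(param_req_list)
    options += bytes([OPT_END])
    return header + MAGIC_COOKIE + options


def parse_dhcp_options(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV option area; skip pads, stop at END, refuse truncated data.

    A code that appears more than once is concatenated (RFC 3396 long options).
    """
    cookie_end = FIXED_HEADER_LEN + 4
    if len(packet) < cookie_end or packet[FIXED_HEADER_LEN:cookie_end] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: too short or bad magic cookie")
    options: Dict[int, bytes] = {}
    i = cookie_end
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated (wanted {length}, got {len(value)})")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def option55_signature(packet: bytes) -> Optional[str]:
    """Return the ordered Parameter Request List as '1,3,6,...' or None if absent."""
    prl = parse_dhcp_options(packet).get(OPT_PARAM_REQ_LIST)
    if not prl:
        return None
    return ",".join(str(b) for b in prl)


def fingerprint(packet: bytes) -> Tuple[Optional[str], str]:
    """Map a packet to (signature, label); order matters, so a reordered list is 'unknown'."""
    sig = option55_signature(packet)
    if sig is None:
        return None, "no option 55 present"
    return sig, FINGERPRINTS.get(sig, "unknown")


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                      # constructed client MAC
    for prl in ([1, 121, 3, 6, 15, 119, 252], [3, 1, 121, 6, 15, 119, 252], []):
        print(fingerprint(build_dhcp_discover(mac, prl)))
```

The match is on the exact ordered list, which is the whole point of the technique: two clients that ask for the same options in a different order are different fingerprints.  The caveat a practitioner should keep in mind is that the list is chosen by the DHCP client software, not enforced by anything, so a custom client or a spoofed packet can present any list it likes, and a database miss means only that nobody has catalogued that client yet.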