Wednesday, May 10, 2017

Fingerbank Collector

Ok, it has been eon's since my last post and this has more to do with other projects taking up my time in electronics than in fingerprinting, but I still like to dabble in this world as time permits.

Going back to 2007 and a lot of what Satori does/did, it looks like fingerbank has taken on, which is very cool to see!

ARP, DHCP v4 and v6, DNS and mDNS, HTTP and HTTPS, Radius (one I never tried to utilize) and TCP

They are doing it cloud based and it is closed source, but still cool to see what I was doing 7 years ago is making it main stream these days in yet another project.

Saturday, November 14, 2015

Satori rewrite

Ok, for years I've been planning on rewriting Satori in python (or something else) and never have gotten around to it.  Well 2 weeks ago I started playing with pyshark while working with SMB packets for FOR572 class.  More on that project in the future, but it got me thinking, why go to all of the headache of writing new code to parse all those packets, instead use the power of tshark, via pyshark.

So with that said, I really do plan on Satori 2.0 (or would it be 1.0 since I never made it out of the 0.7x arena).  The future releases of Satori will be pyshark/python based with tshark on the backend to do the heavy lifting.  I plan on just coding enough to pull the needed info and query the underlying .xml files for fingerprint data.  This will get it off the ground again, though may not make it as fast as it could be, but trade offs, it is that or I probably never get back to it :)

I'm not sure I can do everything I was doing with Satori before, but I can easily do dhcp, http agent string, and some of the smb stuff I was doing.

I'm thinking about adding some SSL fingerprinting to it also.

All of this to say, evidently Satori isn't dead from my end!  Just taken a bit of a break.

Tuesday, January 13, 2015

OS's - patching and support

In the past few weeks Microsoft has appeared a bit peeved with Google's disclosure policy.  They had a patched planned for Patch Tuesday (today) and the information about it hit the 90 day mark back at the end of December and was released by Google. 

There have been a number of threads going on the different lists I'm on, some supporting this saying Microsoft knew their policy and knew the dead line, while others upset at google who knew a patch was in the plans and released the data anyway.

I've been back and forth on Full Disclosure vs Responsible Disclosure over the years.  I see both sides and understand the needs.  I do believe the security researchers that find these bugs and push the vendors to get patches out the door are important, but I also believe a lot of these researchers (not all, but a lot) haven't had to support large organizations and deal with the "headache" these things cause.

In the end, supporting or trying to secure a large organization is tough to start with, made tougher by the numerous pieces of software and hardware that may be out there and made even tougher when you don't have total control over what is on your network (at least in the .edu space).  Add to that screwed up patches that get pulled and 3rd parties disclosing things "days" before a patch is due out, its almost enough to make you pull your hair out some days.

Microsoft has the problem of trying to make sure that things are backwards compatible, supporting things from 10+ years ago.  Google on the other hand just drives forward with a new OS and dropping support for older ones.

Case in point:

As we see more and more devices built on the Android OS and their support just ending, due to carriers not doing upgrades, or whatever, it will be interesting to see how things plays out in the future.  Will Google actually be the one that takes the heat or will the carrier (from the public).  Or will the idea of just throwing the old equipment away and constantly upgrading continue to be the norm?

I'm still running an old 2.3.x "smart" phone.  I don't surf the net with it, it gives me phone access and it gives me my calendar stuff.  It works for what I need, but I know its limitations and security implications if I surf the web with it.  How many users do?  Should we really be forced to spend that much every 2 years to replace older tech?  Maybe things change constantly, it isn't like when I started and we used to get new AV definitions every 6 months anymore :)  But I hate to see us continue to throw away perfectly working tech that could be patched.

Oh well, I digress.  Another Patch Tuesday is upon us and another will come next month.  Changes will continue to happen and those that have to support systems will continue to adapt or short of that move on to other things!

Friday, December 26, 2014

Pi clones

The raspberry pi was a great little device a few years ago.  Great price point, allowed you to run linux on a very small device that if lost/stolen wouldn't be the end of the world, but it also had very little horse power to do much of anything.  Trying to run a GUI on it was painfully slow due to the limited ram and single core proc running at 700 or so.

There have been a few different clones, found 2 I liked last night in searching around for things.

At $37 bucks hard to beat a quad cpu, 1 GB ram device.  It should provide a bit more omf when needed!  It is on my wish list to order now since I found it, perhaps today I'll do it.

The BPi-R1 -
Newegg is carrying these at $75 (  While not as powerful as the ODROID-C1, this one is the kitchen sink, designed specifically for a home router type setup, it has what I've wanted which is a built in switch.  I've wanted to build a box to route game traffic through and do some manipulation of the traffic.  Not sure if it will be powerful enough, but doing some tcpdumps off this may be an option.

For now I'll stick with the ODROID-C1 I think and just put a USB to ethernet jack on it so I have a 2nd wired port to route stuff through.

Anyway, raspberry pi has made some great things possible.  I hope we continue to see higher powered systems (more ram actually) at the sub $50 mark.

Maybe I'll just build a few of these with ARPWatch on them and drop them on some of my closed networks!

Monday, June 23, 2014

Filters and updates

This was one of those learning moments.  You've used a tool for years and it has always worked for you and then all of a sudden you're getting results you aren't expecting.  After 30 mins of looking at the code, verifying it works in your primary location but not in the one you've provided to the rest of the world, it finally dawns on you that you've added filters into the program to limit the garbage that you have to process.

This could have been wireshark or a plethora of programs out there, but this was in Satori.

Historically I didn't use the filters much, it was something added at the request of someone else, but more are more at home I've found myself using them.  Problem is, I sometimes forget they are turned on.  I wanted all of my local 192.168.x.x traffic and any of my local IPv6 traffic (FE80::), but when doing DHCP work, it makes a big difference if you've added that last one in there.  Without I wasn't seeing any discover or request packets and for the life of me I couldn't figure out why!

It is always wise to go back to the basics when something all of a sudden stops working.  Get things back to a set starting point with no tweaks in place and make sure it is working there, before spending 30 mins digging through code and realizing there is nothing wrong with it and it works fine on that system!

Anyway, all that to lead up to the fact that I've updated web, tcp, webagents, sip and the main satori.exe file (that was one change to make sure Windows 8.1 was in the hard coded part of the program I've never got out to config files yet).

Thursday, May 29, 2014

DHCP Inform vuln?

I have not verified this, but since most of my work was around DHCP related fingerprinting I found it interesting.  I wonder how many other DHCP clients are vuln to this on my test systems.

Anyway, this is a direct repost off of FD from earlier today with only slight modifications for formatting issues:

Title:           Microsoft DHCP INFORM Configuration Overwrite
Version:         1.0
Issue type:      Protocol Security Flaw
Affected vendor: Microsoft
Release date:    28/05/2014
Discovered by:   Laurent GaffiĆ©
Advisory by:     Laurent GaffiĆ©
Issue status:    Patch not available


A vulnerability in Windows DHCP ( was
found on Windows OS versions ranging from Windows 2000 through to Windows server 2003.  This
vulnerability allows an attacker to remotely overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user interaction. Successful exploitation of this issue will result in a remote network configuration overwrite. Microsoft acknowledged the issue but has indicated no plans to
publish a patch to resolve it.

Technical details

Windows 2003/XP machines are sending periodic DHCP INFORM requests and are not checking if the DHCP INFORM answer (DHCP ACK) is from the registered DHCP server/relay-server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.


Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.

Affected products

- 2000
- XP
- 2003

Proof of concept
The utility found within the Responder toolkit can be used to exploit this vulnerability.

git clone

Set a DWORD registry key "UseInform" to "0" in each subfolder found in HKLM\SYSTEM\CCS\Services\TCP\Interfaces\

Response timeline
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )
* 18/04/2014 - Suggested to vendor to run Responder on a A-D environment while looking at the DHCP issue for education purposes. Since multiple attempts were made to have them be aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was
asked what code change made this DHCP INFORM issue different on Windows
Vista than Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC reply and refuses to share their view on the code change, however they mention that 'The product team is investigating whether the RFC for a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but the logic behind it. Also, MSRC was asked if they were successful with Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on if they were successful with Responder in their environment.

* Responder:

Thursday, May 8, 2014

Accelerometer fingerprinting in mobile devices

Interesting research here.

They say: “An accelerometer fingerprint can serve as an electronic cookie, empowering an adversary to consolidate data per user, and track them over space and time. Alarmingly, such a cookie is hard to erase, unless the accelerometer wears out to the degree that its fingerprint becomes inconsistent. We have not noticed any evidence of this in the nine months of experimentation with 107 accelerometers.”

Original writeup:


It would be interesting to know how accurate this really is once you start getting into 1000's and 100,000's of devices.  While I can see where you could determine general info about what device and accelerometer is it in, using it to track and individual user may be a bit more problematic.  With that said, I haven't read the 16 page right up yet, just the quick news article and with that I'll admit I scanned it.

Interesting approach and cool way to do it!

Tuesday, December 31, 2013

Satori and AV (SEP at least)

Funny thing today.  I went to download Satori and install it on my work computer and Symantec deleted it for reputation......

Looks like I need to put in a request to get them to whitelist it.  Guess I know what I get to do on my vacation.  Thanks a lot Symantec!  Nothing like not being able to install ones own software because the AV company decided it didn't like it (I know I'm not the first and won't be the last).

Update:  Look at that, Kaspersky has no issue with it on another system.

2/17/2014 - update.  If any of you using Satori are Symantec users, please submit false positive reports as this is what I got back!

We are writing in relation to your application through Symantec's on-line Software White-listing Request form for your software Satori.
Symantec has decided not to add this software to its white-list at this time.
Please note that this decision does not mean that Symantec products will necessarily detect your software in the future.
It simply means that Symantec could not conclude from its analysis at this time that your software should be included in its white-list.
Symantec does not disclose or discuss its decision or analysis; however, in the event Symantec products detect your software at any point and you believe the detection to be a false positive, you may notify us through Symantec's on-line Security Risk/False Positive Dispute Submission form available at:

Friday, July 5, 2013

SANS webinar - What Matters in Your Chatter?

I like to listen to a lot of SANS webinars and most I get a bit out of, but some I get a lot out of.

The presenter on this one pointed out that one of the big issues in our field is most of us aren't excited anymore about things, digging into them because we want to learn more, instead just spending time filtering through stuff we already know.  We need to be looking for new things and be excited doing it!

It reminded me of why I got into this field before and how excited I was when I found the ability to do DHCP fingerprinting.

It was by no means the best webinar I've ever listened to, but it was a good one to listen to.

Saturday, June 29, 2013

More on Interesting Patents

Amazing what you find when you start searching even more.  I'm really surprised Google Alerts never picked some of these up before and alerted me on them!

Detecting Rouge Wireless Devices via DHCP Fingerprinting:
Microsoft - 2011

Appears to be a similar one, but not sure of differences right now.
Microsoft - 2007

System and Method for Resolving OS or Service Identity Conflicts (using SMB, DHCP, etc)
SourceFire - 2011

So it looks like a few other places have put some patents on DHCP fingerprinting in the past few years also.