Wednesday, December 24, 2008

EDHCPFingerprint

Jeff from Enterasys has been working with me and Erik (author of NetworkMiner) on tweaks to the dhcp schema. A lot of it was changes they wanted to see done to help extend it out. I was just the middle man since I own the file! :)

These changes will come in quite useful, in different ways, to all of us and I'm glad they were made. Hopefully we've finished for now with the latest change being done earlier this morning.

In the near future, hopefully I'll start leveraging the new info included in it better. Just need time!

Anyway, check out EDHCPFingerprint if you get a chance.

Wednesday, December 17, 2008

Updated Software

NetworkMiner -
Ok, been spending a lot of time trying to crash NetworkMiner for the author. Found a nice little bug he had going and quite a few crashes. All of those are fixed in 0.87, which was recently released. If you are using NetworkMiner I highly recommend updating to the latest version to fix the nasty little bug earlier versions had when saving files.

Satori -
Also been spending a lot of time with Erik, author of NetworkMiner, and Jeff (from a private company) on updating the dhcp.xml file schema. Jeff had a lot of good recommendations and has provided a few new fingerprints. Between the 3 of us we updated the schema to what I think is a very good 1.0 version. I may do an overhaul of it a year or two down the road to add some other functionality into it, but we'll see. Anyway, the new version allows us to group Devices much more cleanly than before. For Satori it will give me the ability to group Devices across fingerprinting files (dhcp, icmp, tcp), since all 3 have been updated to the new format. Not sure when I'll add the functionality to utilize it, but the schema is updated, along with the removal of a lot of old information in the dhcp.xml file that came from the packetfence.org project. It was nice to have at one point, but since they do not track whether a fingerprint came from a dhcp inform/discover/request packet, it doesn't do me any good anymore, so it was removed, along with some other fingerprints I got from files around the same time that did not have everything I needed!
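The point about message types, as an added example that is not Satori's or NetworkMiner's code: a passive matcher that keys each fingerprint on the DHCP message type (option 53) together with the option 55 parameter request list, so an option list seen in a discover is never confused with the same list seen in an inform. The fingerprint rows and the packet builder are constructed for illustration and are not real dhcp.xml entries.

```python
# Added example, not Satori's or NetworkMiner's code: passive DHCP fingerprinting
# keyed on DHCP message type (option 53) together with the parameter request
# list (option 55), so the same option list seen in a discover and in an inform
# is kept apart, which is the point the post makes about the dropped fingerprints.
DHCP_MAGIC = b"\x63\x82\x53\x63"                     # RFC 2132 magic cookie
MSG_TYPES = {1: "discover", 2: "offer", 3: "request", 5: "ack", 7: "release", 8: "inform"}

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from a DHCP payload (BOOTP header + options)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                               # END option
            break
        if code == 0:                                 # PAD option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:                      # option claims more bytes than present
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

# Constructed fingerprint table, not real dhcp.xml entries: a key is the message
# type plus the exact option 55 list, so one OS may legitimately have several rows.
FINGERPRINTS = {
    ("discover", (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252)): "Example OS A (constructed)",
    ("inform", (1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43, 252)): "Example OS A (constructed)",
    ("request", (1, 28, 2, 3, 15, 6, 12)): "Example OS B (constructed)",
}

def fingerprint(payload: bytes) -> str:
    """Identify the sender from message type and option 55; 'unknown' when no row matches."""
    opts = parse_dhcp_options(payload)
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "unknown")
    prl = tuple(opts.get(55, b""))
    return FINGERPRINTS.get((mtype, prl), "unknown (%s, %d requested params)" % (mtype, len(prl)))

def build_dhcp(msg_type: int, prl: bytes) -> bytes:
    """Construct a minimal test payload: BOOTREQUEST header, magic cookie, options 53 and 55, END."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232      # op=1, htype=1 (Ethernet), hlen=6, hops=0
    return header + DHCP_MAGIC + bytes([53, 1, msg_type, 55, len(prl)]) + prl + b"\xff"
```

A real table would also carry the vendor class (option 60) and the source file each row came from; the matcher above only shows why the message type has to be part of the key.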

Always looking for new fingerprints. And on that note, I setup an account dhcpfingerprints [AT] gmail.com specifically for fingerprints, originally for dhcp ones (since that is how most people keep finding out about Satori), but will probably use it for all fingerprints.

Saturday, November 15, 2008

Twitter

Well, finally decided to set up a twitter account. Long story short, someone got a hold of me mentioning my DHCP paper; he was one of the original authors from KU on it and mentioned my paper was mentioned by yet someone else on twitter. Decided it was time to check it out.

My site probably will never see postings, but who knows. I'm basically just using it to follow some other sites, which I could probably do via other means, but....

Saturday, November 8, 2008

Active AP 802.11 Fingerprinting

Toorcon recently seems to have had a presentation on Fingerprinting APs to see if they are ones you should trust. (Click on the Title to see it)

Some interesting tests by tweaking flags sent and doing clock skew tests. Looks like it may have also been presented at Blackhat and ShmooCon also this year.

The presentation material for Toorcon seems to be a little longer than the ShmooCon one, though ShmooCon's seems to have a few different slides in it. Didn't go looking for it at Blackhat.

Makes me think I should work on getting Satori to be able to use my AirPCap adapter and start working at breaking down those 802.11 packets!

Advanced application level OS fingerprinting

A short (36 pages or so) powerpoint type paper on Application Level Fingerprinting.

I found it interesting how, depending on the OS the application was running on, it would act differently depending on what was sent at it. After doing some of this for going on 10 years, I'm surprised to find that I'm surprised by it, but I was.

Anyway, seems like a nice writeup on a new way of thinking/testing a few things. If I was still big into Active Fingerprinting I may have had to try to expand on this, but for now, I have enough projects.

Check it out. And if you don't like PDFs, check out the original post at SecurityFocus and grab one of the other formats. Otherwise click on the Title up top and you should hit the PDF version of it.

Sunday, November 2, 2008

Future papers & projects

After looking at what I had out there from my 2005 paper I realized there are a lot of things I've added to Satori that I really don't have documented well on how I did it. Since Satori and my papers are my way of giving back to the community, I'm going to try to go back and document each of the protocols I parse and use in Satori and do a quick whitepaper on each. Nothing like the DHCP one, since that was written specifically for Blackhat 2007, but enough to help others who are trying to duplicate what I've done.

Also, I've been thinking about writing my own DHCP client for Windows. It goes along with the idea irongeek worked on about changing your TCP stack. I have the initial plan in my head, but have not started coding it. Not sure it will ever come to completion, but it will be fun to create a DHCP program to do DHCP Request, Inform, Discover, etc. packets while looking like it is a Linux 2.2 box, or a Windows 95 box, etc. It will give me a chance to test some of the questions I had while writing the DHCP paper originally, to see how well some DHCP servers adhere to things.

First things first though, 2 new certs to work on, hopefully coding or writing of the whitepapers will start by Dec 1, but who knows. Still need to get back to some Satori work one of these days!

Wikipedia post

Ok, not sure who originally updated the OS Fingerprinting post on wikipedia and added Satori, but it wasn't me. Glad to see NetworkMiner and Satori were added!

Since it was already there, I fleshed out the Passive Fingerprinting stuff a bit more, putting links to my 2 papers, on OS fingerprinting in general and on DHCP fingerprinting. I know, shameless, but figured if that stuff was going to be mentioned it might as well have some decent reference material!

Wikipedia post can be seen at:
http://en.wikipedia.org/wiki/OS_fingerprinting

Thursday, October 16, 2008

Network Miner

One program that is currently using parts of Satori is NetworkMiner, which is actually where most of the other news about Satori has been coming out from lately.

NetworkMiner uses the dhcp fingerprinting DB in the currently released version at:
http://sourceforge.net/projects/networkminer/

I believe the next version that is released should also have the tcp fingerprinting piece from Satori based on emails with the author in the past.

Some good articles on NetworkMiner and what all it can do can be found here:
http://holisticinfosec.org/toolsmith/docs/august2008.pdf
http://www.net-security.org/dl/insecure/INSECURE-Mag-18.pdf

The 2nd one you'll need to jump to page 18.

NetworkMiner is a very nice program to pull information off the network and rebuild the files that are being downloaded: Driftnet for Windows along with a lot of other nice features. Its OS identification is not nearly as polished as Satori's, in my opinion at least, but that is not what it is geared towards.

Check it out.

Satori in the news "out there"

The following sites/blogs have information on OS identification that mention Satori:
One of the first references to it that I recall was by Thierry Zoller in a post on full disclosure, then later on his blog.

http://snoopsec.blogspot.com/2008/10/obfuscating-your-os-tcp-stack-or-way-to.html

http://www.binrev.com/forums/index.php?showtopic=39194&st=0&gopid=319785&#entry319785
http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools
http://hackaday.com/2008/10/04/avoiding-os-fingerprinting-in-windows/

The hackaday post came out on Oct 4, 2008; the hits to my website jumped from roughly 100 hits a month to about 350 in the 4-5 day period after that post came out!