Friday, October 30, 2009

Yokoso!

The first I saw of this was in a Twitter post from someone I follow. It is a SourceForge project.

The SourceForge page describes it like this:
Yokoso is a project geared toward fingerprinting infrastructure. Yokoso will determine what web interfaces are available on a specific network.

But based on the net-security article it is a bit more than that. It first tries to exploit your browser, then goes through and finds out which sites you may have admin rights on, and then does some type of fingerprinting.

I'm going to try to find some time in the next week or two to test this out; if/when I do I'll post back my results. It looks promising, but anything that does browser exploits makes me nervous.

Thursday, October 29, 2009

DHCP Fingerprint Manager updated

A new release of DHCP Fingerprint Manager (1.00.01) came out earlier today. In earlier versions you had to export the data out of Wireshark in a text format, which it would then read in and DHCP fingerprint. In the latest release it reads .pcap files directly.

I've mentioned some of the features of this program before that I'd love to steal and add into Satori, but I'll probably never get around to it. I love the statistics feature once a parse is done! It also gives you the ability to update the fingerprint data and then reparse the pcap file, so you get the new fingerprint for a device if it happens to have changed.

Check it out and give him some feedback on the product when you get a chance.

Update (note from the author):
Note that open/save handles user data in XML format. It contains end-systems and fingerprints (the content of both tabs).
The import function allows you to get end-systems from a DHCP trace (*.txt, *.pcap or *.cap) and to get fingerprints.
Note that fingerprints are "imported" by default when creating a new data file.

Here is a quick link to the program.
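
Since the post talks about DHCP fingerprinting a capture and re-fingerprinting it after the fingerprint data is updated, here is a small added example of what that step looks like; it is my own illustration, not DHCP Fingerprint Manager's or Satori's code. It assumes the caller has already pulled the UDP payload of a DHCP message out of the pcap, and the fingerprint table and the sample DHCPDISCOVER are constructed for the example.

```python
import struct

# Constructed fingerprint table keyed by the option-55 Parameter Request List;
# the labels are illustrative, not taken from any real fingerprint database.
FINGERPRINTS = {
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": "sample Windows-style client",
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "sample dhclient-style client",
}

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def parse_dhcp_options(msg: bytes) -> dict:
    """Parse the option block that follows the 236-byte BOOTP header and the
    4-byte magic cookie. Returns {option_code: raw_value_bytes}."""
    if len(msg) < 240 or msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    opts, i = {}, 240
    while i < len(msg):
        code = msg[i]
        if code == 255:              # End option terminates the list
            break
        if code == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(msg):
            raise ValueError("truncated option header")
        length = msg[i + 1]
        value = msg[i + 2:i + 2 + length]
        if len(value) != length:     # option claims more bytes than are present
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(msg: bytes, table: dict = FINGERPRINTS) -> str:
    """Look the client's option-55 list up in `table`; passing an updated
    table re-fingerprints the same capture after the database has changed."""
    prl = parse_dhcp_options(msg).get(55)
    if prl is None:
        return "unknown (no option 55)"
    key = ",".join(str(b) for b in prl)
    return table.get(key, f"unknown ({key})")


def build_sample_discover(prl: bytes) -> bytes:
    """Constructed DHCPDISCOVER used as offline test input (not a real capture)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)
    header += b"\x00" * (236 - len(header))   # addresses, sname, file all zero
    opts = bytes([53, 1, 1]) + bytes([55, len(prl)]) + prl + b"\xff"
    return header + MAGIC_COOKIE + opts
```

A real tool would also match on option 60 (vendor class) and the option ordering, which is where most of the accuracy comes from.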

Saturday, October 24, 2009

Network Forensics Challenge #2

They are at it again: we barely got the answers for #1 and #2 was put up a few weeks ago. I originally did it within ~30 minutes using the web, Wireshark and a few other local programs on my machine. But I wanted to stand a chance of actually winning this time, so instead of just sending them the answers I started writing a few .exe programs to parse the data out. I had them done and then decided I had better do something I was willing to share the source code for, so I wrote a Perl script.

Perl is not something I ever work in; I have only used it a few times before, so it was a bit painful to do, especially coming from a Pascal background and not a C one! If statements, eq vs. = and other little gotchas killed me today, but after about 4 hours or so I came up with a 258-line .pl file that parses it out nicely. There is a lot more I could add to it, but since I'm by no means a Perl programmer and my hands are cramping up typing this as it is, it was time for a break and time to call good enough good enough!

I'll release the script after the deadline if I'm not picked as a finalist and it isn't added to their site.

This was another fun project to work on, and it forced me to dig into a programming language I should have learned long ago but never did. It is always good to expand your knowledge some.

Wednesday, October 14, 2009

Small Linux Devices

Just a follow-up on the wall-wart type Linux devices: something new came out.

If you thought the last one was small, then check this out. There are advantages to the wall-wart design (USB to add wireless or a second NIC, etc.), but if you are just looking at size this thing is great. Not sure if it is PoE or how they power it; I didn't look into the details.

Wednesday, October 7, 2009

SANS Reading Room

Not sure how new the article is, given that all the referenced material is from 2002 or before, but here it is. It is about using Telnet negotiation data to passively fingerprint a system.

Since telnet isn't used much anymore it may be a little dated now, but it popped up in my Google Alerts, so I figured I'd at least put it here so I can find it more easily in the future if need be.

While looking around the SANS Reading Room I also came across this article, which also appears to be dated but is still somewhat useful. It is about using passive fingerprinting to audit for and discover network vulnerabilities.