Friday, December 7, 2012

ICMP OS Fingerprinting

Interesting, this was in draft form, not sure how long it has been here, nor where I was going, but here it is as I left it.....

Quite honestly I thought ICMP based OS Fingerprinting was dead and had been for years now that almost all OS's default to running a firewall! I was quite surprised to see that NetScanTools Pro has an option in it to still do this.

Happened to pick up an article from Laura Chappell, which had a link to this quicktime audio:

I really hate installing software that installs half a dozen other pieces of software (such as C++ Redistributable, I mean I understand why, but it just drives me nuts, I miss all inclusive programs)

Stuff in the Q...

These come into my google alerts some times, but I don't always get around to them very timely.

1.  This one was from back in Oct.  Memory-Only Operating System Fingerprinting in the Cloud

Has some interesting pieces of info in it.  On my list to get back to and actually read all the way through instead of just skimming it.

Abstract for those interested:
Precise fingerprinting of an operating system (OS) is critical to
many security and virtual machine (VM) management applications
in the cloud, such as VM introspection, penetration testing, guest
OS administration (e.g., kernel update), kernel dump analysis, and
memory forensics. The existing OS fingerprinting techniques primarily
inspect network packets or CPU states, and they all fall short
in precision and usability. As the physical memory of a VM is
always present in all these applications, in this paper, we present
OS-SOMMELIER, a memory-only approach for precise and efficient
cloud guest OS fingerprinting. Given a physical memory dump
of a guest OS, the key idea of OS-SOMMELIER is to compute the
kernel code hash for the precise fingerprinting. To achieve this
goal, we face two major challenges: (1) how to differentiate the
main kernel code from the rest of code and data in the physical
memory, and (2) how to normalize the kernel code to deal with
practical issues such as address space layout randomization. We
have designed and implemented a prototype system to address these
challenges. Our experimental results with over 45 OS kernels, including
Linux, Windows, FreeBSD, OpenBSD and NetBSD, show
that our OS-SOMMELIER can precisely fingerprint all the tested
OSes without any false positives

2.  I've been sitting on since back in September, though it may have been out much longer than that.  That was when the google alert showed up.

YAF does DHCP fingerprinting.  It appears tojust use the fingerprints from packetefence based on the writing, but it is nice to see another program out there taking up dhcp fingerprinting.

By looking at the order of the DHCP options in the DHCP requests from the Operating System's DHCP client, it may be possible to identify the client's OS version. The yaf DHCP fingerprinting plugin does exactly that. For flows that yaf has labeled as DHCP, yaf will look at the DHCP options if available in the payload captured for that flow. yaf specifically looks at Option 55. Option 55 requests a list of parameters. The order in which they are requested can usually identify the OS of the requesting IP address.

Sunday, November 25, 2012

SinFP and Syn/Ack fingerprinting

With SinFP3 v1.2 they claim to do one packet OS fingerprinting

"The latest version of SinFP3 (v1.20) introduces two new cool features: the ability to perform a SYN scan and doing OS fingerprinting at the same time. The idea is to use SYN|ACK answers to the SYN scanning process to acurately identify the remote operating system nature. The second new feature is a server mode allowing third-party applications to access the SinFP3 fingerprinting engine. We also created a new output plugin to display results in a simpler manner than in previous versions of SinFP3."

 It is cool that since they are already scanning the systems and looking for open ports they've added the ability to use the Syn/Ack response and passively fingerprint the return data.  p0f had a syn/ack feature and I added it to Satori back in the day, but I know p0fv2 didn't have a very big syn/ack DB and I honestly don't know how big Satori's is as I have it all rolled into the tcp.xml file. 

I need to look at their fingerprint file and see if it is something I can incorporate into Satori.  If it appears feasible to convert what I get back into the same format, i'll have to follow up with the authors and see about adding it in.  That just means finding time to play with SinFP now!  Not sure when that will happen, but added to the list.

Friday, October 5, 2012

Network Forensics - How to get better at

Ok, I like to toy in the network forensics world, but it is hard to get any better at it when I have so little time to dedicate to it on top of everything else going on with life and work!

Lets digress a bit, I like to play a game on facebook, almost 2 years sunk into it when I have spare time, called Battle Pirates.  In trying to track down an issue way back when the game started I realized that it sent some info in the clear about what was going on.  JSON files would provide you with whose ship was going across the map, where it was going on how strong the fleet was.  They might have a simple ship as the lead ship, making it look weak, but seeing it was a lvl 40 fleet you knew it was a farce.  I also realized I could see bases under their fog of war.  At the initial time the only way to find someone was to scout, remove the fog of war and find their base, but by scanning around the map, even with the FOW there I could still see underneath it because the data was on the wire to read if you knew how.

Eventually they lifted the whole idea of the fog of war and I stopped paying much attention what I could pull until I got bored with the game and was about to quit.  I noticed that I could actually tell, based on the JSON files exactly what was on a fleet when it was launched.  Once it was on the water all I could do was get updates on where it was going, etc, but if I was "watching" when it was launched, I could get exactly what was on it.  Only problem was it was in code looking something like this:
...[["create","oid",999999,"level",7,"on","Some User","type",3,"minidata",{"hullid":30},"x",999999900,"y",58500,"fleetid",3]],"updated_at":"99999999.837","transitionid":"99999999","data":{"fleet":{"mpm":0,"ships":[{"weapons":[104,112],"hullID":30,"tacticalModules":[],"armors":[303,303],"actives":{"flt":3,"fltp":1,"hp":192,"bid":99999,"f":1,"rank":5,"id":14},"specials":[550]},{"weapons":[121,104],"hullID":30,"tacticalModules":[],"armors":[310,310],"actives":{"flt":3,"fltp":4,"hp":172,"bid":99999,"f":0,"rank":3,"id":15},"spels":[550]},{"weapons":[104,121],"hullID":30,"tacticalModules":[],"armors":[302,302],"actives":{"flt":3,"fltp":2,"hp":132,"bid":99999,"f":0,"rank":5,"id":13},"specials":[550]},{"weapons":[182,182],"hullID":45,"tacticalModules":[],"armors":[312],"actives":{"flt":3,"fltp":3,"hp":362,"bid":99999,"f":0,"rank":0,"id":27},"specials":[530]},{"weapons":[182,182],"hullID":45,"tacticalModules":[],"armors":[320],"actives":{"flt":3,"fltp":5,"hp":225,"bid":99999,"f":0,"rank":0,"id":28},"specials":[500]}],"fspd":55,"adstats":[],"fnum":1,"mcap":28613,"fid":3}}

It provided me with where it was launched from, the rank and HP on the ship, the armor, any specials, and any tact modules along with the type of ship.

Only problem was looking through what I could find to translate those numbers to actual useful info.

I never did find it in the swf file, but didn't look too hard there, instead, little by little I launched my fleets, compared what I had on them to what it reported and built out a list.

I rarely use the program except to try to spot new ships being launched that I may not have, or to identify new weapons, armor, etc and then ask the people if they are ones I know.

My latest trick was to notice that at the end of the battle you can see what was on the fleet you just battled.  With that in mind and the tweaks they made today to BP, I decided to list out what was on the new fleets.  This is subject to change, as just before this writing, most Drac fleets disappeared off the map as I believe Kixeye may be revamping them due to outcry from those that don't like today's changes, but I digress.  Here are the ones I've checked so far (had to do this manually via a packet capture and my list of numbers as it wasn't programmed into my program to disect this):

1 - LightCruiser (HP:980)
2 - LightCruiser (HP:980)
3 - Battleship (HP:3188)
4 - Battlecruiser (HP:1478)
5 - LightCruiser (HP:642)

1 - LightCruiser (HP:980)
2 - Battlecruiser (HP:1732)
3 - Dreadnought (HP:8749)
4 - Battlecruiser (HP:1732)
5 - LightCruiser (HP:642)

1 - Battlecruiser (HP:2546)
2 - Battlecruiser (HP:2586)
3 - Battleship (HP: 5220)
4 - Battleship (HP:4515)
5 - Battleship (HP:4874)

(1) - Battleship (hp:6378)
(2) - Battleship (hp:6258)
(3) - Battleship (hp:6578)
(4) - Battleship (hp:6258)
(5) - Battleship (hp:6258)

One thing I've noticed of late is the armor on the drac fleets is different than what we as players have access to.  Also all the drac hull's, while named the same, are different ID's so they may have different specs than the ones players have.  The weapons and specials, for the most part though all seem to be the same as what we have access to except for some of the weapons and tacticals that were in the last 2 raids. 

Ok, so what does all this have to do with Network Forensics?  Only that you have to get comfortable with looking at tons of packet captures and be willing to go back over them afterwards, because you never know what you may have missed in the past!  The fact that I could see launched fleets and killed fleets was there from my packet captures a year ago, but up until recently I hadn't see it because I was filtering it down to what I thought I wanted to see and missing what I really wanted in the process!

Monday, July 23, 2012

Revenge of the PDU

Your next PDU? Taking the wall wart to the next level. I've been thrilled to see the little wall wart devices for the past 2 years or so and been saying how much fun they'd be in a Pen Test. While this one isn't one you'd want to abandon, due to the cost, it is the ultimate in stealth!

Nothing like having a PDU with a built in computer that phones home!

So many ideas, so little free time....

Thursday, July 12, 2012

DHCP dll for Satori updated

Quick note, updated the dhcp dll Satori uses.  I'm getting ~10 times faster processing for DHCP fingerprints now!

Run the updater.exe and look for the latest!

Wednesday, July 4, 2012

Satori 0.7.4 released

Short Info:
- Had a request from Randy to add a "not" feature to the filter. Added that and fixed the fact that it only filtered existing packets, not new packets. Thanks for the suggestion! Usage is: ![var] or just [var], sorry no ability to use && or || type logic.
- Also fixed a bug he noticed in the MAC Vendor not showing up in cases where it did know it.
- Last but not least packaged Satori with InstallForge (

Long Winded Info:
For those that don't want to do a full blown install, nice thing is InstallForge, while making it an .exe it is actually a .zip, so it can be extracted with any zip program. You'll end up with an extra dir, but works sweet even when using unzip.

I had a request to add the ability to do a NOT in the filter. Initially it was simple, the problem came with trying to get it to do more than just what was currently on the screen, ie all those new packets coming in at the same time. While the first piece of code was about 5 mins of trial and error and some logic issues, the piece to get it to update new packets was 3-4 of pain and suffering on my part. Nothing like have 7 year old code that you barely ever look at anymore and try to figure out everything that is actually happening there!

The same person pointed out a few other issues, one of which was that Satori sometimes shows the Vendor of a MAC, other times doesn't, with no rhythm or reason he could see. Initially neither could I, until I remembered that the DNS dll will put an IP down and if you end up going there later it will add the MAC. Problem was I wasn't doing a lookup then, just an update. Simple code change later and I think it is now fixed. Thankfully that was a 10 min fix!

And the last thing he noted was that the date/time stamp of files on my web server were sometimes older than local ones from an install. This has to do with doing the install via a simple zip file and when you extract it it takes "today's" date/time instead of the file depending on the zip program and its settings. It also has to do with the way I pull time locally vs remotely and GMT, so sometimes files are off by a day. While I didn't fix this entirely, I've wanted a decent and free installer program for a long time and I found InstallForge. Works nicely for what I need and I recommend checking them out and donating to them if you find it useful!

One cool feature of InstallForge is it is really a .zip file underneath, so for those of you that don't want to install Satori, you can still just right click on the .exe and tell 7zip, or whatever your zip program of choice is to unextract it and you should be good to go!

Monday, June 11, 2012

Adventures in new machines

Ok, switching to a new machine and moving all your tools to it always sucks, but really, I mean really, it shouldn't be this hard! I've been working on getting Delphi installed on my machine for the past 4+ hours so that I could start working on Satori again (yes it is written in Delphi, I still hate C and C++ though one of these days I swear I'll learn it). Ok, I'm running an ANCIENT version of Delphi, Delphi 6, but I refuse to pay $900 to get the latest version and since I didn't upgrade over the years I can't get by on the cheaper upgrade price of $500, or whatever it was. The saga starts, install Delphi 6. Program from 2001 or so, 1 CD install flies. Launch it, Windows 7 whines, Delphi 7 isn't supported.... Huh, this is Delphi 6, click past the stupid error and it works fine. It didn't like the debugger I don't think, but oh well, it installed. Oh new machine, Borland only lets you install 3 times or so before they make you email in on a rebuild to bump your license count. On a plus side, they got back in me in under 30 mins having bumped my license limit (thanks Bryce, very impressed). Ok, go to open Satori, missing VirtualStringTree, try to install that, missing XP Theme Manager, install that. Missing this component, then this, then that. Damn I'd forgotten how many little components I'd added to Satori over the years (time to write it command line only already, more on that shortly). While I was at it, oh lets go ahead and get the latest version of XYZ, hey why doesn't this work anymore, oh yeah, I'd added my own little code into their file for the convience factor since it needed extended. ARRGGGHHHH.... 4 hours later Satori opens and compiles again! YEAH! Satori cmd line - ok, I made a linux version 3 or so years ago, cmd line only, thinking of expanding that and doing a windows/linux version that is cmd line only. Been doing a ton of Snort stuff lately and the way Snort/Barnyard2/BASE all work together makes me think I should look at doing that again. Get Satori to just write to file as fast as it can, maybe doing the fingerprinting lookup, maybe leaving that to a 2ndary piece of software that would also dump it into a DB. Then get a pretty front end to read it near real time out of the DB. All a pipe dream now, no free time to do any of this, but it is on my mind to do one of these days. If I do do that, I'll be switching it all over to Free Pascal and Lazarus most likely or maybe I'll get real bold and convert the whole thing to C++, wouldn't that be a kick (why do I hate C/C++ so much.....). Anyway, long story short, Satori can be compiled on my machine again and maybe I'll do some updates. Oh and satori is getting used a bit more, more on that in another post down the road.

Saturday, June 9, 2012

Forensics Contest #10

Well it has been awhile since they released one to the public, but the Lake Missoula Group has released a new puzzle. Besides just network this time it appears to have some HD forensics required! If time permits I hope to get to this in the near future. You have until 7/23/12 to submit your answers. Contest #10 can be found here.

Tuesday, April 3, 2012

CapLoader 1.0

I've been playing with a beta of this product for the past month or so.

Straight from Erik's writeup:
Here are the main features of CapLoader:
• Fast loading of multi-gigabyte PCAP files (1 GB loads in less than 2 minutes on a standard PC and even faster on multi-core machines).
• GUI presentation of all TCP and UDP flows in the loaded PCAP files.
• Automatic identification of application layer protocols without relying on port numbers.
• Extremely fast drill-down functionality to open packets from one or multiple selected flows.
• Possibility to export packets from selected flows to a new PCAP file or directly open them in external tools like Wireshark and NetworkMiner.


These were observations in the beta versions, they may have been fixed since then:

I found 2 minor glitches when testing the beta and have reported them to Erik. One he found was due to out of wack timestamps in a random pcap I'd found on the internet and the other had to do with the Empty Flows on a 750 MB file that was mostly Empty Flows. For me the Empty Flow option was just something I tested, not something I'd use in what I do on a regular basis.

Overall a very sweet and fast product. I dumped a lot of 750 MB files into it and played around with it over the course of many days in a month. I wish I could get Satori to process files this quick!

Anyway, after processing the file(s), I clicked on the flow I wanted, drag and dropped it into wireshark and got what I was after. So much easier than loading a 750 MB file into wireshark (if it would ever load in the first place and not just die) and then write filter after filter and watch it process the whole file repeatedly. Instead pick the next flow I was after and drag it into wireshark!

The protocol fingerprinting database got a large overhaul between the 2 beta's I tested. I can't say how accurate the determination is as I have not had a chance to sit down and look deeply into it, but I know it is something I want to look at closer in the future.

Microsoft Tokens, Hashes and lots more

Ok, so nothing to do with fingerprinting, but it has been very interesting reading through this series:

#1 - Protecting Privileged Domain Accounts: Safeguarding Password Hashes

#2 - Protecting Privilged Domain Accounts: LM Hashes -- The Good, the Bad, and the Ugly

#3 - Protecting Privileged Domain Accounts: Disabling Encrypted Passwords

#4 - Protecting Priviledge Domain Accounts: Safeguarding Access Tokens

Monday, March 26, 2012

Fingerprint Editor updated to 1.00.09

Jeff updated the fingerprint editor he wrote that I utilize for .xml editing of the files Satori uses. We got the Terms of Service inputted into all of the .xml files now and the UTF-8 encoding fixed with saving of the file when the TOS is there. Some other minor fixes/updates as I believe.

Thanks for the changes!

Wednesday, March 7, 2012

Satori - update 0.7.3 and most dll's recompiled

I'm busy taking the SANS 503 IDS course, one of the things we do in that course is look at BPF style filters. Low and behold, I use these in Satori to do some prefiltering of packets before Satori hashes through them. While I have complete confidence in my coding skills (brief pause as I control the hysterical laughing fit I've found myself in), it never hurts to preprocess the packets before I get them.

History on the filters, we'll look at the TCP fingerprinting one:

Noticed vlan tagged traffic wasn't being picked up so, up until yesterday:
'tcp or vlan'

Yesterday first change:
'tcp or (vlan and tcp)' - decent update, meant only vlan traffic that was also tcp got sent to me, but wait, we only want TCP traffic with options, so...

'tcp[12] > 50 or (vlan and tcp[12] > 50)'

So now, instead of having to process all tcp traffic with Satori, winpcap only sends this dll tcp traffic that has tcp options!

Other protocols still read the whole tcp packet, or the whole packet for that matter, but now tcp processing should be a little quicker as I don't have to dig through the packet to see if it is tcp with options, I let winpcap do it. I still check to see if there are options on it and don't assume all is good, but I limit the initial packets that I have to process!

Ok, other updates besides BPF stuff....

Satori 0.7.3 released. Wanted a new .zip file as the last one was 0.7.1 and that was from quite awhile ago. 0.7.2 .exe was released 1.5 years ago! One thing I recently noticed with the update of the oui.txt file is that Satori reads it, but doesn't pick up any new changes in it unless I recompile the .exe. No idea why, on my list to fix some day.

Also released the SIP dll and profile. I wrote these back in 2010 and evidently never released them to the public. Which reminds me, I should probably upload the .xml file that goes with that also which means updating the .zip file that will be missing it also. Oh well, 5 more mins of my life.

Enjoy the updates, let me know if I broke anything as I haven't had a ton of testing time with the new changes as I'm supposed to be studying for SANS 503 stuff right now!

Oh last note, figured out some interesting "glitches" with the vlan tag and BPF, will try to do a different post once I verify it all and get some feed back.

Monday, February 13, 2012

p0fv3 - update

Well sat down and finally played with p0fv3...

DAMN that is fast! Reminds me how pathetically slow Satori is since I wander the .xml file EVERY packet that goes through instead of reading it in once, hashing it and doing a look up on that hash. Not sure how easy it will be, but after seeing how fast p0fv3 is (and prads in the past) just reminds me how much time I'm killing do to how I do lookups!

Anyway, back to p0fv3. Ran a 7 year old pcap file through it, there were about 7-10 devices that it didn't know. Mostly Netware 5 and 6 boxes, a few others that I don't know and would like to, and then a few XP ones that may have been because of the SP they were at or other services. Anyway, sent them on.

Very nice nice program as always mz!

Monday, February 6, 2012

Passive Aggressive Pwnage

15 min fire talk at Schmoocon 2012, mentions Satori in DHCP fingerprinting, which I was happy to see, missed the greater use of it, but at least it was mentioned!

Audio on this sucks, but was worth my 15 mins to listen to and get a few new ideas.

Thanks for the mention of Satori John!

Friday, January 27, 2012


It was posted to the fingerbank discussion list in the past week on the Alpha version of NetSlueth. I'd tagged it to go back and look at, and unlike most of the time I tag things for follow up I did it in less than 6 months!

I guess it was just 2 days ago, wow, not sure I've ever gotten back that quick.

Anyway, partial info from the list:
"I basically used tshark for low level processing, allowing me to focus on the logic of the analysis. It needs ALOT more work, including improving my sloppy coding skills. It requires a full installation of Wireshark and .Net Framework or later on the machine. I'm going to make it fully mono compatible shortly."

By using tshark he took a lot of the headache out of coding underlying pieces that I've dealt with in Satori. Anyway, I ran some initial pcap files I had around through it and it seemed to do quite nicely on identifying the OS running on them. I didn't have any luck with a live capture, but I didn't dig around very long on trying to figure out why either!

I need to dig into it more and see what all protocols they are utilizing, but if you need another little tool, this one may be worth looking at!

Thursday, January 12, 2012

Fingerprint Editor 1.00.08

Jeff recompiled his fingerprint editor for us with the latest .xml files from my fingerprint database!

Tuesday, January 10, 2012

p0f v3

And I though MZ gave up on p0f after no updates to v2 in years. I guess I'm proven wrong....

== What's new ==

Version 3 is a complete rewrite, bringing you much improved SYN and SYN+ACK fingerprinting capabilities, auto-calibrated uptime measurements, completely redone databases and signatures, new API design, IPv6 support (who knows, maybe it even works?), stateful traffic inspection with thorough cross-correlation of collected data, application-level fingerprinting modules (for HTTP now, more to come),
and a lot more.


On my list to test in the near future and provide some new fingerprints. Assuming time permits and how well it works (I have no doubts well, but...), I will look at what it is doing and see if I can incorporate new stuff/ideas into a newer tcp plugin for Satori.