Saturday, June 29, 2013

More on Interesting Patents

Amazing what you find when you start searching even more.  I'm really surprised Google Alerts never picked some of these up before and alerted me on them!

Detecting Rogue Wireless Devices via DHCP Fingerprinting:
Microsoft - 2011

Appears to be a similar one, but not sure of differences right now.
Microsoft - 2007

System and Method for Resolving OS or Service Identity Conflicts (using SMB, DHCP, etc)
SourceFire - 2011

So it looks like a few other places have put some patents on DHCP fingerprinting in the past few years also.

Patents on OS Fingerprinting - DHCP specifically

I'll admit, I've never looked much into patents and how they work (what protection they give you, how much they are worth, etc), but I'm curious how one gets one for OS fingerprinting?  Specifically on a technology that many people were freely writing about prior to the patent being filed.

Infoblox was one of my last posts after they popped up on a Google Alert and a buddy just sent me a link to this:

http://www.freepatentsonline.com/8458308.html

On Aug 23, 2006 they filed this patent.  It took until Jun 4, 2013 for it to be approved if I read this correctly.

General history on DHCP fingerprinting from what I've found in my research on it over the years and my personal involvement in it:

Dave Hull and George F Willard III publish a paper on it from their research at KU.
Feb 2005 - http://kuscholarworks.ku.edu/dspace/bitstream/1808/584/1/NGDHCP.pdf

Many small spinoff programs start up based on the POC code and info.

March 2005 - I'm sitting in Iraq and find out about it myself for the first time looking through packets with no idea of the paper published the month before.  I was stoked when I first found out about using this technique and was a bit crushed when I found I wasn't the first to have found it.

I publish a general paper on OS fingerprinting and start discussing DHCP fingerprinting in more detail
August 2005 - http://chatteronthewire.org/download/OS%20Fingerprint.pdf

Sometime over the next two years I start working with David LaPorte from the PacketFence project to see if we can get something together to talk about DHCP fingerprinting at Blackhat.  We eventually get accepted to present it at BH Japan in 2007:
July 2007 - http://chatteronthewire.org/download/chatter-dhcp.pdf
October 2007 - http://chatteronthewire.org/download/bh-japan-laporte-kollmann-v8.ppt

During the last of my research I found indications that everyone listed so far was at least 2 years behind on this idea when we started talking about it in 2005 since there was a group out of Japan in Feb 2003 that published something on it!  Though I never found a translated copy on it at the time, you may be able to order a copy in Japanese here:
"New scheme for passive OS fingerprinting using DHCP message" - Joho Shori Gakkai Kenkyu Hokoku, Feb 2003!

Since 2007 many large companies have finally gotten onto the bandwagon of DHCP fingerprinting, which I'm glad to see.  It has taken 10 years since the first papers I'm aware of, and it is going on 6 years since the BH 2007 event, which seemed to generate a lot of interest.  I know this since I had calls and some emails from at least one very large company now doing it and many small companies over the years.

I'm hoping that this patent doesn't cause any issues in the world of using DHCP fingerprinting for OS identification, but only time will tell.

Wednesday, June 12, 2013

Infoblox, new player in the DHCP fingerprinting world

I got a new Google Alert yesterday on "DHCP Fingerprinting"; I hadn't had much traffic on it in quite a while now.

The notice I found was here.

I'll admit I know nothing about this company, though I did like their writeup on DHCP Fingerprinting.  It is only 2 pages long, so short and to the point, covering what most upper management needs.  From their writeup I assume they are only doing Option 55 fingerprinting.

With that said though I did find the original writeup a bit funny.

"With the new Infoblox DHCP Fingerprinting technology, network administrators can see device type information - such as iOS or Android devices, an Xbox, or a Linksys router -"

New?  Did they say new?  I presented on this in 2007 and a few people, myself included, were discussing it as early as 2005.  So while it may be new for them, this is by no means new technology!

Ok, all of that aside, it is cool to see another company using it.