Saturday, November 5, 2011

Using Machine Learnign Techniques for Advanced Passive Operating System Fingerprinting

Ok, guess I'm about a year out on this, but....

Anytime someone mentions your work in their master thesis, it is a nice thing to mention it and post a link!

His thesis can be found here.

He covers a lot of the same ground initially I did it my paper on OS Fingerprinting, but also covers a few tools and newer techniques that were not around back in 2005 or whenever it was that I wrote my paper on this subject. This is only in regards to the start of the paper, giving a quick overview of fingerprinting techniques and tools, he then dives deeply into other things that go well beyond what I've covered previously. I guess it is a master thesis,so it better!

He does bring up a good point/issue with passive fingerprinting and ipsec. Which since I'm working on a final project for school right now discussing network security and ipsec, it may be worth me looking into this a bit more!

DLink cloud managed solutions - offer dhcp fingerprinting in basic option

I don't have a lot of details here, I've been sitting on a lot of "Os fingerprinting" notices the past 6 months, been so busy with work and school I haven't posted much, but have some time to catch up this weekend.

Anyway, DLink has a cloud based solution that does DHCP OS Fingerprinting, more are more every day seem to finally be catching on on how to use this!

One of many articles can be found here.

OS fingerprinting with IPv6

I was sad to see they didn't go into DHCPv6 at all in this, but the author goes into IPv4 with IPv6 fingerprinting, some of what still works, some possible new stuff.

He did this for his GIAC Gold, maybe I should have used my DHCP presentation for Blackhat and got a Gold Cert on one of the many GIAC certs I hold. Oh well.

Check out the paper here.

ArubaOS adds DHCP fingerprinting

They are using their own DB, but now the ArubaOS supports doing DHCP fingerprinting of devices on the network. You can find the writeup here

It is good to see more products doing this!

My original introduction to them doing this was this blog post:

There haven't been a lot of things published on this, but it is something new they've added recently.

Fingerbank presentation at Defcon 19

Ok, I knew Oliver did a presentation fingerbank, but didn't realize it was recorded.

It can be found here.

I did find it interesting that he said he was introducing fingerbank when we did that back in 2007, but it did die off and they brought it back!

Anyway, check it out if you want.

Wednesday, August 24, 2011 is back

The people at packetfence have brought back. It has been awhile in the making, but they have 2 email lists setup now also to discuss unknown fingerprints and other topics on dhcp fingerprinting.

You can see their writeup here

Glad to see it back!

Tuesday, May 24, 2011

New tools to be aware of for pcap stuff

splitting and other parsing:
rawcapture (winpcap not required):

I'm sure there are a ton more buried in my email that I've missed recently, but these all looked promosing.

Directory Scanner

Not a tool I've played with, but on my list for one of these days if I ever have some time.

Supposedly can tell if it is AD, eDir, OpenLDAP, etc.

Thursday, May 5, 2011

Forensics Contest #8

Well after a VERY long break they've released the latest puzzle. This one has to do more with parsing and pulling info about wireless. While I probably have the skills to do it, I'm not sure I'll participate in this one. School is finishing up and my free time is very short in this next month.

If nothing else I may just figure out the answers without writing any specific program to be released for it.

It has been out a good week so far and I have yet to grab the pcap file and look it over. Satori will probably spit out an error as I have it set to reject wireless packets as I haven't wanted to parse out the extra header info in the past.

May run into through a converter so Satori can at least read it in, though I'll lose most of what they want you to find with SSID stuff and beacon packets.

Saturday, January 1, 2011


After a break from programming for awhile I think I'll take a look at some C programming again. I'm not sure how much time I'll be able to put into it with work/school/life, but I'd like to take a look at C again if I can come up with an IDE I like to program in. I really dislike most of the ones I've come across in the recent past.

Anyway, the prads project seems a good place to get involved if I can dedicate some time.

The main link for them are here:

The C stuff they've done so far covers most of what they had in the perl version before. As my favorite stuff is DHCP I'm going to see if I can write a new module to dump in there. If things work out I'll give them the code, if not it will just be me getting my feet wet in C again.

If nothing else maybe we can get some of the Satori fingerprints moved into their project. If they eventually get everything done they want to they'll be doing a lot of what I originally planned on doing with Satori!