Neighbor Cache Fingerprinter (NCF) is a tool that fingerprints operating systems through analysis of how targets respond to unusual Address Resolution Protocol (ARP) packets and behavior. NCF sends various crafted ARP packets and probes targets, observing factors like the number of ARP requests before timeout, response to gratuitous ARP packets, and cache entry timeout periods. NCF then compares these characteristics to a relatively small database of fingerprints to determine the likely operating system and version of the target.
2. What is OS fingerprinting?
Inferring a remote machine's operating system type and version (Windows XP, Linux 2.4, ...) from the unique characteristics of its packets and network behavior.
Useful for:
• Network reconnaissance for pentests
• Network monitoring for administration
• Internal security audits
4. Existing tools
• Nmap
  o Active probing of TCP, UDP, and ICMP
  o Contains over 4,000 user-submitted OS fingerprints
• xprobe2
  o Many probes for TCP and ICMP
  o Smaller database than Nmap
• p0f
  o Passive OS fingerprinter
  o Complete rewrite to version 3 in 2012
5. Problem with nmap
Nmap requires the following to do an accurate OS scan:
• 1 open TCP port
• 1 closed TCP port
• 1 closed UDP port
• Response to ICMP queries
Against a host where every port is closed, the TCP/UDP probes have nothing to work with and the scan cannot narrow the match:
Nmap scan report for 192.168.0.3
All 1000 scanned ports on 192.168.0.3 are closed
MAC Address: B8:C6:xx:xx:xx:xx (Unknown)
Too many fingerprints match this host to give specific OS details
6. What about ARP?
• Address Resolution Protocol
• Primarily used to translate IP addresses into MAC addresses on link-local networks
8. Neighbor Cache
• Sending an ARP request for every packet would be a waste of network resources. Once an IP address is resolved into a MAC address, it is cached (the Linux kernel calls this the "neighbor cache").
• Cache entries time out, but often with complicated timeout policies
• Valid ARP packets will update the cache, but invalid ARP packets should be ignored
9. ARP Fingerprinting?
• The only tool that used ARP for any sort of fingerprinting was a very minimal implementation (arp-scan) that just sent a few malformed ARP requests and looked for replies
• Finding no existing tools, I wrote my own prototype fingerprinting tool for ARP:
  o Neighbor Cache Fingerprinter (NCF)
10. Fingerprinting
NCF Response Elicitation
• NCF works in any of the following conditions:
  o If the target responds to ICMP echo packets
    NCF sends an ICMP echo to the target as the probe packet
    Target will send back an ICMP echo reply
  o If the target has a single closed TCP port
    NCF sends a SYN as the probe packet
    Target will send back a RST packet
  o If the target has an open TCP port
    NCF sends a SYN as the probe packet
    Target sends back a SYN/ACK
  o If the target has a closed UDP port
    NCF sends a UDP packet to the closed port as the probe packet
    Target will send back an ICMP port unreachable packet
• Whatever the reply is, the target has to deliver it to the probe's source IP, so it must resolve that address with ARP first; that resolution is what NCF observes
11. Fingerprinting
Number of ARP Requests
NCF: Probes the target from a spoofed IP address (one that no host on the link answers for)
Target: Who has IP x.x.x.x (spoofed IP)?
Target: Who has IP x.x.x.x (spoofed IP)?
...
• Windows XP: Gives up after 1 attempt
• Linux: Gives up after 3 attempts
• Android: Gives up after 1-2 attempts
NCF records the min and max retry attempts
12. Fingerprinting
Cache entry timeout
NCF: Probes the target from a spoofed IP address
Target: (ARP) Who has x.x.x.x (spoofed IP address)?
NCF: (ARP) x.x.x.x is at x:x:x:x:x:x (spoofed MAC)
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
NCF: Sends another probe
Target: Replies to probe
... some time later, the entry in the target's ARP cache expires
NCF: Sends another probe
Target: (ARP) Who has x.x.x.x?
Record how long it took for the cache entry to expire. The expiry only becomes visible when the next probe forces a fresh ARP request, so the measurement is no finer than the interval between probes.
13. Fingerprinting
Detecting flood prevention
NCF: x.x.x.x is at x:x:x:x:x:80
NCF: x.x.x.x is at x:x:x:x:x:81
NCF: x.x.x.x is at x:x:x:x:x:82
NCF: Sends probe packet
Target: Replies (but to which MAC address?)
If the target has flood protection, it will reply to one of the earlier MAC addresses. If not, it will reply to the last one seen (...82).
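The three measurements on slides 11 to 13 come down to bookkeeping over the frames seen on the wire: count the target's ARP requests, time the gap between seeding an entry and the next request for the same IP, and check which advertised MAC a probe reply went to. The block below is an added example, not NCF's own code: it runs that bookkeeping over a hand-constructed trace that behaves like a Linux-style target. The target MAC, the spoofed IP (from the TEST-NET-1 range) and every timestamp are invented for the illustration.

```python
"""Feature extraction for NCF slides 11-13 (added example; not NCF's own code).
Each Event is one decoded frame, reduced to the fields the measurements need.
constructed_trace() is written by hand; nothing in it is captured data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TARGET_MAC = "08:00:27:aa:bb:cc"   # assumed MAC of the host being fingerprinted
SPOOF_IP = "192.0.2.77"            # assumed unused address we probe from
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Event:
    t: float       # seconds since capture start
    kind: str      # arp_request | arp_reply | probe | probe_reply
    src: str       # Ethernet source MAC
    dst: str       # Ethernet destination MAC
    ip: str = ""   # ARP only: IP asked about (request) or advertised (reply)


def constructed_trace() -> List[Event]:
    ev: List[Event] = []
    # Slide 11: probe from SPOOF_IP; the target asks three times, nobody answers.
    ev.append(Event(0.0, "probe", "02:00:00:00:00:01", TARGET_MAC))
    for t in (0.01, 1.01, 2.01):
        ev.append(Event(t, "arp_request", TARGET_MAC, BCAST, SPOOF_IP))
    # Slide 12: seed the cache with a spoofed MAC, then probe every 10 s.
    ev.append(Event(10.0, "arp_reply", "02:00:00:00:00:40", TARGET_MAC, SPOOF_IP))
    for t in (10.5, 20.5, 30.5, 40.5, 50.5):
        ev.append(Event(t, "probe", "02:00:00:00:00:40", TARGET_MAC))
        ev.append(Event(t + 0.1, "probe_reply", TARGET_MAC, "02:00:00:00:00:40"))
    ev.append(Event(60.5, "probe", "02:00:00:00:00:40", TARGET_MAC))
    ev.append(Event(60.51, "arp_request", TARGET_MAC, BCAST, SPOOF_IP))  # entry expired
    ev.append(Event(60.6, "arp_reply", "02:00:00:00:00:40", TARGET_MAC, SPOOF_IP))
    ev.append(Event(60.7, "probe_reply", TARGET_MAC, "02:00:00:00:00:40"))
    # Slide 13: three unsolicited replies 100 ms apart, then one probe.
    for i, m in enumerate(("02:00:00:00:00:80", "02:00:00:00:00:81", "02:00:00:00:00:82")):
        ev.append(Event(100.0 + 0.1 * i, "arp_reply", m, TARGET_MAC, SPOOF_IP))
    ev.append(Event(100.5, "probe", "02:00:00:00:00:82", TARGET_MAC))
    ev.append(Event(100.6, "probe_reply", TARGET_MAC, "02:00:00:00:00:80"))
    return ev


def arp_retry_counts(events, target_mac=TARGET_MAC, ip=SPOOF_IP, gap=5.0) -> List[int]:
    """Slide 11: size of each unanswered burst of ARP requests the target sent for ip.
    Requests more than `gap` seconds apart start a new burst; a burst we answered
    within `gap` seconds of its last request is not a give-up and is dropped."""
    reqs = sorted((e for e in events if e.kind == "arp_request"
                   and e.src == target_mac and e.ip == ip), key=lambda e: e.t)
    reply_times = [e.t for e in events if e.kind == "arp_reply" and e.ip == ip]
    bursts: List[List[Event]] = []
    for e in reqs:
        if bursts and e.t - bursts[-1][-1].t <= gap:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return [len(b) for b in bursts
            if not any(b[-1].t <= r <= b[-1].t + gap for r in reply_times)]


def cache_entry_timeout(events, target_mac=TARGET_MAC, ip=SPOOF_IP) -> Optional[Tuple[float, float]]:
    """Slide 12: (lower, upper) bound in seconds on how long the target kept the
    entry we seeded.  Expiry only shows when a probe forces re-resolution, so the
    result is an interval: the last probe still answered from cache, and the ARP
    request that proves the entry was gone."""
    seeded = last_cached = None
    for e in sorted(events, key=lambda e: e.t):
        if seeded is None:
            if e.kind == "arp_reply" and e.ip == ip:
                seeded = e.t
        elif e.kind == "probe_reply" and e.src == target_mac:
            last_cached = e.t
        elif e.kind == "arp_request" and e.src == target_mac and e.ip == ip:
            return None if last_cached is None else (last_cached - seeded, e.t - seeded)
    return None


def flood_protection(events, target_mac=TARGET_MAC, ip=SPOOF_IP) -> Dict[str, object]:
    """Slide 13: which of the MACs advertised in a burst did the target use for its
    next probe reply?  last_wins = no protection; flood_protection = an earlier
    mapping stuck; ignored = none of the burst was accepted."""
    ev = sorted(events, key=lambda e: e.t)
    idx = max(i for i, e in enumerate(ev) if e.kind == "probe_reply" and e.src == target_mac)
    advertised: List[str] = []
    for e in reversed(ev[:idx]):                 # walk back to the previous probe reply
        if e.kind == "probe_reply" and e.src == target_mac:
            break
        if e.kind == "arp_reply" and e.ip == ip:
            advertised.insert(0, e.src)
    if not advertised:
        raise ValueError("no unsolicited replies precede the last probe reply")
    used = ev[idx].dst
    verdict = ("last_wins" if used == advertised[-1]
               else "flood_protection" if used in advertised else "ignored")
    return {"verdict": verdict, "replied_to": used, "advertised": advertised}
```

On the constructed trace the retry count comes out as 3, the cache timeout as an interval of roughly 40.6 to 50.5 seconds (the probe interval sets the width; probe more often for a tighter bound, at the cost of noisier traffic), and the burst test reports flood protection because the reply went to the first advertised MAC. The 100 ms spacing in the burst is deliberate: Linux exposes a per-interface `locktime` sysctl under `/proc/sys/net/ipv4/neigh/<dev>/` that refuses to replace a mapping learned within the lock window (one second by default), which is exactly the behaviour this measurement is looking for.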
14. Fingerprinting
Gratuitous ARP packets
• A gratuitous or unsolicited ARP reply is an ARP reply for which there was no request
• ARP fields get confusing (great for implementation diversity)
  o What is the target IP of the message? The broadcast address? Zero? The specification actually says the target IP should be the same as the sender IP (it looks like an ARP reply to yourself)
  o What is the target MAC of the message? Broadcast (this is in the Ethernet frame)? The same as the sender MAC address? Neither: it should be zero according to the spec
  o Even the ARP opcode becomes confusing in the case of unsolicited ARP packets. Is it a "request" for other machines to update their cache? Or is it a "reply", even though it isn't a reply to anyone?
15. Fingerprinting
Gratuitous ARP packets
We craft gratuitous ARP packets, changing fields to match common implementation errors and oddities:
Ethernet frame destination address: broadcast or the MAC of our target
ARP target hardware address: 0, broadcast, or the MAC of our target
ARP target protocol address: 0 or the IP address of our target
ARP opcode: REPLY or REQUEST
NCF generates 36 different permutations of gratuitous ARP packets and records whether each one was accepted or ignored by the target.
16. Fingerprinting
Gratuitous ARP packets
NCF: (permutation 1) x.x.x.x is at x:x:x:x:x:40
NCF: (permutation 2) x.x.x.x is at x:x:x:x:x:41
NCF: Probes target
Target: Replies to probe. If packet 2 was accepted and updated the ARP cache, the response goes to MAC address x:x:x:x:x:41. If it was ignored as an invalid packet, the response goes to MAC x:x:x:x:x:40.
NCF: (permutation 3) x.x.x.x is at x:x:x:x:x:42
NCF: Probes target
Target: Replies to probe (to which spoofed MAC address?)
...
NCF: (permutation 36) x.x.x.x is at x:x:x:x:x:76
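Slides 14 to 16 describe a matrix of deliberately odd gratuitous ARP frames, each advertising a different spoofed MAC so that the next probe reply reveals whether the target accepted it. The block below is an added example, not code from the NCF repository: it builds the raw Ethernet/ARP frame for each combination, parses it back so every frame can be labelled, and encodes the accept/ignore results as a fingerprint string. Sending the frames needs a raw AF_PACKET socket and is left out so the module runs offline. One assumption to flag: the four fields as listed on slide 15 yield 2 × 3 × 2 × 2 = 24 combinations, while the deck reports 36; adding the spec-correct target IP (TPA equal to the sender IP) as a third TPA choice gives 36, so the example includes it, but the slides do not say that this is how NCF reaches that count. The spoofed and target addresses are invented.

```python
"""Gratuitous-ARP permutation builder for NCF slides 14-16 (added example; not
NCF's own code).  Builds the raw Ethernet/ARP frame for every field combination
the slides vary and parses it back so each one can be labelled."""
import itertools
import struct
from typing import Dict, List

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6
ZERO_IP = b"\x00" * 4


def mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp(eth_dst, eth_src, opcode, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header + the 28-byte RFC 826 body for Ethernet/IPv4."""
    eth = eth_dst + eth_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Inverse of build_arp; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    b = frame[22:42]
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "opcode": op,
            "sha": b[0:6], "spa": b[6:10], "tha": b[10:16], "tpa": b[16:20]}


def gratuitous_permutations(spoof_ip: bytes, spoof_mac: bytes,
                            target_ip: bytes, target_mac: bytes) -> List[dict]:
    """Every combination of the fields slide 15 varies.  The choices as listed
    give 2*3*2*2 = 24; the third TPA choice (TPA == SPA, the spec-correct form)
    is an assumption of this example that brings the count to the deck's 36.
    Each frame advertises a distinct spoofed MAC (last octet incremented, as on
    slide 16) so the target's next probe reply shows which frame it accepted."""
    dsts = [("bcast", BCAST_MAC), ("target", target_mac)]
    thas = [("zero", ZERO_MAC), ("bcast", BCAST_MAC), ("target", target_mac)]
    tpas = [("zero", ZERO_IP), ("target_ip", target_ip), ("sender_ip", spoof_ip)]
    ops = [("request", ARP_REQUEST), ("reply", ARP_REPLY)]
    out = []
    for i, ((dl, d), (hl, h), (pl, p), (ol, o)) in enumerate(
            itertools.product(dsts, thas, tpas, ops)):
        sha = spoof_mac[:5] + bytes([(spoof_mac[5] + i) % 256])
        frame = build_arp(d, sha, o, sha, spoof_ip, h, p)
        out.append({"label": f"dst={dl} tha={hl} tpa={pl} op={ol}", "frame": frame})
    return out


def is_rfc5227_announcement(p: Dict[str, object]) -> bool:
    """The one shape RFC 5227 section 2.1 calls an ARP Announcement: a broadcast
    *request* with SPA == TPA and an all-zero THA.  Everything else in the matrix
    is a deliberately odd frame; what a stack does with it is the fingerprint."""
    return (p["opcode"] == ARP_REQUEST and p["spa"] == p["tpa"]
            and p["eth_dst"] == BCAST_MAC and p["tha"] == ZERO_MAC)


def encode_fingerprint(perms: List[dict], accepted: Dict[str, bool]) -> str:
    """One character per permutation in generation order: '1' if the target
    moved its cache entry to the MAC in that frame, '0' if it ignored it."""
    return "".join("1" if accepted.get(p["label"], False) else "0" for p in perms)
```

Exactly one of the 36 frames is a well-formed announcement; a stack that accepts any of the other 35 is telling you something about how loosely it validates ARP, and the pattern of which ones it accepts is what separates the entries in the database on slide 18. Keep the spoofed MAC base low in its last octet (the example wraps modulo 256) so 36 increments do not collide with a real host's address.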
17. Fingerprinting
• So many techniques, so little time...
• Correct reply to an RFC 5227 (IPv4 Address Conflict Detection) ARP probe
• Cache entry creation with a gratuitous packet
• Dynamic cache timeout policies
18. Fingerprinting
Relatively small database:
Windows 7, Windows 7 or Windows Server 2008, Windows XP or Windows Server 2003
Linux 3.x, Linux 2.6 (newer than 2.6.24), Linux 2.6 (older than 2.6.24), Linux 2.4
FreeBSD or OpenBSD, NetBSD
Android 4.0.4, Android 3.2
Minix 3.2
ReactOS 0.3.13
Lexmark Printer
SonicWall OS
Wind River VxWorks
3com NBX V3000 (IP Telephone System)
Honeyd Honeypot
Scientific Atlanta DPC2100 Cable Modem, Terayon TJ715 Cable Modem
SMC Barricade Broadband Router, MontaVista embedded Linux 2.4.17
19. Neighbor Cache Fingerprinter
Source code, documentation, and issue tracker:
github.com/PherricOxide/Neighbor-Cache-Fingerprinter
Find bugs and report them on GitHub.
Better yet, find bugs and submit patches.
Email me fingerprints at dtclark@asu.edu
Questions, comments, concerns?