OS detection with ARP

What is OS fingerprinting?
Inferring a remote machine's operating system type and version (Windows XP, Linux 2.4...) from unique characteristics of its packets and network behavior.
Useful for:
•Network reconnaissance for pentests
•Network monitoring for administration
•Internal security audits
Existing tools
•Nmap
  o Active probing of TCP, UDP, and ICMP
  o Contains over 4,000 user-submitted OS fingerprints

•xprobe2
  o Many probes for TCP and ICMP
  o Smaller database than nmap

•p0f
  o Passive OS fingerprinter
  o Complete rewrite to version 3 in 2012
Problem with nmap
Nmap needs the following to do an accurate OS scan:
•1 open TCP port
•1 closed TCP port
•1 closed UDP port
•Response to ICMP queries
A host that exposes none of that gives Nmap's TCP/IP stack probes too little to work with:
Nmap scan report for 192.168.0.3
All 1000 scanned ports on 192.168.0.3 are closed
MAC Address: B8:C6:xx:xx:xx:xx (Unknown)
Too many fingerprints match this host to give specific OS details
What about ARP?
•Address Resolution Protocol
•Primarily used to translate IP addresses into MAC addresses on link-local networks
•Every host on the LAN must implement it, whatever ports it has open
ARP Packet Structure
Neighbor Cache
•Sending an ARP request for every packet would be a waste of network resources. Once an IP address is resolved into a MAC address, it is cached (the Linux kernel calls this the "neighbor cache").
•Cache entries time out, but often under complicated timeout policies
•Valid ARP packets will update the cache, but invalid ARP packets should be ignored. What counts as valid, how long entries live, and how many retries a resolution gets are all implementation choices, and those choices are what can be fingerprinted.
ARP Fingerprinting?
•The only tool that used ARP for any sort of fingerprinting was a very minimal implementation (arp-scan) that just sent a few malformed ARP requests and looked for replies
•Finding no existing tools, I wrote my own prototype fingerprinting tool for ARP:
  o Neighbor Cache Fingerprinter (NCF)
Fingerprinting
  NCF Response Elicitation
•NCF works in any of the following conditions:
  o If the target responds to ICMP echo requests:
    NCF sends an ICMP echo request as the probe packet; the target sends back an ICMP echo reply
  o If the target has a single closed TCP port:
    NCF sends a SYN as the probe packet; the target sends back a RST
  o If the target has an open TCP port:
    NCF sends a SYN as the probe packet; the target sends back a SYN/ACK
  o If the target has a closed UDP port:
    NCF sends a UDP datagram to the closed port as the probe packet; the target sends back an ICMP port unreachable
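The four elicitation conditions above all reduce to one idea: send any packet the target is obliged to answer, with a source IP the target has never seen, so that delivering the answer forces it to ARP. The following is an added example (not NCF's code) that builds those four probe packets with the standard library only. The addresses 192.168.0.250 (spoofed source) and 192.168.0.3 (target) and the port numbers are constructed for the example; `send_probe` uses a raw socket and needs root, everything else runs offline.

```python
import random
import socket
import struct
from typing import Optional, Tuple


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ident: int = 0x4E43) -> bytes:
    """20-byte IPv4 header, no options; src is the spoofed address the target will have to ARP for."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_echo(ident: int = 0x4E43, seq: int = 1, payload: bytes = b"NCF") -> bytes:
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # type 8 = echo request, checksum zeroed
    return struct.pack("!BBHHH", 8, 0, checksum(hdr + payload), ident, seq) + payload


def _pseudo(src: str, dst: str, proto: int, length: int) -> bytes:
    """TCP/UDP pseudo-header: the L4 checksum covers the IP addresses too."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, proto, length)


def tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)  # flags = SYN
    csum = checksum(_pseudo(src, dst, 6, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = checksum(_pseudo(src, dst, 17, length) + hdr + payload) or 0xFFFF  # 0 would mean "no checksum"
    return hdr[:6] + struct.pack("!H", csum) + payload


# What each probe should elicit, as listed on the slide.  Whichever reply comes back,
# the target first has to resolve the spoofed source IP, and that ARP traffic is the signal.
EXPECTED_REPLY = {
    "icmp_echo": "ICMP echo reply",
    "tcp_syn_closed": "TCP RST",
    "tcp_syn_open": "TCP SYN/ACK",
    "udp_closed": "ICMP port unreachable",
}


def build_probe(kind: str, spoofed_src: str, target: str, dport: Optional[int] = None,
                sport: int = 40000, seq: Optional[int] = None) -> Tuple[bytes, str]:
    """Return (raw IPv4 packet, expected reply) for one of the four elicitation conditions."""
    if kind == "icmp_echo":
        proto, l4 = 1, icmp_echo()
    elif kind in ("tcp_syn_closed", "tcp_syn_open"):
        isn = seq if seq is not None else random.getrandbits(32)
        proto, l4 = 6, tcp_syn(spoofed_src, target, sport, dport, isn)
    elif kind == "udp_closed":
        proto, l4 = 17, udp_datagram(spoofed_src, target, sport, dport)
    else:
        raise ValueError("unknown probe kind: %s" % kind)
    return ipv4_header(spoofed_src, target, proto, len(l4)) + l4, EXPECTED_REPLY[kind]


def checksums_ok(pkt: bytes) -> bool:
    """Validate the IPv4 header checksum and the L4 checksum (with pseudo-header for TCP/UDP)."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    proto, l4 = pkt[9], pkt[ihl:]
    if proto == 1:
        return checksum(l4) == 0
    return checksum(pkt[12:20] + struct.pack("!BBH", 0, proto, len(l4)) + l4) == 0


def send_probe(pkt: bytes, target: str) -> None:
    """Transmit via a raw socket (root/CAP_NET_RAW); on Linux IPPROTO_RAW implies IP_HDRINCL."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (target, 0))


if __name__ == "__main__":
    pkt, expected = build_probe("tcp_syn_closed", "192.168.0.250", "192.168.0.3", dport=1)
    print(len(pkt), "bytes, checksums ok:", checksums_ok(pkt), "expected reply:", expected)
```

The spoofed source must be an address on the target's subnet that no host actually holds; otherwise the real owner answers the target's ARP request and the measurement is lost. The source MAC of the Ethernet frame carrying the probe is irrelevant to ARP resolution, since stacks do not learn neighbor entries from incoming IP packets.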
Fingerprinting
    Number of ARP Requests
NCF: Probes the target from a spoofed IP address that is not in its cache, and never answers the resulting ARP requests
Target: Who has IP x.x.x.x (spoofed IP)?
Target: Who has IP x.x.x.x (spoofed IP)?
...
How many times the target asks before giving up is an implementation choice:
•Windows XP: Gives up after 1 attempt
•Linux: Gives up after 3 attempts
•Android: Gives up after 1-2 attempts
NCF records the min and max number of retry attempts seen
Fingerprinting
          Cache entry timeout
NCF: Probes the target from a spoofed IP address
Target: (ARP) Who has x.x.x.x (spoofed IP address)?
NCF: (ARP) x.x.x.x is at x:x:x:x:x:x (spoofed MAC)
Target: Replies to the probe (to the spoofed MAC, now in its cache)
NCF: Sends another probe
Target: Replies to the probe
NCF: Sends another probe
Target: Replies to the probe
... some time later, the entry in the target's ARP cache expires
NCF: Sends another probe
Target: (ARP) Who has x.x.x.x?
Record how long it took for the cache entry to expire
Fingerprinting
     Detecting flood prevention
NCF: (ARP) x.x.x.x is at x:x:x:x:x:80
NCF: (ARP) x.x.x.x is at x:x:x:x:x:81
NCF: (ARP) x.x.x.x is at x:x:x:x:x:82
NCF: Sends a probe packet
Target: Replies (but to which MAC address?)
If the target has flood protection (it rate-limits updates to an entry that was just changed), it replies to one of the earlier MAC addresses. If not, it replies to the last one seen (...82).
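The three measurements above (retry count, cache entry lifetime, flood protection) are all read off the same kind of capture: who the target ARPs for, when, and which MAC its replies go to. The following is an added example, not NCF's code, of the analysis side of those three slides over a constructed frame trace. The MACs, the spoofed IP's claimed MAC and the timings are made up for the example; a real run would fill the `Frame` list from a packet capture on the NCF host's interface.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addresses for the example; none of these are real hosts.
NCF = "00:0c:29:aa:bb:cc"      # real MAC of the machine running NCF
TGT = "b8:c6:11:22:33:44"      # target's MAC
BCAST = "ff:ff:ff:ff:ff:ff"
SPOOF = "02:00:00:00:00:40"    # MAC NCF claims for the spoofed IP in the timeout phase


@dataclass
class Frame:
    t: int          # capture time in milliseconds
    src: str        # Ethernet source MAC
    dst: str        # Ethernet destination MAC
    op: str         # "probe" (NCF->target), "reply" (target->whatever it cached),
                    # "who-has" (target's ARP request), "is-at" (NCF's ARP reply)
    mac: str = ""   # sender hardware address carried in an is-at


def rounds(frames: List[Frame]) -> List[List[Frame]]:
    """Split the trace into rounds, each opened by one NCF probe."""
    out: List[List[Frame]] = []
    for f in frames:
        if f.op == "probe":
            out.append([f])
        elif out:
            out[-1].append(f)
    return out


def arp_retries(frames: List[Frame]) -> Tuple[int, int]:
    """'Number of ARP Requests': NCF never answers, so every who-has the target
    sends within a round is one retry.  Returns (min, max) over all rounds."""
    counts = [sum(1 for f in r if f.src == TGT and f.op == "who-has") for r in rounds(frames)]
    return min(counts), max(counts)


def cache_timeout_bounds(frames: List[Frame]) -> Tuple[int, int]:
    """'Cache entry timeout': the entry is created when NCF answers (is-at) and has
    expired by the time the target asks again.  Probes are spaced out, so the expiry
    is only known to lie between the last reply still served from cache and the
    re-ARP; both bounds are returned (in ms) rather than a false-precision single value."""
    t_created = next(f.t for f in frames if f.op == "is-at" and f.src == NCF)
    last_cached_reply = t_created
    for f in frames:
        if f.t <= t_created:
            continue
        if f.op == "reply" and f.src == TGT and f.dst == SPOOF:
            last_cached_reply = f.t
        if f.op == "who-has" and f.src == TGT:
            return last_cached_reply - t_created, f.t - t_created
    raise ValueError("trace ends before the cache entry expired")


def flood_protection(frames: List[Frame]) -> Tuple[bool, int]:
    """'Detecting flood prevention': several is-at for the same IP in quick succession,
    then a probe.  Returns (protected, index of the offered MAC the target replied to;
    -1 if it replied to none of them)."""
    offered = [f.mac for f in frames if f.op == "is-at" and f.src == NCF]
    reply = next(f for f in frames if f.op == "reply" and f.src == TGT)
    used = offered.index(reply.dst) if reply.dst in offered else -1
    return used != len(offered) - 1, used


# Constructed traces modelled on the slides' exchanges (times in ms).
RETRY_TRACE = [
    Frame(0, NCF, TGT, "probe"),
    Frame(1, TGT, BCAST, "who-has"), Frame(1001, TGT, BCAST, "who-has"), Frame(2001, TGT, BCAST, "who-has"),
    Frame(5000, NCF, TGT, "probe"),
    Frame(5001, TGT, BCAST, "who-has"), Frame(6001, TGT, BCAST, "who-has"), Frame(7001, TGT, BCAST, "who-has"),
]
TIMEOUT_TRACE = [
    Frame(0, NCF, TGT, "probe"),
    Frame(1, TGT, BCAST, "who-has"),
    Frame(2, NCF, TGT, "is-at", mac=SPOOF),
    Frame(3, TGT, SPOOF, "reply"),
    Frame(10000, NCF, TGT, "probe"), Frame(10001, TGT, SPOOF, "reply"),
    Frame(20000, NCF, TGT, "probe"), Frame(20001, TGT, SPOOF, "reply"),
    Frame(30000, NCF, TGT, "probe"), Frame(30001, TGT, SPOOF, "who-has"),  # unicast re-ARP to the cached MAC
]
FLOOD_TRACE = [
    Frame(0, NCF, TGT, "is-at", mac="02:00:00:00:00:80"),
    Frame(1, NCF, TGT, "is-at", mac="02:00:00:00:00:81"),
    Frame(2, NCF, TGT, "is-at", mac="02:00:00:00:00:82"),
    Frame(3, NCF, TGT, "probe"),
    Frame(4, TGT, "02:00:00:00:00:80", "reply"),
]

if __name__ == "__main__":
    print("retries (min, max):", arp_retries(RETRY_TRACE))
    print("cache timeout bounds (ms):", cache_timeout_bounds(TIMEOUT_TRACE))
    print("flood protection, MAC index used:", flood_protection(FLOOD_TRACE))
```

Two caveats when interpreting the numbers. The target's re-ARP after expiry is not necessarily a broadcast: Linux first sends unicast requests to the cached MAC (its NUD "probe" state) before falling back to broadcast, so the analyzer keys on the opcode and source, not on a broadcast destination. And on Linux the measured values map to tunables rather than fixed constants: the retry count is `mcast_solicit`/`ucast_solicit` (default 3) and the lifetime is derived from `base_reachable_time_ms` with randomization, which is exactly why the slide calls the timeout policies complicated and why NCF records ranges rather than single values.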
Fingerprinting
     Gratuitous ARP packets
•A gratuitous or unsolicited ARP reply is an ARP reply for which there was no request
•ARP fields get confusing (great for implementation diversity):
   o What is the target IP of the message? The broadcast address? Zero? The specification actually says the target IP should be the same as the sender IP (it looks like an ARP reply to yourself)
   o What is the target MAC of the message? Broadcast (that is in the Ethernet frame)? The same as the sender MAC address? Neither: it should be zero according to the spec
   o Even the ARP opcode becomes confusing in the case of unsolicited ARP packets. Is it a "request" for other machines to update their cache? Or is it a "reply", even though it isn't a reply to anyone?
Fingerprinting
     Gratuitous ARP packets
We craft gratuitous ARP packets, changing fields to match common implementation errors and oddities.

Ethernet frame destination address : broadcast or the MAC of our target
ARP target hardware address        : 0, broadcast, or the MAC of our target
ARP target protocol address        : 0 or the IP address of our target
ARP opcode                         : REPLY or REQUEST

NCF generates 36 different permutations of gratuitous ARP packets, and records whether each one was accepted or ignored by the target.
Fingerprinting
     Gratuitous ARP packets
NCF: (permutation 1) x.x.x.x is at x:x:x:x:x:40
NCF: (permutation 2) x.x.x.x is at x:x:x:x:x:41
NCF: Probes target
Target: Replies to probe. If packet 2 was accepted and updated the ARP cache, the response goes to MAC x:x:x:x:x:41. If it was ignored as an invalid packet, the response goes to MAC x:x:x:x:x:40.
NCF: (permutation 3) x.x.x.x is at x:x:x:x:x:42
NCF: Probes target
Target: Replies to probe (to which spoofed MAC address?)
...
NCF: (permutation 36) x.x.x.x is at x:x:x:x:x:76
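This is an added example, not NCF's code, covering the ARP packet structure slide and the three gratuitous-ARP slides above: an encoder and parser for RFC 826 ARP-over-Ethernet, a generator for the field permutations, an RFC 5227 ARP Probe builder (the "correct reply" dimension mentioned on the next slide), and the decision rule that turns the target's reply destinations into an accepted/ignored vector. Enumerating just the four fields listed on the slide gives 2*3*2*2 = 24 frames; NCF's 36 must vary something further that the slide does not show, so the count here is an assumption, as are the addresses and the 02:00:00:00:00:xx MAC scheme (locally administered, so it cannot collide with a vendor OUI).

```python
import itertools
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(m: str) -> bytes:
    return bytes.fromhex(m.replace(":", ""))


def _ip(a: str) -> bytes:
    return bytes(int(o) for o in a.split("."))


def arp_frame(eth_dst: str, eth_src: str, opcode: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet for IPv4 over Ethernet:
    htype=1, ptype=0x0800, hlen=6, plen=4, opcode, then sender and target
    hardware/protocol addresses.  42 bytes before Ethernet padding."""
    eth = _mac(eth_dst) + _mac(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    """Inverse of arp_frame; rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    p = frame[22:42]
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]), "op": op,
            "sha": mac(p[0:6]), "spa": ip(p[6:10]), "tha": mac(p[10:16]), "tpa": ip(p[16:20])}


def acd_probe(prober_mac: str, ip: str) -> bytes:
    """RFC 5227 ARP Probe: a request with sender IP 0.0.0.0 and an all-zero target
    hardware address.  Whether (and how) a stack answers one is another fingerprint bit."""
    return arp_frame(BCAST, prober_mac, ARP_REQUEST, prober_mac, "0.0.0.0", ZERO_MAC, ip)


def gratuitous_permutations(spoof_ip: str, target_ip: str, target_mac: str,
                            first_suffix: int = 0x40) -> List[Tuple[str, bytes]]:
    """Every combination of the four fields the slide varies.  Each permutation claims
    a different MAC for the spoofed IP, so the target's next reply reveals which one
    its cache holds.  Returns (claimed MAC, frame) pairs."""
    fields = itertools.product([BCAST, target_mac],            # Ethernet destination
                               [ZERO_MAC, BCAST, target_mac],  # ARP target hardware address
                               ["0.0.0.0", target_ip],         # ARP target protocol address
                               [ARP_REPLY, ARP_REQUEST])       # ARP opcode
    out = []
    for i, (eth_dst, tha, tpa, op) in enumerate(fields):
        claimed = "02:00:00:00:00:%02x" % (first_suffix + i)
        # Ethernet source = claimed MAC so the switch learns it on our port and forwards replies to us.
        out.append((claimed, arp_frame(eth_dst, claimed, op, claimed, spoof_ip, tha, tpa)))
    return out


def acceptance_vector(perms: List[Tuple[str, bytes]], reply_dsts: List[Optional[str]]) -> List[bool]:
    """reply_dsts[i] is the destination MAC of the target's reply to the probe sent right
    after permutation i (None if it re-ARPed instead of replying).  A permutation was
    accepted iff the reply went to the MAC it claimed; otherwise the cache kept the earlier
    mapping, which is the slide's (permutation 2 -> :41 or :40) case."""
    return [dst == claimed for (claimed, _), dst in zip(perms, reply_dsts)]


def fingerprint_bits(accepted: List[bool]) -> str:
    """Compact form for a database entry: one character per permutation."""
    return "".join("1" if a else "0" for a in accepted)


if __name__ == "__main__":
    perms = gratuitous_permutations("192.168.0.250", "192.168.0.3", "b8:c6:11:22:33:44")
    for claimed, frame in perms[:4]:
        print(claimed, parse_arp(frame))
    print(len(perms), "permutations;", len(perms[0][1]), "bytes each")
```

Two operational notes. Because every permutation uses a different source MAC, a switch port with port-security MAC limits can shut the port after a handful of them; run this from an unrestricted port or a hub. And a permutation that the target rejects still needs a known-good mapping already in its cache, otherwise the subsequent probe produces a who-has rather than a reply, which `acceptance_vector` treats as "not accepted" via the `None` entry.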
Fingerprinting
•So many techniques, so little time...
•Correct reply to an RFC 5227 (IPv4 Address Conflict Detection) ARP probe
•Cache entry creation (not just update) from a gratuitous packet
•Dynamic cache timeout policies
Fingerprinting
   Relatively small database
Windows 7, Windows 7 or Windows Server 2008, Windows XP or Windows Server 2003
Linux 3.x, Linux 2.6 (newer than 2.6.24), Linux 2.6 (older than 2.6.24), Linux 2.4
FreeBSD or OpenBSD, NetBSD
Android 4.0.4, Android 3.2
Minix 3.2
ReactOS 0.3.13
Lexmark Printer
SonicWall OS
Wind River VxWorks
3com NBX V3000 (IP Telephone System)
Honeyd Honeypot
Scientific Atlanta DPC2100 Cable Modem, Terayon TJ715 Cable Modem
SMC Barricade Broadband Router, MontaVista embedded Linux 2.4.17
Neighbor Cache Fingerprinter
Source code, documentation, and issue tracker:
github.com/PherricOxide/Neighbor-Cache-Fingerprinter

Find bugs and report them on github.
Better yet, find bugs and submit patches.
Email fingerprints to me at dtclark@asu.edu

Questions, comments, concerns?
