Using DHCP for Passive OS Identification

1 Using DHCP for Passive OS Identification
David LaPorte, Harvard University
Eric Kollmann, Boise State University

David LaPorte: Network Security Manager, Harvard University Network and Server Systems; co-developer of PacketFence, an open-source NAC solution
Eric Kollmann: Systems Engineer, Boise State University; developer of Satori, a Windows-based passive OS fingerprinting tool

3 Types of OS Fingerprinting
Active: port interrogation, e.g. nmap
Passive: traffic analysis, e.g. p0f
Passive: DHCP fingerprinting

4 Why DHCP is Unique
Broadcast protocol: the client's DISCOVER and REQUEST are broadcast, so every host on the segment sees them
Totally passive collection: nothing has to be sent to the target
Most networks come with a built-in probe: DHCP relay agents forward the client's messages to a central server, where they can be captured
Extremely accurate

5 DHCP Primer
Dynamic Host Configuration Protocol
Entirely client-driven (currently; the server-initiated DHCPFORCERENEW of RFC 3203 is the exception)
Main message types: DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPINFORM, DHCPRELEASE

6 DHCP Primer, contd.
Relevant RFCs:
RFC 1541: original DHCP specification, obsoleted by RFC 2131
RFC 2131: added DHCPINFORM, extended vendor classes
RFC 2132: DHCP options and BOOTP vendor extensions
RFC 4361: updates to option 61 (client identifier)
RFC 4578: PXE boot information (client system architecture and related options)

7 DHCP Primer, contd.
Message exchange between a client and two servers (RFC 2131, figure 3). A relay agent, where present, sits between the client and the servers and forwards these messages:

              Server          Client          Server
          (not selected)                    (selected)

                v               v               v
                |               |               |
                |     Begins initialization     |
                |               |               |
                | _____________/|\____________  |
                |/DHCPDISCOVER  | DHCPDISCOVER \|
                |               |               |
            Determines         |          Determines
           configuration       |         configuration
                |               |               |
                |\              |  ____________/|
                | \________     | /DHCPOFFER    |
                | DHCPOFFER\    |/              |
                |           \   |               |
                |       Collects replies        |
                |             \|                |
                |     Selects configuration     |
                |               |               |
                | _____________/|\____________  |
                |/ DHCPREQUEST  |  DHCPREQUEST\ |
                |               |               |
                |               |     Commits configuration
                |               |               |
                |               | _____________/|
                |               |/ DHCPACK      |
                |               |               |
                |    Initialization complete    |
                |               |               |
                .               .               .
                .               .               .
                |               |               |
                |      Graceful shutdown        |
                |               |               |
                |               |\ ____________ |
                |               | DHCPRELEASE  \|
                |               |               |
                |               |        Discards lease
                |               |               |
                v               v               v

Lease renewal starts at the half-life of the lease (T1), with a unicast DHCPREQUEST to the server that granted it

8 Which ones are useful
DHCPDISCOVER, DHCPREQUEST, DHCPINFORM: sent by the client, and the main source of client fingerprints
DHCPOFFER: sent by the server, so it fingerprints the server; useful in a SOHO environment, where the server is the consumer gateway
DHCPRELEASE: seen on a graceful shutdown on some OSs
All will help you identify the client OS, but some are more useful than others

9 Fingerprinting the hard way
When no DHCP server responds, the only signal is the client's retransmission timing: how long each OS waits between DHCPDISCOVER packets before it sends another one
RFC 2131 states the client should wait 4, 8, 16, 32 and then up to 64 seconds, each delay randomized by +/- 1 second
RFC 2131 also states the 'secs' field should carry the seconds elapsed since the client started, not a constant value

10 Fingerprinting the hard way, contd.
Seconds Elapsed ('secs') field: a 16-bit count of seconds since the client began address acquisition

11 Fingerprinting the hard way, contd.
What it should look like: retransmissions at 4, 8, 16, 32, up to 64 seconds, all +/- 1 second, with 'secs' tracking the elapsed time

12 Fingerprinting the hard way, contd.
Problem 1: incorrect time difference between retransmissions
Problem 2: incorrect use of the 'secs' field: 1 second does not equal 256 (the client writes the 16-bit field in the wrong byte order, so 0x0100 is read as 256 on the wire instead of 1)

13 Fingerprinting the hard way, contd.
Seconds Elapsed field set to a constant, although the RFCs state it should not be

14 Fingerprinting the hard way, contd.
Two overlapping attempts at the same time (two retransmission sequences from one client interleaved)
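As an added example for slides 9 to 14 (not code from the talk, Satori or PacketFence), the following script decodes the fixed BOOTP/DHCP header from raw DHCPDISCOVER payloads, measures the retransmission delays against the RFC 2131 schedule, and flags the three 'secs' problems shown above: a constant value, a byte-swapped value (1 second sent as 0x0100), and two interleaved attempts. The captures are constructed by hand, and the transaction ID (xid) is used as the marker of a separate attempt, which is an assumption of the example rather than something the slides state.

```python
"""Timing analysis of DHCPDISCOVER retransmissions when no server answers.

Added example for this section; not code from the talk, Satori or
PacketFence. Standard library only; the captures below are constructed,
not recorded from real clients.
"""
import struct
from dataclasses import dataclass, field

# RFC 2131 section 4.1: retransmit after 4, 8, 16, 32 s, then every 64 s,
# each delay randomized by -1..+1 s.
RFC_BACKOFF = (4, 8, 16, 32, 64)
JITTER = 1.0


def parse_bootp_header(payload: bytes) -> dict:
    """Decode the fixed header (RFC 2131 figure 1): op(1) htype(1) hlen(1)
    hops(1) xid(4) secs(2) flags(2), then ciaddr/yiaddr/siaddr/giaddr, chaddr."""
    if len(payload) < 44:
        raise ValueError("truncated BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    return {"op": op, "hlen": hlen, "xid": xid, "secs": secs, "flags": flags,
            "chaddr": payload[28:28 + hlen].hex(":")}


def build_discover(xid: int, secs: int, mac: bytes = bytes.fromhex("001122334455")) -> bytes:
    """Constructed minimal DHCPDISCOVER: header, magic cookie, option 53, end."""
    pkt = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, secs, 0x8000)  # BOOTREQUEST, broadcast flag
    pkt += bytes(16)                                    # ciaddr, yiaddr, siaddr, giaddr
    pkt += mac.ljust(16, b"\x00")                       # chaddr
    pkt += bytes(64 + 128)                              # sname, file
    pkt += b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])  # cookie, DHCPDISCOVER, end
    return pkt


@dataclass
class TimingReport:
    deltas: list = field(default_factory=list)  # seconds between successive DISCOVERs
    rfc_backoff: bool = True        # every delay within RFC_BACKOFF[i] +/- JITTER
    secs_constant: bool = False     # problem: secs never changes
    secs_byteswapped: bool = False  # problem: 1 s sent as 0x0100 = 256
    overlapping: bool = False       # two attempts (xids) interleaved at the same time


def analyze_discovers(capture) -> TimingReport:
    """capture: list of (timestamp_seconds, raw DHCP payload) from one client."""
    times = [t for t, _ in capture]
    hdrs = [parse_bootp_header(p) for _, p in capture]
    rep = TimingReport()
    rep.deltas = [round(b - a, 3) for a, b in zip(times, times[1:])]
    for i, d in enumerate(rep.deltas):
        expected = RFC_BACKOFF[min(i, len(RFC_BACKOFF) - 1)]
        if abs(d - expected) > JITTER:
            rep.rfc_backoff = False
    secs = [h["secs"] for h in hdrs]
    rep.secs_constant = len(secs) > 1 and len(set(secs)) == 1
    # secs should approximate seconds since the first DISCOVER; if the
    # byte-swapped value fits better, the client writes it in the wrong order.
    elapsed = [t - times[0] for t in times]

    def fit_error(values):
        return sum(abs(v - e) for v, e in zip(values, elapsed))

    swapped = [((s & 0xFF) << 8) | (s >> 8) for s in secs]
    rep.secs_byteswapped = len(secs) > 1 and fit_error(swapped) + 1.0 < fit_error(secs)
    # An xid that reappears after a different xid means two attempts interleave.
    seen, prev = set(), None
    for x in (h["xid"] for h in hdrs):
        if x != prev and x in seen:
            rep.overlapping = True
        seen.add(x)
        prev = x
    return rep


def sample_captures() -> dict:
    """Constructed captures illustrating the cases on the slides."""
    return {
        # Follows the RFC schedule; secs counts elapsed seconds.
        "compliant": [(0.0, build_discover(0x1111, 0)), (4.3, build_discover(0x1111, 4)),
                      (12.1, build_discover(0x1111, 12)), (28.6, build_discover(0x1111, 28)),
                      (61.2, build_discover(0x1111, 61))],
        # Wrong delays, and secs in the wrong byte order (3 s sent as 0x0300).
        "problem_1_and_2": [(0.0, build_discover(0x2222, 0)), (3.0, build_discover(0x2222, 0x0300)),
                            (7.0, build_discover(0x2222, 0x0700)), (15.0, build_discover(0x2222, 0x0F00))],
        # secs pinned to a constant.
        "constant_secs": [(0.0, build_discover(0x3333, 0)), (4.0, build_discover(0x3333, 0)),
                          (12.0, build_discover(0x3333, 0))],
        # Two attempts with different xids interleaved.
        "overlapping": [(0.0, build_discover(0x4444, 0)), (0.5, build_discover(0x5555, 0)),
                        (4.0, build_discover(0x4444, 4)), (4.5, build_discover(0x5555, 4))],
    }


if __name__ == "__main__":
    for name, cap in sample_captures().items():
        print(name, analyze_discovers(cap))
```

The byte-order test compares how well the raw and the swapped 'secs' values track the elapsed time rather than looking for multiples of 256, so a client that is a second or two off does not trigger it; only a value that fits clearly better swapped does.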

15 IP TTL on DHCP Packets
Provides a rough guide to the OS:
TTL 255: Mac OS X
TTL 128: MS Windows >95 (the TTL value for this row is missing from the slide text; 128, the Windows default, is assumed here)
TTL 64: Linux group 2
TTL 32: MS Windows 95
TTL 16: Linux group 1

16 More with TTL and DHCP
Typically, no guessing required

17 Issues with TTL with DHCP
DHCP relay: the relay agent re-originates the client's packet towards the server, so whether the client's TTL survives depends on the relay
Some Cisco devices will change the TTL to 255
Some HP devices will leave the TTL field alone

18 Fingerprinting the easy way
Using DHCP options:
All of the options (which options are present, and in what order)
Option 55 (requested parameter list)
Option 60 (vendor class identifier)
Option 61 (client identifier: lets a client bind the lease to a value other than its MAC address, e.g. multiple IPs on a single interface)
Option 77 (user class information)
Option 82 (relay agent information)
Option 93 (client system architecture)

19 All of the Options
The set and order of options present in the packet, e.g. 53, 61, 50, 54, 12, 55, 43: of limited use on its own, but may get us to the "family" of the OS

20 All of the Options, contd.
Still can't be ruled out: some systems will not provide the other options you want, so the option sequence is all you get
Example: Windows 95 DHCPDISCOVER
Note that the hostname (option 12) in the capture is what we typed in; the OS isn't nice enough to tell us which OS it is

21 Option 55 - requested parameter list
The easiest and most accurate way to identify a machine

22 Option 55, contd.
The number and order of requested parameters forms a fingerprint
eg., MS Windows XP:
1,15,3,6,44,46,47,31,33,249,43
1,15,3,6,44,46,47,31,33,249,43,252
1,15,3,6,44,46,47,31,33,249,43,252,12
15,3,6,44,46,47,31,33,249,43
15,3,6,44,46,47,31,33,249,43,252
15,3,6,44,46,47,31,33,249,43,252,12
28,2,3,15,6,12,44,47
Apple iPhone:
1,3,6,15,119,78,79,95,252
1,3,6,15,119,95,252,44,46,47
(1 = subnet mask, 12 = hostname, 252 = web proxy auto-discovery)
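As an added example for slides 19 to 22 (not code from the talk, Satori or PacketFence), the following script parses the option area of a DHCP payload into an ordered list, derives the three easy fingerprints from it (the sequence of options present, the option 55 list, and the option 60 vendor class), and matches the option 55 list against the Windows XP and iPhone lists shown above. The packets are constructed here, not captured; the option order, hostname and the "MSFT 5.0" vendor class in the XP sample are assumptions of the example.

```python
"""DHCP option parsing and option-55 fingerprinting (the 'easy way').

Added example for this section, not code from the talk, Satori or PacketFence.
The fingerprint table holds only the option-55 lists shown on the slides;
the packets are constructed here rather than captured.
"""

MAGIC = b"\x63\x82\x53\x63"

# Parameter request list (option 55) -> OS, as listed on the slides.
FINGERPRINTS = {
    "1,15,3,6,44,46,47,31,33,249,43": "MS Windows XP",
    "1,15,3,6,44,46,47,31,33,249,43,252": "MS Windows XP",
    "1,15,3,6,44,46,47,31,33,249,43,252,12": "MS Windows XP",
    "15,3,6,44,46,47,31,33,249,43": "MS Windows XP",
    "15,3,6,44,46,47,31,33,249,43,252": "MS Windows XP",
    "15,3,6,44,46,47,31,33,249,43,252,12": "MS Windows XP",
    "1,3,6,15,119,78,79,95,252": "Apple iPhone",
    "1,3,6,15,119,95,252,44,46,47": "Apple iPhone",
}


def parse_options(payload: bytes) -> list:
    """Return the DHCP options as an ordered list of (code, value).

    Pad (0) is skipped, End (255) stops parsing, and an option that appears
    more than once is kept as separate entries in wire order."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts.append((code, value))
        i += 2 + length
    return opts


def fingerprint(payload: bytes) -> dict:
    """Derive the slide's three fingerprints and look up option 55."""
    opts = parse_options(payload)
    prl = next((v for c, v in opts if c == 55), b"")
    vendor = next((v for c, v in opts if c == 60), b"")
    prl_str = ",".join(str(b) for b in prl)
    return {
        "option_sequence": ",".join(str(c) for c, _ in opts),  # slide 19: options present, in order
        "prl": prl_str,                                          # slide 22: option 55
        "vendor_class": vendor.decode("latin-1"),                # slide 23: option 60
        "os": FINGERPRINTS.get(prl_str, "unknown"),
    }


def build_payload(options: list) -> bytes:
    """Constructed DHCP payload: zeroed 236-byte header, cookie, TLV options, End."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return bytes(236) + MAGIC + body + b"\xff"


# Constructed samples (not captures). The XP option 55 list is from the slide;
# the surrounding options, hostname and vendor class are assumed.
XP_DISCOVER = build_payload([
    (53, b"\x01"),                                   # DHCPDISCOVER
    (61, b"\x01" + bytes.fromhex("001122334455")),   # client id: htype + MAC
    (12, b"XPBOX"),                                  # hostname: user-chosen, not OS-derived
    (60, b"MSFT 5.0"),                               # vendor class
    (55, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43])),
])

IPHONE_DISCOVER = build_payload([
    (53, b"\x01"),
    (55, bytes([1, 3, 6, 15, 119, 78, 79, 95, 252])),
    (57, b"\x05\xdc"),                               # maximum message size 1500
    (61, b"\x01" + bytes.fromhex("a4d1d2000001")),
    (12, b"iPhone"),
])

if __name__ == "__main__":
    for name, pkt in (("XP", XP_DISCOVER), ("iPhone", IPHONE_DISCOVER)):
        print(name, fingerprint(pkt))
```

Matching is on the exact list, as the slide does; a fingerprint repository that also stores the option sequence can use the `option_sequence` value to separate clients whose option 55 lists collide.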

23 Option 60 - vendor class identifier
May be quite specific or very generic
May even be misleading: the client software chooses the string, and nothing verifies it

24 Option 60, contd.

25 Option 60, contd.
Cisco VoIP devices
Generic: Cisco Systems, Inc. IP Phone
Specific: Cisco Systems, Inc. IP Phone 7905; Cisco Systems, Inc. IP Phone 7912; Cisco Systems, Inc. IP Phone CP-7960G

26 Option 60, contd.
Some Linux distributions make it easy!

27 Option 61 - client identifier
In most cases this will just be the MAC of the device, but if you want to identify a MS RRAS server…

28 Option 77 - user class information
Be careful with this one, it is user-defined!
If you need to identify MS RRAS…

29 Option 93 - client system architecture
Sent by PXE boot clients; determines the underlying hardware. Architecture codes:
0: Intel x86PC
1: NEC/PC98
2: EFI Itanium
3: DEC Alpha
4: Arc x86
5: Intel Lean Client
6: EFI IA32
7: EFI BC
8: EFI Xscale
9: EFI x86-64

30 Option 82 - relay agent information
RFC 3046, DHCP Relay Agent Information Option
Compatible devices "tag" the DHCP packet with additional information as they relay it
What is included varies by vendor
Exposes information about the client or the switch, e.g. Cisco provides port, VLAN and switch data; the data format is model-dependent (a Catalyst 3550 put the SNMP ifIndex value in the Circuit-ID field; newer releases default to the vlan-mod-port "standard")

      Code   Len     Agent Information Field
     +------+------+------+------+------+------+--...-+------+
     |  82  |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
     +------+------+------+------+------+------+--...-+------+

      SubOpt  Len     Sub-option Value
     +------+------+------+------+------+------+--...-+------+
     |  1   |   N  |  s1  |  s2  |  s3  |  s4  |      |  sN  |
     +------+------+------+------+------+------+--...-+------+

DHCP agent sub-option codes (RFC 3046):
1: Agent Circuit ID sub-option
2: Agent Remote ID sub-option
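As an added example for slides 29 and 30 (not code from the talk, Satori or PacketFence), the following script decodes the raw value of option 93 into architecture names from the table above and splits the raw value of option 82 into its RFC 3046 sub-options. The Cisco vlan-mod-port Circuit-ID layout assumed here (type 0, length 4, VLAN as 16 bits, module, port) and the Remote-ID layout (type 0, length 6, switch MAC) are assumptions of the example, not something the slides specify; anything that does not match falls back to hex, as a 3550 sending the ifIndex would. The sample values are constructed.

```python
"""Decode option 93 (client system architecture) and option 82 (relay agent
information) values.

Added example for the two slides above; not code from the talk, Satori or
PacketFence. Inputs are the raw option values (bytes after code and length),
constructed here. The Cisco vlan-mod-port and remote-id layouts are assumed.
"""
import struct

# RFC 4578 / slide 29: option 93 architecture codes.
ARCH = {0: "Intel x86PC", 1: "NEC/PC98", 2: "EFI Itanium", 3: "DEC Alpha",
        4: "Arc x86", 5: "Intel Lean Client", 6: "EFI IA32", 7: "EFI BC",
        8: "EFI Xscale", 9: "EFI x86-64"}

# RFC 3046 sub-option codes.
CIRCUIT_ID, REMOTE_ID = 1, 2


def client_arch(value: bytes) -> list:
    """Option 93 carries one or more 16-bit architecture codes."""
    if len(value) % 2:
        raise ValueError("option 93 length must be even")
    return [ARCH.get(code, "unknown(%d)" % code)
            for (code,) in struct.iter_unpack("!H", value)]


def parse_suboptions(value: bytes) -> dict:
    """Split an option 82 value into {sub-option code: bytes} (RFC 3046 figure)."""
    subs, i = {}, 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated sub-option %d" % code)
        subs[code] = data
        i += 2 + length
    return subs


def decode_cisco_circuit_id(data: bytes):
    """Assumed Cisco vlan-mod-port layout: 00 04 <vlan:2> <module:1> <port:1>."""
    if len(data) == 6 and data[:2] == b"\x00\x04":
        vlan, module, port = struct.unpack("!HBB", data[2:])
        return {"vlan": vlan, "module": module, "port": port}
    return None  # e.g. a 3550 sending the SNMP ifIndex instead


def relay_info(value: bytes) -> dict:
    """Decode what the relay agent tagged onto the packet."""
    subs = parse_suboptions(value)
    out = {}
    if CIRCUIT_ID in subs:
        raw = subs[CIRCUIT_ID]
        out["circuit_id"] = decode_cisco_circuit_id(raw) or raw.hex()
    if REMOTE_ID in subs:
        raw = subs[REMOTE_ID]
        # Assumed Cisco layout: 00 06 <switch MAC>; otherwise keep the hex.
        if len(raw) == 8 and raw[:2] == b"\x00\x06":
            out["remote_id"] = raw[2:].hex(":")
        else:
            out["remote_id"] = raw.hex()
    return out


# Constructed sample values (not captured).
SAMPLE_82 = bytes([1, 6, 0x00, 0x04, 0x00, 0x64, 0x01, 0x0c,              # circuit-id: VLAN 100, module 1, port 12
                   2, 8, 0x00, 0x06, 0x00, 0x1b, 0x54, 0xaa, 0xbb, 0xcc])  # remote-id: switch MAC
SAMPLE_93 = bytes([0x00, 0x00])                                           # Intel x86PC

if __name__ == "__main__":
    print(client_arch(SAMPLE_93))
    print(relay_info(SAMPLE_82))
```

Because the layout of both sub-options is vendor- and model-dependent, the decoder keeps the raw hex whenever the assumed structure does not fit rather than guessing; the switch identity and port are still usable as an opaque key for inventory even when they cannot be decoded.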

31 Use Cases
Targeted identification or enumeration
System inventory
NAC integration to enforce OS-based policy: PacketFence, Cisco NAC Appliance

32 Mitigation Strategies
Modify the default DHCP client so it sends a less distinctive option set (ISC dhclient: the "request" parameter in dhclient.conf; -R)
Keep IP segments as small as is reasonable, since a broadcast DISCOVER is visible to every host on the segment: a /24 segment = 254 hosts, a /20 segment = 4094 hosts
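As an added example of the first mitigation (not configuration from the talk or from PacketFence), the fragment below trims the ISC dhclient parameter request list, which is the source of the option 55 fingerprint. The file path is the usual one but is assumed; the `request` statement is standard dhclient.conf syntax.

```conf
# /etc/dhcp/dhclient.conf (ISC dhclient) - path assumed
#
# Default: dhclient asks for a long list of parameters, and that list (option 55)
# identifies it as an ISC client. Request only what the host actually uses.
request subnet-mask, routers, domain-name-servers;
```

Note the caveat: this changes the fingerprint rather than removing it. A short, unusual request list is itself distinctive, and the retransmission timing, IP TTL and remaining options still identify the client software; the goal is to stop matching the stock entry in a fingerprint repository, not to become invisible.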

33 Repository
Submit, search, and export DHCP fingerprints
169+ fingerprints collected, e.g. gaming consoles, DVRs, VoIP phones

34 Additional Links
Satori & DHCP Fingerprinting Whitepaper
PacketFence (and WRT54G tool)
Next Generation DHCP (SysAdmin, 02/2005)

35 Related Publications
'New scheme for passive OS fingerprinting using DHCP message', Joho Shori Gakkai Kenkyu Hokoku (IPSJ SIG Technical Reports), 02/2003
'Next Generation DHCP Deployments', SysAdmin Magazine, 02/2005

36 Other Implementations
RINGS project
RogueScanner (Network Chemistry)
DHCPListener
Dhcprint
Beacon (Great Bay)

37 Summary
DHCP is an accurate and overlooked source of fingerprinting data
Multiple methods available: option 55 is the most reliable; option 60 is the easiest (when accurate)
Many potential applications: NAC, asset inventory

38 Demo


