Using DHCP for Passive OS Identification
David LaPorte
Harvard University
Eric Kollmann
Boise State University
Who We Are
• David LaPorte
– Network Security Manager, Harvard University Network and Server Systems
– Co-developer of PacketFence, an open-source NAC solution
• Eric Kollmann
– Systems Engineer, Boise State University
– Developer of Satori, a Windows-based passive OS fingerprinting tool
Types of OS Fingerprinting
• Active
– Port interrogation
• nmap
• Passive
– traffic analysis
• P0f
• DHCP fingerprinting
Why DHCP is Unique
• Broadcast protocol
– Totally passive collection
• Most networks come with a built-in probe
– DHCP relay agents!
• Extremely accurate
DHCP Primer
• Dynamic Host Configuration Protocol
• Entirely client-driven (currently)
• Main types of packets
– DHCP Discover
– DHCP Offer
– DHCP Request
– DHCP Acknowledgement
– DHCP Information
– DHCP Release
DHCP Primer, contd.
• Relevant RFCs
– RFC 1541
– RFC 2131
• Added DHCPINFORM, extended vendor classes
– RFC 2132
• Vendor Extensions
– RFC 4361
• Option 61 updates
– RFC 4578
• PXE Boot Information
DHCP Primer, contd.
• Message exchange between the client, the selected server and a not-selected server (RFC 2131 timeline)
– Client begins initialization and broadcasts DHCPDISCOVER; both servers receive it
– Each server determines a configuration and answers with DHCPOFFER
– Client collects replies and selects a configuration
– Client broadcasts DHCPREQUEST; both servers see it
– Selected server commits the configuration and replies with DHCPACK
– Initialization complete
– On graceful shutdown the client sends DHCPRELEASE to the selected server
– Server discards the lease
Which ones are useful
• Discover, Request, Information
– All will help you identify the client OS; some are more useful than others
• Offer
– Useful in a SOHO environment
• Release
– Seen on a graceful shutdown on some OSes
Fingerprinting the hard way
• When there is no DHCP server responding
– DHCP retransmission timing
• How long does each OS wait between DHCP Discover packets before it sends another one?
• RFCs state they should wait 4, 8, 16, 32, up to 64 seconds, all +/- 1 second
• RFCs also state that the seconds field should not be set to a constant value
Fingerprinting the hard way, contd.
• Seconds Elapsed Field
Fingerprinting the hard way, contd.
• What it should look like
– RFCs state they should wait 4, 8, 16, 32, up to 64 seconds, all +/- 1 second
Fingerprinting the hard way, contd.
• Problem 1 – Incorrect time difference
• Problem 2 – Incorrect use of 'secs' field
– 1 second does not = 256
Fingerprinting the hard way, contd.
• Seconds Elapsed Field set to a constant
– RFCs state that the seconds field should not be set to a constant value
Fingerprinting the hard way, contd.
• Two overlapping attempts at the same time
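As an added example (not code from the slides, Satori or PacketFence), a small Python check that takes one client's DHCPDISCOVER retransmissions and reports the three behaviours the slides describe: whether the spacing follows the 4/8/16/32/64 s ramp, whether the secs field is byte-swapped (1 s carried as 0x0100 = 256), and whether it is stuck at a constant. The captures at the bottom are constructed.

```python
# Check one client's DHCPDISCOVER retransmissions against the RFC 2131 guidance
# the slides quote: delays of about 4, 8, 16, 32 then 64 s (+/- 1 s), and a
# 'secs' field that is neither constant nor byte-swapped (1 s showing as 256).
RFC_BACKOFF = [4, 8, 16, 32, 64]   # expected gaps between retransmissions (s)
TOLERANCE = 1.0                    # RFC 2131 randomises each delay by +/- 1 s

def analyze_discovers(discovers):
    """discovers: list of (capture_time_s, secs_field) for one client's
    DHCPDISCOVER packets in capture order. Returns the findings as a dict."""
    if not discovers:
        return {}
    times = [t for t, _ in discovers]
    secs = [s for _, s in discovers]
    deltas = [round(b - a, 3) for a, b in zip(times, times[1:])]
    expected = RFC_BACKOFF + [64] * max(0, len(deltas) - len(RFC_BACKOFF))
    # Problem 1 on the slides: spacing that does not follow the 4/8/16/32/64 ramp
    rfc_timing = all(abs(d - e) <= TOLERANCE for d, e in zip(deltas, expected))
    elapsed = [round(t - times[0]) for t in times]
    # Problem 2: secs sent with its two bytes swapped, so elapsed 1 s reads as 256
    swapped = [((e & 0xFF) << 8) | (e >> 8) for e in elapsed]
    byte_swapped = len(secs) > 1 and secs == swapped and max(secs) >= 256
    # A client that never updates secs at all (constant value)
    constant_secs = len(secs) > 1 and len(set(secs)) == 1
    return {
        "deltas": deltas,
        "rfc_timing": rfc_timing,
        "byte_swapped_secs": byte_swapped,
        "constant_secs": constant_secs,
    }

# Constructed captures: (seconds since first DISCOVER, value of the secs field)
COMPLIANT = [(0.0, 0), (4.3, 4), (12.1, 12), (27.9, 28), (60.5, 60)]
SWAPPED_SECS = [(0.0, 0), (4.0, 1024), (12.0, 3072), (28.0, 7168)]
CONSTANT_SECS = [(0.0, 0), (3.0, 0), (6.0, 0), (9.0, 0)]
```

Any combination of the three findings is a timing fingerprint in its own right; a client that passes all three still yields its retransmission deltas for comparison with a known table.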
IP TTL on DHCP Packets
• Provides a rough guide to OS
– Linux Group 1: TTL 16
– MS Windows 95: TTL 32
– Linux Group 2: TTL 64
– MS Windows >95: TTL 128
– Mac OS X: TTL 255
More with TTL and DHCP
• Typically, no guessing required
Issues with TTL with DHCP
• DHCP Relay
– Some Cisco devices will change the TTL to 255
– Some HP devices will leave the TTL field alone
Fingerprinting the easy way
• Using DHCP Options
– All of the options
– Option 55 (requested parameter list)
– Option 60 (vendor id)
– Option 61 (client id)
– Option 77 (user class information)
– Option 82 (relay agent information)
– Option 93 (client system architecture)
All of the Options
• Of limited use, but may get us to the “family” of the OS.
– 53, 61, 50, 54, 12, 55, 43
All of the Options, contd.
• Still can't be ruled out
– Some systems will not provide you with the other options that you want
• Windows 95 Discover
– Note that the hostname below is what we put in; the OS isn't nice enough to tell us this!
Option 55 - requested parameter list
• The easiest and most accurate way to identify a machine
Option 55, contd.
• Number and order of requested parameters forms a fingerprint
– e.g., MS Windows XP
1,15,3,6,44,46,47,31,33,249,43
1,15,3,6,44,46,47,31,33,249,43,252
1,15,3,6,44,46,47,31,33,249,43,252,12
15,3,6,44,46,47,31,33,249,43
15,3,6,44,46,47,31,33,249,43,252
15,3,6,44,46,47,31,33,249,43,252,12
28,2,3,15,6,12,44,47
– Apple iPhone
1,3,6,15,119,78,79,95,252
1,3,6,15,119,95,252,44,46,47
Option 60 - vendor id
• Vendor ID
– May be quite specific or very generic
– May even be misleading
Option 60, contd.
• Cisco VOIP devices
– Generic
• Cisco Systems, Inc. IP Phone
– Specific
• Cisco Systems, Inc. IP Phone 7905
• Cisco Systems, Inc. IP Phone 7912
• Cisco Systems, Inc. IP Phone CP-7960G
Option 60 (contd.)
• Some Linux distributions make it easy!
Option 61 - client id
• Client Identifier
– In most cases this will just be the MAC of the device, but, if you want to identify a MS RRAS server
Option 77 - user class information
• User Class Information
– Be careful with this one, it is user-defined!
– If you need to identify MS RRAS…
Option 93 – client system architecture
• PXE boot
• Determine the underlying hardware
– 0 Intel x86PC
– 1 NEC/PC98
– 2 EFI Itanium
– 3 DEC Alpha
– 4 Arc x86
– 5 Intel Lean Client
– 6 EFI IA32
– 7 EFI BC
– 8 EFI Xscale
– 9 EFI x86-64
Option 82 - relay agent information
• RFC 3046, DHCP Relay Agent Information Option
– Compatible devices “tag” DHCP packets with additional information
• What is included varies by vendor
• Exposes information about client or switch
– e.g., Cisco provides port, VLAN, and switch data. Data format is model-dependent

       Code   Len     Agent Information Field
      +------+------+------+------+------+------+--...-+------+
      |  82  |   N  |  i1  |  i2  |  i3  |  i4  |      |  iN  |
      +------+------+------+------+------+------+--...-+------+

      SubOpt  Len     Sub-option Value
      +------+------+------+------+------+------+--...-+------+
      |  1   |   N  |  s1  |  s2  |  s3  |  s4  |      |  sN  |
      +------+------+------+------+------+------+--...-+------+

      DHCP Agent
      Sub-option Code   Sub-Option Description
      ---------------   ---------------------------
            1           Agent Circuit ID Sub-option
            2           Agent Remote ID Sub-option
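As an added example (not code from the slides or from Satori/PacketFence) covering the Option 55, 60, 82 and 93 slides above: a Python parser for the RFC 2132 option area of a Discover/Request that pulls those four options, splits Option 82 into its RFC 3046 sub-options, and looks up the Option 55 list in a table built from the Windows XP and iPhone rows on the Option 55 slide. The sample packet bytes (including the "MSFT 5.0" vendor id and the relay sub-option values) are constructed.

```python
# Option 55 fingerprints (parameter request list, in order) quoted on the slides
FINGERPRINTS = {
    "1,15,3,6,44,46,47,31,33,249,43": "MS Windows XP",
    "1,15,3,6,44,46,47,31,33,249,43,252": "MS Windows XP",
    "1,3,6,15,119,78,79,95,252": "Apple iPhone",
}
def parse_options(data):
    """Parse the TLV option area into {code: bytes}; skips Pad (0), stops at End (255)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_relay_agent(value):
    """Split Option 82 into its RFC 3046 sub-options: 1 = Circuit ID, 2 = Remote ID."""
    subs, i = {}, 0
    while i + 1 < len(value):
        sub, length = value[i], value[i + 1]
        subs[sub] = value[i + 2:i + 2 + length]
        i += 2 + length
    return subs

def fingerprint(data):
    """Pull the fields the deck uses (55, 60, 82, 93) and look up Option 55."""
    opts = parse_options(data)
    prl = ",".join(str(b) for b in opts.get(55, b""))
    return {
        "option55": prl,
        "guess": FINGERPRINTS.get(prl, "unknown"),
        "vendor_id": opts.get(60, b"").decode("ascii", "replace"),
        "client_arch": int.from_bytes(opts[93], "big") if 93 in opts else None,
        "relay": parse_relay_agent(opts[82]) if 82 in opts else {},
    }

# Constructed sample: a Windows XP DISCOVER tagged by a relay (values made up)
SAMPLE = (
    bytes([60, 8]) + b"MSFT 5.0"                                  # vendor id
    + bytes([55, 11, 1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43])   # parameter list
    + bytes([82, 8, 1, 2, 0x00, 0x05, 2, 2, 0xAA, 0xBB])          # circuit/remote id
    + bytes([255])                                                # end
)
```

In a real capture the options start after the 4-byte magic cookie at offset 240 of the BOOTP payload, and the same Option 55 string is what gets submitted to or looked up in the fingerbank repository.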
Use Cases
• Targeted identification or enumeration
• System Inventory
• NAC integration to enforce OS-based policy
– PacketFence
– Cisco NAC Appliance
Mitigation Strategies
• Modify default DHCP client
• Keep IP segments as small as is reasonable
– /24 segment = 254 hosts
– /20 segment = 4094 hosts
Repository
• Submit, search, and export DHCP fingerprints
– 169+ fingerprints collected
– eg., gaming consoles, DVRs, VoIP phones
http://www.fingerbank.org
Additional Links
• Satori & DHCP Fingerprinting Whitepaper
– http://myweb.cableone.net/xnih
• PacketFence (and WRT54G tool)
– http://www.packetfence.org
• Next Generation DHCP (SysAdmin, 02/2005)
– http://insipid.com/NGDHCP.pdf
Related Publications
• 'New scheme for passive OS fingerprinting using DHCP message'
– Joho Shori Gakkai Kenkyu Hokoku, 02/2003
• 'Next Generation DHCP Deployments'
– SysAdmin Magazine, 02/2005
Other Implementations
• RINGS project
• RogueScanner (Network Chemistry)
• DHCPListener
• Dhcprint
• Beacon (Great Bay)
Summary
• DHCP is an accurate and overlooked source of
fingerprinting data
• Multiple methods available
– Option 55, most reliable
– Option 60, easiest (when accurate)
• Many potential applications
– NAC
– Asset inventory
Demo
Download