Using DHCP for Passive OS Identification - PowerPoint PPT Presentation

1 / 39

About This Presentation

Title:

Using DHCP for Passive OS Identification

Description:

Harvard University Network and Server Systems ... Apple iPhone. 1,3,6,15,119,78,79,95,252. 1,3,6,15,119,95,252,44,46,47. Option 60 - vendor id ... – PowerPoint PPT presentation

Number of Views:688

Avg rating:3.0/5.0

Slides: 40

Provided by: mywebCa

Category:

more less

Transcript and Presenter's Notes

Title: Using DHCP for Passive OS Identification

1
Using DHCP for Passive OS Identification

David LaPorteHarvard University
Eric KollmannBoise State University

2
Who We Are

David LaPorte
Network Security ManagerHarvard University
Network and Server Systems
Co-developer of PacketFence, an open-source NAC
solution
Eric Kollmann
Systems Engineer, Boise State University
Developer of Satori, a Windows-based passive OS
fingerprinting tool

3
Types of OS Fingerprinting

Active
Port interrogation
nmap
Passive
traffic analysis
P0f
DHCP fingerprinting

4
Why DHCP is Unique

Broadcast protocol
Totally passive collection
Most networks come with a built-in probe
DHCP relay agents!
Extremely accurate

5
DHCP Primer

Dynamic Host Configuration Protocol
Entirely client-driven (currently)
Main types of packets
DHCP Discover
DHCP Offer
DHCP Request
DHCP Acknowledgement
DHCP Information
DHCP Release

6
DHCP Primer, contd.

Relevant RFCs
RFC 1541
RFC 2131
Added DHCPINFORM, extended vendor classes
RFC 2132
Vendor Extensions
RFC 4361
Option 61 updates
RFC 4578
PXE Boot Information

7
DHCP Primer, contd.
Server Client
Server (not selected)
(selected) v
v v
Be
gins initialization

_____________/\____________
/DHCPDISCOVER DHCPDISCOVER
\
Determines
Determines configuration
configuration \
\
____________/
\________ /DHCPOFFER
DHCPOFFER\ /
\
Collects replies
\
Selects config
uration
____________
_/\____________ / DHCPREQU
EST DHCPREQUEST\

Commits configuration

___________
__/ / DHCPACK

Initialization
complete
.
. . .
. .

Graceful shutdown

\ ____________
DHCPRELEASE
\

Discards lease
v
v v
8
Which ones are useful

Discover, Request, Information
All will help you identify the client OS, some
are more useful than others
Offer
Useful in a SOHO environment
Release
Seen on a graceful shutdown on some OS's

9
Fingerprinting the hard way

When there is no DHCP Server responding
DHCP retransmission timing
How long does each OS wait between DHCP Discover
packets before it sends another one
RFC's state they should wait 4, 8, 16, 32, up to
64, all /- 1 second
RFC's also state that the seconds field should
not be set to a constant value

10
Fingerprinting the hard way, contd.

Seconds Elapsed Field

11
Fingerprinting the hard way, contd.

What it should look like
RFC's state they should wait 4, 8, 16, 32, up to
64, all /- 1 second

12
Fingerprinting the hard way, contd.

Problem 1 Incorrect time difference
Problem 2 Incorrect use of 'secs' field
1 Second does not 256

13
Fingerprinting the hard way, contd.

Seconds Elapsed Field set to a constant
RFC's state that the seconds field should not be
set to a constant value

14
Fingerprinting the hard way, contd.

Two overlapping attempts at the same time

15
IP TTL on DHCP Packets

Provides a rough guide to OS

16
More with TTL and DHCP

Typically, no guessing required

17
Issues with TTL with DHCP

DHCP Relay
Some Cisco devices will change the TTL to 255
Some HP devices will leave the TTL field alone

18
Fingerprinting the easy way

Using DHCP Options
All of the options
Option 55 (requested parameter list)?
Option 60 (vendor id)?
Option 61 (client id)?
Option 77 (user class information)?
Option 82 (relay agent information)?
Option 93 (client system architecture)?

19
All of the Options

Of limited use, but may get us to the family of
the OS.
53, 61, 50, 54, 12, 55, 43

20
All of the Options, contd.

Still can't be ruled out
Some systems will not provide you with other
options that you want
Windows 95 Discover
Note that hostname below is what we put in, the
OS isn't nice enough to tell us this!

21
Option 55 - requested parameter list

The easiest and most accurate way to identify a
machine

22
Option 55, contd.

Number and order of requested parameters forms a
fingerprint
eg.,

MS Windows XP
1,15,3,6,44,46,47,31,33,249,43
1,15,3,6,44,46,47,31,33,249,43,252
1,15,3,6,44,46,47,31,33,249,43,252,12
15,3,6,44,46,47,31,33,249,43 15,3,6,44,46,47,31,3
3,249,43,252 15,3,6,44,46,47,31,33,249,43,252,12
28,2,3,15,6,12,44,47
Apple iPhone
1,3,6,15,119,78,79,95,252 1,3,6,15,119,95,252,44,
46,47
23
Option 60 - vendor id

Vendor ID
May be quite specific or very generic
May even be misleading

24
Option 60, contd.
25
Option 60, contd.

Cisco VOIP devices
Generic
Cisco Systems, Inc. IP Phone
Specific
Cisco Systems, Inc. IP Phone 7905
Cisco Systems, Inc. IP Phone 7912
Cisco Systems, Inc. IP Phone CP-7960G

26
Option 60 (contd.)?

Some Linux distributions make it easy!

27
Option 61 - client id

Client Identifier
In most cases this will just be the MAC of the
device, but, if you want to identify a MS RRAS
server

28
Option 77 - user class information

User Class Information
Be careful with this one, it is user-defined!
If you need to identify MS RRAS

29
Option 93 client system architecture

PXE boot
Determine the underlying hardware

30
Option 82 - relay agent information

RFC 3046, DHCP Relay Agent Information Option
Compatible devices tag DHCP packet with
additional information
What is included is varies by vendor
Exposes information about client or switch
eg. Cisco provides port, vlan, and switch data.
Data format is model-dependent

Code Len Agent Information Field
--------------------------------------...-
------ 82 N i1 i2 i3 i4
iN ---------------------------
-----------...------- SubOpt Len Sub-o
ption Value -------------------------------
-------...------- 1 N s1 s2
s3 s4 sN ----------------
----------------------...-------
DHCP Agent Sub-Option Description
Sub-option Code --------------- -----------------
----- 1 Agent Circuit ID Sub-option
2 Agent Remote ID Sub-option
31
Use Cases