PaulDotCom mailing list archives
Re: spoofing another machine's fingerprints
From: Robin Wood <robin () digininja org>
Date: Mon, 2 Sep 2013 11:02:15 +0100
On 30 August 2013 15:18, Joshua Wright <jwright () hasborg com> wrote:
As I asked about recently, I'll soon be testing a NAC type device and so I was wondering, is there a tool which will let me watch a device then clone its network fingerprint? By fingerprint I mean things like network settings such as TTLs but also open ports (probably couldn't spoof the service but at least open the port).

I know there is a tool that is designed to fool attackers by having a list of different OS's and you choose which you want to pretend to be, but rather than pick from a list I want to be able to point it at another machine and say "clone that".

What do you do for IP? Do you work out what is on the network through passive observation and then pick something that looks appropriate?

Any other suggestions on testing/avoiding NAC? I've not tested with one in action before and don't have anything to practice against. This particular test is to see if it is doing its job properly so specifics on testing a NAC would be good.

When I'm testing a NAC system I connect with a standard Windows or OS X client first, and explore what's accessible, trying to identify the NAC vendor. From there I'll do some passive analysis, and try to determine if there are any exception policies applied (such as a rule for iPads not having to authenticate, etc.)
I already know the device, it is a Forescout CounterACT ( http://www.forescout.com/product/ ). They want to know from an almost black box situation what I can do with it then they will open it up and let me do a proper white box test on it - that is the current plan I think.
NAC vendors commonly perform OS fingerprinting to identify devices, and products like Cisco ISE use the fingerprints to apply rules to devices. They can't continually fingerprint the devices though, so they perform an initial analysis, and then subsequent analysis per the NAC configuration (IIRC, Cisco ISE's re-check interval has a minimum delay of 15 minutes, with a default of "check once"). I'll typically change my MAC to get another IP, and use Scapy to complete a 3-way handshake to any accessible host, just to trick the OS fingerprinting rule (Cisco ISE checks TCP option parameters including order of options, which is hard to spoof on Linux, and impossible on Windows, but Scapy does it just fine). Here is a sample script I have laying around:

#!/usr/bin/python
import random
import sys
from scapy.all import *

DSTIP = "10.10.10.110"  # Specify your target where NAC will observe it
# Pick the source port once: a bare RandNum is re-evaluated on every send(),
# which would give each packet of the handshake a different source port
SPORT = random.randint(1024, 65535)

ip = IP(dst=DSTIP, flags="DF", ttl=64)
# TCP options in exactly the order the fingerprinting engine will see them
tcpopt = [("MSS", 1460), ("NOP", None), ("WScale", 2), ("NOP", None), ("NOP", None),
          ("Timestamp", (123, 0)), ("SAckOK", ""), ("EOL", None)]

SYN = TCP(sport=SPORT, dport=80, flags="S", seq=10, window=0xffff, options=tcpopt)
SYNACK = sr1(ip/SYN, timeout=5)  # Send the packet and record the response as SYNACK
if SYNACK is None or not SYNACK.haslayer(TCP):
    sys.exit("no SYN/ACK received from %s:80" % DSTIP)
my_ack = SYNACK[TCP].seq + 1  # Use the SYN/ACK response to get initial seq. number

ACK = TCP(sport=SPORT, dport=80, flags="A", seq=11, ack=my_ack, window=0xffff)
send(ip/ACK)

data = ("GET / HTTP/1.1\r\nHost: " + DSTIP +
        "\r\nUser-Agent: Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 [...]\r\n\r\n").encode()
PUSH = TCP(sport=SPORT, dport=80, flags="PA", seq=11, ack=my_ack, window=0xffff)
send(ip/PUSH/Raw(load=data))

# Tear the session down; the RST carries the sequence number following the data just sent
RST = TCP(sport=SPORT, dport=80, flags="R", seq=11 + len(data), ack=0, window=0xffff)
send(ip/RST)
I'll give this a try. Do you know any lists of common settings, so if on the white box test they say they allow a particular device I could set the script up to pretend to be that? Would there be enough info in OSfuscate to set it up?
Before you use this script, make sure you apply an iptables rule to stop the Linux native stack from sending a TCP RST to the spoofed TCP SYN.
I might have to do this from a live CD as my primary OS is Win7 and I don't want that firing off traffic before I get a chance to do things with the Linux VM. I'll do a test with a USB NIC and see if Windows sends any traffic through that if it is attached to the VM before connecting to the network.
After I get some of this traffic through, I do some more testing to see what my connectivity looks like with netcat or manual Scapy connections.
Looks like I'm going to be learning some more Scapy, should be fun. Robin
HTH,
-Josh

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
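To make concrete what a fingerprinting engine of the kind Josh describes actually extracts from that handshake, here is an added example (not from the thread, and not any NAC vendor's code) that builds a raw IPv4/TCP SYN from constructed values and parses it into a p0f-style signature keyed on TTL, DF, window, MSS, window scale and, crucially, option order; the option layouts, addresses and signature format are my assumptions.

```python
import struct

# Option kinds a passive fingerprinter records (RFC 793 / 1323 / 2018 numbering)
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SAckOK", 8: "Timestamp"}

def build_syn(ttl, df, window, options):
    """Constructed sample: IPv4 + TCP SYN carrying the given option bytes; checksums left zero."""
    opts = options + b"\x00" * ((-len(options)) % 4)   # option field is padded to 32-bit words
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 10, 0, doff << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 10, 10, 50]), bytes([10, 10, 10, 110]))
    return ip + tcp

def parse_syn(pkt):
    """Pull out the fields a NAC/p0f-style engine keys on, preserving the option order."""
    tcp = pkt[(pkt[0] & 0x0F) * 4:]                     # skip the IPv4 header (IHL words)
    doff = (tcp[12] >> 4) * 4
    opts, i, order, mss, wscale = tcp[20:doff], 0, [], None, None
    while i < len(opts):
        kind = opts[i]
        order.append(OPT_NAMES.get(kind, "kind%d" % kind))
        if kind == 0: break                             # EOL terminates the list
        if kind == 1:                                   # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts): break  # malformed option: stop parsing
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = opts[i + 2]
        i += length
    return {"ttl": pkt[8], "df": bool(pkt[6] & 0x40), "window": struct.unpack("!H", tcp[14:16])[0],
            "mss": mss, "wscale": wscale, "options": order}

def signature(pkt):
    """ttl:df:window:mss:wscale:option-order, the shape p0f-like signatures take."""
    f = parse_syn(pkt)
    return "%d:%d:%d:%s:%s:%s" % (f["ttl"], f["df"], f["window"], f["mss"], f["wscale"], ",".join(f["options"]))

# Options in exactly the order the Scapy script above emits them (constructed bytes)
IPAD_LIKE_OPTS = (b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x02" b"\x01\x01"
                  b"\x08\x0a\x00\x00\x00\x7b\x00\x00\x00\x00" b"\x04\x02" b"\x00")
# Same MSS and window scale, but in the order a stock Linux stack sends them
LINUX_LIKE_OPTS = (b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a\x00\x00\x00\x7b\x00\x00\x00\x00"
                   b"\x01" b"\x03\x03\x02")
```

Running `signature()` over both constructed SYNs shows that identical MSS, scale and TTL still yield different signatures once option order is part of the key, which is why a native stack with patched values alone does not pass an order-sensitive check.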