Re: spoofing another machine's fingerprints

[Robin Wood <robin () digininja org>]

On 30 August 2013 15:18, Joshua Wright <jwright () hasborg com> wrote:

> > > As I asked about recently, I'll soon be testing a NAC type device and
> so I was wondering, is there a tool which will let me watch a device then
> clone its network fingerprint? By fingerprint I mean things like network
> settings such as TTLs but also open ports (probably couldn't spoof the
> service but at least open the port).
> > > I know there is a tool that is designed to fool attackers by having a
> list of different OS's and you chose which you want to pretend to be but
> rather than pick from a list I want to be able to point it at another
> machine and say "clone that".
> > What do you do for IP? Do you work out what is on the network through
> passive observation and then pick something that looks appropriate?
> > Any other suggestions on testing/avoiding NAC? I've not tested with one
> in action before and don't have anything to practice against. This
> particular test is to see if it is doing its job properly so specifics on
> testing a NAC would be good.
>
> When I'm testing a NAC system I connect with a standard Windows or OS X
> client first, and explore what's accessible, trying to identify the NAC
> vendor.  From there I'll do some passive analysis, and try to determine if
> there are any exception policies applied (such as a rule for iPad's not
> having to authenticate, etc.)
I already know the device, it is a Forescout CounterACT (
http://www.forescout.com/product/  ). They want to know from an almost
black box situation what I can do with it then they will open it up and let
me do a proper white box test on it - that is the current plan I think.


> NAC vendors commonly perform OS fingerprinting to identify devices, and
> products like Cisco ISE use the fingerprints to apply rules to devices.
>  They can't continually fingerprint the devices though, so they perform an
> initial analysis, and then subsequent analysis per the NAC configuration
> (IIRC, Cisco ISE's re-check interval has a minimum delay of 15 minutes,
> with a default of "check once").  I'll typically change my MAC to get
> another IP, and use Scapy to complete a 3-way handshake to any accessible
> host, just to trick the OS fingerprinting rule (Cisco ISE checks TCP option
> parameters including order of options, which is hard to spoof on Linux, and
> impossible on Windows, but Scapy does it just fine).  Here is a sample
> script I have laying around:
>
> #!/usr/bin/python
> from scapy.all import *
>
> DSTIP="10.10.10.110" # Specify your target where NAC will observe it
> SPORT=RandNum(1024,65535)
>
> ip=IP(dst=DSTIP, flags="DF", ttl=64)
> tcpopt = [ ("MSS",1460), ("NOP",None), ("WScale",2), ("NOP",None),
>     ("NOP",None), ("Timestamp",(123,0)), ("SAckOK",""), ("EOL",None) ]
> SYN=TCP(sport=SPORT, dport=80, flags="S", seq=10, window=0xffff,
> options=tcpopt)
> SYNACK=sr1(ip/SYN)       # Send the packet and record the response as
> SYNACK
>
> my_ack = SYNACK.seq + 1  # Use the SYN/ACK response to get initial seq.
> number
> ACK=TCP(sport=SPORT, dport=80, flags="A", seq=11, ack=my_ack,
> window=0xffff)
> send(ip/ACK)
>
> data = "GET / HTTP/1.1\r\nHost: " + DSTIP + "\r\nMozilla/5.0 (iPad; CPU OS
> 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1
> [...]\r\n\r\n"
> PUSH=TCP(sport=SPORT,dport=80, flags="PA", seq=11, ack=my_ack,
> window=0xffff)
> send(ip/PUSH/data)
>
> RST=TCP(sport=SPORT,dport=80, flags="R", seq=11, ack=0, window=0xffff)
> send(ip/RST)
I'll give this a try, do you know any lists of common settings so if on the
white box test they say they allow a particular device I could set the
script up to pretend to be that? Would there be enough info in OSfucate to
set it up?


> Before you use this script, make sure you apply an iptables rule to stop
> the Linux native stack from sending a TCP RST to the spoofed TCP SYN.

I might have to do this from a live CD as my primary OS is win7 and I don't
want that firing off traffic before I get chance to do things with the
Linux VM. I'll do a test with a USB NIC and see if Windows sends any
traffic through that if it is attached to the VM before connecting to the
network.


> After I get some of this traffic through, I do some more testing to see
> what my connectivity looks like with netcat or manual Scapy connections.
Looks like I'm going to be learning some more Scapy, should be fun.

Robin


> HTH,
>
> -Josh
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com