FingerBank - Open DHCP fingerprints database

Video in TIB AV-Portal: FingerBank - Open DHCP fingerprints database

Formal Metadata

Title
FingerBank - Open DHCP fingerprints database
Subtitle
no it's not about a bank of fingers...
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
The presentation will first take a step back and offer a basic reminder of what passive fingerprinting is and, more precisely, DHCP fingerprinting. Then we will offer defensive and offensive use cases for DHCP fingerprinting. Next, we will cover the goals and resources offered by the new project and some future plans. As part of the announcement, two large fingerprint databases will be made available (both of which were bundled in separate projects: PacketFence and Satori). We hope this new resource will increase the quality and breadth of current DHCP fingerprint databases and increase adoption of this reliable fingerprinting technique. Olivier Bilodeau is a System Architect at Inverse, developing PacketFence, an open source Network Access Control (NAC) software. He also lectures on system security at École de technologie supérieure University (ETS) in Montreal, Canada. His past experiences have taken him into dusty Unix server rooms, obfuscated Perl code and expensive enterprise networks. In his free time he enjoys several CTFs a year (with the CISSP Groupies and Amish Security teams), hacking Perl, doing open source development and brewing beer.

Hi everybody, I hope you're doing fine. I am. So I'm here to talk to you about a project that we've been thinking about for a little while at Inverse, where I work, and it's called FingerBank. So it's a DHCP fingerprint database. Ah, come on, my friends are making fun of me. So yeah, that's very funny, assholes. So I'm here to talk about that, and let's see how it goes. Today I'm going to first do reminders about device fingerprinting, passive fingerprinting, DHCP fingerprinting, then cover some defensive and offensive use cases, then announce, quote unquote, FingerBank and talk about what's next and what we are interested in doing in the future.

So who I am: I'm Olivier Bilodeau, I guess that would be a close English equivalent. I've been working on PacketFence since 2009 as a lead developer there. I'm also teaching infosec in Montreal to undergraduates, having a lot of fun doing that. I'm really an open source guy, so really into Android and Linux and stuff. I'm a new father, I brought my kid here, which is an odd choice in Vegas. It's really not that great actually, because she's crying all the time, she's seven months old, so, well, I wanted my family here, so here they are. This talk is implementing the "you drink" protocol, so if I say something obviously stupid you can interrupt me and I'll offer you a beer if you are smarter than me. And also during the Q&A we'll have beer for good questions. So here we go.

So device fingerprinting: what it does is that it identifies pieces of your software or hardware. You're probably familiar with p0f and stuff like that. So there are various types of it: operating systems, devices, browser, web server, web application. It's another type of signature, more or less, if you want. So, two approaches to gathering fingerprints: there's an active approach and a passive one. The active is that you are doing stuff, so it can be detected; it's more intrusive by nature because it's active, as opposed to the passive technique, where you only listen on the LAN or on a router in between the network. So it's really clear, active, passive, and what it means, so I guess I won't focus on that. But the two techniques are really completely separated, and some tools, well, most tools are focused on one approach, but there are new tools that are doing both. So SinFP is one of them: you can now feed it a pcap and it will do kind of a passive approach.

So why passive? Not why, but a reminder on passive fingerprinting. Networks are really, really noisy, you probably already know that. You open up tcpdump anywhere you go and there's always a lot of stuff going on, and a lot of it is broadcast, and you get all the broadcast traffic. Sometimes also you are in between, so you are the gateway, or you have a mirror port, and so you see all the stuff that's going on. The Wall of Sheep is a good example of that. So if you can sit at a spot like that and sniff traffic, then you will see a lot of stuff, and fingerprinting becomes really interesting because you'll be able to identify the operating systems of your guests, the browser versions, software and stuff like that. So on the LAN there is DHCP, which is a broadcast protocol that you can use for fingerprinting, talking about that in the next slide. There is multicast DNS, the iTunes stuff, all that stuff is very, very verbose, noisy, and helps you a lot in identifying the software or hardware that you're using. On the WAN, honeypots, you know, you could do fingerprinting with a honeypot and you'll see kind of the internet noise if you want, so it's possible to do that on the WAN also, passively, of course.

So DHCP fingerprinting, the meat of the matter. Okay, so DHCP is great networking-wise, it helps you, you know, be online easily, low maintenance and stuff. So it's broadcast based and it's on every LAN segment, so every VLAN if you want, and through time we found, well, people found a way to aggregate DHCP, for instance with IP helpers, sometimes called UDP helpers, so you don't have a DHCP server on every physical segment, which would mean a lot of costs. So because of that you use IP helpers, so your DHCP traffic is all aggregated upstream to a few servers, and this is kind of a nice feature, because all the information about what's going on, IP-based, is aggregated because of the IP helpers. So DHCP fingerprints, because of that, are easy to collect and rarely spoofed. Rarely spoofed, by that I mean if you are, let's say, a pen tester and you want to expose yourself as a voice over IP phone, for instance, well, not a lot of people know that and how to do that, so it's really, really rarely spoofed. And by that I mean I looked to do it, and I found no tools, no automated tools, to spoof DHCP fingerprints, and the only way I found to do it was modifying the dhclient configuration directly on Linux. So it's seriously, for now, pretty reliable. In the future probably there'll be tools, or people will kind of have a BackTrack mimic a Windows XP system, but right now you can spot BackTrack as an Ubuntu system with fingerprints.

So the fingerprinting again: the ways it is possible to fingerprint on DHCP, well, you could focus on the retransmission timing and all the timing stuff, on the TTL, so the IP TTL on the packets, sorry, but the greatest, well, what we've been using for PacketFence actually, is option 55, which is the parameter request list. So DHCP is kind of a key-value thing: you request a list of options and then the server sends you the values in it, and that's the two-way of the game, so the client and the server have this, you know, option and then parameter. And so option 55 is actually really, really interesting, because it's all the stuff that we use DHCP for and a lot of options that we don't use but they are still there. So there's an example in the next slide, but I mean hostname, domain name and stuff like that, it's all in there. So if you want more details on DHCP, there was a Black Hat Japan presentation which I built on for the FingerBank project that you can check. It's Eric Kollmann, a developer, who presented, and it's actually really nice, really detailed into the topic.

So here is the option 55 list. So we only focused on these, and with this option 55 only, so no other parameters, we have a database of 160 different OSes and devices, and it's kind of all blurry together nowadays, OS, device and stuff like that, so I usually say OS/devices. And this includes a lot of stuff, like scary stuff, I mean you've got the flu devices, you've got switches, and when I saw that I was asking myself who the hell runs DHCP on switches, you know, it should all be fixed IP things, but anyway, we got them, we have a lot of it. And so option 55, it's simply a list of the options, as you can probably see on the slide, like 1, 15, 3, 6, 44, and it's all because of the client, what they requested. Only that simple list helps us to uniquely identify a lot of stuff, like UPS devices, there's PXE stuff, thin clients, it's really like gaming consoles, smartphones, and we can spot Androids between each other, so we have like the HTC Android, Samsung Android. And so it's great, seriously, I was amazed by that, and that's the reason why we're presenting or proposing FingerBank, I guess, is that it's on every LAN, everyone has it, everyone has this resource that they can, you know, identify what's going on in the network with, but no one was really, you know, pushing it, or maybe it was all in proprietary stuff, and I don't use proprietary software, so I just don't know about it. But this is the big reason.

So on that, good, let's get into some use cases. Of course, I guess I am more into defensive stuff, but here we go. You can do really, really easily LAN operating system inventory, or even, you know, flagging people with Windows 95 and telling them, come on, get something serious please. So here is a screenshot of what we do with PacketFence: you see the last switch, last port, last VLAN. This is possible with DHCP option 82, which is implemented in Cisco switches; it's more or less reliable, but it still can help you. So it's kind of powerful to have the two of them blended in, because you will know for a host where it's located and, because of the FingerBank technology, if I may call it like that, know what OS it's running. So it's pretty powerful and interesting for network operators to know that. You can do firewall and access control integration to blacklist end-of-life stuff, for example, or even better, BackTrack or Linux if you want. So this is also pretty powerful, and we use that in PacketFence a lot to, you know, and this is like sliding to the next point, but we do that to automatically register voice over IP devices, or printers, so that the users don't have to do it themselves, which is, I know, a security problem, because we're relying on client-side stuff to actually behave on a network, but I mean it's a usability problem, you know, someone has a choice to make.

But so if you are a pen tester, then definitely, I mean, add to your toolkit, I would say, spoofing your DHCP option 55 list, because it makes the network part of the infrastructure behave differently based on what you are. So offensive use cases, obviously stealth LAN recon, so you can like sit there, hook up a device and then just sniff the traffic and see what's there. And I mean it's even better when you get a Windows 98 popping up and saying hey, I'm Windows 98 and I want an IP address, so now you only have to own it, like Metasploit and boom, it's done. So the clients, they come to you actually, in that case, you know, instead of you having to nmap the network and stuff. So this is, you know, a big one, it's really interesting. But afterwards I was trying to find other use cases, offensive use cases, and actually I guess someone will have to come up in the Q&A room and tell me other offensive use cases, I failed at that.

So why did we decide to push FingerBank? Because you saw it, it's so simple, this stuff, it's only a list of option numbers separated by commas, but I hate information hidden in silos, and we need to be together if you want to spot devices. We get a lot of fingerprints and we just can't cope with the flow, and they are all anonymous, so we can't, you know, ask back, or even if we do have the opportunity to ask back, people don't really know. You know, they run the software, it listens to everything, they don't even know the devices that are broadcasting on their network. So the project's goal is really about sharing it, talking about it, getting this out, and so this is why we're launching the website and the mailing list. Yeah, so raise awareness and stuff like that.

So what is it actually? It's pretty simple. We popped open a website and we decided to just output the signatures and the documentation and the mailing list. We're probably going to open an IRC channel too, but it's really links to the existing signatures, and we just packaged it in a nice roadmap, and then, based on the feedback of the community, I mean there's a lot of stuff we could do with DHCP fingerprinting, and based on who's interested, and we're anticipating pickup by, you know, the larger network vendors hopefully, and so with that there will definitely be more offensive tools focused on that, defensive tools too, and reporting and stuff, so we'll see how it goes.

So for now, who's backing it? The guy who wrote the paper, Eric Kollmann, wrote the DHCP fingerprint paper that was presented at Black Hat Japan. He's also started to write another one on DHCPv6, so it's interesting, I haven't read that yet, but he's really into it and a lot into passive fingerprinting. Dave LaPorte was PacketFence's original founder; I think he's working at Harvard on the network side. And ourselves, Inverse, who's sponsoring time and servers and stuff, not that much resources, but still, they're still paying me to do it, which is great, so they're backing it.

So what's the future of FingerBank? Well, again, we need, maybe, probably better tools to share, because a lot of them actually are close to each other when you look at the fingerprints, and so we would really need better tools to, you know, find the closest match and stuff like that. Also, right now the data formats: PacketFence uses a stupid INI file format type, and Satori, which is Eric Kollmann's tool, is using XML, so we want to consolidate, consolidate sorry, the formats and so, you know, have better reuse over there. And then, and this is the main focus, we really, really want a lot of mindshare around the fingerprints, so that when we get new obscure fingerprints, actually someone who will be subscribed will know about it and will be able to, you know, say oh, this is Intel when it's in a BIOS boot mode, it's actually doing DHCP and sending that. So there's a lot of obscure fingerprints that we'll need help on. That's pretty much it, and I hope you enjoyed it, and we'll see you in the debriefing room if you're into fingerprinting, I guess. Thank you.
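The talk's fingerprint is nothing more than the option codes a client lists in DHCP option 55, in order, joined by commas. The following is an added example, not code from the talk or from the FingerBank or PacketFence projects: it parses the options field of a DHCPDISCOVER, extracts that list, and looks it up in a constructed sample table (the labels are illustrative, not FingerBank's data); the packet builder and the MAC address in it are constructed for the demo.

```python
"""Option 55 (Parameter Request List) fingerprinting of a DHCP DISCOVER."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

# Constructed sample table (illustrative labels, not FingerBank's data):
# option-55 list as a comma-separated string -> device class
FINGERPRINTS = {
    "1,15,3,6,44,46,47,31,33,121,249,43": "Windows 7 family (sample entry)",
    "1,3,6,12,15,28,42": "Linux dhclient (sample entry)",
}

def parse_dhcp_options(payload):
    """Return {code: value} from a raw BOOTP/DHCP payload (the UDP data).
    Handles the 236-byte fixed header, the magic cookie, PAD (0), END (255)
    and truncated options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def option55_fingerprint(payload):
    """The fingerprint is the requested option codes, in order, comma-joined."""
    prl = parse_dhcp_options(payload).get(55)
    return ",".join(str(b) for b in prl) if prl else None

def classify(payload):
    fp = option55_fingerprint(payload)
    if fp is None:
        return "no option 55 present"
    return FINGERPRINTS.get(fp, "unknown fingerprint: " + fp)

def build_discover(prl, xid=0x3903F326):
    """Constructed DHCPDISCOVER carrying only the options this demo needs."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op..flags
    hdr += b"\x00" * 16                            # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("0011223344556677") + b"\x00" * 8  # chaddr, constructed MAC
    hdr += b"\x00" * 192                           # sname + file, unused here
    opts = MAGIC_COOKIE + b"\x35\x01\x01" + bytes([55, len(prl)]) + prl
    return hdr + opts + b"\xff"
```

Feeding `parse_dhcp_options` the UDP payload of a captured DISCOVER (for example from a pcap) gives the same table lookup without the constructed builder.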