25 November 2012

One Packet OS Fingerprinting And API Access Unveiled

The latest version of SinFP3 (v1.20, as of this writing) introduces two new cool features: the ability to perform a SYN scan and doing OS fingerprinting at the same time. The idea is to use SYN|ACK answers to the SYN scanning process to accurately identify the remote operating system nature. The second new feature is a server mode allowing third-party applications to access the SinFP3 fingerprinting engine. We also created a new output plugin to display results in a simpler manner than in previous versions of SinFP3.

One packet OS fingerprinting

If you don’t have installed SinFP3 yet, you can follow these guides:

Then, try to identify your target’s classic TOP10 open ports as follows. The -synscan-fingerprint is the new argument giving access to the feature, and the new default output plugin is the simple one:

# sinfp3.pl -synscan-fingerprint -target openbsd.org -port top10 -best-score
[+] [J:0] Loaded Input:  Net::SinFP3::Input::SynScan
[+] [J:0] Loaded DB:     Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode:   Net::SinFP3::Mode::Active
[+] [J:0] Loaded Search: Net::SinFP3::Search::Active
[+] [J:0] Loaded Output: Net::SinFP3::Output::Simple
[+] [J:0] Starting of Input [Net::SinFP3::Input::SynScan]
[+] [J:1] Starting of job with Next [199.185.137.3]:25 flags: 0x12
[+] [J:2] Starting of job with Next [199.185.137.3]:80 flags: 0x12
[199.185.137.3  ]:80     reverse: unknown  [ 94%: OpenBSD 4.x]
[199.185.137.3  ]:80     reverse: unknown  [ 94%: OpenBSD 3.x]
[199.185.137.3  ]:25     reverse: unknown  [100%: OpenBSD 4.x]
[199.185.137.3  ]:25     reverse: unknown  [100%: OpenBSD 3.x]

You can see that two open ports have been found, and the detected operating system (on a per open port basis) appears to be OpenBSD 3.x or 4.x.

You can still access the more verbose output by launching the fingerprinting process in full mode (2 packets for Internet fingerprinting with -active-2 parameter) and displaying results with the console output plugin with -output-console parameter:

# sinfp3.pl -active-2 -target openbsd.org -port top10 -best-score -output-console 
[+] [J:0] Loaded Input:  Net::SinFP3::Input::SynScan
[+] [J:0] Loaded DB:     Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode:   Net::SinFP3::Mode::Active
[+] [J:0] Loaded Search: Net::SinFP3::Search::Active
[+] [J:0] Loaded Output: Net::SinFP3::Output::Console
[+] [J:0] Starting of Input [Net::SinFP3::Input::SynScan]
[+] [J:1] Starting of job with Next [199.185.137.3]:25 hostname[openbsd.org] \ 
   reverse[unknown] mac[00:24:d4:ae:f4:3c]
[+] [J:2] Starting of job with Next [199.185.137.3]:80 hostname[openbsd.org] \ 
   reverse[unknown] mac[00:24:d4:ae:f4:3c]
Result for target [199.185.137.3]:80:
S1: B11113 F0x12 W16384 O0204ffff M1460 S0 L4
S2: B11113 F0x12 W16384 O0204ffff01010402010303ff0101080affffffff44454144 M1460 S3 L24
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.3
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.5
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.8
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.6
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.0
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.6
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.8
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.5
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.2
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.7
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.9
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.7
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.4
Result for target [199.185.137.3]:25:
S1: B11113 F0x12 W16384 O0204ffff M1460 S0 L4
S2: B11113 F0x12 W16384 O0204ffff01010402010303ff0101080affffffff44454144 M1460 S0 L24
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.3
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.5
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.8
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.6
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.0
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.6
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.8
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.5
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.2
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.7
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.9
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.7
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.4

SinFP3 API access with the SinFP3 network protocol

The second feature allows access to the SinFP3 server. The idea is to launch SinFP3 in daemon mode, and have a client/server communication protocol to “ask” the fingerprinting engine to perform actions. This protocol is described within an RFC, available here.

You can implement this protocol in any language you want, and you will be able to use the fingerprinting engine in whatever language you prefer. For now, a Perl version of the communication protocol exists: Net::Frame::Layer::SinFP3.

Here is how to launch the SinFP3 server:

% sinfp3.pl -input-server -output-client -passive -best-score
[+] [J:0] Loaded Input:  Net::SinFP3::Input::Server
[+] [J:0] Loaded DB:     Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode:   Net::SinFP3::Mode::Passive
[+] [J:0] Loaded Search: Net::SinFP3::Search::Passive
[+] [J:0] Loaded Output: Net::SinFP3::Output::Client
[+] [J:0] Starting of Input [Net::SinFP3::Input::Server]

The server is now listening on localhost with port 32000/TCP. An example client application is available in the examples/ directory of Net::SinFP3 distribution. For now, only the passive mode is implemented within the server. If there is some interest from the community, we will enhance it to give access to the active mode.

The example below is crafting a client request embedding a TCP SYN packet in raw format (sent by the sinfp3-request-passive-netcat.pl script). It is sent to the SinFP3 server which is configured in passive mode. Then, the reply is analyzed by sinfp3-decode-netcat.pl script and printed on standard output.

% perl examples/sinfp3-request-passive-netcat.pl | nc localhost 32000 | \ 
   perl examples/sinfp3-decode-netcat.pl
SinFP3: version:1  type:0x04  flags:0x0270
SinFP3: code:0x01  tlvCount:4  length:88
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:372e34 [7.4]
SinFP3::Tlv: type:0x26  length:3  value:372e78 [7.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:372e33 [7.3]
SinFP3::Tlv: type:0x26  length:3  value:372e78 [7.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:382e33 [8.3]
SinFP3::Tlv: type:0x26  length:3  value:382e78 [8.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]
SinFP3::Tlv: type:0x24  length:7  value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25  length:3  value:382e32 [8.2]
SinFP3::Tlv: type:0x26  length:3  value:382e78 [8.x]
SinFP3::Tlv: type:0x29  length:1  value:64 [100%]

On the server, a new job has been processed:

[+] [J:1] Starting of job with Next [127.0.0.1]:37125

That’s all for today, folks. Feel free to follow @metabrik for updates, or subscribe to SinFP mailing list:

SinFP mailing list

Full list of changes for v1.20

1.20 Sun Nov 25 14:44:37 CET 2012
   - NEW: Input::Server: runs as a daemon to answer requests coming from
          clients. They must speak the SinFP3 protocol.
   - NEW: Output::Simple: now default mode instead of Output::Console
   - NEW: Input::SynScan: can be used to fingerprint target by just using the
          SYN|ACK response to our SYN (one packet fingerprinting \o/)
   - UPDATE: verbose mode 1 is now default. Many updates on log messages
             levels.
   - NEW: sinfp3.pl: -synscan-fingerprint argument
   - new: sinfp3.pl: -version prints Perl modules version
   - new: sinfp3.pl: -quiet to set verbose level 0
   - new: sinfp3.pl: -passive to set to Mode::Passive and Search::Passive
                     plugins
   - new: integration of p0f-3.06b passive signatures into sinfp3.db
   - update: Input::Sniff: must use Net::Frame::Dump 1.12 now
   - bugfix: on -dns-reverse, moved to Search modules, when generating Results
   - bugfix: Search::Passive: sets ip and port attributes for Results
   - bugfix: Global: when -port argument has an invalid format
   - bugfix: sinfp3.pl: usage help

8 November 2012

Installation Guide For SinFP3 Under Debian/Ubuntu

Installation of SinFP3 under Debian/Ubuntu may be a bit tricky. They decided to rename one of the best low-level-hiding-thingy library initially called libdnet. Under these Linux distributions, the new name is libdumbnet. We will explain in this guide how to manually install SinFP3 on a fresh Debian/Ubuntu installation.

Note: Net::Libdnet is now part of Ubuntu. An easier guide to install SinFP3 is available.

Installing required C libraries and development headers

First things first, you have to install libpcap and libdnet libraries and headers. Other libraries and headers are also required, like libexpat.

# aptitude install libdumbnet1 libdumbnet-dev libpcap-dev libexpat-dev

Installing Net::Pcap and Net::Libdnet

Net::Pcap should be straightforward to install. For later use, you must also install Class::Gomor:

# aptitude install libnet-pcap-perl libclass-gomor-perl cpanminus

For Net::Libdnet, you have to do it manually:

# cd /tmp
# wget http://search.cpan.org/CPAN/authors/id/G/GO/GOMOR/Net-Libdnet-0.97.tar.gz
# tar zxvf Net-Libdnet-0.97.tar.gz
# cd Net-Libdnet-0.97
# patch -p0 < ubuntu-new.patch
# perl Makefile.PL && make && make test && make install
[..]
Installing /usr/local/bin/dnet.pl
Appending installation info to /usr/local/lib/perl/5.14.2/perllocal.pod

You should have a working installation of Net::Pcap and Net::Libdnet, the base tools on which SinFP3 relies on.

Finalizing the installation

You did the hard part, to finish it is just a matter of launching a single `cpan’ command. You can answer all prompts with the default value.

# cpanm Net::SinFP3
--> Working on Net::SinFP3
Fetching http://www.cpan.org/authors/id/G/GO/GOMOR/Net-SinFP3-1.20.tar.gz ... OK
Configuring Net-SinFP3-1.20 ... OK
Building and testing Net-SinFP3-1.20 ... OK
Successfully installed Net-SinFP3-1.20
1 distribution installed

You can now fire SinFP3 by using `sinfp3.pl’ command. Happy fingerprinting to you. Ah, don’t forget to update the database:

# sinfp3.pl -db-update -verbose 1

24 October 2012

Conference Hacklu SinFP3: More Than A Complete Framework For Operating System Fingerprinting

We presented SinFP3 at hack.lu on 23rd of october. hack.lu was held in Luxembourg, Luxembourg, with around 200 attendees.

What is SinFP3

SinFP3 is a complete framework for network discovery. Its main purpose is to perform active fingerprinting, but it can also do passive fingerprinting. Both modes are available over IPv4 and IPv6. This new version introduces a plugin-based architecture, allowing anyone to develop their own tools around the framework.

The most important plugins are Input and Output ones. They allow you to specify how you acquire your targets (for instance: from a CSV file, an XML file or a database, …) and how you display the results (for instance: to a file, to a database, …). The default way of acquiring a target is through the Input::SynScan module, and the default way of displaying results is by using the Output::Console module.

Of course, you have many other kinds of modules, read the slides to know more.

Presentation slides

Slides may be found at the following link:

SinFP3, hack.lu, v1.0 (PDF)

This presentation was shorter than the one made at EuSecWest and ekopary. If you want more complete slides, you can gather them here:

SinFP3, EuSecWest and ekoparty, v1.1 (PDF)

Installing the tool

You can get the tool either by installing it from CPAN usually by just running this command as root:

# cpan Net::SinFP3

Or by following instructions available on the blog:

SinFP3 operating system fingerprinting tool released

Getting support

SinFP3 has its own mailing list for support:

SinFP mailing list

1 October 2012

SinFP3 Research To Be Presented At Hacklu 2012

We will present operating system fingerprinting research at upcoming top security conference hack.lu 2012 in Luxembourg, Luxembourg (october 23rd to 25th 2012).

SinFP3 is a complete framework for network reconnaissance, with a primary focus on performing active and passive operating system fingerprinting. To have an overview of some features, see our blog post made as a teaser for conferences: Network vizualisation with SinFP3 and Ubigraph.

This presentation will be shorter than the one presented at ekoparty and EuSecWest. You can expect a new version release for this occasion.

24 September 2012

Conferences EuSecWest and ekoparty – SinFP3: More Than A Complete Framework For Operating System Fingerprinting

We presented SinFP3 at EuSecWest on 19th of september, then at ekoparty on 21st of september. EuSecWest was held in Amsterdam, Holland, with around 50 attendees; and ekoparty was held in Buenos Aires, Argentina, with around 1200 attendees.

What is SinFP3

Of course, you have many other kinds of modules, read the slides to know more.

Presentation slides

Slides may be found at the following link:

SinFP3, EuSecWest and ekoparty, v1.1 (PDF)

Installing the tool

You can get the tool either by installing it from CPAN usually by just running this command as root:

# cpan Net::SinFP3

Or by following instructions available on the blog:

SinFP3 operating system fingerprinting tool released

Getting support

SinFP3 has its own mailing list for support:

SinFP mailing list

21 September 2012

SinFP3 Operating System Fingerprinting Tool Released

SinFP3 is now available (mass press coverage wanted 😉 ). You can download
latest version from CPAN:

Net-SinFP3

First, you have to install C libraries (either manually or using your system package manager):

libpcap (with devel headers)
libdnet (with devel headers)

Then, you will have to install some Perl modules available on CPAN. Type the following as root, or use your system’s package manager.

# cpan Class::Gomor
# cpan DBD::SQLite
# cpan Digest::MD5
# cpan Net::Frame
# cpan Net::Frame::Device
# cpan Net::Frame::Dump
# cpan Net::Frame::Layer::IPv6
# cpan Net::Frame::Simple
# cpan Net::Libdnet
# cpan Net::Netmask
# cpan Net::Write
# cpan Net::Write::Fast
# cpan Parallel::ForkManager

Then, if all goes well, install Net::SinFP3:

# tar zxvf Net-SinFP3-X.YZ.tar.gz
# cd Net-SinFP3-X.YZ
# perl Makefile.PL
# make
# make test
# make install

You can find some support at the following mailing list:

SinFP mailing list

8 September 2012

SinFP3 Research To Be Presented At Ekoparty 2012 And EuSecWest 2012

We will present operating system fingerprinting research at upcoming top security conferences EuSecWest 2012 in Amsterdam, Holland (september 19th and 20th 2012), and at ekoparty 2012 in Buenos Aires, Argentina (september 19th, 20th and 21st 2012).

SinFP3 is a complete framework for network reconnaissance, with a primary focus on performing active and passive operating system fingerprinting. To have an overview of some features, see our blog post made as a teaser for these conferences: Network vizualisation with SinFP3 and Ubigraph.

The tool will be published during the conference. Stay tuned on twitter, follow @metabrik.

4 September 2012

Network Vizualisation With SinFP3 And Ubigraph

One of the module shipping with SinFP3 uses Ubigraph to display results in 3D. That’s not the 3D with red and blue glasses, it’s the classic 3D (or 3D CGI).

Output::Ubigraph plugin is a bit different than other plugins shipping with SinFP3: you cannot use it directly as an output module. You have to go through an intermediate step before being able to display the network vizualisation.

The problem comes from Ubigraph that attributes an ID to every created node. To create an edge between two nodes, you have to know their respective node IDs. But SinFP3 is stateless (as of now). Each fingerprinted target runs in a specific process, and if you render it in Ubigraph, you will not be able to create an edge with another fingerprinted target by lack of knowing the other node ID.

A solution I once came up with was to create a convertion routine from an IP/port address to an ID. But Ubigraph does not allow the end-user to access the full 32-bits range of IDs, and even so, you only addressed the IPv4 range (IPv6 would require potentially much more IDs). So, I decided to create an output module to perform an intermediate step: Output::CSV. From that, you can use this CSV file to feed the final Output::Ubigraph module. The following describes how to proceed.

Scan your target

As root. Default CSV file will be named sinfp3-output.csv in current directory. To give it a different name, you can use -csv-file FILENAME.

# sinfp3.pl -target 10.100.0.0/24 -port top10 -output-csv -verbose 1

Read CSV file and output to Ubigraph

You have to turn off every other modules, thus you use *-null plugin arguments.

$ cd ~/tools/UbiGraph-alpha-0.2.4-Linux32-Fedora-9 $ ./bin/ubigraph_server & $ sinfp3.pl -input-null -mode-null -search-null -db-null -output-ubigraph -csv-file sinfp3-output.csv

Another possible option is to save the fingerprinting output to pcap files. It’s easy with SinFP3:

# sinfp3.pl -target 10.100.0.0/24 -port top10 -output-pcap -verbose 1

Then, you can launch again the fingerprinting process by using the captured files, and save output as a CSV file:

$ sinfp3.pl -input-pcap -pcap-file 'sinfp4-*.pcap' -output-csv -csv-file pcap2csv.csv

And now, some screenshots

Each color corresponds to an operating system.

Yellow for MacOS
Violet for SunOS
Green for Linux (ecology?)
Red for BSD systems (because red is evil)
Blue for Windows (like the blue screen of death)

What is important to note, and that’s a real advantage of SinFP3 versus Nmap, each open port is fingerprinted. Thus, each open port on a target may have a different operating system (or color) displayed. This example spoke about IPv4, but you can do exactly the same with IPv6.

Metabrik

There is a Brik for that

One Packet OS Fingerprinting And API Access Unveiled