Shulou(Shulou.com)05/31 Report--

In this issue, the editor will bring you about the principle of Satori fingerprint identification and dhcp analysis. The article is rich in content and analyzed and described from a professional point of view. I hope you can get something after reading this article. Satori is a unique software in passive recognition, which is different from ettercap and other software, it specifically uses dhcp for recognition. This paper simply analyzes the identification mechanism of satori by testing and reading the source code, and interprets the paper of Satori developers in the last part.

After decompression, there are the following files

Among them, dhcp.xml and tcp.xml will be analyzed in detail below. P0f.fprecoverp0fa.fp is the same as p0f's fingerprint library, which can be understood a little, as shown below. P0f.fp is to analyze syn fingerprints.

P0fa.fp is to analyze the fingerprints of synack.

Run the test.

1and 149are both win7, but not very accurately identified because I added-d to my command, so I will print a fingerprint. I guess it is based on the received packet to compare the fingerprint database, and then give the result.

Take 192.168.96.1 as an example

[12] indicates that the weight that may belong to the system, the higher the value, the more likely it is that the number comes from the features and weights given in dhcp.xml. Find the fingerprint of vista in dhcp.xml.

Combined with the previous screenshot, the first one

With a weight of 5, the second item

With a weight of 5 and the third

, so 192.168.96.1 is the weight of vista is 12. Try windows2000 to verify the fingerprint of the conjecture Windows2000 as shown in the figure.

Of all its features, only match.

And

The weight adds up to 7. I tested another centos.

Satori didn't guess what system it might be. I manually matched it in the fingerprint database, and I couldn't find it.

Combined with bag capture analysis

Take 192.168.96.1 as an example, when probing, the output is

Corresponding to the first package of satori.pcap

The Option is the one in the fingerprint database that is hit by 53, 61, 12, 60, 55, 255 (at the end, negligible)

Option55 unfolds, respectively, in the fingerprint database hit by 1, 15, 3, 4, 4, 4, 46, 47, 31, 3, 121, 249, 43252.

Expand Option60 Vendorclass identifier to MSFT5.0

Hit the fingerprint database

So the weight of vista is 5 / 5 / 2 / 12 combined with DHCP protocol analysis: DHCP has a total of 8 kinds of messages, which are DHCPDiscover, DHCPOffer, DHCPRequest, DHCPACK, DHCPNAK, DHCPRelease, DHCPDecline and DHCPInform. The basic functions of various types of messages are as follows:

According to the traffic caught this time, there are three kinds of messages, which are DHCPRqeuest,DHCP ACK,DHCP Inform. Analyze only the option of DHCPInform

53 indicates the message type RFC2132 (https://tools.ietf.org/html/rfc2132?spm=a2c4e.11153940.blogcont491032.62.60a34540ToTPN5) can see that a type of 8 indicates inform

61 (RFC2132) is the client ID,DHCP client that uses this option to specify its unique identifier, which can include hardware type and hardware address

12 (RFC2132) indicates hostname and specifies the client name

60 is used to selectively identify the vendor type and configuration of DHCP clients

There is the following correspondence between MSFT5.0 windows dhcpcd4.0.1 Android 2.2 dhcpcd4.0.15 Android 3.0 dhcpcd-5.2.10 Android 4.0 dhcpcd-5.2.10:Linux-3.0.13:armv7l:MT6577 phone dhcpcd-5.5.6 Android 4.2 udhcp1.19.4 Polar routing or other router 55 values that are used to request specified configuration parameters. The requested parameter list is specified as n octets, where each octet is a valid DHCP option code defined in RFC2312

255 indicates the end of valid information

The developer of Satori wrote a paper about how to passively identify os fingerprints (http://chatteronthewire.org/papers.htm,chatter-dhcp.pdf) through dhcp packets. This part is my understanding of the notes based on paper: for passive fingerprint recognition, one of the advantages of DHCP is that it is a broadcast package, when a dhcp client wants to join. They send broadcasts to everyone (so the destination address in the packet caught by wireshark is 255.255.255.255). The author first introduces the most troublesome scheme: using the actual time of the packet shown in the capture, the difference between each DHCP packet, the type of packet, the value stored in the SecondsElapsed field and the TransactionID on the packet collection to distinguish the operating system, such as the comparison of windows95 and windows98 versions.

Then a simple scheme is introduced: to identify the operating system through options.

First of all, through option55 (the main scheme of Satori): use the parameters requested in option 55 and the order in which they are requested to identify the differences between versions of the operating system such as window.

Fedora and centos.

Because many of the underlying linux dhcp stacks are the same, as shown in the following figure

The use of option55 is not enough to identify, so for linux, the author proposes that it can be assisted by option51 (customer's desired lease time) and option57 (telling the DHCP server the size of DHCP packets it can accept). Then it introduces the use of other options assistance to identify the os option61, which can be used as a unique identifier to link the client to its lease and can be used to identify the MSRRAS server

The image above shows a MSRRAS Server,value equal to 01 + RAS +''+ MAC + 000000000000, while the picture below shows a Cisco device.

Option77 is user class information, which is usually used to help identify certain types of computers or user categories, such as the following figure

Then it introduces the distinction from PXEboot.

The related option includes: Option93, the architecture of the client system; the underlying hardware can be identified by option93

Option94, client network device interface

Finally, the author points out that lease information can be used to identify how many operating systems actually update their IP addresses when the lease expires and which wait until the next restart. Here are the systems that continue to use ip addresses

The following is the system that currently owns the address and then sends the dhcprenewel request

The above is the Satori fingerprint identification principle and dhcp analysis shared by the editor. If you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.