Roughly 6 months ago when I started a new position at my current company I was asked if I knew TCP/IP and OS Fingerprinting. I was quick to snap back “Sure, I was doing pen testing for 3 years before this, I got that down.” I tell ya what, I couldn’t have been more naive in that answer. My actual understanding of TCP/IP and OS Fingerprinting was subpar but I had no idea. Grasping those basics of SYN – SYN ACK – ACK was lame, as was running Nmap, xprobe, or any other automated fingerprinting utility. Granted, the knowledge I obtained from my last position doing pen testing helped me quite a bit in some of the stuff I’m doing these days. The bottom line however was, I didn’t know jACK!
Either way, in the last 6 months I’ve read RFC 793[1] and RFC 1180[2] about 10 times, RFC 1323[3] about 4 times, and multiple other TCP/IP related RFCs. I’ve read TCP/IP Illustrated a few times over as well. Each time I grasp a little more. At this point I think I have a fairly good understanding of TCP/IP and a hell of a lot more knowledge on Nmap OS Fingerprints. After all, at this point I’ve read all of Fyodor’s old Phrack articles, and can interpret an Nmap OS signature output and tell you what all the stuff means.
I’ve been absent from the blog over the last month because I’ve been fairly busy doing research into the internals of the BSD operating system and Mac OS X, embedded systems programming, debugging and analysis research, and learning the instruction set for PowerPC. If that weren’t enough, I also started up a new side company for personal finance; I’ve been trying to drive traffic towards that as well as write articles. If that wasn’t enough I also started back up on my graduate degree since I’m so close to the finish line. Which is where this post comes into play.
Last evening we were having a lecture about authentication mechanisms in wireless networks. One thing I really enjoy about this class is its divergence from the normal curriculum my college seems to have, which is either material from the prehistoric Internet ages, or solid theory. No, this course is different in the sense that it drives down into the RFCs. So as the professor was lecturing I began wondering how many vendors had bad implementations of authentication protocols. Last year there were a lot of kernel vulnerabilities that came out in client side wireless drivers but I didn’t recall seeing too many from the access point’s point of view. I started researching it a little and found there were a few things done but nothing that I saw having to do with the protocols I wanted to test vendor implementations on. The next step was packet crafting. Despite how many pursuits I have going I’m actually pretty lazy and I’m not about reinventing wheels. Talking with Tebo, he recalled Scapy[4] having some type of implementation for the protocol I was curious about. Running over and getting a feel for it… SCAPY KICKS ASS! You could really do some hard core OS Fingerprinting with this, fuzzing, you name it!
>>> ls()
ARP : ARP
ASN1_Packet : None
BOOTP : BOOTP
CookedLinux : cooked linux
DHCP : DHCP options
DNS : DNS
DNSQR : DNS Question Record
DNSRR : DNS Resource Record
Dot11 : 802.11
Dot11ATIM : 802.11 ATIM
Dot11AssoReq : 802.11 Association Request
Dot11AssoResp : 802.11 Association Response
Dot11Auth : 802.11 Authentication
Dot11Beacon : 802.11 Beacon
Dot11Deauth : 802.11 Deauthentication
Dot11Disas : 802.11 Disassociation
Dot11Elt : 802.11 Information Element
Dot11ProbeReq : 802.11 Probe Request
Dot11ProbeResp : 802.11 Probe Response
Dot11QoS : 802.11 QoS
Dot11ReassoReq : 802.11 Reassociation Request
Dot11ReassoResp : 802.11 Reassociation Response
Dot11WEP : 802.11 WEP packet
Dot1Q : 802.1Q
Dot3 : 802.3
EAP : EAP
EAPOL : EAPOL
Ether : Ethernet
GPRS : GPRSdummy
GRE : GRE
HCI_ACL_Hdr : HCI ACL header
HCI_Hdr : HCI header
HDLC : None
HSRP : HSRP
ICMP : ICMP
ICMPerror : ICMP in ICMP
IP : IP
IPerror : IP in ICMP
IPv6 : IPv6 not implemented here.
ISAKMP : ISAKMP
ISAKMP_class : None
ISAKMP_payload : ISAKMP payload
ISAKMP_payload_Hash : ISAKMP Hash
ISAKMP_payload_ID : ISAKMP Identification
ISAKMP_payload_KE : ISAKMP Key Exchange
ISAKMP_payload_Nonce : ISAKMP Nonce
ISAKMP_payload_Proposal : IKE proposal
ISAKMP_payload_SA : ISAKMP SA
ISAKMP_payload_Transform : IKE Transform
ISAKMP_payload_VendorID : ISAKMP Vendor ID
IrLAPCommand : IrDA Link Access Protocol Command
IrLAPHead : IrDA Link Access Protocol Header
IrLMP : IrDA Link Management Protocol
L2CAP_CmdHdr : L2CAP command header
L2CAP_CmdRej : L2CAP Command Rej
L2CAP_ConfReq : L2CAP Conf Req
L2CAP_ConfResp : L2CAP Conf Resp
L2CAP_ConnReq : L2CAP Conn Req
L2CAP_ConnResp : L2CAP Conn Resp
L2CAP_DisconnReq : L2CAP Disconn Req
L2CAP_DisconnResp : L2CAP Disconn Resp
L2CAP_Hdr : L2CAP header
L2CAP_InfoReq : L2CAP Info Req
L2CAP_InfoResp : L2CAP Info Resp
L2TP : None
LLC : LLC
MGCP : MGCP
MobileIP : Mobile IP (RFC3344)
MobileIPRRP : Mobile IP Registration Reply (RFC3344)
MobileIPRRQ : Mobile IP Registration Request (RFC3344)
MobileIPTunnelData : Mobile IP Tunnel Data Message (RFC3519)
NBNSNodeStatusResponse : NBNS Node Status Response
NBNSNodeStatusResponseEnd : NBNS Node Status Response
NBNSNodeStatusResponseService : NBNS Node Status Response Service
NBNSQueryRequest : NBNS query request
NBNSQueryResponse : NBNS query response
NBNSQueryResponseNegative : NBNS query response (negative)
NBNSRequest : NBNS request
NBNSWackResponse : NBNS Wait for Acknowledgement Response
NBTDatagram : NBT Datagram Packet
NBTSession : NBT Session Packet
NTP : NTP
NetBIOS_DS : NetBIOS datagram service
NetflowHeader : Netflow Header
NetflowHeaderV1 : Netflow Header V1
NetflowRecordV1 : Netflow Record
NoPayload : None
PPP : PPP Link Layer
PPP_ECP : None
PPP_ECP_Option : PPP ECP Option
PPP_IPCP : None
PPP_IPCP_Option : PPP IPCP Option
PPPoE : PPP over Ethernet
PPPoED : PPP over Ethernet Discovery
Packet : None
Padding : Padding
PrismHeader : Prism header
RIP : RIP header
RIPEntry : RIP entry
RTP : RTP
RadioTap : RadioTap dummy
Radius : Radius
Raw : Raw
SMBMailSlot : SMB Mail Slot Protocol
SMBNegociate_Protocol_Request_Header : SMBNegociate Protocol Request Header
SMBNegociate_Protocol_Request_Tail : SMB Negociate Protocol Request Tail
SMBNegociate_Protocol_Response_Advanced_Security : SMBNegociate Protocol Response Advanced Security
SMBNegociate_Protocol_Response_No_Security : SMBNegociate Protocol Response No Security
SMBNegociate_Protocol_Response_No_Security_No_Key : None
SMBNetlogon_Protocol_Response_Header : SMBNetlogon Protocol Response Header
SMBNetlogon_Protocol_Response_Tail_LM20 : SMB Netlogon Protocol Response Tail LM20
SMBNetlogon_Protocol_Response_Tail_SAM : SMB Netlogon Protocol Response Tail SAM
SMBSession_Setup_AndX_Request : Session Setup AndX Request
SMBSession_Setup_AndX_Response : Session Setup AndX Response
SNAP : SNAP
SNMP : None
SNMPbulk : None
SNMPget : None
SNMPinform : None
SNMPnext : None
SNMPresponse : None
SNMPset : None
SNMPtrapv1 : None
SNMPtrapv2 : None
SNMPvarbind : None
STP : Spanning Tree Protocol
SebekHead : Sebek header
SebekV1 : Sebek v1
SebekV2 : Sebek v3
SebekV2Sock : Sebek v2 socket
SebekV3 : Sebek v3
SebekV3Sock : Sebek v2 socket
Skinny : Skinny
TCP : TCP
TCPerror : TCP in ICMP
TFTP : TFTP opcode
TFTP_ACK : TFTP Ack
TFTP_DATA : TFTP Data
TFTP_ERROR : TFTP Error
TFTP_OACK : TFTP Option Ack
TFTP_Option : None
TFTP_Options : None
TFTP_RRQ : TFTP Read Request
TFTP_WRQ : TFTP Write Request
UDP : UDP
UDPerror : UDP in ICMP
X509Cert : None
X509RDN : None
X509v3Ext : None
_IPv6OptionHeader : IPv6 not implemented here.
I’ve been playing with it a little today doing some packet manipulation but I can’t wait to take it for a drive with some protocol fuzzing for some of the wireless stuff. I did notice there are a few people out there that have existing fuzz scripts that use Scapy, but I couldn’t seem to locate them. Anyway, it’s a far better learning experience when you play with it yourself versus using someone else’s scripts / fuzzers.
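To make concrete what the Dot11 / Dot11Auth layers in the ls() output above actually model, here is an added example (my own code, not from the post or from the Scapy project) that builds a raw 802.11 Authentication frame with only the Python standard library and then parses it back with strict length and type checks. The field layout (24-byte MAC header, then little-endian algorithm number, transaction sequence number and status code) is from IEEE 802.11; the function names, the constructed MAC addresses and the audit rules are my own. The point on the defensive side is the parser: a firmware that reads the six fixed bytes without first checking that the body is long enough is exactly the kind of implementation the fuzzing the post talks about would shake out, and this parser refuses such frames instead of reading past the end.

```python
import struct

# IEEE 802.11 constants: management frame (type 0), subtype 0xB = Authentication
FC_MGMT_AUTH = 0xB0          # frame control byte 0: subtype 0xB, type 0, version 0
MAC_HDR_LEN = 24             # FC(2) + Duration(2) + Addr1/2/3(6 each) + SeqCtrl(2)
AUTH_FIXED_LEN = 6           # algo(2) + seqnum(2) + status(2), all little-endian
AUTH_ALGO_NAMES = {0: "Open System", 1: "Shared Key"}
MAX_SEQNUM = {0: 2, 1: 4}    # Open System uses seq 1-2, Shared Key uses seq 1-4


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_auth_frame(dst, src, bssid, algo, seqnum, status, seq_ctrl=0, extra=b""):
    """Build a raw Authentication frame (what Dot11()/Dot11Auth() produce in Scapy).

    `extra` is appended after the fixed fields, e.g. a challenge-text IE
    or, when testing a parser, deliberately malformed bytes."""
    header = struct.pack("<BBH6s6s6sH", FC_MGMT_AUTH, 0, 0,
                         mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), seq_ctrl)
    body = struct.pack("<HHH", algo, seqnum, status)
    return header + body + extra


def parse_auth_frame(frame: bytes) -> dict:
    """Strict parser: raises ValueError instead of reading garbage on short frames."""
    if len(frame) < MAC_HDR_LEN:
        raise ValueError(f"frame is {len(frame)} bytes, shorter than the 802.11 MAC header")
    fc0, fc1, duration, a1, a2, a3, seq_ctrl = struct.unpack_from("<BBH6s6s6sH", frame, 0)
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype != 0xB:
        raise ValueError(f"not an Authentication frame (type={ftype}, subtype={subtype})")
    body = frame[MAC_HDR_LEN:]
    if len(body) < AUTH_FIXED_LEN:
        # This is the check a careless AP implementation skips before indexing the body.
        raise ValueError(f"authentication body truncated: {len(body)} bytes, need {AUTH_FIXED_LEN}")
    algo, seqnum, status = struct.unpack_from("<HHH", body, 0)
    return {
        "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
        "seq_ctrl": seq_ctrl,
        "algo": algo, "algo_name": AUTH_ALGO_NAMES.get(algo, "unknown"),
        "seqnum": seqnum, "status": status,
        "extra": body[AUTH_FIXED_LEN:],   # challenge text IE or trailing junk
    }


def audit_auth_frame(parsed: dict) -> list:
    """Flag values a well-behaved station or AP would never send (constructed rules)."""
    findings = []
    if parsed["algo"] not in AUTH_ALGO_NAMES:
        findings.append(f"unknown authentication algorithm {parsed['algo']}")
    else:
        limit = MAX_SEQNUM[parsed["algo"]]
        if not 1 <= parsed["seqnum"] <= limit:
            findings.append(f"transaction seqnum {parsed['seqnum']} out of range 1..{limit}")
    if parsed["seqnum"] % 2 == 1 and parsed["status"] != 0:
        findings.append("odd (request) transaction carries a non-zero status code")
    if parsed["algo"] == 0 and parsed["extra"]:
        findings.append(f"{len(parsed['extra'])} unexpected trailing bytes on Open System auth")
    return findings


if __name__ == "__main__":
    # Constructed addresses; STA 66:77:... authenticates to AP 00:11:... (Open System, seq 1)
    frame = build_auth_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                             "00:11:22:33:44:55", algo=0, seqnum=1, status=0)
    parsed = parse_auth_frame(frame)
    print(parsed["algo_name"], parsed["seqnum"], parsed["status"], audit_auth_frame(parsed))
```

A captured frame from a sniffer (with any Prism or RadioTap pseudo-header stripped first) can be fed straight to parse_auth_frame(); the same bytes could also be handed to Scapy for dissection if you want to compare the two views.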
[1] – http://www.faqs.org/rfcs/rfc793.html
[2] – http://www.faqs.org/rfcs/rfc1180.html
[3] – http://tools.ietf.org/html/rfc1323
[4] – http://www.secdev.org/projects/scapy/