Home page logo
/

pauldotcom logo PaulDotCom mailing list archives

Re: spoofing another machine's fingerprints
From: Charles Watathi <charleswatathi () gmail com>
Date: Fri, 30 Aug 2013 11:05:47 -0400

Dear Robin,

Personally I haven't tested a NAC environment but there are a few hints I
have got from @j0emccray. Get his talk "you spent all that money and still
got owned", he recommends get voip devices or printers. He used a tool vlan
to impersonate a voip device

In  "the evolution of pen testing high security environment" he says look
for a printer, printers and voip are usually excluded from the 802.1x
protocol.  print the default test page, you will get the mac and ip of the
printer. Spoof the mac.


On Fri, Aug 30, 2013 at 10:04 AM, Robin Wood <robin () digininja org> wrote:




On 30 August 2013 14:19, Joshua Wright <jwright () hasborg com> wrote:

Hi Robin,

On Aug 29, 2013, at 6:57 PM, Robin Wood <robin () digininja org> wrote:

As I asked about recently, I'll soon be testing a NAC type device and
so I was wondering, is there a tool which will let me watch a device then
clone its network fingerprint? By fingerprint I mean things like network
settings such as TTLs but also open ports (probably couldn't spoof the
service but at least open the port).

I know there is a tool that is designed to fool attackers by having a
list of different OS's and you chose which you want to pretend to be but
rather than pick from a list I want to be able to point it at another
machine and say "clone that".

I don't think that exists.  When I want to evade NAC systems, I usually
start with a Scapy-generated 3-way handshake that mimic's an iPad or other
device that I put together manually.


What do you do for IP? Do you work out what is on the network through
passive observation and then pick something that looks appropriate?

Any other suggestions on testing/avoiding NAC? I've not tested with one in
action before and don't have anything to practice against. This particular
test is to see if it is doing its job properly so specifics on testing a
NAC would be good.


If a tool doesn't exist, and I don't think it will, can someone remind
me of the name of the tool I described above and I'll have a look see if
that can be modified.

I think you mean OSFuscate by Irongeek:
http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools
.


Thats the one.

Robin


-Josh
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com




-- 
Regards
Charles Watathi
http://netsecuritystuff.wordpress.com<https://netsecuritystuff.wordpress.com/>
 <http://netsecuritystuff.blogspot.com>
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault