Home page logo

pauldotcom logo PaulDotCom mailing list archives

Re: spoofing another machine's fingerprints
From: Robin Wood <robin () digininja org>
Date: Mon, 2 Sep 2013 11:02:15 +0100

On 30 August 2013 15:18, Joshua Wright <jwright () hasborg com> wrote:

As I asked about recently, I'll soon be testing a NAC type device and
so I was wondering, is there a tool which will let me watch a device then
clone its network fingerprint? By fingerprint I mean things like network
settings such as TTLs but also open ports (probably couldn't spoof the
service but at least open the port).

I know there is a tool that is designed to fool attackers by having a
list of different OS's and you chose which you want to pretend to be but
rather than pick from a list I want to be able to point it at another
machine and say "clone that".

What do you do for IP? Do you work out what is on the network through
passive observation and then pick something that looks appropriate?

Any other suggestions on testing/avoiding NAC? I've not tested with one
in action before and don't have anything to practice against. This
particular test is to see if it is doing its job properly so specifics on
testing a NAC would be good.

When I'm testing a NAC system I connect with a standard Windows or OS X
client first, and explore what's accessible, trying to identify the NAC
vendor.  From there I'll do some passive analysis, and try to determine if
there are any exception policies applied (such as a rule for iPad's not
having to authenticate, etc.)

I already know the device, it is a Forescout CounterACT (
http://www.forescout.com/product/  ). They want to know from an almost
black box situation what I can do with it then they will open it up and let
me do a proper white box test on it - that is the current plan I think.

NAC vendors commonly perform OS fingerprinting to identify devices, and
products like Cisco ISE use the fingerprints to apply rules to devices.
 They can't continually fingerprint the devices though, so they perform an
initial analysis, and then subsequent analysis per the NAC configuration
(IIRC, Cisco ISE's re-check interval has a minimum delay of 15 minutes,
with a default of "check once").  I'll typically change my MAC to get
another IP, and use Scapy to complete a 3-way handshake to any accessible
host, just to trick the OS fingerprinting rule (Cisco ISE checks TCP option
parameters including order of options, which is hard to spoof on Linux, and
impossible on Windows, but Scapy does it just fine).  Here is a sample
script I have laying around:

from scapy.all import *

DSTIP="" # Specify your target where NAC will observe it

ip=IP(dst=DSTIP, flags="DF", ttl=64)
tcpopt = [ ("MSS",1460), ("NOP",None), ("WScale",2), ("NOP",None),
    ("NOP",None), ("Timestamp",(123,0)), ("SAckOK",""), ("EOL",None) ]
SYN=TCP(sport=SPORT, dport=80, flags="S", seq=10, window=0xffff,
SYNACK=sr1(ip/SYN)       # Send the packet and record the response as

my_ack = SYNACK.seq + 1  # Use the SYN/ACK response to get initial seq.
ACK=TCP(sport=SPORT, dport=80, flags="A", seq=11, ack=my_ack,

data = "GET / HTTP/1.1\r\nHost: " + DSTIP + "\r\nMozilla/5.0 (iPad; CPU OS
5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1
PUSH=TCP(sport=SPORT,dport=80, flags="PA", seq=11, ack=my_ack,

RST=TCP(sport=SPORT,dport=80, flags="R", seq=11, ack=0, window=0xffff)

I'll give this a try, do you know any lists of common settings so if on the
white box test they say they allow a particular device I could set the
script up to pretend to be that? Would there be enough info in OSfucate to
set it up?

Before you use this script, make sure you apply an iptables rule to stop
the Linux native stack from sending a TCP RST to the spoofed TCP SYN.

I might have to do this from a live CD as my primary OS is win7 and I don't
want that firing off traffic before I get chance to do things with the
Linux VM. I'll do a test with a USB NIC and see if Windows sends any
traffic through that if it is attached to the VM before connecting to the

After I get some of this traffic through, I do some more testing to see
what my connectivity looks like with netcat or manual Scapy connections.

Looks like I'm going to be learning some more Scapy, should be fun.



Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com

Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]