HostDevice Identification

Host/Device Identification

After the TCP and UDP ports have been cataloged on a range of targets, it is useful to further classify the types of devices and hosts by operating system and firmware type (for example, Windows, IOS, Linux, and so on). While some of the open ports may suggest one operating system over another, it always helps to conduct additional testing using techniques that corroborate our hypothesis.

Attack Stack Fingerprinting

Popularity:

5

Simplicity:

6

Impact:

5

Risk Rating:

5

A clever technique for further identifying the innards of a target host or device is stack fingerprinting (http://www. insecure .org/nmap/nmap-fingerprinting-article.html), which observes the unique idiosyncrasies present in most OSs and firmware when they respond to certain network requests .

Let's try using the built-in OS detection option -O within Nmap on the VoIP devices in our internal SIP test bed environment to see how accurate it is:

 [root@domain2 ~]# nmap -O -P0 192.168.1.1-254 Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-20 01:03 CST Interesting ports on 192.168.1.21: (The 1670 ports scanned but not shown below are in state: closed) PORT    STATE SERVICE 80/tcp  open  http 443/tcp open  https MAC Address: 00:04:13:24:23:8D (Snom Technology AG) Device type: general purpose Running: Linux 2.4.X2.5.X OS details: Linux 2.4.0 - 2.5.20 Uptime 0.264 days (since Sun Feb 19 18:43:56 2006) Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port Interesting ports on 192.168.1.22: (The 1671 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 23/tcp open  telnet MAC Address: 00:0F:34:11:80:45 (Cisco Systems) Device type: VoIP phone Running: Cisco embedded OS details: Cisco IP phone (POS3-04-3-00, PC030301) Interesting ports on 192.168.1.23: (The 1671 ports scanned but not shown below are in state: closed) PORT   STATE SERVICE 80/tcp open  http MAC Address: 00:15:62:86:BA:3E (Cisco Systems) Device type: VoIP phoneVoIP adapter Running: Cisco embedded OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter Interesting ports on 192.168.1.24: (The 1671 ports scanned but not shown below are in state: closed) PORT     STATE  SERVICE 80/tcp   open   http MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology) Device type: VoIP adapter Running: Sipura embedded OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway Interesting ports on 192.168.1.25: (The 1670 ports scanned but not shown below are in state: filtered) PORT     STATE  SERVICE 80/tcp   open   http 4144/tcp closed wincim MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks) No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: SInfo(V=4.01%P=i686-pc-linux-gnu%D=2/20%Tm=43F96A02%O=80%C=4144%M=000B82) TSeq(Class=TD%gcd=1%SI=1%IPID=I%TS=U) T1(Resp=Y%DF=Y%W=109%ACK=S++%Flags=AS%Ops=M) T2(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=) T2(Resp=Y%DF=Y%W=800%ACK=S++%Flags=AR%Ops=) T2(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=) T3(Resp=Y%DF=Y%W=109%ACK=S++%Flags=AS%Ops=M) T4(Resp=Y%DF=Y%W=400%ACK=S++%Flags=AR%Ops=) T5(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=) T5(Resp=Y%DF=Y%W=1000%ACK=S++%Flags=AR%Ops=) T5(Resp=Y%DF=Y%W=800%ACK=S++%Flags=AR%Ops=) T6(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=) T6(Resp=Y%DF=Y%W=400%ACK=S++%Flags=AR%Ops=) T7(Resp=Y%DF=Y%W=800%ACK=S++%Flags=AR%Ops=) T7(Resp=Y%DF=Y%W=400%ACK=S++%Flags=AR%Ops=) T7(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=) PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) Interesting ports on 192.168.1.27: (The 1670 ports scanned but not shown below are in state: closed) PORT     STATE SERVICE 80/tcp   open  http 5060/tcp open  sip MAC Address: 00:04:F2:03:15:46 (Polycom) Device type: X terminalload balancer Running: Neoware NetOS, HP embedded, Cisco embedded OS details: Cisco 11151/Arrowpoint 150 load balancer, Neoware (was HDS) NetOS V. 2.0.1 or HP Entria C3230A Interesting ports on 192.168.1.51: (The 1670 ports scanned but not shown below are in state: closed) PORT    STATE SERVICE 80/tcp  open  http 443/tcp open  https MAC Address: 00:04:13:23:34:95 (Snom Technology AG) Device type: general purpose Running: Linux 2.4.X2.5.X OS details: Linux 2.4.0 - 2.5.20 Uptime 0.265 days (since Sun Feb 19 18:43:55 2006) Interesting ports on 192.168.1.52: (The 1671 ports scanned but not shown below are in state: filtered) PORT   STATE SERVICE 23/tcp open  telnet MAC Address: 00:15:62:EA:69:E8 (Cisco Systems) Device type: VoIP phone Running: Cisco embedded OS details: Cisco IP phone (POS3-04-3-00, PC030301) Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1672 scanned ports on 192.168.1.53 are: closed MAC Address: 00:04:0D:50:40:B0 (Avaya) Too many fingerprints match this host to give specific OS details Interesting ports on 192.168.1.54: (The 1671 ports scanned but not shown below are in state: closed) PORT   STATE SERVICE 80/tcp open  http MAC Address: 00:0E:08:DA:24:AE (Sipura Technology) Device type: VoIP adapter Running: Sipura embedded OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1672 scanned ports on 192.168.1.55 are: closed MAC Address: 00:E0:11:03:03:97 (Uniden SAN Diego R&D Center) Aggressive OS guesses: NetJet Version 3.0 - 4.0 Printer (94%), Cray UNICOS/mk 8.6 (93%), Intel NetportExpress XL Print Server (93%), Kyocera IB-21 Printer NIC (93%), Kyocera Printer (network module IB-21E 1.3.x) (93%), OkiData 20nx printer with OkiLAN ethernet module (93%), Okidata 7200 Printer (93%), Okidata OKI C5100 Laser Printer (93%), Okidata OKI C7200 Printer (93%), Zebra Technologies TLP2844-Z printer (93%) No exact OS matches for host (test conditions non-ideal). Interesting ports on 192.168.1.56: (The 1669 ports scanned but not shown below are in state: closed) PORT     STATE SERVICE 135/tcp  open  msrpc 139/tcp  open  netbios-ssn 1005/tcp open  unknown MAC Address: 00:0D:61:0B:EA:36 (Giga-Byte Technology Co.) Device type: general purpose Running: Microsoft Windows 2003/.NETNT/2K/XP OS details: Microsoft Windows 2003 Server or XP SP2 Interesting ports on 192.168.1.57: (The 1670 ports scanned but not shown below are in state: closed) PORT     STATE SERVICE 80/tcp   open  http 5060/tcp open  sip MAC Address: 00:01:E1:02:C8:DB (Kinpo Electronics) No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: SInfo(V=4.01%P=i686-pc-linux-gnu%D=2/20%Tm=43F96A29%O=80%C=1%M=0001E1) TSeq(Class=TD%gcd=9C4%SI=0%IPID=I%TS=U) TSeq(Class=TD%gcd=9C4%SI=1%IPID=I%TS=U) TSeq(Class=TD%gcd=9C4%SI=0%IPID=I%TS=U) T1(Resp=Y%DF=N%W=578%ACK=S++%Flags=AS%Ops=M) T2(Resp=N) T3(Resp=Y%DF=N%W=578%ACK=S++%Flags=AS%Ops=M) T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=) T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=N) T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=F%UCK=E%ULEN=134%DAT=E) Interesting ports on 192.168.1.103: (The 1666 ports scanned but not shown below are in state: closed) PORT     STATE SERVICE 21/tcp   open  ftp 22/tcp   open  ssh 80/tcp   open  http 111/tcp  open  rpcbind 113/tcp  open  auth 3306/tcp open  mysql MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.) Device type: general purpose Running: Linux 2.4.X2.5.X OS details: Linux 2.4.0 - 2.5.20 Uptime 0.265 days (since Sun Feb 19 18:44:17 2006) Interesting ports on 192.168.1.104: (The 1669 ports scanned but not shown below are in state: closed) PORT     STATE SERVICE 22/tcp   open  ssh 111/tcp  open  rpcbind 5060/tcp open  sip Device type: general purpose Running: Linux 2.4.X2.5.X2.6.X OS details: Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10 Uptime 0.261 days (since Sun Feb 19 18:49:06 2006) Nmap finished: 84 IP addresses (14 hosts up) scanned in 77.843 seconds 

Not too shabby! By the time this book goes to press, hopefully a few of the unknown device fingerprints will have been included in the latest version of Nmap. We plan on contributing the OS fingerprints that are currently undetected in our continuous testing to the Nmap tool in order to give back to the community.

Nmap is simply one of several tools that analyze TCP, UDP, and ICMP protocol requests for OS and device identification. Other tools include Xprobe2 by Ofir Arkin (http://www.sys-security.org/index.php?page=xprobe), Queso by El Apostols (http://packetstormsecurity.org/UNIX/ scanners /queso-980922.tar.gz), and Snacktime by Tod Beardsley (http://www.planb-security.net/wp/snacktime.html) to name a few.

Countermeasurs Host/Device Identification Countermeasures

Unfortunately, there's no easy fix to prevent attackers from determining an OS or device based on network responses. Preventing ICMP, TCP, and UDP port scanning will likely make this task much more difficult for an attacker. However, because of the variety of other detection methods available, this will likely not act as an effective deterrent. Shutting down unnecessary ports on services and devices (WWW, FTP, telnet, and so on) is the best way to prevent information leakage about your VoIP deployment.



Hacking Exposed VoIP. Voice Over IP Security Secrets & Solutions
Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net