Punk Walrus
October 1st, 2003, 18:28
I always hear this is "easy to do," but I haven't found any useful documents online about it. Maybe I am not using the right keywords or looking in the right areas.

We have these proprietary routers (for security, I am not allowed to say in a public forum, but they are really rare, and I can't find any online stuff about them, and I suspect they are out of business) that use the MAC address and data we believe is OS Fingerprinting (according to its own manuals) for authentication of configuration changes. They are a BEAR to work with, very fussy, and if it weren't for the initial investment, and the pain and cost of replacement, they would have been history years ago. Right now, we have them connected to NT 4.0 stations which use their software running as a service. For a while, it was a mystery why this worked until I did some packet sniffing and looked at the manuals (which are ungodly huge 3-ring binders of info). It seems that they give a unique OS fingerprint (which nmap was unable to decode, but a dump showed every box had the same thing - a simple hex value), and are bound to the MAC address (which is explained, in detail and bad English, in the binders).

The NT 4.0 boxes are failing and for very complicated reasons I won't go into, we can't get a similar setup on a newer machine. To implement a newer Cisco-based system, it will cost our department about $200,000, and so a kind of "contest" has been set up to try and avoid that. Some of us are using Linux and OpenBSD, and in Linux, they use this command for the MAC:

ifconfig <interface> ether lladdr <MAC-address>

This doesn't work in OpenBSD, apparently. But there is something called sea.c that supposedly does. I found that file online, but I am not sure what to do with it. Do I compile it alone, or with something else?

For the OS Fingerprinting, I found the OpenBSD man pages on pf.os, but I am not clear on if this was just a way to tell OpenBSD about incoming fingerprints, or changing the fingerprint of OpenBSD's outgoing data.

It's probably a long shot, but the winner (if one appears by next fiscal year, 2004) gets 2 weeks free vacation.

frisco
October 1st, 2003, 18:41
This doesn't work in OpenBSD, apparently. But there is something called sea.c that supposedly does. I found that file online, but I am not sure what to do with it. Do I compile it alone, or with something else?

Read the comments in the sea.c source - it has instructions on how to compile it (pretty straightforward but requires one lib to be linked in). Then it's 'sea [if] [mac]' to run it.

As for making OpenBSD appear to be a different OS, I'm not sure about that. I do remember reading about a kernel module for Linux to do this, but don't remember what it was called.

Vile
October 2nd, 2003, 03:26
The openbsd pf os fingerprinting is a passive scanner. It requires you to make a connection to it which will then be able to (hopefully) tell you your OS and details about it.

Also, Fyodor of nmap has recently sent out 2 emails to the nmap-hackers list about lots of new upgrades. The first email covers the release of nmap version 3.45, which includes huge improvements in the OS detection; the second email is about including p0f passive fingerprinting in nmap, but changing it and making it a part of the active fingerprinting scan in nmap.
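As an added illustration of the passive role of pf.os described in the reply above (this is not part of the original thread, and neither poster wrote it): a pf.conf fragment that consumes the fingerprint classes pf assigns to incoming TCP SYNs. The interface name is an assumption; the class names used in the `os` keyword are the ones defined in /etc/pf.os, which `pfctl -s osfp` lists on a running system.

```pf
# Added example, not from this thread. Interface name is an assumption;
# the classes quoted after "os" must exist in /etc/pf.os (check with
# `pfctl -s osfp`).
ext_if = "em0"

# pf.os only labels the SYN that arrives on this host. It does not alter
# how OpenBSD's own outgoing packets look, so it cannot make this box
# "fingerprint" as something else to a remote device.

# Drop and log SYNs whose TCP options match the scanner signatures
# collected under the NMAP class. "quick" stops rule evaluation here,
# otherwise the later pass rule (last match wins in pf) would override it.
block in log quick on $ext_if proto tcp from any os "NMAP" to ($ext_if)

# Allow SSH from hosts whose SYN matches the OpenBSD class, logged so the
# classification can be reviewed later with tcpdump on pflog0.
pass in log on $ext_if proto tcp from any os "OpenBSD" to ($ext_if) port 22

# Any other source still reaches port 22, but is logged without a class
# restriction so unclassified fingerprints show up in the pflog records.
pass in log on $ext_if proto tcp from any to ($ext_if) port 22
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; the logged matches appear in the pflog0 capture, which is where the passive classification becomes visible.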