Hi everybody. I hope you're doing fine. I am. So I'm here to talk to you about a project that we've been thinking about for a little while at Inverse, where I work. It's called Fingerbank. So it's a DHCP fingerprint database. Come on. My friends are making fun of me. Yeah, that's very funny, assholes. So I'm here to talk about that, and let's see how it goes.

Today I'm going to first do reminders about device fingerprinting, passive fingerprinting and DHCP fingerprinting, then cover some defensive and offensive use cases, then announce, quote-unquote, Fingerbank, and talk about what's next and what we are interested in doing in the future.

So who I am: Olivier Bilodeau, I guess that would be a close English equivalent. I've been working on PacketFence since 2009 as a lead developer there. I'm also teaching InfoSec in Montreal to undergraduates, and having a lot of fun doing that. I'm really an open source guy, so really into Android and Linux and stuff. I'm a new father. I brought my kid here, which is an odd choice in Vegas. It's really not that great actually, because she's crying all the time; she's seven months old. Well, I wanted my family here, so here they are.

This talk is implementing the "you drink" protocol. So if I say something obviously stupid, you can interrupt me and I'll offer you a beer if you are smarter than me. Let's say it that way. And also during the Q&A, I'll have beer for good questions. So here we go.

So device fingerprinting: what it does is that it identifies pieces of your software or hardware. You're probably familiar with p0f and stuff like that. So there are various types of it: operating systems, devices, browser, web server, web application. It's another type of signature, more or less, if you want. So it's as easy as that. You know what, my tight, okay.

So there are two approaches to gathering fingerprints. There's an active approach and a passive one. The active one is that you are doing stuff, so it can be detected.
It's more intrusive by nature because it's active, as opposed to the passive technique, where you only listen on the LAN or on the router in between the networks. So it's really clear what active and passive mean, so I guess I won't focus on that. But the two techniques are really completely separate. And some tools, well, most tools are focused on one approach, but there are new tools that are doing both. SinFP is one of them. You can now feed it a PCAP and it will do kind of a passive approach, if you want.

So why passive, not why, but a reminder on passive fingerprinting. Networks are really, really noisy. You probably already know that. You open up a tcpdump anywhere you go and there's a lot of stuff going on. And a lot of it is broadcast, and you get all the broadcast traffic. Sometimes also you are in between, so you are the gateway or you have a mirror port, and so you see all the stuff that's going on. The Wall of Sheep is a good example of that. So if you can sit at a spot like that and sniff traffic, then you will see a lot of stuff, and fingerprinting becomes really interesting because you'll be able to identify the operating systems of your guests, the browsers, the versions of software and stuff like that.

So on the LAN there is DHCP, which is a broadcast protocol that you can use for fingerprinting; I'm talking about that in the next slide. There is multicast DNS, the iTunes stuff; all that stuff is very, very verbose and noisy and helps you a lot in identifying the software or hardware that's being used. On the LAN, a honeypot is kind of, you know, you could do fingerprinting with a honeypot and you'll see kind of the internet noise, if you want. So it's possible to do that on the LAN also, passively of course.

So DHCP fingerprinting, the meat of the matter. OK, so DHCP is a great network protocol. It helps you, you know, be online easily, low maintenance and stuff. So it's broadcast based and it's on every LAN segment, so every VLAN if you want.
And through time we found a way, well, people found a way to aggregate DHCP, for instance with IP helpers, sometimes called UDP helpers, so you don't have a DHCP server on every physical segment, which would mean a lot of cost. So because of that, you use IP helpers, and your DHCP traffic is all aggregated upstream to a few servers. And this is kind of a nice feature because, you know, all the information about what's going on IP-wise is aggregated because of the IP helpers.

So DHCP fingerprints, because of that, are easy to collect and rarely spoofed. By rarely spoofed I mean that if you are, let's say, a pentester and you want to expose yourself as a Voice over IP phone for instance, well, not a lot of people know that and know how to do that. So it's really, really rarely spoofed. And by that I mean I looked into doing it, and I found no tools, no automated tools, to spoof DHCP fingerprints. The only way I found to do it was modifying the dhclient configuration directly on Linux. So for now it's seriously pretty reliable. In the future there will probably be tools, or people will kind of have a BackTrack mimic a Windows XP system. But right now you can spot BackTrack as an Ubuntu system with fingerprints.

So the fingerprinting, again a reminder: what is it possible to fingerprint in DHCP? Well, you could focus on the retransmission timing and all the timing stuff, on the TTL, so the IP TTL on the packets, sorry. But the greatest one, well, what we've been using for PacketFence actually, is option 55, which is the parameters list. So DHCP is kind of a key-value thing: you request a list of options and then the server sends you the values for them. And that's the two-way game, so the client and the server have these options and parameters.
And so option 55 is actually really, really interesting because it's all the stuff that we use DHCP for, and a lot of options that we don't use but are still there. So there's an example on the next slide, but I mean host name, domain name and stuff like that is all in there. If you want more details on DHCP, there was a Black Hat Japan presentation, which I built on for the Fingerbank project, that you can check. It's Eric Kollmann and David LaPorte who presented, and it's actually really nice, really detailed on the topic.

So here is the option 55 list. So we only focused on these. And with this option 55 only, so no other parameters, we have a database of 160 different OSes and devices, and it's all kind of blurred together nowadays, OS, device and stuff like that. So I say OS slash devices, and this includes a lot of stuff, like scary stuff. I mean you've got the flu devices, you've got switches, and when I saw that I was asking myself who the hell runs DHCP on switches. They should be fixed IPs, but anyway, we've got them. We have a lot of it. So option 55 is simply a list of the options, as you can probably see on the slide. It is like 1, 15, 3, 6, 44, and it's all because of what the client requested. Only that simple list helps us uniquely identify a lot of stuff, like UPS devices, PXE stuff, thin clients; it's really like gaming consoles, smartphones, and we can tell Androids apart from each other. So we have the HTC Android, the Samsung Android, and so it's great, seriously. I was amazed by that, and that's the reason why we're presenting, or proposing, Fingerbank, I guess: it's on every LAN, everyone has it, everyone has this resource that they can use to identify what's going on in the network, but no one was really pushing it. Or maybe it was all in proprietary stuff, and I don't use proprietary software, so I just don't know about it. But this is the big reason.
Let's get into some use cases. Of course, I guess I'm into more defensive stuff, but here we go. You can really, really easily do a LAN operating system inventory, or even flag people with Windows 95 and tell them, hey, come on, get something serious please. So here is a screenshot of what we do in PacketFence. You see the last switch, last port, last VLAN; this is possible with DHCP option 82, which is implemented in Cisco switches. It's more or less reliable, but still it can help you, so it's kind of powerful to have the two of them blended in, because you will know for a host where it's located and, because of the Fingerbank technology, if I may call it like that, know what OS it's running. So it's pretty powerful and interesting for network operators to know that.

You can do firewall and network access control integration to blacklist end-of-life stuff, for example, or even better, BackTrack or Linux if you want. So this is also pretty powerful, and we use that in PacketFence a lot. This is like sliding to the next point, but we do that to automatically register Voice over IP devices or printers so that the users don't have to do it themselves. Which is, I know, a security problem, because we're relying on client-side stuff to actually behave on the network, but I mean it's a usability problem, you know; someone has a choice to make. So if you are a pentester, then definitely, I mean, add to your toolkit, I would say, spoofing your DHCP option 55 list, because it can make the network part of the infrastructure behave differently based on what you are.
So offensive use cases: obviously stealth LAN recon, so you can like sit there, hook up a device and then just sniff the traffic and see what's there. And I mean it's even better when you get Windows 98 popping up and saying, hey, I'm Windows 98 and I want an IP address. So now, I mean, you only have to own it and boom, it's done. So the clients, they come to you actually in that case, you know, instead of you having to nmap the network and stuff. So this is, you know, a big one; it's really interesting. But afterwards I was trying to find other use cases, offensive use cases, and actually I guess someone will have to come up in the Q&A room and tell me other offensive use cases. I failed at that.

So why did we decide to push Fingerbank? Because you saw it, it's so simple, this stuff; it's only a list of option numbers separated by commas. But I hate information hidden in silos, and we need to be together if you want to spot devices. We get a lot of fingerprints and we just can't cope with the flow, and they are all anonymous, so we can't, you know, ask back. Or even if we do ask back, let's say we have the opportunity to ask back, people don't really know; you know, they run the software, it listens to everything, and they don't even know the devices that are broadcasting on their network. So the project's goal is really about sharing it, talking about it, getting this out. And so this is why we were launching the website and the mailing list. Yeah, so raise awareness and stuff like that.

So what is it actually? It's pretty simple. We popped open a website and we decided to just output the signatures and the documentation and the mailing list. We're probably going to open an IRC channel too, but it's really links to the existing signatures, and we just packaged it in a nice format. And then, based on the feedback of the community, I mean, there's a lot of stuff we could do with DHCP fingerprinting, and based on who's interested, we're anticipating pickup by, you know, the larger network vendors,
hopefully. And so with that there will definitely be more offensive tools focused on that, defensive tools too, and reporting and stuff. So we'll see how it goes.

So for now, who's backing it? The guy who wrote the paper, Eric Kollmann, wrote the DHCP fingerprint paper that was presented at Black Hat Japan. He's also started to write another one on DHCP version 6, so it's interesting; I haven't read that yet, but he's really into it, and a lot into passive fingerprinting. David LaPorte was PacketFence's original founder; I think he's working at Harvard on their network. And ourselves, Inverse, who's sponsoring time and servers and stuff. Not that much resources, but still, they're still paying me to do it, which is great. So they're backing it.

So what's the future of Fingerbank? Well, again, we need maybe, probably, better tools to share, because a lot of them are actually close to each other when you look at the fingerprints, and so we would really need better tools to, you know, find the closest match and stuff like that. Also, right now the data formats: PacketFence uses a stupid INI file format type, and Satori, which was, which is Eric Kollmann's tool, is using XML. So we want to consolidate the formats and so, you know, have better reuse with that. And then we want, and this is the main focus, we really, really want a lot of mind share around the fingerprints, so that when we get new, obscure fingerprints, someone who is subscribed will actually know about it and will be able to, you know, say, oh hey, this is Intel when it's in a BIOS boot mode; it's actually doing DHCP and sending that. So there are a lot of obscure fingerprints that we'll need help on.

That's pretty much it. I hope you enjoyed it, and we'll see you in the DBRFingroom if you're into fingerprinting, I guess. Thank you.
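As an added example after the talk (my own code, not the speaker's and not part of PacketFence or Fingerbank): a small Python parser that walks the options field of a DHCP message, pulls out option 55 as the comma-separated list the talk describes, and looks it up in a lookup table. The DISCOVER packet, the table entries and their labels are all constructed for this example, not Fingerbank signature data.

```python
import struct
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 cookie that starts the options field
OPT_HOST_NAME, OPT_MSG_TYPE, OPT_PARAM_REQUEST_LIST = 12, 53, 55

def parse_dhcp_options(packet: bytes) -> dict:
    """Walk the TLV options of a BOOTP/DHCP payload (UDP port 67/68) into {code: bytes}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if code == 255:          # end marker
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = options.get(code, b"") + value   # RFC 3396: split options concatenate
        i += 2 + length
    return options

def dhcp_fingerprint(packet: bytes) -> str:
    """Option 55 (parameter request list) as the comma-separated string used as the signature."""
    prl = parse_dhcp_options(packet).get(OPT_PARAM_REQUEST_LIST, b"")
    return ",".join(str(code) for code in prl)

# Constructed lookup table for this example only; it is not Fingerbank's signature data.
SAMPLE_DB = {
    "1,15,3,6,44": "sample device A (constructed label)",
    "1,3,6,12,15,28,42": "sample device B (constructed label)",
}

def identify(packet: bytes, db: dict = SAMPLE_DB) -> tuple:
    """Return (fingerprint, label); unmatched packets and packets without option 55 are 'unknown'."""
    fp = dhcp_fingerprint(packet)
    return fp, (db.get(fp, "unknown") if fp else "unknown")

def build_discover(mac: bytes, prl: bytes, hostname: bytes = b"lab-host") -> bytes:
    """Constructed DHCPDISCOVER so the parser runs offline; in practice the bytes come off the wire."""
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0)
    header += mac.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128   # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, 1])                                 # message type: DISCOVER
    opts += bytes([OPT_PARAM_REQUEST_LIST, len(prl)]) + prl
    opts += bytes([OPT_HOST_NAME, len(hostname)]) + hostname + b"\x00" # trailing pad exercises parser
    return header + MAGIC_COOKIE + opts + b"\xff"
```

Call `identify(build_discover(b"\x00\x11\x22\x33\x44\x55", bytes([1, 15, 3, 6, 44])))` to see the fingerprint and label for the constructed packet; feeding it the payload of a real DISCOVER captured on a LAN works the same way.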