Passive Information Gathering in Network
With the spread of internet technology, systems constantly renew themselves and new ones emerge. The most common components placed around these systems are devices such as web servers, firewalls, web application firewalls, IPS devices and load balancers. In many organizations there is no direct access to the application servers; you are met by another device sitting in the middle. Knowing who the actors in a connection really are matters both during the information gathering phase of a penetration test and during forensic analysis of a compromised Linux or Windows system.
Some example scenarios:
When examining traffic generated on the local network, an organization may need to know which link type a host communicates over, which browser it uses, the type of server on the other end, how long the systems have been up, or which HTTP headers are sent during the connection.
Learning the characteristics of the systems on the corporate network that are exposed to the internet, as observed on outgoing internet connections.
When analyzing a compromised system, identifying the actors behind its network connections and the details they leak about themselves.
There are a number of tools that facilitate and simplify analysis in scenarios like these, and many of them are open source. This post explains how to perform this kind of analysis with a tool called p0f.
What is p0f?
p0f is a tool that identifies the parties to a TCP/IP connection from the options and quirks of their packets, using purely passive fingerprinting, without interfering with the connection in any way. Some of its features are as follows.
Highly scalable and extremely fast operating system identification
Measurement of system uptime, including systems behind NAT
Detection of load balancers, NAT devices and proxies working in front of the target systems
Detection of spoofed traffic and fake servers, etc.
How does it work?
p0f examines the IPv4 and IPv6 headers and the TCP headers of packets, in particular the information exchanged during the three-way handshake. In addition, it analyzes application-layer payloads (HTTP at present) using its own signature database, without sending a single packet of its own.
Features and Usage
You can download the current version of p0f from http://lcamtuf.coredump.cx/p0f3/.
After downloading, first extract the tar archive.
root@root:~/Desktop# tar -zxvf p0f-3.08b.tgz
p0f-3.08b/
p0f-3.08b/languages.h
p0f-3.08b/alloc-inl.h
p0f-3.08b/tools/
p0f-3.08b/tools/p0f-sendsyn6.c
…
….
Once the archive is extracted, run the build.sh script. All that needs to be done is to compile the application, and it can be run like this.
root@root:~/Desktop/p0f-3.08b# ./build.sh
Welcome to the build script for p0f 3.08b!
Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
[+] Configuring production build.
[*] Checking for a sane build environment... OK
[*] Checking for working GCC... OK
[*] Checking for *modern* GCC... OK
[*] Checking if memory alignment is required... no
[*] Checking for working libpcap... OK
[*] Checking for working BPF... OK
[+] Okay, you seem to be good to go. Fingers crossed!
[*] Compiling p0f... OK
Well, that's it. Be sure to review README. If you run into any problems, you
can reach the author at <lcamtuf@coredump.cx>.
The application is now ready. Its options can be viewed with the help output (./p0f -h).
Here are some of the frequently used ones.
-i iface - listen on the specified network interface
-r file - read offline pcap data from the given file
-p - put the listening interface in promiscuous mode
-L - list all available network interfaces
-o file - write the results to the specified log file
-d - fork into the background as a daemon (requires -o or -s)
In its most basic form p0f is simply started on the eth0 interface without any filter expression, and the logic of the application is easy to follow from its output. An example run is shown below. To exercise the tool, a web application was opened in a browser. The output shows the three-way handshake between the test machine and the target site that precedes the connection, and in the process reveals which operating system each side is running: the client's SYN and the server's SYN+ACK are both fingerprinted as Linux 3.x, and the dist value of 16 on the server side is p0f's estimate of how many hops the SYN+ACK travelled (observed TTL 48, assumed initial TTL 64).
root@host:~/Desktop/p0f-3.08b# ./p0f -i eth0
--- p0f 3.08b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
.-[ 192.168.0.24/41902 -> 192.99.12.218/80 (syn) ]-
|
| client   = 192.168.0.24/41902
| os       = Linux 3.x
| dist     = 0
| params   = generic
| raw_sig  = 4:64+0:0:1460:mss*10,10:mss,sok,ts,nop,ws:df,id+:0
|
`----
.-[ 192.168.0.24/41902 -> 192.99.12.218/80 (mtu) ]-
|
| client   = 192.168.0.24/41902
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----
.-[ 192.168.0.24/41902 -> 192.99.12.218/80 (syn+ack) ]-
|
| server   = 192.99.12.218/80
| os       = Linux 3.x
| dist     = 16
| params   = none
| raw_sig  = 4:48+16:0:1460:mss*10,9:mss,sok,ts,nop,ws:df:0
|
`----
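The raw_sig line is the part of this output worth being able to read yourself, because the os and dist values are derived from it. The decoder below is an example added here; it is not p0f's own code. It follows the signature layout documented in the p0f README (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass, with the TTL field written as observed+dist in live output), takes the two signatures from the output above, and reproduces the distance estimate: the server's SYN+ACK arrived with TTL 48, the nearest common initial TTL is 64, so p0f reports dist = 16. The quirk descriptions are taken from the README; the function and variable names are this example's own.

```python
# Decoder for the raw_sig field p0f prints for SYN and SYN+ACK packets.
# Added example, not part of p0f. Layout per the p0f README:
#   ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
# In live output the TTL field is "observed+dist" (e.g. "48+16"), where dist is
# p0f's estimate of the hop count between the sender and the sniffer.

COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# Meaning of the quirk tokens that appear on this page (and a few related ones),
# per the p0f README.
QUIRKS = {
    "df": "don't-fragment flag set",
    "id+": "DF set but IP ID field non-zero",
    "id-": "DF not set but IP ID field zero",
    "ecn": "explicit congestion notification support",
    "seq-": "sequence number is zero",
    "ts1-": "own timestamp is zero",
    "ts2+": "non-zero peer timestamp on initial SYN",
    "exws": "excessive window scaling factor",
    "bad": "malformed TCP options",
}

# The two signatures from the p0f output above.
CLIENT_SYN = "4:64+0:0:1460:mss*10,10:mss,sok,ts,nop,ws:df,id+:0"
SERVER_SYNACK = "4:48+16:0:1460:mss*10,9:mss,sok,ts,nop,ws:df:0"


def guess_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed TTL (the rule p0f uses)."""
    for ittl in COMMON_INITIAL_TTLS:
        if observed_ttl <= ittl:
            return ittl
    return 255


def window_size(wsize_expr, mss):
    """Turn p0f's window expression into a byte count where that is possible."""
    if wsize_expr == "*":
        return None                        # wildcard, only used in .fp signatures
    if wsize_expr.startswith("mss*"):
        if mss is None:
            return None
        return int(wsize_expr[4:]) * mss   # window is a multiple of the MSS
    if wsize_expr.startswith("mtu*") or wsize_expr.startswith("%"):
        return None                        # needs the MTU, or is a modulo pattern
    return int(wsize_expr)                 # literal window size


def parse_raw_sig(raw_sig):
    """Split a raw_sig string into its named components."""
    fields = raw_sig.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields, got %d" % len(fields))
    ver, ttl, olen, mss, wsize_scale, olayout, quirks, pclass = fields

    if "+" in ttl:
        observed_ttl, dist = (int(x) for x in ttl.split("+"))
    else:                                  # .fp signatures carry only the initial TTL
        observed_ttl, dist = int(ttl), 0
    mss_value = None if mss == "*" else int(mss)
    wsize_expr, scale = wsize_scale.split(",")
    quirk_list = [q for q in quirks.split(",") if q]

    return {
        "ip_version": int(ver),
        "observed_ttl": observed_ttl,
        "dist": dist,
        "initial_ttl": observed_ttl + dist,
        "ip_opt_len": int(olen),
        "mss": mss_value,
        "window": window_size(wsize_expr, mss_value),
        "wscale": None if scale == "*" else int(scale),
        "options": olayout.split(","),     # TCP option layout, in wire order
        "quirks": quirk_list,
        "quirk_meanings": [QUIRKS.get(q, "unknown quirk") for q in quirk_list],
        "payload_class": pclass,           # "0" = no payload, "+" = payload present
    }


def distance_consistent(sig):
    """Check that dist equals (nearest common initial TTL - observed TTL)."""
    return guess_initial_ttl(sig["observed_ttl"]) - sig["observed_ttl"] == sig["dist"]


if __name__ == "__main__":
    for label, raw in (("client SYN", CLIENT_SYN), ("server SYN+ACK", SERVER_SYNACK)):
        sig = parse_raw_sig(raw)
        print("%s: ittl=%d dist=%d window=%s wscale=%s options=%s quirks=%s" % (
            label, sig["initial_ttl"], sig["dist"], sig["window"], sig["wscale"],
            ",".join(sig["options"]), ",".join(sig["quirk_meanings"])))
```

Reading the client signature this way shows why both sides match the same generic Linux 3.x entry: the option layout mss,sok,ts,nop,ws and a window of 10 times the MSS (14600 bytes) are what the Linux 3.x signature in p0f.fp describes, while the window scale (10 versus 9) is left as a wildcard in that signature.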
Looking at the continuation of the same session, the HTTP request made to the target site is reported by p0f as follows. Here the address of the requesting machine, the browser identified from the request headers, and basic HTTP header information are shown.
.-[ 192.168.0.24/41902 -> 192.99.12.218/80 (http request) ]-
|
| client   = 192.168.0.24/41902
| app      = Firefox 10.x or newer
| lang     = English
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],?Cookie,Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
|
`----
In an established TCP connection p0f fingerprints not only the originating machine but also the server side of the target application. For example, when a request made to bga.com.tr is examined with p0f, the server software of the target application is reported as below.
.-[ 192.168.0.27/45954 -> 50.22.202.163/80 (http response) ]-
|
| server   = 50.22.202.163/80
| app      = Apache 2.x
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,?Location,?Content-Length,Keep-Alive=[timeout=5, max=100],Connection=[Keep-Alive],Content-Type:Accept-Ranges:Apache
|
`----
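For the forensic scenarios mentioned at the start of this post it is more practical to let p0f write its results with -o and process the log file afterwards. The script below is an example added here, not p0f's own code. It parses the key=value log format described in the p0f README (a timestamp in brackets, then fields separated by "|") into a per-host inventory, and flags addresses that show more than one operating system fingerprint, which is the kind of evidence p0f itself uses to detect NAT devices and proxies. The log lines are a constructed sample modelled on the session above, with one extra SYN added to show the NAT check; they are not a real capture, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of a p0f -o log (line layout per the p0f README). The
# addresses and fingerprints mirror the session shown above; the last line is an
# added SYN from the same client address with a Windows fingerprint.
SAMPLE_LOG = """\
[2013/10/01 12:00:01] mod=syn|cli=192.168.0.24/41902|srv=192.99.12.218/80|subj=cli|os=Linux 3.x|dist=0|params=generic|raw_sig=4:64+0:0:1460:mss*10,10:mss,sok,ts,nop,ws:df,id+:0
[2013/10/01 12:00:01] mod=mtu|cli=192.168.0.24/41902|srv=192.99.12.218/80|subj=cli|link=Ethernet or modem|raw_mtu=1500
[2013/10/01 12:00:01] mod=syn+ack|cli=192.168.0.24/41902|srv=192.99.12.218/80|subj=srv|os=Linux 3.x|dist=16|params=none|raw_sig=4:48+16:0:1460:mss*10,9:mss,sok,ts,nop,ws:df:0
[2013/10/01 12:00:02] mod=http request|cli=192.168.0.24/41902|srv=192.99.12.218/80|subj=cli|app=Firefox 10.x or newer|lang=English|params=none|raw_sig=1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],?Cookie,Connection=[keep-alive]:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
[2013/10/01 12:00:02] mod=http response|cli=192.168.0.24/41902|srv=192.99.12.218/80|subj=srv|app=Apache 2.x|lang=none|params=none|raw_sig=1:Date,Server,?Location,?Content-Length,Keep-Alive=[timeout=5, max=100],Connection=[Keep-Alive],Content-Type:Accept-Ranges:Apache
[2013/10/01 12:00:05] mod=syn|cli=192.168.0.24/41903|srv=192.99.12.218/80|subj=cli|os=Windows 7 or 8|dist=0|params=none|raw_sig=4:128+0:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0
"""

LINE_RE = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<fields>.*)$")


def parse_line(line):
    """One log line -> dict of its fields, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"time": m.group("time")}
    for field in m.group("fields").split("|"):
        key, _, value = field.partition("=")   # raw_sig values contain '=' as well
        rec[key] = value
    return rec


def build_inventory(log_text):
    """Group fingerprints by host address; subj says which endpoint a record describes."""
    inv = defaultdict(lambda: {"roles": set(), "os": set(), "apps": set(),
                               "links": set(), "dist": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        endpoint = rec["cli"] if rec["subj"] == "cli" else rec["srv"]
        host = endpoint.rsplit("/", 1)[0]      # strip the port, works for IPv6 too
        entry = inv[host]
        entry["roles"].add("client" if rec["subj"] == "cli" else "server")
        mod = rec["mod"]
        if mod in ("syn", "syn+ack"):
            entry["os"].add(rec["os"])
            entry["dist"].add(int(rec["dist"]))
        elif mod == "mtu":
            entry["links"].add(rec["link"])
        elif mod in ("http request", "http response"):
            entry["apps"].add(rec["app"])
    # Sorted lists make the result deterministic and easy to print or diff.
    return {h: {k: sorted(v) for k, v in e.items()} for h, e in inv.items()}


def suspected_nat(inventory):
    """Addresses seen with more than one OS fingerprint: likely NAT or a proxy."""
    return sorted(h for h, e in inventory.items() if len(e["os"]) > 1)


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_LOG)
    for host, entry in sorted(inventory.items()):
        print(host, entry)
    print("possible NAT/proxy:", suspected_nat(inventory))
```

On the sample, 192.168.0.24 is recorded as a client with both a Linux 3.x and a Windows 7 or 8 fingerprint within a few seconds, which is the signature of several machines sharing one address rather than one host changing its TCP stack; 192.99.12.218 is a server 16 hops away running Linux 3.x and Apache 2.x.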
If you want to try the tool online, you can visit http://lcamtuf.coredump.cx/p0f3/. When you open the page, it displays p0f's fingerprint of the machine you are connecting from.
Read the README (http://lcamtuf.coredump.cx/p0f3/README) to learn about the application's other capabilities, such as the API access and the details of NAT detection.