DHCP Fingerprinting
David Westcott
CONFIDENTIAL © Copyright 2011. Aruba Networks, Inc. All rights reserved

Resources
• http://community.arubanetworks.com/t5/Discuss/ct-p/discuss
  – Search Airheads for “dhcp fingerprint”
• http://www.networksorcery.com/enp/protocol/bootp/options.htm
  – List of DHCP options
• www.fingerbank.org
  – Database of DHCP fingerprints

What Is DHCP Fingerprinting?
• Passively identifies the client OS signature
• Examines DHCP option information
• Differentiates devices that use the same network
  – Instead of creating separate networks for each
• Requires ArubaOS 6.0.1.0 or newer
  – Supported on 600, 3000, and M3 controllers

Fingerprinting Process
• Identify the device value of the DHCP option
• Create a firewall role
• Write and apply a user derivation rule
• Test the rule

Identifying The Device Signature
Enable DHCP debugging
# configure terminal
# logging level debugging network subcat dhcp

Make Sure The Client Is Disconnected
Make sure that the client is disconnected
# aaa user delete mac <client mac address>

Identify The Client Signature
• Attach the client to the WLAN
• View the log and look for the signature
# show log network all | include Option
Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936

Identify DHCP Option
Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options 36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936
• Search log output, looking for options 0c, 37, 3c, or 51
• Combine option and signature value, removing the colon
  – e.g. 37:0103060f0c becomes 370103060f0c

Common Option 55 Signatures
OS Match: Android 2.x, Android 2.3, Blackberry, iPhone/iPad, Macbook, Maemo OS, Nintendo DS, Playstation 3, Symbian OS, Win Mobile 6.x, Win XP, Win Vista, Win 7 (korean), Win 7 (eng), Win (Multiple)
Option (dec/hex): 55/0x37, 55/0x37, 55/0x37, 55/0x37
Match Type: starts-with, equals, equals, equals, equals, starts-with
Fingerprint:
  3701792103061c333a3b
  370103060F77FC
  370103060F775FFC2C2E2F
  370103060c0f111c28292a
  37010306
  3701031c060f
  370C060F01031C78
  370103060f2c2e2f
  37010f03062c2e2f1f21f92b
  37010f03062c2ef1f2179f92b
  37010F03062C2E2F1
• Samsung Galaxy S with Android 2.3
• unknown model of Blackberry
• Common to most Apple i-devices
• Apple Mac Book (assumed OS X)
• Nokia N900 running Maemo OS
• Nokia N97 / SonyEricsson
• Seen on HTC phones with Win Mobile 6.x
• exact match on WinXP
• exact match on Vista
• exact match on Win 7 (korean edition)
• exact match on Win 7
• Generic multi-version "windows"

Common Option 60 Signatures
| OS Match | Option (dec/hex) | Match Type | Fingerprint | |
|---|---|---|---|---|
| Android 2.x (multiple) | 60/0x3c | starts-with | 3c6468637063642034 | partial match on “dhcpcd 4” – caution: may match some linux |
| BlackBerry | 60/0x3c | equals | 3c426c61636b4265727279 | match 'BlackBerry' option |
| Maemo OS | 60/0x3c | starts-with | 3c756468637020302e39 | partial match on "udhcpd 0.9.9", used in Nokia N900 Phones |
| Windows CE | 60/0x3c | equals | 3c4d6963726f736f66742057696e646f777320434500 | match "Microsoft Windows CE" - this may match MANY devices |
| Windows (Multiple) | 60/0x3c | equals | 3c4D53465420352E30 | match multiple windows versions with “MSFT 5.0” |

Not So Common Signatures
| OS Match | Option (dec/hex) | Match Type | Fingerprint | |
|---|---|---|---|---|
| Cisco 1750 | 55/0x37 | equals | 3701060F2C0321962B | cisco 1750 VPN |
| Linux generic | 55/0x37 | starts-with | 37011C02030F0677 | Debian/Linux 2.6 generic |
| Linux (unknown) | 55/0x37 | equals | 37011C02030F06770C2C2F1A792A | tbd |
| Linux Debian 2.6.35 | 55/0x37 | equals | 37011c02030f06770c2c2f1a | Backtrack 4 R2 dhclient |
| Palm PDA | 55/0x37 | equals | 37011C02030F060C | unknown model of Palm |
| Samsung s8000 | 55/0x37 | starts-with | 370102030405060708090C0D0F1011171A1C2A2C3233353638 | |
| Win CE Casio Scanner | 55/0x37 | equals | 370103060F2C2E2F | unknown model of Casio scanner |
| Win CE Symbol Scanner | 55/0x37 | equals | 370103060F2C2E2F4243 | unknown model of Symbol scanner |
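Added example (not part of the original slides and not Aruba code): a small Python parser for the dhcpdwrap debug line shown under "Identify DHCP Option" that builds each option's signature by dropping the colon, then evaluates equals / starts-with rules taken from the signature tables and rule slides. The function names, the role names for the Linux and Windows rows, the case-insensitive comparison, and returning every matching rule (to expose overlapping rules) are assumptions of this example.

```python
import re

# Constructed sample: the debug line from the "Identify DHCP Option" slide.
SAMPLE = ("Apr 23 07:01:55 :202536: <DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: "
          "REQUEST 00:0d:4b:78:9f:07 reqIP=192.168.1.242 Options "
          "36:c0a80103 37:0103060f0c 0c:4e502d4b3041304458303236373936")

INTERESTING = {"0c", "37", "3c", "51"}  # hex option codes the slides look for

# (role, match type, fingerprint) taken from the slides' rules and tables.
# Role names other than roku/blackberry/playstation3 are hypothetical.
RULES = [
    ("roku", "equals", "370103060f0c"),
    ("blackberry", "equals", "370103060F"),
    ("playstation3", "equals", "3701031c060f"),
    ("linux-generic", "starts-with", "37011C02030F0677"),
    ("linux-debian", "equals", "37011c02030f06770c2c2f1a"),
    ("windows", "equals", "3c4D53465420352E30"),
]

LINE_RE = re.compile(r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s.*\bOptions\s+(.*)$", re.I)
TOKEN_RE = re.compile(r"([0-9a-f]{2}):((?:[0-9a-f]{2})+)", re.I)

def signatures(line):
    """Return (client_mac, {option_hex: option_hex + value_hex}) for one line."""
    m = LINE_RE.search(line)
    if not m:
        return None, {}
    sigs = {}
    for token in m.group(2).split():
        t = TOKEN_RE.fullmatch(token)  # skips truncated or odd-length values
        if t:
            code = t.group(1).lower()
            sigs[code] = code + t.group(2).lower()  # "37:0103..." -> "370103..."
    return m.group(1).lower(), sigs

def matches(signature, rules=RULES):
    """Return every role whose rule matches, in rule order, ignoring hex case."""
    sig = signature.lower()
    hits = []
    for role, kind, fingerprint in rules:
        fp = fingerprint.lower()
        if (kind == "equals" and sig == fp) or \
           (kind == "starts-with" and sig.startswith(fp)):
            hits.append(role)
    return hits

def classify(line):
    """Map each interesting option seen in the line to its matching roles."""
    mac, sigs = signatures(line)
    return mac, {code: matches(sigs[code]) for code in sorted(INTERESTING & sigs.keys())}
```

The Debian signature matches both the generic starts-with rule and its own equals rule, which is the kind of overlap to check for before loading a rule set.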

Create Firewall Role For The Device
# config terminal
# user-role roku
# access-list session allowall
# exit

Create Firewall Derivation Rule (CLI)
# config t
# aaa derivation-rules user wc-user-rules
# set role condition dhcp-option equals "370103060f0c" set-value roku
# exit

Create Firewall Derivation Rule (WebUI)

Attach Derivation Rule To AAA Profile (CLI)
# config terminal
# aaa profile <aaa profile name>
# user-derivation-rules wc-user-rules
# exit

Attach Derivation Rule To AAA Profile (WebUI)

Configure Logging To Monitor The Client Connection
# config terminal
# logging level debug user-debug <client mac address>
# exit

Verify The User Connected To The Right Role
# show log user-debug all | include <mac address of client>
Apr 22 13:01:58 :522026: Apr 22 13:01:58 :522004: Apr 22 13:01:58 :522019:
<INFO> |authmgr| MAC=00:0d:4b:78:9f:07 IP=0.0 User miss: ingress=0x10ca, VLAN=1
<DBUG> |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 50, signature 32C0A801F2
<DBUG> |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 54, signature 36C0A80103
<DBUG> |authmgr| MAC 00:0d:4b:78:9f:07, dhcp option 55, signature 370103060F0C
<INFO> |authmgr| MAC=00:0d:4b:78:9f:07 IP=0.0 Derived role 'Roku' from user rules: utype=L2

Show How Many Times The Rule Was Triggered
# show aaa derivation-rules user

Common Rules (CLI)
aaa derivation-rules user wc-user-rules
  set role condition dhcp-option equals "370103060f0c" set-value roku
  set role condition dhcp-option equals "370103060F" set-value blackberry
  set role condition dhcp-option equals "3701031c060f" set-value playstation3

Common Rules (Example-WebUI)
