Dear all,
I am also forwarding this mail to the packetfence list because I believe it can
also be useful to others.
Best Regards
Enrico
-------- Forwarded Message --------
Subject: Re: [fingerbank-signatures] Fingerbank failure identify Macosx Catalina...
Date: Mon, 23 Dec 2019 17:44:21 +0100
From: Enrico Becchetti <enrico.becche...@pg.infn.it>
To: signatu...@fingerbank.org
Dear Julien,
let me explain how packetfence manages my network:

network             pf mode       auth type                            vlan id   name
cabled (procurve)   out of band   802.1x radius                        25        pf-wired
wifi (cisco vwlc)   out of band   802.1x radius                        26        pf-dot1x
wifi                inline        captive portal saml (external idp)   27        pf-web
cabled              inline        -                                    28        isolation
cabled              inline        -                                    29        registration

All devices are automatically registered after login into the network
using one of the networks described above.
I would like your opinion to understand whether, with this network design, I
can improve the accuracy of fingerbank by
inserting a portal that is displayed at every access to the network.
For example, a simple welcome page that allows
Packetfence to obtain the HTTP User-Agent. What do you think about it?
Best Regards
Enrico
On 19/12/2019 17:53, Julien Semaan wrote:
Hi Enrico,
Getting your clients in an inline VLAN is an option, also getting them
on the portal to scan them is another solution.
Spanning HTTPS traffic is good, but HTTP is better to get the HTTP
User-Agent.
Best Regards,
--
Julien Semaan
jsem...@inverse.ca :: +1 (866) 353-6153 *155 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 12/18/19 8:53 AM, Enrico Becchetti wrote:
Hi Julien,
I need to identify the devices because I use openvas to know if there
are vulnerabilities in the computers that are connecting to the network.
For this reason the scan engine is configured to be activated if the
device class is Windows, Macosx or Linux.
It would not make sense to activate openvas for other operating
systems or embedded devices.
I read the documentation to create a local entry and alter the
behavior of Fingerbank, but without an example I can't
do that.
Instead, whether http traffic (https?) is sent to the packetfence
server depends on the type of network configuration
that we have.
In my case, for example, I use Inline and out-of-band and the PF
server always has an interface for each network.
For some of the networks it is the default gateway, for others not. In this way
I think that it can see all the traffic.
Thanks.
Enrico
On 17/12/2019 13:15, Julien Semaan wrote:
Hi Enrico,
You are actually only checking the device class and not the device
type which is much more precise.
Expanding the columns in PacketFence will allow you to see this.
The fact Fingerbank became "less effective" in the case you provided
is solely due to the lack of data points that are available.
Providing more data == more accurate device profiling.
There is simply nothing we can do in the example you provided.
Also, if you're basing your effectiveness theory solely on Apple
devices, then as I explained in my previous email, Apple has started
using the same kernel in different devices meaning Mac OS, iPhones,
iPads and even iWatches use the same kernel with the same DHCP
fingerprint. Due to that, you need to provide more data points to be
able to harvest the full power of Fingerbank.
So, to repeat again the solution to your problem, *Fingerbank needs
to see more traffic*. An easy one is to forward the HTTP traffic of
your devices to PacketFence so the Fingerbank collector sees it.
Only then will you be able to get more accurate results that are not
only based off the DHCP fingerprint (the only valuable information
you currently have) because once again *Apple reuses those in all
their devices* so you can't expect accurate profiling based only on
this. Although that wasn't the case a few years ago, it is now the
case and that's something Apple changed, not Fingerbank. We can only
do our best with the information we have and in your case, there
just isn't enough.
PacketFence has a short doc on creating local entries to alter the
behavior of Fingerbank and have your own profiling rules:
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_local_entries
For this you'll have to do the work our analysts do and attempt to
find something that is unique to the device you want to profile.
Since as I've said you pretty much only have DHCP information, then
you'll have to pin the DHCP fingerprint to Mac OS which will likely
make the iOS devices in your environment become Mac OS. If that fits
your needs, then there is your solution.
- Julien
On 12/17/19 6:02 AM, Enrico Becchetti wrote:
Hi Julien,
without going into the operation of PacketFence, I would just like
to point out that the fingerbank mechanism has become less effective.
Just to give an example, there are now 63 registered nodes and 23
are of the "operating system" type without identification.
Many are Macosx Catalina, some instead are Windows. Do I have the
possibility to manually associate the operating system with a device?
Can you test to see if Fingerbank can be improved?
Thanks again.
Best Regards
Enrico
On 16/12/2019 17:50, Julien Semaan wrote:
Hi Enrico,
As I've said in my previous email, the information collected for
this MAC address (the cabled one) is not enough to allow proper
device profiling.
For PacketFence, these are 2 different independent devices.
You could try the command I gave you in the previous email:
curl -H "Authorization: Token `grep api_key /usr/local/fingerbank/conf/fingerbank.conf | awk -F '=' '{ print $2 }'`" https://127.0.0.1:4723/endpoint_data/%%MAC%%/details -k | python -m json.tool | less
to figure out what attributes are collected in one case and not in the other.
Once we can determine the difference in the attributes, I can help
you figure out what you need to collect.
My wild guess is that the MAC address that is profiled correctly
has valid user agents in its entry.
This could be because it was on the captive portal and not the
other one.
If that is the case, there is nothing more we can do. Fingerbank
works with the information it sees. If it doesn't see the right
information, it won't be able to perform accurate device profiling.
From what I can tell, you are using 802.1x to connect to your
network meaning PacketFence is very unlikely to see any HTTP user
agent.
For this reason, you need to have it forwarded via another way
like port-mirroring as PacketFence will not magically see the HTTP
traffic of the device just because it authenticated it.
Best Regards,
--
Julien Semaan
jsem...@inverse.ca :: +1 (866) 353-6153 *155 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 12/16/19 11:42 AM, Enrico Becchetti wrote:
Dear Julien,
I've discovered that in this case, for my equipment, the identification
problem is only from the cabled network:

Status      Online/Offline  MAC Address        Computer Name  Owner                IP Address    Tenant   Device Class       Role
registered  unknown         a4:5e:60:c1:80:c3  becchetti-nb   becch...@pg.infn.it  10.26.1.2     default  Mac OS X or macOS  default
registered  unknown         a8:60:b6:0c:bb:ce  becchetti-nb   becch...@pg.infn.it  10.25.43.114  default  Operating System   default

as you can see, when I connect from the internal wifi adapter PF
detects the right class, but when I try from the external
thunderbolt (usb-ethernet a8:60:b6:0c:bb:ce) it fails.
Attached is the wifi login session capture from wireshark.
Thanks a lot !
Best Regards
Enrico
On 16/12/2019 16:45, Julien Semaan wrote:
Hi Enrico,
Given the output you gave me, the Fingerbank collector simply
didn't see enough data from the device in order to provide
accurate device profiling.
Since Apple has been reusing DHCP fingerprints in all their
devices, it's impossible just from the DHCP information to
profile them.
We need other data points like the user agent to be able to
profile it more accurately.
A way to obtain the user agents is to have the user hit the
captive portal or to mirror traffic from port 80 to the
PacketFence server.
Best Regards,
--
Julien Semaan
jsem...@inverse.ca :: +1 (866) 353-6153 *155 :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
On 12/16/19 10:37 AM, Enrico Becchetti wrote:
Dear Julien,
this is my notebook:

Status      Online/Offline  MAC Address        Computer Name  Owner                IP Address  Tenant   Device Class      Role
registered  unknown         a4:5e:60:c1:80:c3  becchetti-nb   becch...@pg.infn.it  10.26.1.2   default  Operating System  default

The curl output is attached. Thanks again.
Best Regards
Enrico
On 16/12/2019 13:24, Julien Semaan wrote:
Hi Enrico,
Can you provide the following:
- A screenshot of the Fingerbank tab of the node
- The output of the following command (make sure you change
%%MAC%% to the appropriate value):
curl -H "Authorization: Token `grep api_key /usr/local/fingerbank/conf/fingerbank.conf | awk -F '=' '{ print $2 }'`" https://127.0.0.1:4723/endpoint_data/%%MAC%%/details -k | python -m json.tool | less
Cheers!
- Julien
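One way to do the attribute comparison Julien describes (the curl command above, and his later suggestion to diff the details of the wifi MAC against the wired one). This is an added example, not code from the thread or from Fingerbank/PacketFence: the two records are constructed stand-ins for the collector's JSON output for the two MACs in the thread, and their attribute names (dhcp_fingerprint, user_agents, ...) are assumptions, not the collector's real schema.

```python
import json

# Constructed sample records standing in for two
#   curl .../endpoint_data/<MAC>/details
# responses. The attribute names are assumed for illustration; the MACs are
# the two from the thread and the fingerprint/user-agent strings are made up.
WIFI_DETAILS = json.loads("""{
  "mac": "a4:5e:60:c1:80:c3",
  "dhcp_fingerprint": "CONSTRUCTED-FINGERPRINT",
  "dhcp_vendor": "",
  "dhcp6_fingerprint": null,
  "user_agents": ["CONSTRUCTED-MACOS-USER-AGENT"],
  "hostname": "becchetti-nb"
}""")
WIRED_DETAILS = json.loads("""{
  "mac": "a8:60:b6:0c:bb:ce",
  "dhcp_fingerprint": "CONSTRUCTED-FINGERPRINT",
  "dhcp_vendor": "",
  "dhcp6_fingerprint": null,
  "user_agents": [],
  "hostname": "becchetti-nb"
}""")

# Attributes that come from DHCP alone (assumed key names).
DHCP_ONLY_KEYS = {"mac", "hostname", "dhcp_fingerprint", "dhcp_vendor", "dhcp6_fingerprint"}

def populated(details):
    """Attributes that actually carry data (not null, empty string or empty list)."""
    return {k for k, v in details.items() if v not in (None, "", [], {})}

def missing_data_points(good, bad):
    """Attributes the well-profiled record has but the unprofiled one lacks."""
    return sorted(populated(good) - populated(bad))

def shared_values(good, bad):
    """Attributes with identical values in both records (e.g. a reused DHCP fingerprint)."""
    return sorted(k for k in populated(good) & populated(bad) if good[k] == bad[k])

def dhcp_only(details):
    """True when the collector holds nothing beyond DHCP-derived data for this endpoint."""
    return populated(details) <= DHCP_ONLY_KEYS

if __name__ == "__main__":
    print("missing on wired:", missing_data_points(WIFI_DETAILS, WIRED_DETAILS))
    print("identical on both:", shared_values(WIFI_DETAILS, WIRED_DETAILS))
    print("wired is DHCP-only:", dhcp_only(WIRED_DETAILS))
```

With real collector output, load each curl response with json.load in place of the constructed records; a wired endpoint that comes out DHCP-only is the case where only mirrored or portal HTTP traffic can add the missing User-Agent.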
On 12/16/19 3:21 AM, Enrico wrote:
Dear All,
for some weeks I have observed that PF can't identify a new OS
from Apple.
I had configured fingerbank to classify the various OS and to
perform
scans with OpenVas, so now this task doesn't work fine.
Has anyone seen this problem, and how was it solved?
Thanks a lot
Best Regards
Enrico
__________________________________________________
fingerbank-signatures mailing list
signatu...@fingerbank.org
https://inverse.ca/fingerbank/lists/arc/signatures
--
_______________________________________________________________________
Enrico Becchetti Servizio di Calcolo e Reti
Istituto Nazionale di Fisica Nucleare - Sezione di Perugia
Via Pascoli,c/o Dipartimento di Fisica 06123 Perugia (ITALY)
Phone:+39 075 5852777 Mail: Enrico.Becchetti<at>pg.infn.it
______________________________________________________________________
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users