This file is indexed.

/usr/bin/arp-fingerprint is in arp-scan 1.8.1-2.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
#!/usr/bin/env perl
#
# Copyright 2006-2011 Roy Hills
#
# This file is part of arp-scan.
# 
# arp-scan is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# 
# arp-scan is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with arp-scan.  If not, see <http://www.gnu.org/licenses/>.
#
# $Id: arp-fingerprint 18122 2011-02-22 09:00:52Z rsh $
#
# arp-fingerprint -- Perl script to fingerprint system with arp-scan
#
# Author: Roy Hills
# Date: 30th May 2006
#
# This script uses arp-scan to fingerprint the operating system on the
# specified target.
#
# It sends various different ARP packets to the target, and records which
# ones it responds to.  From this, it constructs a fingerprint string
# which is used to match against a hash containing known fingerprints.
#
use warnings;
use strict;
use Getopt::Std;
#
my $arpscan="arp-scan -q -r 1";
#
# Hash of known fingerprints
#
# These fingerprints were observed on:
#
# FreeBSD 7.0	FreeBSD 7.0 on VMware
# FreeBSD 5.3	FreeBSD 5.3 on VMware
# FreeBSD 4.3	FreeBSD 4.3 on VMware
# DragonflyBSD 2.0	Dragonfly BSD 2.0.0 on VMware
# Win 3.11	Windows for Workgroups 3.11/DOS 6.22 on VMware
# 95		Windows 95 OSR2 on VMware
# Win98		Windows 98 SE on VMware
# WinME		Windows ME on VMware
# Windows7	Windows 7 Professional 6.1.7600 Build 7600 on Dell Vostro 220
# NT 3.51	Windows NT Server 3.51 SP0 on VMware
# NT4		Windows NT Workstation 4.0 SP6a on Pentium
# 2000		Windows 2000
# XP		Windows XP Professional SP2 on Intel P4
# 2003		Windows 2003 Server SP1 on Intel P4
# Vista		Windows Vista Beta 2 Build 5384 on VMware
# Vista		Windows Vista SP1 Build 6001 on Dell Inspiron
# 2008		Windows 2008 Server Beta on i386
# Linux 2.0	Linux 2.0.29 on VMware (debian 1.3.1)
# Linux 2.2	Linux 2.2.19 on VMware (debian potato)
# Linux 2.4	Linux 2.4.29 on Intel P3 (debian sarge)
# Linux 2.6	Linux 2.6.15.7 on Intel P3 (debian sarge)
# Cisco IOS	IOS 11.2(17) on Cisco 2503
# Cisco IOS	IOS 11.3(11b)T2 on Cisco 2503
# Cisco IOS	IOS 12.0(8) on Cisco 1601
# Cisco IOS	IOS 12.1(27b) on Cisco 2621
# Cisco IOS	IOS 12.2(32) on Cisco 1603
# Cisco IOS	IOS 12.3(15) on Cisco 2503
# Cisco IOS	IOS 12.4(3) on Cisco 2811
# Solaris 2.5.1	Solaris 2.5.1 (SPARC) on Sun SPARCstation 20
# Solaris 2.6	Solaris 2.6 (SPARC) on Sun Ultra 5
# Solaris 7	Solaris 7 (x86) on VMware
# Solaris 8	Solaris 8 (SPARC) on Sun Ultra 5 (64 bit)
# Solaris 9	Solaris 9 (SPARC) on Sun Ultra 5 (64 bit)
# Solaris 10	Solaris 10 (x86) on VMware
# ScreenOS 5.0	Juniper ScreenOS 5.0.0r9 on NetScreen 5XP
# ScreenOS 5.1	Juniper ScreenOS 5.1.0r1.0 on NetScreen 5GT
# ScreenOS 5.3	Juniper ScreenOS 5.3.0r4.0 on NetScreen 5GT
# ScreenOS 5.4	Juniper ScreenOS 5.4.0r1.0 on NetScreen 5GT
# MacOS 10.4	MacOS 10.4.6 on powerbook G4
# MacOS 10.3	MacOS 10.3.9 on imac G3
# IRIX 6.5	IRIX64 IRIS 6.5 05190004 IP30 on SGI Octane
# SCO OS 5.0.7	SCO OpenServer 5.0.7 on VMware
# 2.11BSD	2.11BSD patch level 431 on PDP-11/73 (SIMH simulated)
# 4.3BSD	4.3BSD (Quasijarus0c) on MicroVAX 3000 (SIMH simulated)
# OpenBSD 3.1	OpenBSD 3.1 on VMware
# OpenBSD 3.9	OpenBSD 3.9 on VMware
# NetBSD 2.0.2	NetBSD 2.0.2 on VMware
# NetBSD 4.0	NetBSD 4.0 on VMware
# IPSO 3.2.1	IPSO 3.2.1-fcs1 on Nokia VPN 210
# Netware 6.5	Novell NetWare 6.5 on VMware
# HP-UX 11	HP-UX B.11.00 A 9000/712 (PA-RISC)
# PIX OS	PIX OS (unknown vsn) on Cisco PIX 525
# PIX OS 4.4	PIX OS 4.4(4) on Cisco PIX 520
# PIX OS 5.1	PIX OS 5.1(2) on Cisco PIX 520
# PIX OS 5.2	PIX OS 5.2(9) on Cisco PIX 520
# PIX OS 5.3	PIX OS 5.3(2) on Cisco PIX 520
# PIX OS 6.0	PIX OS 6.0(4) on Cisco PIX 520
# PIX OS 6.1	PIX OS 6.1(5) on Cisco PIX 520
# PIX OS 6.2	PIX OS 6.2(4) on Cisco PIX 520
# PIX OS 6.3	PIX OS 6.3(5) on Cisco PIX 520
# PIX OS 7.0(1)	PIX OS 7.0(1) on Cisco PIX 515E
# PIX OS 7.0(2)	PIX OS 7.0(2) on Cisco PIX 515E
# PIX OS 7.0(4)	PIX OS 7.0(4) on Cisco PIX 515E
# PIX OS 7.0(6)	PIX OS 7.0(6) on Cisco PIX 515E
# PIX OS 7.1	PIX OS 7.1(1) on Cisco PIX 515E
# PIX OS 7.2	PIX OS 7.2(1) on Cisco PIX 515E
# PIX OS 8.0	PIX OS 8.0(2) on Cisco PIX 515E
# Minix 3	Minix 3 1.2a on VMware
# Nortel Contivity 6.00	Nortel Contivity V06_00 (VxWorks based)
# Nortel Contivity 6.05	Nortel Contivity V06_05.135
# AIX 4.3	IBM AIX Version 4.3 on RS/6000 7043-260
# AIX 5.3	IBM AIX Version 5.3 on RS/6000 7043-260
# Cisco VPN Concentrator 4.7	Cisco VPN Concentrator 3030 4.7.2E
# Cisco IP Phone 79xx SIP 5.x,6.x,7.x	7940 SIP firmware version 5.3
# Cisco IP Phone 79xx SIP 5.x,6.x,7.x	7940 SIP firmware version 6.3
# Cisco IP Phone 79xx SIP 5.x,6.x,7.x	7940 SIP firmware version 7.5
# Cisco IP Phone 79xx SIP 8.x	7940 SIP firmware version 8.6
# Catalyst 1900	Cisco Catalyst 1900 V9.00.03 Standard Edition
# Catalyst IOS 12.2	Cisco Catalyst 3550-48 running IOS 12.2(35)SE
# Catalyst IOS 12.0	Cisco Catalyst 2924-XL running IOS 12.0(5)WC17
# Catalyst IOS 12.1	Cisco Catalyst 3550-48 running IOS 12.1(11)EA1a SMI
# FortiOS 3.00	FortiGate 100A running FortiOS 3.00,build0406,070126
# Plan9		Plan9 release 4 on VMware
# Blackberry OS	Blackberry OS v5.0.0.681 on Blackberry 8900
#
my %fp_hash = (
   '11110100000' => 'FreeBSD 5.3, 7.0, DragonflyBSD 2.0, Win98, WinME, NT4, 2000, XP, 2003, Catalyst IOS 12.0, 12.1, 12.2, FortiOS 3.00',
   '01000100000' => 'Linux 2.2, 2.4, 2.6',
   '01010100000' => 'Linux 2.2, 2.4, 2.6, Vista, 2008, Windows7', # Linux only if non-local IP is routed
   '00000100000' => 'Cisco IOS 11.2, 11.3, 12.0, 12.1, 12.2, 12.3, 12.4',
   '11110110000' => 'Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11',
   '01000111111' => 'ScreenOS 5.0, 5.1, 5.3, 5.4',
   '11110000000' => 'Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7, Catalyst 1900',
   '11110100011' => 'MacOS 10.3, FreeBSD 4.3, IRIX 6.5, AIX 4.3, AIX 5.3',
   '10010100011' => 'SCO OS 5.0.7',
   '10110100000' => 'Win 3.11, 95, NT 3.51',
   '11110000011' => '2.11BSD, 4.3BSD, OpenBSD 3.1, OpenBSD 3.9, Nortel Contivity 6.00, 6.05',
   '10110110000' => 'NetBSD 2.0.2, 4.0',
   '10110111111' => 'PIX OS 4.4, 5.1, 5.2, 5.3',
   '11110111111' => 'PIX OS 6.0, 6.1, 6.2, ScreenOS 5.0 (transparent), Plan9, Blackberry OS',
   '00010110011' => 'PIX OS 6.3, 7.0(1), 7.0(2)',
   '01010110011' => 'PIX OS 7.0(4)-7.0(6), 7.1, 7.2, 8.0',
   '00000110000' => 'Netware 6.5',
   '00010100000' => 'Unknown 1', # 14805 79.253 Cisco
   '00000110011' => 'Cisco IP Phone 79xx SIP 5.x,6.x,7.x',
   '11110110011' => 'Cisco IP Phone 79xx SIP 8.x', # Also 14805 63.11 Fujitsu Siemens
   );
#
my $usage =
qq/Usage: arp-fingerprint [options] <target>
Fingerprint the target system using arp-scan.

'options' is one or more of:
        -h Display this usage message.
        -v Give verbose progress messages.
	-o <option-string> Pass specified options to arp-scan
/;
my %opts;
my $user_opts="";
my $verbose;
my $fingerprint="";
my $fp_name;
#
# Process options
#
die "$usage\n" unless getopts('hvo:',\%opts);
if ($opts{h}) {
   print "$usage\n";
   exit(0);
}
$verbose=$opts{v} ? 1 : 0;
if ($opts{o}) {
   $user_opts = $opts{o};
}
#
if ($#ARGV != 0) {
   die "$usage\n";
}
my $target=shift;
#
# Check that the target is not an IP range or network.
#
if ($target =~ /\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+/ ||
    $target =~ /\d+\.\d+\.\d+\.\d+\/\d+/ ||
    $target =~ /\d+\.\d+\.\d+\.\d+:\d+\.\d+\.\d+\.\d+/) {
   die "argument must be a single IP address or hostname\n";
}
#
# Check that the system responds to an arp-scan with no options.
# If it does, then fingerprint the target.
#
if (&fp("","$target") eq "1") {
# 1: source protocol address = localhost
   $fingerprint .= &fp("--arpspa=127.0.0.1","$target");
# 2: source protocol address = zero
   $fingerprint .= &fp("--arpspa=0.0.0.0","$target");
# 3: source protocol address = broadcast
   $fingerprint .= &fp("--arpspa=255.255.255.255","$target");
# 4: source protocol address = non local (network 1 is reserved)
   $fingerprint .= &fp("--arpspa=1.0.0.1","$target");	# Non-local source IP
# 5: invalid arp opcode
   $fingerprint .= &fp("--arpop=255","$target");
# 6: arp hardware type = IEEE_802.2
   $fingerprint .= &fp("--arphrd=6","$target");
# 7: invalid arp hardware type
   $fingerprint .= &fp("--arphrd=255","$target");
# 8: invalid arp protocol type
   $fingerprint .= &fp("--arppro=0xffff","$target");
# 9: arp protocol type = Novell IPX
   $fingerprint .= &fp("--arppro=0x8137","$target");
# 10: invalid protocol address length
   $fingerprint .= &fp("--arppln=6","$target");
# 11: Invalid hardware address length
   $fingerprint .= &fp("--arphln=8","$target");
#
   if (defined $fp_hash{$fingerprint}) {
      $fp_name = "$fp_hash{$fingerprint}";
   } else {
      $fp_name = "UNKNOWN";
   }
   print "$target\t$fingerprint\t$fp_name\n";
} else {
   print "$target\tNo Response\n";
}
#
# Scan the specified IP address with arp-scan using the given options.
# Return "1" if the target responds, or "0" if it does not respond.
#
sub fp ($$) {
   my $ip;
   my $options;
   my $response = "0";
   ($options, $ip) = @_;

   open(ARPSCAN, "$arpscan $user_opts $options $ip |") || die "arp-scan failed";
   while (<ARPSCAN>) {
      if (/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\t/) {
         $response = "1";
         last;
      }
   }
   close(ARPSCAN);

   if ($verbose && $options ne "") {
      if ($response) {
         print "$options\tYes\n";
      } else {
         print "$options\tNo\n";
      }
   }

   return $response;
}