/usr/sbin/arp-fingerprint is in arp-scan 1.9-3.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 | #!/usr/bin/env perl
#
# Copyright 2006-2013 Roy Hills
#
# This file is part of arp-scan.
#
# arp-scan is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# arp-scan is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with arp-scan. If not, see <http://www.gnu.org/licenses/>.
#
# $Id: arp-fingerprint 19605 2013-05-03 15:01:34Z rsh $
#
# arp-fingerprint -- Perl script to fingerprint system with arp-scan
#
# Author: Roy Hills
# Date: 30th May 2006
#
# This script uses arp-scan to fingerprint the operating system on the
# specified target.
#
# It sends various different ARP packets to the target, and records which
# ones it responds to. From this, it constructs a fingerprint string
# which is used to match against a hash containing known fingerprints.
#
use warnings;
use strict;
use Getopt::Std;
#
my $arpscan="arp-scan -q -r 1";
#
# Hash of known fingerprints
#
# These fingerprints were observed on:
#
# FreeBSD 9.1 FreeBSD 9.1 i386 on VMware
# FreeBSD 8.2 FreeBSD 8.2 i386 on VMware
# FreeBSD 7.0 FreeBSD 7.0 i386 on VMware
# FreeBSD 5.3 FreeBSD 5.3 i386 on VMware
# FreeBSD 4.3 FreeBSD 4.3 i386 on VMware
# DragonflyBSD 2.0 Dragonfly BSD 2.0.0 i386 on VMware
# DragonflyBSD 3.0 Dragonfly BSD 3.0.2 i386 on VMware
# DragonflyBSD 3.2 Dragonfly BSD 3.2.2 amd64 on VMware
# Win 3.11 Windows for Workgroups 3.11/DOS 6.22 on VMware
# 95 Windows 95 OSR2 on VMware
# Win98 Windows 98 SE on VMware
# WinME Windows ME on VMware
# Windows7 Windows 7 Professional 6.1.7600 Build 7600 on Dell Vostro 220
# Windows8 Windows 8 Pro x64 6.2.9200 Build 9200 on VMware
# NT 3.51 Windows NT Server 3.51 SP0 on VMware
# NT4 Windows NT Workstation 4.0 SP6a on Pentium
# 2000 Windows 2000
# XP Windows XP Professional SP2 on Intel P4
# 2003 Windows 2003 Server SP1 on Intel P4
# Vista Windows Vista Beta 2 Build 5384 on VMware
# Vista Windows Vista SP1 Build 6001 on Dell Inspiron
# 2008 Windows 2008 Server Beta on i386
# Linux 2.0 Linux 2.0.29 on VMware (debian 1.3.1)
# Linux 2.2 Linux 2.2.19 on VMware (debian potato)
# Linux 2.4 Linux 2.4.29 on Intel P3 (debian sarge)
# Linux 2.6 Linux 2.6.15.7 i686 on Intel P3 (debian sarge)
# Linux 2.6 Kindle 3.1 on Amazon Kindle 3
# Linux 2.6 Linux 2.6.32.60 x86_64 on VMware (debian squeeze)
# Linux 3.2 Linux 3.2.0 686 on VMware (debian wheezy)
# Linux 3.8 Linux 3.8.8 x86_64 on VMware (fedora 17)
# Cisco IOS IOS 11.2(17) on Cisco 2503
# Cisco IOS IOS 11.3(11b)T2 on Cisco 2503
# Cisco IOS IOS 12.0(8) on Cisco 1601
# Cisco IOS IOS 12.1(27b) on Cisco 2621
# Cisco IOS IOS 12.2(32) on Cisco 1603
# Cisco IOS IOS 12.3(15) on Cisco 2503
# Cisco IOS IOS 12.4(3) on Cisco 2811
# Cisco IOS IOS 12.4(24)T1 on Cisco 1841
# Solaris 2.5.1 Solaris 2.5.1 (SPARC) on Sun SPARCstation 20
# Solaris 2.6 Solaris 2.6 (SPARC) on Sun Ultra 5
# Solaris 7 Solaris 7 (x86) on VMware
# Solaris 8 Solaris 8 (SPARC) on Sun Ultra 5 (64 bit)
# Solaris 9 Solaris 9 (SPARC) on Sun Ultra 5 (64 bit)
# Solaris 10 Solaris 10 (x86) on VMware
# ScreenOS 5.0 Juniper ScreenOS 5.0.0r9 on NetScreen 5XP
# ScreenOS 5.1 Juniper ScreenOS 5.1.0r1.0 on NetScreen 5GT
# ScreenOS 5.3 Juniper ScreenOS 5.3.0r4.0 on NetScreen 5GT
# ScreenOS 5.4 Juniper ScreenOS 5.4.0r1.0 on NetScreen 5GT
# ScreenOS 5.4 Juniper ScreenOS 5.4.0r22.0 on NetScreen 5GT
# ScreenOS 6.2 Juniper ScreenOS 6.2.0r12.0 on Juniper SSG5
# MacOS 10.4 MacOS 10.4.6 on powerbook G4
# MacOS 10.3 MacOS 10.3.9 on imac G3
# IRIX 6.5 IRIX64 IRIS 6.5 05190004 IP30 on SGI Octane
# SCO OS 5.0.7 SCO OpenServer 5.0.7 on VMware
# 2.11BSD 2.11BSD patch level 431 on PDP-11/73 (SIMH simulated)
# 4.3BSD 4.3BSD (Quasijarus0c) on MicroVAX 3000 (SIMH simulated)
# OpenBSD 3.1 OpenBSD 3.1 i386 on VMware
# OpenBSD 3.9 OpenBSD 3.9 i386 on VMware
# OpenBSD 4.8 OpenBSD 4.8 i386 on VMware
# OpenBSD 5.1 OpenBSD 5.1 amd64 on VMware
# NetBSD 2.0.2 NetBSD 2.0.2 i386 on VMware
# NetBSD 4.0 NetBSD 4.0 i386 on VMware
# NetBSD 5.1 NetBSD 5.1.2 i386 on VMware
# NetBSD 6.0-amd64 NetBSD 6.0.1 amd64 on VMware
# IPSO 3.2.1 IPSO 3.2.1-fcs1 on Nokia VPN 210
# Netware 6.5 Novell NetWare 6.5 on VMware
# HP-UX 11 HP-UX B.11.00 A 9000/712 (PA-RISC)
# PIX OS PIX OS (unknown vsn) on Cisco PIX 525
# PIX OS 4.4 PIX OS 4.4(4) on Cisco PIX 520
# PIX OS 5.1 PIX OS 5.1(2) on Cisco PIX 520
# PIX OS 5.2 PIX OS 5.2(9) on Cisco PIX 520
# PIX OS 5.3 PIX OS 5.3(2) on Cisco PIX 520
# PIX OS 6.0 PIX OS 6.0(4) on Cisco PIX 520
# PIX OS 6.1 PIX OS 6.1(5) on Cisco PIX 520
# PIX OS 6.2 PIX OS 6.2(4) on Cisco PIX 520
# PIX OS 6.3 PIX OS 6.3(5) on Cisco PIX 520
# PIX OS 7.0(1) PIX OS 7.0(1) on Cisco PIX 515E
# PIX OS 7.0(2) PIX OS 7.0(2) on Cisco PIX 515E
# PIX OS 7.0(4) PIX OS 7.0(4) on Cisco PIX 515E
# PIX OS 7.0(6) PIX OS 7.0(6) on Cisco PIX 515E
# PIX OS 7.1 PIX OS 7.1(1) on Cisco PIX 515E
# PIX OS 7.2 PIX OS 7.2(1) on Cisco PIX 515E
# PIX OS 8.0 PIX OS 8.0(2) on Cisco PIX 515E
# Minix 3 Minix 3 1.2a on VMware
# Nortel Contivity 6.00 Nortel Contivity V06_00 (VxWorks based)
# Nortel Contivity 6.05 Nortel Contivity V06_05.135
# AIX 4.3 IBM AIX Version 4.3 on RS/6000 7043-260
# AIX 5.3 IBM AIX Version 5.3 on RS/6000 7043-260
# Cisco VPN Concentrator 4.7 Cisco VPN Concentrator 3030 4.7.2E
# Cisco IP Phone 79xx SIP 5.x,6.x,7.x 7940 SIP firmware version 5.3
# Cisco IP Phone 79xx SIP 5.x,6.x,7.x 7940 SIP firmware version 6.3
# Cisco IP Phone 79xx SIP 5.x,6.x,7.x 7940 SIP firmware version 7.5
# Cisco IP Phone 79xx SIP 8.x 7940 SIP firmware version 8.6
# Catalyst 1900 Cisco Catalyst 1900 V9.00.03 Standard Edition
# Catalyst IOS 12.2 Cisco Catalyst 3550-48 running IOS 12.2(35)SE
# Catalyst IOS 12.0 Cisco Catalyst 2924-XL running IOS 12.0(5)WC17
# Catalyst IOS 12.1 Cisco Catalyst 3550-48 running IOS 12.1(11)EA1a SMI
# FortiOS 3.00 FortiGate 100A running FortiOS 3.00,build0406,070126
# Plan9 Plan9 release 4 on VMware
# Blackberry OS Blackberry OS v5.0.0.681 on Blackberry 8900
# GNU/Hurd Debian GNU/Hurd (GNU-Mach 1.3.99/Hurd-0.3) on VMware
# BeOS BeOS 5.0.3 PE Max on VMware
# RiscOS 5.19 RiscOS 5.19 on Raspberry Pi
#
my %fp_hash = (
'11110100000' => 'FreeBSD 5.3, 7.0, 8.2, 9.1, DragonflyBSD 2.0, 3.0, 3.2, Win98, WinME, NT4, 2000, XP, 2003, Catalyst IOS 12.0, 12.1, 12.2, FortiOS 3.00',
'01000100000' => 'Linux 2.2, 2.4, 2.6',
'01010100000' => 'Linux 2.2, 2.4, 2.6, 3.2, 3.8, Vista, 2008, Windows7, Windows8', # Linux only if non-local IP is routed
'00000100000' => 'Cisco IOS 11.2, 11.3, 12.0, 12.1, 12.2, 12.3, 12.4, 12.4T',
'11110110000' => 'Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11, NetBSD 6.0-amd64',
'01000111111' => 'ScreenOS 5.0, 5.1, 5.3, 5.4, 6.2',
'11110000000' => 'Linux 2.0, MacOS 10.4, IPSO 3.2.1, Minix 3, Cisco VPN Concentrator 4.7, Catalyst 1900, BeOS',
'11110100011' => 'MacOS 10.3, FreeBSD 4.3, IRIX 6.5, AIX 4.3, AIX 5.3',
'10010100011' => 'SCO OS 5.0.7',
'10110100000' => 'Win 3.11, 95, NT 3.51',
'11110000011' => '2.11BSD, 4.3BSD, OpenBSD 3.1, 3.9, 4.8, 5.1, Nortel Contivity 6.00, 6.05, RiscOS 5.19',
'10110110000' => 'NetBSD 2.0.2, 4.0, 5.1',
'10110111111' => 'PIX OS 4.4, 5.1, 5.2, 5.3',
'11110111111' => 'PIX OS 6.0, 6.1, 6.2, ScreenOS 5.0 (transparent), Plan9, Blackberry OS',
'00010110011' => 'PIX OS 6.3, 7.0(1), 7.0(2)',
'01010110011' => 'PIX OS 7.0(4)-7.0(6), 7.1, 7.2, 8.0',
'00000110000' => 'Netware 6.5',
'00010100000' => 'Unknown 1', # 14805 79.253 Cisco
'00000110011' => 'Cisco IP Phone 79xx SIP 5.x,6.x,7.x',
'11110110011' => 'Cisco IP Phone 79xx SIP 8.x', # Also 14805 63.11 Fujitsu Siemens
'01010000000' => 'GNU/Hurd',
);
#
my $usage =
qq/Usage: arp-fingerprint [options] <target>
Fingerprint the target system using arp-scan.
'options' is one or more of:
-h Display this usage message.
-v Give verbose progress messages.
-o <option-string> Pass specified options to arp-scan
/;
my %opts;
my $user_opts="";
my $verbose;
my $fingerprint="";
my $fp_name;
#
# Process options
#
die "$usage\n" unless getopts('hvo:',\%opts);
if ($opts{h}) {
print "$usage\n";
exit(0);
}
$verbose=$opts{v} ? 1 : 0;
if ($opts{o}) {
$user_opts = $opts{o};
}
#
if ($#ARGV != 0) {
die "$usage\n";
}
my $target=shift;
#
# Check that the target is not an IP range or network.
#
if ($target =~ /\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+/ ||
$target =~ /\d+\.\d+\.\d+\.\d+\/\d+/ ||
$target =~ /\d+\.\d+\.\d+\.\d+:\d+\.\d+\.\d+\.\d+/) {
die "argument must be a single IP address or hostname\n";
}
#
# Check that the system responds to an arp-scan with no options.
# If it does, then fingerprint the target.
#
if (&fp("","$target") eq "1") {
# 1: source protocol address = localhost
$fingerprint .= &fp("--arpspa=127.0.0.1","$target");
# 2: source protocol address = zero
$fingerprint .= &fp("--arpspa=0.0.0.0","$target");
# 3: source protocol address = broadcast
$fingerprint .= &fp("--arpspa=255.255.255.255","$target");
# 4: source protocol address = non local (network 1 is reserved)
$fingerprint .= &fp("--arpspa=1.0.0.1","$target"); # Non-local source IP
# 5: invalid arp opcode
$fingerprint .= &fp("--arpop=255","$target");
# 6: arp hardware type = IEEE_802.2
$fingerprint .= &fp("--arphrd=6","$target");
# 7: invalid arp hardware type
$fingerprint .= &fp("--arphrd=255","$target");
# 8: invalid arp protocol type
$fingerprint .= &fp("--arppro=0xffff","$target");
# 9: arp protocol type = Novell IPX
$fingerprint .= &fp("--arppro=0x8137","$target");
# 10: invalid protocol address length
$fingerprint .= &fp("--arppln=6","$target");
# 11: Invalid hardware address length
$fingerprint .= &fp("--arphln=8","$target");
#
if (defined $fp_hash{$fingerprint}) {
$fp_name = "$fp_hash{$fingerprint}";
} else {
$fp_name = "UNKNOWN";
}
print "$target\t$fingerprint\t$fp_name\n";
} else {
print "$target\tNo Response\n";
}
#
# Scan the specified IP address with arp-scan using the given options.
# Return "1" if the target responds, or "0" if it does not respond.
#
sub fp ($$) {
my $ip;
my $options;
my $response = "0";
($options, $ip) = @_;
open(ARPSCAN, "$arpscan $user_opts $options $ip |") || die "arp-scan failed";
while (<ARPSCAN>) {
if (/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\t/) {
$response = "1";
last;
}
}
close(ARPSCAN);
if ($verbose && $options ne "") {
if ($response) {
print "$options\tYes\n";
} else {
print "$options\tNo\n";
}
}
return $response;
}
|