Tuesday, June 20, 2017

Finding Windows XP/2003 winhosts using FortiGate device ID

FortiGate has a simple OS device-identification function. You can easily enable this on any interface except:

  • ssl 
  • vpn
  • vdom-link
  • loopbacks
  • etc....

To enable device-identification you only need to set the following on each interface that you want to identify:

config sys interface
    edit lan
        set device-identification enable
    next
end

Then wait a few minutes before reviewing the output of the detected devices:


FGT100D (root) # diag user device  os-summary
host operating systems discovered
  OS                   count
  unknown                  8
  Linux                    13
  NX-OS                    9 
  Cisco Catalyst L3 S      1
  Windows                 88


The device-id output is simple to understand and follow.

e.g.

(a Nexus switch learned via LLDP)

   type 16 'Router/NAT Device'  src lldp  c 1  gen 4
    os 'NX-OS'  version ''  src lldp  id  36  c 1

(a Linux host learned via TCP fingerprint)

   vd root/0  00:00:ca:00:00:03  gen 13859  req 38  redir 0  last 0s  wan1
    ip 185.165.29.97
    type 6 'Linux PC'  src tcp  c 0  gen 6
    os 'Linux'  version '3.11'  src tcp  id  364  c 1

(a Windows product learned via IIS web services)

   type 8 'Windows PC'  src http  c 1  gen 14
    os 'Windows'  version 'NT 10.0'  src http  id  1850  c 1

(here's a user on Mindspring using unsecured POP3)
 c0:8c:60:b0:e7:00  gen 120009  req 0  redir 0  last 0s  Inside
    ip 10.5.5.55
    type 8 'Windows PC'  src http  c 1  gen 35
    os 'Windows'  version '7 (x64)'  src http  id  2168  c 1
    host 'CHO-0000002'  src mwbs
    user 'useronpop@mindspring.com'  src pop3

(unknown)

   00:01:d1:2d:12:43  gen 1501701  req 3c  redir 0  last 0s  DMZ
    ip 1.1.1.1
    os unknown  sig 'W mss 4;T 255;D 1;S 60;O m1440 s t n w7;'  src tcp


Now that you understand what device-id reports, you can grep the device list for the Windows OS strings, or for any other strings of interest.

e.g.

 diag user device list | grep -i "Windows"
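A grep gives you every Windows host; to narrow that down to the end-of-life releases you usually want a small parser over the same records. The Python below is an added example, not part of the original post or of FortiOS: it splits a saved copy of `diag user device list` into one record per MAC (header line with the MAC and interface, then the indented ip/type/os/host lines, exactly the layout quoted above) and keeps the Windows entries whose version label looks like XP or Server 2003. The sample output, MACs, IPs and hostnames are constructed; the `XP` and `Server 2003` version strings are an assumption about how FortiOS labels those releases, so check the pattern against your own unit's output before acting on the results.

```python
import re
import sys
from typing import Dict, List, Pattern

# Constructed sample of `diag user device list` output, modelled on the record
# layout quoted in the post. MACs, IPs and hostnames are made up. The version
# strings 'XP' and 'Server 2003' are an ASSUMPTION about how FortiOS labels
# those releases; compare with your own unit's output and adjust
# LEGACY_WINDOWS below.
SAMPLE = """\
   vd root/0  00:00:ca:00:00:03  gen 13859  req 38  redir 0  last 0s  wan1
    ip 192.0.2.10
    type 6 'Linux PC'  src tcp  c 0  gen 6
    os 'Linux'  version '3.11'  src tcp  id  364  c 1

   c0:8c:60:b0:e7:00  gen 120009  req 0  redir 0  last 0s  Inside
    ip 10.5.5.55
    type 8 'Windows PC'  src http  c 1  gen 35
    os 'Windows'  version '7 (x64)'  src http  id  2168  c 1
    host 'CHO-0000002'  src mwbs

   00:11:22:33:44:55  gen 4711  req 2  redir 0  last 0s  Inside
    ip 10.5.5.61
    type 8 'Windows PC'  src http  c 1  gen 12
    os 'Windows'  version 'XP'  src http  id  99  c 1
    host 'LAB-XP-01'  src mwbs

   00:11:22:33:44:66  gen 4712  req 2  redir 0  last 0s  DMZ
    ip 10.9.9.3
    type 8 'Windows PC'  src tcp  c 1  gen 12
    os 'Windows'  version 'Server 2003'  src tcp  id  100  c 1

   00:01:d1:2d:12:43  gen 1501701  req 3c  redir 0  last 0s  DMZ
    ip 10.9.9.4
    os unknown  sig 'W mss 4;T 255;D 1;S 60;O m1440 s t n w7;'  src tcp
"""

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.I)

# Version labels treated as end-of-life Windows. ASSUMPTION: the exact strings
# depend on the FortiOS signature database; widen or narrow as needed.
LEGACY_WINDOWS = re.compile(r"\bXP\b|Server 2003|NT 5\.[12]", re.I)


def _quoted(key: str, line: str) -> str:
    """Return the single-quoted value that follows `key` on a line, or ''."""
    m = re.search(rf"\b{key} '([^']*)'", line)
    return m.group(1) if m else ""


def parse_device_list(text: str) -> List[Dict[str, str]]:
    """Turn the diag output into one dict per learned device.

    A record starts with a line carrying a MAC address whose last token is the
    interface the device was seen on; the indented lines that follow carry the
    ip/type/os/host/user attributes until the next MAC line.
    """
    devices: List[Dict[str, str]] = []
    cur = None
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:
            cur = {"mac": m.group(0).lower(), "interface": line.split()[-1],
                   "ip": "", "os": "unknown", "version": "", "host": ""}
            devices.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("ip "):
            cur["ip"] = s.split()[1]
        elif s.startswith("os "):
            # 'os unknown  sig ...' lines carry no quoted OS; keep 'unknown'.
            cur["os"] = _quoted("os", s) or "unknown"
            cur["version"] = _quoted("version", s)
        elif s.startswith("host "):
            cur["host"] = _quoted("host", s)
    return devices


def find_legacy_windows(devices: List[Dict[str, str]],
                        pattern: Pattern[str] = LEGACY_WINDOWS) -> List[Dict[str, str]]:
    """Keep only Windows devices whose version label matches `pattern`."""
    return [d for d in devices
            if d["os"].lower() == "windows" and pattern.search(d["version"])]


if __name__ == "__main__":
    # Pipe a saved copy of `diag user device list` on stdin, or run with no
    # input to process the constructed sample above.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for d in find_legacy_windows(parse_device_list(text)):
        print(f"{d['interface']:8} {d['ip']:15} {d['mac']}  "
              f"Windows {d['version']!r}  host={d['host'] or '-'}")
```

Keying on the MAC line rather than on indentation makes the parser tolerant of the leading `vd root/0` prefix that only some records carry, and reporting the interface alongside the IP tells the desktop team which segment to go looking in.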


Here are a few Windows XP hosts that were located:



And here's an XP string:





Now your security analysts and IT team members can target and eliminate the non-compliant hosts.

Ken Felix



NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \
