ARP replies to malformed requests allow fingerprinting honeyd with the arp-scan/arp-fingerprint tool

[PherricOxide]

Honeyd can easily be detected at the moment with ARP fingerprinting. The arp-scan package in Ubuntu contains a tool called arp-fingerprint, which is a Perl script that uses arp-scan to generate illegal ARP requests.

I'm not sure if it's worth trying to tie ARP fingerprinting into the templates, because most of the fingerprint fields rely on incorrect implementations and bugs, so it's terribly inaccurate on normal Linux and Windows machines (they just get lumped into a fingerprint like "Linux 2.2, 2.4, 2.6, Vista, 2008, Windows7" fingerprint). I think just fixing the invalid replies that make it stand out in the fingerprint would be sufficient.

Things to fix to make it match the "normal" fingerprint mentioned above,

• Should not respond to requests that have sender IP address in the ARP field of 127.0.0.0
• Should not respond to requests that have sender IP address in the ARP field of 255.255.255.255
• Should not respond to ARP packets that have a Hardware Type field of 255 (invalid)
• Should not respond to ARP packets that have a Protocol Type of 0xffff (invalid)
• Should not respond to ARP packets with incorrect Hardware Addr Length (should be 6 on Ethernet)
• Should not respond to ARP packets with incorrect Protocol Addr Length (should be 4 on ipv4)

[PherricOxide]

Fixed in 81b0204a345a1e5f4610da1730a1501c0cd8d793

Arp-fingerprinting now matches,

$ sudo arp-fingerprint 192.168.10.103
192.168.10.103  01010100000 Linux 2.2, 2.4, 2.6, Vista

Which is a far more common fingerprint than the old one of,

 192.168.10.103 11110111111 PIX OS 6.0, 6.1, 6.2, ScreenOS 5.0 (transparent)