ioctl SIOCGARP failed! errno: 6

[Ohm Trivedi]

I am a graduate student and I am trying to use this tool, Hershelplus (https://github.com/zk7/hershelplus/tree/master/multi-platform), for OS fingerprinting.

The tool attempts to send an ARP request to destination MAC, but it fails. The output is as follows:

ohmtrivedi@ohm-HP-ENVY:~/Documents/ms-thesis/hershelplus$ sudo ./hershelplus 420OS_db.txt 420OS_mapping.txt 186.32.55.31 80

Reading from 420OS_db.txt...
Stored 21000 signatures in map
Starting Live fingerprinting of 186.32.55.31:80...
Listing system adapters:

1. enx00e151b0014d at 10.15.15.111

2. lo at 127.0.0.1

Enter the adapter number between 1 and 2: 1

-----------------------------------------------
Opening device enx00e151b0014d
Adapter enx00e151b0014d opened successfully
Local MAC Address Is: 00--31-81--80-01-77
Local IP: 10.15.15.111
ioctl SIOCGARP failed! errno: 6
Creation of Send Packet failed
Error getting fingerprint

The error "ioctl SIOCGARP failed! errno: 6" is coming from file LiveFingerprinter.cpp, line# 600. (https://github.com/zk7/hershelplus/blob/master/multi-platform/LiveFingerprinter.cpp)

I can't find any resources on internet which can tell me what this error is about. Hope someone can help me out here. I am not very experienced in Linux/C++.

[Rainer Weikusat]

Ohm Trivedi <ohmtr...@gmail.com> writes:
> I am a graduate student and I am trying to use this tool, Hershelplus (https://github.com/zk7/hershelplus/tree/master/multi-platform), for OS fingerprinting.
>
> The tool attempts to send an ARP request to destination MAC, but it fails. The output is as follows:
>
> ohmtrivedi@ohm-HP-ENVY:~/Documents/ms-thesis/hershelplus$ sudo ./hershelplus 420OS_db.txt 420OS_mapping.txt 186.32.55.31 80
>
> Reading from 420OS_db.txt...
> Stored 21000 signatures in map
> Starting Live fingerprinting of 186.32.55.31:80...
> Listing system adapters:
>
> 1. enx00e151b0014d at 10.15.15.111
>
> 2. lo at 127.0.0.1
>
> Enter the adapter number between 1 and 2: 1
>
> -----------------------------------------------
> Opening device enx00e151b0014d
> Adapter enx00e151b0014d opened successfully
> Local MAC Address Is: 00--31-81--80-01-77
> Local IP: 10.15.15.111
> ioctl SIOCGARP failed! errno: 6
> Creation of Send Packet failed
> Error getting fingerprint
>
> The error "ioctl SIOCGARP failed! errno: 6" is coming from file
> LiveFingerprinter.cpp, line#
> 600. (https://github.com/zk7/hershelplus/blob/master/multi-platform/LiveFingerprinter.cpp)

The headers /usr/include/asm-generic/errno-base.h and
/usr/include/asm-generic/errno.h defined macros for all system error
numbers and also list the standard error messages associated with them
in comments. In this case, that's

#define ENXIO 6 /* No such device or address */

(from errno-base.h)

The kernel returns this if there was no ARP-table entry for the address
whose ARP-table entry was supposed to be queried.

[Jorgen Grahn]

On Fri, 2018-06-08, Ohm Trivedi wrote:
> I am a graduate student and I am trying to use this tool,
> Hershelplus
> (https://github.com/zk7/hershelplus/tree/master/multi-platform), for
> OS fingerprinting.
>
> The tool attempts to send an ARP request to destination MAC, but it
> fails. The output is as follows:
>
> ohmtrivedi@ohm-HP-ENVY:~/Documents/ms-thesis/hershelplus$ sudo \
> ./hershelplus 420OS_db.txt 420OS_mapping.txt 186.32.55.31 80
>
> Reading from 420OS_db.txt...
> Stored 21000 signatures in map
> Starting Live fingerprinting of 186.32.55.31:80...
> Listing system adapters:
>
> 1. enx00e151b0014d at 10.15.15.111
>
> 2. lo at 127.0.0.1
>
> Enter the adapter number between 1 and 2: 1

That's a weird user interface -- first accepting command-line options,
and then suddenly start prompting for more information. Did you try
the more mainstream 'nmap' utility for OS fingerprinting.

> -----------------------------------------------
> Opening device enx00e151b0014d
> Adapter enx00e151b0014d opened successfully
> Local MAC Address Is: 00--31-81--80-01-77
> Local IP: 10.15.15.111
> ioctl SIOCGARP failed! errno: 6
> Creation of Send Packet failed
> Error getting fingerprint
>
> The error "ioctl SIOCGARP failed! errno: 6" is coming from file
> LiveFingerprinter.cpp, line# 600.
> (https://github.com/zk7/hershelplus/blob/master/multi-platform/LiveFingerprinter.cpp)
>
> I can't find any resources on internet which can tell me what this
> error is about. Hope someone can help me out here. I am not very
> experienced in Linux/C++.

This is the reason most software never prints the errno number, but
the corresponding text. After digging around on my system I found it
in /usr/include/asm-generic/errno-base.h:

#define ENXIO 6 /* No such device or address */

What this means in this context, I don't know ... additional clues can
be found
- by reading the arp(7) man page
- by running the tool inside strace to see (perhaps) that it's passing
garbage to the ioctl() function

I note that "enx00e151b0014d" seems to be at the limit for how long an
interface name (if you can call that a name) can be:

struct arpreq {
struct sockaddr arp_pa; /* protocol address */
struct sockaddr arp_ha; /* hardware address */
int arp_flags; /* flags */
struct sockaddr arp_netmask; /* netmask of protocol address */
char arp_dev[16];
};

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .

[Ohm Trivedi]

Thanks for your help. After communicating with the developer of this tool, it was found that there is a bug in the tool. (https://github.com/zk7/hershelplus/issues/1)

[Ohm Trivedi]

On Friday, June 8, 2018 at 3:42:59 PM UTC-4, Jorgen Grahn wrote:
> On Fri, 2018-06-08, Ohm Trivedi wrote:
> > I am a graduate student and I am trying to use this tool,
> > Hershelplus
> > (https://github.com/zk7/hershelplus/tree/master/multi-platform), for
> > OS fingerprinting.
> >
> > The tool attempts to send an ARP request to destination MAC, but it
> > fails. The output is as follows:
> >
> > ohmtrivedi@ohm-HP-ENVY:~/Documents/ms-thesis/hershelplus$ sudo \
> > ./hershelplus 420OS_db.txt 420OS_mapping.txt 186.32.55.31 80
> >
> > Reading from 420OS_db.txt...
> > Stored 21000 signatures in map
> > Starting Live fingerprinting of 186.32.55.31:80...
> > Listing system adapters:
> >
> > 1. enx00e151b0014d at 10.15.15.111
> >
> > 2. lo at 127.0.0.1
> >
> > Enter the adapter number between 1 and 2: 1
>
> That's a weird user interface -- first accepting command-line options,
> and then suddenly start prompting for more information. Did you try
> the more mainstream 'nmap' utility for OS fingerprinting.

I have been using nmap as well. But nmap is not able to identify OS for many IP addresses, so I am trying to find another tool to use alongwith nmap. I have been strugling with xprobe2. If it interests anyone, you can check the issue I am facing here: https://www.linuxquestions.org/questions/showthread.php?p=5859188#post5859188

[Rainer Weikusat]

IOW, the guy is just about as clueless as you claim to be as he's using
undocumented ioctls without determining what they actually do ...

[Jorgen Grahn]

On Fri, 2018-06-08, Ohm Trivedi wrote:
> On Friday, June 8, 2018 at 3:42:59 PM UTC-4, Jorgen Grahn wrote:
>> On Fri, 2018-06-08, Ohm Trivedi wrote:
>> > I am a graduate student and I am trying to use this tool,
>> > Hershelplus
>> > (https://github.com/zk7/hershelplus/tree/master/multi-platform), for
>> > OS fingerprinting.
>> >

...

>> Did you try the more mainstream 'nmap' utility for OS
>> fingerprinting.

> I have been using nmap as well. But nmap is not able to identify OS
> for many IP addresses, so I am trying to find another tool to use
> alongwith nmap.

Make sure to use recent versions of nmap; fingerprinting is something
they have to tweak now and then.

Out of curiosity, why are you using OS fingerprinting? I have found
it interesting to use it now and then (and it illustrates that there
are different IP stack implementations out there with different
characteristics) but for actual attacks surely it's the /services/
(and I guess the firewall) that are interesting?

BTW (and this should have occurred to me much earlier) it's odd that
ARP comes into the picture. ARP can only reach hosts on a local,
switched network, unlike IP which can reach all of the Internet.

[Ohm Trivedi]

On Saturday, June 9, 2018 at 3:24:25 AM UTC-4, Jorgen Grahn wrote:
> On Fri, 2018-06-08, Ohm Trivedi wrote:
> > On Friday, June 8, 2018 at 3:42:59 PM UTC-4, Jorgen Grahn wrote:
> >> On Fri, 2018-06-08, Ohm Trivedi wrote:
> >> > I am a graduate student and I am trying to use this tool,
> >> > Hershelplus
> >> > (https://github.com/zk7/hershelplus/tree/master/multi-platform), for
> >> > OS fingerprinting.
> >> >
> ...
> >> Did you try the more mainstream 'nmap' utility for OS
> >> fingerprinting.
>
> > I have been using nmap as well. But nmap is not able to identify OS
> > for many IP addresses, so I am trying to find another tool to use
> > alongwith nmap.
>
> Make sure to use recent versions of nmap; fingerprinting is something
> they have to tweak now and then.
>
> Out of curiosity, why are you using OS fingerprinting? I have found
> it interesting to use it now and then (and it illustrates that there
> are different IP stack implementations out there with different
> characteristics) but for actual attacks surely it's the /services/
> (and I guess the firewall) that are interesting?

My research is focused on determining OS-specific vulnerabilities, hence I am working on OS fingerprinting.

>
> BTW (and this should have occurred to me much earlier) it's odd that
> ARP comes into the picture. ARP can only reach hosts on a local,
> switched network, unlike IP which can reach all of the Internet.

The tool in question creates IP packets to send to a target. So in the process of creating IP packet, it uses ARP for getting the MAC address. That's my understanding so far.

[Jorgen Grahn]

On Sun, 2018-06-10, Ohm Trivedi wrote:
> On Saturday, June 9, 2018 at 3:24:25 AM UTC-4, Jorgen Grahn wrote:

...

>> BTW (and this should have occurred to me much earlier) it's odd that
>> ARP comes into the picture. ARP can only reach hosts on a local,
>> switched network, unlike IP which can reach all of the Internet.
>
> The tool in question creates IP packets to send to a target. So in
> the process of creating IP packet, it uses ARP for getting the MAC
> address. That's my understanding so far.

I suppose it's like this:

- You can use the mechanisms in raw(7) to send an IP message, but there are
limits to how mmuch you can manipulate the header.

- Alternatively, you can send raw link-layer frames using pcap_inject()
or something. Then, if it's Ethernet, you have to:
- know the relevant next-hop's MAC. Might be the destination's MAC,
but only if it's on the same network as you.
- know your interface and its MAC

[Rainer Weikusat]

Ohm Trivedi <ohmtr...@gmail.com> writes:
> On Saturday, June 9, 2018 at 3:24:25 AM UTC-4, Jorgen Grahn wrote:

[...]

>> BTW (and this should have occurred to me much earlier) it's odd that
>> ARP comes into the picture. ARP can only reach hosts on a local,
>> switched network, unlike IP which can reach all of the Internet.
>
> The tool in question creates IP packets to send to a target. So in the
> process of creating IP packet, it uses ARP for getting the MAC
> address. That's my understanding so far.

The bozo who wrote this presumably read somewhere that "ARP queries"
would be used to determine the MAC address associated with an IP
address. He then apparently 'concluded' that this would be the same as
querying the neighbour cache in the kernel for entries (the purpose of
the SIOCGARP ioctl).

There is no such thing as "an IP packet". That's called a datagram. As
IP is a protocol for internetworking, IP datagrams don't include any
link-layer headers, hence, link-layer addresses are not used when
constructing IP datagrams.