TCP/IP stack fingerprinting
From Wikipedia, the free encyclopedia
TCP/IP stack fingerprinting (a.k.a. OS fingerprinting) is the process of determining the operating system used by a remote target.
There are two types of OS fingerprinting: active and passive.
Contents |
[edit] Passive OS Fingerprinting
Passive fingerprinting is undetectable by an intrusion detection system on the network. A passive fingerprinter (a person or an application) does not send any data across the network (wire); because of this it’s undetectable. The downside of this method is that the client must either connect directly to the fingerprinting device, or be on the same hub as the other servers and clients in order to capture any packets on the wire.
[edit] How Passive OS Fingerprinting Works
Passive fingerprinting works because TCP/IP flag settings are specific to various operating systems. These settings vary from one TCP stack implementation to another and include the following:
- Initial TTL (8 bits)
- Window size (16 bits)
- Maximum segment size (16 bits)
- "Don't fragment" flag (1 bit)
- sackOK option (1 bit)
- nop option (1 bit)
- Window scaling option (8 bits)
- Initial packet size (16 bits)
"When combined, these flag settings provide a unique, 67-bit signature for every system."[1]
[edit] Active OS Fingerprinting
Active fingerprinting is aggressive in nature. An active fingerprinter transmits to and receives from the targeted device. It can be located anywhere in the network, and with the active method you can learn more information about the target than with passive OS fingerprinting. The downside is that the fingerprinter can be identified by an intrusion detection system.
[edit] Active Fingerprinting Methods
TCP Stack Querying:
Banner Grabbing
Port Probing
[edit] Protecting Against and Detecting Fingerprinting
Block all unnecessary outgoing ICMP traffic, especially unusual packet types like address masks and timestamps. Also, block any ICMP echo replies. Watch for excessive TCP SYN packets. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a black hole. Extensive knowledge of TCP/IP networking is recommended before engaging in traffic blocking.
[edit] Fingerprinting Tools
Nmap is a tool that performs active TCP/IP stack fingerprinting.
p0f and Ettercap are tools that perform passive TCP/IP stack fingerprinting.
[edit] External links
- p0f v2 signature contribution page
- SinFP OS Fingerprinting Tool
- Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)
- Defeating TCP/IP Stack Fingerprinting
- Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later
- Security Cloak - Mask against TCP/IP Fingerprinting in Windows
- Sealing Wafter - Defend against OS Fingerprinting on OpenBSD
- AutoScan Network - Network Monitoring and Management Tool
[edit] References
- ^ Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.
