TCP/IP stack fingerprinting

Passive OS Fingerprinting method and diagram.

TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint.

TCP/IP Fingerprint Specifics

Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP.[1] The TCP/IP fields that may vary include the following:

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.[2] Just inspecting the Initial TTL and window size fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.[3]

Protection against and detecting fingerprinting

Protection against the fingerprint doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking address masks and timestamps from outgoing ICMP control-message traffic, and blocking ICMP echo replies. A security tool can alert to potential fingerprinting: it can match another machine as having a fingerprinter configuration by detecting its fingerprint.[4]

Disallowing TCP/IP fingerprinting provides protection from vulnerability scanners looking to target machines running a certain operating system. Fingerprinting facilitates attacks. Blocking those ICMP messages is only one of an array of defenses required for full protection against attacks.[5]

Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" to confuse the TCP/IP fingerprinting data. These exist for MS Windows,[6] Linux[7] and FreeBSD,.[8]

Fingerprinting tools

A list of TCP/OS Fingerprinting Tools

References

  1. "Know Your Enemy: Passive Fingerprinting". Project.honeynet.org. Retrieved 2011-11-25.
  2. Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.
  3. "Passive OS Fingerprinting, NETRESEC Network Security Blog". Netresec.com. 2011-11-05. Retrieved 2011-11-25.
  4. "iplog". Retrieved 2011-11-25.
  5. "OS detection not key to penetration". Seclists.org. Retrieved 2011-11-25.
  6. "OSfuscate". Irongeek.com. 2008-09-30. Retrieved 2011-11-25.
  7. Carl-Daniel Hailfinger, carldani@4100XCDT. "IPPersonality". Ippersonality.sourceforge.net. Retrieved 2011-11-25.
  8. "Defeating TCP/IP stack fingerprinting". Usenix.org. 2002-01-29. Retrieved 2011-11-25.
  9. "PacketFence". PacketFence. 2011-11-21. Retrieved 2011-11-25.
  10. http://noc.to

External links