TCP/IP stack fingerprinting: Difference between revisions

[[Image:passive figure.png|thumbnail|right|200px|Passive OS Fingerprinting method and diagram.]]
 
'''TCP/IP stack fingerprinting''' is the remote detection of the characteristics of a [[TCP/IP stack]] implementation. The combination of observed parameters (for example initial TTL, initial TCP window size, the don't-fragment bit and the order of TCP options) may then be used to infer the remote machine's operating system (also known as '''OS fingerprinting'''), or incorporated into a [[device fingerprint]].
 
== TCP/IP Fingerprint Specifics ==
== Protection against and detecting fingerprinting ==
 
Protection against fingerprinting as a reconnaissance step is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include not answering [[Internet Control Message Protocol|ICMP]] ''address mask'' and ''timestamp'' requests, and blocking [[ICMP Echo Reply|ICMP echo replies]]. A security tool can also alert on a probable fingerprinting attempt: fingerprinting tools emit their own distinctive probe traffic, so a monitor can recognise a host as running a fingerprinter by detecting ''its'' fingerprint.<ref>{{cite web|url=https://ojnk.sourceforge.net/stuff/iplog.readme |title=iplog |date= |accessdate=2011-11-25}}</ref>
 
Disallowing TCP/IP fingerprinting provides protection from [[vulnerability scanner]]s looking to target machines running a certain operating system, since fingerprinting makes such targeted attacks easier. Blocking these ICMP messages is, however, just one of a number of defenses needed to fully protect against attacks: an attacker can still try exploits blindly, or identify the operating system from application-layer banners.<ref>{{cite web|url=http://seclists.org/pen-test/2007/Sep/0030.html |title=OS detection not key to penetration |publisher=Seclists.org |date= |accessdate=2011-11-25}}</ref>
 
An obfuscator running in the internet layer, on top of IP, can act as a "scrubbing tool": it rewrites the ICMP and TCP/IP header fields a fingerprinter keys on (for example TTL, window size and option layout) so that outgoing datagrams no longer match the signature of the real stack. Such scrubbers exist for [[Microsoft Windows]],<ref>{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]]<ref>{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=https://ippersonality.sourceforge.net/ |title=IPPersonality |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> and [[FreeBSD]].<ref>{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref>
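The following Python example is added here to make concrete both the inference described in the lead (header parameters of a single SYN mapped to a probable operating system) and the scrubbing defence described in the paragraph above. It is not code from p0f, nmap, OSfuscate, IPPersonality or the USENIX paper. The signature table is a constructed, illustrative approximation of common stack defaults, not any tool's real database, and the sample packets are built inline rather than captured from a network; the `scrub()` function is a minimal stand-in for a real scrubber, normalising only TTL, the DF bit and the window while leaving option order untouched.

```python
"""Passive TCP/IP stack fingerprinting of a bare SYN, plus a toy scrubber.
Added illustration; signature values are constructed, not a vendor database."""
import struct

# Constructed signature table: (label, initial TTL, SYN window, DF bit, option layout).
SIGNATURES = [
    ("Linux (illustrative)",   64,  29200, True, ("mss", "sackok", "ts", "nop", "wscale")),
    ("Windows (illustrative)", 128, 8192,  True, ("mss", "nop", "wscale", "nop", "nop", "sackok")),
    ("FreeBSD (illustrative)", 64,  65535, True, ("mss", "nop", "wscale", "sackok", "ts")),
]
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}

# Raw TCP option bytes used to build the sample packets (kind, length, data).
MSS, NOP, WSCALE, SACKOK = b"\x02\x04\x05\xb4", b"\x01", b"\x03\x03\x07", b"\x04\x02"
TS = b"\x08\x0a" + bytes(8)
LINUX_SYN_OPTS = MSS + SACKOK + TS + NOP + WSCALE
WINDOWS_SYN_OPTS = MSS + NOP + WSCALE + NOP + NOP + SACKOK


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over data (used for both the IP and TCP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(pseudo + tcp)


def parse_tcp_options(raw: bytes) -> tuple:
    """Return the option layout as a tuple of names, e.g. ('mss', 'nop', 'wscale')."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # EOL: the rest is padding
            break
        if kind == 1:            # NOP has no length byte
            names.append("nop")
            i += 1
            continue
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += length
    return tuple(names)


def fingerprint(packet: bytes) -> dict:
    """Extract the fields a passive fingerprinter keys on from an IPv4/TCP SYN."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    df = bool(packet[6] & 0x40)
    tcp = packet[ihl:]
    doff = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:      # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    # Observed TTL has been decremented per hop; round up to the nearest common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return {"ittl": initial_ttl, "win": window, "df": df, "opts": parse_tcp_options(tcp[20:doff])}


def guess_os(packet: bytes) -> str:
    fp = fingerprint(packet)
    for label, ittl, win, df, opts in SIGNATURES:
        if (fp["ittl"], fp["win"], fp["df"], fp["opts"]) == (ittl, win, df, opts):
            return label
    return "unknown"


def build_syn(ttl, df, window, options, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Construct a valid IPv4 + TCP SYN packet with the given fingerprint-relevant fields."""
    opts = options + b"\x00" * (-len(options) % 4)
    doff = 5 + len(opts) // 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, window, 0, 0) + opts)
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1234,
                               0x4000 if df else 0, ttl, 6, 0, src, dst))
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    return bytes(ip + tcp)


def scrub(packet: bytes, ttl=255, window=16384) -> bytes:
    """Toy scrubber: rewrite TTL, clear DF and set a uniform window, then fix both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    ip[8] = ttl
    ip[6] &= 0xBF                         # clear the don't-fragment bit
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip)))
    tcp[14:16] = struct.pack("!H", window)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(bytes(ip[12:16]), bytes(ip[16:20]), bytes(tcp)))
    return bytes(ip + tcp)


if __name__ == "__main__":
    syn = build_syn(61, True, 29200, LINUX_SYN_OPTS)      # TTL 61: three hops from a TTL-64 host
    print(fingerprint(syn), "->", guess_os(syn))
    print(fingerprint(scrub(syn)), "->", guess_os(scrub(syn)))
```

The TTL rounding is what lets the match survive intermediate hops; it is also why a scrubber that sets an unusual initial TTL (255 here) and a window that no signature uses is enough to push the packet into the "unknown" bucket, even though the option order still leaks stack identity to a tool such as p0f that weighs options heavily.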
 
== Fingerprinting tools ==
* [[p0f]] – comprehensive passive TCP/IP stack fingerprinting.
* NetSleuth – free passive fingerprinting and analysis tool
* [[PacketFence]]<ref>{{cite web|url=http://www.packetfence.org/ |title=PacketFence |publisher=PacketFence |date=2011-11-21 |accessdate=2011-11-25}}</ref> – open source [[Network access control|NAC]] with passive DHCP fingerprinting.
* Satori – passive [[Cisco Discovery Protocol|CDP]], DHCP, ICMP, [[HP Switch Protocol|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting.
* SinFP – single-port active/passive fingerprinting.
* XProbe2 – active TCP/IP stack fingerprinting.
* queso – well-known tool from the late 1990s which is no longer being updated for modern operating systems.
 
== References ==
== External links ==
* [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)]
* [https://bilisim.ahmetcadirci.com/ Informatics Codes and Abbreviations] (in Turkish)
 
{{DEFAULTSORT:Tcp Ip Stack Fingerprinting}}