TCP/IP stack fingerprinting: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 13:33, 21 June 2007 edit 192.223.226.5 (talk) →How Passive OS Fingerprinting Works ← Previous edit		Latest revision as of 03:41, 11 August 2025 edit undo Bender the Bot (talk \| contribs) Bots 1,064,377 edits m →Protection against and detecting fingerprinting: HTTP to HTTPS for SourceForge Tag: AWB
(111 intermediate revisions by 69 users not shown)
Line 1: {{Short description\|Remote detection of the characteristics of a TCP/IP stack}} [[Image:passive figure.png\|thumbnail\|right\|200px\|Passive OS Fingerprinting method and diagram.]] ~~'''OS fingerprinting''' is a process of determining the [[operating system]] used by the remote target.~~ '''TCP/IP stack fingerprinting''' is the remote detection of the characteristics of a [[TCP/IP stack]] implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, '''OS fingerprinting'''), or incorporated into a [[device fingerprint]]. ~~There are two types of OS Fingerprinting; '''Active OS fingerprinting''' and '''Passive OS fingerprinting'''.~~ == TCP/IP Fingerprint Specifics == == Passive OS Fingerprinting ==▼ Passive fingerprinting is undetectable by an [[Intrusion-detection system\|IDS]] on the network. A passive fingerprinter (a person or an application) does not send any data across the network (wire); because of this nature it’s undetectable. The downside to passive fingerprinting is the fact that the fingerprinter must be on the same [[Ethernet hub\|hub]] as the other servers and clients in order to capture any packets on the wire. Certain parameters within the [[TCP protocol]] definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems and implementations of TCP/IP. The TCP/IP fields that may vary == How Passive OS Fingerprinting Works ==▼ include the following: ~~Passive fingerprinting works because TCP/IP flag settings are specific to various operating system stacks. These settings vary from one TCP stack implementation to another and include the following:~~ * Initial TTL (8 bits)▼ * Initial [[Network packet\|packet]] size (16 bits)▼ ▲* Initial [[Time to live\|TTL]] (8 bits) * Window size (16 bits) * [[Maximum segment size\|Max segment size]] (16 bits) * ~~"Don't~~Window ~~fragment"~~scaling ~~flag~~value (18 ~~bit~~bits) * ~~sackOK~~"don't ~~option~~fragment" flag (1 bit) * ~~nop~~"sackOK" ~~option~~flag (1 bit) * ~~Window~~"nop" ~~scaling option~~flag (81 ~~bits~~bit) ▲* Initial packet size (16 bits) These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>{{cite web\|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting \|title=Passive OS Fingerprinting, NETRESEC Network Security Blog \|publisher=Netresec.com \|date=2011-11-05 \|accessdate=2011-11-25}}</ref> ~~When combined, these flag settings provide a unique, 67-bit signature for every system.~~ == Protection against and detecting fingerprinting == ~~== Active OS Fingerprinting ==~~ Active fingerprinting is aggressive in nature. An active fingerprinter transmits to and receives from the targeted device. It can be located anywhere in the network and with the active fingerprinting method you can learn more information about the target than passive OS fingerprinting. The downside to this method is that the fingerprinter can be identified by an [[Intrusion-detection_system\|IDS]] on the network. Protection against the fingerprint doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking ''address masks'' and ''timestamps'' from outgoing [[Internet Control Message Protocol\|ICMP]] control-message traffic, and blocking [[ICMP Echo Reply\|ICMP echo replies]]. A security tool can alert to potential fingerprinting: it can match another machine as having a fingerprinter configuration by detecting ''its'' fingerprint.<ref>{{cite web\|url=https://ojnk.sourceforge.net/stuff/iplog.readme \|title=iplog \|date= \|accessdate=2011-11-25}}</ref> ~~== Active Fingerprinting Methods ==~~ ~~TCP Stack Querying:~~ * [[Internet Control Message Protocol\|ICMP]] * [[Transmission Control Protocol\|TCP]] * [[Simple Network Management Protocol\|SNMP]] Disallowing TCP/IP fingerprinting provides protection from [[vulnerability scanner]]s looking to target machines running a certain operating system. Fingerprinting makes attacks easier. Blocking these ICMP messages is just one of a number of defenses needed to fully protect against attacks.<ref>{{cite web\|url=http://seclists.org/pen-test/2007/Sep/0030.html \|title=OS detection not key to penetration \|publisher=Seclists.org \|date= \|accessdate=2011-11-25}}</ref> ~~Banner Grabbing~~ * [[File Transfer Protocol\|FTP]] * [[TELNET]] * [[Hypertext Transfer Protocol\|HTTP]] Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" to confuse the TCP/IP fingerprinting data. These exist for [[Microsoft Windows]],<ref>{{cite web\|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools \|title=OSfuscate \|publisher=Irongeek.com \|date=2008-09-30 \|accessdate=2011-11-25}}</ref> [[Linux]]<ref>{{cite web\|author=Carl-Daniel Hailfinger, carldani@4100XCDT \|url=https://ippersonality.sourceforge.net/ \|title=IPPersonality \|publisher=Ippersonality.sourceforge.net \|date= \|accessdate=2011-11-25}}</ref> and [[FreeBSD]].<ref>{{cite web\|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html \|title=Defeating TCP/IP stack fingerprinting \|publisher=Usenix.org \|date=2002-01-29 \|accessdate=2011-11-25}}</ref> ~~Port Probing~~ ▲== ~~How Passive OS~~ Fingerprinting ~~Works~~tools == ~~== Protecting and Detecting Against Fingerprinting ==~~ ▲==A ~~Passive~~list of TCP/OS Fingerprinting ==Tools ~~Block all unnecessary outgoing ICMP traffic especially unusual ones like address mask and timestamp also block any [[ICMP Echo Reply\|ICMP echo replies]]. Watch for excessive TCP SYN packets.~~ * [[Zardaxt.py]]<ref>{{cite web\|url=https://github.com/NikolaiT/zardaxt \|title=Zardaxt.py \|publisher=Github \|date=2021-11-25 \|accessdate=2021-11-25}}</ref> – Passive open-source TCP/IP Fingerprinting Tool. ~~[[p0f]] and~~* [[Ettercap (computing)\|Ettercap]] ~~are tools that perform~~– passive TCP/IP stack fingerprinting.▼ * [[Nmap]] is– ~~a tool that performs~~comprehensive active ~~TCP/IP~~ stack fingerprinting.▼ * [[p0f]] – comprehensive passive TCP/IP stack fingerprinting. * NetSleuth – free passive fingerprinting and analysis tool * [[PacketFence]]<ref>{{cite web\|url=http://www.packetfence.org/ \|title=PacketFence \|publisher=PacketFence \|date=2011-11-21 \|accessdate=2011-11-25}}</ref> – open source [[Network access control\|NAC]] with passive DHCP fingerprinting. * Satori – passive [[Cisco Discovery Protocol\|CDP]], DHCP, ICMP, [[HP Switch Protocol\|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting. * SinFP – single-port active/passive fingerprinting. * XProbe2 – active TCP/IP stack fingerprinting. * queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems. == ~~Fingerprinting Tools~~References == {{reflist\|1}} ▲[[Nmap]] is a tool that performs active TCP/IP stack fingerprinting. ▲[[p0f]] and [[Ettercap (computing)\|Ettercap]] are tools that perform passive TCP/IP stack fingerprinting. == External links == * [http://lcamtuf.coredump.cx/p0f-help/ p0f v2 signature contribution page] * [http://www.darknet.org.uk/2006/12/sinfp-204-os-detection-now-works-on-windows/ SinFP OS Fingerprinting Tool] * [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)] * [https://bilisim.ahmetcadirci.com/ Bilişim Kodları ve Kısaltmaları] * [http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/smart/smart_html/ Defeating TCP/IP Stack Fingerprinting] * [http://lcamtuf.coredump.cx/newtcp/ Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later] ~~{{compu-network-stub}}~~ [[Category:TCP/IP]]▼ {{DEFAULTSORT:Tcp Ip Stack Fingerprinting}} ~~[[fr:Prise d'empreinte de la pile TCP/IP]]~~ [[Category:Attacks against TCP\|Stack Fingerprinting]] ▲[[Category:~~TCP/IP~~Internet Protocol]] [[Category:Fingerprinting algorithms]]