{{Short description|Remote detection of the characteristics of a TCP/IP stack}}
[[Image:passive figure.png|thumbnail|right|200px|Passive OS Fingerprinting method and diagram.]]
'''TCP/IP stack fingerprinting''' is the remote detection of the characteristics of a [[TCP/IP stack]] implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, '''OS fingerprinting'''), or incorporated into a [[device fingerprint]].
== TCP/IP Fingerprint Specifics ==
[[Nmap]] is a common tool that performs TCP/IP stack fingerprinting.

Certain parameters within the [[TCP protocol]] definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems and implementations of TCP/IP. The TCP/IP fields that may vary include the following:
* Initial [[Network packet|packet]] size (16 bits)
* Initial [[Time to live|TTL]] (8 bits)
* Window size (16 bits)
* [[Maximum segment size|Max segment size]] (16 bits)
* Window scaling value (8 bits)
* "don't fragment" flag (1 bit)
* "sackOK" flag (1 bit)
* "nop" flag (1 bit)
These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>{{cite web|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting |title=Passive OS Fingerprinting, NETRESEC Network Security Blog |publisher=Netresec.com |date=2011-11-05 |accessdate=2011-11-25}}</ref>
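As an added example (not code from the article or from any of the tools it names), the following Python extracts the eight fields listed above from a raw IPv4/TCP SYN packet, packs them in that order into a single integer (16+8+16+16+8+1+1+1 = 67 bits, which is where the 67-bit figure comes from), and rounds an observed TTL up to the nearest common initial value as a passive analyst would. The packet builder, the bit order of the packed signature, the sample option layouts and the 10.0.0.0/8 addresses are constructed assumptions for illustration; no real operating system is claimed to produce these exact values.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StackFingerprint:
    packet_size: int          # total length of the initial IP packet (16 bits)
    ttl: int                  # observed TTL (8 bits)
    window: int               # TCP window size (16 bits)
    mss: Optional[int]        # maximum segment size option (16 bits)
    wscale: Optional[int]     # window scaling option (8 bits)
    df: bool                  # IP "don't fragment" flag (1 bit)
    sack_ok: bool             # TCP "sackOK" option present (1 bit)
    nop: bool                 # TCP "nop" option present (1 bit)


def parse_tcp_options(raw: bytes) -> dict:
    """Walk the TCP option list; stop on EOL, truncation or a bad length."""
    opts = {"mss": None, "wscale": None, "sack_ok": False, "nop": False}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            opts["nop"] = True
            i += 1
            continue
        if i + 1 >= len(raw):
            break                          # option header cut off
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                          # malformed length: stop, never over-read
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            opts["wscale"] = body[0]
        elif kind == 4:
            opts["sack_ok"] = True
        i += length
    return opts


def fingerprint_syn(packet: bytes) -> Optional[StackFingerprint]:
    """Pull the fingerprint fields out of an IPv4 packet carrying a TCP SYN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    ttl, proto = packet[8], packet[9]
    if proto != 6 or len(packet) < ihl + 20:      # 6 = TCP
        return None
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if len(tcp) < data_off or tcp[13] & 0x12 != 0x02:   # SYN set, ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    o = parse_tcp_options(tcp[20:data_off])
    return StackFingerprint(total_len, ttl, window, o["mss"], o["wscale"],
                            bool(flags_frag & 0x4000), o["sack_ok"], o["nop"])


def signature_bits(fp: StackFingerprint) -> int:
    """Pack the fields, in the order listed in the article, into one 67-bit value."""
    sig = fp.packet_size
    sig = (sig << 8) | fp.ttl
    sig = (sig << 16) | fp.window
    sig = (sig << 16) | (fp.mss or 0)
    sig = (sig << 8) | (fp.wscale or 0)
    sig = (sig << 1) | int(fp.df)
    sig = (sig << 1) | int(fp.sack_ok)
    return (sig << 1) | int(fp.nop)


def guess_initial_ttl(ttl: int) -> int:
    """Each hop decrements TTL, so the stack's default is the next common value above."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return 255


def build_syn(ttl: int, window: int, df: bool, options: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN (checksums zeroed) for offline testing."""
    options += b"\x00" * (-len(options) % 4)           # pad to 32-bit boundary
    data_off = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, data_off << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    return ip + tcp


# Constructed sample SYNs: MSS 1460 + sackOK + NOP + wscale 7, versus MSS 1460 + NOP NOP + sackOK.
SAMPLE_A = build_syn(64, 64240, True, b"\x02\x04\x05\xb4\x04\x02\x01\x03\x03\x07")
SAMPLE_B = build_syn(128, 8192, True, b"\x02\x04\x05\xb4\x01\x01\x04\x02")

if __name__ == "__main__":
    for pkt in (SAMPLE_A, SAMPLE_B):
        fp = fingerprint_syn(pkt)
        print(fp, "initial TTL ~", guess_initial_ttl(fp.ttl), "sig =", hex(signature_bits(fp)))
```

The option walker stops on a malformed length rather than raising, so a hostile or truncated option list cannot push the reader past the end of the buffer; that matters because a passive fingerprinter is itself exposed to every packet on the wire.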
== Protection against and detecting fingerprinting ==
Protection against fingerprinting as a doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking ''address masks'' and ''timestamps'' from outgoing [[Internet Control Message Protocol|ICMP]] control-message traffic, and blocking [[ICMP Echo Reply|ICMP echo replies]]. A security tool can also alert on potential fingerprinting: by fingerprinting the probing machine in turn, it can recognise ''its'' fingerprint as that of a known fingerprinting tool.<ref>{{cite web|url=https://ojnk.sourceforge.net/stuff/iplog.readme |title=iplog |date= |accessdate=2011-11-25}}</ref>
Disallowing TCP/IP fingerprinting provides protection from [[vulnerability scanner]]s looking to target machines running a certain operating system. Fingerprinting makes attacks easier. Blocking these ICMP messages is just one of a number of defenses needed to fully protect against attacks.<ref>{{cite web|url=http://seclists.org/pen-test/2007/Sep/0030.html |title=OS detection not key to penetration |publisher=Seclists.org |date= |accessdate=2011-11-25}}</ref>
Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" to confuse the TCP/IP fingerprinting data. These exist for [[Microsoft Windows]],<ref>{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]]<ref>{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=https://ippersonality.sourceforge.net/ |title=IPPersonality |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> and [[FreeBSD]].<ref>{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref>
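As an added illustration of the two defensive measures described above, not code from iplog or any other tool the section cites, the following Python does two things: it decides whether a defensive host should answer an ICMP message under a policy that refuses timestamp requests (type 13) and address-mask requests (type 17), and it groups those probe types by source address so a monitor can alert on hosts that send them. The packet builder, the 192.0.2.0/24 addresses, the probe labels and the blocked-type set are constructed for the example.

```python
import socket
import struct

# ICMP types the section says a defensive host should not answer; the labels are ours.
FINGERPRINT_PROBES = {
    13: "icmp-timestamp-request",
    17: "icmp-address-mask-request",
}
ICMP_ECHO_REQUEST = 8


def parse_icmp(packet: bytes):
    """Return (source address, ICMP type) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 4:      # protocol 1 = ICMP
        return None
    return socket.inet_ntoa(packet[12:16]), packet[ihl]


def should_respond(packet: bytes, blocked_types=frozenset(FINGERPRINT_PROBES)) -> bool:
    """Policy check: answer everything except the blocked ICMP types.
    Non-ICMP packets are outside this policy and pass through unchanged."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return True
    return parsed[1] not in blocked_types


def detect_fingerprinting(packets) -> dict:
    """Group fingerprint-style ICMP probes by source, the way an alerting monitor would."""
    alerts = {}
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, icmp_type = parsed
        label = FINGERPRINT_PROBES.get(icmp_type)
        if label:
            alerts.setdefault(src, set()).add(label)
    return alerts


def build_icmp(src: str, icmp_type: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4+ICMP packet (checksums zeroed) for offline testing."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton("192.0.2.1"))
    return ip + icmp


# Constructed traffic: one host mixes ordinary pings with the two probe types,
# another host only pings. Addresses come from the documentation range.
SAMPLE_PACKETS = [
    build_icmp("192.0.2.10", ICMP_ECHO_REQUEST, b"\x00" * 8),
    build_icmp("192.0.2.10", 13, b"\x00" * 16),      # timestamp request
    build_icmp("192.0.2.10", 17, b"\x00" * 8),       # address mask request
    build_icmp("192.0.2.20", ICMP_ECHO_REQUEST, b"\x00" * 8),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        src, icmp_type = parse_icmp(pkt)
        print(f"{src} type={icmp_type} respond={should_respond(pkt)}")
    print("alerts:", detect_fingerprinting(SAMPLE_PACKETS))
```

The policy and the alerting are deliberately separate: dropping the reply denies the prober its data point, while the alert records that someone asked, which is the information the defender actually wants to keep.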
== Fingerprinting tools ==
A list of TCP/IP and OS fingerprinting tools:
* [[Zardaxt.py]]<ref>{{cite web|url=https://github.com/NikolaiT/zardaxt |title=Zardaxt.py |publisher=Github |date=2021-11-25 |accessdate=2021-11-25}}</ref> – Passive open-source TCP/IP Fingerprinting Tool.
* [[Ettercap (computing)|Ettercap]] – passive TCP/IP stack fingerprinting.
* [[Nmap]] – comprehensive active stack fingerprinting.
* NetSleuth – free passive fingerprinting and analysis tool
* [[PacketFence]]<ref>{{cite web|url=http://www.packetfence.org/ |title=PacketFence |publisher=PacketFence |date=2011-11-21 |accessdate=2011-11-25}}</ref> – open source [[Network access control|NAC]] with passive DHCP fingerprinting.
* Satori – passive [[Cisco Discovery Protocol|CDP]], DHCP, ICMP, [[HP Switch Protocol|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting.
* SinFP – single-port active/passive fingerprinting.
* queso – well-known tool from the late 1990s which is no longer being updated for modern operating systems.
== References ==
{{reflist|1}}
== External links ==
* [http://www.insecure.org/nmap/nmap-fingerprinting-article.txt Remote OS detection via TCP/IP Stack FingerPrinting]
* [https://bilisim.ahmetcadirci.com/ Informatics Codes and Abbreviations (Bilişim Kodları ve Kısaltmaları)]
{{DEFAULTSORT:Tcp Ip Stack Fingerprinting}}
[[fr:TCP/IP stack fingerprinting]]
[[Category:Attacks against TCP|Stack Fingerprinting]]
[[Category:Fingerprinting algorithms]]