TCP/IP stack fingerprinting: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 13:02, 20 March 2011 edit J Clear (talk \| contribs) Autopatrolled, Extended confirmed users, Pending changes reviewers, Rollbackers 7,045 edits →Protection against and detecting fingerprinting: wikify a bit more ← Previous edit		Latest revision as of 03:41, 11 August 2025 edit undo Bender the Bot (talk \| contribs) Bots 1,064,377 edits m →Protection against and detecting fingerprinting: HTTP to HTTPS for SourceForge Tag: AWB
(46 intermediate revisions by 34 users not shown)
Line 1: {{Short description\|Remote detection of the characteristics of a TCP/IP stack}} [[Image:passive figure.png\|thumbnail\|right\|200px\|Passive OS Fingerprinting method and diagram.]] '''TCP/IP stack fingerprinting''' is the ~~passive~~remote ~~collection~~detection of ~~configuration~~the ~~attributes~~characteristics ~~from~~of a ~~remote device during standard~~ [[~~OSI~~TCP/IP ~~model\|layer 4~~stack]] ~~network communications~~implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, '''OS fingerprinting'''), or incorporated into a [[device fingerprint]]. == TCP/IP Fingerprint Specifics == Certain parameters within the [[TCP protocol]] definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP~~<ref>[http://project.honeynet.org/papers/finger/ Know Your Enemy: Passive Fingerprinting]</ref>~~. The TCP/IP fields that may vary include the following: * Initial [[Network packet\|packet]] size (16 bits) * Initial [[Time to live\|TTL]] (8 bits) * Window size (16 bits) [[Maximum segment size\|Max segment size]] (16 bits) Window scaling value (8 bits) * "don't fragment" flag (1 bit) Line 17 ⟶ 18: * "nop" flag (1 bit) These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>{{cite web\|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting \|title=Passive OS Fingerprinting, NETRESEC Network Security Blog \|publisher=Netresec.com \|date=2011-11-05 \|accessdate=2011-11-25}}</ref> == Protection against and detecting fingerprinting == Protection against all types of TCP/IP fingerprinting is achieved through TCP/IP fingerprint obfuscators. Also known as fingerprint scrubbing, tools exist for [[MS Windows]]<ref>[http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools OSfuscate]</ref>, [[Linux]]<ref>[http://ippersonality.sourceforge.net/ IPPersonality]</ref>, [[FreeBSD]]<ref>[http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html Defeating TCP/IP stack fingerprinting]</ref>, and likely others.▼ ~~Moreover, protection~~Protection against ~~active~~the ~~fingerprinting~~fingerprint doorway to ~~attempts~~attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include ~~the~~blocking ~~following:~~''address ~~blocking~~masks'' ofand ~~all~~''timestamps'' ~~unnecessary~~from outgoing [[Internet Control Message Protocol\|ICMP]] control-message traffic, ~~especially unusual packet types like address masks~~ and ~~timestamps. Also,~~ blocking ~~of any~~ [[ICMP Echo Reply\|ICMP echo replies]]. BeA ~~warned~~security ~~that blocking things without knowing exactly what they are for~~tool can ~~very well lead~~alert to apotential ~~broken~~fingerprinting: ~~network;~~it ~~for~~can ~~instance,~~match ~~your~~another ~~network~~machine ~~could~~as ~~become~~having a ~~[[Black~~fingerprinter ~~hole~~configuration ~~(networking)\|black~~by ~~hole]].~~detecting ~~Alternatively,~~''its'' ~~active fingerprinting tools themselves have fingerprints that can be detected~~fingerprint.<ref>~~[http~~{{cite web\|url=https://ojnk.sourceforge.net/stuff/iplog.readme \|title=iplog] \|date= \|accessdate=2011-11-25}}</ref>. ~~Defeating~~Disallowing TCP/IP fingerprinting ~~may provide limited~~provides protection from ~~potential attackers who employ a~~ [[vulnerability scanner]]s looking to ~~select~~target machines ofrunning a ~~specific~~certain ~~target~~operating OSsystem. Fingerprinting ~~However,~~makes aattacks ~~determined~~easier. ~~adversary~~Blocking ~~may~~these ~~simply~~ICMP ~~try~~messages is just one of a ~~series~~number of ~~different~~defenses ~~attacks~~needed ~~until~~to ~~one~~fully isprotect ~~successful~~against attacks.<ref>{{cite web\|url=http://seclists.org/pen-test/2007/Sep/0030.html \|title=OS detection not key to penetration \|publisher=Seclists.org \|date= \|accessdate=2011-11-25}}</ref> ▲~~Protection~~Targeting ~~against~~the ~~all~~ICMP ~~types~~datagram, ofan ~~TCP/IP~~obfuscator ~~fingerprinting~~running ison ~~achieved~~top ~~through~~of ~~TCP/~~IP ~~fingerprint~~in ~~obfuscators.~~the internet ~~Also~~layer ~~known~~acts as ~~fingerprint~~a "scrubbing, ~~tools~~tool" to confuse the TCP/IP fingerprinting data. These exist for [[MSMicrosoft Windows]],<ref>[{{cite web\|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools \|title=OSfuscate] \|publisher=Irongeek.com \|date=2008-09-30 \|accessdate=2011-11-25}}</ref>, [[Linux]]<ref>~~[http~~{{cite web\|author=Carl-Daniel Hailfinger, carldani@4100XCDT \|url=https://ippersonality.sourceforge.net/ \|title=IPPersonality] \|publisher=Ippersonality.sourceforge.net \|date= \|accessdate=2011-11-25}}</ref>, and [[FreeBSD]].<ref>[{{cite web\|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html \|title=Defeating TCP/IP stack fingerprinting] \|publisher=Usenix.org \|date=2002-01-29 \|accessdate=2011-11-25}}</ref>~~, and likely others.~~ == Fingerprinting tools == A list of TCP/OS Fingerprinting Tools * [[Zardaxt.py]]<ref>{{cite web\|url=https://github.com/NikolaiT/zardaxt \|title=Zardaxt.py \|publisher=Github \|date=2021-11-25 \|accessdate=2021-11-25}}</ref> – Passive open-source TCP/IP Fingerprinting Tool. * [[PRADS]] - Passive comprehensive TCP/IP stack fingerprinting and service detection * [[Ettercap (computing)\|Ettercap]] -– passive TCP/IP stack fingerprinting. * [[~~NetworkMiner~~Nmap]] -– ~~passive~~comprehensive ~~[[DHCP]] and TCP/IP~~active stack fingerprinting ~~(combines p0f, Ettercap and Satori databases)~~. * [[~~Nmap~~p0f]] -– comprehensive ~~active~~passive TCP/IP stack fingerprinting. * ~~[[p0f]]~~NetSleuth -– ~~comprehensive~~free passive ~~TCP/IP~~fingerprinting ~~stack~~and ~~fingerprinting.~~analysis tool * [[PacketFence]]<ref>[{{cite web\|url=http://www.packetfence.org/ \|title=PacketFence] \|publisher=PacketFence \|date=2011-11-21 \|accessdate=2011-11-25}}</ref> -– open source [[Network ~~Access~~access ~~Control~~control\|NAC]] with passive DHCP fingerprinting. * Satori -– passive [[Cisco Discovery Protocol\|CDP]], DHCP, ICMP, [[HP Switch Protocol\|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting. * SinFP -– single-port active/passive fingerprinting. * XProbe2 -– active TCP/IP stack fingerprinting. * queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems. == External links ==▼ * [http://lcamtuf.coredump.cx/p0f-help/ p0f v2 signature contribution page] * [http://www.darknet.org.uk/2006/12/sinfp-204-os-detection-now-works-on-windows/ SinFP OS Fingerprinting Tool] * [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)]▼ * [http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/smart/smart_html/ Defeating TCP/IP Stack Fingerprinting] * [http://lcamtuf.coredump.cx/newtcp/ Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later] * [http://www.darknet.org.uk/2006/03/security-cloak-mask-against-tcpip-fingerprinting-for-windows/ Security Cloak - Mask against TCP/IP Fingerprinting in Windows] * [http://www.darknet.org.uk/2006/03/sealing-wafter-defend-against-os-fingerprinting-for-openbsd-ready/ Sealing Wafter - Defend against OS Fingerprinting on OpenBSD] * [http://autoscan-network.com/ AutoScan Network - Network Monitoring and Management Tool] == References == {{reflist\|1}} ▲== External links == ~~{{DEFAULTSORT:Tcp/Ip Stack Fingerprinting}}~~ ▲* [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)] [[Category:TCP/IP\|Stack Fingerprinting]]▼ * [https://bilisim.ahmetcadirci.com/ Bilişim Kodları ve Kısaltmaları] ~~[[de~~{{DEFAULTSORT:~~OS-~~Tcp Ip Stack Fingerprinting]]}} ▲[[Category:Attacks against TCP~~/IP~~\|Stack Fingerprinting]] ~~[[fr:Prise d'empreinte de la pile TCP/IP]]~~ [[Category:Internet Protocol]] ~~[[it:P0f]]~~ [[Category:Fingerprinting algorithms]] ~~[[ka:TCP/IP ფენების ანაბეჭდის დადგენა]]~~ ~~[[pl:P0f]]~~