Wikipedia

TCP/IP stack fingerprinting: Difference between revisions

Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
Addbot (talk | contribs)
Bots
2,838,809 edits
m Bot: Migrating 5 interwiki links, now provided by Wikidata on d:q1747834 (Report Errors)
Bender the Bot (talk | contribs)
Bots
1,064,377 edits
 
(30 intermediate revisions by 24 users not shown)
Line 1:
{{Short description|Remote detection of the characteristics of a TCP/IP stack}}
[[Image:passive figure.png|thumbnail|right|200px|Passive OS Fingerprinting method and diagram.]]
 
'''TCP/IP stack fingerprinting''' is the passiveremote collectiondetection of configurationthe attributescharacteristics fromof a remote device during standard [[OSITCP/IP model|layer 4stack]] network communicationsimplementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, '''OS fingerprinting'''), or incorporated into a [[device fingerprint]].
 
== TCP/IP Fingerprint Specifics ==
 
Certain parameters within the [[TCP protocol]] definition are left up to the implementation.   Different operating systems, and different versions of the same operating system, set different defaults for these values.  By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP.<ref>{{cite web|url=http://project.honeynet.org/papers/finger/ |title=Know Your Enemy: Passive Fingerprinting |publisher=Project.honeynet.org |date= |accessdate=2011-11-25}}</ref> The TCP/IP fields that may vary
include the following:
 
* Initial [[Network packet|packet]] size (16 bits)
* Initial [[Time to live|TTL]] (8 bits)
* Window size (16 bits)
*[[Maximum segment size|Max segment size]] (16 bits)
* Window scaling value (8 bits)
* "don't fragment" flag (1 bit)
Line 17 ⟶ 18:
* "nop" flag (1 bit)
 
These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>{{cite web|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting |title=Passive OS Fingerprinting, NETRESEC Network Security Blog |publisher=Netresec.com |date=2011-11-05 |accessdate=2011-11-25}}</ref>
 
== Protection against and detecting fingerprinting ==
Protection against all types of TCP/IP fingerprinting is achieved through TCP/IP fingerprint obfuscators. Also known as fingerprint scrubbing, tools exist for [[MS Windows]],<ref>{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]],<ref>{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=http://ippersonality.sourceforge.net/ |title=IPPersonality |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> [[FreeBSD]],<ref>{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref> and likely others.
 
Moreover, protectionProtection against activethe fingerprintingfingerprint doorway to attemptsattack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include theblocking following:''address blockingmasks'' ofand all''timestamps'' unnecessaryfrom outgoing [[Internet Control Message Protocol|ICMP]] control-message traffic, especially unusual packet types like address masks and timestamps. Also, blocking of any [[ICMP Echo Reply|ICMP echo replies]]. BeA warnedsecurity that blocking things without knowing exactly what they are fortool can very well leadalert to apotential brokenfingerprinting: network;it forcan instance,match youranother networkmachine couldas becomehaving a [[Blackfingerprinter holeconfiguration (networking)|blackby hole]]. Alternatively, active fingerprinting tools themselves have fingerprints that candetecting be''its'' detectedfingerprint.<ref>{{cite web|url=httphttps://ojnk.sourceforge.net/stuff/iplog.readme |title=iplog |date= |accessdate=2011-11-25}}</ref>
 
DefeatingDisallowing TCP/IP fingerprinting may provide limitedprovides protection from potential attackers who employ a [[vulnerability scanner]]s looking to selecttarget machines ofrunning a specificcertain targetoperating OSsystem. Fingerprinting However,makes aattacks determinedeasier. adversaryBlocking maythese simplyICMP trymessages is just one of a seriesnumber of differentdefenses attacksneeded untilto onefully isprotect successfulagainst attacks.<ref>{{cite web|url=http://seclists.org/pen-test/2007/Sep/0030.html |title=OS detection not key to penetration |publisher=Seclists.org |date= |accessdate=2011-11-25}}</ref>
 
ProtectionTargeting againstthe allICMP typesdatagram, ofan TCP/IPobfuscator fingerprintingrunning ison achievedtop throughof TCP/IP fingerprintin obfuscators.the internet Alsolayer knownacts as fingerprinta "scrubbing, toolstool" to confuse the TCP/IP fingerprinting data. These exist for [[MSMicrosoft Windows]],<ref>{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]],<ref>{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=httphttps://ippersonality.sourceforge.net/ |title=IPPersonality |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> and [[FreeBSD]],.<ref>{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref> and likely others.
 
== Fingerprinting tools ==
A list of TCP/OS Fingerprinting Tools
* [[Zardaxt.py]]<ref>{{cite web|url=https://github.com/NikolaiT/zardaxt |title=Zardaxt.py |publisher=Github |date=2021-11-25 |accessdate=2021-11-25}}</ref> – Passive open-source TCP/IP Fingerprinting Tool.
* [[Ettercap (computing)|Ettercap]] – passive TCP/IP stack fingerprinting.
* [[NetworkMiner]] – passive [[DHCP]] and TCP/IP stack fingerprinting (combines p0f, Ettercap and Satori databases)
* [[Nmap]] – comprehensive active stack fingerprinting.
* [[p0f]] – comprehensive passive TCP/IP stack fingerprinting.
* NetSleuth – free passive fingerprinting and analysis tool
* [[PacketFence]]<ref>{{cite web|url=http://www.packetfence.org/ |title=PacketFence |publisher=PacketFence |date=2011-11-21 |accessdate=2011-11-25}}</ref> – open source [[Network Accessaccess Controlcontrol|NAC]] with passive DHCP fingerprinting.
* [[PRADS]] – Passive comprehensive TCP/IP stack fingerprinting and service detection
* Satori – passive [[Cisco Discovery Protocol|CDP]], DHCP, ICMP, [[HP Switch Protocol|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting.
* SinFP – single-port active/passive fingerprinting.
* XProbe2 – active TCP/IP stack fingerprinting.
* queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems.
* Device Fingerprint Website<ref>http://noc.to</ref> - Displays the passive TCP SYN fingerprint of your browser's computer (or intermediate proxy)
 
== References ==
Line 45 ⟶ 46:
== External links ==
* [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)]
* [https://bilisim.ahmetcadirci.com/ Bilişim Kodları ve Kısaltmaları]
 
{{DEFAULTSORT:Tcp Ip Stack Fingerprinting}}
[[Category:TransmissionAttacks Controlagainst ProtocolTCP|Stack Fingerprinting]]
[[Category:Internet Protocol]]
[[Category:Fingerprinting algorithms]]
Retrieved from "https://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting"