TCP/IP stack fingerprinting

Passive fingerprinting is undetectable by an IDS on the network. A passive fingerprinter (a person or an application) does not send any data across the network (wire); because of this nature it’s undetectable. The downside to passive fingerprinting is the fact that the fingerprinter must be on the same hub as the other servers and clients in order to capture any packets on the wire.

Passive fingerprinting works because TCP/IP flag settings are specific to various operating system stacks. These settings vary from one TCP stack implementation to another and include the following:

• Initial TTL (8 bits)
• Window size (16 bits)
• Maximum segment size (16 bits)
• "Don't fragment" flag (1 bit)
• sackOK option (1 bit)
• nop option (1 bit)
• Window scaling option (8 bits)
• Initial packet size (16 bits)

When combined, these flag settings provide a unique, 67-bit signature for every system.^[1]

Active fingerprinting is aggressive in nature. An active fingerprinter transmits to and receives from the targeted device. It can be located anywhere in the network and with the active fingerprinting method you can learn more information about the target than passive OS fingerprinting. The downside to this method is that the fingerprinter can be identified by an IDS on the network.

TCP Stack Querying:

• ICMP
• TCP
• SNMP

Banner Grabbing

• FTP
• TELNET
• HTTP

Port Probing

Block all unnecessary outgoing ICMP traffic especially unusual ones like address mask and timestamp also block any ICMP echo replies. Watch for excessive TCP SYN packets.

Nmap is a tool that performs active TCP/IP stack fingerprinting.

p0f and Ettercap are tools that perform passive TCP/IP stack fingerprinting.

• p0f v2 signature contribution page
• SinFP OS Fingerprinting Tool
• Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)
• Defeating TCP/IP Stack Fingerprinting
• Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later