TCP/IP stack fingerprinting: Difference between revisions

Content deleted Content added

Inline

Latest revision as of 22:18, 16 July 2023

Passive OS Fingerprinting method and diagram.

TCP/IP stack fingerprinting is the remote detection of the characteristics of a TCP/IP stack implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint.

TCP/IP Fingerprint Specifics[edit]

Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems and implementations of TCP/IP. The TCP/IP fields that may vary include the following:

Initial packet size (16 bits)
Initial TTL (8 bits)
Window size (16 bits)
Max segment size (16 bits)
Window scaling value (8 bits)
"don't fragment" flag (1 bit)
"sackOK" flag (1 bit)
"nop" flag (1 bit)

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.^[1] Just inspecting the Initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.^[2]

Protection against and detecting fingerprinting[edit]

Protection against the fingerprint doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking address masks and timestamps from outgoing ICMP control-message traffic, and blocking ICMP echo replies. A security tool can alert to potential fingerprinting: it can match another machine as having a fingerprinter configuration by detecting its fingerprint.^[3]

Disallowing TCP/IP fingerprinting provides protection from vulnerability scanners looking to target machines running a certain operating system. Fingerprinting facilitates attacks. Blocking those ICMP messages is only one of an array of defenses required for full protection against attacks.^[4]

Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" to confuse the TCP/IP fingerprinting data. These exist for Microsoft Windows,^[5] Linux^[6] and FreeBSD.^[7]

Fingerprinting tools[edit]

A list of TCP/OS Fingerprinting Tools

Zardaxt.py^[8] – Passive open-source TCP/IP Fingerprinting Tool.
Ettercap – passive TCP/IP stack fingerprinting.
Nmap – comprehensive active stack fingerprinting.
p0f – comprehensive passive TCP/IP stack fingerprinting.
NetSleuth – free passive fingerprinting and analysis tool
PacketFence^[9] – open source NAC with passive DHCP fingerprinting.
Satori – passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
SinFP – single-port active/passive fingerprinting.
XProbe2 – active TCP/IP stack fingerprinting.
queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems

References[edit]

^ Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.
^ "Passive OS Fingerprinting, NETRESEC Network Security Blog". Netresec.com. 2011-11-05. Retrieved 2011-11-25.
^ "iplog". Retrieved 2011-11-25.
^ "OS detection not key to penetration". Seclists.org. Retrieved 2011-11-25.
^ "OSfuscate". Irongeek.com. 2008-09-30. Retrieved 2011-11-25.
^ Carl-Daniel Hailfinger, carldani@4100XCDT. "IPPersonality". Ippersonality.sourceforge.net. Retrieved 2011-11-25.{{cite web}}: CS1 maint: numeric names: authors list (link)
^ "Defeating TCP/IP stack fingerprinting". Usenix.org. 2002-01-29. Retrieved 2011-11-25.
^ "Zardaxt.py". Github. 2021-11-25. Retrieved 2021-11-25.
^ "PacketFence". PacketFence. 2011-11-21. Retrieved 2011-11-25.

External links[edit]

Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)

[1] Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.

[2] "Passive OS Fingerprinting, NETRESEC Network Security Blog". Netresec.com. 2011-11-05. Retrieved 2011-11-25.

[3] "iplog". Retrieved 2011-11-25.

[4] "OS detection not key to penetration". Seclists.org. Retrieved 2011-11-25.

[5] "OSfuscate". Irongeek.com. 2008-09-30. Retrieved 2011-11-25.

[6] Carl-Daniel Hailfinger, carldani@4100XCDT. "IPPersonality". Ippersonality.sourceforge.net. Retrieved 2011-11-25.{{cite web}}: CS1 maint: numeric names: authors list (link)

[7] "Defeating TCP/IP stack fingerprinting". Usenix.org. 2002-01-29. Retrieved 2011-11-25.

[8] "Zardaxt.py". Github. 2021-11-25. Retrieved 2021-11-25.

[9] "PacketFence". PacketFence. 2011-11-21. Retrieved 2011-11-25.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

@@ Line 1: / Line 1: @@
+{{Short description|Remote detection of the characteristics of a TCP/IP stack}}
 [[Image:passive figure.png|thumbnail|right|200px|Passive OS Fingerprinting method and diagram.]]
-'''TCP/IP stack fingerprinting''' (a.k.a. '''OS fingerprinting''') is the process of determining the [[operating system]] and unique characteristics of a remote target. The uses of TCP/IP stack fingerprinting include [[Vulnerability_scanner|vulnerability]] discovery and [[Device fingerprint|device fingerprinting]] for fraud detection.
+'''TCP/IP stack fingerprinting''' is the remote detection of the characteristics of a [[TCP/IP stack]] implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, '''OS fingerprinting'''), or incorporated into a [[device fingerprint]].
-There are two types of OS fingerprinting: '''active''' and '''passive'''.
+== TCP/IP Fingerprint Specifics ==
-== Passive OS Fingerprinting ==
-Passive fingerprinting is undetectable by an [[intrusion detection system]] on the network. A passive fingerprinter (a person or an application) does not send any data across the network (wire); because of this it’s undetectable. The downside of this method is that the client must either connect directly to the fingerprinting device, or be on the same [[network hub|hub]] as the other servers and clients in order to capture any packets on the wire.
+Certain parameters within the [[TCP protocol]] definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems and implementations of TCP/IP. The TCP/IP fields that may vary
-=== How Passive OS Fingerprinting Works ===
+include the following:
-Passive fingerprinting works because TCP/IP flag settings are specific to various operating systems. These settings vary from one TCP stack implementation to another and include the following:
-* Initial TTL (8 bits)
+* Initial [[Network packet|packet]] size (16 bits)
+* Initial [[Time to live|TTL]] (8 bits)
 * Window size (16 bits)
-* Maximum segment size (16 bits)
+*[[Maximum segment size|Max segment size]] (16 bits)
-* "Don't fragment" flag (1 bit)
+* Window scaling value (8 bits)
-* sackOK option (1 bit)
+* "don't fragment" flag (1 bit)
-* nop option (1 bit)
+* "sackOK" flag (1 bit)
-* Window scaling option (8 bits)
+* "nop" flag (1 bit)
-* Initial packet size (16 bits)
-"When combined, these flag settings provide a unique, 67-bit signature for every system."<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref>
+These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>{{cite web|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting |title=Passive OS Fingerprinting, NETRESEC Network Security Blog |publisher=Netresec.com |date=2011-11-05 |accessdate=2011-11-25}}</ref>
+== Protection against and detecting fingerprinting ==
-== Active OS Fingerprinting ==
-Active fingerprinting is aggressive in nature. An active fingerprinter transmits to and receives from the targeted device. It can be located anywhere in the network, and with the active method you can learn more information about the target than with passive OS fingerprinting. The downside is that the fingerprinter can be identified by an intrusion detection system.
+Protection against the fingerprint doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking ''address masks'' and ''timestamps'' from outgoing [[Internet Control Message Protocol|ICMP]] control-message traffic, and blocking [[ICMP Echo Reply|ICMP echo replies]]. A security tool can alert to potential fingerprinting: it can match another machine as having a fingerprinter configuration by detecting ''its'' fingerprint.<ref>{{cite web|url=http://ojnk.sourceforge.net/stuff/iplog.readme |title=iplog |date= |accessdate=2011-11-25}}</ref>
-=== Active Fingerprinting Methods ===
-TCP Stack Querying:
-* [[Internet Control Message Protocol|ICMP]]
-* [[Transmission Control Protocol|TCP]]
-* [[Simple Network Management Protocol|SNMP]]
+Disallowing TCP/IP fingerprinting provides protection from [[vulnerability scanner]]s looking to target machines running a certain operating system. Fingerprinting facilitates attacks. Blocking those ICMP messages is only one of an array of defenses required for full protection against attacks.<ref>{{cite web|url=http://seclists.org/pen-test/2007/Sep/0030.html |title=OS detection not key to penetration |publisher=Seclists.org |date= |accessdate=2011-11-25}}</ref>
-Banner Grabbing
-* [[File Transfer Protocol|FTP]]
-* [[TELNET]]
-* [[Hypertext Transfer Protocol|HTTP]]
+Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" to confuse the TCP/IP fingerprinting data. These exist for [[Microsoft Windows]],<ref>{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]]<ref>{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=http://ippersonality.sourceforge.net/ |title=IPPersonality |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> and [[FreeBSD]].<ref>{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref>
-Port Probing
+== Fingerprinting tools ==
-== Protecting Against and Detecting Fingerprinting ==
+A list of TCP/OS Fingerprinting Tools
-Block all unnecessary outgoing ICMP traffic, especially unusual packet types like address masks and timestamps. Also, block any [[ICMP Echo Reply|ICMP echo replies]]. Watch for excessive TCP SYN packets. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a [[Black hole (networking)|black hole]]. Extensive knowledge of TCP/IP networking is recommended before engaging in traffic blocking.
+* [[Zardaxt.py]]<ref>{{cite web|url=https://github.com/NikolaiT/zardaxt |title=Zardaxt.py |publisher=Github |date=2021-11-25 |accessdate=2021-11-25}}</ref> – Passive open-source TCP/IP Fingerprinting Tool.
+* [[Ettercap (computing)|Ettercap]] – passive TCP/IP stack fingerprinting.
+* [[Nmap]] – comprehensive active stack fingerprinting.
+* [[p0f]] – comprehensive passive TCP/IP stack fingerprinting.
+* NetSleuth – free passive fingerprinting and analysis tool
+* [[PacketFence]]<ref>{{cite web|url=http://www.packetfence.org/ |title=PacketFence |publisher=PacketFence |date=2011-11-21 |accessdate=2011-11-25}}</ref> – open source [[Network Access Control|NAC]] with passive DHCP fingerprinting.
+* Satori – passive [[Cisco Discovery Protocol|CDP]], DHCP, ICMP, [[HP Switch Protocol|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting.
+* SinFP – single-port active/passive fingerprinting.
+* XProbe2 – active TCP/IP stack fingerprinting.
+* queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems
-== Fingerprinting Tools ==
+== References ==
+{{reflist|1}}
-[[Nmap]] and [http://autoscan-network.com AutoScan-Network] are tools that performs active TCP/IP stack fingerprinting.
-[[p0f]] and [[Ettercap (computing)|Ettercap]] are tools that perform passive TCP/IP stack fingerprinting.
 == External links ==
-* [http://autoscan-network.com/ AutoScan-Network] - Network Monitoring and Management Tool
-* [http://lcamtuf.coredump.cx/p0f-help/ p0f v2 signature contribution page]
-* [http://www.darknet.org.uk/2006/12/sinfp-204-os-detection-now-works-on-windows/ SinFP OS Fingerprinting Tool]
 * [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)]
-* [http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/smart/smart_html/ Defeating TCP/IP Stack Fingerprinting]
-* [http://lcamtuf.coredump.cx/newtcp/ Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later]
-== References ==
-{{reflist|1}}
-{{compu-network-stub}}
-[[Category:TCP/IP]]
-[[de:OS-Fingerprinting]]
+{{DEFAULTSORT:Tcp Ip Stack Fingerprinting}}
+[[Category:Attacks against TCP|Stack Fingerprinting]]
-[[fr:Prise d'empreinte de la pile TCP/IP]]
+[[Category:Internet Protocol]]
+[[Category:Fingerprinting algorithms]]