Operating System Fingerprinting

TCP/IP stack fingerprinting is the remote detection of the characteristics of a TCP/IP stack implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint.


TCP/IP Fingerprint Specifics

Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, usually from the first SYN packet of a connection (passive fingerprinting) or from the replies to crafted probes (active fingerprinting), one may differentiate among various operating systems and implementations of TCP/IP. The TCP/IP fields that may vary include the following:

* Initial packet size (16 bits)
* Initial TTL (8 bits)
* Window size (16 bits)
* Maximum segment size (16 bits)
* Window scaling value (8 bits)
* "don't fragment" flag (1 bit)
* "sackOK" option present (1 bit)
* "nop" option present (1 bit)

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine. Just inspecting the initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting. Two practical caveats: the TTL seen by the observer has already been decremented once per router hop, so it is normally rounded up to the nearest common default (64, 128 or 255) before comparison, and the order in which the TCP options appear, which the 67-bit tally above does not capture, is itself a strong discriminator between stacks.
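The following is an added worked example, not code from the original article or from any of the tools it lists: a small passive fingerprinter that pulls the fields above out of a raw IPv4+TCP SYN, rounds the observed TTL back up to its probable initial value, assembles the signature tuple and matches initial TTL, DF bit and option ordering against a signature table. The two table rows and the two sample SYN packets are constructed for illustration; the "linux-like" and "windows-like" option layouts, window sizes and TTL defaults are assumptions loosely modelled on commonly published defaults, not authoritative fingerprints, and real tools such as p0f and Nmap carry databases with hundreds of entries. IP and TCP checksums are neither computed nor checked.

```python
import struct
from typing import Optional

# Constructed, illustrative signature table: (initial TTL, DF bit, TCP option order).
# ASSUMPTION: these two rows are demonstration values, not authoritative OS fingerprints.
SIGNATURES = {
    "linux-like": {"initial_ttl": 64, "df": True, "options": ("mss", "sack", "ts", "nop", "ws")},
    "windows-like": {"initial_ttl": 128, "df": True, "options": ("mss", "nop", "ws", "nop", "nop", "sack")},
}

OPTION_NAMES = {1: "nop", 2: "mss", 3: "ws", 4: "sack", 8: "ts"}  # TCP option kinds (RFC 793/7323/2018)


def parse_syn(packet: bytes) -> dict:
    """Extract the fingerprint-relevant fields from a raw IPv4 + TCP SYN packet."""
    if len(packet) < 40:
        raise ValueError("packet too short for IPv4+TCP headers")
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _csum, _src, _dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = packet[ihl:total_len]
    _sport, _dport, _seq, _ack, off_flags, window, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    if not (off_flags & 0x02):  # SYN bit
        raise ValueError("not a SYN")
    fields = {"packet_size": total_len, "ttl": ttl, "window": window,
              "df": bool(flags_frag & 0x4000), "mss": None, "wscale": None,
              "sack_ok": False, "nop": False, "options": []}
    opts = tcp[20:data_off]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:        # End of option list
            break
        if kind == 1:        # NOP carries no length byte
            fields["nop"] = True
            fields["options"].append("nop")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            fields["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            fields["wscale"] = data[0]
        elif kind == 4:
            fields["sack_ok"] = True
        fields["options"].append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    fields["options"] = tuple(fields["options"])
    return fields


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common default; each router hop decremented it by one."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def signature(fields: dict) -> tuple:
    """The 67-bit-style tuple from the article, with the TTL normalised to its initial value."""
    return (fields["packet_size"], initial_ttl(fields["ttl"]), fields["window"], fields["mss"],
            fields["wscale"], fields["df"], fields["sack_ok"], fields["nop"])


def guess_os(fields: dict) -> Optional[str]:
    """Match initial TTL, DF bit and TCP option ordering against the constructed table."""
    for name, sig in SIGNATURES.items():
        if (initial_ttl(fields["ttl"]) == sig["initial_ttl"] and fields["df"] == sig["df"]
                and fields["options"] == sig["options"]):
            return name
    return None


def build_syn(ttl: int, window: int, options: bytes, df: bool = True) -> bytes:
    """Construct a minimal IPv4+TCP SYN for offline testing (checksums left at zero, never validated)."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, ((tcp_len // 4) << 12) | 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


# Constructed sample SYNs (assumed layouts): a Linux-style SYN observed six hops away (TTL 58)
# and a Windows-style SYN observed eight hops away (TTL 120). Timestamp option values are zeroed.
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"
SAMPLE_LINUX = build_syn(ttl=58, window=64240, options=LINUX_OPTS)
SAMPLE_WINDOWS = build_syn(ttl=120, window=64240, options=WINDOWS_OPTS)

if __name__ == "__main__":
    for pkt in (SAMPLE_LINUX, SAMPLE_WINDOWS):
        f = parse_syn(pkt)
        print(signature(f), "->", guess_os(f))
```

In passive use the bytes would come from a pcap or a raw socket rather than from `build_syn`. The `initial_ttl` rounding is what lets a TTL of 58 still be attributed to a stack whose default is 64, and the match deliberately ignores window size, which differs between releases of the same operating system, while keying on option order, which changes far less often.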


Protection against and detecting fingerprinting

Protection against fingerprinting, and against the attacks it opens the door to, is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking ICMP address mask (types 17 and 18) and timestamp (types 13 and 14) messages in outgoing ICMP control-message traffic, and blocking ICMP echo replies (type 0) so that the host does not answer ping. A security tool can also alert on attempted fingerprinting: the probes a fingerprinter sends have a characteristic shape of their own, so the scanning machine can be recognised by detecting ''its'' fingerprint. Disallowing TCP/IP fingerprinting provides protection from vulnerability scanners looking to target machines running a certain operating system; fingerprinting makes attacks easier by telling an attacker which exploits are worth trying. Blocking these ICMP messages is just one of a number of defenses needed to fully protect against attacks. In particular, any host that accepts TCP connections still emits the TCP fields listed above, so ICMP filtering alone does not defeat passive TCP fingerprinting. For that, an obfuscator running at the internet layer acts as a "scrubbing tool": it rewrites the stack-specific values in outgoing packets, ICMP datagrams as well as the TCP fields, to confuse the TCP/IP fingerprinting data. Such tools exist for Microsoft Windows, Linux and FreeBSD.


Fingerprinting tools

A list of TCP/IP OS fingerprinting tools:

* Zardaxt.py – passive open-source TCP/IP fingerprinting tool.
* Ettercap – passive TCP/IP stack fingerprinting.
* Nmap – comprehensive active stack fingerprinting.
* p0f – comprehensive passive TCP/IP stack fingerprinting.
* NetSleuth – free passive fingerprinting and analysis tool.
* PacketFence – open source NAC with passive DHCP fingerprinting.
* Satori – passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
* SinFP – single-port active/passive fingerprinting.
* XProbe2 – active TCP/IP stack fingerprinting.
* queso – well-known tool from the late 1990s which is no longer being updated for modern operating systems.


External links


Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)

Bilişim Kodları ve Kısaltmaları (Turkish: "Informatics Codes and Abbreviations")