Jump to content

TCP/IP stack fingerprinting: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
No edit summary
m avoid unnec redirect
 
(31 intermediate revisions by 24 users not shown)
Line 1: Line 1:
{{Short description|Remote detection of the characteristics of a TCP/IP stack}}
[[Image:passive figure.png|thumbnail|right|200px|Passive OS Fingerprinting method and diagram.]]
[[Image:passive figure.png|thumbnail|right|200px|Passive OS Fingerprinting method and diagram.]]


'''TCP/IP stack fingerprinting''' is the passive collection of configuration attributes from a remote device during standard [[OSI model|layer 4]] network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, '''OS fingerprinting'''), or incorporated into a [[device fingerprint]].
'''TCP/IP stack fingerprinting''' is the remote detection of the characteristics of a [[TCP/IP stack]] implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, '''OS fingerprinting'''), or incorporated into a [[device fingerprint]].


== TCP/IP Fingerprint Specifics ==
== TCP/IP Fingerprint Specifics ==


Certain parameters within the [[TCP protocol]] definition are left up to the implementation.  Different operating systems, and different versions of the same operating system, set different defaults for these values.  By collecting and examining these values, one may differentiate among various operating systems, and implementations of TCP/IP.<ref>{{cite web|url=http://project.honeynet.org/papers/finger/ |title=Know Your Enemy: Passive Fingerprinting |publisher=Project.honeynet.org |date= |accessdate=2011-11-25}}</ref> The TCP/IP fields that may vary
Certain parameters within the [[TCP protocol]] definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems and implementations of TCP/IP. The TCP/IP fields that may vary
include the following:
include the following:


* Initial packet size (16 bits)
* Initial [[Network packet|packet]] size (16 bits)
* Initial TTL (8 bits)
* Initial [[Time to live|TTL]] (8 bits)
* Window size (16 bits)
* Window size (16 bits)
* Max segment size (16 bits)
*[[Maximum segment size|Max segment size]] (16 bits)
* Window scaling value (8 bits)
* Window scaling value (8 bits)
* "don't fragment" flag (1 bit)
* "don't fragment" flag (1 bit)
Line 17: Line 18:
* "nop" flag (1 bit)
* "nop" flag (1 bit)


These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough in order to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>{{cite web|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting |title=Passive OS Fingerprinting, NETRESEC Network Security Blog |publisher=Netresec.com |date=2011-11-05 |accessdate=2011-11-25}}</ref>
These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.<ref>Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.</ref> Just inspecting the Initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.<ref>{{cite web|url=http://www.netresec.com/?page=Blog&month=2011-11&post=Passive-OS-Fingerprinting |title=Passive OS Fingerprinting, NETRESEC Network Security Blog |publisher=Netresec.com |date=2011-11-05 |accessdate=2011-11-25}}</ref>


== Protection against and detecting fingerprinting ==
== Protection against and detecting fingerprinting ==
Protection against all types of TCP/IP fingerprinting is achieved through TCP/IP fingerprint obfuscators. Also known as fingerprint scrubbing, tools exist for [[MS Windows]],<ref>{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]],<ref>{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=http://ippersonality.sourceforge.net/ |title=IPPersonality |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> [[FreeBSD]],<ref>{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref> and likely others.


Moreover, protection against active fingerprinting attempts is achieved by limiting the type and amount of traffic a system responds to. Examples include the following: blocking of all unnecessary outgoing [[Internet Control Message Protocol|ICMP]] traffic, especially unusual packet types like address masks and timestamps. Also, blocking of any [[ICMP Echo Reply|ICMP echo replies]]. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a [[Black hole (networking)|black hole]]. Alternatively, active fingerprinting tools themselves have fingerprints that can be detected.<ref>{{cite web|url=http://ojnk.sourceforge.net/stuff/iplog.readme |title=iplog |date= |accessdate=2011-11-25}}</ref>
Protection against the fingerprint doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking ''address masks'' and ''timestamps'' from outgoing [[Internet Control Message Protocol|ICMP]] control-message traffic, and blocking [[ICMP Echo Reply|ICMP echo replies]]. A security tool can alert to potential fingerprinting: it can match another machine as having a fingerprinter configuration by detecting ''its'' fingerprint.<ref>{{cite web|url=http://ojnk.sourceforge.net/stuff/iplog.readme |title=iplog |date= |accessdate=2011-11-25}}</ref>


Defeating TCP/IP fingerprinting may provide limited protection from potential attackers who employ a [[vulnerability scanner]] to select machines of a specific target OS. However, a determined adversary may simply try a series of different attacks until one is successful.<ref>{{cite web|url=http://seclists.org/pen-test/2007/Sep/0030.html |title=OS detection not key to penetration |publisher=Seclists.org |date= |accessdate=2011-11-25}}</ref>
Disallowing TCP/IP fingerprinting provides protection from [[vulnerability scanner]]s looking to target machines running a certain operating system. Fingerprinting facilitates attacks. Blocking those ICMP messages is only one of an array of defenses required for full protection against attacks.<ref>{{cite web|url=http://seclists.org/pen-test/2007/Sep/0030.html |title=OS detection not key to penetration |publisher=Seclists.org |date= |accessdate=2011-11-25}}</ref>

Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" to confuse the TCP/IP fingerprinting data. These exist for [[Microsoft Windows]],<ref>{{cite web|url=http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools |title=OSfuscate |publisher=Irongeek.com |date=2008-09-30 |accessdate=2011-11-25}}</ref> [[Linux]]<ref>{{cite web|author=Carl-Daniel Hailfinger, carldani@4100XCDT |url=http://ippersonality.sourceforge.net/ |title=IPPersonality |publisher=Ippersonality.sourceforge.net |date= |accessdate=2011-11-25}}</ref> and [[FreeBSD]].<ref>{{cite web|url=http://www.usenix.org/events/sec00/full_papers/smart/smart_html/index.html |title=Defeating TCP/IP stack fingerprinting |publisher=Usenix.org |date=2002-01-29 |accessdate=2011-11-25}}</ref>


== Fingerprinting tools ==
== Fingerprinting tools ==
A list of TCP/OS Fingerprinting Tools
A list of TCP/OS Fingerprinting Tools
* [[Zardaxt.py]]<ref>{{cite web|url=https://github.com/NikolaiT/zardaxt |title=Zardaxt.py |publisher=Github |date=2021-11-25 |accessdate=2021-11-25}}</ref> – Passive open-source TCP/IP Fingerprinting Tool.
* [[Ettercap (computing)|Ettercap]] – passive TCP/IP stack fingerprinting.
* [[Ettercap (computing)|Ettercap]] – passive TCP/IP stack fingerprinting.
* [[NetworkMiner]] – passive [[DHCP]] and TCP/IP stack fingerprinting (combines p0f, Ettercap and Satori databases)
* [[Nmap]] – comprehensive active stack fingerprinting.
* [[Nmap]] – comprehensive active stack fingerprinting.
* [[p0f]] – comprehensive passive TCP/IP stack fingerprinting.
* [[p0f]] – comprehensive passive TCP/IP stack fingerprinting.
* NetSleuth – free passive fingerprinting and analysis tool
* NetSleuth – free passive fingerprinting and analysis tool
* [[PacketFence]]<ref>{{cite web|url=http://www.packetfence.org/ |title=PacketFence |publisher=PacketFence |date=2011-11-21 |accessdate=2011-11-25}}</ref> – open source [[Network Access Control|NAC]] with passive DHCP fingerprinting.
* [[PacketFence]]<ref>{{cite web|url=http://www.packetfence.org/ |title=PacketFence |publisher=PacketFence |date=2011-11-21 |accessdate=2011-11-25}}</ref> – open source [[Network access control|NAC]] with passive DHCP fingerprinting.
* [[PRADS]] – Passive comprehensive TCP/IP stack fingerprinting and service detection
* Satori – passive [[Cisco Discovery Protocol|CDP]], DHCP, ICMP, [[HP Switch Protocol|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting.
* Satori – passive [[Cisco Discovery Protocol|CDP]], DHCP, ICMP, [[HP Switch Protocol|HPSP]], [[HTTP]], TCP/IP and other stack fingerprinting.
* SinFP – single-port active/passive fingerprinting.
* SinFP – single-port active/passive fingerprinting.
* XProbe2 – active TCP/IP stack fingerprinting.
* XProbe2 – active TCP/IP stack fingerprinting.
* queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems
* Device Fingerprint Website<ref>http://noc.to</ref> - Displays the passive TCP SYN fingerprint of you browser's computer (or intermediate proxy)


== References ==
== References ==
Line 46: Line 47:
* [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)]
* [http://insecure.org/nmap/osdetect/ Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)]


{{DEFAULTSORT:Tcp/Ip Stack Fingerprinting}}
{{DEFAULTSORT:Tcp Ip Stack Fingerprinting}}
[[Category:Transmission Control Protocol|Stack Fingerprinting]]
[[Category:Attacks against TCP|Stack Fingerprinting]]
[[Category:Internet Protocol]]
[[Category:Internet Protocol]]
[[Category:Fingerprinting algorithms]]

[[de:OS-Fingerprinting]]
[[fr:Prise d'empreinte de la pile TCP/IP]]
[[it:P0f]]
[[ka:TCP/IP ფენების ანაბეჭდის დადგენა]]
[[pl:P0f]]

Latest revision as of 14:59, 12 November 2024

Passive OS Fingerprinting method and diagram.

TCP/IP stack fingerprinting is the remote detection of the characteristics of a TCP/IP stack implementation. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint.

TCP/IP Fingerprint Specifics

[edit]

Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among various operating systems and implementations of TCP/IP. The TCP/IP fields that may vary include the following:

  • Initial packet size (16 bits)
  • Initial TTL (8 bits)
  • Window size (16 bits)
  • Max segment size (16 bits)
  • Window scaling value (8 bits)
  • "don't fragment" flag (1 bit)
  • "sackOK" flag (1 bit)
  • "nop" flag (1 bit)

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.[1] Just inspecting the Initial TTL and window size fields is often enough to successfully identify an operating system, which eases the task of performing manual OS fingerprinting.[2]

Protection against and detecting fingerprinting

[edit]

Protection against the fingerprint doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking address masks and timestamps from outgoing ICMP control-message traffic, and blocking ICMP echo replies. A security tool can alert to potential fingerprinting: it can match another machine as having a fingerprinter configuration by detecting its fingerprint.[3]

Disallowing TCP/IP fingerprinting provides protection from vulnerability scanners looking to target machines running a certain operating system. Fingerprinting facilitates attacks. Blocking those ICMP messages is only one of an array of defenses required for full protection against attacks.[4]

Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" to confuse the TCP/IP fingerprinting data. These exist for Microsoft Windows,[5] Linux[6] and FreeBSD.[7]

Fingerprinting tools

[edit]

A list of TCP/OS Fingerprinting Tools

  • Zardaxt.py[8] – Passive open-source TCP/IP Fingerprinting Tool.
  • Ettercap – passive TCP/IP stack fingerprinting.
  • Nmap – comprehensive active stack fingerprinting.
  • p0f – comprehensive passive TCP/IP stack fingerprinting.
  • NetSleuth – free passive fingerprinting and analysis tool
  • PacketFence[9] – open source NAC with passive DHCP fingerprinting.
  • Satori – passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
  • SinFP – single-port active/passive fingerprinting.
  • XProbe2 – active TCP/IP stack fingerprinting.
  • queso - well-known tool from the late 1990s which is no longer being updated for modern operating systems

References

[edit]
  1. ^ Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.
  2. ^ "Passive OS Fingerprinting, NETRESEC Network Security Blog". Netresec.com. 2011-11-05. Retrieved 2011-11-25.
  3. ^ "iplog". Retrieved 2011-11-25.
  4. ^ "OS detection not key to penetration". Seclists.org. Retrieved 2011-11-25.
  5. ^ "OSfuscate". Irongeek.com. 2008-09-30. Retrieved 2011-11-25.
  6. ^ Carl-Daniel Hailfinger, carldani@4100XCDT. "IPPersonality". Ippersonality.sourceforge.net. Retrieved 2011-11-25.{{cite web}}: CS1 maint: numeric names: authors list (link)
  7. ^ "Defeating TCP/IP stack fingerprinting". Usenix.org. 2002-01-29. Retrieved 2011-11-25.
  8. ^ "Zardaxt.py". Github. 2021-11-25. Retrieved 2021-11-25.
  9. ^ "PacketFence". PacketFence. 2011-11-21. Retrieved 2011-11-25.
[edit]
Retrieved from "https://en.wikipedia.org/enwiki/w/index.php?title=TCP/IP_stack_fingerprinting&oldid=1256977314"