TCP/IP stack fingerprinting

The term OS fingerprinting, and more specifically TCP/IP stack fingerprinting, refers to identifying a system's operating system remotely by observing the various ways in which the system reacts on the network. Both active and passive methods can be used to detect the operating system.

With both methods, the operating system can be determined via the TCP/IP protocol stack; in the active variant, the banner of a program can additionally be analyzed.

TCP/IP Protocol Stack

A widely used analysis method identifies the operating system by means of its TCP/IP protocol stack. It exploits the fact that each operating system has its own TCP/IP protocol stack implementation, whose settings can be read from the headers of network packets and differ from those of other operating systems. The following fields vary between implementations:

  • Initial Time to Live (8 bits)
  • Receive Window size (16 bits)
  • Maximum Segment size (16 bits)
  • "Do not fragment" flag (1 bit)
  • SackOK option (1 bit)
  • Nop option (1 bit)
  • Window Scale option (8 bits)
  • Initial packet size (16 bits)

Together, these fields form a 67-bit signature.

Analyzing the TCP/IP protocol stack is not always successful, however, because many operating systems allow the fields above to be configured, so a system can present itself as a different operating system than the one it actually runs.
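The following example, added here and not part of the original article, shows how the eight header fields listed above can be packed into a 67-bit signature and matched against a table of known stacks. The signature table is constructed for illustration (the labels OS-A, OS-B, OS-C and their values are made up, not taken from p0f or Nmap), and the initial-TTL guess assumes the usual initial values 32, 64, 128 and 255, since a packet observed after several hops shows a decremented TTL. Because the fields are configurable, the matcher reports a per-field score rather than a single verdict:

```python
"""Passive TCP/IP stack fingerprint: pack the eight header fields named in the
article into a 67-bit signature and score it against a small signature table.
Example code added for this article; the table values are constructed and
illustrative, not a real p0f or Nmap database."""
from dataclasses import dataclass, asdict

# Common initial TTL values (assumption); a packet seen after n hops shows initial - n.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class StackSignature:
    initial_ttl: int          # 8 bits
    window_size: int          # 16 bits
    mss: int                  # 16 bits
    dont_fragment: bool       # 1 bit
    sack_ok: bool             # 1 bit
    nop: bool                 # 1 bit
    window_scale: int         # 8 bits
    initial_packet_size: int  # 16 bits (total length of the initial SYN)

    def to_bits(self) -> int:
        """Pack the fields into one integer of 8+16+16+1+1+1+8+16 = 67 bits."""
        for value, width in ((self.initial_ttl, 8), (self.window_size, 16),
                             (self.mss, 16), (self.window_scale, 8),
                             (self.initial_packet_size, 16)):
            if not 0 <= value < (1 << width):
                raise ValueError(f"{value} does not fit in {width} bits")
        bits = self.initial_ttl
        bits = (bits << 16) | self.window_size
        bits = (bits << 16) | self.mss
        bits = (bits << 1) | int(self.dont_fragment)
        bits = (bits << 1) | int(self.sack_ok)
        bits = (bits << 1) | int(self.nop)
        bits = (bits << 8) | self.window_scale
        bits = (bits << 16) | self.initial_packet_size
        return bits


def guess_initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError("TTL cannot exceed 255")


def signature_from_syn(observed_ttl, window_size, mss, dont_fragment,
                       sack_ok, nop, window_scale, packet_size) -> StackSignature:
    """Build a signature from the fields of an observed SYN packet."""
    return StackSignature(guess_initial_ttl(observed_ttl), window_size, mss,
                          dont_fragment, sack_ok, nop, window_scale, packet_size)


# Constructed table for illustration only: (label, signature).
SIGNATURE_TABLE = [
    ("OS-A (constructed)", StackSignature(64, 29200, 1460, True, True, True, 7, 60)),
    ("OS-B (constructed)", StackSignature(128, 8192, 1460, True, True, True, 8, 52)),
    ("OS-C (constructed)", StackSignature(255, 65535, 1460, True, True, True, 6, 64)),
]


def match(sig: StackSignature, table=SIGNATURE_TABLE):
    """Score each table entry by the number of agreeing fields.

    Returns a best-first list of (label, agreeing_fields, total_fields).  A
    score below the total hints that some fields were tuned or spoofed."""
    fields = asdict(sig)
    results = []
    for label, known in table:
        known_fields = asdict(known)
        score = sum(1 for k in fields if fields[k] == known_fields[k])
        results.append((label, score, len(fields)))
    results.sort(key=lambda r: -r[1])
    return results


if __name__ == "__main__":
    # Constructed observation: SYN arrived with TTL 52 (12 hops from an initial 64).
    observed = signature_from_syn(52, 29200, 1460, True, True, True, 7, 60)
    print(f"signature: {observed.to_bits():#019x}")
    for label, score, total in match(observed):
        print(f"{label}: {score}/{total} fields agree")
```

The score, rather than an exact 67-bit lookup, is what makes the example useful against the caveat above: a host whose administrator has changed only the TTL still scores 7 of 8 against its true stack, while a full 67-bit equality test would report no match at all.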

Passive

Passive methods are characterized by the fact that they can be carried out completely covertly. Only the traffic already flowing between the observer and the target system is evaluated and analyzed. For example, a simple web session, analyzed concurrently by a passive OS fingerprinting tool, can yield detailed information about a target system.

Active

Active methods are distinguished by the fact that they take the initiative and send data to the destination host, in the hope that the resulting response allows an analysis. This method is therefore more aggressive in nature and not always welcome. Intrusion Detection Systems (IDS) can also detect ongoing active fingerprinting.

Banner grabbing

In addition to the method via the TCP/IP protocol stack described above, the operating system can also be determined by means of so-called banners. Banners are lines of text that services such as HTTP or FTP reveal when a connection is established. In the best case, a banner contains information about both the service in question and the underlying operating system. This technique is also known as banner grabbing and is built into some port scanners.

Example with telnet and ftp:

$ telnet localhost 21
Trying 127.0.0.1...
Connected to ftp.localhost.
Escape character is '^]'.
220 Super FTP Service

Example with netcat:

$ nc 127.0.0.1 22
SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110

Banner grabbing is not always successful either, because many programs allow the banner to be disabled or edited, so that either no information is obtained or a different operating system is suggested than the one actually in use.
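As an added example (not part of the original article), the parser below splits banners of the kinds shown above into service, software and an operating-system hint, which is the check an administrator would run over their own services to see what they disclose. The FTP and SSH banners are the ones quoted in the text; the HTTP Server header is constructed for illustration. The parser assumes the SSH identification string format of RFC 4253 (SSH-protoversion-softwareversion, optionally followed by a space and comments) and a three-digit FTP reply code; for FTP it reports no OS hint, since that greeting has no dedicated comment field:

```python
"""Parse service banners into structured fields and flag those that leak an
operating-system hint.  Example code added for this article; the HTTP banner
in the demo is constructed, the FTP and SSH banners are quoted from the text."""
import re

# RFC 4253, section 4.2: "SSH-" protoversion "-" softwareversion [SP comments]
SSH_BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.+))?$")
# FTP greeting: a three-digit reply code followed by free text
FTP_BANNER = re.compile(r"^(?P<code>\d{3})[ -](?P<text>.*)$")
# HTTP Server header: product token(s), optionally a parenthesised comment such as the OS
HTTP_SERVER = re.compile(
    r"^Server:\s*(?P<software>[^()\r\n]+?)\s*(?:\((?P<comments>[^)]*)\))?\s*$",
    re.IGNORECASE,
)


def parse_banner(banner: str) -> dict:
    """Return {'service', 'software', 'os_hint'}; os_hint is None if nothing leaks."""
    stripped = banner.strip()
    line = stripped.splitlines()[0] if stripped else ""
    if m := SSH_BANNER.match(line):
        # The comments field is where an OS string such as "FreeBSD-20061110" appears.
        return {"service": "ssh", "software": m["software"], "os_hint": m["comments"]}
    if m := HTTP_SERVER.match(line):
        return {"service": "http", "software": m["software"], "os_hint": m["comments"]}
    if m := FTP_BANNER.match(line):
        # The FTP greeting has no dedicated comment field, so no OS hint is extracted.
        return {"service": "ftp", "software": m["text"], "os_hint": None}
    return {"service": "unknown", "software": None, "os_hint": None}


def leaks_os(banner: str) -> bool:
    """True if the banner carries an operating-system hint worth removing."""
    return parse_banner(banner)["os_hint"] is not None


if __name__ == "__main__":
    samples = [
        "220 Super FTP Service",                    # quoted in the article
        "SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110",   # quoted in the article
        "Server: ExampleHTTPd/1.0 (Unix)",          # constructed
    ]
    for sample in samples:
        info = parse_banner(sample)
        print(f"{sample!r}: {info}  leaks OS: {leaks_os(sample)}")
```

Run against a saved list of your own services' greetings, `leaks_os` singles out the banners that should be trimmed or disabled, which is exactly the countermeasure the paragraph above describes from the other side.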

OS fingerprinting tools

  • p0f (passive)
  • Ettercap (active)
  • Xprobe2 (active)
  • Nmap (active)
  • AutoScan-Network (active)