TCP/IP stack fingerprinting
From Wikipedia, the free encyclopedia
TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (also known as OS fingerprinting), or incorporated into a device fingerprint.
TCP/IP Fingerprint Specifics
Certain parameters within the TCP protocol definition are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among operating systems and TCP/IP implementations.[1] The TCP/IP fields that may vary include the following:
- Initial packet size (16 bits)
- Initial TTL (8 bits)
- Window size (16 bits)
- Max segment size (16 bits)
- Window scaling value (8 bits)
- "don't fragment" flag (1 bit)
- "sackOK" flag (1 bit)
- "nop" flag (1 bit)
These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.[2]
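As an added example (not code from the article or from any tool it lists), the following Python pulls the fields listed above out of a raw IPv4/TCP SYN, rounds the observed TTL back up to the initial value the sending stack most likely used, and looks the resulting tuple up in a signature table. The packet builder, the signature tuples and the OS labels are all constructed for the demonstration and describe no real operating system.

```python
import struct

def parse_syn(pkt: bytes) -> dict:
    """Pull the stack-dependent fields out of a raw IPv4 + TCP SYN (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len, = struct.unpack("!H", pkt[2:4])      # "initial packet size"
    flags_frag, = struct.unpack("!H", pkt[6:8])     # bit 0x4000 is "don't fragment"
    ttl = pkt[8]                                    # observed TTL, already decremented per hop
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4                   # TCP header length in bytes
    window, = struct.unpack("!H", tcp[14:16])
    opts, i = tcp[20:data_off], 0
    mss, wscale, sack_ok, nop = None, None, False, False
    while i < len(opts):                            # walk the TCP option list
        kind = opts[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP padding
            nop, i = True, i + 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # truncated or malformed option: stop, never spin
            break
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss, = struct.unpack("!H", opts[i + 2:i + 4])
        elif kind == 3 and length == 3:
            wscale = opts[i + 2]
        elif kind == 4:
            sack_ok = True
        i += length
    return {"size": total_len, "ttl": ttl, "window": window, "mss": mss, "wscale": wscale,
            "df": bool(flags_frag & 0x4000), "sack_ok": sack_ok, "nop": nop}

def initial_ttl(observed: int) -> int:
    # Round the observed TTL up to the usual starting values: a 64-TTL sender 6 hops away shows 58.
    return next(t for t in (32, 64, 128, 255) if observed <= t)

# Hypothetical table (initial TTL, window, MSS, wscale, DF, sackOK, NOP) -> label; constructed, not real OS data.
SIGNATURES = {(64, 65535, 1460, 6, True, True, True): "hypothetical OS A",
              (128, 8192, 1460, 8, True, True, True): "hypothetical OS B"}

def fingerprint(pkt: bytes) -> str:
    f = parse_syn(pkt)
    key = (initial_ttl(f["ttl"]), f["window"], f["mss"], f["wscale"], f["df"], f["sack_ok"], f["nop"])
    return SIGNATURES.get(key, "unknown")

def build_syn(ttl: int, window: int, mss: int, wscale: int, df: bool = True) -> bytes:
    # Construct a sample SYN for the demo (checksums left zero; this is not a captured packet).
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, wscale) + b"\x01\x01\x04\x02"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (5 + len(opts) // 4) << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp
```

A real signature database (such as p0f's) keys on the same kind of tuple but also records option order, and a sender behind a NAT or proxy will show the intermediary's stack rather than its own.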
Protecting against and detecting fingerprinting
Protect against all types of fingerprinting attempts by using a TCP/IP fingerprint obfuscator (also known as a fingerprint scrubber); such tools exist for MS Windows[3], Linux[4], FreeBSD[5], and likely others.
Otherwise, protect against active fingerprinting attempts by limiting the type and amount of traffic your system responds to. Examples include the following: block all unnecessary outgoing ICMP traffic, especially unusual packet types like address masks and timestamps, and block any ICMP echo replies. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a black hole. Active fingerprinting tools themselves also have fingerprints that can be detected.[6]
Many service software packages allow you to customize or remove the banners that they present.
Similarly, protect against passive fingerprinting attempts by limiting the type and amount of traffic your system generates, and limit the number of destinations that it communicates with. Anyone who can see your traffic could passively fingerprint you, and once you send a packet, it is out of your control.
Receipt of excessive TCP SYN packets may indicate active fingerprinting.
Defeating TCP/IP stack or banner fingerprinting does not provide system security. If attackers cannot determine the target operating system type, they can simply try a series of different attacks until one is successful.[7]
Fingerprinting tools
A list of TCP/IP stack and OS fingerprinting tools:
- Ettercap - passive TCP/IP stack fingerprinting.
- NetworkMiner - passive DHCP and TCP/IP stack fingerprinting (combines p0f, Ettercap and Satori databases)
- Nmap - comprehensive active stack fingerprinting.
- p0f - comprehensive passive TCP/IP stack fingerprinting.
- PacketFence[8] - open source NAC with passive DHCP fingerprinting.
- Satori - passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
- SinFP - single-port active/passive fingerprinting.
- XProbe2 - active TCP/IP stack fingerprinting.
Uses of TCP/IP Fingerprinting
TCP Fingerprinting is a valuable tool for
- Vulnerability scanning - TCP fingerprinting is a valuable tool for scanning for vulnerabilities in a web server or enterprise defence. Knowing the operating system provides a clue as to what sort of tools or attacks a hacker can use.
- Fraud detection[9] - more recently, TCP/IP stack fingerprinting has been used as an additional way to fingerprint a device during a transaction in order to detect anomalies.
External links
- p0f v2 signature contribution page
- SinFP OS Fingerprinting Tool
- Remote OS detection via TCP/IP Stack FingerPrinting (2nd Generation)
- Defeating TCP/IP Stack Fingerprinting
- Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later
- Security Cloak - Mask against TCP/IP Fingerprinting in Windows
- Sealing Wafter - Defend against OS Fingerprinting on OpenBSD
- AutoScan Network - Network Monitoring and Management Tool
References
- ^ Know Your Enemy: Passive Fingerprinting, http://project.honeynet.org/papers/finger/
- ^ Chuvakin, A. and Peikari, C.: Security Warrior, page 229. O'Reilly Media Inc., 2004.
- ^ OSfuscate
- ^ IPPersonality
- ^ Defeating TCP/IP stack fingerprinting
- ^ iplog
- ^ OS detection not key to penetration, http://seclists.org/pen-test/2007/Sep/0030.html
- ^ PacketFence
- ^ Device Fingerprinting Knol Article - Device Fingerprinting Fraud Protection