Passive Operating System Identification Fingerprinting

Written by Andy Crowd; published July 2007.




Passive OS fingerprinting is a technique that is gaining popularity in both the cracker world and the security world. It allows a person to identify an operating system by analyzing the behaviour of its TCP/IP stack. The technique is as stealthy as a technique can be, because all you need is a packet sniffer and some time: an attacker using a sniffer does not have to send any strange packets to determine what OS he is up against.

Almost all operating systems ship with default settings, including settings for TCP/IP. Linux is a good example. If you look at /proc/sys/net/ipv4 (Listing 1) you'll find a wide range of parameters whose default values the system uses in its daily tasks.

Listing 1 /proc/sys/net/ipv4
conf
icmp_destunreach_rate
icmp_echo_ignore_all
icmp_echo_ignore_broadcasts
icmp_echoreply_rate
icmp_ignore_bogus_error_responses
icmp_paramprob_rate
icmp_timeexceed_rate
igmp_max_memberships
ip_always_defrag
ip_autoconfig
ip_default_ttl
ip_dynaddr
ip_forward
ip_local_port_range
ip_masq_debug
ip_no_pmtu_disc
ipfrag_high_thresh
ipfrag_low_thresh
ipfrag_time
neigh
route
tcp_fin_timeout
tcp_keepalive_probes
tcp_keepalive_time
tcp_max_ka_probes
tcp_max_syn_backlog
tcp_retrans_collapse
tcp_retries1
tcp_retries2
tcp_rfc1337
tcp_sack
tcp_stdurg
tcp_syn_retries
tcp_syncookies
tcp_timestamps
tcp_window_scaling

Let's look at a few of these parameters and determine what they do and how they affect the operating system.

- ip_default_ttl: This parameter sets the default time-to-live value to 64. It can be changed on a Linux box with echo 128 >> ip_default_ttl.

- ip_forward: Although this parameter does not directly affect passive OS fingerprinting, it does have a big effect on OS security. By default, ip_forward is set to 0, which disables IP forwarding. Setting it to 1 enables IP forwarding.

- ip_local_port_range: This parameter identifies the default source port range that Linux will use. Normally, this is set to 1024-4999. This is good information to know if you are attempting to determine whether a packet is legitimate or not.

- tcp_sack: This parameter lets the operating system know whether it supports the Selective Acknowledgment standard (RFC 2883). By default (Linux), this is set to 1 (supports this standard).

- tcp_timestamps: This parameter lets the operating system know whether it supports the timestamp function. By default (Linux), this is set to 1.

- tcp_window_scaling: This parameter lets the operating system know whether it supports the window scaling function. This option is used to decrease congestion. By default (Linux), this is set to 1.

Listing 1 shows only the parameters that are related to passive OS fingerprinting. Although we have only covered Linux default settings so far, every OS has its own set of default settings. A good example is the Windows platform: Windows 98, NT, and 2000 all use a default TTL of 128.

Let's look at a few other operating systems and their default TCP/IP settings:

- Microsoft (98, NT)

Packet size (just headers) = 44 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag and the Maximum Segment Size (MSS) option

TTL = 128

- Microsoft (2000)

Packet size (just headers) = 48 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, the Maximum Segment Size (MSS) option, two (2) NOPs, and the Selective Acknowledgment (sackOK) option

TTL = 128

- Linux (Red Hat 6.2)

Packet size (just headers) = 60 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, the Maximum Segment Size (MSS) option, NOPs, the Selective Acknowledgment (sackOK) option, Timestamp, and Window Scaling (wscale). These hold true for the initial SYN; in a SYN|ACK, Linux responds according to the options offered by the computer that sent the initial SYN.

TTL = 64; on a RESET packet the TTL is 255

Knowing this, you can identify operating systems by looking at network traffic. One thing to keep in mind is that if a sys-admin or cracker changes any of these parameters, it will throw off your analysis. Therefore, passive OS fingerprinting is not 100% accurate, but, then again, nothing is. Listing 2 shows two packets and will help us identify an OS using passive fingerprinting.

Listing 2 Identifying Operating Systems
15:59:52.533502 > my_isp.net.1100 > 134.11.235.232.www: S 325233392:325233392(0) win 
32120 <mss 1460,sackOK,timestamp 88950 0,nop,wscale 0> (DF) (ttl 64, id 505)
             4500 003c 01f9 4000 4006 0522 xxxx xxxx
             860b ebe8 044c 0050 1362 aaf0 0000 0000
             a002 7d78 7887 0000 0204 05b4 0402 080a
             0001 5b76 0000 0000 0103 0300
16:00:14.188756 >my_isp.net.1105 > 134.11.235.232.www: R 346737591:346737591(0) win 0 
(ttl 255, id 544)
             4500 0028 0220 0000 ff06 860e xxxx xxxx
             860b ebe8 0451 0050 14aa cbb7 0000 0000
             5004 0000 973c 0000

In Listing 2 you see two packets. The first is a SYN packet, and the second is a RST packet. Looking at the SYN packet, notice some important indicators:

- The SYN has a TTL of 64.

- The SYN sets its mss, sackOK, nop, and wscale options and the DF flag. Also, pay close attention to the packet length (3c = 60 bytes), which is all headers since the SYN carries no data.

- Look at the source port as well. Port 1100 falls within the default source port range of 1024 through 4999.

These indicators point to…LINUX. That's right, the traffic we were looking at in Listing 2 came from a Linux machine. Let's take a brief look at the RST packet. First, look at the TTL (255). When Red Hat Linux sends an RST, it uses a default TTL of 255, whereas when it is trying to establish a connection it uses a TTL of 64. Another characteristic of Linux RST packets is their size. Normally, a Red Hat SYN is 60 bytes long; when setting the RST flag, RH Linux sends a packet of only 40 bytes.
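The per-OS defaults listed earlier and the walk-through of Listing 2 both amount to one small decision procedure: decode the IP and TCP headers, read the TTL, total length, DF flag, source port and the TCP option kinds in wire order, then compare against a table of known defaults. The Python below is an added example, not code from the article. It parses the two hex dumps from Listing 2 (the masked source address "xxxx xxxx" is replaced by a constructed placeholder so the bytes decode) and matches them against the three signatures the article gives, including the 40-byte/TTL-255 rule for Red Hat RST packets. One step goes beyond the article: the TTL is decremented at every router hop, so a capture taken away from the sender's LAN must map the observed TTL back to the nearest common initial value (64, 128 or 255; an assumption of this example) before comparing, and the difference gives the hop distance. The sysctls discussed above (ip_default_ttl, ip_local_port_range, tcp_sack, tcp_timestamps, tcp_window_scaling) are exactly the fields this parser pulls out.

```python
"""Passive OS fingerprint of a raw IPv4/TCP header, built from the article's
signature table. Example code added to the article, not the author's."""
import struct

# Hex dumps of the two packets in Listing 2. The article masks the source
# address as "xxxx xxxx"; those four bytes are a CONSTRUCTED placeholder here
# (0a00 0001 = 10.0.0.1) so the dump parses. Every other byte is as listed.
LISTING2_SYN = (
    "4500 003c 01f9 4000 4006 0522 0a00 0001 "
    "860b ebe8 044c 0050 1362 aaf0 0000 0000 "
    "a002 7d78 7887 0000 0204 05b4 0402 080a "
    "0001 5b76 0000 0000 0103 0300"
)
LISTING2_RST = (
    "4500 0028 0220 0000 ff06 860e 0a00 0001 "
    "860b ebe8 0451 0050 14aa cbb7 0000 0000 "
    "5004 0000 973c 0000"
)

TCP_SYN, TCP_RST = 0x02, 0x04
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}

# SYN signatures transcribed from the article's per-OS defaults:
# (name, initial TTL, total length with no payload, option kinds in wire order).
# All three set DF. Windows 2000's "two NOPs" sit between MSS and sackOK.
SYN_SIGNATURES = (
    ("Windows 98/NT",       128, 44, ("mss",)),
    ("Windows 2000",        128, 48, ("mss", "nop", "nop", "sackOK")),
    ("Linux (Red Hat 6.2)",  64, 60, ("mss", "sackOK", "timestamp", "nop", "wscale")),
)
INITIAL_TTLS = (64, 128, 255)    # common starting values; an assumption, not from the article
LINUX_PORT_RANGE = (1024, 4999)  # the article's default ip_local_port_range


def parse_tcp_options(raw):
    """Return option kinds in wire order plus decoded MSS / window scale."""
    kinds, values, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                  # EOL: only padding follows
            break
        if kind == 1:                  # NOP has no length byte
            kinds.append("nop")
            i += 1
            continue
        length = raw[i + 1]
        body = raw[i + 2:i + length]
        kinds.append(OPTION_NAMES.get(kind, "kind%d" % kind))
        if kind == 2:
            values["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3:
            values["wscale"] = body[0]
        i += length
    return kinds, values


def parse_packet(hexdump):
    """Extract the header fields passive fingerprinting relies on."""
    data = bytes.fromhex(hexdump)
    (ver_ihl, _tos, total_len, ip_id, flags_frag,
     ttl, proto, _csum) = struct.unpack("!BBHHHBBH", data[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = data[(ver_ihl & 0x0F) * 4:]            # skip IP header (IHL words)
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    kinds, values = parse_tcp_options(tcp[20:(off_flags >> 12) * 4])
    return {"len": total_len, "id": ip_id, "ttl": ttl, "df": bool(flags_frag & 0x4000),
            "sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x3F,
            "window": window, "options": kinds, **values}


def initial_ttl(observed):
    """Map an observed TTL to the nearest common starting value; the gap is the
    number of router hops between sender and capture point."""
    for start in INITIAL_TTLS:
        if observed <= start:
            return start, start - observed
    return observed, 0


def fingerprint(pkt):
    """Return (guess, hops). 'unknown' is the honest answer when nothing matches,
    for instance because an admin changed a sysctl, as the article warns."""
    start, hops = initial_ttl(pkt["ttl"])
    if pkt["flags"] & TCP_SYN:
        for name, ttl, length, kinds in SYN_SIGNATURES:
            if (start, pkt["len"], pkt["df"], tuple(pkt["options"])) == (ttl, length, True, kinds):
                return name, hops
    elif pkt["flags"] & TCP_RST and pkt["len"] == 40 and start == 255:
        return "Linux (Red Hat 6.2)", hops   # article: RH RSTs are 40 bytes, TTL 255
    return "unknown", hops


def in_linux_default_port_range(port):
    return LINUX_PORT_RANGE[0] <= port <= LINUX_PORT_RANGE[1]


if __name__ == "__main__":
    for label, dump in (("SYN", LISTING2_SYN), ("RST", LISTING2_RST)):
        p = parse_packet(dump)
        print(label, "ttl=%d len=%d df=%s sport=%d options=%s -> %s" % (
            p["ttl"], p["len"], p["df"], p["sport"], p["options"], fingerprint(p)))
```

Running it reports both Listing 2 packets as Red Hat 6.2 at zero hops, with the SYN's source port 1100 inside the 1024-4999 range. Two design points matter for a detection tool built on this idea: it returns "unknown" rather than the closest guess when the option layout or length differ, because, as the article says, a single changed sysctl breaks the match; and the Red Hat 6.2 row is historical, so a real deployment needs a current signature table such as the one p0f maintains.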

How do OS fingerprinting and Linux tie back into reconnaissance? If a cracker uses any of the previously mentioned techniques, he can obtain very valuable information about a computer network. That type of information includes network mapping, IP addresses, patch levels, and discovery of the different operating systems in use.
