Passive Operating System Identification Fingerprinting

written by: Andy Crowd; article published: year 2007, month 07;



Passive OS fingerprinting is a technique that is gaining popularity in both the cracker world and the security world. It allows a person to identify an operating system by analyzing the behaviour of its TCP/IP stack. This technique is as stealthy as it gets because all you need is a packet sniffer and some time. An attacker using a sniffer does not have to worry about sending strange packets to determine what OS he is up against, so there is nothing for the target to log.

Almost all operating systems have default settings, including settings for TCP/IP. An example of this is Linux. If you look at /proc/sys/net/ipv4 in Listing 1, you'll find a wide range of settings that hold the default values the system uses in its day-to-day operation.

Listing 1 /proc/sys/net/ipv4
conf
icmp_destunreach_rate
icmp_echo_ignore_all
icmp_echo_ignore_broadcasts
icmp_echoreply_rate
icmp_ignore_bogus_error_responses
icmp_paramprob_rate
icmp_timeexceed_rate
igmp_max_memberships
ip_always_defrag
ip_autoconfig
ip_default_ttl
ip_dynaddr
ip_forward
ip_local_port_range
ip_masq_debug
ip_no_pmtu_disc
ipfrag_high_thresh
ipfrag_low_thresh
ipfrag_time
neigh
route
tcp_fin_timeout
tcp_keepalive_probes
tcp_keepalive_time
tcp_max_ka_probes
tcp_max_syn_backlog
tcp_retrans_collapse
tcp_retries1
tcp_retries2
tcp_rfc1337
tcp_sack
tcp_stdurg
tcp_syn_retries
tcp_syncookies
tcp_timestamps
tcp_window_scaling

Let's look at a few of these parameters and determine what they do and how they affect the operating system.

- ip_default_ttl: This parameter sets the default time-to-live value; on Linux it is 64. It can be changed on a Linux box with echo 128 > ip_default_ttl (run from within /proc/sys/net/ipv4).

- ip_forward: Although this parameter does not directly affect passive OS fingerprinting, it does have a big effect on OS security. By default, ip_forward is set to 0, which disables IP forwarding. Setting it to 1 enables IP forwarding.

- ip_local_port_range: This parameter identifies the default source port range that Linux will use. Normally, this is set to 1024-4999. This is good information to know if you are attempting to determine whether a packet is consistent with a default Linux stack or has been crafted.

- tcp_sack: This parameter lets the operating system know whether it supports the Selective Acknowledgment standard (RFC 2883). By default (Linux), this is set to 1 (supports this standard).

- tcp_timestamps: This parameter lets the operating system know whether it supports the timestamp function. By default (Linux), this is set to 1.

- tcp_window_scaling: This parameter lets the operating system know whether it supports the window scaling function. This option is used to decrease congestion. By default (Linux), this is set to 1.

Listing 1 shows only the parameters that are related to passive OS fingerprinting. Although we have only covered Linux default settings so far, every OS has its own set of default settings. A good example is the Windows platform; Windows 98, NT, and 2000 all use a default TTL of 128.

Let's look at a few other operating systems and their default TCP/IP settings:

- Microsoft (98, NT)

Packet size (just headers) = 44 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag and the Maximum Segment Size (MSS) option

TTL = 128

- Microsoft (2000)

Packet size (just headers) = 48 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, the Maximum Segment Size (MSS) option, two (2) NOPs, and the Selective Acknowledgment (sackOK) option.

TTL = 128

- Linux (Red Hat 6.2)

Packet size (just headers) = 60 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, the Maximum Segment Size (MSS) option, NOPs, the Selective Acknowledgment (sackOK) option, Timestamp, and Window Scaling (wscale). These hold true for the initial SYN. In a SYN|ACK, Linux answers with the options offered by the computer that sent the initial SYN.

TTL = 64; on a RESET packet the TTL is 255

Knowing this, you can identify operating systems by looking at network traffic. One thing to keep in mind is that, if a sys-admin or cracker changes any of these parameters, it will throw off your analysis. Therefore, passive OS fingerprinting is not 100% accurate, but, then again, nothing is. Listing 2 shows two packets and will help us identify an OS using passive fingerprinting.

Listing 2 Identifying Operating Systems
15:59:52.533502 > my_isp.net.1100 > 134.11.235.232.www: S 325233392:325233392(0) win 
32120 <mss 1460,sackOK,timestamp 88950 0,nop,wscale 0> (DF) (ttl 64, id 505)
             4500 003c 01f9 4000 4006 0522 xxxx xxxx
             860b ebe8 044c 0050 1362 aaf0 0000 0000
             a002 7d78 7887 0000 0204 05b4 0402 080a
             0001 5b76 0000 0000 0103 0300
16:00:14.188756 >my_isp.net.1105 > 134.11.235.232.www: R 346737591:346737591(0) win 0 
(ttl 255, id 544)
             4500 0028 0220 0000 ff06 860e xxxx xxxx
             860b ebe8 0451 0050 14aa cbb7 0000 0000
             5004 0000 973c 0000

In Listing 2 you see two packets. The first is a SYN packet, and the second is a RST packet. Looking at the SYN packet, notice some important indicators:

- The SYN has a TTL of 64.

- The SYN sets its mss, sackOK, timestamp, nop, and wscale options and the DF flag. Also, pay close attention to the IP total length field (3c = 60 bytes).

- Look at the source port as well. Port 1100 falls within the default source port range of 1024 through 4999.

These indicators point to…LINUX. That's right: the packets in Listing 2 came from a Linux machine. Let's take a brief look at the RST packet. First, look at the TTL (255). When Red Hat Linux sends an RST, it uses a default TTL of 255, whereas, when it is trying to establish a connection, it uses a TTL of 64. Another characteristic of Linux RST packets is their size. Normally, a Red Hat SYN packet is 60 bytes in length; when setting the RST flag, RH Linux sends a packet of only 40 bytes (20-byte IP header plus 20-byte TCP header, no options).
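To make the analysis above mechanical, here is an added example (not code from the article) that parses the raw bytes of the two Listing 2 packets and matches them against the default signatures tabulated earlier. The masked source address is replaced by a constructed placeholder, so the IP checksum no longer verifies and is simply ignored.

```python
import struct
# Added example, not the article's code: parse the raw IPv4/TCP bytes of Listing 2 and
# match them against the default signatures the article lists. The masked source address
# ("xxxx xxxx") is replaced by the constructed placeholder 0a000001; checksums are ignored.
LISTING2_SYN = bytes.fromhex(
    "4500003c01f9400040060522" "0a000001" "860bebe8044c00501362aaf000000000"
    "a0027d7878870000020405b40402080a" "00015b760000000001030300")
LISTING2_RST = bytes.fromhex(
    "4500002802200000ff06860e" "0a000001" "860bebe80451005014aacbb700000000"
    "50040000973c0000")
OPTION_NAMES = {1: "nop", 2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}
# Initial-SYN signatures from the article's table: (IP total length, TTL, option order).
SIGNATURES = {
    "Windows 98/NT": (44, 128, ("mss",)),
    "Windows 2000": (48, 128, ("mss", "nop", "nop", "sackOK")),
    "Linux (Red Hat 6.2)": (60, 64, ("mss", "sackOK", "timestamp", "nop", "wscale")),
}

def parse_packet(pkt):
    # IP header: total length (bytes 2-3), flags/fragment (6-7), TTL (8); IHL gives TCP offset
    total_len, flags_frag, ttl = struct.unpack("!H2xHB", pkt[2:9])
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    sport, data_off = int.from_bytes(tcp[:2], "big"), (tcp[12] >> 4) * 4
    opts, i = [], 20
    while i < data_off:                      # walk the TCP option list in order
        kind = tcp[i]
        if kind == 0:                        # end-of-options padding
            break
        if kind == 1:                        # NOP carries no length byte
            opts.append("nop"); i += 1; continue
        opts.append(OPTION_NAMES.get(kind, "kind%d" % kind))
        i += tcp[i + 1]                      # skip kind, length and data bytes
    return {"total_len": total_len, "ttl": ttl, "df": bool(flags_frag & 0x4000),
            "sport": sport, "default_linux_port": 1024 <= sport <= 4999,
            "syn": bool(tcp[13] & 0x02), "rst": bool(tcp[13] & 0x04), "options": tuple(opts)}

def guess_os(fields):
    if fields["rst"]:                        # article: Red Hat RSTs use TTL 255 and 40 bytes
        return "Linux (Red Hat 6.2)" if (fields["ttl"], fields["total_len"]) == (255, 40) else "unknown"
    if not (fields["syn"] and fields["df"]):
        return "unknown"                     # every listed signature sets DF on the SYN
    for name, sig in SIGNATURES.items():
        if (fields["total_len"], fields["ttl"], fields["options"]) == sig:
            return name
    return "unknown"
```

Because the match is exact on length, TTL and option order, a host whose administrator has changed ip_default_ttl or disabled tcp_sack falls through to "unknown" rather than being misclassified, which is the caveat the article raises about tuned stacks.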

How do OS fingerprinting and Linux tie back into reconnaissance? If a cracker uses any of the previously mentioned techniques, he can obtain very valuable information about a computer network. That type of information includes network mapping, IP addresses, patch levels, and discovery of the different operating systems in use.
