(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version


Remote OS fingerprinting


2009/08/31

Girish Venkatachalam


Girish Venkatachalam is a UNIX hacker with more than a decade of networking and crypto programming experience. His hobbies include yoga,cycling, cooking and he runs his own business. Details here:

http://gayatri-hitech.com
http://spam-cheetah.com

What is meant by OS fingerprinting?

It must be familiar to UNIX geeks. There are popular tools like nmap that help you identify which hosts run Windows and which hosts run Linux. This can be as specific as even getting to know if a patch or service pack in Windows was installed.

But there is a problem with nmap OS fingerprinting as it uses active fingerprinting. Not a great idea. We want to use passive OS fingerprinting. In passive OS fingerprinting we rely on TCP SYN packets from the remote host to identify the OS. This is quite reliable though it can be trivially spoofed. I would imagine that if we use passive OS fingerprinting we can be reasonably sure about the remote OS.

It can be used as a policy tool to implement firewalling that can protect us against Windows worms or viruses. We can have a logical separation between Windows hosts and other hosts.

Passive OS fingerprinting can help us in many other ways too. We can find out many things that are hidden from the eyes of systems administrators. A tool called p0f is famous for doing passive OS fingerprinting correctly. And OpenBSD pf, the firewall in OpenBSD has inbuilt ability to do fingerprinting. You can also change the string that it displays for identifying the OS by specifying it in a file /etc/pf.os on any OpenBSD machine.

p0f and OpenBSD pf both use the TCP default Window size, time to live, the presence of absence of the DF(dont fragment) bit in IP header, the size of the SYN packet and the options in TCP header to identify the remote OS through passive fingerprinting.

You can identify what software people have installed by looking at the greeting message of TCP protocols by simply connecting to them with netcat. You can know if people use sendmail, postfix or MS Exchange. You can identify the OpenSSH version, you can know which web server people use and many other networking forensic data can be collected.

If you wish to know the countries that hit your web server, then GeoIP can help you lookup IP address and know where the ISP is located. This is not accurate as most free tools don't have the correct database. You have to do some crosschecks before arriving at the right tool.

Network forensic analysis is towing the thin line between hacking and cracking. We are not interested in prying into other people's or other network's innards. But you can use such tools for several useful applications without intruding into other's privacy.

Network scanning is also useful to know which services are running on UNIX hosts and request users to turn off harmful services. NAT is a blessing in disguise because most machines are not accessible to the big bad Internet. If that were not the case we would be having a lot more attacks than now.

References

  1. nmap homepage
  2. p0f homepage
  3. OpenBSD pf FAQ




More Articles by Girish Venkatachalam




Click here to add your comments




Tue Sep 1 03:16:55 2009: Subject:   xnih

gravatar
p0f is a good start but only touches on TCP Syn/Ack/Reset packets. It misses out on higher level stuff and other protocols completely.

The paper is getting old now (Aug 2005), but:
http://myweb.cableone.net/xnih/download/OS%20FingerPrint.pdf

It touches on other protocols that can be used for passive fingerprinting. Easy stuff like web agent fingerprinting, smb packets, mdns, sap/ipx, etc.

Or a full paper just on DHCP fingerprinting:
http://myweb.cableone.net/xnih/download/chatter-dhcp.pdf

Again, all passive stuff.

Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar


/Girish/os-fingerprinting.html copyright August 2009 Girish Venkatachalam All Rights Reserved

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here

Jump to Comments



Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.


book graphic unix and linux troubleshooting guide

My Troubleshooting E-Book will show you how to solve tough problems on Linux and Unix systems!



 I sell and support
 Kerio Mail server






More:
       - Security


Unix/Linux Consultants

Skills Tests

Guest Post Here