9.2 TCP Stack Fingerprinting


TCP stack fingerprinting involves hurling a variety of packet probes at a target and predicting the remote OS by comparing changes in responses against a database. Nmap, by Fyodor of Insecure.org, is considered the best tool for the job. Nmap runs on Linux and Windows and can craft custom-fragmented packets.

9.2.1 Nmap Test

Let's try downloading Nmap (http://www.insecure.org/nmap) and using it against a remote host, with the following command:

 nmap -v -sS -O ###.com 

In this case, we're scanning a remote host running a pre-release version of Windows .NET Server RC2 (the pre-release name of what shipped as Windows Server 2003), so it's going to be tough to accurately fingerprint.

 Host ###.com (xxx.xx.xx.xx) appears to be up ... good.
 Initiating SYN half-open stealth scan against ###.com (xxx.xx.xx.xx)
 Adding TCP port 88 (state open).
 Adding TCP port 17 (state open).
 Adding TCP port 389 (state open).
 Adding TCP port 9 (state open).
 Adding TCP port 19 (state open).
 Adding TCP port 1068 (state open).
 Adding TCP port 636 (state open).
 Adding TCP port 593 (state open).
 Adding TCP port 1067 (state open).
 Adding TCP port 53 (state open).
 Adding TCP port 13 (state open).
 Adding TCP port 464 (state open).
 Adding TCP port 445 (state open).
 Adding TCP port 135 (state open).
 Adding TCP port 5000 (state open).
 Adding TCP port 7 (state open).
 Adding TCP port 1026 (state open).
 Adding TCP port 3389 (state open).
 The SYN scan took 0 seconds to scan 1523 ports.
 For OSScan assuming that port 7 is open and port 1 is closed and neither are firewalled
 Interesting ports on ###.com (xxx.xx.xx.xx):
 (The 1505 ports scanned but not shown below are in state: closed)
 Port       State       Service
 7/tcp      open        echo
 9/tcp      open        discard
 13/tcp     open        daytime
 17/tcp     open        qotd
 19/tcp     open        chargen
 53/tcp     open        domain
 88/tcp     open        kerberos-sec
 135/tcp    open        loc-srv
 389/tcp    open        ldap
 445/tcp    open        microsoft-ds
 464/tcp    open        kpasswd5
 593/tcp    open        http-rpc-epmap
 636/tcp    open        ldapssl
 1026/tcp   open        nterm
 1067/tcp   open        instl_boots
 1068/tcp   open        instl_bootc
 3389/tcp   open        msrdp
 5000/tcp   open        fics

 TCP Sequence Prediction: Class=random positive increments
                          Difficulty=14410 (Worthy challenge)
 Sequence numbers: 3AD7953F 3AD8570E 3AD97977 3ADA2100 3ADB1400 3ADB9658
 Remote operating system guess: Windows 2000 RC1 through final release

 Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

Nmap was impressively close, but not quite correct. The challenge was a little unfair, though, since the OS is a pre-release version. We used this example to emphasize the fact that TCP stack fingerprinting is based on an empirical database that must be regularly updated.
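The "TCP Sequence Prediction" line in the scan output is worth reproducing by hand, because it is the one part of the fingerprint you can check without a database. The following is an added example written for this section, not code from the book or from Nmap: it takes the six sequence numbers printed above, computes the deltas between consecutive ISNs (modulo 2^32, since the sequence space wraps), classifies the generator, and computes the "Difficulty" as the population standard deviation of those deltas, which for these six values comes out at exactly the 14410 Nmap printed. The function names, the class labels other than the ones visible in the output, and the ASSUMED_TRULY_RANDOM_CUTOFF constant are this example's own assumptions rather than Nmap's internals.

```python
# Added example, not part of the book and not Nmap's own code: reproduce the
# "TCP Sequence Prediction" line of the scan above from the six sampled ISNs.
import math
from typing import List

# The six SYN|ACK initial sequence numbers printed in the Nmap run above.
SAMPLED_ISNS = [0x3AD7953F, 0x3AD8570E, 0x3AD97977, 0x3ADA2100, 0x3ADB1400, 0x3ADB9658]

# Assumed cutoff (not an Nmap constant): increments whose spread exceeds this
# are reported as truly random rather than as random positive increments.
ASSUMED_TRULY_RANDOM_CUTOFF = 50_000_000


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, reduced modulo 2**32 because the
    32-bit sequence space wraps around."""
    return [(later - earlier) % 2**32 for earlier, later in zip(isns, isns[1:])]


def isn_difficulty(isns: List[int]) -> int:
    """Population standard deviation of the deltas, rounded to an integer.
    For the ISNs above this evaluates to 14410, the Difficulty in the scan output."""
    d = isn_deltas(isns)
    mean = sum(d) / len(d)
    variance = sum((x - mean) ** 2 for x in d) / len(d)
    return int(math.sqrt(variance) + 0.5)


def isn_class(isns: List[int]) -> str:
    """Classify the ISN generator; 'random positive increments' is the class
    the scan output reports for the sampled host."""
    d = isn_deltas(isns)
    if all(x == 0 for x in d):
        return "constant"                      # same ISN every time: trivially predictable
    if all(x % 64000 == 0 for x in d):
        return "64K rule"                      # increments in multiples of 64000
    if all(x % 800 == 0 for x in d):
        return "i800 rule"                     # increments in multiples of 800
    if any(x >= 2**31 for x in d):
        return "truly random"                  # an ISN went "backwards": no monotonic pattern
    if isn_difficulty(isns) > ASSUMED_TRULY_RANDOM_CUTOFF:
        return "truly random"                  # monotonic, but spread too wide to predict
    return "random positive increments"


def describe(isns: List[int]) -> str:
    """One line in the style of the scan output."""
    return (f"TCP Sequence Prediction: Class={isn_class(isns)} "
            f"Difficulty={isn_difficulty(isns)}")


if __name__ == "__main__":
    print("deltas:", isn_deltas(SAMPLED_ISNS))
    print(describe(SAMPLED_ISNS))
```

Feeding the same sample to a modern stack would look very different: current operating systems draw ISNs from a keyed hash of the connection tuple plus a clock (RFC 6528), so the deltas between unrelated connections look random and the old "Difficulty" figure stops being meaningful.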

9.2.2 Nmap Techniques

Fyodor has written a classic paper (listed in the references at the end of this chapter) that delves into the intricacies of the Nmap fingerprinting engine. Nmap uses the following techniques:


FIN probe

Sends a FIN packet to an open port and looks for a response. The correct RFC 793 behavior is to not respond, but incorrect implementations such as MS Windows send a RESET back.


BOGUS flag probe

First used by the Queso scanner, this sets an undefined flag in the TCP header of a SYN packet to help identify an OS.


TCP ISN sampling

Used to find patterns in the initial sequence numbers (ISNs) chosen by TCP implementations when responding to connection requests.


DF bit

Operating systems that set the IP "don't fragment" bit give clues that can narrow down their identity.


TCP initial window

By checking the window size on returned packets, you can often identify the OS.


ACK value

Various OS implementations use distinct values for the ACK field.


ICMP error message quenching

Operating systems that correctly follow RFC 1812 limit the rate at which various error messages are sent. You can assay this implementation by sending many packets to a random high UDP port and counting the number of unreachables received.


ICMP message quoting

For a port-unreachable message, most OSs send only the required IP header + eight bytes back. However, Solaris sends back more than this standard, and Linux sends back even more than Solaris. This technique allows Nmap to recognize Linux and Solaris hosts even if they don't have any ports listening.


ICMP error message echoing integrity

Nmap assays ICMP errors to detect subtle, OS-dependent changes.


Type of service

Changes in the type-of-service (TOS) value packets sent back in ICMP port-unreachable messages give clues about the remote OS.


Fragmentation handling

Uses variations in how different OSs handle overlapping IP fragments.


TCP options

Options vary by OS implementation, which can be useful in fingerprinting.


Exploit chronology

Perhaps the most elegant of all fingerprinting methods, this technique involves launching sequential denial-of-service attacks in increasing chronology (not recommended). After each attack, simply ping the target to see if it has crashed. When you finally crash the target, you will likely have narrowed the OS down to the granularity of a single service pack or hotfix.
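None of the probes above identifies an OS on its own; the guess comes from scoring the whole set of responses against a database of fingerprints and reporting the closest entry, which is why the scan above landed on "Windows 2000" for a stack the database had never seen. The following is an added example written for this section, not the book's code and not Nmap's: a miniature matcher over a fingerprint format modelled on Nmap's first-generation "Test(attr=value%attr=value)" lines. The three fingerprints ("Hypothetical OS A/B/C"), the observed responses, and the function names (parse_db, score, rank, guess) are all constructed for illustration; none of the values is a real Nmap database entry.

```python
# Added example, not part of the book and not Nmap's own code: a miniature
# matcher in the spirit of first-generation Nmap fingerprints. Every
# fingerprint and every observed response below is constructed for
# illustration; none is a real Nmap database entry.
from typing import Dict, List, Tuple

Fingerprint = Dict[str, Dict[str, List[str]]]   # test -> attribute -> acceptable values

# Constructed database. "|" separates alternative acceptable values. The tests
# correspond to probes listed in the text: ISN class (TSeq), the FIN probe,
# the SYN reply (DF bit, window, ACK value, TCP options) and the ICMP port
# unreachable (DF bit, number of quoted bytes).
CONSTRUCTED_DB = """
Fingerprint Hypothetical OS A
TSeq(Class=RI)
FIN(Resp=N)
SYN(DF=Y%W=16D0%ACK=S++%Ops=MNWNNT)
PU(DF=N%QuoteLen=28)

Fingerprint Hypothetical OS B
TSeq(Class=RI|TR)
FIN(Resp=Y)
SYN(DF=Y%W=402E|4000%ACK=S++%Ops=MNWNNT)
PU(DF=N%QuoteLen=28)

Fingerprint Hypothetical OS C
TSeq(Class=64K|i800)
FIN(Resp=N)
SYN(DF=N%W=2238%ACK=S%Ops=M)
PU(DF=N%QuoteLen=64)
"""

# Constructed "observed" responses: the FIN probe was answered with a RST
# (Resp=Y), the SYN reply had DF set, window FAF0, ACK = our ISN+1 (S++) and
# options MNWNNT, and the port unreachable quoted 28 bytes. The window value
# matches no entry, which is what a stack the database has not seen looks like.
OBSERVED = {
    "TSeq": {"Class": "RI"},
    "FIN": {"Resp": "Y"},
    "SYN": {"DF": "Y", "W": "FAF0", "ACK": "S++", "Ops": "MNWNNT"},
    "PU": {"DF": "N", "QuoteLen": "28"},
}


def parse_db(text: str) -> Dict[str, Fingerprint]:
    """Parse fingerprint text into {os_name: {test: {attr: [alternatives]}}}."""
    db: Dict[str, Fingerprint] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):]
            db[current] = {}
            continue
        if current is None:
            raise ValueError(f"test line before any Fingerprint header: {line!r}")
        test, _, body = line.partition("(")
        attrs: Dict[str, List[str]] = {}
        for pair in body.rstrip(")").split("%"):
            key, _, value = pair.partition("=")
            attrs[key] = value.split("|")
        db[current][test] = attrs
    return db


def score(observed: Dict[str, Dict[str, str]], fp: Fingerprint) -> Tuple[int, int]:
    """Return (matched, total): how many of the fingerprint's attributes the
    observed responses satisfy. A response we never saw counts as a mismatch."""
    matched = total = 0
    for test, attrs in fp.items():
        for key, alternatives in attrs.items():
            total += 1
            if observed.get(test, {}).get(key) in alternatives:
                matched += 1
    return matched, total


def rank(observed, db: Dict[str, Fingerprint]) -> List[Tuple[str, int, int]]:
    """All fingerprints, best match first, as (name, matched, total)."""
    scored = [(name,) + score(observed, fp) for name, fp in db.items()]
    return sorted(scored, key=lambda r: (r[1] / r[2], r[1]), reverse=True)


def guess(observed, db: Dict[str, Fingerprint]) -> Tuple[str, int, int]:
    """The closest entry, even when no entry matches exactly."""
    return rank(observed, db)[0]


if __name__ == "__main__":
    db = parse_db(CONSTRUCTED_DB)
    for name, m, t in rank(OBSERVED, db):
        print(f"{name}: {m}/{t} tests matched")
    print("Remote operating system guess:", guess(OBSERVED, db)[0])
```

With the constructed input, "Hypothetical OS B" wins on 7 of 8 attributes even though the observed window matches nothing in the database. A matcher that always reports its best entry will confidently name a neighbour of the true OS whenever the database is stale, which is the caveat the scan above illustrates; printing the match ratio alongside the guess, as rank does, is the cheap way to expose that.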

9.2.3 Defeating Nmap

There have been attempts to provide fingerprinting countermeasures. One example is IP Personality (http://ippersonality.sourceforge.net), a Linux netfilter module that allows you to vary the IP stack behavior in response to particular probes. The patch allows you to emulate the behavior of any system listed in Nmap's list of OS fingerprints. In essence, each variety of probe elicits a different "personality" from the module, resulting in a different response. Some features can even be applied to routed traffic and thus fool scans directed at machines behind the router.

Note that Nmap assumes that if a port is open, the service associated with that port number is up, which is not always a useful assumption. For example, some port monitoring programs hold ports open in an attempt to fool scanners and keep the connection open so they can spy on the attacker.



Security Warrior
ISBN: 0596005458
Year: 2004
Pages: 211