9.4 Passive Fingerprinting


Nmap launches fragmented packets against a target, a technique known as active fingerprinting. In contrast, passive fingerprinting uses a sniffer to quietly map a network without sending any packets.

Passive fingerprinting works because TCP/IP flag settings are specific to various operating system stacks. These settings vary from one TCP stack implementation to another and include the following:

  • Initial TTL (8 bits)

  • Window size (16 bits)

  • Maximum segment size (16 bits)

  • "Don't fragment" flag (1 bit)

  • sackOK option (1 bit)

  • nop option (1 bit)

  • Window scaling option (8 bits)

  • Initial packet size (16 bits)

When combined, these flag settings provide a unique, 67-bit signature for every system. p0f (http://www.stearns.org/p0f/) is an example of a passive OS fingerprinting tool.

p0f performs passive OS fingerprinting based on information from a remote host when it establishes a connection to your system. This works because incoming packets often contain enough information to determine the source OS. Unlike active scanners such as Nmap, p0f can fingerprint without sending anything to the source host. The real advantage is that the source host (i.e., an attacker) is not aware that you are fingerprinting his machine. So even if he is well firewalled, his outgoing packets can betray the name and version of his OS.

p0f was written for Linux, but using cygwin you can run it on almost any version of Windows. The cygwin environment emulates a Unix environment on top of your Windows machine. It is available for free from http://www.cygwin.com. p0f also needs the WinPcap drivers to be installed. These are also free and are available from http://winpcap.polito.it.

Once these are installed, make sure to place p0f.fp in your /etc directory in the cygwin environment or in the current directory. p0f has the following syntax:

 p0f [ -f file ] [ -i device ] [ -o file ] [ -s file ] [ -vKUtq ]

 -f file   read fingerprint information from file
 -i device read packets from device
 -s file   read packets from file
 -o file   write output to file (best with -vt)
 -v        verbose mode
 -U        do not display unknown signatures
 -K        do not display known signatures
 -q        be quiet (do not display banners)
 -t        add timestamps

Verbose mode gives you information on the source and destination IP addresses and source and destination ports.

p0f relies on a database of known OS fingerprints. This database is stored in a file in the /etc directory called p0f.fp. Each entry in this file is a description of the unique TCP parameters specific to the first SYN packet sent by a remote party while establishing a connection.

These unique TCP parameters include window size (wss), maximum segment size (mss), the "don't fragment" flag (DF), window scaling (wscale), the sackOK flag, the nop flag, initial time-to-live (TTL), and SYN packet size (as declared).

The format for the fingerprints is as follows:

 wwww:ttt:mmm:D:W:S:N:I:OS Description 

with the following composition:

 wwww - window size
 ttt  - time-to-live
 mmm  - maximum segment size
 D    - don't fragment flag (0=unset, 1=set)
 W    - window scaling (-1=not present, other=value)
 S    - sackOK flag (0=unset, 1=set)
 N    - nop flag (0=unset, 1=set)
 I    - packet size (-1=irrelevant)

The following are example OS fingerprint signatures used in the p0f database, based on empirical data:

 31072:64:3884:1:0:1:1:-1:Linux 2.2.12-20 (RH 6.1)
 512:64:1460:0:0:0:0:44:Linux 2.0.35 - 2.0.38
 32120:64:1460:1:0:1:1:60:Linux 2.2.9 - 2.2.18
 16384:64:1460:1:0:0:0:44:FreeBSD 4.0-STABLE, 3.2-RELEASE
 8760:64:1460:1:0:0:0:-1:Solaris 2.6 (2)
 9140:255:9140:1:0:0:0:-1:Solaris 2.6 (sunsite)
 49152:64:1460:0:0:0:0:44:IRIX 6.5 / 6.4
 8760:255:1460:1:0:0:0:44:Solaris 2.6 or 2.7 (1)
 8192:128:1460:1:0:0:0:44:Windows NT 4.0 (1)
 8192:128:1460:1:0:1:1:48:Windows 9x (1)
 8192:128:536:1:0:1:1:48:Windows 9x (2)
 2144:64:536:1:0:1:1:60:Windows 9x (4)
 16384:128:1460:1:0:1:1:48:Windows 2000 (1)

Now, let's run p0f and examine a sample of its output:

 >p0f
 p0f: passive os fingerprinting utility, version 1.8.3
 (C) Michal Zalewski <lcamtuf@gis.net>, William Stearns <wstearns@pobox.
 p0f: file: '/etc/p0f.fp', 207 fprints, iface: '\', rule: 'all'.
 UNKNOWN [64240:116:1380:1:-1:1:1:48].
 [22 hops]: Windows NT 5.0 (2)
 [21 hops]: Windows XP Pro, Windows 2000 Pro
 [17 hops]: Windows NT 4.0 (1) *
 UNKNOWN [65535:118:1440:1:0:1:1:52].
 [19 hops]: Windows NT 5.0 (2)
 [20 hops]: Windows NT 5.0 (2)
 [19 hops]: Windows 2000 Pro (2128)
 [19 hops]: Windows 2000 Pro (2128)
 [14 hops]: Windows NT 5.0 (2)
 UNKNOWN [64240:116:1380:1:-1:1:1:48].
 [17 hops]: Windows XP Pro, Windows 2000 Pro
 UNKNOWN [64240:116:1380:1:-1:1:1:48].
 [19 hops]: Windows 9x (1) *
 [17 hops]: Windows 2000 (9)
 UNKNOWN [64240:116:1380:1:-1:1:1:48].
 [17 hops]: Linux 2.2.9 - 2.2.18
 [19 hops]: Windows XP Pro, Windows 2000 Pro
 [19 hops]: Windows XP Pro, Windows 2000 Pro
 UNKNOWN [64240:116:1380:1:-1:1:1:48].
 [19 hops]: Linux 2.4.2 - 2.4.14 (1)
 UNKNOWN [64240:116:1380:1:-1:1:1:48].
 [11 hops]: Linux 2.4.2 - 2.4.14 (1)

p0f does a good job of fingerprinting most known operating systems. The main advantage of p0f is that it does not alert the source host that you are fingerprinting it. As you can see from the above output, p0f also reports the TCP parameters of each unknown OS, so that you can test new platforms and add your own rules to the database file.

The only thing you have to do yourself is determine the initial TTL of a packet. It's usually equal to the first power of 2 greater than the TTL you're seeing, assuming your remote party is not too far away (i.e., traceroute shows less than 25 hops). If you get a TTL of 55 in a fingerprint returned by p0f, the initial TTL was probably 64.
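
The signature format and the TTL rule above, worked through as an added example (it is not p0f's code and not from the book): it parses p0f.fp-style lines, rounds the observed TTL up to the nearest initial TTL present in the database, and reports each matching OS with its hop count. The function and field names are hypothetical; the first observation is constructed and the second is the UNKNOWN tuple from the sample output.

```python
# Added example: p0f v1-style signature matching (not p0f's own code).
# Signature lines below are copied from the page's p0f.fp excerpt.
P0F_FP = """\
32120:64:1460:1:0:1:1:60:Linux 2.2.9 - 2.2.18
16384:64:1460:1:0:0:0:44:FreeBSD 4.0-STABLE, 3.2-RELEASE
9140:255:9140:1:0:0:0:-1:Solaris 2.6 (sunsite)
8192:128:1460:1:0:0:0:44:Windows NT 4.0 (1)
8192:128:1460:1:0:1:1:48:Windows 9x (1)
16384:128:1460:1:0:1:1:48:Windows 2000 (1)
"""
FIELDS = ("wss", "ttl", "mss", "df", "wscale", "sackok", "nop", "size")

def parse_fp(text):
    """Parse wwww:ttt:mmm:D:W:S:N:I:OS lines into (fields, description) pairs."""
    sigs = []
    for line in filter(None, map(str.strip, text.splitlines())):
        parts = line.split(":", 8)  # the description may itself contain ':'
        if len(parts) != 9:
            raise ValueError(f"malformed signature: {line!r}")
        sigs.append((dict(zip(FIELDS, map(int, parts[:8]))), parts[8]))
    return sigs

def parse_observed(text):
    """Parse the bracketed tuple p0f prints for a SYN, e.g. after UNKNOWN."""
    values = [int(v) for v in text.strip("[].").split(":")]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields: {text!r}")
    return dict(zip(FIELDS, values))

def match(sigs, syn):
    """Return (description, hops) for every signature consistent with syn."""
    # Assumption: the initial TTL is the smallest TTL in the database that is
    # not below the observed one (the round-up rule, which also covers 255).
    candidates = (s["ttl"] for s, _ in sigs if s["ttl"] >= syn["ttl"])
    initial = min(candidates, default=None)
    hits = []
    for sig, desc in sigs:
        exact = all(sig[k] == syn[k] for k in FIELDS if k not in ("ttl", "size"))
        size_ok = sig["size"] in (-1, syn["size"])  # -1 means "irrelevant"
        if exact and size_ok and sig["ttl"] == initial:
            hits.append((desc, initial - syn["ttl"]))
    return hits

if __name__ == "__main__":
    db = parse_fp(P0F_FP)
    # One constructed observation, then the UNKNOWN tuple from the page's output.
    for seen in ("8192:111:1460:1:0:1:1:48", "[64240:116:1380:1:-1:1:1:48]."):
        print(seen, "->", match(db, parse_observed(seen)) or "UNKNOWN")
```
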

p0f Version 2 also introduced numerous improvements. Notable features of Version 2 include the SYN+ACK and RST+ fingerprinting modes, for silently identifying systems you connect to in the usual way (such as via a web browser) or even systems to which you cannot connect at all.

Another notable feature of p0f Version 2 is masquerade detection, implemented by using the -M flag. Masquerade detection calculates a score based on known operating system signatures. The scoring system is as follows:

Differences in OS fingerprints for the same IP
  • -3 if the same OS

  • +4 if different signature for the same OS genre

  • +6 if different OS genres

NAT and firewall flags set
  • +4 if Network Address Translation (NAT) flags differ for the same signature

  • +4 if firewall (fw) flags differ for the same signature

  • +1 for each NAT and fw flag if signatures differ (maximum 4)

Link type differences
  • +4 if media type differs

Distance differences
  • +1 if host distance differs

Time from the previous occurrence
  • /2 if more than half the cache size of the previous occurrence


Security Warrior
ISBN: 0596005458
EAN: 2147483647
Year: 2004
Pages: 211
