TCP/IP stack fingerprinting
TCP/IP stack fingerprinting is the remote detection of the characteristics of a
TCP/IP Fingerprint Specifics
Certain parameters within the
- Initial packet size (16 bits)
- Initial TTL (8 bits)
- Window size (16 bits)
- Max segment size (16 bits)
- Window scaling value (8 bits)
- "don't fragment" flag (1 bit)
- "sackOK" flag (1 bit)
- "nop" flag (1 bit)
These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.[1] Inspecting just the initial TTL and window size fields is often enough to identify an operating system, which eases the task of manual OS fingerprinting.[2]
Protection against and detecting fingerprinting
Protection against fingerprinting as a doorway to attack is achieved by limiting the type and amount of traffic a defensive system responds to. Examples include blocking address masks and timestamps from outgoing
Disallowing TCP/IP fingerprinting provides protection from vulnerability scanners that look for machines running a particular operating system. Fingerprinting facilitates attacks, but blocking those ICMP messages is only one of an array of defenses required for full protection against attacks.[4]
Targeting the ICMP datagram, an obfuscator running on top of IP in the internet layer acts as a "scrubbing tool" that confuses the TCP/IP fingerprinting data. Such obfuscators exist for Microsoft Windows,[5] Linux[6] and FreeBSD.[7]
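The following is an added example, not code from the article or from any of the tools it lists. It demonstrates both passages above in one place: it pulls the eight fields the article names out of a raw IPv4/TCP SYN and packs them into the 67-bit signature (with a TTL-plus-window quick match), and it recognises the ICMP timestamp (type 13) and address-mask (type 17) requests that a host can refuse to answer. All packets are constructed inline with `struct`, not real captures; the `QUICK_TABLE` values and the `Signature`, `fingerprint`, `icmp_probe_type` and builder names are assumptions made for this example, and a real deployment would load a maintained signature database such as p0f's instead.

```python
import struct
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Signature:
    packet_size: int  # IP total length of the SYN (16 bits)
    ttl: int          # TTL as observed on the wire (8 bits)
    window: int       # TCP window size (16 bits)
    mss: int          # MSS option value, 0 if absent (16 bits)
    wscale: int       # window scale option value, 0 if absent (8 bits)
    df: bool          # IP "don't fragment" flag (1 bit)
    sackok: bool      # SACK-permitted option present (1 bit)
    nop: bool         # at least one NOP option present (1 bit)

    def bits(self) -> str:
        """Concatenate the fields into the 67-bit fingerprint string (16+8+16+16+8+1+1+1)."""
        return (f"{self.packet_size:016b}{self.ttl:08b}{self.window:016b}"
                f"{self.mss:016b}{self.wscale:08b}{self.df:d}{self.sackok:d}{self.nop:d}")

def parse_ipv4(pkt: bytes):
    """Return (total_len, ttl, protocol, df, payload) from an IPv4 packet."""
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return total_len, ttl, proto, bool(flags_frag & 0x4000), pkt[ihl:total_len]

def parse_tcp_options(options: bytes):
    """Walk the TCP option list; stop early on a truncated or malformed list."""
    mss = wscale = 0
    sackok = nop = False
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                   # end of option list
            break
        if kind == 1:                                   # NOP has no length byte
            nop = True
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:  # missing or bogus length
            break
        length = options[i + 1]
        body = options[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        elif kind == 4:
            sackok = True
        i += length
    return mss, wscale, sackok, nop

def fingerprint(pkt: bytes) -> Optional[Signature]:
    """Extract the signature from a bare SYN (SYN set, ACK clear); None for anything else."""
    total_len, ttl, proto, df, seg = parse_ipv4(pkt)
    if proto != 6 or len(seg) < 20:
        return None
    _src, _dst, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", seg[:16])
    flags = off_flags & 0x3F
    if not flags & 0x02 or flags & 0x10:
        return None
    data_off = (off_flags >> 12) * 4
    mss, wscale, sackok, nop = parse_tcp_options(seg[20:data_off])
    return Signature(total_len, ttl, window, mss, wscale, df, sackok, nop)

def initial_ttl(observed: int) -> int:
    """Each hop decrements the TTL, so round up to the nearest common initial value."""
    return next((c for c in (32, 64, 128, 255) if observed <= c), 255)

# Assumption: illustrative (initial TTL, window) pairs for this demo only, not a maintained database.
QUICK_TABLE = {(64, 29200): "Linux-like", (128, 8192): "Windows-like", (64, 65535): "BSD-like"}

def quick_guess(sig: Signature) -> str:
    """The TTL-plus-window shortcut the article mentions."""
    return QUICK_TABLE.get((initial_ttl(sig.ttl), sig.window), "unknown")

ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST = 13, 17

def icmp_probe_type(pkt: bytes) -> Optional[int]:
    """Return the ICMP type if this is a timestamp or address-mask request, else None.
    A host that does not answer these denies the prober two fingerprinting inputs."""
    _, _, proto, _, payload = parse_ipv4(pkt)
    if proto != 1 or not payload:
        return None
    return payload[0] if payload[0] in (ICMP_TIMESTAMP_REQUEST, ICMP_ADDRESS_MASK_REQUEST) else None

# ---- constructed sample packets (documentation addresses, checksums left zero) ----
def _ipv4(proto: int, payload: bytes, ttl: int, df: bool) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000 if df else 0, ttl, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + payload

def _tcp_syn(window: int, options: bytes) -> bytes:
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + options

# Linux-style SYN: MSS, SACKOK, timestamps, NOP, wscale 7; observed TTL 58 (six hops from 64).
SAMPLE_LINUX_SYN = _ipv4(6, _tcp_syn(29200, bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")), 58, True)
# Windows-style SYN: MSS, NOP, wscale 8, NOP, NOP, SACKOK; observed TTL 120 (eight hops from 128).
SAMPLE_WINDOWS_SYN = _ipv4(6, _tcp_syn(8192, bytes.fromhex("020405b4" "01" "030308" "01" "01" "0402")), 120, True)
SAMPLE_ICMP_TIMESTAMP = _ipv4(1, bytes([13, 0, 0, 0]) + bytes(16), 64, False)
SAMPLE_ICMP_ECHO = _ipv4(1, bytes([8, 0, 0, 0]) + bytes(4), 64, False)

if __name__ == "__main__":
    for name, pkt in (("linux", SAMPLE_LINUX_SYN), ("windows", SAMPLE_WINDOWS_SYN)):
        sig = fingerprint(pkt)
        print(name, quick_guess(sig), sig.bits())
    print("icmp probe types:", icmp_probe_type(SAMPLE_ICMP_TIMESTAMP), icmp_probe_type(SAMPLE_ICMP_ECHO))
```

The option walker deliberately stops on a missing or bogus length byte rather than raising, because a passive sensor sees whatever the network delivers and a malformed SYN must not take the sensor down. The TTL rounding is what makes the "TTL plus window" shortcut work across distances: only the initial value is a property of the stack, so the observed value is mapped back to the nearest common initial before the lookup.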
Fingerprinting tools
A list of TCP/IP and OS fingerprinting tools:
- Zardaxt.py[8] – passive open-source TCP/IP fingerprinting tool.
- Ettercap – passive TCP/IP stack fingerprinting.
- Nmap – comprehensive active stack fingerprinting.
- p0f – comprehensive passive TCP/IP stack fingerprinting.
- NetSleuth – free passive fingerprinting and analysis tool.
- PacketFence[9] – open source NAC with passive DHCP fingerprinting.
- Satori – passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting.
- SinFP – single-port active/passive fingerprinting.
- XProbe2 – active TCP/IP stack fingerprinting.
- queso – well-known tool from the late 1990s which is no longer being updated for modern operating systems.
References
- ^ Chuvakin A. and Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.
- ^ "Passive OS Fingerprinting, NETRESEC Network Security Blog". Netresec.com. 2011-11-05. Retrieved 2011-11-25.
- ^ "iplog". Retrieved 2011-11-25.
- ^ "OS detection not key to penetration". Seclists.org. Retrieved 2011-11-25.
- ^ "OSfuscate". Irongeek.com. 2008-09-30. Retrieved 2011-11-25.
- ^ Carl-Daniel Hailfinger. "IPPersonality". Ippersonality.sourceforge.net. Retrieved 2011-11-25.
- ^ "Defeating TCP/IP stack fingerprinting". Usenix.org. 2002-01-29. Retrieved 2011-11-25.
- ^ "Zardaxt.py". Github. 2021-11-25. Retrieved 2021-11-25.
- ^ "PacketFence". PacketFence. 2011-11-21. Retrieved 2011-11-25.