TCP/IP stack fingerprinting

Figure: passive OS fingerprinting method and diagram.

TCP/IP stack fingerprinting is the collection of configuration attributes from a remote device during standard layer 3 and layer 4 (IP and TCP) network communication. It can be done passively, by observing traffic the device sends on its own, or actively, by sending crafted probes and examining the responses. The combination of parameters may then be used to infer the remote machine's operating system (aka OS fingerprinting), or incorporated into a device fingerprint.


TCP/IP Fingerprint Specifics

Certain parameters within the TCP/IP protocol definitions are left up to the implementation. Different operating systems, and different versions of the same operating system, set different defaults for these values. By collecting and examining these values, one may differentiate among operating systems and TCP/IP implementations.[1] The IP and TCP header fields that may vary include the following:

  • Initial packet size (IP total length, 16 bits)
  • Initial TTL (IP header, 8 bits)
  • Window size (TCP header, 16 bits)
  • Maximum segment size (TCP option, 16 bits)
  • Window scaling value (TCP option, 8 bits)
  • "don't fragment" flag (IP header, 1 bit)
  • "sackOK" flag (TCP option present or absent, 1 bit)
  • "nop" flag (TCP option present or absent, 1 bit)

These values may be combined to form a 67-bit signature, or fingerprint, for the target machine.[2] Inspecting only the initial TTL and window size is often enough to identify an operating system, which eases manual OS fingerprinting.[3] Note that the TTL a passive sensor observes has already been decremented once per hop, so it is rounded up to the nearest common initial value (32, 64, 128 or 255) before comparison with a signature.
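As an added worked example (not code from this article, nor from p0f, Nmap or any other tool named below), the following Python parses a raw IPv4/TCP SYN, extracts exactly the fields listed above, rounds the observed TTL up to its likely initial value, and matches the result against a small signature table. The function and constant names are mine, the two sample SYNs are constructed inline, and the SIGNATURES entries are illustrative assumptions of commonly cited SYN profiles rather than a vetted database:

```python
# Passive TCP/IP stack fingerprinting of a raw IPv4/TCP SYN (added example).
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# TCP option kinds as one-letter codes for the option-layout string.
OPTION_LETTERS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}


@dataclass(frozen=True)
class SynFingerprint:
    total_length: int      # IPv4 total length (16 bits)
    ttl: int               # TTL as seen on the wire (8 bits), decremented once per hop
    window: int            # TCP window size (16 bits)
    mss: Optional[int]     # MSS option value (16 bits), None if absent
    wscale: Optional[int]  # window scale shift count (8 bits), None if absent
    df: bool               # IP "don't fragment" bit
    sack_ok: bool          # SACK-permitted option present
    nop: bool              # at least one NOP option present
    layout: str            # option order, e.g. "M,S,T,N,W"


def parse_syn(packet: bytes) -> SynFingerprint:
    """Extract the fingerprint fields from a raw IPv4 datagram carrying a TCP SYN."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_length, flags_frag, ttl, proto = struct.unpack_from("!2xHxxHBB", packet, 0)
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    if len(tcp) < 20 or not tcp[13] & 0x02:
        raise ValueError("not a complete TCP SYN")
    window = struct.unpack_from("!H", tcp, 14)[0]
    opts = tcp[20:(tcp[12] >> 4) * 4]       # options run from byte 20 to the data offset

    mss = wscale = None
    sack_ok = nop = False
    letters = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        letters.append(OPTION_LETTERS.get(kind, "?"))
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte used for alignment
            nop, i = True, i + 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            wscale = body[0]
        elif kind == 4:
            sack_ok = True
        i += length
    return SynFingerprint(total_length, ttl, window, mss, wscale,
                          bool(flags_frag & 0x4000), sack_ok, nop, ",".join(letters))


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value (32, 64, 128, 255)."""
    return next(c for c in (32, 64, 128, 255) if observed <= c)


# (initial TTL, DF, window, option layout) -> label.  Illustrative values assumed here.
SIGNATURES: Dict[Tuple[int, bool, int, str], str] = {
    (64, True, 5840, "M,S,T,N,W"): "Linux 2.6 (illustrative)",
    (128, True, 8192, "M,N,W,N,N,S"): "Windows 7 (illustrative)",
    (128, True, 65535, "M,N,N,S"): "Windows XP (illustrative)",
}


def classify(fp: SynFingerprint) -> str:
    """Match the full signature first, then fall back to initial TTL + window only."""
    key = (initial_ttl(fp.ttl), fp.df, fp.window, fp.layout)
    if key in SIGNATURES:
        return SIGNATURES[key]
    for (ttl, _df, win, _layout), label in SIGNATURES.items():
        if ttl == key[0] and win == fp.window:
            return label + " [TTL+window only]"
    return "unknown"


def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN for offline testing (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4,
                      0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp


# Constructed sample SYNs, one hop from the sensor (TTL already decremented once).
LINUX_LIKE_SYN = build_syn(63, True, 5840,
    b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07")
WINDOWS_LIKE_SYN = build_syn(127, True, 8192,
    b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02")
```

The option layout string is what a full signature adds over the TTL+window shortcut: two of the three illustrative profiles share the same initial TTL, so the order of the MSS, NOP, window scale and sackOK options is what separates them, while the fallback in `classify` shows how far TTL and window alone get you. Checksums are left zero in the constructed packets because the parser does not verify them.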

Protection against and detecting fingerprinting

Protection against TCP/IP fingerprinting, passive and active alike, can be approximated with TCP/IP fingerprint obfuscators, also known as fingerprint scrubbers, which rewrite the implementation-specific fields (TTL, window size, option order, and so on) to a uniform profile before packets leave the host or network. Tools exist for MS Windows,[4] Linux,[5] FreeBSD,[6] and likely others.

Moreover, exposure to active fingerprinting is reduced by limiting the type and amount of traffic a system responds to. Examples include dropping all unnecessary outgoing ICMP traffic, especially unusual message types such as address mask and timestamp replies, and also dropping ICMP echo replies. Be warned that blocking traffic without knowing exactly what it is for can easily break a network: dropping ICMP "fragmentation needed" messages (type 3, code 4), for instance, defeats path MTU discovery and turns your network into a black hole for large packets. Alternatively, active fingerprinting tools themselves produce recognizable traffic patterns and can be detected.[7]

Defeating TCP/IP fingerprinting may provide limited protection from potential attackers who employ a vulnerability scanner to select machines of a specific target OS. However, a determined adversary may simply try a series of different attacks until one is successful.[8]

Fingerprinting tools

A list of TCP/IP stack fingerprinting tools:

  • PRADS - passive comprehensive TCP/IP stack fingerprinting and service detection
  • Ettercap - passive TCP/IP stack fingerprinting
  • NetworkMiner - passive DHCP and TCP/IP stack fingerprinting (combines the p0f, Ettercap and Satori databases)
  • Nmap - comprehensive active stack fingerprinting
  • p0f - comprehensive passive TCP/IP stack fingerprinting
  • PacketFence[9] - open source NAC with passive DHCP fingerprinting
  • Satori - passive CDP, DHCP, ICMP, HPSP, HTTP, TCP/IP and other stack fingerprinting
  • SinFP - single-port active/passive fingerprinting
  • XProbe2 - active TCP/IP stack fingerprinting


Wikimedia Foundation. 2010.
