OS Fingerprinting

At this point in the information-gathering process, the hacker has made some real headway. IP addresses, active systems, and open ports have been identified. Although the hacker might not yet know the type of systems he is dealing with, he is getting close. Fingerprinting is the primary way to identify a specific system. Fingerprinting works because each vendor implements the TCP/IP stack in different ways. For example, it’s much the same as when you text a specific friend who typically says something like, “Hey, what’s up?” while another friend simply says, “Hi.” There are two ways in which the hacker can attempt to identify the targeted devices. The hacker’s first choice is passive fingerprinting. The hacker’s second choice is to perform active fingerprinting, which basically sends malformed packets to the target in hope of eliciting a response that will identify it. Although active fingerprinting is more accurate, it is not as stealthy as passive fingerprinting.

Passive fingerprinting is really sniffing: the hacker captures packets as they pass by and examines them for characteristics that reveal the OS. The following are four commonly examined items that are used to fingerprint the OS:

  • IP TTL value: Different operating systems set the TTL to unique values on outbound packets.

  • TCP window size: OS vendors use different values for the initial window size.

  • IP DF option: Not all OS vendors handle fragmentation in the same way. 1500 bytes is a common size with Ethernet.

  • IP Type of Service (TOS) option: TOS is a 3-bit field that controls the priority of specific packets. Again, not all vendors implement this option in the same way.

These are just four of many possibilities that can be used to passively fingerprint an OS. Other items that can be examined include IP identification number (IPID), IP options, TCP options, and even ICMP. Ofir Arkin has written an excellent paper on this, titled “ICMP Usage in Scanning.” An example of a passive fingerprinting tool is the Linux-based tool P0f. P0f attempts to passively fingerprint the source of all incoming connections after the tool is up and running. Because it’s a truly passive tool, it does so without introducing additional traffic on the network. P0fv2 is available at http://lcamtuf.coredump.cx/p0f.tgz.
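The four items above (TTL, window size, DF bit, TOS), plus the TCP option order, are all readable straight out of the IP and TCP headers of a single SYN. The following is an added example, not the book's code and not p0f's: it parses a raw IPv4/TCP packet, pulls those fields out, rounds the observed TTL up to a common starting value to undo per-hop decrements, and matches the result against a small signature table. The signature table, the `build_syn` packet builder and the option layouts are constructed for illustration and are not p0f's database.

```python
"""Extract passive OS-fingerprint fields from a raw IPv4/TCP SYN.

Added example; not the book's code and not p0f's. The signature table and
the sample packets below are constructed for illustration.
"""
import struct

# TCP option kinds we name; anything else is reported as "optN".
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "timestamp"}

# Constructed signatures (NOT p0f's database): initial TTL, window size,
# DF bit, TOS byte and the order of TCP options seen in the SYN.
SIGNATURES = [
    {"label": "constructed-unix-like", "ittl": 64, "window": 29200, "df": True,
     "tos": 0, "options": ["mss", "sackOK", "timestamp", "nop", "wscale"]},
    {"label": "constructed-windows-like", "ittl": 128, "window": 8192, "df": True,
     "tos": 0, "options": ["mss", "nop", "wscale", "nop", "nop", "sackOK"]},
]


def parse_tcp_options(raw: bytes) -> list:
    """Walk the TCP options area and return the option kinds in order."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL terminates the list
            names.append("eol")
            break
        if kind == 1:                       # NOP carries no length byte
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        names.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    return names


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Return the fingerprint-relevant fields of an IPv4 datagram carrying TCP."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, tos, _tlen, ipid, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    _sp, _dp, _seq, _ack, off_flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    return {
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),    # DF is bit 14 of the flags/fragment word
        "tos": tos,
        "ipid": ipid,
        "window": window,
        "flags": off_flags & 0x01FF,        # nine flag bits, including NS
        "options": parse_tcp_options(tcp[20:doff]),
    }


def guess_initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common starting value."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return ttl


def fingerprint(fields: dict) -> str:
    """Match extracted fields against the constructed signature table."""
    for sig in SIGNATURES:
        if (sig["ittl"] == guess_initial_ttl(fields["ttl"])
                and sig["window"] == fields["window"] and sig["df"] == fields["df"]
                and sig["tos"] == fields["tos"] and sig["options"] == fields["options"]):
            return sig["label"]
    return "unknown"


def build_syn(ttl: int, window: int, df: bool, tos: int, options: bytes) -> bytes:
    """Build a constructed IPv4/TCP SYN (checksums left zero) for parsing."""
    opts = options + b"\x00" * (-len(options) % 4)          # pad to 32-bit boundary
    off_flags = ((20 + len(opts)) // 4) << 12 | 0x0002        # data offset + SYN
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


# Constructed option layouts: mss/sackOK/timestamp/nop/wscale (20 bytes) and
# mss/nop/wscale/nop/nop/sackOK (12 bytes).
UNIX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
WIN_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"

if __name__ == "__main__":
    for pkt in (build_syn(61, 29200, True, 0, UNIX_OPTS),    # observed 3 hops away
                build_syn(120, 8192, True, 0, WIN_OPTS)):
        f = parse_ipv4_tcp(pkt)
        print(f["ttl"], f["window"], f["df"], f["options"], "->", fingerprint(f))
```

The TTL rounding is the step that makes passive matching work at all: the sending host's initial TTL is what the signature describes, and every router on the path has already decremented it by one. The same parser is what a defender would run over their own egress traffic to see how recognisable their hosts are.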

Active fingerprinting is more powerful than passive fingerprinting because the hacker doesn’t have to wait for random packets, but as with every advantage, there is usually a disadvantage. Here the disadvantage is that active fingerprinting is not as stealthy as passive fingerprinting: the hacker actually injects packets into the network, so active fingerprinting has a much higher potential for being discovered or noticed. Like passive OS fingerprinting, active fingerprinting examines the subtle differences that exist between different vendor implementations of the TCP/IP stack. Therefore, if hackers probe for these differences, the version of the OS can most likely be determined. One of the individuals who has been a pioneer in this field of research is Fyodor. He has an excellent chapter on remote OS fingerprinting at https://nmap.org/book/osdetect.html. Listed here are some of the basic methods used in active fingerprinting:

  • The FIN probe: A FIN packet is sent to an open port, and the response is recorded. Although RFC 793 states that the required behavior is not to respond, many operating systems such as Windows will respond with an RST.

  • Bogus flag probe: As you might remember from Table 3-6, the flag field is only 1 byte in the TCP header. A bogus flag probe sets one of the unused flags along with the SYN flag in an initial packet. Linux will respond by setting the same flag in the subsequent packet.

  • Initial sequence number (ISN) sampling: This fingerprinting technique works by looking for patterns in the ISN. Although some systems use truly random numbers, others, such as Windows, increment the number by a small fixed amount.

  • IPID sampling: Many systems increment a systemwide IPID value for each packet they send. Others, such as older versions of Windows, do not put the IPID in network byte order, so they increment the number by 256 for each packet.

  • TCP initial window: This fingerprint technique works by tracking the window size in packets returned from the target device. Many operating systems use exact sizes that can be matched against a database to uniquely identify the OS.

  • ACK value: Again, vendors differ in the ways they have implemented the TCP/IP stack. Some operating systems send back the previous value +1, whereas others send back more random values.

  • Type of service: This fingerprinting type tweaks ICMP port unreachable messages and examines the value in the TOS field. Whereas some use 0, others return different values.

  • TCP options: Here again, different vendors support TCP options in different ways. By sending packets with different options set, the responses will start to reveal the server’s fingerprint.

  • Fragmentation handling: This fingerprinting technique takes advantage of the fact that different OS vendors handle fragmented packets differently. RFC 1191 specifies that the maximum transmission unit (MTU) is normally set between 68 and 65535 bytes. This technique was originally discovered by Thomas Ptacek and Tim Newsham.

Active Fingerprinting Tools

One of the first tools to be widely used for active fingerprinting back in the late 1990s was Queso. Although no longer updated, it helped move this genre of tools forward. Nmap is the tool of choice for active fingerprinting and is one of the most feature-rich free fingerprint tools in existence today. Nmap’s database can fingerprint literally hundreds of different operating systems. Fingerprinting with Nmap is initiated by running the tool with the -O option. When started with this command switch, Nmap probes port 80 and then ports in the 20 to 23 range. Nmap needs one open and one closed port to make an accurate determination of what OS a particular system is running.

Here is an example:

C:\nmap-7.70>nmap -O 192.168.123.108
Starting nmap 6.25 (https://nmap.org/) at 2005-10-07 15:47 Central Daylight Time
Interesting ports on 192.168.1.108:
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open  printer
548/tcp  open  afpovertcp
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.282 days (since Fri Oct 07 09:01:33 2018)
Nmap run completed -- 1 IP address (1 host up) scanned in 4.927 seconds

You might also want to try Nmap with the -v or -vv switch. There are devices such as F5 Load Balancer that will not identify themselves using a normal -O scan but will reveal their ID with the -vv switch. Just remember that with Nmap or any other active fingerprinting tool, you are injecting packets into the network. This type of activity can be tracked and monitored by an IDS. Active fingerprinting tools, such as Nmap, can be countered by tweaking the OS’s stack. Anything that tampers with this information can affect the prediction of the target’s OS version.
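The probe shapes listed earlier (a FIN to an open port with no handshake, a SYN carrying a bogus flag bit, and their NULL and Xmas relatives) are exactly what makes active fingerprinting trackable by an IDS: ordinary traffic never looks like that, and a fingerprinting run sends several such shapes from one source in a short window. The following is an added example, not the book's code and not any IDS product's rule set: it parses constructed firewall log lines that only loosely follow the iptables LOG line layout, classifies each packet's flag combination, and reports any source that sent two or more distinct probe shapes within a time window. The sample lines, the 60-second window and the threshold of two shapes are assumptions.

```python
"""Flag likely active OS-fingerprinting probes in firewall log lines.

Added example; not the book's code and not an IDS product's rules. The log
lines are constructed and only loosely follow the iptables LOG line layout;
the time window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Constructed sample: 203.0.113.5 sends a normal SYN, a FIN-only probe, a SYN
# with a reserved bit set, a NULL probe and a Xmas probe; 198.51.100.7 is an
# ordinary SYN then ACK.
SAMPLE_LOG = """\
2024-05-01T10:00:00 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 RES=0x00 SYN URGP=0
2024-05-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 RES=0x00 FIN URGP=0
2024-05-01T10:00:01 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=80 RES=0x08 SYN URGP=0
2024-05-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=31337 RES=0x00 URGP=0
2024-05-01T10:00:02 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=31337 RES=0x00 FIN PSH URG URGP=0
2024-05-01T10:00:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 RES=0x00 SYN URGP=0
2024-05-01T10:00:04 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443 RES=0x00 ACK URGP=0
"""


def parse_line(line: str) -> dict:
    """Split a log line into timestamp, KEY=VALUE fields and bare flag tokens."""
    ts_str, _, rest = line.partition(" ")
    kv, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k] = v
        elif tok in FLAG_TOKENS:
            flags.add(tok)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": kv["SRC"],
        "dpt": int(kv.get("DPT", 0)),
        "res": int(kv.get("RES", "0x0"), 16),   # reserved TCP header bits
        "flags": flags,
    }


def classify(flags: set, res: int):
    """Name the probe shape a packet matches, or None for ordinary traffic."""
    if not flags:
        return "null-probe"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas-probe"
    if flags == {"FIN"}:
        return "fin-probe"            # FIN with no preceding handshake
    if "SYN" in flags and res != 0:
        return "bogus-flag-probe"     # SYN plus an undefined/reserved flag bit
    return None


def detect_fingerprinting(log_text: str, window=timedelta(seconds=60), min_kinds=2) -> list:
    """Report sources sending at least min_kinds distinct probe shapes within window."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind = classify(ev["flags"], ev["res"])
        if kind:
            per_src[ev["src"]].append((ev["ts"], kind, ev["dpt"]))
    findings = []
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            kinds = {k for _, k, _ in in_window}
            if len(kinds) >= min_kinds:
                findings.append({"src": src, "first_seen": t0, "kinds": kinds,
                                 "ports": {p for _, _, p in in_window}})
                break
    return findings


if __name__ == "__main__":
    for f in detect_fingerprinting(SAMPLE_LOG):
        print(f"{f['src']} probed ports {sorted(f['ports'])} with {sorted(f['kinds'])}")
```

Counting distinct probe shapes rather than raw packet volume is what keeps this quiet on a busy network: a single stray FIN is noise, but a FIN probe, a bogus-flag SYN and a NULL packet from one address within a minute is the signature of a fingerprinting run, and the report also shows which open and closed ports the scanner paired up.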

Nmap’s dominance of active fingerprinting is being challenged by a new breed of tools. One such tool is Xprobe2, a Linux-based active OS fingerprinting tool with a different approach to OS fingerprinting. Xprobe is unique in that it uses a mixture of TCP, UDP, and ICMP to slip past firewalls and avoid IDS systems. Xprobe2 relies on fuzzy signature matching. In layman’s terms, this means that targets are run through a variety of tests. These results are totaled, and the user is presented with a score that tells the probability of the targeted machine’s OS—for example, 75% Windows 10 and 1% Windows Vista.

Because some of you might actually prefer GUI tools, the final fingerprinting tool for discussion is Winfingerprint. This Windows-based tool can harvest a ton of information about Windows servers. It allows scans on a single host or the entire network neighborhood. You can also input a list of IP addresses or specify a custom IP range to be scanned. After a target is found, Winfingerprint can obtain NetBIOS shares, disk information, services, users, groups, detection of the service pack, and even hotfixes. Figure 3-12 shows a screenshot of Winfingerprint.

Figure 3-12 Winfingerprint
