TCP/IP stack fingerprinting

From Wikipedia, the free encyclopedia

(Redirected from OS fingerprinting)
Jump to: navigation, search
Passive OS Fingerprinting method and diagram.
Passive OS Fingerprinting method and diagram.

TCP/IP stack fingerprinting (a.k.a. OS fingerprinting) is the process of determining the operating system used by a remote target.

There are two types of OS fingerprinting: active and passive.

Contents

Passive fingerprinting is undetectable by an intrusion detection system on the network. A passive fingerprinter (a person or an application) does not send any data across the network (wire); because of this it’s undetectable. The downside of this method is that the fingerprinter must be on the same hub as the other servers and clients in order to capture any packets on the wire.

Passive fingerprinting works because TCP/IP flag settings are specific to various operating systems. These settings vary from one TCP stack implementation to another and include the following:

  • Initial TTL (8 bits)
  • Window size (16 bits)
  • Maximum segment size (16 bits)
  • "Don't fragment" flag (1 bit)
  • sackOK option (1 bit)
  • nop option (1 bit)
  • Window scaling option (8 bits)
  • Initial packet size (16 bits)

When combined, these flag settings provide a unique, 67-bit signature for every system.[1]

Active fingerprinting is aggressive in nature. An active fingerprinter transmits to and receives from the targeted device. It can be located anywhere in the network, and with the active method you can learn more information about the target than with passive OS fingerprinting. The downside is that the fingerprinter can be identified by an intrusion detection system.

TCP Stack Querying:

Banner Grabbing

Port Probing

Block all unnecessary outgoing ICMP traffic, especially unusual packet types like address masks and timestamps. Also, block any ICMP echo replies. Watch for excessive TCP SYN packets. Be warned that blocking things without knowing exactly what they are for can very well lead to a broken network; for instance, your network could become a black hole. Extensive knowledge of TCP/IP networking is recommended before engaging in traffic blocking.

Nmap is a tool that performs active TCP/IP stack fingerprinting.

p0f and Ettercap are tools that perform passive TCP/IP stack fingerprinting.

  1. ^ Peikari, C: "Security Warrior.", page 229. O'Reilly Media Inc., 2004.
This computer network-related article is a stub. You can help Wikipedia by expanding it.
Retrieved from "http://en.wikipedia.org/wiki/TCP/IP_stack_fingerprinting"
Advanced Search
Included Web Search Engines


Safe Search

close

Top Matching Results

Occasionally Search.com will highlight specialized results that are based on the context of your query. Examples of specialized results include specific links to news, images, or video.

Top Matching Results may highlight information from other Search.com pages, content from the CNET Network of sites, or third party content. The listings are based purely on relevance. Search.com does not receive payment for listings in this section but our partners that provide this data may get paid for listing these products.

Sponsored Links

This section contains paid listings which have been purchased by companies that want to have their sites appear for specific search terms and related content. These listings are administered, sorted and maintained by a third party and are not endorsed by Search.com.

Search Results

Search.com sends your search query to several search engines at one time and integrates the results into one list which has been sorted by relevance using Search.com's proprietary algorithm. You can customize the list of search engines included in your metasearch from the preferences.

The search engines that are used in your metasearch may allow companies to pay to have their Web sites included within the results. To view the Paid Inclusion policy for a specific search engine, please visit their Web site. Search.com does not accept payment or share revenue with any search engine partner for listings in this section.