Girish Venkatachalam is a UNIX hacker with more than a decade of
networking and crypto programming experience.
His hobbies include yoga, cycling and cooking, and he runs his own
business. Details here:
What is meant by OS fingerprinting?
It must be familiar to UNIX geeks. There are popular tools like nmap
that help you identify which hosts run Windows and which hosts run
Linux. This can be as specific as finding out whether a particular patch
or service pack has been installed on a Windows host.
But there is a problem with nmap OS fingerprinting: it uses active
fingerprinting, meaning it sends probe packets to the target. Not a
great idea. We want to use passive OS fingerprinting. In passive OS
fingerprinting we rely on the TCP SYN packets that the remote host sends
us anyway to identify its OS. This is quite reliable, though it can be
trivially spoofed. I would imagine that if we use passive OS
fingerprinting we can be reasonably sure about the remote OS.
It can be used as a policy tool to implement firewalling that can
protect us against Windows worms or viruses. We can have a logical
separation between Windows hosts and other hosts.
Passive OS fingerprinting can help us in many other ways too. We can
find out many things that are hidden from the eyes of systems
administrators. A tool called p0f is famous for doing passive OS
fingerprinting correctly. And OpenBSD pf, the firewall in OpenBSD, has a
built-in ability to do fingerprinting. You can also change the string
that it displays for identifying the OS by editing the file
/etc/pf.os on any OpenBSD machine.
p0f and OpenBSD pf both use the TCP default window size, the IP time to
live, the presence or absence of the DF (don't fragment) bit in the IP
header, the size of the SYN packet and the options in the TCP header to
identify the remote OS through passive fingerprinting.
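To make those fields concrete, here is an added example (not code from the article, p0f or pf) that pulls the window size, TTL, DF bit, packet size and TCP option list out of a constructed raw IPv4 SYN and matches them against a small constructed signature table written in a pf.os-like "window:ttl:df:size:options" style; the packet bytes and the two signature entries are samples made up for this illustration.

```python
import struct

# Constructed IPv4+TCP SYN (no payload): TTL 64, DF set, window 5840, total length 60,
# TCP options MSS 1460, SACK permitted, Timestamp, NOP, Window scale 0.
SAMPLE_SYN = bytes.fromhex(
    "4500003c1234400040060000c0a8010ac0a80114"               # IPv4 header
    "c35000500000000100000000a00216d000000000"               # TCP header, doff=10, SYN
    "020405b4" "0402" "080a0000000100000000" "01" "030300"    # options
)

# Constructed mini signature table in pf.os style: window:ttl:df:size:options.
# S4 = window is 4 x MSS; M*/W* = any MSS / window-scale value; N = NOP.
SIGNATURES = [
    ("S4:64:1:60:M*,S,T,N,W0", "Linux 2.4-2.6 (sample entry)"),
    ("*:128:1:48:M*,N,N,S", "Windows (sample entry)"),
]

def syn_fingerprint(pkt):
    """Return the window, TTL, DF bit, packet size and TCP options of a raw SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    df = 1 if struct.unpack("!H", pkt[6:8])[0] & 0x4000 else 0
    ttl = pkt[8]
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, mss = [], 20, None
    while i < doff:                       # walk the TCP options (kind, len, data)
        kind = tcp[i]
        if kind == 0:
            break                         # end of option list
        if kind == 1:
            opts.append("N"); i += 1; continue
        length = tcp[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]; opts.append("M%d" % mss)
        elif kind == 3: opts.append("W%d" % tcp[i + 2])
        elif kind == 4: opts.append("S")
        elif kind == 8: opts.append("T")
        i += length
    return {"window": window, "ttl": ttl, "df": df, "size": total_len, "opts": opts, "mss": mss}

def match_signature(fp, sig):
    win, ttl, df, size, opts = sig.split(":")
    if win.startswith("S"):               # window expressed as a multiple of the MSS
        if fp["mss"] is None or fp["window"] != fp["mss"] * int(win[1:]): return False
    elif win != "*" and fp["window"] != int(win): return False
    # TTL drops by one per hop, so observed TTL must be at most, and near, the initial TTL
    if not (int(ttl) - 32 < fp["ttl"] <= int(ttl)): return False
    if fp["df"] != int(df) or fp["size"] != int(size): return False
    want = opts.split(",")
    if len(want) != len(fp["opts"]): return False
    return all(w == o or (w in ("M*", "W*") and o[0] == w[0]) for w, o in zip(want, fp["opts"]))

def identify(pkt):
    fp = syn_fingerprint(pkt)
    return next((name for sig, name in SIGNATURES if match_signature(fp, sig)), "unknown")
```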
You can identify what software people have installed by looking at the
greeting (banner) message of TCP services, simply by connecting to them
with netcat. You can tell whether people use sendmail, postfix or MS
Exchange. You can identify the OpenSSH version, you can tell which web
server people use, and much other network forensic data can be collected.
If you wish to know the countries that hit your web server, then GeoIP
can help you look up an IP address and tell you where the ISP is located.
This is not accurate, as most free tools don't have a correct database.
You have to do some cross-checks before settling on the right tool.
Network forensic analysis is toeing the thin line between hacking and
cracking. We are not interested in prying into other people's or other
networks' innards. But you can use such tools for several useful
applications without intruding on others' privacy.
Network scanning is also useful for finding out which services are
running on UNIX hosts and asking users to turn off harmful services. NAT
is a blessing in disguise because most machines are not accessible to
the big bad Internet. If that were not the case we would be seeing a lot
more attacks than we do now.
OpenBSD pf FAQ
© 2012-07-01 Girish Venkatachalam