# Remote OS fingerprinting

© August 2009 Girish Venkatachalam

Girish Venkatachalam is a UNIX hacker with more than a decade of networking and crypto programming experience. His hobbies include yoga, cycling and cooking, and he runs his own business. Details here:

http://gayatri-hitech.com
http://spam-cheetah.com

What is meant by OS fingerprinting?

UNIX geeks will already be familiar with it. Popular tools like nmap help you identify which hosts run Windows and which run Linux, sometimes specifically enough to tell whether a particular Windows patch or service pack has been installed.

But there is a problem with nmap OS fingerprinting: it is active fingerprinting, which sends crafted probe packets to the target, and that is not a great idea. We want passive OS fingerprinting instead, where we identify the OS purely from the TCP SYN packets the remote host sends us anyway. This is quite reliable, although it can be trivially spoofed; with passive fingerprinting we can still be reasonably sure about the remote OS.

It can be used as a policy tool: a firewall can act on the fingerprint to protect us against Windows worms and viruses, giving us a logical separation between Windows hosts and other hosts.

Passive OS fingerprinting can help us in many other ways too. We can find out many things that are otherwise hidden from the eyes of systems administrators. A tool called p0f is famous for doing passive OS fingerprinting correctly, and OpenBSD pf, the firewall in OpenBSD, has a built-in ability to do fingerprinting. The string it displays to identify each OS comes from the file /etc/pf.os on any OpenBSD machine, and you can change it by editing that file.

p0f and OpenBSD pf both use the TCP default window size, the IP time to live, the presence or absence of the DF (don't fragment) bit in the IP header, the size of the SYN packet and the options in the TCP header to identify the remote OS through passive fingerprinting.
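As an added illustration, not code from the article, p0f or pf, the following Python pulls exactly those five fields out of a raw IPv4/TCP SYN and matches them against a small signature table laid out in p0f's style. The packet builder, the table and its OS labels are constructed for the example.

```python
import struct
# Constructed p0f-style table (window:initial_ttl:df:syn_len:options -> label);
# the labels are illustrative and not copied from the p0f or pf databases.
SIGNATURES = {
    "5840:64:1:60:M1460,S,T,N,W7": "Linux 2.6 (illustrative)",
    "65535:128:1:48:M1460,N,N,S": "Windows XP (illustrative)",
}

def initial_ttl(observed):  # round the observed TTL up to a common initial value
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def parse_options(raw):  # p0f letters: M<mss> W<shift> S(ACK-OK) T(imestamps) N E
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                        # end of option list
            return ",".join(out + ["E"])
        if kind == 1:                        # NOP padding, no length byte
            out.append("N"); i += 1; continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        body = raw[i + 2:i + length]
        if kind == 2:   out.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3: out.append("W%d" % body[0])
        else:           out.append({4: "S", 8: "T"}.get(kind, "?%d" % kind))
        i += length
    return ",".join(out)

def syn_signature(pkt):  # signature of a raw IPv4+TCP packet, None unless bare SYN
    ihl = (pkt[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack_from("!HxxH", pkt, 2)
    if pkt[9] != 6:                          # protocol field: not TCP
        return None
    tcp = pkt[ihl:total_len]
    doff, flags = (tcp[12] >> 4) * 4, tcp[13]
    if (flags & 0x3F) != 0x02:               # SYN set, ACK/RST/FIN/PSH/URG clear
        return None
    window = struct.unpack_from("!H", tcp, 14)[0]
    df = 1 if flags_frag & 0x4000 else 0
    return "%d:%d:%d:%d:%s" % (window, initial_ttl(pkt[8]), df, total_len,
                               parse_options(tcp[20:doff]))

def build_syn(window, ttl, df, opts):  # constructed test SYN, checksums left zero
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(opts)) // 4) << 4,
                      0x02, window, 0, 0) + opts
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                       0x4000 if df else 0, ttl, 6, 0, b"\x0a\0\0\x05", b"\x0a\0\0\x01") + tcp
# MSS 1460, SACK-OK, timestamps, NOP, window scale 7: a Linux-like option layout.
LINUX_OPTS = bytes([2, 4, 5, 0xB4, 4, 2, 8, 10]) + b"\0" * 8 + bytes([1, 3, 3, 7])
```

Feed it `build_syn(5840, 52, True, LINUX_OPTS)` and the TTL of 52 rounds up to an initial 64, giving the first table entry; a packet captured from the wire would be passed in as the same raw IPv4 bytes.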

You can identify what software people have installed by looking at the greeting banner that many TCP services send, simply by connecting to them with netcat. You can tell whether people run sendmail, postfix or MS Exchange, identify the OpenSSH version, learn which web server they use, and collect a lot of other network forensic data.

If you wish to know which countries hit your web server, GeoIP can help you look up an IP address and find out where the ISP is located. This is not always accurate, as most free tools don't have a correct database, so you have to do some cross-checks before settling on the right tool.

Network forensic analysis walks a thin line between hacking and cracking. We are not interested in prying into other people's or other networks' innards, but such tools have several useful applications that don't intrude on anyone's privacy.

Network scanning is also useful for finding out which services are running on UNIX hosts so that you can ask users to turn off harmful ones. NAT is a blessing in disguise, because most machines are not directly reachable from the big bad Internet. If that were not the case we would be seeing far more attacks than we do now.

References

  1. nmap homepage
  2. p0f homepage
  3. OpenBSD pf FAQ

Tue Sep 1 03:16:55 2009: 6830   xnih

p0f is a good start but only touches on TCP Syn/Ack/Reset packets. It misses out on higher level stuff and other protocols completely.

The paper is getting old now (Aug 2005), but:
(link)

It touches on other protocols that can be used for passive fingerprinting. Easy stuff like web agent fingerprinting, smb packets, mdns, sap/ipx, etc.

Or a full paper just on DHCP fingerprinting:
(link)

Again, all passive stuff.
