Passive Host Fingerprinting
Small examples of mundane traffic: Win2000 vs Redhat 6.1
[Max Vision]
Passive Host Fingerprinting is the practice of determining a remote operating system by measuring the peculiarities of observed traffic without actively sending probes to the host. Traditional active OS fingerprinting is accomplished by sending various standard and nonstandard probes to the host in question to elicit responses that can be measured and compared to known fingerprints. The following examples describe some observed peculiarities between Microsoft Windows 2000 5.0.2195 and Redhat Linux 6.1. The purpose of this write-up is to publicize the discussion of passive fingerprinting and hopefully to receive some feedback from the security community regarding their own experiences or knowledge of OS peculiarities.
The first example is a single ping, as received by a machine 12 network hops away. Note that the packet contents, size, and initial TTL could each be altered at the command line from either machine. To approximate the original TTL, you can usually round up to the nearest 16 or 32. Common initial TTLs are 30, 60, 64, 128, and 255. Note that this particular traffic is dependent on the application generating it (/bin/ping or ping.exe) and can vary with different ping software, regardless of the OS and IP stack used.
Initial TTL: Windows=128, Linux=64. Packet content and length differ.
Windows 2000 (ping -n 1 victim.example.com)

    02/14-00:01:06.354792 source -> victim.example.com
    ICMP TTL:116 TOS:0x0 ID:55333
    ID:2 Seq:2 ECHO
    61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70  abcdefghijklmnop
    71 72 73 74 75 76 77 61 62 63 64 65 66 67 68 69  qrstuvwabcdefghi

Redhat 6.1 (ping -c 1 victim.example.com)

    02/14-00:02:11.320435 source -> victim.example.com
    ICMP TTL:52 TOS:0x0 ID:8235
    ID:1216 Seq:0 ECHO
    AE C4 A7 38 72 68 05 00 08 09 0A 0B 0C 0D 0E 0F  ...8rh..........
    10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F  ................
    20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F   !"#$%&'()*+,-./
    30 31 32 33 34 35 36 37                          01234567
This second example is a capture of a web page retrieval request (only the initial three-way handshake is shown). This may be particular to my system, but I consistently see the same IP Options set by each operating system. There may be a correlation with the initial TCP Receive Window size. Windows seems to often include extraneous data in ACK packets that many Unix systems do not. The TTL is the same here as it was with the ICMP ping testing.
Initial TTL: Windows=128, Linux=64. IP Options differ.
Windows 2000 (using IE 5.00.2920 to visit victim.example.com)

    02/14-00:04:59.921958 source:1503 -> victim.example.com:80
    TCP TTL:116 TOS:0x0 ID:55496 DF
    **S***** Seq: 0x2C0705B1 Ack: 0x0 Win: 0x7FFF
    TCP Options => MSS: 1460 NOP NOP SackOK

    02/14-00:04:59.922145 victim.example.com:80 -> source:1503

    02/14-00:05:00.104972 source:1503 -> victim.example.com:80

Redhat 6.1 (using Lynx 2.8.3dev.18 to visit victim.example.com)

    02/14-00:07:50.345859 source:1046 -> victim.example.com:80
    TCP TTL:52 TOS:0x10 ID:8768 DF
    **S***** Seq: 0x92DF3DBF Ack: 0x0 Win: 0x7D78
    TCP Options => MSS: 1460 SackOK TS: 1503255 0 NOP WS: 0

    02/14-00:07:50.346156 victim.example.com:80 -> source:1046

    02/14-00:07:50.575331 source:1046 -> victim.example.com:80
Specifics of the default behavior of various Operating Systems could be mapped and used to fingerprint incoming traffic in a passive manner. Obviously there is a lot of work to be done in actually creating a map of Passive OS Fingerprints. "I leave that as an exercise for the reader."
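As an added illustration of that mapping (example code, not part of the original write-up), the following parses Snort-style SYN records like the two above and matches initial TTL, receive window and TCP option order against a signature table holding only the two stacks observed here. The signature table, the MAX_HOPS bound and the two constructed records are assumptions of this example; note that an observed TTL of 52 is ambiguous between the listed initial values 60 and 64, so every plausible candidate is tried.

```python
import re

# Initial TTLs the write-up lists as common. A path longer than MAX_HOPS hops
# is treated as implausible when guessing which initial TTL a packet began with.
COMMON_INITIAL_TTLS = (30, 60, 64, 128, 255)
MAX_HOPS = 30  # assumption of this example

# Signature table built only from the two SYN packets in the write-up:
# (initial TTL, receive window, TCP option order) -> OS. Other stacks are left
# as the exercise the text mentions.
SIGNATURES = {
    (128, 0x7FFF, "MSS NOP NOP SackOK"): "Windows 2000",
    (64, 0x7D78, "MSS SackOK TS NOP WS"): "Redhat 6.1",
}

def candidate_initial_ttls(observed):
    """Every common initial TTL the observed value could have decayed from.
    TTL 52 yields [60, 64]: the hop count alone cannot settle it."""
    return [t for t in COMMON_INITIAL_TTLS if observed <= t <= observed + MAX_HOPS]

def parse_syn(record):
    """Pull the passive-fingerprint fields out of one Snort-style TCP record."""
    ttl = int(re.search(r"TTL:(\d+)", record).group(1))
    window = int(re.search(r"Win: (0x[0-9A-Fa-f]+)", record).group(1), 16)
    opts_line = re.search(r"TCP Options => (.*)", record).group(1)
    # Keep option names in their original order; drop values (MSS: 1460 -> MSS).
    options = " ".join(re.findall(r"\b(MSS|NOP|SackOK|TS|WS)\b", opts_line))
    return {"ttl": ttl, "window": window, "options": options}

def fingerprint(record):
    """Return (os, initial TTL, estimated hops) for the first candidate initial
    TTL whose signature matches, or ("unknown", None, None)."""
    f = parse_syn(record)
    for initial in candidate_initial_ttls(f["ttl"]):
        os_name = SIGNATURES.get((initial, f["window"], f["options"]))
        if os_name:
            return os_name, initial, initial - f["ttl"]
    return "unknown", None, None

# Constructed records mirroring the two SYN packets shown in the write-up.
WIN2000_SYN = """02/14-00:04:59.921958 source:1503 -> victim.example.com:80
TCP TTL:116 TOS:0x0 ID:55496 DF
**S***** Seq: 0x2C0705B1 Ack: 0x0 Win: 0x7FFF
TCP Options => MSS: 1460 NOP NOP SackOK"""

REDHAT61_SYN = """02/14-00:07:50.345859 source:1046 -> victim.example.com:80
TCP TTL:52 TOS:0x10 ID:8768 DF
**S***** Seq: 0x92DF3DBF Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 1503255 0 NOP WS: 0"""
```

Both records resolve to a 12-hop path, which agrees with the hop count the ping example states; a SYN whose window or option order is not in the table comes back as unknown rather than being forced onto the nearest entry.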