Fingerprinting: The Complete Documentation

  • This category contains 20 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

Analysis of Remote Active Operating System Fingerprinting Tools

Published on May 2003, by Ryan Spangler, ©Packetwatch Research.

There are many tools today that are used for remote active operating system fingerprinting. They all have their own fingerprinting techniques. This paper gives an in-depth analysis of three such tools: Nmap, RINGv2, and Xprobe2. The purpose of the paper is to show how these tools work, and to understand the advantages and disadvantages they each offer.

Art of Fingerprinting (The)

Published on 2004, by Maximillian Dornseif and Ilja van Sprundel, ©Maximillian Dornseif and Ilja van Sprundel.

Fingerprinting is the art of extracting features from a resource and comparing it to a database to draw conclusions about the probed resource. We show the current state of the art of fingerprinting on all layers of the TCP stack, will evaluate existing tools and release our own new fingerprinting engine.

Defeating TCP/IP Stack Fingerprinting

Published on August 17, 2000, by Matthew Smart, G. Robert Malan, Farnam Jahanian, ©University of Michigan.

This paper describes the design and implementation of a TCP/IP stack fingerprint scrubber. The fingerprint scrubber is a new tool to restrict a remote user's ability to determine the operating system of another host on the network. Allowing entire subnetworks to be remotely scanned and characterized opens up security vulnerabilities. Specifically, operating system exploits can be efficiently run against a pre-scanned network because exploits will usually only work against a specific operating system or software running on that platform. The fingerprint scrubber works at both the network and transport layers to convert ambiguous traffic from a heterogeneous group of hosts into sanitized packets that do not reveal clues about the hosts' operating systems. This paper evaluates the performance of a fingerprint scrubber implemented in the FreeBSD® kernel and looks at the limitations of this approach.

Demystifying Remote Host

Published on October 09, 2003, by Abhisek Datta, ©HackinTheBox.

This manual will present a concise overview of the methods used to gather necessary information about a remote host targeted for hacking or for some of its cracking. Starting from basic newbie-friendly methods like Banner Grabbing and TTL value detection, this manual will cover advanced methods of detecting the Operating System running on the remote host, like ICMP Error Message Quenching, ICMP Error Message Quoting, Initial Sequence Number Sampling, Sniffing Packets etc. Note: Basic knowledge about TCP/IP implementation is suggested. This is part one of this manual. In here I'll explain methods of accurate Operating System detection.

ICMP based fingerprinting approach

Published on August 2001, by Fyodor Yarochkin and Ofir Arkin, ©sys-security.com.

TCP based remote OS fingerprinting is quite old and well-known these days; here we would like to introduce an alternative method to determine an OS remotely based on ICMP responses which are received from the host. A certain accuracy level has been achieved with different platforms, which, with some systems or classes of platforms (e.g. Win), is significantly more precise than demonstrated with TCP based fingerprinting methods.

ICMP Usage in Scanning Or Understanding some of the ICMP Protocol’s Hazards

Published on 2000, by Ofir Arkin, ©sys-security.com.

The Internet Control Message Protocol is one of the most debated protocols in the TCP/IP protocol suite regarding its security hazards. There is no consensus between the experts in charge of securing Internet networks (Firewall Administrators, Network Administrators, System Administrators, Security Officers, etc.) regarding the actions that should be taken to secure their network infrastructure in order to prevent those risks.

Identifying ICMP Hackery Tools Used In The Wild Today

Published on December 04, 2000, by Ofir Arkin, www.sys-security.com.

Several tools exist in the wild today that allow a malicious computer attacker to send crafted ICMP datagrams. Those datagrams can be used for various tasks: host detection, advanced host detection, Operating System Fingerprinting and more. This article will examine whether we can identify the different tools used for ICMP hackery that are available in the wild today. If we can identify the tool, we may be able to identify the underlying operating system or a number of operating systems that this tool might be running on top of. We will use the fact that some of these tools inherit some values from the underlying OS. This will be done passively, without actively querying the malicious computer attacker's machine.

IDing remote hosts, without them knowing - Passive Fingerprinting

Published on 2000-04-27, by Lance Spitzner, ©Project Honeynet.

One of the challenges of network security is learning about the bad guys. To understand your threats and better protect against them, you have to Know Your Enemy. Passive Fingerprinting is a method to learn more about the enemy, without them knowing it. Specifically, you can determine the operating system and other characteristics of the remote host using nothing more than sniffer traces. Though not 100% accurate, you can get surprisingly good results. Craig Smith has developed a proof of concept tool based on the concepts covered in this paper. Also, the subterrain crew has developed siphon, a passive port mapping and OS fingerprinting tool.

Introduction to HTTP fingerprinting (An)

Published on 2003-11-30, by Saumil Shah, ©Saumil Shah.

HTTP Fingerprinting is a relatively new topic of discussion in the context of application security. One of the biggest challenges of maintaining a high level of network security is to have a complete and accurate inventory of networked assets. Web servers and web applications have now become a part of the scope of a network security assessment exercise. In this paper, we present techniques to identify various types of HTTP servers. We shall discuss some of the problems faced in inventorying HTTP servers and how we can overcome them.

Passive Host Fingerprinting

Published on 2001, by Max Vision, ©Whitehats, Inc.

Passive Host Fingerprinting is the practice of determining a remote operating system by measuring the peculiarities of observed traffic without actively sending probes to the host. Traditional active OS fingerprinting is accomplished by sending various standard and nonstandard probes to the host in question to elicit responses that can be measured and compared to known fingerprints. The following examples describe some observed peculiarities between Microsoft Windows 2000 5.0.2195 and Redhat Linux 6.1. The purpose of this write-up is to publicize the discussion of passive fingerprinting and hopefully to receive some feedback from the security community regarding their own experiences or knowledge of OS peculiarities.

Passive System Fingerprinting using Network Client Applications

Published on November 27, 2000, by Jose Nazario, ©Crimelabs Security Group.

Passive target fingerprinting involves the utilization of network traffic between two hosts by a third system to identify the types of systems being used. Because no data is sent to either system by the monitoring party, detection approaches the impossible. Methods which rely solely on the IP options present in n

Port 0 OS Fingerprinting

Published on 2003, by Ste Jones, ©Ste Jones.

There are 65536 tcp / udp ports available to any normal TCP/IP stack. The range is from 0 -> 65535, which is then split into multiple groups. For example 0 -> 1024 is known as the reserved port range (traditionally only root can assign programs to ports in this range) and the ephemeral port range from 1025 -> 65535. The ephemeral port range can also be split into two groups known as high and low port ranges. These two groups are set by the OS, but can normally be tweaked by changing specific options within the kernel.

Practical approach for defeating Nmap OS-Fingerprinting (A)

Published on 2003, by David Barroso Berrueta, ©voodoo.

Remote OS Fingerprinting is becoming more and more important, not only for security pen-testers, but for the black-hat. Just because Nmap is gaining popularity as the tool for guessing which OS is running in a remote system, some security tools have been developed to fake Nmap in its OS Fingerprinting purpose. This paper describes different solutions to defeat Nmap and behave like another chosen operating system, as well as a demonstration of how it can be accomplished.

Remote active OS fingerprinting tool using ICMP (A)

Published on 2002, by Ofir Arkin, ©sys-security.com.

During the winter of 2000 I started researching the Internet Control Message Protocol (ICMP). The protocol goals and features were outlined in RFC 792 (and then later in RFCs 1122, 1256, 1349, 1812) as a means to send error messages for nontransient error conditions, and to provide a way to probe the network in order to determine general characteristics about it. My goal was to go through the relevant RFCs quickly and then continue with other more interesting protocols. Instead, I found that ICMP can be used to fingerprint operating systems.

Remote OS Detection via TCP/IP Fingerprinting (2nd Generation)

Published on 2006, by Fyodor, ©Fyodor.

When exploring a network for security auditing or inventory/administration, you usually want to know more than the bare IP addresses of identified machines. Your reaction to discovering a printer may be very different than to finding a router, wireless access point, telephone PBX, game console, Windows desktop, or UNIX server. Finer grained detection (such as distinguishing Mac OS X 10.4 from 10.3) is useful for determining vulnerability to specific flaws and for tailoring effective exploits for those vulnerabilities.

In part due to its value to attackers, many systems are tight-lipped about their exact nature and operating system configuration. Fortunately, Nmap includes a huge database of heuristics for identifying thousands of different systems based on how they respond to a selection of TCP/IP probes. Another system (part of version detection) interrogates open TCP or UDP ports to determine device type and OS details. Results of these two systems are reported independently so that you can identify combinations such as a Checkpoint firewall forwarding port 80 to a Windows IIS server.

While Nmap has supported OS detection since 1998, this article describes the 2nd generation system which debuted in 2006.

Remote OS detection via TCP/IP Stack FingerPrinting

Published on October 18, 1998, by Fyodor, ©Fyodor.

This paper discusses how to glean precious information about a host by querying its TCP/IP stack. I first present some of the "classical" methods of determining host OS which do not involve stack fingerprinting, then describe the current "state of the art" in stack fingerprinting tools. Next comes a description of many techniques for causing the remote host to leak information about itself. Finally I detail my (nmap) implementation of this, followed by a snapshot gained from nmap which discloses what OS is running on many popular Internet sites.

TCP/IP Stack Fingerprinting Principles

Published on October 25, 2000, by Thomas Glaser, ©SANS Institute.

Reconnaissance is a practice used by skilled hackers to size up and gather information about their target. There are several ways to go about gathering any given piece of information regarding a target that would yield vulnerability. One of the most important pieces of information that a hacker could have is the flavor and version of the operating system of a remote host. With information in regards to the flavor and version of the operating system, a hacker could look for any number of possible vulnerabilities via information on the web that are specific to that operating system and version.

What is AMap and how does it fingerprint applications?

Published on 2003, by Antonia Rana, ©SANS Institute.

Gathering information about a remote host is often the first step in launching an attack. In order to break into a system exploiting some kind of vulnerability it is important to find as much information as possible. Port scanning, OS fingerprinting, banner grabbing are only some of the techniques that can be used. This paper summarises briefly the most common intelligence gathering techniques in use today, describing some of the tools that employ such techniques. Finally, a tool (amap) is presented which can be used to probe remote systems in the attempt to recognise an application listening on a non standard port.

X - Remote ICMP Based OS Fingerprinting Techniques

Published on 2001, by Fyodor Yarochkin and Ofir Arkin, ©sys-security.com.

Xprobe v2.0 A "Fuzzy" Approach to Remote Active Operating System Fingerprinting

Published on 2002-08-02, by Ofir Arkin and Fyodor Yarochkin, ©sys-security.com.

The tools used today for remote active operating system fingerprinting use a signature database to perform a match between the results they receive from a targeted machine and known operating system fingerprints. Usually, the process is done by utilizing strict signature match

Created: 2004-12-08 07:08 | Modified: 2007-03-26 00:16 | Size: 55233 octets