miércoles, 29 de mayo de 2019

OS fingerprinting: a brief history

In this post I will show some historical techniques, tools and countermeasures I will be showing in Derevolutionizing OS Fingerprinting: The Cat and Mouse Game at Defcon China.

OS fingerprinting describes the method of utilising gathered information of a target host to find out what OS the machine is running on.

Wikipedia describes it as:
“ TCP/IP stack fingerprinting is the passive collection of configuration attributes from a remote device during standard layer 4 network communications. The combination of parameters may then be used to infer the remote machine's operating system (aka, OS fingerprinting), or incorporated into a device fingerprint ”
There are multiple approaches for finding out the OS of an unknown host without having an account, or any way of logging on the machine:
  • Banner Information & Manual Reconnaissance
  • Active Fingerprinting
  • Passive Fingerprinting
  • Timing Analysis Fingerprinting


Other services that send back ‘free’ useful information include IMAP,POP2, POP3, SMTP, SSH, NNTP and FINGER.  This technique is reasonably reliable even now and automated tools exist to make the process simple and painless.

Even, with access to remote host, you could play with the following commands until you get what you want:
  • uname -a, or uname -o or uname -v
  • lsb_release -a
  • cat /proc/version
  • cat /etc/*-release
  • cat /etc/issue*

A more primitive approach is to port scan the machine using any of the common port scanners freely available and examine the returned list of listening ports for patterns common to a particular OS.

Banners can also be revealed in an indirect way too, for example email headers often contain the version string of the client that is used by a user, and sometimes the OS version also.

Another example could be the SYST commando in FTP; a SYST request asks for information about the server's operating system. The server accepts this request with code 215. For example:

Examples from other servers:

  • 215 UNIX Type: L8 Version: BSD-44
  • 215 NetWare system type.
  • 215 MACOS Peter's Server
  • 215 AmigaOS

Another way to get more information is analysing offered files, like trying to download:
  • compress
  • ls
  • tar
  • gzip
  • gunzip
  • compress
  • zcat
  • etc.
Then, use the file command to determine the file type:

Finally, it may be possible to determine the OS of a system by a non-technical solution, such as social engineering.  Learning about the target through phone calls, chatting to the System Administrator, or even a public site tour are all possibilities


Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies.

This allows the scanner to obtain more accurate results than a passive scanner, and in a shorter amount of time. The traditional approach is to examine the TCP/IP stack behaviour of a targeted network element when probed with several legitimate packets
  • Nmap is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.
  • Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses and multiple simultaneous matches, and a signature database.
  • Queso: Hispanic shortcut to “Que Sistema Operativo”, with translates into "Which Operating System". Sends different types of packets to open ports on targets hosts, each one with different TCP headers, and compares the responses with the config file, where the different Ones are described


Passive fingerprinting is the process of analysing packets from a host on a network. In this case, the fingerprinter acts as a sniffer and doesn’t put any traffic on a network. It is called passive because it doesn’t involve communicating with the host being examined.Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Passive scanners are generally and inherently less accurate than active scanners, due to the fact they have less control over the data they are analyzing.
  • p0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
  • Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. 


A device will generally issue a DHCP request on the network upon connection. It is the DHCP client of the operating system that issues a DHCP request on the network. When doing so, it asks for DHCP options (like DNS Server, WINS server, default gateway, etc.).

The order in which the DHCP client asks for those options is relatively unique and identifies the specific operating system version. The same principle applies to DHCPv6.

There is a great paper from Eric Kollmann, called Chatter on the Wire: a look at DHCP traffic that explains this technique.

Also, Satori performs passive OS identification on any packets it sees. It can parse and utilize the following packet types: DHCP, TCP (syn and syn/ack), ICMP, SMB, CDP, plus many others.



The Linux IP Personality patch adds to Linux 2.4 kernel the ability to have different 'personalities' network wise, that is to change some characteristics of its network traffic, depending on different parameters (anything you can specify in an iptables rule: src/dst IP address, TCP or UDP port, etc.)

The characteristics that can be changed are:
  • TCP Initial Sequence Number (ISN)
  • TCP initial window size
  • TCP options (their types, values and order in the packet)
  • IP ID numbers
  • answers to some pathological TCP packets
  • answers to some UDP packets

They are deeply configurable. This patch relies on the framework created by Rusty Russel: netfilter. More precisely, the patch adds a new iptables target (in a kernel module) that can be used in the mangle table with a (patched) iptables.


Stealth patch works for Linux kernels of version 2.2.19 through 2.2.22 and of version 2.4.19. When this patch is applied, all packets with both FIN and SYN flag set are discarded. Furthermore, all packets with one specific reserved bit set and all packets that match nmaps probe 2 (this means the ACK, FIN, RST and SYN flags are not set) are dropped

Though the Stealth Patch does not enable a host to fein being some other operating system, it still can confuse a fingerprinting application by droping specific packets that are typical for a OS detector. The downside of an unmodified Stealth Patch is, since only a few kernel versions were supported, this behaviour could give away valuable info to a fingerprinter again.


In contrary to the described methods up to now, IPlog is not a kernel module but a standalone application. Although mainly written for detecting port scans, it includes the ability to try to fool nmap. It detects TCP Null and FIN scans, UDP and ICMP ”smurf” attacks, bogus TCP flags, TCP SYN and ”Xmas” scans.


Kernel module available for version 2.2 that also tries to hide original OS and act as a different one. Per default, it will emulate the behaviour of a VAX device, but it can be configured by parsing a nmap signature file and hands over the values to the module.


Morph handles inbound and outbound packets and change TCP, UDP, ICMP and IP headers to reflect selected OS. Worked under Linux, and under development for OpenBSD, FreeBSD and NetBSD. Built on Packet Purgatory Library (relies on libpcap and libdnet libraries), that acts as a wedge between OS kernel and network interface running in user land.

The  key  variable  in  these  functions  is  the  variable  packet.  This  is  a  buffer  that contains  the  contents  of  the  packet.  If  the  packet  handler  functions  returns  zero, whatever  is  in  the  buffer  at  that  time  will  be  reinjected  to  the  network.  So  by modifying the buffer, it modify the packet that will be sent/received.

The  inbound  packet  handler  will  be  called  for  each  packet  heading  out  from  the system  running  Packet  Purgatory,  before  that  packet  reaches  the  network,  and  the inbound  packet  handler  will  be  called  for  each  packet  inbound  to  the  system,  but before  the  system's  kernel  starts  processing  it. The  State  Table  works  when  ever  host  sends  packet  by generating a “random” sequence number based on emulated OS. State table maintains session sequence number offset  information. Hence, Sequence number gets modified on the way to remote OS.

EVOLUTION: OSfooler-ng

OSfooler-ng has been complete rewriten from the ground up, being highly portable, more efficient and combining all known techniques to detect and defeat at the same time:
  • Active remote OS fingerprinting: like Nmap
  • Passive remote OS fingeprinting: like p0f v2
  • Commercial engines like Sourcefire’s FireSiGHT OS fingerprinting

Some additional features are:
  • No need for kernel modification or patches
  • Simple user interface and several logging features
  • Transparent for users, internal process and services
  • Detecting and defeating mode: active, passive & combined
  • Will emulate any OS
  • Capable of handling updated nmap and p0f v2 fingerprint database
  • Undetectable for the attacker

In future posts, we will see more in detail the operation of nmap and p0f v2, and how OSfooler-ng can defeat both tools and their analysis techniques.

1 comentario: