Passive Fingerprinting

* Like active fingerprinting, passive fingerprinting relies on differences between TCP/IP stack implementations and the various ways each OS responds.
    * However, instead of scanning the target host, passive fingerprinting captures packets sent by the target host and studies them for tell-tale signs that can reveal the OS.
    * Passive fingerprinting is generally less accurate than active fingerprinting, because the analyst only sees whatever packets the target happens to send rather than responses to chosen probes.


Like active fingerprinting, passive fingerprinting is based on the differences between TCP/IP stack implementations and the various ways an OS responds. However, instead of relying on scanning the target host, passive fingerprinting captures packets sent by the target host and studies them for tell-tale signs that can reveal the OS.

 Note  The four header fields typically examined to determine the operating system are:

TTL - the initial Time To Live value the operating system sets on outbound packets (the sniffer sees that value minus one for every router hop traversed).

Window Size - the TCP Window Size the operating system advertises.

DF - whether the operating system sets the Don't Fragment bit.

TOS - whether the operating system sets the Type of Service field, and if so, to what value.


Passive fingerprinting need not be fully accurate, nor does it have to be limited to these four signatures; by looking at several signatures and combining the information, the accuracy can be improved. The following is the analysis of a sniffed packet dissected by Lance Spitzner in his paper on passive fingerprinting (http://www.honeynet.org/papers/finger/):

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553 Ack: 0xE3C65D7 Win: 0x7D78


Based on the four criteria, the following is identified from the trace:

TTL: 45

Window Size: 0x7D78 (or 32120 in decimal)

DF: The Don't Fragment bit is set

TOS: 0x0

This information is then compared to a database of signatures. The sniffer trace shows a TTL of 45. Operating systems start from a small set of default initial TTLs (32, 64, 128 or 255), and each router hop decrements the value by one, so the original TTL must have been 64 and the packet went through 19 hops to reach the target. A starting TTL of 64 suggests the packet was sent from a Linux or FreeBSD box (though more system signatures need to be added to the database). The hop count can be confirmed by running a traceroute to the remote host.

The next step is to compare the Window Size. This is another effective indicator, specifically which Window Size is used and how often it changes. In the above trace it is 0x7D78 (32120 in decimal), a default Window Size commonly used by Linux. Linux, FreeBSD and Solaris also tend to maintain the same Window Size throughout a session, whereas Cisco routers and Microsoft Windows/NT change their Window Size constantly. The Window Size is a more reliable indicator if measured after the initial three-way handshake, once the advertised window has settled (the paper attributes the early variation to TCP slow start).

Most systems set the DF bit, so it is of limited value; however, that makes it easier to identify the few systems that do not set it (such as SCO or OpenBSD). TOS is also of limited value: it appears to be session-based rather than operating-system-based. In other words, it is not so much the operating system that determines the TOS as the protocol in use. Therefore, based on the information above, specifically the TTL and Window Size, one can compare the results to the database of signatures and determine the OS with a degree of confidence (in this case, Linux kernel 2.2.x).
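The procedure above (parse the four fields out of a sniffed header, infer the initial TTL and hop count, then score the observation against a signature database weighted toward TTL and Window Size) is shown below as an added example in Python. It is not code from Spitzner's paper or from this page. The sample trace is constructed and modelled on the one in the text (TTL 45, TOS 0x0, DF set, Win 0x7D78; the Seq/Ack values are made up), the Linux 2.2.x signature is the one the text describes, and the other two signature entries are hypothetical placeholders that only show the shape of a database.

```python
"""Passive OS fingerprinting over a Snort-style TCP header dump (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample trace, modelled on the packet analysed in the text.
# TTL, TOS, DF and Win are the values the text discusses; Seq/Ack are made up.
SAMPLE_TRACE = """\
04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553 Ack: 0x1A2B3C4D Win: 0x7D78
"""


@dataclass
class Observed:
    ttl: int      # TTL as seen by the sniffer (already decremented per hop)
    window: int   # advertised TCP window
    df: bool      # Don't Fragment bit set?
    tos: int      # Type of Service byte


def parse_snort_header(trace: str) -> Observed:
    """Extract TTL, TOS, DF and Win from a Snort-style TCP header dump."""
    ttl = re.search(r"\bTTL:(\d+)", trace)
    tos = re.search(r"\bTOS:0x([0-9A-Fa-f]+)", trace)
    win = re.search(r"\bWin:\s*0x([0-9A-Fa-f]+)", trace)
    if not (ttl and tos and win):
        raise ValueError("trace is missing TTL, TOS or Win")
    return Observed(
        ttl=int(ttl.group(1)),
        window=int(win.group(1), 16),
        df=re.search(r"\bDF\b", trace) is not None,
        tos=int(tos.group(1), 16),
    )


# Default initial TTLs used by common stacks; an observed TTL is assumed to
# have started at the smallest of these that is not below it.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> Tuple[int, int]:
    """Return (probable initial TTL, hop count). TTL 45 -> (64, 19) as in the text."""
    if not 0 < observed_ttl <= 255:
        raise ValueError(f"TTL {observed_ttl} is not a valid IPv4 TTL")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is the largest possible TTL")


@dataclass(frozen=True)
class Signature:
    os_name: str
    initial_ttl: int
    windows: frozenset   # default window sizes seen for this OS
    df: bool
    tos: int = 0


# Illustrative signature table. Only the Linux 2.2.x entry reflects the text
# (TTL 64, Win 0x7D78, DF set, TOS 0); the other two are hypothetical
# placeholders, not measured values for any real system.
SIGNATURES: List[Signature] = [
    Signature("Linux 2.2.x", 64, frozenset({0x7D78}), True),
    Signature("Hypothetical OS A (TTL 64, DF clear)", 64, frozenset({0x4000}), False),
    Signature("Hypothetical OS B (TTL 128)", 128, frozenset({0x2000, 0x4000}), True),
]


def score(sig: Signature, obs: Observed) -> int:
    """Weight TTL and Window Size heavily; DF and TOS are weak discriminators."""
    initial, _ = infer_initial_ttl(obs.ttl)
    points = 0
    if sig.initial_ttl == initial:
        points += 3                      # TTL: strong signal
    if obs.window in sig.windows:
        points += 3                      # Window Size: strong signal
    if sig.df == obs.df:
        points += 1                      # DF: most systems set it
    if sig.tos == obs.tos:
        points += 1                      # TOS: depends more on protocol than OS
    return points


def fingerprint(trace: str, signatures: Iterable[Signature] = SIGNATURES):
    """Parse one header dump and rank the signature database against it."""
    obs = parse_snort_header(trace)
    ranked = sorted(((score(sig, obs), sig.os_name) for sig in signatures), reverse=True)
    return obs, ranked


def window_is_stable(windows: Iterable[int]) -> bool:
    """True if one advertised window is held for the whole session (Linux/FreeBSD/Solaris
    behaviour per the text); False if it varies (Windows/NT, Cisco)."""
    return len(set(windows)) == 1


if __name__ == "__main__":
    observed, ranking = fingerprint(SAMPLE_TRACE)
    print(observed, infer_initial_ttl(observed.ttl))
    for points, name in ranking:
        print(f"{points:2d}  {name}")
```

With the sample trace the Linux 2.2.x entry scores 8 of 8 and the placeholders trail it, which is the same conclusion the text reaches; feeding several headers from one session to window_is_stable() adds the "does the window change" check the Window Size paragraph describes. A real deployment would replace the placeholder table with a maintained signature database.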

 Threat  Passive fingerprinting can be used for several other purposes. Attackers can use it as 'stealthy' fingerprinting: to determine the operating system of a potential victim such as a web server, one only needs to request a web page from the server and then analyse the sniffer trace of the response. This bypasses the need for an active tool that various IDS systems can detect. Passive fingerprinting may also be used to identify remote proxy firewalls: since proxy firewalls rebuild connections on behalf of clients, it may be possible to identify them from the signatures discussed above. Organizations can use passive fingerprinting to identify 'rogue' systems on their network, that is, systems that are not authorized to be there.
