OSI: Securing the Stack, Layer 4 -- Fingerprinting

At Layer 4 of the OSI model, the transport layer, a major security threat is fingerprinting. Learn how active and passive fingerprinting can endanger your network -- and what you can do to prevent fingerprinting -- in this tip, part of our "Securing the Stack" series by Michael Gregg.

Layer 4 of the OSI model is the transport layer. The transport layer is in the middle of the OSI model, with three layers below and three layers above. In this article, I discuss fingerprinting and how it is related to the transport layer. Fingerprinting is the act of operating system (OS) To better understand how fingerprinting works, we first need to review some transport layer basics. identification. For example, is the client running...

MAC OS 10, BSD or Windows 2003 Server?

Securing the stack series
Bookmark this index for our securing the stack series.
Two protocols are primarily associated with the transport layer: First, there is User Datagram Protocol (UDP), which is a connectionless protocol. UDP offers no mechanisms for reliability; it was designed for speed. Next, there is Transmission Control Protocol (TCP), which is connection-oriented and is designed for reliability. TCP provides reliability by using flow control, checksums for error detection, sequence and acknowledgment numbers, a defined window size, and even a startup and shutdown process.

TCP also uses a set of control bits or flags. These flags are used to control the flow of data. Some common flags include:

  • URG: Specifies urgent data.
  • ACK: Specifies a value. The acknowledgment sequence number is significant and should be examined by the recipient.
  • RST: Specifies a reset. RST can be used to terminate a connection that is experiencing problems.
  • SYN: Specifies a synchronization. The SYN is used to start up a session.
  • FIN: Specifies a finish. A FIN is used at the conclusion of connection to signal a session teardown.
Both TCP and UDP act as middlemen in that they are responsible for making a connection. Specifically, the transport layer is responsible for host-to-host connectivity. When thinking of connectivity, imagine a phone call. The very act of hearing someone answer a phone can (usually) tell you a lot about them -- whether they are young or old, male or female. Fingerprinting works in much the same way, as the attacker is attempting to identify the target. The target needs to be identified before an attack can be launched. Fingerprinting can be an active or passive activity.

Passive fingerprinting

Passive fingerprinting is hard to detect. It does not inject traffic into a network and works much like a packet sniffer. Passive fingerprinting tools examine packets and look at default values in the IP, ICMP and TCP header to determine the type of operating system that created the packets. Passive fingerprinting may not be as accurate as active fingerprinting, but it is stealthy. Programs such as Siphon, Ettercap and p0f are all tools based on the passive fingerprint concept. To get more background on passive fingerprinting, consider reviewing this article from the Honeynet Project: Know your enemy: Passive fingerprinting.

To get a better idea of how passive fingerprinting tools work, let's look more closely at the program p0f. This passive fingerprinting tool uses the p0f.fp file to store known OS fingerprints. A small portion of that file is shown here:

----------------- MacOS -------------------
32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2
----------------- OpenBSD -----------------
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4

Look closely at the first entry while I briefly describe the first four fields. First, the value "32768" is the TCP initial window size. Next, the value "255" is the IP time-to-live (TTL). This is followed by a "1" that denotes the IP don't-fragment bit. The fourth field, "48," defines the total length in bytes of the TCP SYN packet. These attributes uniquely define a MAC OS 9 operating system. Compare these values with those shown in the entry for OpenBSD. You should see quite a bit of difference. What this means is that each vendor uses slightly different values when designing an OS. These differences can be used to identify the system. If you would like to learn more about p0f, check out the p0f applications home page.

Active fingerprinting

Active fingerprinting isn't low-key like passive fingerprinting. Whereas passive fingerprinting cannot be detected by an intrusion detection system (IDS), active fingerprinting can. What active fingerprinting provides for hackers is much more accuracy. Active fingerprinting functions by sending oddly formatted TCP packets. The result is that each target responds differently to these malformed packets. Active fingerprinting tools include Xprobe2 and Nmap.

Nmap works by sending out different types of packets to the target host. Once Nmap has identified at least one open and one closed port, it can begin the actual OS identification. Nmap can send out a stream of packets with different TCP flag settings or TCP options. The hope is that one of these packets will cause the targeted system to respond. As an example, one such scan sends a TCP packet with the flag settings of SYN, FIN, PUSH and URGENT. This is not a normal packet.

Defenses against passive scanning are limited, but IDS tools can be used to detect active fingerprinting. Snort can be used to pattern match against known active fingerprinting scans. Morph is another option. Morph is an OS fingerprint confusion tool that attempts to confuse active fingerprinting tools so that they cannot make an accurate discovery.

Whatever your choice, what's important is to understand how these techniques work so that you can better defend against them.

About the author:
Michael Gregg has more than 15 years of experience in IT. Michael is the president of Superior Solutions Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He currently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.

This was first published in December 2006

Dig deeper on The OSI Model

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close