TCP also uses a set of control bits or flags. These flags are used to control the flow of data and the state of a connection. Some common flags include:
- URG: Specifies urgent data.
- ACK: Specifies an acknowledgment. The acknowledgment number field is significant and should be examined by the recipient.
- RST: Specifies a reset. RST can be used to terminate a connection that is experiencing problems.
- SYN: Specifies a synchronization. The SYN is used to start up a session.
- FIN: Specifies a finish. A FIN is used at the conclusion of a connection to signal a session teardown.
Passive fingerprinting is hard to detect. It does not inject traffic into a network and works much like a packet sniffer. Passive fingerprinting tools examine packets and look at default values in the IP, ICMP and TCP headers to determine the type of operating system that created the packets. Passive fingerprinting may not be as accurate as active fingerprinting, but it is stealthy. Programs such as Siphon, Ettercap and p0f are all tools based on the passive fingerprinting concept. To get more background on passive fingerprinting, consider reviewing this article from the Honeynet Project: Know your enemy: Passive fingerprinting.
To get a better idea of how passive fingerprinting tools work, let's look more closely at the program p0f. This passive fingerprinting tool uses the p0f.fp file to store known OS fingerprints. A small portion of that file is shown here:
----------------- MacOS -------------------
32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2
----------------- OpenBSD -----------------
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4
Look closely at the first entry while I briefly describe the first four fields. First, the value "32768" is the TCP initial window size. Next, the value "255" is the IP time-to-live (TTL). This is followed by a "1" that denotes the IP don't-fragment bit. The fourth field, "48," defines the total length in bytes of the TCP SYN packet. These attributes uniquely define a Mac OS 9 operating system. Compare these values with those shown in the entry for OpenBSD. You should see quite a bit of difference. What this means is that each vendor uses slightly different values when designing an OS, and these differences can be used to identify the system. If you would like to learn more about p0f, check out the p0f application's home page.
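To make the field layout concrete, here is an added example (not code from the article or from p0f itself) that parses the two p0f.fp entries quoted above and matches a constructed SYN's attributes against them. The database text, the observed packet values, the MAX_HOPS allowance and the simplified window-size and option handling are all assumptions made for this example.

```python
# Constructed sample database: the two entries quoted from p0f.fp above.
P0F_DB = """\
----------------- MacOS -------------------
32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2
----------------- OpenBSD -----------------
16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4
"""

# Assumed hop allowance: a packet may have lost at most this many TTL units
# in transit before its initial TTL is no longer considered recoverable.
MAX_HOPS = 32


def parse_p0f_db(text):
    """Parse p0f.fp-style lines: wss:ttl:df:size:options:quirks:OS:details."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):   # banners and comments
            continue
        wss, ttl, df, size, opts, quirks, os_name, details = line.split(":", 7)
        sigs.append({"wss": wss, "ttl": int(ttl), "df": int(df),
                     "size": int(size), "opts": opts.split(","),
                     "quirks": quirks, "os": os_name, "details": details})
    return sigs


def option_matches(pattern, observed):
    """'M*' matches any MSS value, 'W*' any window scale; otherwise exact."""
    if pattern.endswith("*"):
        return observed.startswith(pattern[:-1])
    return pattern == observed


def match_syn(sigs, wss, ttl, df, size, opts):
    """Return 'OS:details' labels whose signature fits the observed SYN."""
    hits = []
    for s in sigs:
        # Window size: only literal values and '*' are handled here (p0f.fp
        # also allows forms such as S4 or %64, which this matcher skips).
        if s["wss"] != "*" and (not s["wss"].isdigit() or int(s["wss"]) != wss):
            continue
        # The observed TTL is the initial TTL minus hops traversed, so it must
        # be at or below the signature value, but not by more than MAX_HOPS.
        if not (s["ttl"] - MAX_HOPS < ttl <= s["ttl"]):
            continue
        if s["df"] != df or s["size"] != size or len(s["opts"]) != len(opts):
            continue
        if all(option_matches(p, o) for p, o in zip(s["opts"], opts)):
            hits.append(f'{s["os"]}:{s["details"]}')
    return hits
```

A SYN seen with window 16384, TTL 60, DF set, 64 bytes and options M1460,N,N,S,N,W0,N,N,T matches only the OpenBSD entry, because the TTL rule rejects the Mac OS signature's initial TTL of 255.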
Active fingerprinting isn't low-key like passive fingerprinting. Whereas passive fingerprinting cannot be detected by an intrusion detection system (IDS), active fingerprinting can. What active fingerprinting provides for hackers in exchange is much more accuracy. Active fingerprinting works by sending oddly formatted TCP packets; each target operating system responds differently to these malformed packets. Active fingerprinting tools include Xprobe2 and Nmap.
Nmap works by sending out different types of packets to the target host. Once Nmap has identified at least one open and one closed port, it can begin the actual OS identification. Nmap can send out a stream of packets with different TCP flag settings or TCP options. The hope is that one of these packets will cause the targeted system to respond. As an example, one such scan sends a TCP packet with the flag settings of SYN, FIN, PUSH and URGENT. This is not a normal packet.
Defenses against passive scanning are limited, but IDS tools can be used to detect active fingerprinting. Snort can be used to pattern match against known active fingerprinting scans. Morph is another option. Morph is an OS fingerprint confusion tool that attempts to confuse active fingerprinting tools so that they cannot make an accurate discovery.
Whatever your choice, what's important is to understand how these techniques work so that you can better defend against them.
About the author:
Michael Gregg has more than 15 years of experience in IT. Michael is the president of Superior Solutions Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He currently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.
This was first published in December 2006