OS Fingerprinting

Open ports that have been uncovered during the port scanning phase need to be further investigated. The mere existence of an open port does not mean a vulnerability exists; attackers must probe for more information to determine whether any vulnerabilities that are present can be exploited. The open ports that are discovered provide clues to which operating system (OS) the target is running. Determining the OS that is running on a specific target is the purpose of OS fingerprinting, and once the OS is identified it is possible to better focus the attacks that come later. To identify an OS, two different methods can be utilized: active fingerprinting or passive fingerprinting.

OS fingerprinting relies on the unique characteristics that each OS exhibits during normal operation. Each OS responds to communication attempts in slightly different ways, and those differences provide the clues from which a well-educated guess about the system in place can be made. To observe these characteristics, active fingerprinting probes a system to generate a response, while passive fingerprinting listens to a system's communications for details about the OS.

Active OS Fingerprinting

Active OS fingerprinting is accomplished by sending specially crafted packets to the targeted system. In practice, multiple probes or triggers are sent from the scanning system to the target, and when the responses come back they are compared against known OS behavior so that an educated guess can be made as to the OS that is present. Though it may appear otherwise, active OS identification has become an accurate method of determining the system in place, because the tools have improved considerably over the years.

Xprobe2

Xprobe2, a commonly used active fingerprinting tool, relies on a unique method to identify an operating system known as fuzzy signature matching. This method consists of performing a series of tests against a certain target and collecting the results. The results are then analyzed to determine the probability that a system is running a specific OS. Xprobe2 cannot say definitively which OS is running but instead uses the results to infer what system is running. As an example, running Xprobe2 against a targeted system yields the following results:

The results that Xprobe2 presents here are the probabilities that the system is running each given OS. Xprobe2 ships with several predefined profiles for different OSs, and the collected test results are compared against these profiles to produce the scores shown. Three OSs match the profiles to different degrees: Windows 10 scores 75 percent and the others score quite low, so it can be assumed with some confidence that Windows 10 is in place. This score is the measure by which Xprobe2 decides which OS the target computer is most likely running.

Nmap

Valuable in OS fingerprinting as well as port scanning, Nmap can provide reliable data on which operating system is present. Nmap is effective at identifying the OSs of networked devices and generally can provide results that are highly accurate. Several Nmap options that can be used to fine-tune the scan include:

  • -sV Application version detection

  • -O   OS fingerprinting

  • -A   Both of the previous options

An example of an Nmap scan with the -O option is shown here:

Nmap has identified this system as Linux along with detecting version and uptime information. An attacker gaining this information can now target an attack to make it more effective because it would be possible to focus on only those exploits that are appropriate—for example, no Windows attacks. Nmap is capable of identifying commonly encountered network devices and is a tool that should not be overlooked.

Passive OS Fingerprinting

The alternative to active fingerprinting is passive fingerprinting, which approaches the process differently. Passive fingerprinting, by design, does not interact with the target system itself. It is a passive tool that monitors or captures network traffic. The traffic monitored is analyzed for patterns that would suggest which OSs are in use. Passive OS fingerprinting tools simply sniff network traffic and then match that traffic to specific OS signatures. The database of known patterns can be updated from time to time as new OSs are released and updated. As an example, a tool may have a fingerprint for Windows 7 but will need to be updated to include Windows 10.

A passive identification requires larger amounts of traffic but offers a level of stealth. It is much harder to detect these tools because they do not perform any action that would reveal their presence. These tools are similar in that they examine specific types of information found in IP and TCP headers. Although you do not need to understand the inner workings of TCP/IP to use these tools, you should have a basic understanding as to what areas of these headers these tools examine. These include:

  • TTL value (different OSs will start with different time-to-live values)

  • Don’t fragment bit (DF) (different OSs might or might not set the DF bit)

  • Type of service (TOS) (different OSs might set varying TOS, if at all)

  • Window size (different OSs will initiate with different TCP window sizes)

Although most header values conform to the standards that define TCP/IP, the standards leave these values flexible enough that the choices an OS makes reveal which system most likely sent the packet.
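To make the header fields listed above concrete, here is an added example (not from the book or from any fingerprinting tool) that parses a raw IPv4+TCP SYN, extracts TTL, DF bit, TOS and window size, and scores the result against a small constructed signature table in the same fuzzy, percentage style described for Xprobe2. The signature values and the sample packet are constructed for illustration and are not p0f's database; a defender can use the same logic over captured traffic to spot hosts whose apparent OS does not match the asset inventory.

```python
import struct

# Constructed, illustrative signature table (not p0f's real database): the
# starting TTL, DF-bit usage and initial TCP window size typical of each OS.
SIGNATURES = {
    "Linux": {"ttl": 64, "df": True, "window": 29200},
    "Windows": {"ttl": 128, "df": True, "window": 64240},
    "Cisco IOS": {"ttl": 255, "df": False, "window": 4128},
}

def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common starting value.
    Routers decrement TTL once per hop, so a TTL of 61 most likely began at 64."""
    return next((start for start in (64, 128, 255) if observed <= start), 255)

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the header fields passive fingerprinting examines out of a raw IPv4+TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4                               # IPv4 header length in bytes
    tos = pkt[1]                                            # type of service / DSCP byte
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)    # don't-fragment flag
    ttl = pkt[8]
    if pkt[9] != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    window = struct.unpack("!H", tcp[14:16])[0]             # advertised TCP window
    syn_only = (tcp[13] & 0x12) == 0x02                     # SYN set, ACK clear: new connection
    return {"ttl": ttl, "initial_ttl": initial_ttl(ttl), "df": df,
            "tos": tos, "window": window, "syn": syn_only}

def fingerprint(fields: dict) -> list:
    """Score every signature by the percentage of fields it matches, best first."""
    checks = (("ttl", fields["initial_ttl"]), ("df", fields["df"]), ("window", fields["window"]))
    scored = [(name, round(100 * sum(sig[k] == v for k, v in checks) / len(checks)))
              for name, sig in SIGNATURES.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)

def build_syn(ttl: int, df: bool, tos: int, window: int) -> bytes:
    """Construct a minimal IPv4+TCP SYN (checksums left zero; used only for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Constructed sample: a SYN that has crossed three routers (TTL 64 -> 61).
    captured = build_syn(ttl=61, df=True, tos=0, window=29200)
    print(fingerprint(parse_ipv4_tcp(captured)))   # Linux scores 100, Windows 33
```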

The p0f Tool

One tool for performing passive OS fingerprinting is p0f, which identifies an OS using purely passive techniques. That means p0f can identify the target without placing any additional traffic on the network that could lead to detection. The tool attempts to fingerprint a system based on the connections it observes being attempted.

The following results have been generated using p0f:

Once p0f is running, it will attempt to identify the system that is being connected to, based on the traffic that it observes. The previous example shows that p0f has identified the system in question as being a distribution of Linux known as RedHat.
