If an attacker can determine which operating system a targeted computer is running, they can focus on the vulnerabilities known to affect that operating system. OS fingerprinting is used by security professionals and attackers alike to map remote networks and determine which vulnerabilities might be present. It is a tactic used by cyber-criminals and ethical hackers to figure out what operating system a target computer on a network is running: by analyzing certain protocol flags, options, and data in the packets a device sends onto the network, they can make relatively accurate guesses about the OS that sent those packets.
OS fingerprinting works only on packets that belong to a full TCP connection; that is, the connection should complete the SYN, SYN/ACK, and ACK handshake.
There are two types of OS fingerprinting:
Active OS Fingerprinting
Active OS fingerprinting determines a target's OS by sending carefully crafted packets to the target system and examining the TCP/IP behavior of the responses. The main reason an attacker may instead prefer a passive approach is to reduce the risk of being caught by an IDS, IPS, or firewall: properly configured, implemented, and maintained IDSes, IPSes, and firewalls can mitigate active fingerprinting. In other words, active fingerprinting challenges the target machine to see what happens.
Active fingerprinting works by sending packets to a target and analyzing the packets that are sent back. Almost all active fingerprinting these days is done with Nmap.
Nmap is usually used by network administrators to monitor the security of their networks, but it is an effective application for both admins and attackers. Nmap sends probes to many different TCP/IP ports and analyzes what is returned; its scripting then analyzes that data and prints results useful for OS fingerprinting. Running an OS fingerprinting scan in Nmap is as simple as typing:
nmap -A ip_address_or_domain_name_of_target
(The -A option enables OS detection together with version detection, script scanning and traceroute; -O runs OS detection on its own.)
Passive OS Fingerprinting
Passive OS fingerprinting is more effective at avoiding detection or being stopped by a firewall; it examines a passively collected sample of packets from a host. Passive fingerprinting uses a pcap (packet capture) API: on GNU/Linux and BSD/Unix operating systems pcap is provided by the libpcap library, and for Windows there is a port of libpcap called WinPcap. Passive fingerprinting can guess a target's OS because different OSes have different TCP/IP implementations.
Passive OS fingerprinting is less accurate than active OS fingerprinting, but may be the technique chosen by an attacker or penetration tester who wants to avoid detection. Passive fingerprinting can be mitigated by ensuring that NICs (network interface cards) do not operate in promiscuous mode.
The following four elements are examined to determine the operating system:
- TTL: the Time-To-Live value the operating system sets on outbound packets.
- Window Size: the TCP window size the operating system sets.
- DF: whether the operating system sets the Don't Fragment bit.
- TOS: whether the operating system sets the Type of Service field.
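As an added example (not code from the page or from any of the tools it lists), the following pure-Python matcher pulls these four fields out of a raw IPv4/TCP SYN header and looks them up in a small signature table, the way a passive tool would when doing asset inventory from captured traffic. It goes one step beyond the list above by first recovering the likely initial TTL, which also yields an estimated hop count; the signature values and the build_syn helper are constructed for offline demonstration and are not a real p0f or Nmap database.

```python
import struct

# Constructed, simplified signature table keyed by (initial TTL, window size, DF, TOS).
# The values are illustrative and are not a real p0f or Nmap signature database.
SIGNATURES = {
    (64, 29200, True, 0x00): "Linux (constructed signature)",
    (128, 8192, True, 0x00): "Windows (constructed signature)",
    (255, 4128, False, 0x00): "Cisco IOS (constructed signature)",
}
INITIAL_TTLS = (32, 64, 128, 255)  # initial TTL values commonly used by TCP/IP stacks

def parse_ipv4_tcp(pkt):
    """Extract TTL, window size, DF flag and TOS from a raw IPv4+TCP header (bare SYN only)."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    tos = pkt[1]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)  # Don't Fragment bit
    ttl = pkt[8]
    if pkt[9] != 6:                                # protocol 6 = TCP
        return None
    tcp_flags = pkt[ihl + 13]
    if tcp_flags & 0x12 != 0x02:                   # SYN set, ACK clear
        return None
    window = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]
    return {"ttl": ttl, "window": window, "df": df, "tos": tos}

def guess_initial_ttl(ttl):
    """Each router hop decrements TTL; round the observed value up to the nearest common initial TTL."""
    return next((t for t in INITIAL_TTLS if ttl <= t), 255)

def fingerprint(pkt):
    """Return (os_label, estimated_hop_count) for a captured SYN, or None if the packet is not a bare SYN."""
    fields = parse_ipv4_tcp(pkt)
    if fields is None:
        return None
    init_ttl = guess_initial_ttl(fields["ttl"])
    key = (init_ttl, fields["window"], fields["df"], fields["tos"])
    return SIGNATURES.get(key, "unknown"), init_ttl - fields["ttl"]

def build_syn(ttl, window, df, tos=0, flags=0x02):
    """Build a constructed 40-byte IPv4+TCP header for offline testing (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Observed TTLs of 61, 120 and 250 imply 3, 8 and 5 hops from the constructed sources.
    for ttl, win, df in ((61, 29200, True), (120, 8192, True), (250, 4128, False)):
        print(fingerprint(build_syn(ttl, win, df)))
```

On live traffic the same fields would be read from frames delivered by a pcap handle rather than from build_syn; a mismatch on any one field falls through to "unknown", which is why real tools keep large signature databases.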
Source: zerosuniverse.com and infosecinstitute.com
Tools Used for OS Fingerprinting
P0f – passive: an OS fingerprinting tool that uses an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communication (often from as little as a single normal SYN) without interfering in any way.
Ettercap – passive: a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly, and many other tricks, and supports active and passive dissection of many protocols.
XProbe2 – active: an active OS fingerprinting tool that takes a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database.