Information Security

Taeshik Shon

OS Fingerprinting….

Packet Filtering in Intrusion Detection

babylon~> telnet hpux.u-aizu.ac.jpTrying 163.143.103.12 ... Connected to hpux.u-aizu.ac.jp.Escape character is '^]'.

HP-UX hpux B.10.01 A 9000/715 (ttyp2)

login:

Active OS Fingerprinting(old school)

babylon> telnet ftp.netscape.com 21Trying 207.200.74.26 ...Connected to ftp.netscape.com.Escape character is '^]'.220 ftp29 FTP server ready.SYST215 UNIX Type: L8 Version: SUNOS

Active OS Fingerprinting(old school, a bit more advanced)

babylon> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:‘

Server: Microsoft-IIS/4.0babylon>

Here, we send a HTTP GET request to a remote server, and observe the webserver software which is identified in the response.

Active OS Fingerprinting(old school, last example)

• Sys admins usually turn the login banner OS announce off.

• Applications can be configured to lie.• What we really need is a solution that doesn’t

depend upon the honesty of the application.• Enter: New School Active OS Fingerprinting

Downsides to the old school method

• Pioneered by Queso, a now defunct tool, and improved upon by the widely popular nmap.

• Described by Nmap’s author, Fyodor, in his paper “Remote OS detection via TCP/IP Stack FingerPrinting”, October 18, 1998

• http://www.insecure.org/nmap/nmap-fingerprinting-article.html

New school active Fingerprinting

• His basic idea was to send a specially crafted packet, usually with an invalid/strange set of options (which is where OS vendors usually differ in implementation), and see what happens.

• He uses several methods, none of which individually identify the remote OS, but combined together will give you a good idea.

Fyodor’s fingerprint method

• The FIN probe -- Send a FIN packet (or any packet without an ACK or SYN flag) to an open port and wait for a response.

• The correct RFC 793 behavior is to NOT respond, but many broken implementations such as MS Windows, BSDI, CISCO, and IRIX send a RESET back.

Methods used by Nmap

• IPID sampling -- Most operating systems increment a system-wide IPID value for each packet they send. Others, such as OpenBSD, use a random IPID and some systems (like Linux) use an IPID of 0 in many cases where the "Don't Fragment" bit is not set. Windows does not put the IPID in network byte order, so it increments by 256 for each packet.

• Remember that it was the predictability of the IPID field which Bellovin used in his paper “A technique for counting NATted hosts”.

Methods used by Nmap

• TCP Initial Window -- This simply involves checking the window size on returned packets. This test actually gives us a lot of information, since some operating systems can be uniquely identified by the window alone

• AIX is the only OS which uses 0x3F25

• In their "completely rewritten" TCP stack for NT5, Microsoft uses 0x402E.

• Interestingly, that is exactly the number used by OpenBSD and FreeBSD.

Methods used by Nmap

Q&A