OS fingerprinting : p0f


Hands-on Practice

- p0f


What is OS fingerprinting?

Operating system fingerprinting is the process of learning what operating system is running on a particular device. By analyzing certain protocol flags, options, and data in the packets a device sends onto the network, we can make relatively accurate guesses about the OS that sent those packets. By pinpointing the exact OS of a host, an attacker can launch a precise attack against a target machine. In a world of buffer overflows, knowing the exact flavour and architecture of an OS could be all the opportunity an attacker needs.

OS fingerprinting Techniques

- Passive OS fingerprinting
  Passive fingerprinting is the process of analysing packets from a host on a network. In this case, the fingerprinter acts as a sniffer and doesn
t put any traffic on a network. It is called passive because it doesnt involve communicating with the host being examined. Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Passive scanners are generally and inherently less accurate than active scanners, due to the fact they have less control over the data they are analyzing.

- Active OS fingerprinting
  Active fingerprinting is the process of transmitting packets to a remote host and analysing corresponding replies. This allows the scanner to obtain more accurate results than a passive scanner, and in a shorter amount of time. The traditional approach is to examine the TCP/IP stack behaviour of a targeted network element when probed with several legitimate packets


OS fingerprinting Tools

- p0f passive OS fingerprinting
  P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way. Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP).
Website : http://lcamtuf.coredump.cx/p0f3/

- Ettercap passive OS fingerprinting
  Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
Website : http://ettercap.github.io/ettercap/

- Nmap active OS fingerprinting
  Nmap is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts.

Website : http://nmap.org/

- XProbe2 active OS fingerprinting
  Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses and multiple simultaneous matches, and a signature database.
Website : http://sourceforge.net/projects/xprobe/files/xprobe2/


·  Wikipedia, TCP/IP stack fingerprinting Wikipedia

·  Overview of OS Fingerprinting, INFOSEC, http://resources.infosecinstitute.com/overview-os-fingerprinting/

·  p0f, : http://lcamtuf.coredump.cx/p0f3/

·  Ettercap, http://ettercap.github.io/ettercap/

·  Nmap, http://nmap.org/

·  XProbe2, http://sourceforge.net/projects/xprobe/files/xprobe2/