Fingerprinting with TCP/IP



A simple method of fingerprinting is to use the well-understood ICMP. ICMP packets are used to monitor the state of an interface on a host or to report the status of access to a connected device. Nine message types are available: four for making queries and five for reporting errors. Each type is identified by a number, as shown in Table 1. PING is a very popular program that sends ICMP type 8 messages. Type 8 is an echo request, whereas type 0 is an echo reply. In addition to the ICMP type, there is a code field that reports more detail about an error. By setting these codes to invalid values, the target’s response, or its failure to respond, can be captured, and this in itself can tell us something about the OS: some systems ignore the code field on an echo request, while others check it and respond with an error.
Table 1: ICMP Types

| Type   | Meaning                                      |
|--------|----------------------------------------------|
| 0      | Echo reply                                   |
| 1–2    | Unassigned                                   |
| 3      | Destination unreachable (codes listed below) |
| 4      | Source quench                                |
| 5      | Redirect                                     |
| 6      | Alternate host address                       |
| 7      | Unassigned                                   |
| 8      | Echo                                         |
| 9      | Router advertisement                         |
| 10     | Router selection                             |
| 11     | Time exceeded (codes listed below)           |
| 12     | Parameter problem (codes listed below)       |
| 13     | Timestamp                                    |
| 14     | Timestamp reply                              |
| 15     | Information request                          |
| 16     | Information reply                            |
| 17     | Address mask request                         |
| 18     | Address mask reply                           |
| 19–29  | Reserved                                     |
| 30     | Traceroute                                   |
| 31     | Datagram conversion error                    |
| 32     | Mobile host redirect                         |
| 33     | IPv6 Where-Are-You                           |
| 34     | IPv6 I-Am-Here                               |
| 35     | Mobile registration request                  |
| 36     | Mobile registration reply                    |
| 39     | SKIP                                         |
| 40–254 | N/A                                          |

Type 3 (Destination unreachable) codes:

| Code | Meaning                                                                |
|------|------------------------------------------------------------------------|
| 0    | Net unreachable                                                        |
| 1    | Host unreachable                                                       |
| 2    | Protocol unreachable                                                   |
| 3    | Port unreachable                                                       |
| 4    | Fragmentation needed and don’t fragment was set                        |
| 5    | Source route failed                                                    |
| 6    | Destination network unknown                                            |
| 7    | Destination host unknown                                               |
| 8    | Source host isolated                                                   |
| 9    | Communication with destination network is administratively prohibited  |
| 10   | Communication with destination host is administratively prohibited     |
| 11   | Destination network unreachable for type of service                    |
| 12   | Destination host unreachable for type of service                       |
| 13   | Communication administratively prohibited                              |
| 14   | Host precedence violation                                              |
| 15   | Precedence cutoff in effect                                            |

Type 11 (Time exceeded) codes:

| Code | Meaning                            |
|------|------------------------------------|
| 0    | Time to live exceeded in transit   |
| 16   | Fragment reassembly time exceeded  |

Type 12 (Parameter problem) codes:

| Code | Meaning                      |
|------|------------------------------|
| 0    | Pointer indicates the error  |
| 1    | Missing a required option    |
| 2    | Bad length                   |
Another method of reconnaissance is known as IP fingerprinting. The concept is an elegant form of manipulating inputs into the protocol stack of a target and measuring the results. For a brief review, let’s look at the TCP header structure in Table 2.
Table 2: TCP Segment
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                        Sequence Number                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Acknowledgement Number                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   | Header|           |U|A|P|R|S|F|                               |
   | Length| Reserved  |R|C|S|S|Y|I|          Window Size          |
   |       |           |G|K|H|T|N|N|                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Checksum            |        Urgent Pointer         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           Options (up to 40 bytes)            | End of Option |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             Data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The most useful operational benefit of TCP is that it guarantees delivery by acknowledging the receipt of each packet. The set of flags (SYN, ACK, and RST) tells the recipient the purpose of what is transmitted. Our vulnerability scanner sends SYN packets to the target, but it is the behavior of the rest of the packet’s contents that can reveal something about the target. The sequence number is a good example. So that TCP listeners on hosts do not become confused, every packet includes a sequence number. Soon after the protocol was created, it was found that sequence numbers can easily “wrap” because they are of limited size (32 bits). To address the potential for a wrapped, duplicate sequence number from an old packet being mistaken for the sequence number of a new packet, a time-stamp option was introduced in RFC 1323. This is an optional field, and not all operating systems’ TCP/IP implementations set the value. When the scanner sees such a value sent even though it never used the time-stamp option itself, the choice of operating systems is narrowed considerably.
Another phenomenon to measure is how the time stamp increments. By first determining the RTT between the scanner and the target, you know how much of the time between TCP segments is spent in transit. The remote OS increments the time stamp on each segment by a certain value, and the way the target increments it can reveal the type of OS.
For example, we know that OS XYZ increments the time stamp by one for every 500 ms of uptime. The average RTT between the target and the scanner is 100 ms, which is 50 ms in each direction, as shown in Figure 1. We receive the first segment with a time stamp (TS1) of 100. We acknowledge this segment and start a timer. The second segment, with a time stamp of 102 (TS2), arrives and we stop the clock. The elapsed time between segment 1 and segment 2 is 1100 ms. We know that the time in transit for the segments is 100 ms, so the clock value, 1100, minus the RTT, 100, gives us 1000 ms of elapsed time on the host between segments. The difference between TS2 and TS1 is 2. This means that in 1000 ms the time-stamp value went up by two, which is 500 ms per time-stamp increment. Looking at a table of time-stamp values over time, we know that a target that increments the time stamp by one every 500 ms is OS XYZ. This technique, combined with other fingerprinting methods, will ultimately narrow the choice of OSs. That choice is important in determining the next steps of vulnerability scanning.

 
Figure 1: The average round-trip time (RTT) between the target and the scanner is 100 ms, which is 50 ms in each direction.
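The time-stamp rate calculation above, carried out in code as an added example that is not part of the original text: the arrival times, TSval values and RTT are the page’s numbers, while the reference table of tick periods is constructed, with only OS XYZ taken from the text and the other rows labelled hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass
class Segment:
    """One observed TCP segment: the scanner's arrival clock and the TSval it carried."""
    arrival_ms: float  # scanner wall clock at arrival, in milliseconds
    tsval: int         # RFC 1323 time-stamp value from the TCP options

# Constructed reference table (milliseconds of uptime per time-stamp increment).
# Only "OS XYZ" comes from the text; the other rows are hypothetical placeholders.
TICK_MS_BY_OS: Dict[str, float] = {
    "OS XYZ": 500.0,
    "Hypothetical OS A (100 Hz clock)": 10.0,
    "Hypothetical OS B (1000 Hz clock)": 1.0,
}

def ms_per_tick(first: Segment, second: Segment, rtt_ms: float) -> float:
    """Host-side milliseconds per TSval increment between two request/response segments.

    The scanner acknowledges the first segment and the target sends the second in
    reply, so one full RTT of transit time sits inside the measured interval and is
    subtracted out, exactly as the text does (1100 ms - 100 ms = 1000 ms on the host).
    """
    host_ms = (second.arrival_ms - first.arrival_ms) - rtt_ms
    ticks = second.tsval - first.tsval
    if ticks <= 0 or host_ms <= 0:
        raise ValueError("TSval or clock did not advance; cannot derive a tick rate")
    return host_ms / ticks

def guess_os(observed_ms: float, tolerance: float = 0.2) -> Optional[str]:
    """Return the table entry whose tick period is closest to the measurement,
    or None if nothing lies within `tolerance` (a fraction of the reference value)."""
    best_name, best_err = None, tolerance
    for name, ref_ms in TICK_MS_BY_OS.items():
        err = abs(observed_ms - ref_ms) / ref_ms
        if err <= best_err:
            best_name, best_err = name, err
    return best_name

def worked_example() -> Tuple[float, Optional[str]]:
    """The page's numbers: TS1=100 at t=0, TS2=102 arriving 1100 ms later, RTT 100 ms."""
    ts1 = Segment(arrival_ms=0.0, tsval=100)
    ts2 = Segment(arrival_ms=1100.0, tsval=102)
    period = ms_per_tick(ts1, ts2, rtt_ms=100.0)
    return period, guess_os(period)
```

With more than two segments the same subtraction applies pairwise, and averaging the per-pair periods smooths out RTT jitter.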
Invalid flag combinations are another approach. The normal combinations, SYN, SYN-ACK, and ACK, are expected, but various host OSs react strangely to combinations such as FIN+URG+PSH, which is never seen in a normal handshake. It is referred to as an Xmas or Christmas scan because it lights up the TCP flags like a Christmas tree. Another combination that can possibly fingerprint an OS is SYN+FIN. In addition to host discovery, these types of scans can determine whether a port is open on a host without establishing a TCP connection or even a half-open connection. That is because IP stacks that adhere to the RFC will respond with an RST packet if the port is open; if it is closed, there will be no response from the host.
Use of these flags can get more sophisticated as well. If it has already been established that a port is open using a harmless TCP SYN scan, the same port can be probed with a FIN+ACK combination. It turns out that systems implementing the IP stack from the Berkeley Software Distribution (BSD) will not respond with an RST packet as the RFC requires. This provides more evidence as to the likely system type of the target.
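To tie the header layout in Table 2 to the flag combinations just described, here is an added example that is not part of the original text or of NMAP: it decodes a raw 20-byte TCP header and names the probe type a flag combination corresponds to, as a receiving-side detection aid. The sample headers are constructed in memory for the parser and are never sent.

```python
import struct
from typing import Dict

# TCP flag bits in the low 6 bits of the offset/flags word, as laid out in Table 2.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def parse_tcp_header(raw: bytes) -> Dict[str, int]:
    """Decode the fixed 20-byte TCP header from Table 2 (options are not decoded).

    The 16-bit word after the acknowledgement number holds the header length in
    32-bit words (top 4 bits), the reserved bits, and the six flags (low 6 bits).
    """
    if len(raw) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "header_len": (off_flags >> 12) * 4,
        "flags": off_flags & 0x3F,
        "window": window, "checksum": csum, "urgent": urg,
    }

def classify_flags(flags: int) -> str:
    """Name the probe a flag combination corresponds to, from the receiving side.

    'xmas' and 'syn-fin' are the combinations the text describes; 'normal' covers
    ordinary handshake and data segments; anything else is 'unusual' and worth a look.
    """
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags & SYN and flags & FIN:
        return "syn-fin"
    if flags in (SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK, RST, RST | ACK):
        return "normal"
    return "unusual"

def flag_names(flags: int) -> str:
    """Render a flag field as 'FIN+PSH+URG'-style text for a log line."""
    return "+".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"

def build_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample header for exercising the parser (checksum left at zero)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 65535, 0, 0)
```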
By combining these and many other types of probes, a decent guess can be made as to the type of system. The groundwork here has been well established by the creators of NMAP (www.nmap.org), who continue to discover new ways to scan and map targets on a network and build those techniques into their open-source tool. A little reading and experimentation with it can be very educational.
However, the topics of OS fingerprinting and IP stack fingerprinting can be tricky, unreliable, and confusing. Some OSs may share the same IP stack code but be different OS versions; for example, a variety of Linux distributions use the same stack, so the stack alone does not necessarily reveal the flavor of the OS. Virtual machine technology can further cloud the issue, because the underlying hypervisor OS may respond to network traffic and proxy the connection to the actual host OS, so the fingerprinting result can be quite unexpected. Firewalls and virtual machines can also perform network address translation (NAT), which conceals the true nature of the target OS.
