Linux Firewalls - Michael Rash [74]
There are several techniques for remotely fingerprinting operating systems via network traffic. They can be divided broadly into two categories: active and passive.
Note
The term operating system fingerprinting is a bit of a misnomer, as the term really refers to network stack fingerprinting. Because network stacks vary from OS to OS, the corresponding operating systems can be inferred by fingerprinting the network stack.
Active OS Fingerprinting with Nmap
With its user-contributed database of over 1,600 OS fingerprints, Nmap's -O option is probably the best-known active OS fingerprinting implementation. Nmap primarily utilizes the vagaries of TCP to guess the identity of remote operating systems, especially these:
The way a target stack constructs the options portion of the TCP header in response to SYN packets sent by Nmap.
The nature of ICMP Port Unreachable messages elicited from a targeted system after sending a UDP packet to a closed port. While operating systems are supposed to return a portion of the original UDP packet sent to a closed UDP port within an ICMP Port Unreachable message, many stacks out there do not perform this flawlessly; things such as checksums, IP ID values, and the IP total length field can become garbled. The extent and manner in which these values become garbled is used as a measure to assist in fingerprinting the remote stack.
Note
Xprobe is another interesting active OS fingerprinter (http://www.sys-security.com) that makes heavy use of ICMP to assist in fingerprinting. In some cases Xprobe sends far fewer packets than Nmap to fingerprint an OS; Nmap can sometimes generate as many as 1,400 packets in the course of generating a fingerprint for a single remote host. More information on active fingerprinting techniques can be found in the papers "Remote OS Detection via TCP/IP Stack FingerPrinting" (http://www.insecure.org) and "The Present and Future of Xprobe2—The Next Generation of Active Operating System Fingerprinting" (http://www.sys-security.com).
Passive OS Fingerprinting with p0f
Because psad is built around passive detection rather than generating network traffic of its own, it does not use active OS fingerprinting. We will continue the discussion from the perspective of what is possible by strictly passive means.
One of the best-known and most successful passive operating system fingerprinting implementations is p0f, developed by Michal Zalewski (http://lcamtuf.coredump.cx). As it turns out, if you can passively intercept raw TCP packet data, either because you have access to a network segment over which packets are flowing or because packets are directed at or originate from a system that you control, you can glean a lot of information that is useful for OS fingerprinting. TCP SYN and SYN/ACK packets contribute the most information, because they define the parameters under which a TCP connection is supposed to behave, and different TCP stacks negotiate these parameters in slightly different ways.
In the p0f incarnation of OS fingerprinting, a remote operating system is identified by examining several fields within the IP and TCP headers of TCP SYN or SYN/ACK packets that originate from the system. These fields include the following:
Fragmentation bit
Initial TTL value
Maximum Segment Size (MSS)
Overall SYN packet size
TCP option values and order
TCP window size
p0f uses a custom signature format to store the specific parameters mentioned above for each OS. For example, here's a fingerprint for a Linux system running the 2.5 kernel (the signature needs to be updated because it really refers to the stable 2.6 kernel instead of the 2.5 development kernel, and an allowance is made within the fingerprint for the 2.4 kernel as well):
S3:64:1:60:M*,S,T,N,W1:.:Linux:2.5 (sometimes 2.4) (1)
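As an added illustration (not code from the book or from p0f itself), the following parses the Linux signature above into its colon-separated fields and checks a constructed SYN against it, the way a passive fingerprinter would. The "Sn means n times the MSS" reading, the 32-hop TTL budget and the field names are assumptions made for the example; p0f's own matching logic is more elaborate.

```python
import re
from collections import namedtuple

# The Linux signature quoted above, in p0f's colon-separated format.
LINUX_SIG = "S3:64:1:60:M*,S,T,N,W1:.:Linux:2.5 (sometimes 2.4)"

# wsize: "S3" = 3 x MSS, "*" = any, else a literal window; ttl: initial TTL;
# df: Don't Fragment bit; size: SYN length; options: ordered TCP option list.
Signature = namedtuple("Signature", "wsize ttl df size options quirks os desc")

def parse_signature(line: str) -> Signature:
    # Eight colon-separated fields; the trailing description may itself contain colons.
    wsize, ttl, df, size, opts, quirks, os_name, desc = line.split(":", 7)
    options = []
    for tok in opts.split(","):
        m = re.fullmatch(r"([A-Z?])(\*|\d+)?", tok)  # option letter, optional value or '*'
        if not m:
            raise ValueError(f"bad option token {tok!r}")
        options.append((m.group(1), m.group(2)))
    return Signature(wsize, int(ttl), int(df), int(size), options, quirks, os_name, desc)

def window_matches(spec: str, window: int, mss) -> bool:
    if spec == "*":
        return True
    if spec.startswith("S"):  # Sn: window is n times the MSS carried in the options
        return mss is not None and window == int(spec[1:]) * mss
    return window == int(spec)

def options_match(sig_opts, pkt_opts) -> bool:
    # Same option kinds in the same order; a value of '*' or None accepts anything.
    if len(sig_opts) != len(pkt_opts):
        return False
    for (kind, want), (pkind, have) in zip(sig_opts, pkt_opts):
        if kind != pkind or (want not in (None, "*") and int(want) != have):
            return False
    return True

def matches(sig: Signature, pkt: dict, max_hops: int = 32) -> bool:
    # Assumption: the observed TTL sits below the initial TTL by at most max_hops.
    mss = next((v for k, v in pkt["options"] if k == "M"), None)
    return (window_matches(sig.wsize, pkt["window"], mss)
            and 0 <= sig.ttl - pkt["ttl"] < max_hops
            and sig.df == pkt["df"] and sig.size == pkt["size"]
            and options_match(sig.options, pkt["options"]))

# Constructed SYN: IP(20) + TCP(20) + MSS(4) + SACK(2) + TS(10) + NOP(1) + WSCALE(3) = 60.
LINUX_SYN = {"window": 4380, "ttl": 58, "df": 1, "size": 60,
             "options": [("M", 1460), ("S", None), ("T", None), ("N", None), ("W", 1)]}
```

Changing the option order or the window of LINUX_SYN makes the match fail, which is exactly why option ordering and window size carry so much fingerprinting weight.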
The p0f signature format has several fields separated by colon (:) characters:
Reading from left to right, the first field, S3, refers to the TCP window size. This field instructs p0f to look for TCP SYN packets with a window size that is a multiple of three times the