TCP/IP Fingerprinting via NMAP

  #1 (Banned, joined Feb 2004, 20 posts)

    TCP/IP Fingerprinting via NMAP

    Since each developer of an operating system implements TCP/IP a bit differently than another developer of an operating system, different operating systems' TCP/IP stacks could respond differently given the same situation in a TCP/IP conversation.

    At the time of this writing, NMAP interrogates the target machine's TCP/IP stack by sending it eight different packets and observing the response. Each of the eight different packets is specially crafted to put the target machine in a position where there is a high probability that two things will happen:

    1. The target operating system's TCP/IP stack will respond uniquely in comparison to another operating system's TCP/IP stack.
    2. The target operating system's TCP/IP stack will respond in a consistent manner.

    Knowing how a given operating system's TCP/IP stack would respond in advance to each of the eight tests allows NMAP to determine with a high degree of accuracy not only which operating system the target is running, but also what version it is running as well.

    The crafted test packets are sent one at a time by the source machine running nmap. The tests are documented in the table below:

    Test   Description
    TSeq   A series of SYN packets are sent to the target machine to see how TCP sequence numbers are derived.
    T1     A SYN packet with options (WNMTE) set is sent to an open TCP port.
    T2     A NULL packet with options (WNMTE) set is sent to an open TCP port.
    T3     A SYN,FIN,PSH,URG packet with options (WNMTE) set is sent to an open TCP port.
    T4     An ACK packet with options (WNMTE) set is sent to an open TCP port.
    T5     A SYN packet with options (WNMTE) set is sent to a closed TCP port.
    T6     An ACK packet with options (WNMTE) set is sent to a closed TCP port.
    T7     A FIN,PSH,URG packet with options (WNMTE) set is sent to a closed TCP port.
    PU     A packet to a closed UDP port.

    Several different metrics are observed for each of the first seven tests to help determine the target operating system. They are:

    Whether or not the target host responded.

    Whether or not the target host responded with a packet that had the "Don't Fragment" bit set.

    The Window Size set by the target host in the response packet.

    The relationship of the acknowledgement number of the TCP packet sent in response to NMAP's prior TCP packet.

    Flags set in the TCP packet sent in response.

    TCP options that are in the responding packet.

    The first test (TSeq) and last test (PU) use different metrics that will not be covered in this paper, but the same principles apply.

    All of these metrics can measure something different between operating systems and different versions of the same operating system given a certain test. But these metrics are consistent with the same version of a given operating system given any of the tests that NMAP implements.

    NMAP holds all of its known operating system fingerprints in a text file called nmap-os-fingerprints. There are a few hundred fingerprints documented that include at least one entry for all the popular operating systems. An entry in the file typically looks like:

    Fingerprint Windows 2000
    TSeq(Class=RI%gcd=<5%SI=>BBB&<FFFF)
    T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)


    The line that states Fingerprint Windows 2000 identifies the operating system (and sometimes version) that owns the fingerprint. The next line, which begins with TSeq, identifies the method for calculating TCP sequence numbers for a given TCP session. The lines that follow, T1 through PU, describe how the fingerprinted operating system would respond to the given test.

    The tests T1 through T7 are all TCP tests. The symbol '%' delimits the metrics used in fingerprinting. The symbol '|' is used to represent "or" in a given set of answers to a metric to state that a number of given results would satisfy the fingerprint.

    The metrics are detailed in the following table:

    Metric   Description / Valid Values
    Resp     Whether or not the host responded to the test packet by sending a reply.
             Y = There was a response
             N = There was no response
    DF       Whether or not the host responding to the test packet sent the "Don't Fragment" bit in response.
             Y = DF was set
             N = DF was not set
    W        Window advertisement size sent by the host responding to the test packet. Can be a two-byte integer expressed in hexadecimal.
    ACK      The acknowledgement sequence number response type.
             0 = ack zero
             S = ack sequence number
             S++ = ack sequence number + 1
    Flags    Indicate what flags were set in the responding packet.
             S = SYN
             A = ACK
             R = RST
             F = FIN
             U = URG
             P = PSH
    Ops      Options sent back by the host responding to the test packet. There can be any number of options set (including none) in any order.
             M = MSS
             E = Echoed MSS
             W = Window Scale
             T = Timestamp
             N = No Option

    For example, let us take the first test in the previous fingerprint example:

    T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)

    This test states that the response packet of the target host to NMAP sending a SYN packet with options to it had the following characteristics:

    Resp= Resp is not defined, which means the metric is satisfied whether or not the target replies

    DF=Y The "Don't Fragment" bit was set

    W=402E The window size was 402E

    ACK=S++ Acknowledgement number was one plus the initial sequence number

    Flags=AS The packet had the SYN/ACK flags set

    Ops=MNWNNT The packet had the following option flags set in this order: MNWNNT

    The following is a trace (using dump) that illustrates how the tests are implemented. There is a source machine running NMAP (10.0.2.3) and a target machine (10.0.2.6) that we would like to test to see if NMAP can find a TCP/IP stack fingerprint for in its fingerprint file.

    Source Test Packet 1 (NMAP)
    10:37:42.324053 10.0.2.3.34031 > 10.0.2.6.135: S 1338197984:1338197984(0) win 4096 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol> (ttl 59, id 9783)

    Target's Response
    10:37:42.324518 10.0.2.6.135 > 10.0.2.3.34031: S 2863638239:2863638239(0) ack 1338197985 win 16430 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF) (ttl 128, id 15245)

    The first test packet NMAP sends out is a SYN packet with some TCP options set. Looking at the above trace and going through our metrics we can deduce the following:

    The target responded so the metric Resp=Y

    The "Don't Fragment" bit (DF) was set in the target's response so the metric DF=Y

    The window size is 16430; however, in hex that is 402E. So the metric W=402E

    The acknowledgement number equals the source sequence number plus 1. So the metric Ack=S++

    A SYN/ACK packet was sent in response. So the metric Flags=AS

    The TCP options MNWNNT was sent in response. So the metric Ops=MNWNNT.

    The fingerprint for T1 (Test 1) would look like: T1(DF=Y%W=402E%Ack=S++%Flags=AS%Ops=MNWNNT)


    Source Test Packet 2 (NMAP)
    10:37:42.324315 10.0.2.3.34032 > 10.0.2.6.135: . win 4096 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol> (ttl 59, id 1545)

    Target's Response
    10:37:42.324718 10.0.2.6.135 > 10.0.2.3.34032: R 0:0(0) ack 1338197984 win 0 (ttl 128, id 15246)

    The second test packet NMAP sends out is a NULL packet with some TCP options set. Looking at the above trace and going through our metrics we can deduce the following:

    The target responded so the metric Resp=Y

    The "Don't Fragment" bit (DF) was not set in the target's response. So the metric DF=N

    The window size is 0. So the metric W=0

    The acknowledgement number equals the most recent source sequence number. So the metric Ack=S

    An ACK and a RESET were sent in response. So the metric Flags=AR

    There were no TCP options sent in response. So the metric Ops=.

    The fingerprint for T2 would look like: T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)


    Source Test Packet 3 (NMAP)
    10:37:42.327823 10.0.2.3.34033 > 10.0.2.6.135: SFP 1338197984:1338197984(0) win 4096 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol> (ttl 59, id 4649)

    Target's Response
    10:37:42.328265 10.0.2.6.135 > 10.0.2.3.34033: S 2863675212:2863675212(0) ack 1338197985 win 16430 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF) (ttl 128, id 15247)

    The third test packet NMAP sends out is a SYN/FIN/PSH/URG packet with some TCP options set to a known open port. The fingerprint for T3 would look like: T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)


    Source Test Packet 4 (NMAP)
    10:37:42.334937 10.0.2.3.34034 > 10.0.2.6.135: . ack 0 win 4096 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol> (ttl 59, id 6192)

    Target's Response
    10:37:42.335359 10.0.2.6.135 > 10.0.2.3.34034: R 0:0(0) win 0 (ttl 128, id 15248)

    The fourth test packet NMAP sends out is an ACK packet with some TCP options set to a known open port. The fingerprint for T4 would look like: T4(DF=N%W=0%ACK=O%Flags=R%Ops=)


    Source Test Packet 5 (NMAP)
    10:37:42.340712 10.0.2.3.34035 > 10.0.2.6.32775: S 1338197984:1338197984(0) win 4096 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol> (ttl 59, id 62508)

    Target's Response
    10:37:42.341113 10.0.2.6.32775 > 10.0.2.3.34035: R 0:0(0) ack 1338197985 win 0 (ttl 128, id 15249)

    The fifth test packet NMAP sends out is a SYN packet with some TCP options set to a known closed port. The fingerprint for T5 would look like: T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)


    Source Test Packet 6 (NMAP)
    10:37:42.343991 10.0.2.3.34036 > 10.0.2.6.32775: . ack 0 win 4096 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol> (ttl 59, id 18026)

    Target's Response
    10:37:42.344416 10.0.2.6.32775 > 10.0.2.3.34036: R 0:0(0) win 0 (ttl 128, id 15250)

    The sixth test packet NMAP sends out is an ACK packet with some TCP options set to a known closed port. The fingerprint for T6 would look like: T6(DF=N%W=0%ACK=O%Flags=R%Ops=)


    Source Test Packet 7 (NMAP)
    10:37:42.349443 10.0.2.3.34037 > 10.0.2.6.32775: FP 1338197984:1338197984(0) win 4096 urg 0 <wscale 10,nop,mss 265,timestamp 1061109567 0,eol> (ttl 59, id 37913)

    Target's Response
    10:37:42.349840 10.0.2.6.32775 > 10.0.2.3.34037: R 0:0(0) ack 1338197985 win 0 (ttl 128, id 15251)

    The seventh test packet NMAP sends out is a FIN/PSH/URG packet with some TCP options set to a known closed port. The fingerprint for T7 would look like: T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)


    Adding up the results of the cumulative testing results in the examples shows a fingerprint that matches the fingerprint shown for Windows 2000 above.


    [shadow]agent.idle[/shadow]
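    The metric derivation walked through above (window to hex, ack relative to the probe ISN, option letters, flag letters) and the `%`/`|` fingerprint syntax, as an added example that is neither the post's nor nmap's own code. It assumes a fixed flag output order UAPRSF (consistent with the AS/AR/R values on the page) and uses reply lines constructed after the trace in the post.

```python
import re

# Added example, not code from the post or from nmap: derive the first-generation nmap
# metrics Resp/DF/W/ACK/Flags/Ops from a tcpdump-style reply line and check them against
# a fingerprint test line such as T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT).
# Assumption: flags are emitted in the fixed order UAPRSF; sample lines are constructed.

OPT_CODES = {"mss": "M", "nop": "N", "wscale": "W", "timestamp": "T"}
FLAG_ORDER = "UAPRSF"

def parse_test(line):
    """'T2(Resp=Y%DF=N)' -> ('T2', {'Resp': {'Y'}, 'DF': {'N'}}); '|' lists alternatives."""
    name, body = re.fullmatch(r"(\w+)\((.*)\)", line.strip()).groups()
    metrics = {}
    for item in body.split("%"):
        key, _, vals = item.partition("=")
        metrics[key] = set(vals.split("|"))          # 'Ops=' yields the empty-string value
    return name, metrics

def metrics_from_reply(probe_seq, reply):
    """reply is the target's tcpdump line, or None when nothing came back."""
    if reply is None:
        return {"Resp": "N"}
    flagstr, win = re.search(r": (\S+) .*?win (\d+)", reply).groups()
    ack = re.search(r" ack (\d+)", reply)
    ackval = int(ack.group(1)) if ack else 0          # tcpdump omits 'ack' when ACK is clear
    raw = set(flagstr.replace(".", "")) | ({"A"} if ack else set())
    opts = re.search(r"<([^>]*)>", reply)
    ops = "".join(OPT_CODES.get(o.strip().split(" ")[0], "")
                  for o in opts.group(1).split(",")) if opts else ""
    return {
        "Resp": "Y",
        "DF": "Y" if "(DF)" in reply else "N",
        "W": format(int(win), "X"),                    # 16430 -> '402E', 0 -> '0'
        "ACK": {0: "O", probe_seq: "S", probe_seq + 1: "S++"}.get(ackval, "?"),
        "Flags": "".join(f for f in FLAG_ORDER if f in raw),
        "Ops": ops,
    }

def matches(test_line, probe_seq, reply):
    """True when every metric named in the fingerprint test accepts the observed reply."""
    _, wanted = parse_test(test_line)
    seen = metrics_from_reply(probe_seq, reply)
    return all(seen.get(k) in vals for k, vals in wanted.items())

# Constructed samples modelled on the trace in the post (same probe ISN for every test).
SEQ = 1338197984
T1_REPLY = ("10:37:42.324518 10.0.2.6.135 > 10.0.2.3.34031: S 2863638239:2863638239(0) "
            "ack 1338197985 win 16430 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0> (DF) (ttl 128, id 15245)")
T4_REPLY = "10:37:42.335359 10.0.2.6.135 > 10.0.2.3.34034: R 0:0(0) win 0 (ttl 128, id 15248)"
```

Running `matches("T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)", SEQ, T1_REPLY)` reproduces the T1 match shown in the post, and feeding the T4 reply to the same T1 line shows how a single differing metric (no options, RST only) rejects it.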

  #2 (Banned, joined Mar 2004, 28 posts)

    Implementation

    How can such a system be implemented?

    It would be useful, as it could help configure networks.

  #3 (Banned, joined Feb 2004, 20 posts)
    AngelOfRevenge, are you asking about countermeasures to TCP/IP fingerprinting?


  #4 (Member, joined Jul 2003, 68 posts)
    I assure you he has no Facken clue what he's asking.

  #5 (Banned, joined Feb 2004, 20 posts)
    Oh well. Here's some shiz worth reading.


  #6 (Senior Member, joined Nov 2001, 4,786 posts)
    The tutorials forum is for material written by members. So unless your name is Thomas Glaser and you wrote this Oct 25, 2000, YOU'RE A FRAUD!

    http://www.sans.org/resources/idfaq/...erprinting.php
    Bukhari:V3B48N826 "The Prophet said, 'Isn't the witness of a woman equal to half of that of a man?' The women said, 'Yes.' He said, 'This is because of the deficiency of a woman's mind.'"

  #7 (Senior Member, joined Mar 2004, 111 posts)
    That was really pretty stupid to do. I dumped the title of "your" tutorial in Google and this popped up 3 search results down. I didn't want to say anything because I'm new.

    Good eye Tedob1

  #8 (Senior Member, joined Nov 2001, 4,786 posts)
    back at ya Atticus|1.

    Being new doesn't mean being stupid, as he obviously thinks we are.

  #9
    That wouldn't work in college, and sure as hell wouldn't work here, idle.

    /me smacks forehead

  #10 (Banned, joined Feb 2004, 20 posts)
    Sorry everyone. I didn't realize that we were trying to take credit for anything we posted here. I wasn't writing a paper for college or submitting this as something of my own for work etc. Next time I'll post a link instead, or put the author's name on it. My bad.
