What is OS Fingerprinting?
Operating System Fingerprinting is the process of determining what an endpoint or host is running by analyzing the packets that originate from it. This can be performed by security professionals or dirtbags or even you. It can be used as a method of reconnaissance for potential hackers or as a method of research for designing and implementing security controls within a network infrastructure. It is vital for security professionals to understand and is a key penetration-testing skill. When you understand what OS you’re working with, you can then understand the specific bugs and vulnerabilities that are unique to that OS and factor them into your diabolical plot to take over the world.
Passive vs Active Fingerprinting
We can typically group this activity into two categories: Passive and Active. Active fingerprinting is naturally a much simpler process: you send packets to the target and analyze the packets that come back. The catch is that those pesky firewalls and IDS / IPS systems are designed to pick up on exactly that kind of thing and might just get in your way. Well, unless you hit those security tools with a DDoS / DoS attack. Anyway, most people are going to use Nmap (or its GUI version, Zenmap) for this. You can easily imagine how this could be used by administrators or adversaries. It’s as easy as 1-2-3: “nmap -A ip_address_or_domain_name_of_target”, or “sudo nmap -O -sV -T4 -d ip_address_or_domain_name_of_target”! Your security scanner will send a plethora of TCP/ICMP/UDP packets and will analyze, script, and format the data returned to you in a manner that is most useful and digestible.
Now let’s talk about passive fingerprinting for a minute.
Passive fingerprinting is a little shy. You’re just sort of sniffing around rather than asking the target who they are or what they do. You’re still creepily sniffing TCP/IP traffic, but not so blatantly that the bouncer (Trellix or Cisco, say) throws you out on the curb and blacklists you with an “And stay out!” Some (not all) of the tools being used at this time include p0f and Ettercap (both available on Kali), as well as NetworkMiner (available from Netresec) and Satori (a Python rewrite). So ya know…. check ’em out and research what tool may be best for your specific system.
Passive fingerprinting typically sits on top of a packet capture (pcap) API and, to borrow from the almighty InfoSec Institute, “passive fingerprinting does its best to determine a target machine’s OS by analyzing the initial Time To Live (TTL) in packet IP headers, and the TCP window size in the first packet of a TCP session, which is usually either a SYN (synchronize) or SYN/ACK (synchronize and acknowledge) packet.” So the passive method is making an educated guess based on the quirks of the host’s TCP/IP stack implementation.
Common initial TTLs by OS
Initial TTL | OS
128 | Windows
64 | Linux
255 | Network devices
255 | Solaris
Important caveat: the TTL is decremented by one at every router hop, so the value you observe is the initial TTL minus the number of hops the packet has crossed; you have to round up to the nearest common initial value to guess where it started. TCP window sizes can be changed by several variables, too.
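To show how the TTL table and the hop caveat are actually applied, here is a small passive fingerprinter written as an added example (it is not code from the page or from p0f/Satori). It rounds an observed TTL up to the nearest common initial value, estimates the hop count, and looks the result up in a signature table built from the table above; the window column is left empty because the page gives no per-OS window values, and the sample capture, the IP addresses and the window sizes in it are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Common initial TTLs. An observed TTL is rounded UP to the nearest one of
# these to undo the per-hop decrement described in the caveat above.
INITIAL_TTLS = (32, 64, 128, 255)

# Signature table from the page's TTL table. "window" is None (wildcard)
# because the page lists no per-OS window sizes; fill it from your own captures.
SIGNATURES = [
    {"ttl": 128, "window": None, "os": "Windows"},
    {"ttl": 64, "window": None, "os": "Linux"},
    {"ttl": 255, "window": None, "os": "Network device / Solaris"},
]

@dataclass
class SynPacket:          # the fields a sniffer would pull from a captured packet
    src: str
    ttl: int
    window: int
    flags: str            # "S" = SYN, "SA" = SYN/ACK, "A" = plain ACK

def guess_initial_ttl(observed_ttl: int) -> Optional[int]:
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return None           # > 255 is not a valid IPv4 TTL

def fingerprint(pkt: SynPacket) -> dict:
    """Passive guess from one session-opening packet; other packets are skipped."""
    if pkt.flags not in ("S", "SA"):
        return {"src": pkt.src, "os": "unknown", "reason": "not a SYN or SYN/ACK"}
    initial = guess_initial_ttl(pkt.ttl)
    hops = initial - pkt.ttl if initial is not None else None   # estimated router hops
    matches = [s["os"] for s in SIGNATURES
               if s["ttl"] == initial and s["window"] in (None, pkt.window)]
    return {"src": pkt.src, "initial_ttl": initial, "hops": hops,
            "window": pkt.window, "os": " or ".join(matches) or "unknown"}

# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = [
    SynPacket("10.0.0.5", 119, 8192, "S"),    # 128 minus 9 hops
    SynPacket("10.0.0.9", 62, 29200, "S"),    # 64 minus 2 hops
    SynPacket("10.0.0.1", 254, 4128, "SA"),   # 255 minus 1 hop
    SynPacket("10.0.0.7", 61, 1024, "A"),     # mid-session ACK, not usable
]

def run(capture=SAMPLE_CAPTURE):
    return [fingerprint(p) for p in capture]
```

A TTL just above a boundary (say 130) rounds up to 255 and yields an implausible hop count, which is exactly the ambiguity the caveat warns about; treat the hop estimate as a sanity check on the guess rather than as fact.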
To mitigate exposure and limit the amount of information available to someone doing recon on your network: keep your NICs out of promiscuous mode unless you absolutely have to, implement strong encryption, and perform network log analysis as often as possible.