OS fingerprinting

from Wikipedia, the free encyclopedia

The term OS fingerprinting (operating system fingerprinting), or more specifically TCP/IP stack fingerprinting, means identifying a remote operating system by observing how the system reacts to network traffic. Both active and passive methods can be used to identify the operating system.

Determining the operating system by way of the TCP/IP protocol stack is possible with both kinds of method; in addition, the active variant can analyze the banner a program sends.

TCP / IP protocol stack

A widely used method of operating system analysis is based on the TCP/IP protocol stack. It exploits the fact that each operating system has its own TCP/IP stack implementation, whose characteristic settings appear in the headers of the packets it sends and differ from those of other operating systems. The following fields vary between implementations:

Together, the data make a 67-bit signature.

Analyzing the TCP/IP protocol stack is not always successful, however, because the above fields can be configured in many operating systems; a system can thereby even pose as a different operating system than the one actually in use.

Passive

Passive methods are characterized by the fact that they can be carried out entirely covertly. Only the traffic that passes between the observer and the target system is captured and analyzed; no packets are sent to the target. For example, a single ordinary web session, analyzed at the same time with passive OS fingerprinting, can yield detailed information about the target system.
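As an added illustration of the header-field matching described in the TCP/IP section and of the passive approach here (example code written for this article, not taken from p0f or any other tool), the following parses the fingerprint-relevant fields out of a captured IPv4/TCP SYN and looks them up in a signature table. The option layouts and the OS labels in the table are constructed for the example, not values from a real fingerprint database; the observed TTL is rounded up to the nearest common starting value so that a packet that has crossed several hops still matches.

```python
import struct

# Constructed TCP option layouts (kind/length/data bytes) as they might appear in a SYN;
# the OS labels below are illustrative, not a real fingerprint database.
OPTS_A = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8  # MSS, SACKOK, TS
          + b"\x01" + b"\x03\x03\x07")                                  # NOP, WS
OPTS_B = (b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08"               # MSS, NOP, WS
          + b"\x01\x01" + b"\x04\x02")                                  # NOP, NOP, SACKOK

# Signature table: (initial TTL, DF bit set, window size, ordered option kinds) -> label
SIGNATURES = {
    (64, True, 29200, (2, 4, 8, 1, 3)): "Linux-like stack (illustrative)",
    (128, True, 8192, (2, 1, 3, 1, 1, 4)): "Windows-like stack (illustrative)",
}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common starting value (64, 128, 255)."""
    return next((s for s in (64, 128, 255) if observed <= s), observed)

def parse_syn(pkt):
    """Pull the fingerprint-relevant fields out of a raw IPv4+TCP SYN (no link layer)."""
    ihl, ttl = (pkt[0] & 0x0F) * 4, pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)       # IP "don't fragment" flag
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, i, kinds = tcp[20:data_off], 0, []
    while i < len(opts):                 # walk the option list kind by kind
        kind = opts[i]
        kinds.append(kind)
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                   # malformed option: stop rather than loop forever
            break
        i += length
    return ttl, df, window, tuple(kinds)

def fingerprint(pkt):
    ttl, df, window, kinds = parse_syn(pkt)
    return SIGNATURES.get((initial_ttl(ttl), df, window, kinds), "unknown")

def build_syn(ttl, df, window, options):
    """Build a minimal IPv4+TCP SYN for testing (checksums left at zero)."""
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options
```

A packet built with `build_syn(52, True, 29200, OPTS_A)` (twelve hops away from a 64-start stack) still resolves to the first signature, while the same window with a different option order falls through to "unknown", which is exactly the ambiguity the text warns about when stack settings are tuned.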

Active

Active methods are characterized by taking the initiative: they send data to the target host in the hope that the resulting response can be analyzed. This approach is therefore intrusive in nature and is not always welcome. Intrusion detection systems (IDS) can also detect active fingerprinting while it is in progress.

In addition to the method using the TCP/IP protocol stack described above, the operating system can also be identified from the so-called banner. Banners are lines of text with which services such as HTTP or FTP identify themselves when a connection is established. In the best case, a banner contains information both about the service in question and about the operating system. This technique is also known as banner grabbing and is built into some port scanners.

Example with telnet and FTP:

$ telnet localhost 21
Trying 127.0.0.1...
Connected to ftp.localhost.
Escape character is '^]'.
220 Super FTP Service

Example with netcat :

$ nc 127.0.0.1 22
SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110

Banner grabbing is not always successful, however, because many programs allow the banner to be disabled or edited, so that either no information is obtained or a different operating system is suggested than the one actually in use.

OS fingerprinting tools

  • p0f (passive)
  • Ettercap (active)
  • xprobe2 (active)
  • nmap (active)
  • AutoScan Network (active)

Web links