OS Fingerprinting

Network Reconnaissance OS Fingerprinting:
  • It is very important for an attacker to determine the OS running on the target system.
  • The two most effective OS detection techniques are:

  1. Active Fingerprinting
  2. Passive Fingerprinting

  • Different Operating Systems have different TCP/IP stacks. Hence, different operating systems respond differently to the same packet sent to them by some system.
  • This difference in responses is used as a benchmark for differentiating between various Operating Systems.

For example, the response sent by a Windows XP system to a packet will be different from that of a UNIX system.
  • Thus the working of OS Fingerprinting can be described as follows:

      Attacker -> Customized Packet -> Remote Host
      Remote Host -> Response -> Attacker

  • Depending on the response received by the attacker, the OS of the remote system is identified.

Active Fingerprinting:
  • Active Fingerprinting is performed in the following manner:

  1. A customized packet is sent to the remote host.
  2. The response generated by the remote host is recorded using a Packet Sniffer.
  3. The recorded response is studied & compared to known responses & the OS is determined.
  • While studying the responses sent by a host, the following can help us identify the OS running on it:

TCP Initial Window Size of Packets
ACK Values of Packets
Initial Sequence Number Fragments
ICMP Message Quenching Method
ICMP Error Message Quenching Method
ICMP Error Message Echoing Integrity

  • The problem with Active Fingerprinting is that an attacker needs to actively send packets to the target computer and record its responses. Hence, it is not anonymous, and the probes can be logged and detected on the target side.
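The following Python snippet is an added illustration (not part of the original notes) of step 3 above: recorded responses are compared against a table of known responses. It parses constructed IPv4/TCP headers, extracts the TCP initial window size together with two further stack attributes not in the list above (initial TTL and the Don't-Fragment bit), and scores them against a hypothetical signature table. The OS names, signature values and hop counts are constructed for the example and are not measured fingerprints of any real system.

```python
"""Added example: comparing a recorded response to known responses."""
import struct
from typing import Dict, Optional, Tuple

# Hypothetical signature table. Values are constructed for illustration and
# are NOT measured fingerprints of any real OS. Fields: initial TTL, TCP
# initial window size, Don't-Fragment bit set.
SIGNATURES: Dict[str, Tuple[int, int, bool]] = {
    "hypothetical-os-a": (64, 65535, True),
    "hypothetical-os-b": (128, 8192, True),
    "hypothetical-os-c": (255, 4128, False),
}

def build_header(ttl: int, window: int, df: bool, hops: int = 0) -> bytes:
    """Construct a minimal IPv4+TCP SYN/ACK header as a stack might emit it,
    with the TTL decremented by `hops` routers on the way to the observer."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, flags_frag, ttl - hops,
                     6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0x1234, 1, 5 << 4, 0x12,
                      window, 0, 0)
    return ip + tcp

def parse_response(pkt: bytes) -> dict:
    """Pull the fingerprint-relevant fields out of an IPv4+TCP header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv4/TCP header")
    ver_ihl, _, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    _, _, _, _, _, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"ttl": ttl, "window": window, "df": bool(flags_frag & 0x4000)}

def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the common initial values (64, 128, 255)."""
    return next(t for t in (64, 128, 255) if observed <= t)

def guess_os(pkt: bytes, sigs=SIGNATURES) -> Tuple[Optional[str], int]:
    """Score each signature by matching attributes; 3 = exact, below 2 = unknown."""
    f = parse_response(pkt)
    best, best_score = None, 0
    for name, (ttl, window, df) in sigs.items():
        score = (initial_ttl(f["ttl"]) == ttl) + (f["window"] == window) + (f["df"] == df)
        if score > best_score:
            best, best_score = name, score
    return (best, best_score) if best_score >= 2 else (None, best_score)
```

Real tools such as nmap and p0f use far larger signature databases and many more attributes (ISN behaviour, TCP options, ICMP quirks), but the matching step is the same idea.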

Tools for OS Fingerprinting
nmap (One of the best OS Fingerprinting tools available)