Understanding Your Enemies: Passive Fingerprint Detection

Know Your Enemy:
Passive Fingerprinting
Identify remote hosts through passive Feature Detection
Honeynet Project
Http://project.honeynet.org
Http://www.xfocus.org
Last Modified: 24 May 2000.

One of the challenges of network security is learning about the attackers: understanding your threats, your own resources, and your enemies. Passive fingerprinting is one method of learning about the enemy without being noticed. The method is not 100% accurate, but the results can be surprisingly good. Craig Smith developed the basic proof-of-concept tool, passfing. In addition, the subterrain crew developed siphon, a tool that passively detects open ports and identifies the operating system.

Fingerprinting

Traditionally, operating system fingerprinting has been done with "active" tools such as queso or nmap. These tools rely on the fact that every operating system's IP stack has its own idiosyncrasies, so each operating system responds differently to the same packets. The tools therefore only need a database that maps each operating system to the responses it produces. To determine the operating system of a remote host, they send it a variety of unusual packets, observe how it responds, and compare the responses with the database. Fyodor's nmap uses this approach, and he has written a detailed paper on it.

Passive fingerprinting follows the same concept, but the implementation differs. Instead of actively querying the remote host, passive fingerprinting relies on the traffic the remote host generates on its own. All you need to do is capture the packets the remote host sends. By sniffing these packets you can determine the remote host's operating system, because, just as with active fingerprinting, each operating system's IP stack has its own characteristics. By analyzing the sniffer traces and identifying the differences between them, you can determine the operating system of the remote host.

Signatures

Generally, four signals are used to determine the host operating system (there are other signals, of course):

TTL - the time-to-live the operating system sets on outbound packets.
Window Size - the window size the operating system sets. The window size is included when the FIN packet is sent.
DF - whether the operating system sets the Don't Fragment bit.
TOS - whether the operating system sets the Type of Service.

By analyzing these fields in a packet you can make a guess at the remote operating system. The result will not be 100% accurate, and no single signal on its own identifies the system. However, by looking at several signals and combining the information, you improve the accuracy of identifying the remote host. Here is a simple example. A system sent us a packet as part of an attempted mountd exploit. I want to learn more about this host, but instead of using active tools such as finger or nmap, I passively gather what the host's own traffic reveals. Snort captured the following signature:
04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553  Ack: 0xE3C65D7  Win: 0x7D78

Based on the four signals above, we find the following:

TTL: 45
Window Size: 0x7D78 (or 32120 in decimal)
DF: The Don't Fragment bit is set
TOS: 0x0

We now compare these values against a signature database. First, look at the TTL. The packet arrived with a TTL of 45, which most likely means it travelled 19 hops to reach our host and that the sending system set an initial TTL of 64. A TTL of 64 points toward Linux and FreeBSD systems (a real database would, of course, hold signatures for many more systems).

You can verify the TTL by running traceroute to the remote host. If you are worried about the remote host noticing your traceroute, set the traceroute time-to-live (30 hops by default) to one or two hops less than the distance to the host using the -m option. In the example above, traceroute -m 18 limits the probe to 18 hops, so you see the path toward the host without ever touching the host itself.
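As an added example (not from the original paper or the passfing/siphon tools), the following Python parses the snort record above, estimates the sender's initial TTL and hop count, and scores it against a small constructed signature table; the table entries are placeholders, not a real fingerprint database.

```python
import re

# Constructed signature table for illustration only (not the passfing/siphon
# database): one entry mirrors the page's example, the others are placeholders.
SIGNATURES = [
    {"os": "Linux 2.2.x (sample)",  "ttl": 64,  "win": 0x7D78, "df": True, "tos": 0},
    {"os": "FreeBSD (sample)",      "ttl": 64,  "win": 0x4000, "df": True, "tos": 0},
    {"os": "Windows NT 4 (sample)", "ttl": 128, "win": 0x2238, "df": True, "tos": 0},
]
INITIAL_TTLS = (32, 64, 128, 255)   # common default TTLs set by operating systems

# The snort record from the page (a FIN/ACK with DF set).
SAMPLE_TRACE = """04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257 DF
***F**A* Seq: 0x9DD90553  Ack: 0xE3C65D7  Win: 0x7D78"""

def parse_snort(trace):
    """Extract the four passive signals (TTL, TOS, DF, window) from a snort TCP record."""
    ip = re.search(r"TTL:(\d+)\s+TOS:0x([0-9A-Fa-f]+)\s+ID:\d+(\s+DF)?", trace)
    win = re.search(r"Win:\s*0x([0-9A-Fa-f]+)", trace)
    if ip is None or win is None:
        raise ValueError("not a snort TCP record")
    return {"ttl": int(ip.group(1)), "tos": int(ip.group(2), 16),
            "df": ip.group(3) is not None, "win": int(win.group(1), 16)}

def initial_ttl(observed):
    """Guess the TTL the sender started with: the smallest common default not below it."""
    return next((t for t in INITIAL_TTLS if observed <= t), None)

def fingerprint(trace):
    """Score every signature on the four signals; 4/4 is a full match, 1/4 is weak."""
    f = parse_snort(trace)
    start = initial_ttl(f["ttl"])
    hops = None if start is None else start - f["ttl"]
    scored = []
    for sig in SIGNATURES:
        score = sum([sig["ttl"] == start, sig["win"] == f["win"],
                     sig["df"] == f["df"], sig["tos"] == f["tos"]])
        scored.append((score, sig["os"]))
    scored.sort(reverse=True)           # best candidates first
    return {"features": f, "initial_ttl": start, "hops": hops, "candidates": scored}

if __name__ == "__main__":
    r = fingerprint(SAMPLE_TRACE)
    print(f"initial TTL {r['initial_ttl']}, ~{r['hops']} hops away")
    for score, name in r["candidates"]:
        print(f"  {score}/4  {name}")
```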
