Use the TCPIP stack to process different remote operating systems...

In recent years, the network security evaluation software has been gradually accepted by the network security field and is widely used.
Quickly spread. As part of the evaluation software, remote operating system detection must meet the following conditions:
-Accuracy: avoid incorrect detection results;
-Firewall and intrusion detection system impact: Avoid impact (or be affected) firewall and Intrusion Detection
Testing System;
-Elegant: low network traffic and non-hazardous segmentation;
-Smart: easy to expand and identify databases and automatic detection functions;
-Speed: High-Speed fingerprint detection tools should allow a wide range of network scans.
I will introduce you to a new operating system fingerprint detection tool-ring. In some cases
The tool may fail, but the good features and accurate results of the ring will surely satisfy you.
Ring is an open-source software designed for experimental concepts and testing purposes.

2> Technology Development Level
2.1 Brief History of operating system detection technology
-Identity information is obtained using this technology in many test tools.
Information. It is often achieved through the collection and analysis of binary files.
-TCP segmentation (Standard/non-standard) response analysis relies on different operating systems to perform specific segmentation
Different responses are differentiated. Popular tools include Savage's queso and Fyodor's NMAP.
Most of the changes come from this technology.
-ICMP response analysis is a new technology. It sends UPD or ICMP requests
REQUEST packets, and then analyze various ICMP responses. The X-probe of Ofir Arkin is the technology used.
In this case, X-probe works better, but when the firewall blocks some protocols, the result is not so good.
Satisfactory.
-Initialize the serial number (ISN) to randomly generate different exploits in the TCP stack.
Do not have enough test results to determine the operating system of the remote host. (For more information, see Maid, M.
(Apr, 2001), strange attractors and TCP/IP Sequence Number Analysis)
-Special operating system denial of service can also be used for operating system fingerprint detection, not only
Only used by hackers. In some special cases, denial of service can detect accurate results.

2.2 details of stack Query Technology
Stack query technology detects the system by measuring the response of the remote host TCP/IP stack to different requests.
Most operating systems will respond to special segment requests in a special way.
NMAP and queso are based on this technology. They generate a set of TCP and UDP requests sent to the remote
The open (not open) Port of the target host. In this case, the useful response information of the remote host will be received by the probe tool.
And analyze it.
These technologies usually enable the Security Evaluation Software to get some types and versions
Class information.
In several ways, this technology is so accurate:
-Each operating system (even if a patch is installed) is usually implemented using its own IP stack.
-TCP/IP specifications are not strictly enforced. Each different implementation will have its own unique
This makes it possible for a successful test.
-Specifications may be disrupted, some selective features may be used, and some other systems may not
Yes.
-Some private improvements to the IP protocol may also be implemented, which becomes a feature of some operating systems.
.

2.3 restrictions on typical tools
NMAP can recognize 500 different operating systems, but the premise is the stability of the network environment, the Target Master
You must open a TCP port, a closed TCP port, and a closed UDP port. If the preceding conditions are not met
The accuracy of the test results will be greatly reduced.
For the sake of security, the current network system usually opens only one visible TCP port, while
The datagram received by other ports is filtered out by the firewall or package filtering device.
In such a firewall-protected network environment, UDP ports and ports are closed based on the ICMP protocol.
Closed TCP port detection tools, such as NMAP and xprobe, work poorly.

3> Use of TCP/IP protocol
TCP, as a data transmission protocol, is built on the IP Protocol. Its definition can be found in rfc793.
. TCP/IP is the main network protocol used on the Internet.
The success of TCP lies in its reliability: the detection and management of errors, the control of data flow and congestion
System, retransmission mechanism, etc.
To meet this requirement, TCP becomes a connection-oriented protocol. Its operating mechanism is as follows:
1. Establish a connection
2. Data Transmission
3. Terminate the connection
TCP is built on the IP protocol. In the case of network congestion or routing problems, the IP protocol cannot
Provides reliable end-to-end data transmission. In addition, IP is a non-connection protocol, so connection control is established
On the TCP layer.
TCP provides multiple control over the connection in its header. The serial number and validation number are for better
Manage the re-transmission of data packets and control various special error conditions. The metadata field of the TCP datagram header
URG, ack, Psh, RST, Syn, and fin are set to manage the TCP connection status. For more information, see rfc793.
In order to better understand the principle of the ring in the future, the following lists the three handshakes for TCP connection establishment:
(The client actively initiates a connection to the server)

Client Server
| -------- SYN ---------> |
| <------ SYN-ACK ------- |
| -------- Ack ---------> |

During the process of data transmission over the network, some segments may be lost during transmission.
A datagram must be confirmed by the receiver. TCP maintains a list of confirmed data packets.
Note: If a datagram is not received within the expected time, it will be considered as a loss location
.

Moreover, TCP automatically processes the real order of the received data packets, and then
To the upper-layer system.
Network System blocking will lead to the loss of data packets. The size of any network capacity is attributed
The ability to transmit or route the physical underlying layer.
NOTE: If network congestion occurs, some data packets may be lost. TCP is heavy
If the lost data packets are sent, the network congestion will become more and more serious. Therefore, if the network
When blocking occurs, the retransmission speed of the datagram will be reduced.

Although TCP emphasizes this mechanism, the rfc793 does not use any rules to calculate the validation count.
The latency between reports.

4> Temporary Analysis
Principle 4.1
The retransmission of data packets provides us with another way to analyze the remote host operating system. We will
Analyzes the latency of the target host in each retransmission datagram to determine the operating system fingerprint of the remote host.
This method has been defined in rfc793, but it leaves some room for use. And,
Some implementations do not fully follow the current standards.
In order to let us know the role of this method, that is, the timeout mechanism, we must emphasize that
The IP stack of the host must be in a non-standard state.
And this situation can be easily imitated, simply discard the remote host SYN-ACK Datagram
Can be reached.
Measure the latency between two adjacent data packets sent by retransmission, or observe other information, such
TCP tags, serial numbers, and validation numbers can all obtain useful information about the remote host operating system.
If each operating system has its own characteristics, create a typical system identification database
It will become a possibility. Regardless of the host or network conditions, the operating system will be the only one that affects the test results.
. Therefore, to test the results of using the same operating system on different hosts
The same (the premise is that the network is stable)
By comparing the fingerprint of the target host with that in the operating system fingerprint database, you may know the remote
The operating system of the host.
The new operating system IDs will be easily recorded, and they will be recorded with the operating system names.
Contact.

DIY 4.2
This operating system fingerprint detection technology will use two parts of the probe instrument. One datagram Filter
Devices, such as personal firewalls, and datagram listening devices.

Preparation of the probe instrument: A simple method to simulate network congestion is to install
Personal firewalls, and some filtering rules are set to prohibit receiving all data packets from the target host. In this case
It is reported that the listener will receive all the data packets from the target host. Due to the existence of the firewall, the listener will scan the host.
No confirmation information is sent, so that a complete TCP connection cannot be established. After a certain period of time
The host terminates any relationship with the scan host.

Test process: the test process consists of three different steps.
-Firewall settings
-Try to establish a standard connection with the target host
-The target host sends a confirmation datagram.

The implementation process is described in detail below:
-Select a host and confirm an opened port. For example, the remote host is
192.168.0.10, whose TCP port 80 is open (the web service enabled by the system );
-Configure the firewall to block all data from the target host (192.168.0.10 ).
.
-Listen to all data packets from Port tcp80 of the target host;
-Send a SYN datagram to the target host and try to establish a connection with it;
-Analyze the latency between all adjacent data packets from the target host.

In fact, what we measure is not the interval between the target host and the continuous data packets,
The interval between consecutive data packets received from the target host. If these time intervals are almost fixed
So we can boldly assume that they are equal.
The following figure shows the traffic reported during the probe hours (A indicates scanning the host, B indicates the target host to be Probe
, The no-arrow line between A and B indicates no data transmission ):

A B
| -------- SYN ---------> |
| <------ SYN-ACK ------- | --------------
| ------------------- | The interval is T1.
| <------ SYN-ACK ------- | --------------
| ------------------- | The time interval is T2.
| ------------------- |
| <------ SYN-ACK ------- | --------------
| ------------------- |
| ------------------- | The time interval is T3.
| ------------------- |
| ------------------- |
| <------ SYN-ACK ------- | --------------

4.3 Static Analysis
Because the datagram may pass through some unstable networks, such as the Internet, it is likely to receive
The delay (r_ I) between the continuous datagram to and the delay (s_ I) when they are sent is no longer the same.
If we receive two consecutive data reports from the target host, the measured latency is 3.01.
Seconds, but it is very likely that they will delay each other by 3.0 seconds. The problem is that some systems implement 3.2
Seconds are used as the time delay for sending two consecutive data packets. The range between 3.0 seconds and 3.2 seconds is too small.
It is impossible to tell which system the received datagram comes from.
To avoid this problem, we can use the TCP time cut option, so that we can better
When the message of the datagram is sent. Setting the time cut option in each datagram will improve the accuracy of the test result.
Accuracy. However, using the time cut option may increase the difficulty of our judgment, because the time cut option may return
Some inaccurate time data.

This method is based on Fingerprint acquisition and comparison with the existing fingerprint database.
The general method of measuring the "distance" is to obtain the difference between the corresponding latencies:
Distance = Σ | r_ I-s_ I |
Here, r_ I is the time delay related to the received I-th datagram, and s_ I is
The time delay of the corresponding ordered datagram.
Therefore, the most likely operating system to be detected is to find the fingerprint database with the shortest distance.
The corresponding operating system. However, the obtained "distance" does not take into account some important marks of the TCP datagram header (such
SYN, ack, RST, fin ......) . These tags often detect the running status of the target host.
Serial number and validation number, which can be used to differentiate different system implementation methods.

5> ring execution and actual results
5.1 Database
For ease of development, ring uses the Standard C language and some library files in UNIX. For example, dug
Song's libdnet library, Mike D. Schiffman Libnet library, Lawrence Berkeley
National liboratory libpcap library.
The libdnet library is used to control the firewall. It provides an API that allows you to control some Unix
Firewall (such as ipchains, ipfilters, IPF ......)
Libpcap is usually used for network listening and datagram analysis.

5.2 running process
Ring needs some initialization parameters for remote host detection, including the IP address of the target host and the IP address of the target host.
The previous open TCP port scans the host's IP address and the network interface used to listen on the datagram.
Then, the ring will perform the following steps:
-Select the source port;
-Use libdnet to establish a local Filtering Facility to block data packets from the target host;
-Use libpcap to listen for received data packets;
-Send a tcp syn data report to the target host using Libnet;
-Listen for the send-back datagram within the default/adjusted Delay
-Compare the received return datagram with the known Signature

5.3 actual results
When other tools cannot differentiate remote host systems, the ring still provides very accurate results. Example
For example, a Win2k host and a freebsd host, even if they are hidden behind a normally configured firewall,
Ring may also distinguish them.
Win2k and FreeBSD have a very familiar implementation because they share the same IP stack.
Technology. If the two operating systems have only one open port, NMAP is usually unable to distinguish
Both.
If the implementation technology is very familiar, We will detect another reset datagram for further exploration.
For the ring, it should be sufficient to distinguish the operating system of the remote host.
The following is a comparison between Win2k and FreeBSD:
(In the following table, the data corresponding to each system is the time delay of retransmission datagram, in seconds as a single
Bit. For example, the first row of data: 1 st indicates the first retransmission of the remote host, and 3 tables under Windows 2 K
It indicates that the first retransmission delay of the window 2 K system is 3 seconds, and 3 in the next FreeBSD 4.4 also indicates FreeBSD
4.4 The first retransmission delay of the system is 3 seconds .)
____________________________________________
| Retries | === windows 2 k ====|= FreeBSD 4.4 = |
| = 1st = | =========== 3 ============|========= 3 ====== |
| = 2nd = | =========== 6 ==========|========= 6 ====== |
| = 3rd = | = no more retries = | ==== 12 ====== |
| = 4th ==|==========================|=====24 =======|
----------------------------------------------------
| = Reset = | = No Reset sent = | = reset after 30 sec. = |
----------------------------------------------------

Ring can also differentiate different versions of the same operating system:
-------------------------------------------------
| Retries | === linux2.2.14 ==|=== Linux 2.4 ===|
| = 1st ==|=========3, 5 ==========|===========4, 26 ====== |
| ==2nd ==|=========6, 5 ==========|=============== 6 ========== |
| === 3rd ==|=========12, 5 ==========|===========12 ====== |
| = 4th ==|==========24, 5 ==========|==============24 ===========|
| = 5th ==|=========48, 5 ==========|=============48, 2 ====== |
| = 6th ==|====== 96,5 ==========|= no more retries = |
| = 7th ==|=========120,5 ========|=======================|
| = 8th = | = no more retries = | =======================|
-------------------------------------------------
| = Reset = | === no reset ====|=== no reset ===|
-------------------------------------------------

-------------------------------------------------
| Retries | === Windows 98 ====|=== windows 2 k ===|
| = 1st ==|============= 3 ==========|=============== 3 ======== = |
| ==2nd ==|============= 6 ============|============= 6 ======== = |
| === 3rd ==|=========12 ============|= no more retries = |
| = 4th ==|= no more retries =|=========================|
-------------------------------------------------
| = Reset = | ===== no reset ====|===== no reset ===|
-------------------------------------------------

The following are the differences between different devices:
---------------------------------------------------------
| Retries | Minolta printer | Cisco router | 3Com Switch |
| = 1st ==|=======4, 5 ========|=========== 2 ============|=== = 3, 5 = |
| = 2nd = |=========4, 5 ========|======== 3, 9 ==========|==== 4 ==== |
| === 3rd ==|========= 9 ==========|========= 5, 9 ==========|=== = 4, 4 = |
| = 4th ==|=========18 =======| no more retries |=====4, 4 ==== |
| ==5th ==|==========36 ========|============================|== = 4, 4 = |
| = 6th ==|===========72 ========|==========================|== = 4, 4 = |
| ==7th ==|========= 144 ========|============================|=== = 4, 4 = |
| = 8th ==|========= 285 ========|==========================|=== = 4, 4 = |
| = 9th ==|========= 576 ========|==========================|=== = 4, 4 = |
| = 10th = | ======= 169 ========|==========================|==== 4, 4 = |
| = 11th = | ======= 169 ========|==========================|==== 4, 4 = |
| = 12th = | ======= 169 ========|==========================|==== 4, 4 = |
---------------------------------------------------------
| = Reset = | ===== reset ======|=== no reset ====|=== no reset = |
---------------------------------------------------------
Note: after a series of retransmission, some systems will send an rst datagram warning to scan the host
Stop Transmission and stop retransmission of data packets.

6> discussion and Expansion
6.1 advantages
The biggest advantage of the ring technology is that it only needs an open port. If the target host is
If it is protected by the firewall, only one port is opened, and other ports are filtered out.
In the same firewall configuration, NMAP will not be so effective because it is based on
Closed ports are often filtered out.
Moreover, the ring technology uses a standard TCP datagram, which will not create
Has any adverse effect.
On the other hand, this probe method takes more time than NMAP or xprobe. This is measurement continuity
An inherent disadvantage of datagram time delay.
6.2 Protection
Is there any way to prevent the ring from detecting the operating system fingerprint? Because the data is transmitted as a standard number.
It is reported that the target host cannot be separated from the common data transmission.
The retransmission of data packets is obvious, but the loss and retransmission of data packets are common on the network.
What happened.
If an intrusion detection system suspends a connection to prevent excessive junk information on the network,
This will reduce the TCP error rate and restore the network's flow capacity.
In some operating systems, you can modify the data of some members of the TCP/IP stack to avoid
The role of ring detection. However, I do not recommend this method because it seriously threatens the stability of the TCP/IP stack.
Another possible method is to hide the host after the proxy, or use firewall technology to implement
SYN forwarding or SYN gateway technology. SYN forwarding or SYN protection technology is specifically used to deal with SYN flood attacks.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SYN forwarding principle:
(Note: In the following figures, the same host is the same name, and the straight line without arrows does not mean anything.
. For example, three clients refer to the same client, and three firewalls refer to the same firewall)

Client ------ SYN ------> firewall -------------- target
Client <--- SYN-ACK ----- firewall -------------- target

If the firewall does not receive the waiting ack datagram within a certain period of time, the connection will
Aborted:

Client <------ rst ------- firewall ---------------- target

Instead, the transmission continues:

Client ---------------- firewall ------- SYN ------> Target
Client ------ ack ------> firewall <--- SYN-ACK ----- target
Client ---------------- firewall ------- ack ------> Target

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SYN gateway principle:

Client ------ SYN ------> firewall ------- SYN ------> Target
Client <---- SYN-ACK ---- firewall <----- SYN-ACK ---- target

If the firewall does not receive the waiting ack datagram within a certain period of time, it will interrupt the current
Connection:

Client ---------------- firewall ------ rst ------> Target

On the contrary, the connection will continue:

Client ------ ack ------> firewall ------ ack ------> Target

6.3 future improvement
Another State in the TCP transmission stream also has the same function, trying to resend those pretended to be discarded
Datagram. This is the fin_wait_1 status. It can be used in combination with the previous detection technology or
The SYN protection system is being tested. This interesting technology can be implemented through the network that implements the SYN gateway protection mechanism.
To detect the system fingerprint of the real target host.
---------------------------------------------
| Retries | === linux2/4 ====|=== windows 2 k ===|
| = 1st ==|=========0, 8 ========|============= 3 ====== |
| ==2nd ==|======== 1, 3 ========|============ 6 ======== |
| === 3rd ==|=========2, 6 ========|======== 12 =======|
| = 4th ==|=========5, 2 ========|=========24 =========|
| ==5th ==|=======10, 5 ==========|=========48 =======|
| = 6th ==|=====20, 8 =======| no more retries |
| ==7th ==|=======41,6 ========|=====================|
| = 8th = | no more retries | ==================== |
---------------------------------------------
| = Reset = | === no reset ==|=== no reset ===|
---------------------------------------------

7> conclusion
The ring uses a new operating system detection technology built on conventional and non-hazardous TCP transmission.
It identifies the operating system fingerprint of the remote host by analyzing the latency of the target host in each retransmission datagram. For example
It should be better if it is combined with other operating system detection technologies.

Reference:
1) <ring-full-paper> by intranode Research Team
2) <remote OS Detection via TCP/IP stack fingerprinting>
Fyodor
3) <ICMP based remote OS TCP/IP stack fingerprinting techniques>
By Ofir Arkin & Fyodor yarochkin