OS Fingerprinting

Network stacks do not all behave the same way, and each stack has behaviors specific to it.

  • Many RFCs contain optional behavior.

  • Some stacks have bugs.

  • Some stacks have optional behaviors.

  • Some stacks are not fully compliant (e.g., constrained devices).

Fingerprinting is possible by:

  • Sending a sequence of probes.

  • Observing response.

  • Matching behavior against a database.

The process lacks specificity.

  • Fingerprints may not be found for unknown systems.

  • A fingerprint may match multiple systems.

  • A combination of open/closed ports may not allow a full fingerprint.
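The matching step and its three limitations can be shown with a toy matcher. This is an added example, not code from the original notes or from Nmap: the fingerprint database is constructed for illustration (the response labels and the three system names are invented), and the probe names follow the T2-T7 list below. A candidate system matches when its expected response is compatible with every probe that could actually be sent; probes that need an open or closed port are skipped when no such port is available, which widens the candidate set.

```python
"""Toy OS-fingerprint matcher (added example; database entries are constructed).

Each observation maps a probe name (T2..T7) to a coarse response label such as
"RST" (a reset came back) or "none" (no response). Each database entry lists,
per probe, the set of responses a system is known to produce; an RFC "either is
allowed" behaviour is modelled as a set with two members.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    name: str
    expected: dict  # probe name -> set of acceptable response labels


# Constructed database. "alpha-os" and "beta-os" differ only in how strictly
# they answer T7, so some observations fit both; "gamma-os" answers T2 with a
# reset, which is what sets it apart.
DATABASE = [
    Fingerprint("alpha-os", {"T2": {"none"}, "T3": {"none"}, "T4": {"RST"},
                             "T5": {"RST"}, "T6": {"RST"}, "T7": {"none", "RST"}}),
    Fingerprint("beta-os",  {"T2": {"none"}, "T3": {"none"}, "T4": {"RST"},
                             "T5": {"RST"}, "T6": {"RST"}, "T7": {"RST"}}),
    Fingerprint("gamma-os", {"T2": {"RST"}, "T3": {"RST"}, "T4": {"RST"},
                             "T5": {"RST"}, "T6": {"RST"}, "T7": {"RST"}}),
]

# Which probes need which kind of port, as in the T2-T7 description.
OPEN_PORT_PROBES = ("T2", "T3", "T4")
CLOSED_PORT_PROBES = ("T5", "T6", "T7")


def usable_probes(have_open_port, have_closed_port):
    """Probes that can be sent given the ports the target exposes."""
    probes = []
    if have_open_port:
        probes.extend(OPEN_PORT_PROBES)
    if have_closed_port:
        probes.extend(CLOSED_PORT_PROBES)
    return probes


def match(observation, probes, db=DATABASE):
    """Names of every database entry consistent with all observed probes."""
    return [fp.name for fp in db
            if all(observation[p] in fp.expected[p] for p in probes)]


def classify(observation, have_open_port=True, have_closed_port=True, db=DATABASE):
    """Return (verdict, candidates): 'unique', 'ambiguous' or 'unknown'."""
    names = match(observation, usable_probes(have_open_port, have_closed_port), db)
    if not names:
        return ("unknown", names)
    if len(names) == 1:
        return ("unique", names)
    return ("ambiguous", names)


if __name__ == "__main__":
    full = {"T2": "none", "T3": "none", "T4": "RST", "T5": "RST", "T6": "RST", "T7": "none"}
    print(classify(full))                                   # unique: alpha-os
    full["T7"] = "RST"
    print(classify(full))                                   # ambiguous: alpha-os, beta-os
    print(classify({"T5": "RST", "T6": "RST", "T7": "RST"},
                   have_open_port=False))                   # ambiguous: all three
    print(classify({"T2": "RST", "T3": "RST", "T4": "none",
                    "T5": "RST", "T6": "RST", "T7": "RST"}))  # unknown
```

The three non-unique outcomes correspond to the limitations listed above: an observation no entry explains (unknown system), an observation explained by more than one entry (a fingerprint matching multiple systems), and a target with no open port, which removes T2-T4 from the comparison and leaves every entry in the running.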

Example: Nmap TCP Tests T2-T7.

  • T2: TCP null packet (no flags set) with the IP DF bit set and a window of 128 to an open port.

  • T3: TCP packet with the SYN, FIN, URG, and PSH flags set and a window of 256 to an open port; the IP DF bit is 0.

  • T4: TCP ACK packet with the IP DF bit set and a window of 1024 to an open port.

  • T5: TCP SYN packet without the IP DF bit and a window of 31337 to a closed port.

  • T6: TCP ACK packet with the IP DF bit set and a window of 32768 to a closed port.

  • T7: TCP packet with the FIN, PSH, and URG flags set and a window of 65535 to a closed port; the IP DF bit is 0.

Mitigation

Restrict the number of ports open.

  • Accurate fingerprinting relies on responses from open ports.

Detect scanning and enumeration with a firewall-specific rule.

  • Simple port maps and fingerprint attempts are easily recognized.

  • Advanced assessments that take hours or days are not trivial to detect.
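Because the T2-T7 probes use fixed flag and window combinations, a simple rule can pick them out of firewall or flow logs, and the same rule shows why a slow assessment slips past it. This is an added example, not code from the original notes or from any firewall product: the log format (timestamp, src, dst, dport, flags, win, df) and all sample lines are constructed for illustration. The rule raises an alert when one source emits at least three distinct probe signatures inside a short time window; a source that spreads the same probes over many hours never has enough in one window.

```python
"""Detect Nmap-style T2-T7 probe signatures in a constructed packet log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# (flags, window, DF bit) for each probe as described in the T2-T7 list.
PROBE_SIGNATURES = {
    "T2": (frozenset(), 128, True),
    "T3": (frozenset("SFUP"), 256, False),
    "T4": (frozenset("A"), 1024, True),
    "T5": (frozenset("S"), 31337, False),
    "T6": (frozenset("A"), 32768, True),
    "T7": (frozenset("FPU"), 65535, False),
}

# Constructed log: a fast scanner (10.0.0.5), a slow scanner spacing the same
# probes four hours apart (10.0.0.7), and an ordinary client SYN (10.0.0.8).
SAMPLE_LOG = [
    "2024-05-01T10:00:00 src=10.0.0.5 dst=10.0.0.9 dport=80 flags= win=128 df=1",
    "2024-05-01T10:00:01 src=10.0.0.5 dst=10.0.0.9 dport=80 flags=SFUP win=256 df=0",
    "2024-05-01T10:00:02 src=10.0.0.5 dst=10.0.0.9 dport=80 flags=A win=1024 df=1",
    "2024-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.9 dport=81 flags=S win=31337 df=0",
    "2024-05-01T10:00:04 src=10.0.0.5 dst=10.0.0.9 dport=81 flags=A win=32768 df=1",
    "2024-05-01T10:00:05 src=10.0.0.5 dst=10.0.0.9 dport=81 flags=FPU win=65535 df=0",
    "2024-05-01T00:00:00 src=10.0.0.7 dst=10.0.0.9 dport=80 flags= win=128 df=1",
    "2024-05-01T04:00:00 src=10.0.0.7 dst=10.0.0.9 dport=80 flags=SFUP win=256 df=0",
    "2024-05-01T08:00:00 src=10.0.0.7 dst=10.0.0.9 dport=80 flags=A win=1024 df=1",
    "2024-05-01T12:00:00 src=10.0.0.7 dst=10.0.0.9 dport=81 flags=S win=31337 df=0",
    "2024-05-01T16:00:00 src=10.0.0.7 dst=10.0.0.9 dport=81 flags=A win=32768 df=1",
    "2024-05-01T20:00:00 src=10.0.0.7 dst=10.0.0.9 dport=81 flags=FPU win=65535 df=0",
    "2024-05-01T10:00:02 src=10.0.0.8 dst=10.0.0.9 dport=80 flags=S win=64240 df=1",
]


def parse_line(line):
    """Parse one 'timestamp key=value ...' record; an empty flags= means a null packet."""
    ts_str, *tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields["src"],
        "flags": frozenset(fields.get("flags", "")),
        "win": int(fields["win"]),
        "df": fields.get("df") == "1",
    }


def probe_name(pkt):
    """Return the T2-T7 name whose signature the packet matches, else None."""
    key = (pkt["flags"], pkt["win"], pkt["df"])
    for name, sig in PROBE_SIGNATURES.items():
        if sig == key:
            return name
    return None


def detect(lines, window=timedelta(seconds=60), threshold=3):
    """Map source -> sorted probe names for sources that sent >= threshold
    distinct probe signatures within any single time window."""
    events = defaultdict(list)  # src -> [(timestamp, probe name)]
    for line in lines:
        pkt = parse_line(line)
        name = probe_name(pkt)
        if name:
            events[pkt["src"]].append((pkt["ts"], name))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            names = {n for t, n in evs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                alerts[src] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # only 10.0.0.5 is reported
```

Running it reports only the fast scanner; the slow source triggers the same signatures but never three within one window, which is the detection gap the second point above describes. Tightening the rule to a longer window or a lower threshold trades that gap for more false positives from legitimate but unusual clients.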

If supported, enable network obfuscation mechanisms.

  • The OS may emulate the behavior of another system.
