# OS Fingerprinting

Network stacks do not all behave the same way; each implementation has behaviors specific to it.

* Many RFCs contain optional behavior.
* Some stacks have bugs.
* Some stacks have optional behaviors.
* Some stacks are not fully compliant (e.g., constrained devices).

Fingerprinting is possible by:

* **Sending a sequence of probes.**
* **Observing the responses.**
* **Matching the observed behavior** against a database of known fingerprints.

The process does not always yield a unique or complete result.

* Fingerprints may not be found for unknown systems.
* A fingerprint may match multiple systems.
* The available combination of open and closed ports may not allow a full fingerprint.

Example: Nmap TCP tests T2-T7. Each probe uses a distinct combination of TCP flags, IP DF bit, and window field value, and is sent either to an open or to a closed port.

* T2: TCP null packet (no flags set) with the IP DF bit set and a window field of 128 to an **open port**.
* T3: TCP packet with the SYN, FIN, URG, and PSH flags set and a window field of 256 to an **open port**. The IP DF bit is not set.
* T4: TCP ACK packet with the IP DF bit set and a window field of 1024 to an **open port**.
* T5: TCP SYN packet without the IP DF bit and a window field of 31337 to a **closed port**.
* T6: TCP ACK packet with the IP DF bit set and a window field of 32768 to a **closed port**.
* T7: TCP packet with the FIN, PSH, and URG flags set and a window field of 65535 to a **closed port**. The IP DF bit is not set.

## Mitigation

Restrict the number of open ports.

* Accurate fingerprinting relies on responses from open ports.

Detect scanning and enumeration with firewall rules written for that purpose.

* Simple port maps and fingerprint attempts are easily recognized.
* Advanced assessments, spread over hours or days, are not trivial to detect.
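The detection idea above, applied to the T2-T7 probe list, as an added example that is not part of the original notes: each captured TCP packet is matched against the six probe signatures (flags, DF bit, window field), and a source that sends several distinct signatures to one host is reported. The packet records are constructed, not real captures, and the record layout `(src, dst, flags, df, window)` is an assumption of this example.

```python
# Added example: match packets against the Nmap T2-T7 probe signatures
# listed above and report sources that send several of them to one host.
from collections import defaultdict

# Signature per test: (set of TCP flag letters, IP DF bit set?, window field).
PROBES = {
    "T2": (frozenset(), True, 128),        # null packet, DF, window 128
    "T3": (frozenset("SFUP"), False, 256), # SYN/FIN/URG/PSH, no DF, window 256
    "T4": (frozenset("A"), True, 1024),    # ACK, DF, window 1024
    "T5": (frozenset("S"), False, 31337),  # SYN, no DF, window 31337
    "T6": (frozenset("A"), True, 32768),   # ACK, DF, window 32768
    "T7": (frozenset("FPU"), False, 65535),# FIN/PSH/URG, no DF, window 65535
}

def classify(flags, df, window):
    """Return the T-test name whose signature matches this packet, or None."""
    key = (frozenset(flags), bool(df), window)
    for name, sig in PROBES.items():
        if sig == key:
            return name
    return None

def find_fingerprint_attempts(records, threshold=3):
    """records: iterable of (src, dst, flags, df, window) tuples (assumed layout).
    A single match is weak evidence (an ordinary ACK with window 1024 also
    matches T4), so only (src, dst) pairs with at least `threshold` distinct
    probe signatures are reported, mapped to the sorted list of probes seen."""
    seen = defaultdict(set)
    for src, dst, flags, df, window in records:
        name = classify(flags, df, window)
        if name:
            seen[(src, dst)].add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

# Constructed sample records using RFC 5737 documentation addresses.
SAMPLE = [
    ("192.0.2.10", "198.51.100.5", "", True, 128),        # T2
    ("192.0.2.10", "198.51.100.5", "SFUP", False, 256),   # T3
    ("192.0.2.10", "198.51.100.5", "A", True, 1024),      # T4
    ("192.0.2.10", "198.51.100.5", "S", False, 31337),    # T5
    ("192.0.2.10", "198.51.100.5", "A", True, 32768),     # T6
    ("192.0.2.10", "198.51.100.5", "FPU", False, 65535),  # T7
    ("192.0.2.20", "198.51.100.5", "S", False, 64240),    # ordinary SYN
    ("192.0.2.20", "198.51.100.5", "A", True, 64240),     # ordinary ACK
]

if __name__ == "__main__":
    print(find_fingerprint_attempts(SAMPLE))
```

Only the six TCP tests covered on this page are matched; a full run also includes other probe families, so this is a partial rule, and the threshold is what keeps it from firing on ordinary traffic that happens to share one signature.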

If supported, enable network obfuscation mechanisms.

* The OS may emulate the network stack behavior of another system.
