OS Fingerprinting

Fingerprinting is the easiest way to detect the operating system (OS) of a remote system. OS detection matters because, once the target system's OS is known, it becomes easier to hack into the system. Fingerprinting works by comparing the data packets sent by the target system against known patterns; analysing these packets gives the attacker a hint as to which operating system the remote system is running.

There are two types of fingerprinting techniques:

  • Active fingerprinting
  • Passive fingerprinting

In active fingerprinting, the attacker sends probe packets (for example, ICMP messages) to the target system, and the target's responses show which OS it is running. In passive fingerprinting, the attacker sends nothing and only observes the target's traffic; for example, the observed TTL value together with the number of hops the packet has travelled reveals the initial TTL that the remote OS uses.

Ways to perform active OS fingerprinting
The most common ways of performing active OS fingerprinting are as follows:

ICMP error message quoting: Different operating systems quote different parts of the original packet in an ICMP error message, so an attacker can guess the operating system of a remote host by analysing what the ICMP error messages quote.

ICMP error message quenching: The attacker sends UDP packets to random unused ports on the remote host. When the remote host replies with ICMP error messages, the attacker can guess the operating system by counting how many ICMP replies the host sends, since operating systems rate-limit these errors differently.

Window size: Many operating systems use characteristic TCP window size values in their outgoing packets, so an attacker can guess the operating system of a remote host by analysing the window size value.

Studying ISNs: Many operating systems generate TCP initial sequence numbers (ISNs) following a particular pattern; hence, analysing ISNs gives an attacker a good clue about the operating system.

Sending FIN packets to open ports on the remote system: Some non-UNIX operating systems do not respond to a bare FIN packet sent to an open port, so the presence or absence of a response gives an attacker a good indication of which operating system the remote host is running.

Ways to perform passive OS fingerprinting
Passive OS fingerprinting with the help of sniffers: The attacker places a sniffer on a third-party system, such as a router, that the victim's traffic regularly passes through. He then studies the sniffer's logs and the observed responses and obtains hints about the remote OS from the following parameters:

TTL values: the Time To Live (TTL) value of packets sent by the host; operating systems start from different initial TTL values.

Window size: for many operating systems, the initial TCP window size is a fixed, characteristic value.

Don't Fragment bit (DF): some operating systems set the DF bit by default, and some do not.

Type of service (ToS): the ToS value varies from OS to OS.

When the attacker extracts these values from the sniffer's logs, he matches them against a database of known operating-system signatures and obtains a clue about which OS is running on the remote system.
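As an added illustration (not code from the original post), the following Python sketch shows what the sniffer-visible fields listed above leak, how the initial TTL is recovered from the observed TTL, and why changing the defaults, as the countermeasures section recommends, defeats a signature match. The signature values and the captured SYNs are constructed for this example, not taken from a real fingerprint database.

```python
from dataclasses import dataclass

# Illustrative signature table (constructed for this example, not a real
# fingerprint database): initial TTL, initial TCP window size, DF bit set.
SIGNATURES = {
    "example-os-A": (128, 65535, True),
    "example-os-B": (64, 29200, True),
    "example-os-C": (255, 4128, False),
}

# Starting TTL values used by common IP stacks. Each router decrements the
# TTL by one, so the sniffer sees start_ttl - hops; rounding the observed
# value up to the next start value recovers the sender's default.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class SynObservation:
    ttl: int      # IP TTL as seen by the sniffer
    window: int   # TCP window advertised in the SYN
    df: bool      # IP Don't Fragment flag


def infer_initial_ttl(observed_ttl):
    """Return (initial_ttl, hop_count) for the smallest plausible start value."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be between 1 and 255")
    start = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return start, start - observed_ttl


def match_os(obs):
    """Return the signature names consistent with one observed SYN."""
    initial_ttl, _hops = infer_initial_ttl(obs.ttl)
    return [name for name, (ttl, win, df) in SIGNATURES.items()
            if (ttl, win, df) == (initial_ttl, obs.window, obs.df)]


# Constructed observations, as if captured eleven hops from the senders.
SAMPLE_SYNS = {
    "host-1": SynObservation(ttl=117, window=65535, df=True),
    "host-2": SynObservation(ttl=53, window=29200, df=True),
    # host-3 runs the same stack as host-1 but with its window size changed
    # from the default, as the countermeasures section recommends.
    "host-3": SynObservation(ttl=117, window=16384, df=True),
}

if __name__ == "__main__":
    for host, obs in SAMPLE_SYNS.items():
        print(host, match_os(obs) or "no match")
```

Running the block prints a match for host-1 and host-2 and "no match" for host-3, whose non-default window size no longer lines up with any signature.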

Passive OS fingerprinting with the help of email headers: An attacker can also detect the remote OS passively by analysing email headers. Email headers usually reveal the mail daemon running on the remote computer, and since a given mail daemon is usually associated with a particular OS, the attacker can guess the remote computer's OS from the mail daemon information.

Countermeasures against OS fingerprinting: The following are countermeasures against OS fingerprinting:

  • Using Snort rules to detect the various OS fingerprinting attacks.
  • Checking whether any new malicious connection has been established.
  • Updating antivirus and firewall regularly.
  • Changing the default values of the parameters (TTL, window size, DF bit, ToS) that passive OS fingerprinting relies on.
  • Using secure communication with encrypted protocols.
This entry was posted in Security.