Layer 4 of the OSI model is the transport layer. The transport layer is in the middle of the OSI model, with three layers below and three layers above. In this article, I discuss fingerprinting and how it is related to the transport layer. Fingerprinting is the act of the operating system (OS) identification.
To better understand how fingerprinting works, we first need to review some transport layer basics.
For example, is the client running MAC OS 10, BSD or Windows 2003 Server?
Two protocols are primarily associated with the transport layer: First, there is User Datagram Protocol (UDP), which is a connectionless protocol. UDP offers no mechanisms for reliability; it was designed for speed. Next, there is Transmission Control Protocol (TCP), which is connection-oriented and is designed for reliability. TCP provides reliability by using flow control, checksums for error detection, sequence and acknowledgment numbers, a defined window size, and even a startup and shutdown process.
TCP also uses a set of control bits or flags. These flags are used to control the flow of data. Some common flags include:
- URG: Specifies urgent data.
- ACK: Specifies a value. The acknowledgment sequence number is significant and should be examined by the recipient.
- RST: Specifies a reset. RST can be used to terminate a connection that is experiencing problems.
- SYN: Specifies a synchronization. The SYN is used to start up a session.
- FIN: Specifies a finish. A FIN is used at the conclusion of connection to signal a session teardown.
Both TCP and UDP act as middlemen in that they are responsible for making a connection. Specifically, the transport layer is responsible for host-to-host connectivity. When thinking of connectivity, imagine a phone call. The very act of hearing someone answer a phone can (usually) tell you a lot about them -- whether they are young or old, male or female. Fingerprinting works in much the same way, as the attacker is attempting to identify the target. The target needs to be identified before an attack can be launched. Fingerprinting can be an active or passive activity.
Passive fingerprinting is hard to detect. It does not inject traffic into a network and works much like a packet sniffer. Passive fingerprinting tools examine packets and look at default values in the IP, ICMP and TCP header to determine the type of operating system that created the packets. Passive fingerprinting may not be as accurate as active fingerprinting, but it is stealthy. Programs such as Siphon, Ettercap and p0f are all tools based on the passive fingerprint concept. To get more background on passive fingerprinting, consider reviewing this article from the Honeynet Project: Know your enemy: Passive fingerprinting.
To get a better idea of how passive fingerprinting tools work, let's look more closely at the program p0f. This passive fingerprinting tool uses the p0f.fp file to store known OS fingerprints. A small portion of that file is shown here:
----------------- MacOS ------------------- 32768:255:1:48:M*,W0,N:.:MacOS:9.0-9.2 ----------------- OpenBSD ----------------- 16384:64:1:64:M*,N,N,S,N,W0,N,N,T:.:OpenBSD:3.0-3.4
Look closely at the first entry while I briefly describe the first four fields. First, the value "32768" is the TCP initial window size. Next, the value "255" is the IP time-to-live (TTL). This is followed by a "1" that denotes the IP don't-fragment bit. The fourth field, "48," defines the total length in bytes of the TCP SYN packet. These attributes uniquely define a MAC OS 9 operating system. Compare these values with those shown in the entry for OpenBSD. You should see quite a bit of difference. What this means is that each vendor uses slightly different values when designing an OS. These differences can be used to identify the system. If you would like to learn more about p0f, check out the p0f applications home page.
Active fingerprinting isn't low-key like passive fingerprinting. Whereas passive fingerprinting cannot be detected by an intrusion detection system (IDS), active fingerprinting can. What active fingerprinting provides for hackers is much more accuracy. Active fingerprinting functions by sending oddly formatted TCP packets. The result is that each target responds differently to these malformed packets. Active fingerprinting tools include Xprobe2 and Nmap.
Nmap works by sending out different types of packets to the target host. Once Nmap has identified at least one open and one closed port, it can begin the actual OS identification. Nmap can send out a stream of packets with different TCP flag settings or TCP options. The hope is that one of these packets will cause the targeted system to respond. As an example, one such scan sends a TCP packet with the flag settings of SYN, FIN, PUSH and URGENT. This is not a normal packet.
Defenses against passive scanning are limited, but IDS tools can be used to detect active fingerprinting. Snort can be used to pattern match against known active fingerprinting scans. Morph is another option. Morph is an OS fingerprint confusion tool that attempts to confuse active fingerprinting tools so that they cannot make an accurate discovery.
Whatever your choice, what's important is to understand how these techniques work so that you can better defend against them.
About the author: Michael Gregg has more than 15 years of experience in IT. Michael is the president of Superior Solutions Inc., a Houston-based training and consulting firm. He is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He currently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.