Passive Aggressive
Jon Lasser, 2002-01-30

Black hats use 'passive fingerprinting' to identify your operating system without you knowing it. But the technique is useful for white hats too.

On January 21st, a new version of an interesting program called p0f was released. p0f is a tool for passive OS fingerprinting: it identifies an operating system by examining the packets it sees on the local network, without ever sending a packet designed to elicit a response. It's a fascinating area of research, and it may sidestep the ethical and legal problems associated with active fingerprinting.

In active OS fingerprinting, the program sends a number of oddly-formed packets to the target system and looks at the response to those packets. Each system will respond differently to at least some of these strange or broken packets, and the "fingerprint" of these responses can be used to guess the operating system.

Active OS fingerprinting is a technique that has been around since at least 1997, though Queso, the first program to do a thorough job of fingerprinting, was apparently released in August of 1998. (That's as far back as their ChangeLog runs, at any rate.)

Today, the port-scanning tool Nmap has supplanted Queso as the OS fingerprinting tool of choice, and Fyodor, Nmap's author, has written an excellent paper about active OS fingerprinting that covers the technical details.

Although active fingerprinting is useful for some network administrators, its very nature makes it risky to use: the probes are sent to the target, so the target can log them, and an intrusion detection system will usually flag them as a scan.

To illustrate, a coworker of mine once received a visit from the site security officer, who had himself received a call from a bank whose web servers had been fingerprinted. My coworker had been idly curious about his own bank's servers. Had our site security officer or the bank's computer security personnel been less understanding, he would have faced dismissal, or even legal proceedings.

The fact is, Queso and Nmap are "grey hat" tools, useful for both good deeds and nefarious activities. You should make sure you get your network administrator's permission, preferably in writing, before using either tool on your network, and never scan another network without prior written permission.

Passive fingerprinting, on the other hand, comes with less baggage.

Passive fingerprinting looks for the same kind of evidence as active fingerprinting, namely the details in which one TCP/IP implementation differs from another: the initial TTL, the don't-fragment bit, the advertised window size, and which TCP options are present and in what order. Unlike active fingerprinting, though, it gathers that evidence only from traffic the target sends in the ordinary course of business. It sacrifices some precision, since it cannot provoke the unusual responses that active probes rely on, and it needs a vantage point from which the traffic can actually be seen. But because no packet is ever sent to the target, it is in principle undetectable by that system.

The Passive Fingerprint Kit
The concept was described in a Honeynet Project paper written in May 2000. The technique was designed to discover information about the attack platforms being used against honeynets, systems designed to "trap" crackers and learn their techniques. Since then, several packages that implement passive fingerprinting have been developed, among them Siphon, p0f, and Ettercap.

Although the current version of Siphon available for download is rather old (September 2000), a new version is promised Real Soon Now, and it integrates interesting network-mapping features into the product. When the promised version 1.0 is released, I will mention it in this column. Until then, it might be worthwhile to look at other tools.

Ettercap is the most advanced of the passive fingerprinting tools I've seen to date, and some users will find it invaluable for identifying devices on their networks. But it's also the one most likely to get you in trouble.

In addition to passive OS fingerprinting, Ettercap also supports TCP session hijacking, which lets you take control of an active telnet or FTP session between two other systems. It's also useful for password grabbing, and boasts a host of other black hat features. If you use this tool on your network, be absolutely sure that management knows what it is capable of doing, and what you're using it for.

Which brings us back to p0f. This is a bare-bones passive-fingerprinting tool that uses the libpcap library also used by tcpdump and Snort, the popular network sniffers. It examines the SYN packet that opens a TCP connection and makes a guess at the operating system of the host that sent it, which means it fingerprints whoever connects to you (or to anything else on a segment you can sniff), not the server being connected to. It runs in console mode and has only a few features, but does a pretty good job. It's a straightforward tool.
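To make the mechanism concrete, here is an added example (written for this page, not p0f's code) of what a SYN-based passive fingerprinter actually does: it pulls the initial TTL, DF bit, window size, MSS and TCP option order out of a raw IPv4/TCP packet and compares them against a signature table. The packets are constructed inline with a small builder so the script runs offline, in place of the libpcap capture a real tool would use; the helper names (build_syn, opt_mss, extract_features and so on) are this example's own. The signature table and its "MSS*n" window notation are a simplified, constructed format, and the three entries are the classic SYN signatures for those stacks as the author of this example remembers them, not copies from p0f's database; confirm any of them against p0f's own fingerprint file before relying on it.

```python
import struct

# Constructed, simplified signature table (NOT p0f's database; see lead-in).
# window: an exact value, or "MSS*n" meaning the window is n times the advertised MSS.
# options: single letters in the order seen: M=MSS, N=NOP, W=window scale, S=SACK-OK,
# T=timestamp, E=end-of-list.
SIGNATURES = [
    {"window": "MSS*4", "ttl": 64,  "df": True,  "options": "M,S,T,N,W", "label": "linux-2.4-like"},
    {"window": 16384,   "ttl": 128, "df": True,  "options": "M,N,N,S",   "label": "windows-2000-like"},
    {"window": 4128,    "ttl": 255, "df": False, "options": "M",         "label": "cisco-ios-like"},
]

# TCP option encoders, used only to construct sample SYNs for this example.
def opt_mss(mss):      return b"\x02\x04" + struct.pack("!H", mss)
def opt_nop():         return b"\x01"
def opt_wscale(shift): return b"\x03\x03" + bytes([shift])
def opt_sackok():      return b"\x04\x02"
def opt_timestamp():   return b"\x08\x0a" + b"\x00" * 8

def build_syn(ttl, df, window, options, flags=0x02):
    """Construct a raw IPv4+TCP packet (no link-layer header, checksums left zero).
    Test-input fabrication only; a real tool reads frames from libpcap."""
    opts = b"".join(options)
    opts += b"\x00" * (-len(opts) % 4)          # pad options to a 32-bit boundary
    data_off = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_off << 4, flags, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, bytes((10, 0, 0, 1)), bytes((10, 0, 0, 2)))
    return ip + tcp

def guess_initial_ttl(ttl):
    """Stacks start at 32, 64, 128 or 255; pick the smallest of those not below the observed TTL."""
    for candidate in (32, 64, 128, 255):
        if ttl <= candidate:
            return candidate
    return 255

def extract_features(pkt):
    """Pull the fingerprint-relevant fields out of a raw IPv4 packet; None unless it is a pure SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:                              # not TCP
        return None
    tcp = pkt[ihl:]
    if (tcp[13] & 0x3F) != 0x02:                 # SYN set; ACK/FIN/RST/PSH/URG clear
        return None
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    opts, order, mss, wscale, i = tcp[20:data_off], [], None, None, 0
    while i < len(opts):                         # walk the TCP options, recording their order
        kind = opts[i]
        if kind == 0:                            # end of option list
            order.append("E"); break
        if kind == 1:                            # NOP has no length byte
            order.append("N"); i += 1; continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts): # malformed option: stop rather than loop forever
            break
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]; order.append("M")
        elif kind == 3:
            wscale = opts[i + 2]; order.append("W")
        elif kind == 4:
            order.append("S")
        elif kind == 8:
            order.append("T")
        else:
            order.append("?%d" % kind)
        i += length
    initial = guess_initial_ttl(ttl)
    return {"ttl": ttl, "initial_ttl": initial, "hops": initial - ttl, "df": df,
            "window": window, "mss": mss, "wscale": wscale, "options": ",".join(order)}

def match_signatures(feat, sigs=SIGNATURES):
    """Return the labels of every signature consistent with the extracted features."""
    hits = []
    for s in sigs:
        if (feat["initial_ttl"], feat["df"], feat["options"]) != (s["ttl"], s["df"], s["options"]):
            continue
        w = s["window"]
        if isinstance(w, str):                   # "MSS*n" form: window scales with the MSS
            if feat["mss"] is None or feat["window"] != feat["mss"] * int(w[4:]):
                continue
        elif feat["window"] != w:
            continue
        hits.append(s["label"])
    return hits

def fingerprint(pkt):
    feat = extract_features(pkt)
    return None if feat is None else dict(feat, matches=match_signatures(feat))

if __name__ == "__main__":
    # Constructed sample: a SYN that arrived with TTL 58, i.e. six hops from a 64-TTL stack.
    sample = build_syn(58, True, 5840, [opt_mss(1460), opt_sackok(), opt_timestamp(), opt_nop(), opt_wscale(0)])
    print(fingerprint(sample))
```

Two points the code makes that the prose does not: the observed TTL is never the stack's initial value, so the matcher rounds it up to the nearest conventional starting point and the difference gives a rough hop count to the sender; and the option walk has to cope with malformed option lengths, since the packets being examined come from whoever is on the wire.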

Given passive fingerprinting's prominent inclusion in grey hat and black hat tools, you may want nothing more than to frustrate the technique. But there's not a whole lot you can do. Some of the techniques used to evade active fingerprinting may help, and changing a single parameter such as the default TTL (a sysctl on Linux) alters one feature of the fingerprint, but the combination of features, and especially the order of TCP options, is fixed by the stack's code. On the other hand, there's only so much information that leaks to passive fingerprinting in the first place.

Unlike active fingerprinting, there's little ethical difficulty with passive fingerprinting, because the software is merely looking closely at traffic that passes by on the network, traffic you could capture with tcpdump in any case. It's like listening to other people's accents in a cafe. The one caveat is that you must be entitled to capture that traffic at all: the same permission rules that apply to running a sniffer on someone else's network apply here.

Passive fingerprinting can help you identify mysterious devices on your local network, and may prove useful for other LAN administrative tasks. Mostly, however, it's interesting how much can be deduced from so little information.


SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
Copyright 2010, SecurityFocus