Black hats use 'passive fingerprinting' to identify your operating system without you knowing it. But the technique is useful for white hats too.
p0f is a tool designed for passive OS fingerprinting: it identifies an operating system by examining packets already passing over the local network, without sending any packets designed to elicit a response. It's a fascinating area of research, and it may sidestep the ethical and legal problems associated with active fingerprinting.
In active OS fingerprinting, the program sends a number of oddly-formed packets to the target system and looks at the response to those packets. Each system will respond differently to at least some of these strange or broken packets, and the "fingerprint" of these responses can be used to guess the operating system.
Active OS fingerprinting is a technique that has been around since at least 1997, though Queso, the first program to do a thorough job of fingerprinting, was apparently released in August of 1998. (That's as far back as their ChangeLog runs, at any rate.)
Today, the port-scanning tool Nmap has supplanted Queso as the OS fingerprinting tool of choice. And Fyodor, Nmap's author, has written an excellent paper about active OS fingerprinting that covers the technical details.
Although active fingerprinting is useful for some network administrators, its very nature makes it potentially dangerous to use.
To illustrate, a coworker of mine once received a visit from the site security officer, who had himself received a call from a bank whose web servers had been fingerprinted. My coworker had been idly curious about his own bank's servers. Had our site security officer or the bank's computer security personnel been less understanding, he would have faced dismissal, or even legal proceedings.
The fact is, Queso and Nmap are "grey hat" tools, useful for both good deeds and nefarious activities. You should make sure you get your network administrator's permission, preferably in writing, before using either tool on your network, and never scan another network without prior written permission.
Passive fingerprinting, on the other hand, comes with less baggage.
While similar in concept to active fingerprinting, passive fingerprinting relies on implementation-specific details of each operating system's TCP/IP stack, such as the initial TTL, window size, Don't Fragment bit and TCP options it puts in the packets it sends. Unlike active fingerprinting, passive fingerprinting uses only normal traffic to determine the operating system. While it may sacrifice some precision, passive fingerprinting is in principle undetectable by the system being fingerprinted, since nothing is ever sent to it.
The concept was described in a HoneyNet project paper written in May 2000. The technique was designed to discover information about attack platforms being used against HoneyNets, systems designed to "trap" crackers and learn their techniques. Since then, several different packages have been developed that can use passive fingerprinting techniques. These include Siphon, p0f, and Ettercap.
Although the current version of Siphon available for download is rather old (September 2000), a new version is promised Real Soon Now, and it integrates interesting network-mapping features into the product. When the promised version 1.0 is released, I will mention it in this column. Until then, it might be worthwhile to look at other tools.
Ettercap is the most advanced of the passive fingerprinting tools I've seen to date, and some users will find it invaluable for identifying devices on their networks. But it's also the one most likely to get you in trouble.
In addition to passive OS fingerprinting, Ettercap also supports TCP session hijacking, which lets you take control of an active telnet or FTP session between two other systems. It's also useful for password grabbing, and boasts a host of other black hat features. If you use this tool on your network, be absolutely sure that management knows what it is capable of doing, and what you're using it for.
Which brings us back to p0f. This is a bare-bones passive-fingerprinting tool that uses the libpcap library also used by tcpdump and Snort, the popular network sniffers. It examines the SYN packet at the start of a TCP connection and makes a guess at the operating system of the host that sent it. It runs in console mode and has only a few features, but does a pretty good job. It's a straightforward tool.
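To make the mechanism concrete, here is an added example (my own illustration, not p0f's code) of what a SYN-based passive fingerprinter does: it pulls the initial TTL, window size, DF bit, total length and TCP option layout out of a raw IPv4/TCP SYN, builds a p0f-style signature string, and looks it up in a table. The three signatures in the table are constructed approximations of common stack defaults for this demo only, not p0f's real database, and the packets are built in-line rather than captured from a live network. The hop-distance figure shows the side benefit of rounding the observed TTL up to a common initial value.

```python
"""Passive OS fingerprinting from a TCP SYN, illustrative only (not p0f's code)."""
import struct

# Constructed signature table in p0f-style "window:ttl:df:iplen:options" form.
# Values approximate typical stack defaults; they are assumptions for this demo.
SIGNATURES = {
    "5840:64:1:60:M*,S,T,N,W0": "Linux 2.4 (approximate)",
    "65535:128:1:48:M*,N,N,S": "Windows 2000/XP (approximate)",
    "16384:64:1:64:M*,N,N,S,N,W0,N,N,T": "OpenBSD 3.x (approximate)",
}

INITIAL_TTLS = (32, 64, 128, 255)  # the initial TTLs real stacks actually use


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    return 255


def parse_tcp_options(raw):
    """Turn raw TCP option bytes into p0f-style tokens (M*, N, S, T, Wn, E)."""
    tokens, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            tokens.append("E")
            break
        if kind == 1:                      # NOP has no length byte
            tokens.append("N")
            i += 1
            continue
        if i + 1 >= len(raw):              # truncated option header
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):   # malformed length
            break
        data = raw[i + 2:i + length]
        if kind == 2:
            tokens.append("M*")            # MSS present; value not compared
        elif kind == 3:
            tokens.append("W%d" % data[0]) # window scale factor
        elif kind == 4:
            tokens.append("S")             # SACK permitted
        elif kind == 8:
            tokens.append("T")             # timestamps
        else:
            tokens.append("?%d" % kind)    # unknown option kind
        i += length
    return tokens


def fingerprint_syn(packet):
    """Return (signature, os_guess, hop_distance) for an IPv4 pure-SYN, else None."""
    if len(packet) < 40:
        return None
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:    # IPv4 carrying TCP only
        return None
    ihl = (ver_ihl & 0x0F) * 4
    df = (flags_frag >> 14) & 1            # Don't Fragment bit
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return None
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    if off_flags & 0x3F != 0x02:           # only a pure SYN (no ACK) is fingerprinted
        return None
    opts = parse_tcp_options(tcp[20:data_off])
    init_ttl = guess_initial_ttl(ttl)
    sig = "%d:%d:%d:%d:%s" % (window, init_ttl, df, total_len, ",".join(opts))
    return sig, SIGNATURES.get(sig, "UNKNOWN"), init_ttl - ttl


def build_syn(ttl, df, window, options, flags=0x02):
    """Construct a minimal IPv4/TCP packet for the demo (checksums left zero)."""
    assert len(options) % 4 == 0, "options must already be 32-bit aligned"
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0,
                      ((tcp_len // 4) << 12) | flags, window, 0, 0)
    return ip + tcp + options


# Constructed option layouts matching the three demo signatures above.
LINUX24_OPTS = (b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8
                + b"\x01" + b"\x03\x03\x00")                      # 20 bytes
WIN2K_OPTS = b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02"      # 8 bytes
OPENBSD_OPTS = (b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02" + b"\x01"
                + b"\x03\x03\x00" + b"\x01\x01" + b"\x08\x0a" + b"\x00" * 8)  # 24 bytes

if __name__ == "__main__":
    for name, pkt in (("linux", build_syn(52, True, 5840, LINUX24_OPTS)),
                      ("windows", build_syn(116, True, 65535, WIN2K_OPTS)),
                      ("openbsd", build_syn(64, True, 16384, OPENBSD_OPTS))):
        print(name, fingerprint_syn(pkt))
```

Note that the matcher is deliberately exact: a stack whose administrator has changed the default TTL or window size will fall through to UNKNOWN, which is exactly why such changes are the usual defence against this technique.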
Given passive fingerprinting's prominent inclusion in grey hat and black hat tools, you may want nothing more than to frustrate the technique. But there's not a whole lot you can do. Some of the same evasion techniques used against active fingerprinting, such as changing the default values your TCP/IP stack puts in its packets, may help, since passive tools key on exactly those values. On the other hand, only so much information leaks to passive fingerprinting in the first place.
Unlike active fingerprinting, there's little ethical difficulty with passive fingerprinting, because the software is merely looking closely at the traffic that passes by on the network. It's like listening to other people's accents in a cafe.
Passive fingerprinting can help you identify mysterious devices on your local network, and may prove useful for other LAN administrative tasks. Mostly, however, it's interesting how much can be deduced from so little information.