
OS FINGERPRINTING

BY: SAMANA SAMI, BIBI QURAT-UL-AIN AND SEHRISH NOOR.

INTRODUCTION TO CYBER SECURITY:


We use computers for everything from space exploration to shopping and communicating
with friends through email or chat programs. Although you may not consider your
communications highly confidential, you probably do not want strangers
reading your email, using your computer to attack other systems, sending forged email from
your computer, or examining personal information stored on it.
Intruders may not care about your identity. Often they want to gain control of your computer
so they can use it to launch attacks on other computer systems. Having control of your
computer gives them the ability to hide their true identity as they launch attacks, often
against high-profile systems such as government or financial systems. Even if your
computer is connected to the Internet only to play games or to send email to friends
and family, it may be a target.
One of the many techniques attackers use to compromise your computer is
Operating System Fingerprinting.

OS FINGERPRINTING:
Operating System (OS) fingerprinting is the science of determining the
operating system of a remote computer on the Internet.
This may be accomplished passively by sniffing network packets
travelling between hosts, actively by sending carefully crafted packets
to the target machine and analysing the response, or through non-technical means.
It is used by security professionals (known as white-hats) and hackers (black-hats)
alike for mapping remote networks and determining which vulnerabilities might be
present to exploit.

WHY OS FINGERPRINTING?

When an attacker is trying to hack into a computer, he starts by
gathering as much information about the computer (the target) as
possible. A key piece of information is the operating system the target
is running. As long as this information is not revealed, the
attacker is limited in the variety of attacks, probes and exploits available.
Therefore the focus of initial information gathering is finding out
the operating system.

There are several approaches to finding out the running operating
system of an unknown host without having an account or any
other way of logging in directly on that machine.

TYPES OF OS FINGERPRINTING:
There are basically two types of OS fingerprinting, which are as follows:
1. Active OS fingerprinting.
2. Passive OS fingerprinting.

ACTIVE OS FINGERPRINTING:
Active operating system fingerprinting is the method of actively
determining a targeted network node's underlying operating system by
probing the targeted system with several packets and investigating the
responses.
It is based on the fact that various OS vendors implement the TCP stack
differently, so the responses will differ depending on the OS.
The responses are then compared to a database of known signatures to determine the
operating system.
Active fingerprinting is detectable because it repeatedly attempts to
connect to the same target system.
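Because active fingerprinting touches many ports on one host in a short time, it shows up in connection logs. The following is an added example, not part of the original presentation: a small detector over constructed log lines in a made-up format (the timestamps, addresses and the `src=... dst=... dport=...` layout are all invented here) that flags a source which reaches an unusually large number of distinct ports on a single host within a time window.

```python
"""Flag active fingerprinting / port probing in connection logs.

Added example. The log format below is constructed for this demonstration
and does not correspond to any real firewall or IDS product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: one connection attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: one noisy source hits seven ports in two seconds,
# a second source makes three ordinary connections over nine minutes.
SAMPLE_LOG = """\
2024-05-01T10:00:00 src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2024-05-01T10:00:00 src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=143 proto=tcp
2024-05-01T10:00:01 src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=31337 proto=tcp
2024-05-01T10:00:02 src=203.0.113.7 dst=192.0.2.10 dport=40125 proto=udp
2024-05-01T10:00:03 src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:05:00 src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp
2024-05-01T10:09:00 src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def detect_probing(log_text, window_seconds=60, port_threshold=5):
    """Return {(src, dst): max_distinct_ports} for every source/target pair
    that touched at least port_threshold distinct (proto, port) targets on
    one host inside any window of window_seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[(rec["src"], rec["dst"])].append(
                (rec["ts"], (rec["proto"], rec["dport"]))
            )

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, hits in events.items():
        hits.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until the span fits the window,
        # then count distinct targets inside it.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({target for _, target in hits[start:end + 1]}))
        if best >= port_threshold:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), count in detect_probing(SAMPLE_LOG).items():
        print(f"possible fingerprinting: {src} -> {dst}, {count} distinct ports")
```

The threshold and window are tuning knobs: a short window with a low threshold catches a fast scan but also a busy legitimate client, while a long window with a higher threshold catches slow scans at the cost of memory for the per-pair history.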

PASSIVE OS FINGERPRINTING
Passive fingerprinting is based on sniffer traces from the remote system. Instead
of actively querying the remote system, all it needs to do is capture packets
sent from the remote system. Based on the sniffer traces of these packets, you
can determine the operating system of the remote host. Just like active
fingerprinting, passive fingerprinting is based on the principle that every
operating system's IP stack has its own individual characteristics. By analysing
sniffer traces and identifying these differences, you may be able to determine the
operating system of the remote host.
Passive fingerprinting usually goes undetected by security systems but is
less accurate than active fingerprinting.
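To make concrete which IP stack characteristics a sniffer can read from a single SYN, here is an added example (not from the original presentation): a toy matcher in the style of passive fingerprinting tools that looks at the observed TTL, TCP window size, the DF flag and the order of TCP options. The signature table and the sample packets are constructed for illustration and are not an authoritative fingerprint database; the only non-constructed facts used are the common initial TTL values 64, 128 and 255. The partial match in the output shows the "less accurate" point made above: when the window size does not match, the guess is weaker.

```python
"""Passive OS guess from the attributes of one captured TCP SYN.

Added example. SIGNATURES is a constructed, illustrative table; real
passive fingerprinting tools ship databases with hundreds of entries.
"""
from dataclasses import dataclass

# Common initial TTLs set by operating systems (the observed TTL is lower
# by one per router hop crossed).
INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Syn:
    src: str
    ttl: int          # TTL as seen on the wire
    window: int       # TCP window size announced in the SYN
    df: bool          # IP "don't fragment" flag
    options: tuple    # TCP option names in the order they appeared


# Constructed table: (initial TTL, window, DF, option layout) -> label.
SIGNATURES = [
    (64, 29200, True, ("mss", "sackOK", "ts", "nop", "wscale"), "Linux-like"),
    (128, 8192, True, ("mss", "nop", "wscale", "nop", "nop", "sackOK"), "Windows-like"),
    (64, 65535, True, ("mss", "nop", "wscale", "nop", "nop", "ts", "sackOK", "eol"), "BSD/macOS-like"),
]


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return None  # outside any known class


def hop_distance(observed_ttl):
    """Estimated number of routers between the sender and the sniffer."""
    initial = infer_initial_ttl(observed_ttl)
    return None if initial is None else initial - observed_ttl


def guess_os(syn):
    """Return (label, hops). A full match needs TTL class, window, DF and
    option order; otherwise fall back to TTL class plus option order."""
    initial = infer_initial_ttl(syn.ttl)
    hops = hop_distance(syn.ttl)
    for ttl, window, df, options, label in SIGNATURES:
        if (ttl, window, df, options) == (initial, syn.window, syn.df, syn.options):
            return label, hops
    for ttl, _window, _df, options, label in SIGNATURES:
        if (ttl, options) == (initial, syn.options):
            return label + " (partial match)", hops
    return "unknown", hops


# Constructed sample SYNs, as a sniffer on the local segment might see them.
SAMPLE_SYNS = [
    Syn("10.0.0.5", 61, 29200, True, ("mss", "sackOK", "ts", "nop", "wscale")),
    Syn("10.0.0.9", 126, 8192, True, ("mss", "nop", "wscale", "nop", "nop", "sackOK")),
    Syn("10.0.0.12", 64, 64240, True, ("mss", "sackOK", "ts", "nop", "wscale")),
    Syn("10.0.0.20", 250, 4128, False, ("mss",)),
]


def fingerprint_all(syns=SAMPLE_SYNS):
    """Map source address -> (label, estimated hops)."""
    return {s.src: guess_os(s) for s in syns}


if __name__ == "__main__":
    for src, (label, hops) in fingerprint_all().items():
        print(f"{src:<10} {label:<28} ~{hops} hops away")
```

Run on your own network, this kind of matcher is also a cheap asset-inventory check: a host whose guessed OS disagrees with the inventory record is worth a closer look.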

TECHNIQUES OF OS FINGERPRINTING:

The techniques used for OS fingerprinting can be either
automated or non-automated. Some of the most popular
techniques are as follows:

Non-automated techniques:

Banner grabbing.

Automated techniques:

Nmap.

NON-AUTOMATED TECHNIQUE:
Banner grabbing:
Though banner grabbing is the most basic and easiest form
of OS fingerprinting, it is often quite efficient and reliable.
The approach is simple and most of the time doesn't require any special
tools. Banner grabbing is the process of
opening a connection and reading the banner or response
sent by the application.

NON-AUTOMATED TECHNIQUE (CONT.)

Many email and web servers will respond to a telnet
connection with the name and version of the software.
This aids a hacker in fingerprinting the OS and
application software. For example, a Microsoft
Exchange email server would only be installed on a
Windows OS.

NON-AUTOMATED TECHNIQUE (CONT.)

Here is an example using telnet, a standard tool that can be found on all Microsoft Windows
and UNIX-like platforms:

    root@nostromo# telnet mail.fh-hagenberg.at 143
    Trying 193.170.124.96...
    Connected to postman.fh-hagenberg.at.
    Escape character is '^]'.
    * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7226.0 (postman.fhs-hagenberg.ac.at) ready.

When analysing the output piece by piece, a lot of information is revealed by the single
line that was returned by the server:
Microsoft Exchange Server 2003: it is a Microsoft Exchange Server 2003.
IMAP4rev1 server: it runs IMAP4.
version 6.5.7226.0: it is version 6.5.7226.0.
Now it is up to an attacker to find an exploit for this specific version of Microsoft
Exchange Server 2003.
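The same dissection can be automated for a defender's own servers: collect the greeting line of each service and check whether it discloses a product version or a platform. The following is an added example, not from the original presentation. The Exchange greeting is the one shown above; the other three banners, the `example.test` host names, and the "hardened" IMAP greeting that announces only the protocol are constructed for this demonstration. The banners are embedded inline, so nothing is connected to over the network.

```python
"""Parse service greeting banners and report what each one discloses.

Added example. Only the Exchange IMAP greeting comes from the presentation;
every other banner and host name here is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Banner:
    host: str
    port: int
    raw: str


# Constructed inputs (first entry copied from the telnet session above).
SAMPLE_BANNERS = [
    Banner("postman.fh-hagenberg.at", 143,
           "* OK Microsoft Exchange Server 2003 IMAP4rev1 server version "
           "6.5.7226.0 (postman.fhs-hagenberg.ac.at) ready."),
    Banner("mail.example.test", 25, "220 mail.example.test ESMTP Postfix (Ubuntu)"),
    Banner("www.example.test", 80, "Server: Apache/2.4.57 (Debian)"),
    Banner("imap.example.test", 143, "* OK IMAP4rev1 server ready."),  # hardened: protocol only
]

# A dotted version number, optionally preceded by "version" or "v".
VERSION_RE = re.compile(r"\b(?:version\s+)?v?(\d+(?:\.\d+){1,3})\b")
# Vendor / distribution words that hint at the underlying platform.
PLATFORM_HINT_RE = re.compile(
    r"\b(Windows|Microsoft|Ubuntu|Debian|CentOS|FreeBSD)\b", re.IGNORECASE
)


def parse_banner(raw):
    """Pull protocol, version string and platform hints out of one greeting."""
    protocol = None
    if raw.startswith("* OK"):
        protocol = "imap"
    elif raw.startswith("220"):
        protocol = "smtp"
    elif raw.lower().startswith("server:"):
        protocol = "http"
    m = VERSION_RE.search(raw)
    return {
        "protocol": protocol,
        "version": m.group(1) if m else None,
        "platform_hints": sorted({h.lower() for h in PLATFORM_HINT_RE.findall(raw)}),
    }


def audit(banners=SAMPLE_BANNERS):
    """Map "host:port" -> list of disclosures; an empty list means the
    banner gives away neither a version nor a platform."""
    report = {}
    for b in banners:
        info = parse_banner(b.raw)
        findings = []
        if info["version"]:
            findings.append("version")
        if info["platform_hints"]:
            findings.append("os")
        report[f"{b.host}:{b.port}"] = findings
    return report


if __name__ == "__main__":
    for endpoint, findings in audit().items():
        status = ", ".join(findings) if findings else "clean"
        print(f"{endpoint:<30} discloses: {status}")
```

A banner that parses as "clean" here still tells a scanner the protocol in use, which is unavoidable; what the audit catches is the version and platform detail that narrows an attacker's search, the same detail the dissection above extracts by hand.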

NON-AUTOMATED TECHNIQUE (CONT.)

Banners are often revealed in an indirect way too. For
example, email headers often contain the version string of
the client used by a user, sometimes including the
operating system version. Sometimes even the firewall that
an email passed through adds its banner to the headers of
the email.

AUTOMATED TECHNIQUE
Nmap:
As its name implies, nmap is a network mapping utility. Provide nmap with
a TCP/IP address, and it will identify any open "doors" or ports that might be
available on that remote TCP/IP device. The real power behind nmap is the
remarkable number of scanning techniques and options available. Each nmap
scan can be customized to be as blatantly obvious or as invisible as
possible. Some nmap scans can forge your identity to make it appear that a
separate computer is scanning the network, or simulate multiple scanning
decoys on the network.

AUTOMATED TECHNIQUE (CONT.)

One powerful aspect of nmap is its ubiquity. Nmap is
available on flavours of UNIX, Linux, Windows, and Apple
Macintosh OS X. The source code for nmap has been ported
to many other operating systems, and it is already included
with many UNIX and Linux distributions. You may have nmap
already installed on your computer and not even know it.
Nmap runs from the command line of the operating system.

AVOIDING OS FINGERPRINTING (DEFEATING):

There are a number of ways that we can avoid OS fingerprinting.

1. Avoiding classical fingerprinting (daemon banner grabbing)

Daemon banner grabbing works through the welcome message that applications
send when starting a conversation. This problem can be addressed by:
- simply editing the welcome message so that the attacker gets wrong
  information that misleads him;
- providing the attacker with a long daemon banner and, in the meantime, tracking him;
- using a firewall;
- firewall software that provides a language allowing responses to be crafted for
  particular packets, thus actively spoofing the target OS.

AVOIDING FINGERPRINTING (CONT.)
2. Defeating active fingerprinting (nmap):
Methods to defeat nmap describe a traffic normalizer which defeats
nmap's active scans. They aim to confuse nmap, and do not attempt to
lie about the OS.
They also seem to hard-code everything, rather than supporting proper
configuration files.

CONCLUSION
OS fingerprinting is a fascinating subject that is of interest to the security
community. There are a lot of techniques for OS fingerprinting and, at the same time,
there are a number of ways to overcome or avoid OS fingerprinting. Remote OS
fingerprinting is a recent development on the Internet and one to watch. The
ability to remotely determine, with high accuracy, the operating system of a
remote host on the Internet is a powerful one.
In future, there will be highly customized new attacks that overcome all
the barriers and are harder to avoid. The general trend towards increasing
penalties for being caught as the world's cyber laws improve may also serve as
a driver towards more refined attacks in the future.

CONCLUSION (CONT.)
What we have to remember is that this is like a race: when hackers
come up with a solution to avoid OS fingerprinting, crackers come up
with a counter-technique; hackers again develop a counter-counter-technique
that avoids the new technique discovered by crackers.
This cycle never ends. All we have to do is keep up to date with
the most recent technology to deal with this.

