Derevolutionizing OS Fingerprinting: The cat and mouse game

Derevolutionizing OS Fingerprinting:
The Cat and Mouse Game
Jaime Sánchez 
@segofensiva

Derevolutionizing OS Fingerprinting: The Cat and Mouse Game
DEFCON CHINA 1.0
$ WHO I AM
* Jaime Sánchez
@segofensiva
https://seguridadofensiva.com
* Passionate about computer security and
occasional Rockstar ;)
* In my free time I conduct research on
security and work as an independent
consultant
* From Spain :)
* Speaker in many other conferences:
* RootedCON in Spain
* Nuit du Hack in Paris
* BlackHat in Sao Paulo
* Defcon in Las Vegas
* etc.

DEFCON CHINA 1.0
WHAT IS OS FINGERPRINTING?
OS fingerprinting describes the method of utilising gathered information of a
target host to find out what OS the machine is running on.
Wikipedia describes it as:
“ TCP/IP stack fingerprinting is the passive collection of configuration
attributes from a remote device during standard layer 4 network communications.
The combination of parameters may then be used to infer the remote machine's
operating system (aka, OS fingerprinting), or incorporated into a device
fingerprint ”
There are multiple approaches for finding out the OS of an unknown host without
having an account, or any way of logging on the machine:
• Banner Information & Manual Reconnaissance
• Active Fingerprinting: transmitting packets to a remote host and analysing
corresponding replies.
• Passive Fingerprinting: analysing packets from a host on a network. We act as
a sniffer, and don’t put any traffic on a network.
• Timing Analysis Fingerprinting

DEFCON CHINA 1.0
BANNER GRABBING / MANUAL RECONNAISSANCE

DEFCON CHINA 1.0
Other services that send back ‘free’ useful information include IMAP,POP2, POP3,
SMTP, SSH, NNTP and FINGER. This technique is reasonably reliable even now and
automated tools exist to make the process simple and painless.
Even, with access to remote host, you could play
with the following commands until you get what you
want:
• uname -a, or uname -o or uname -v
• lsb_release -a
• cat /proc/version
• cat /etc/*-release
• cat /etc/issue*
A more primitive approach is to port scan the machine using any of the common
port scanners freely available and examine the returned list of listening ports
for patterns common to a particular OS. 
Finally, it may be possible to determine the OS of a system by a non-technical
solution, such as social engineering. Learning about the target through phone
calls, chatting to the System Administrator, or even a public site tour are all
possibilities

DEFCON CHINA 1.0
Banners can also be revealed in an indirect way too, for example email headers
often contain the version string of the client that is used by a user, and
sometimes the OS version also. 
Another example could be the SYST commando in FTP; a SYST request asks for
information about the server's operating system. The server accepts this request
with code 215. For example:
Examples from other servers: 
215 UNIX Type: L8 Version: BSD-44 
215 NetWare system type. 
215 MACOS Peter's Server 
215 AmigaOS

DEFCON CHINA 1.0
Another way to get more information is analysing offered files, like trying to
download:
• compress
• ls
• tar
• gzip
• gunzip
• compress
• zcat
• etc.
Then, use the file command to determine the file type:

DEFCON CHINA 1.0

DEFCON CHINA 1.0
ACTIVE OS
FINGERPRINTING

DEFCON CHINA 1.0
QUESO
•Hispanic shortcut to “Que Sistema Operativo”, with translates into “Which Operating
System”
•Sends 7 (0-6) different types of packets to open ports on targets hosts, each one
with different TCP headers, and compares the responses with the config file, where
the different ones are described, in a response-based way to each packet:
•SYN (valid packet)
•SYN+ACK
•FIN
•FIN+ACK
•SYN+FIN
•PSH
•SYN+XXX+YYY (XXX and YYY are unused flags)
•On response to to packet 0 (SYN), any LISTEN port must answer a SYN+ACK with a
nonzero ack_num, seq_num and window, or, in case of not being LISTEN, it'll send
back a RST+ACK with the valid ack_num.
•All packets with random seq_num and 0x0 ack_num.
•Signatures outdated and project archived.

DEFCON CHINA 1.0
Xprobe2
• The first version combined various remote
active operating system fingerprinting
methods using the ICMP protocol, which were
discovered during the ICMP Usage in Scanning
research project, into a simple, fast,
efficient and a powerful way to detect the
underlying operating system a targeted host
is using.
• Xprobe2 rely on fuzzy signature matching,
p r o b a b i l i s t i c g u e s s e s , m u l t i p l e
simultaneously matches, and a signature
database.
• Sends 4 different types of ICMP packets to target host
• UDP packet is sent for ICMP unreachable
• Final packet is vanilla SYN Uses a basic fuzzy logic scoring system to provide more than one guess
at the remote OS, along with a probabilistic score. This approach could even be extended to
attempt to discover the source of any packet manipulation.
• Designed to be extensible with an API to facilitate new test modules.
• Information request packet is basically obsolete

DEFCON CHINA 1.0
NMAP: REMOTE OS DETECTION
DEVICE TYPE
All fingerprints are classified with one or more high-level device types, such as
router, printer, firewall, or (as in this case) general purpose.
Several device types may be shown, in which case they will be separated with the
pipe symbol as in “Device Type: router|firewall”.

DEFCON CHINA 1.0
RUNNING
OS Family (Linux in this case) and OS generation (2.6.X) if available. If there are multiple OS
families, they are separated by commas. When Nmap can't narrow down OS generations to one specific
choice, options are separated by the pipe symbol ('|') Examples include OpenBSD 3.X, NetBSD 3.X|4.X
and Linux 2.4.X|2.5.X|2.6.X.
If Nmap finds too many OS families to print concisely, it will omit this line. When there are no
perfect matches, Nmap changes the field to Running (JUST GUESSING) and adds an accuracy percentage
(100% is a perfect match) in parentheses after each candidate family name. If no fingerprints are
close matches, the line is omitted.

DEFCON CHINA 1.0
OS CPE
This shows a Common Platform Enumeration (CPE) representation of the operating system when
available. It may also have a CPE representation of the hardware type. A CPE name is a URL
that encodes seven ordered fields:
cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>
The main division of CPE names is in the <part> field; this can take on only three values:
a for applications,
h for hardware platforms, or
o for operating systems.

DEFCON CHINA 1.0
OS DETAILS
Detailed description for each fingerprint that matches. While the Device type and Running lines are
from predefined enumerated lists that are easy to parse by a computer, the OS details line contains
free-form data which is useful to a human reading the report. This can include more exact version
numbers, device models, and architectures specific to a given fingerprint.
When there are multiple exact matches, they are comma-separated. If there aren't any perfect matches,
but some close guesses, the field is renamed Aggressive OS guesses and fingerprints are shown
followed by a percentage in parentheses which specifies how close each match was.

DEFCON CHINA 1.0
UPTIME GUESS
As part of OS detection, Nmap receives several SYN/ACK TCP packets in a row and checks the
headers for a timestamp option. Many operating systems use a simple counter for this which
starts at zero at boot time then increments at a constant rate such as twice per second
NETWORK DISTANCE
As part of OS detection, Nmap receives several SYN/ACK TCP packets in a row and checks the
headers for a timestamp option. Many operating systems use a simple counter for this which
starts at zero at boot time then increments at a constant rate such as twice per second

DEFCON CHINA 1.0
TCP SEQUENCE PREDICTION
Systems with poor TCP initial sequence number generation are vulnerable to blind TCP spoofing attacks.
In other words, you can make a full connection to those systems and send (but not receive) data while
spoofing a different IP address. The target's logs will show the spoofed IP, and you can take
advantage of any trust relationship between them. This attack was all the rage in the mid-nineties
when people commonly used rlogin to allow logins to their account without any password from trusted IP
addresses.
Kevin Mitnick is alleged to have used this attack to break into Tsutomu Shimomura's computers in
December 1994.

DEFCON CHINA 1.0
IP ID Sequence Generation
Many systems unwittingly give away sensitive information about their traffic levels based
on how they generate the lowly 16-bit ID field in IP packets. This can be abused to spoof
a port scan against other systems and for other mischievous purposes.
If Nmap does not receive sufficient responses during OS detection, it will omit the whole
line

DEFCON CHINA 1.0
NMAP: VERSION SCAN (-sV)
DEALING WITH NAT GATEWAY BOXES
If there’s a gateway box that redirects ports to several different machines, TCP/IP
fingerprinting will identify the proxy while version scanning will generally detect the
server running the proxied application.
This technique offers:
• Determines application name and version number (if available)
• SSL support for services like HTTPS, POP3S etc. as well as providing version details
• IPv6 is supported, including TCP, UDP, and SSL over TCP
• Best case, using both techniques to get result more credible
• Application exclusivity. If we identify a service as Microsoft Exchange, we know the
operating system is Windows since Exchange doesn't run on anything else. This type of
OS detection is intended to complement Nmap's OS detection system (-O) and can
sometimes report differing results. For example, consider a Microsoft Exchange server
hidden behind a port-forwarding Unix firewall.

DEFCON CHINA 1.0
REMOTE OS FINGERPRINTING
nmap OS fingerprinting works by sending up to 15 TCP, UDP, and ICMP probes to known
open and closed ports of the target machine.
These probes are specially designed to exploit various ambiguities in the standard
protocol RFC. Then nmap listens for the responses, as there could be dozens of
attributes in those responses that could lead to a fingerprint.
Every probe is tracked and resent at least once if there is no response.

DEFCON CHINA 1.0
NMAP: SIGNATURE DATABASE
Fingerprint Microsoft Windows XP SP0/SP1
Class Microsoft | Windows | XP | general purpose
CPE cpe:/o:microsoft:windows_xp::-
CPE cpe:/o:microsoft:windows_xp::sp1
SEQ(SP=7C-9F%GCD=1-6%ISR=96-A0%TI=I%II=I%SS=S%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW
0NNT00NNS%O6=M5B4NNT00NNS)
WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%T=7B-85%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=7B-85%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=7B-85%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=7B-85%TG=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(DFI=S%T=7B-85%TG=80%CD=Z)

SEQ(SP=7C-9F%GCD=1-6%ISR=96-A0%TI=I%II=I%SS=S%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00N
NS%O6=M5B4NNT00NNS)
WIN(W1=4470%W2=41A0%W3=4100%W4=40E8%W5=40E8%W6=402E)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
DEFCON CHINA 1.0
Six TCP probes, 110m apart (for initial SEQ numbers, IP IDs and TCP timestamps):
• Packet 1: WS10, NOP, MSS1460, TS, SACK. W1
• Packet 2: MSS1400, WS0, SACK, TS, EOL. W63
• Packet 3: TS, NOP, NOP. WS5, NOP, MSS640, W4
• Packet 4: SACK, TSm TS10, EOL. W4
• Packet 5: MSS536, SACK, T, WS10, EOL. W16
• Packet 6: MSS265, SACK, TS. W512
Sequence Number Analysis
Options received for each probe
Window size received for each probe
Responsiveness
DF bit
N Neither
S both echo value
Y both bit set
O other combination
TTL / Guess
SEQ number
Z 0
A same as ACK
A+ ACK+1
O other
ACK number
Z 0
S same as SEQ
S+ SEQ+1
O other
RST data checksum
TCP FLAGS
E ECN
U URG
A ACK
P PSH
R RST
S SYN
F FIN
QUIRKS

DEFCON CHINA 1.0
ECN(R=Y%DF=Y%T=7B-85%TG=80%W=4470%O=M5B4NW0NNS%CC=N%Q=)
Test explicit congestion notification (ECN) support in the target TCP Stack.
Sends to an open port SYN packet (ECN CWR/ECE flags set), ACK=0, SEQ is random, WS=3 with
OPTIONS= WS10, NOP, MSS1460, SACK, NOP, NOP
Explicit Congestion Notification
Y ECE not CWR
N Neither of two bits
S Both bits
0 Other
ICMP test with two ICMP echo requests to target:
• Packet 1: IP DF bit, TOS=0, Code 9, SEQ=295, random IP ID and ICMP request id, and
payload random character repeated 120 times.
• Packet 2: similar, except TOS=4, Code 0, 150 bytes payload, and IP ID, request ID
and SEQ number incremented from previous values
IE(DFI=S%T=7B-85%TG=80%CD=Z)
DF bit
N Neither
S both echo value
Y both bit set
O other combination
TTL / Guess
ICMP Response Code
Z both zero
S both the same
<NN> same non-zero
0 Any other combination
OTHER POSSIBLE FIELDS
TOSI: type of service for response
SI: ICMP Sequence number 
DLI: response data length

TCP FLAGS
E ECN
U URG
A ACK
P PSH
R RST
S SYN
F FIN
DEFCON CHINA 1.0
T2(R=Y%DF=N%T=7B-85%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=7B-85%TG=80%W=402E%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
Six T2-T7 TCP probe packets, with Options WS10, NOP, MSS265, TS, SACK (T7 uses WS15):
• Packet T2: TCP null (no flags), IP DF, W128 to open port
• Packet T3: SYN, FIN, URG, PSH, W256 to open port
• Packet T4: ACK with DF, W1024 to open port
• Packet T5: SYN with DF, W31337 to closed port
• Packet T6: ACK with DF and W32768 to open port
• Packet T7: FIN, PSH, URG, W65535 to closed port
Responsiveness
DF bit
N Neither
S both echo value
Y both bit set
O other combination
TTL / Guess
SEQ number
Z 0
A same as ACK
A+ ACK+1
O other
ACK number
Z 0
S same as SEQ
S+ SEQ+1
O other
RST data checksum
QUIRKS
TCP options
Window Size
TCP OPTIONS
L EOL
N NOP
M MSS
W WS
T TS
S SACK

DEFCON CHINA 1.0
U1(DF=N%T=7B-85%TG=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
UDP packet to a closed port, character C (0x43) repeated 300 times for the data field, IP
ID 0x1042.
If port is closed (and no firewall), Nmap expects ICMP port unreachable.
DF bit
N Neither
S both echo value
Y both bit set
O other combination
TTL / Guess
IP Total length
U n u s e d p o r t
unreachable field
nonzero
IP total length
IP ID
I n t e g r i t y o f
r e t u r n e d I P
checksum
Integrity of returned UDP data
G same payload
I invalid
Returned probe
UDP checksum

DEFCON CHINA 1.0
PASSIVE OS
FINGERPRINTING

DEFCON CHINA 1.0
PASSIVE OS FINGERPRINTING
Passive fingerprinting is like a packet sniffer.
Examines network traffic, making a copy of the data but
without redirecting or altering it.
Can be used for several purposes:
•As stealthy fingerprinting, bypassing the need for
using an active tool that can detect various IDS
systems
•To identify remote proxy firewalls
•Organisations can use to identify rogue systems in
there organisation
-p0f is a tool that utilises an array of sophisticated, purely passive, traffic fingerprinting
machanisms to identify the players behind any initial TCP/IP communication (often as little as
single normal SYN) without interfering in any way. 
-There are other tools like Ettercap, NetworkMiner, PRADS, Satori or PacketFence.

Window Size 
* Any value 
%n nn nn Multiple 
%xx MSS Multiple
Txx MTU Multiple
Xxx Constant Value
DEFCON CHINA 1.0
P0Fv2 SIGNATURES
8192:32:1:48:M*,N,N,S:.:Windows:98
Initial TTL
DF Bit
Packet Size
Operating System 
Family 
Version
TCP Options/Order 
N: NOP 
E: EOL 
Wnn: Window Scaling
Mnn: Maximum Segment Size 
S: Selective SACK ok 
T/T0: Timestamp (with 0 value)
?n: unrecognized option
Quirks 
Data in SYN packets 
Options after EOL 
IP ID Field = 0
ACK different to 0
Unusual flags
Incorrect options decode

DEFCON CHINA 1.0
P0f v3
Version 3 was a complete rewrite of the original codebase, incorporating a
significant number of improvements to network-level fingerprinting, and introducing
the ability to reason about application-level payloads (eg, HTTP).
 
The brand new database of signatures started from scratch, focusing on:
•TCP SYN ("who is connecting to me?") signatures for a variety of systems -
especially from some of the older, more exotic, or more specialized platforms,
such as Windows 9x, NetBSD, IRIX, Playstation, Cisco IOS, etc. The connection
does not need to succeed
•TCP SYN+ACK signatures ("who am I connecting to?"). The current database is
minimal
•HTTP request signatures - especially for older or more exotic browsers (e.g.
MSIE5, mobile devices, gaming consoles), crawlers, command-line tools, and
libraries.
•HTTP response signatures. P0f ships with a minimal database here (only Apache 2.x
has any real coverage).

DEFCON CHINA 1.0
label = s:win:Windows:XP
*:128:0:*:16384,0:mss,nop,nop,sok:df,id+:0
IPv4/IPv6/Both
Initial TTL
Length of IPV4
options or IPV6
extension
headers
Maximum Segment Size
Window Size
(fixed value, multiple of MSS/
MTU, or multiple or integer)
Window Scaling Factor
TCP options (ordered)
eol+n: explicit end of options + padding
nop: no-op option
mss: maximum segment size
ws: window scaling
sok: selective ACK permitted
sack: selective ACK
ts: timestamp
?n: unknown option
Quirks
df - "don't fragment" set (probably PMTUD);
id+ - DF set but IPID non-zero; ignored for IPv6
id- - DF not set but IPID is zero; ignored for IPv6
ecn - explicit congestion notification support
0+ - "must be zero" field not zero; ignored for IPv6
flow - non-zero IPv6 flow ID; ignored for IPv4
seq- - sequence number is zero
ack+ - ACK number is non-zero, but ACK flag not set
ack- - ACK number is zero, but ACK flag set
uptr+ - URG pointer is non-zero, but URG flag not set
urgf+ - URG flag used
pushf+ - PUSH flag used
ts1- - own timestamp specified as zero
ts2+ - non-zero peer timestamp on initial SYN
opt+ - trailing non-zero data in options segment
exws - excessive window scaling factor (> 14)
bad - malformed TCP options
Payload Size Classification
0: for zero
+: for non-zero
*: any
P0Fv3 SIGNATURES

DEFCON CHINA 1.0
Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN.
It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and
on Microsoft Windows.
It is capable of intercepting traffic on a network segment, capturing passwords, and conducting
active eavesdropping against a number of common protocols. Its original developers later
founded Hacking Team …
It works by putting the network interface into promiscuous mode and by ARP poisoning the target
machines. Thereby it can act as a 'man in the middle' and unleash various attacks on the
victims.
Some of the features:
• …
• OS fingerprinting: determine the OS of the victim host and its network adapter
• …

DEFCON CHINA 1.0
0000:_MSS:FF:WS:0:0:0:0:A:28:Windows XP
ETTERCAP SIGNATURES
Maximum Segment Size
4 digit hex field. If omitted/
unknown (_MSS)
Window Size
4 digit hex field
TTL
2 digit hex field.
Window Scale
2 digit hex field. If
omitted/unknown (WS)
SACK
NOP
DF
TS
Flag of the packet
S = SYN
A = SYN + ACK
Packet Length
2 d i g i t h e x f i e l d . I f
irrelevant/unknown (LT)
Operating System
Ascii string

DEFCON CHINA 1.0
0008:_MSS:40:WS:0:0:0:0:S:28:Red Hat Linux 7.2 Kernel 2.4.7-10
0008:64:0:28:.:.:Ettercap:Red Hat Linux 7.2 Kernel 2.4.7-10
Window Size
MSS
TTL
WS
SACK
NOP
DF
TS
SYN
SIZE
Window Size
TTL
DF
SIZE
OPTIONS
QUIRKS
ETTERCAP -> pofv2
We can’t read Ettercap’s database, we need to parse it from the beginning, like
the nmap or p0fv2 processor, o we can just try to convert the file to something
we are able to parse automagically.
We have migrated from Ettercap to
p0fv2 database…

DEFCON CHINA 1.0
COMMERCIAL ENGINES
These techniques can be used to avoid commercial implementations also. We hide our machine,
faking the detector engine and recognising us like another OS, to attack another host and
leading administrator to think that it may be a false positive.
Fingerprint value example:
Had no time to figure it out what each field means in all the commercial appliances I’ve seen
so far, so I decided to cross the data available with default Map and p0f database to get
desired TCP/IP header values.

DEFCON CHINA 1.0
ONLINE WEBSITES

DEFCON CHINA 1.0
OTHER TECHNIQUES
A device will generally issue a DHCP request on
the network upon connection.
It is the DHCP client of the operating system that
issues a DHCP request on the network. When doing
so, it asks for DHCP options (like DNS Server,
WINS server, default gateway, etc.).
The order in which the DHCP client asks for those
options is relatively unique and identifies the
specific operating system version.
The same principle applies to DHCPv6.
There is a great paper from Eric Kollmann, called Chatter on the Wire: a look at DHCP
traffic that explains this technique.
Also, Satori performs passive OS identification on any packets it sees. It can parse
and utilize the following packet types: DHCP, TCP (syn and syn/ack), ICMP, SMB, CDP,
plus many others.

DEFCON CHINA 1.0
OTHER TECHNIQUES
Vendors, like Apple or Sony have patterns
of MAC addresses, allowing to use that
information for device identification.
O r g a n i z a t i o n a l l y
Unique Identifier
4 digit hex field
Network Interface
Controller Specific
4 digit hex field

DEFCON CHINA 1.0
COUNTERMEASURES

DEFCON CHINA 1.0
IP PERSONALITY
The Linux IP Personality patch adds to Linux 2.4 kernel the ability to have
different 'personalities' network wise, that is to change some
characteristics of its network traffic, depending on different parameters
(anything you can specify in an iptables rule: src/dst IP address, TCP or UDP
port, etc.)
The characteristics that can be changed are:
• TCP Initial Sequence Number (ISN)
• TCP initial window size
• TCP options (their types, values and order in the packet)
• IP ID numbers
• answers to some pathological TCP packets
• answers to some UDP packets:
They are deeply configurable.
This patch relies on the framework created by Rusty Russel: netfilter. More
precisely, the patch adds a new iptables target (in a kernel module) that can
be used in the mangle table with a (patched) iptables.

DEFCON CHINA 1.0
STEALPH PATCH
Another patch for Linux kernels of version 2.2.19 through 2.2.22 and of
version 2.4.19.
When this patch is applied, all packets with both FIN and SYN flag set are
discarded. Furthermore, all packets with one specific reserved bit set and
all packets that match nmaps probe 2 (this means the ACK, FIN, RST and SYN
flags are not set) are dropped
Also packets with with the FIN, PUSH and URG flag set are dropped, which
would equal to maps probe 7.
Though the Stealth Patch does not enable a host to fein being some other
operating system, it still can confuse a fingerprinting application by
droping specific packets that are typical for a OS detector
The downside of an unmodified Stealth Patch is, since only a few kernel
versions were supported, this behaviour could give away valuable info to a
fingerprinter again.

DEFCON CHINA 1.0
IPlog
In contrary to the described methods up to now, iplog is not a kernel module
but a standalone application. Although mainly written for detecting port
scans, it includes the ability to try to fool nmap.
It detects TCP Null and FIN scans, UDP and ICMP ”smurf” attacks, bogus TCP
flags, TCP SYN and ”Xmas” scans.
BLACKHOLE
The blackhole is used to control system behaviour when connection requests
are received on SCTP, TCP, or UDP ports where there is no socket listening.
The TCP blackhole behaves as following: if the value is 0, whenever a packet
connects a TCP closed port, it returns a RST. If the value is 1, if a SYN
packet connects a TCP closed port, it's dropped; and if the value is 2, if
any packet tries to connect to a TCP closed port, it's dropped.
The UDP blackhole is similar. Enabling these settings, tests 5, 6, 7 and the
unreachable port test won't work when running Nmap to remotely guess the OS.

DEFCON CHINA 1.0
FINGERPRINT FUCKER (2000 by |Cyrax|)
Kernel module available for version 2.2 that also tries to hide original OS
and act as a different one.
Per default, it will emulate the behaviour of a VAX device, but it can be
configured bu parsing a nmap signature file and hands over the values to the
module.
FINGERPRINT FUCKER (2001 by cthulhu)
There is another application called Fingerprint Fucker, but this time it is
for the FreeBSD operating system.
It rewrites the TCP/IP stack and sends reply packets with different settings,
like a different WS or TTL

DEFCON CHINA 1.0
MORPH
•Handle inbound and outbound packets and
change TCP, UDP, ICMP and IP headers to
reflect selected OS
•Worked under Linux, and under development
for OpenBSD, FreeBSD and NetBSD
•Built on Packet Purgatory Library (relies
on libpcap and libdnet libraries), that
acts as a wedge between OS kernel and
network interface running in user land.
Packet Purgatory provided fine-grained control of raw sockets, while still being able to use
helpful constructs like the TCP stack and preexisting software.
The main concept to packet purgatory is the idea of packet handlers.

DEFCON CHINA 1.0
PROJECT HISTORY
* First work with NFqueue
* Alpha version in PERL
* Alpha version for Android in C (Building an Android IDS on Network Level
- DEFCON 21)
* Ported code to Python (Blackhat Arsenal USA)
* OSfooler
* Working with some nmap signatures
* Working with some p0f signatures
* Only worked with nmap or p0f, not both
* Started from the beginning
* Read and parse nmap database (almost done)
* Read and parse p0f v2 database (complete)
* Emulate nmap and p0f at the same time
* First OSfooler-ng release
* Started parsing ettercap database

DEFCON CHINA 1.0
ARCHITECTURE
Computer operating systems provide
different levels of access to
resources. 
This is generally hardware-enforced
by some CPU architectures that
provide different CPU modes at the
hardware or microcode level. 
Rings are arranged in a hierarchy
from most privileged (most trusted,
usually numbered zero) to least
privileged (least trusted, usually
with the highest ring number).
On most operating systems, RING 0 is the level with the most
privileges and interacts most directly with physical hardware such
as the CPU and the memory.

DEFCON CHINA 1.0
Vs
KERNEL SPACE is strictly reserved for running the
kernel, kernel extensions and most device drivers.
USER SPACE usually refers to the various programs and
libraries that the operating system use to interact with
the kernel: software that performs input/output,
manipulates file systems, objects etc.
KERNEL SPACE USER SPACE

DEFCON CHINA 1.0
How I
met your
packets

DEFCON CHINA 1.0
- A target extension consists of a KERNEL MODULE,
and an optional extension to iptables to provide
new command line options.
- There are several extensions in the default
Netfilter distribution:

DEFCON CHINA 1.0
For this to be useful, two further components are
required:
• a QUEUE HANDLER which deals with the actual mechanics
of passing packets between the kernel and user space
• a USER SPACE APPLICATION to receive, possibly
manipulate, and issue verdicts on packets.
The default value for the maximum queue length is 1024.
Once this limit is reached, new packets will be dropped
until the length of the queue falls below the limit
again.
$ iptables -A INPUT -j NFQUEUE —queue-num 0

DEFCON CHINA 1.0
OSfooler was a practical approach presented at Black Hat Arsenal USA 2013. It could
be used to detect and defeat active and passive remote OS fingerprinting from tools
like nmap, p0f or commercial appliances (only some signatures worked…)
Written in Perl, but also some performance tests, ported to Python

DEFCON CHINA 1.0
OSfooler-ng
OSfooler-ng makes it possible to fool nmap into believing that the host runs an
operating system freely specified by the administrator.
Most test packets sent by nmap are abnormal, and the others are sent to closed
ports, therefore they have no influence on the local TCP/IP stack

DEFCON CHINA 1.0
DEMO TIME
Active OS Fingerprint:
- nmap
Passive OS Fingerprint:
- p0f
- ettercap

DEFCON CHINA 1.0
LONG STORY SHORT
You can get OSfooler-ng at the oficial Github repository: 
https://github.com/segofensiva/OSfooler-ng
SYN ACK FIN

Derevolutionizing OS Fingerprinting: The cat and mouse game

More Related Content

What's hot (20)

Similar to Derevolutionizing OS Fingerprinting: The cat and mouse game (20)

More from Jaime Sánchez (13)

Recently uploaded (20)

Derevolutionizing OS Fingerprinting: The cat and mouse game