- p0f
Operating system fingerprinting is the process of learning what operating system is running on a particular device. By analysing certain protocol flags, options, and data in the packets a device sends onto the network, we can make relatively accurate guesses about the OS that sent those packets. By pinpointing the exact OS of a host, an attacker can launch a precise attack against a target machine. In a world of buffer overflows, knowing the exact flavour and architecture of an OS could be all the opportunity an attacker needs.
- Passive OS fingerprinting
Passive fingerprinting is the process of analysing packets from a
host on a network. In this case, the fingerprinter acts as a sniffer and doesn’t put any traffic on the network. It is called passive because it
doesn’t involve communicating with the host being examined.
Based on the sniffer traces of these packets, you can determine the operating
system of the remote host. Passive scanners are generally and inherently less
accurate than active scanners, because they have less control over the
data they are analysing.
- Active OS fingerprinting
Active fingerprinting is the process of transmitting packets to a
remote host and analysing the corresponding replies. This allows the scanner to
obtain more accurate results than a passive scanner, and in a shorter amount of
time. The traditional approach is to examine the TCP/IP stack behaviour of a
targeted network element when it is probed with several legitimate packets.
- p0f – passive OS fingerprinting
P0f is a tool that utilizes an array of sophisticated, purely
passive traffic fingerprinting mechanisms to identify the players behind any
incidental TCP/IP communications (often as little as a single normal SYN)
without interfering in any way. Version 3 is a complete rewrite of the original
codebase, incorporating a significant number of improvements to network-level
fingerprinting, and introducing the ability to reason about application-level
payloads (e.g., HTTP).
Website : http://lcamtuf.coredump.cx/p0f3/
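The passive technique described above, and p0f's point that a single normal SYN is often enough, as an added example (this is not p0f's code): a minimal Python parser that pulls the fields a passive fingerprinter keys on (initial TTL, Don't-Fragment bit, window size, MSS and TCP option order) out of a raw IPv4/TCP SYN and matches them against a signature table. The signature entries and the sample packet are constructed for illustration and are not p0f's real database; a defender would feed it SYNs captured from a mirror port to inventory what is actually on the network.

```python
import struct

# Constructed, illustrative signature table (NOT p0f's real fp.p0f entries):
# initial TTL, Don't-Fragment bit set, and the TCP option order seen in the SYN.
SIGNATURES = {
    "example-linux": (64, True, ("mss", "sok", "ts", "nop", "ws")),
    "example-windows": (128, True, ("mss", "nop", "ws", "nop", "nop", "sok")),
}
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (each hop decrements it)."""
    return next((v for v in (32, 64, 128, 255) if observed <= v), 255)

def parse_syn(packet):
    """Pull the passive-fingerprint fields out of a raw IPv4 + TCP SYN (no link-layer header)."""
    ihl = (packet[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    ttl = packet[8]
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, mss, i = [], None, 20
    while i < data_off:                      # walk the TCP option list
        kind = tcp[i]
        if kind == 0:                        # End of option list
            break
        if kind == 1:                        # NOP carries no length byte
            opts.append("nop"); i += 1; continue
        length = tcp[i + 1]
        if length < 2:                       # malformed option: stop rather than loop forever
            break
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        opts.append(OPTION_NAMES.get(kind, "?%d" % kind))
        i += length
    return {"ttl": ttl, "df": df, "window": window, "mss": mss, "opts": tuple(opts)}

def guess_os(packet):
    """Return (matched signature name or 'unknown', extracted fields) for one SYN."""
    fp = parse_syn(packet)
    for name, (ttl, df, opts) in SIGNATURES.items():
        if (initial_ttl(fp["ttl"]), fp["df"], fp["opts"]) == (ttl, df, opts):
            return name, fp
    return "unknown", fp

def build_sample_syn():
    """Constructed sample SYN: DF set, TTL 58 (64 minus 6 hops), window 29200,
    options MSS 1460 / SACK-permitted / timestamps / NOP / window scale 7."""
    opts = b"\x02\x04\x05\xb4" + b"\x04\x02" + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, ((20 + len(opts)) // 4) << 4,
                      0x02, 29200, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 58, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

if __name__ == "__main__":
    print(guess_os(build_sample_syn()))      # matched name plus the extracted fields
```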
- Ettercap – passive OS fingerprinting
Ettercap is a comprehensive suite for man in the middle attacks. It
features sniffing of live connections, content filtering on the fly and many
other interesting tricks. It supports active and passive dissection of many
protocols and includes many features for network and host analysis.
Website : http://ettercap.github.io/ettercap/
- Nmap – active OS fingerprinting
Nmap is a free and open source utility for network discovery and
security auditing. Many systems and network administrators also find it useful
for tasks such as network inventory, managing service upgrade schedules, and
monitoring host or service uptime. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what services those hosts
are offering, what operating systems they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics. It was
designed to rapidly scan large networks, but works fine against single hosts.
Website : http://nmap.org/
- XProbe2 – active OS fingerprinting
Xprobe2 is an active operating system fingerprinting tool with a
different approach to operating system fingerprinting. Xprobe2 relies on fuzzy
signature matching, probabilistic guesses and multiple simultaneous matches,
and a signature database.
Website : http://sourceforge.net/projects/xprobe/files/xprobe2/
· Wikipedia, TCP/IP stack fingerprinting
· Overview of OS Fingerprinting, INFOSEC Institute, http://resources.infosecinstitute.com/overview-os-fingerprinting/
· p0f, http://lcamtuf.coredump.cx/p0f3/
· Ettercap, http://ettercap.github.io/ettercap/
· Nmap, http://nmap.org/
· XProbe2, http://sourceforge.net/projects/xprobe/files/xprobe2/