OS fingerprinting technique

From: Franck Veysset (franck.veysset@intranode.com)
Date: 04/17/02


Date: Wed, 17 Apr 2002 19:25:14 +0200
From: Franck Veysset <franck.veysset@intranode.com>
To: "pen-test@securityfocus.com" <pen-test@securityfocus.com>

Carefully studying the way TCP works, especially some timer values
inside the TCP stack, we have derived a new technique for remote OS
detection, based on temporal response analysis.

The idea is quite simple: send a TCP SYN packet to an open port on a
remote system, and listen to the different answers (usually successive
SYN/ACK packets). By measuring the number of responses, the delay
between retries, and the optional presence of a "RST" packet after a
few answers, we can easily recognize some operating systems.
The nice thing is that it only requires sending one packet to an open
TCP port, which makes this method really quiet.

As a proof of concept, we also developed a standalone tool, "RING",
that will perform these tests and identifications using a signature
file.

More information is available at:
http://www.intranode.com/site/techno/techno_articles.htm

The open source tool can be downloaded from:
http://www.intranode.com/site/techno/ring-0.0.1.tar.gz

The full 13-page white paper is available at:
http://www.intranode.com/pdf/techno/ring-full-paper.pdf

We will be very happy to get your feedback on this technique.
Feel free to contact us at: ring@intranode.com

Thanks,

-Franck

-- 
Franck Veysset    --   http://www.INTRANODE.com
       Intranode Software Technologies

It is always possible to agglutinate multiple separate problems into a single complex interdependent solution. In most cases this is a bad idea. (RFC 1925)
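Added example, not part of the original post and not RING's own code: a small Python matcher that turns the three observables the post names (number of SYN/ACK retransmissions, delay between them, and whether a RST follows) into a signature lookup. The tcpdump-style capture and the signature table are constructed for illustration; the delays are not measured values for any real operating system and are not taken from RING's signature file. The target address, ports and the 20% jitter tolerance are assumptions.

```python
# Added example (not from RING or the Intranode paper): classify a target
# from the timing of its SYN/ACK retransmissions after a single, unanswered SYN.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Signature:
    name: str
    delays: List[float]  # expected gap between successive SYN/ACKs, seconds
    rst_after: bool      # does the stack send a RST once it gives up?


# Constructed signatures for illustration only: not real OS values, not RING's.
SIGNATURES = [
    Signature("stack-A (doubling backoff, 5 retries, no RST)", [3, 6, 12, 24, 48], False),
    Signature("stack-B (doubling backoff, 3 retries, RST at end)", [3, 6, 12], True),
    Signature("stack-C (fixed 3 s backoff, 5 retries, no RST)", [3, 3, 3, 3, 3], False),
]

# Constructed tcpdump-style capture: the prober (10.0.0.1) sends one SYN and
# then stays silent; every later packet is the target (10.0.0.5:80) retrying.
CAPTURE = """\
19:25:14.000000 IP 10.0.0.1.40000 > 10.0.0.5.80: Flags [S], seq 1000
19:25:14.000452 IP 10.0.0.5.80 > 10.0.0.1.40000: Flags [S.], seq 5000, ack 1001
19:25:17.000891 IP 10.0.0.5.80 > 10.0.0.1.40000: Flags [S.], seq 5000, ack 1001
19:25:23.001300 IP 10.0.0.5.80 > 10.0.0.1.40000: Flags [S.], seq 5000, ack 1001
19:25:35.001744 IP 10.0.0.5.80 > 10.0.0.1.40000: Flags [S.], seq 5000, ack 1001
19:25:59.002177 IP 10.0.0.5.80 > 10.0.0.1.40000: Flags [R.], seq 5001, ack 1001
"""

LINE_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6}) IP (\S+) > (\S+): Flags \[([^\]]*)\]")


def to_seconds(h: str, m: str, s: str, us: str) -> float:
    return int(h) * 3600 + int(m) * 60 + int(s) + int(us) / 1e6


def observe(capture: str, target: str) -> Tuple[List[float], bool]:
    """Timestamps of every SYN/ACK sent by `target` (ip.port), plus whether a
    RST from the target followed them. The prober's own SYN is ignored."""
    synacks, rst = [], False
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(5) != target:
            continue
        flags = m.group(7)
        if "S" in flags and "." in flags:          # [S.] = SYN/ACK
            synacks.append(to_seconds(*m.group(1, 2, 3, 4)))
        elif "R" in flags and synacks:             # [R] or [R.] after retries
            rst = True
    return synacks, rst


def intervals(times: List[float]) -> List[float]:
    """Gaps between successive SYN/ACKs, rounded to the millisecond."""
    return [round(b - a, 3) for a, b in zip(times, times[1:])]


def score(sig: Signature, ivs: List[float], rst: bool, tol: float = 0.2) -> float:
    """1.0 is a perfect match; 0.0 when retry count or RST behaviour differ.
    Each gap scores 1 minus its relative error, or 0 beyond `tol` (assumed
    20%), so a lost or badly delayed packet lowers the score rather than
    silently matching a different stack."""
    if len(ivs) != len(sig.delays) or rst != sig.rst_after:
        return 0.0
    per = []
    for got, want in zip(ivs, sig.delays):
        err = abs(got - want) / want
        per.append(0.0 if err > tol else 1.0 - err)
    return sum(per) / len(per) if per else 0.0


def fingerprint(capture: str, target: str) -> Tuple[Optional[str], float]:
    """Best-matching signature name (None if nothing matches) and its score."""
    times, rst = observe(capture, target)
    ivs = intervals(times)
    best_score, best_name = max((score(s, ivs, rst), s.name) for s in SIGNATURES)
    return (best_name if best_score > 0 else None), round(best_score, 3)


if __name__ == "__main__":
    print(fingerprint(CAPTURE, "10.0.0.5.80"))
```

The measurement only works if the probing host stays silent: if its own kernel answers the target's SYN/ACK with a RST (the normal reaction to a SYN/ACK for a connection it knows nothing about), the remote stack aborts the half-open connection and the retransmission series ends early. In practice that means sending the SYN from a raw socket and dropping the returning SYN/ACKs with a local firewall rule before the kernel sees them. A truncated capture shows up here as a retry-count mismatch and scores zero instead of being mistaken for a stack with fewer retries.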
