During penetration testing, the main objective of the auditor is to exploit and gain access. For that to happen, it is required to have some information about the system/network being exploited, and to know the operating system running on the system (to be exploited). Also, from the network security point of view, it is required, and at the same time challenging, to know and understand the threats and protect against them. OS fingerprinting is the name given to the technique of detecting the operating system of the system/machine.
OS Fingerprinting can be broadly classified into two types:
- Active Fingerprinting
- Passive FingerprintingActive OS fingerprinting is based on the fact that every OS has its own unique TCP/IP stack features. Every OS responds in a different manner to a variety of malformed packets. To perform such fingerprinting, all one has to have is a signature database of responses of different operating systems for different queries (packets). The next step is to send different packets to the target and compare the responses with the database, and then it will determine the underlying operating system. Same approach is followed by Nmap, one of the most widely used port scanning and OS fingerprinting tools. Active fingerprinting is utilized most of the time during a penetration test as it is more certain in its outcomes, but it also generates traffic which might trigger an IDS/IPS running on the machine being fingerprinted. If we need to maintain stealth, this technique is not a good option as the traffic generated will leave traces in the log of the system.
The passive fingerprinting technique also maintains a database for the purpose of identification, but unlike the active technique, it does not generate any traffic. It simply sits and sniffs the packets sent by the remote system and based on the unique signature of the operating system in the packet, it determines the OS. Simply by analyzing the data being sent by the remote host during the typical communication, the underlying OS can be detected. As no new packets are generated and sent to the target machine, it won’t trigger any security measures put in place by the owner, and hence, is more stealth. The signatures of different OS’s can be generated based on the fact that different operating systems implement the networking protocols in slightly different manners and sometimes send some data unique to the OS. Though no single piece of information can be accurately used for the purpose of identification, a mixture of signatures can help in making the identification more specific. Information other than the operating system can also be gleaned out sometimes, such as remote system configuration, ISP etc. Although this technique is not 100% accurate, it can be very helpful in the scenarios when we don’t want to trigger the alarms (IDS/IPS).
Both the techniques discussed above have their pros and cons and can be utilized according to the situation/scenario. In this article, the focus will be on the tools and techniques of passive fingerprinting. The first tool in this list is network miner.
Network Miner is a Network Forensic Analysis Tool for Windows. Network Miner acts as a passive packet sniffer and captures the data on the network, without generating any new traffic itself and hence, remains covert. It utilizes WinPcap library for the purpose of capturing the packets and can also analyze PCAP files off-line. It can be downloaded from http://sourceforge.net/projects/networkminer/
Network miner performs OS fingerprinting using the Satori, P0f and Ettercap OS fingerprint signatures. It also utilizes MAC vendor list from Nmap. It can be executed from a thumb drive without any installation. It basically runs on windows but can also run on Linux with wine.
Network Miner is capable of extracting files and certificates by parsing a PCAP file or by sniffing traffic directly from the network. Protocols which are supported for file extraction are FTP, HTTP and SMB. It can also extract user credentials for the supported protocols. Newer version of the application can also sniff WLAN (wireless) traffic.
Using the application is a simple task, the user simply has to select an active network adapter from the list and hit the start button. The interface lists the discovered nodes along with their information. A more detailed description can be viewed by expanding the nodes in the host list.
Figure 1. Network Miner
The captured traffic can reveal:
- Operating System
- User Credentials
- Open Ports
- Images etc.
Though it acts as a packet sniffer, the data it collects is related to the host on the network rather than the data regarding the traffic on the network. The user interface presents a host centric view and not packet centric. Figure 2 show the result under the images tab of the tool by parsing a pcap file.
Figure 2. A parsed pcap file result (Images tab)
Network miner can also be utilized for the purpose of evaluating the data we are revealing to the network which we are connected. By executing the application on our own machine, we can see what information we are disclosing. This information can be of great use to an attacker, as it might reveal our credentials or for the purpose of crafting a social engineering attack.
P0f is a multipurpose passive OS fingerprinting tool. It can identify the OS on the machines with which we are connected, even if there is a packet firewall present in between. It is also capable of detecting certain types of packet filters, NAT setups, ISP etc. and this all is done without generating any traffic on the network. P0f can be downloaded from http://lcamtuf.coredump.cx/p0f3/releases/p0f-3.03b.tgz.
P0f utilizes three different detection modes for the purpose:
- SYN mode: Incoming connection fingerprinting – To fingerprint the machine connecting to our system.
- SYN+ACK mode: Outgoing connection (remote) fingerprinting – To fingerprint systems we connect to.
- RST+ mode: Outgoing connection refused (remote) fingerprinting – To fingerprint systems that rejects our traffic.
P0f is the first of its kind, a well-developed implementation of the passive fingerprinting technique with specific and unique signatures which provide a high level of accuracy for the task. It has been developed in a manner such that it can be (and has been) integrated with other solutions. P0f uses the libpcap library for the purpose of packet capturing and analysis. The tool is currently in version 3, with substantial enhancements in previous versions. P0f is very swift and highly scalable in its operation on both the endpoints of a typical TCP/IP connection. It can also detect the system uptime, network hookup, distance, NAT, proxy setup etc. bypassing the restrictions that might have blocked a Nmap scan.
The latest version of P0f i.e. version 3 is a complete rewrite of the original application. New signatures have been updated to the database for better results. Users and developers can submit the new signature and report bug to the author at http://lcamtuf.coredump.cx/p0f3/. The majority of the signatures used by the application have been devised explicitly for it. Figure 3 shows the options of the tool.
Figure 3. P0f Options
Some basic command line options of P0f:
-i iface - snoop on a specific network interface.
-r fname - reads offline pcap captures from the specified file.
-f fname - reads fingerprint database (p0f.fp) from the specified location.
-o fname - write data to the specified file.
-s fname - listens for API queries on the specified filesystem socket. A single instance can be listening on a particular socket at a given time.
-L - lists all available network interfaces.
-d - runs p0f in daemon mode: the program will fork into background and will continue writing to the specified log file or API socket. This option requires -o or -s option to be specified.
The signatures of the tool are developed based on the:
Data extracted from various headers
Ordering of options in protocols
Ordering of the headers
Syntax of the headers
- Timestamp progression etc.
Apart from OS fingerprinting P0f also attempts to identify NAT device, Load balancer (server side) and some other server side devices and applications to present a better picture of the environment. Figure 4 demonstrates the tool in action. As shown in the figure, p0f has successfully identified the servers OS (linux 3.x).
Figure 4. P0f in action
Some of the uses of the tool are:
- Pentest: Probing the target in a stealth manner.
- Profiling: Can be utilized to silently gather information of the machines accessing the server or any node on the network.
- Troubleshooting: Troubleshooting network issues being faced.
- Circumventing security measures: Security measures such as firewall (packet filter), NAT devices can be easily evaded.
As stated earlier, it can be integrated with other applications using P0f API. It allows other applications running on the same machine to get opinions from p0f about a particular host.
It can be integrated with web applications, packet filters and so on.
Another tool in our list is Ettercap. Ettercap is termed as the Swiss army knife of sniffers. Initially, it was meant to be a tool for the purpose of sniffing traffic over a LAN; but over time, it has developed as a complete program for data capturing, recording and analysis. It is a free and open source tool and is usually utilized to perform man-in-the-middle attacks. Ettercap is capable of active, as well as passive, dissection of many different protocols. Its ability to conduct active eavesdropping and passive OS fingerprinting is what makes it stand out from others of its kind (sniffers). It provides both kind of interfaces i.e. command line interface (CLI) as well as Graphical user interface (GUI). It ranks 16 in the sectools top 125 network security tools list (http://sectools.org/search/?q=ettercap). Ettercap can be downloaded from http://ettercap.sourceforge.net/. Figure 5 show Ettercap interface displaying the result of passive fingerprinting.
Figure 5. Ettercap
Two sniffing options supported by Ettercap are:
- Unified: In this method, all the data packets are sniffed that pass on the cable. The packets which are not meant for the host running the tool (ettercap) are automatically forwarded.
- Bridged: This mode utilizes two interfaces, one for sniffing and another to forward the traffic. It is a very stealth mode.
Modes of operations offered by Ettercap, as described on Wikipedia (http://en.wikipedia.org/wiki/Ettercap_(computing)):
- IP based: Packet filtering done based on IP (source and destination).
- MAC based: Packet filtering done based on MAC address (source and destination).
- ARP based: Utilizes ARP poisoning (a hacking technique to perform Man-in-the-Middle attack) to sit and sniff traffic on a switched LAN between two hosts.
- Public ARP based: Utilizes ARP poisoning to sniff on a switched LAN from a victim host to all other hosts.
Apart from fingerprinting ettercap is also capable of performing Man-in-the-Middle attack. A Man-in-the-Middle (MITM) is a kind of active eavesdropping in which the attacker sits between the victims by making independent connections to them and relays messages between them. The victims believe that they are interacting directly to each other. The success of this attack depends on the fact that the attacker is successfully able to impersonate each endpoint to the satisfaction of the other. A more detailed description can be found at the OWASP website https://www.owasp.org/index.php/Man-in-the-middle_attack.
Along with the already embedded features into the tool, it can also be extended with the help of the plugins. Different functionalities can be added to its arsenal by developing plugins.
From the point of view of an attacker, as well as pentester, passive fingerprinting technique provides a quite efficient way to identify remote machines, without them knowing it. The main advantage of this technique is that it can be used in conjunction with firewalls and IDS/IPS systems, which can be very helpful in cases where penetration needs to be done on secured systems. Another worthy feature is that it will generate no logs on the machines being fingerprinted. On the other hand, the results of this technique are not very reliable and can be manipulated easily. One should not rely completely on one result/signature for the purpose of identification and must look for other information to support it.