It is very important for an attacker to know the operating system of the target. Different operating systems implement the TCP/IP stack and kernel differently, so their responses to the same packet differ; by analysing these responses we can infer which OS a host is running. The attacker sends packets built with a packet-generation tool, the target is forced to respond, and the responses are examined. This is OS fingerprinting.
The techniques used for this purpose can be classified into two types:
1) Active finger printing
2) Passive finger printing
Active fingerprinting:
Steps:
A customized packet is sent to the target host.
The response is recorded with a packet sniffer.
The recorded response is compared against a database of known responses, and the OS is identified from the closest match.
Factors that help identify the OS:
TCP initial window size in the responses.
ACK values in the responses (whether the stack acknowledges the sequence number sent, or one past it).
Initial Sequence Number (ISN) values and how they are generated.
Handling of overlapping IP fragments.
ICMP error message quoting (how much of the offending datagram is echoed back in the error).
ICMP error message quenching (how the stack rate-limits error messages).
ICMP error message echoing integrity (whether the quoted headers come back unaltered).
Problem:
The attacker has to send the packets to the target and record its responses, so the probes can show up in the target's logs or intrusion detection system.
This method is not anonymous, so the attacker may be detected in the act.
That is why we go for passive fingerprinting.
Tools for active fingerprinting:
Nmap
Queso
Aping
Passive fingerprinting:
This method is anonymous: the attacker sends nothing to the target, so there is nothing for the target to log, and passive fingerprinting is very difficult to detect.
The main steps in this method are as follows:
The attacker uses a sniffer to record the packets the target sends.
The headers of those packets are analysed for values that are characteristic of a particular OS.
Thus the OS of the host is inferred. For example, the attacker may run a sniffer on a shared network segment such as an internet cafe and analyse the packets a host sends when it connects to other systems.
The main fields studied in the passive method are:
TTL value
The TCP window size
Don't Fragment (DF) bit
Type of Service (TOS)
Consider the example:
When we receive a packet with
window size = 9000
TOS = 0
DF bit = set
then the host is most likely running Windows 9x or Windows NT.
Because every router on the path decrements the TTL by one, the observed TTL is not used directly; it is rounded up to the nearest common default (32, 64, 128 or 255) to estimate the initial TTL the sending stack used. A match on these fields is a likely identification, not a certain one, since the values can be changed by the administrator.
Countermeasures:
Change the default values of the parameters studied (for example the initial TTL and TCP window size) so the stack no longer matches a published signature.
Mislead the attacker by returning the values typical of another OS.
Use ACLs to filter the probe packets (for example unsolicited ICMP and unusual TCP flag combinations) so that active probes get no response.
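As an added example (not code from the original post), the following Python script carries out the passive method on raw IPv4/TCP packets: it parses the TTL, DF bit, TOS and window size, rounds the TTL up to the nearest default initial value, and matches the result against a small signature table. The signature table, the packet builder and the sample traffic are constructed for this example; the Windows entry uses the window/TOS/DF values from the example above, and the default initial TTLs of 128 (Windows) and 64 (Linux) are the documented stack defaults. The last sample packet shows the effect of the first countermeasure: a host whose default TTL has been changed no longer matches its own signature.

```python
import socket
import struct

# Illustrative signature table for passive fingerprinting (an assumption for
# this example, not the page's own data). Each entry: OS name, default initial
# TTL, (min, max) TCP window size, DF bit expected, TOS expected.
SIGNATURES = [
    ("Windows 9x / NT", 128, (5000, 9000), True, 0),
    ("Linux 2.2",       64,  (32120, 32120), True, 0),
]

DEFAULT_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common default initial TTL.

    Every router on the path decrements TTL by one, so a packet that arrives
    with TTL 117 most likely left a host whose default is 128.
    """
    for candidate in DEFAULT_INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def parse_ipv4_tcp(packet):
    """Extract the fields passive fingerprinting looks at from a raw IPv4/TCP packet."""
    (ver_ihl, tos, _total_len, _ident, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    (_sport, _dport, _seq, _ack, off_flags,
     window, _tcsum, _urg) = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    tcp_flags = off_flags & 0x1FF
    return {
        "ttl": ttl,
        "initial_ttl": guess_initial_ttl(ttl),
        "df": bool(flags_frag & 0x4000),   # DF is bit 1 of the 3-bit flags field
        "tos": tos,
        "window": window,
        "syn": tcp_flags & 0x12 == 0x02,   # SYN set, ACK clear: a fresh connection attempt
    }


def fingerprint(fields):
    """Return the names of all signatures consistent with the parsed fields."""
    return [name for name, init_ttl, (lo, hi), df, tos in SIGNATURES
            if fields["initial_ttl"] == init_ttl
            and lo <= fields["window"] <= hi
            and fields["df"] == df
            and fields["tos"] == tos]


def fingerprint_packet(packet):
    """Raw packet in, list of matching OS names out."""
    return fingerprint(parse_ipv4_tcp(packet))


def build_syn(ttl, window, df=True, tos=0, src="10.0.0.5", dst="10.0.0.9"):
    """Construct a minimal IPv4/TCP SYN packet as constructed sample input.

    Checksums are left at zero; the parser above never verifies them. This
    stands in for packets captured from a live sniffer.
    """
    flags_frag = 0x4000 if df else 0
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, flags_frag,
                         ttl, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 80, 1000, 0,
                          (5 << 12) | 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # Constructed sample traffic: a Windows-like SYN seen 11 hops away, a
    # Linux-like SYN, and the Windows-like host after its default TTL was
    # changed to 64 (the countermeasure), which then matches nothing.
    for label, pkt in [
        ("windows-like", build_syn(ttl=117, window=9000)),
        ("linux-like", build_syn(ttl=51, window=32120)),
        ("windows-like, ttl changed", build_syn(ttl=53, window=9000)),
    ]:
        print(label, parse_ipv4_tcp(pkt), fingerprint_packet(pkt))
```

In real use the packet bytes would come from a sniffer instead of build_syn, and only SYN packets (the "syn" flag in the parsed fields) should be fed to fingerprint, because the window size in later segments reflects the receive buffer after the connection is established rather than the stack's initial value.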
Wednesday, November 18, 2009