                                                             All About Finger Printing
                             -An Article by Gaurav Kumar  (ethicalhhackers@yahoo.com)

Updated article will be available on www.mycgiserver.com/~ethicalhackers/finger.html

Hello friends!
This comprehensive article is all about finger printing. I will discuss both types of finger printing - Active and Passive.

What is finger printing?

Finger printing is a technique in which we find out the remote host's operating system and other information. There

Types of Finger printing.

There are two types of finger printing -
1) Active finger printing.
2) Passive finger printing.

In active finger printing we actively query the remote host and analyze the data received. As the name itself indicates, we are actively communicating with the remote host, and hence our actions can be logged by the remote host.

In passive finger printing we do not actively query the host; instead we analyze the data using sniffers. Many people say that in passive finger printing our actions are not logged, but that is not true. When we do passive finger printing we have to connect to the remote host at least once to get the data; there are very few remote hosts that will connect to the client to give the data. Now I will explain various active and passive finger printing techniques.

Let us first discuss Active finger printing.

                                                            ACTIVE FINGER PRINTING

Active finger printing requires us to connect to the remote host on various open ports and grab the welcome banner data. First we run a port scanner on the target computer. You should always remember that port scanning can be easily detected by an IDS (Intrusion Detection System) and by firewalls. Modern techniques like SYN scanning can also be detected. Let us assume that the remote host has ports 21, 25, 139 and 80 open. Now if you are an experienced tech it will seem to you that the remote host is a Windows host, as it has port 139 (used for NetBIOS communication) open. But wait! That system can be a Linux system too, as it may be running a Samba server. Let us now actively query the target system on the open ports. We first connect to port 21. It is used by the FTP service. Simply connect to this host on port 21 and note down the welcome banner. If it says something like this

220 computer_name_goes_here Microsoft FTP Service (Version 5.0).

we can assume that the host is running a Windows NT type OS (it can be Windows NT, 2000 or XP), as Microsoft FTP Service mostly runs on these OSes. You may also see wu-ftpd in place of Microsoft FTP Service; this indicates that the host is running a UNIX type OS. Now the remote host will ask for our user name and password. If you have one, good. If you don't, try logging in anonymously by giving the user name as anonymous and an email address as the password. Once logged in you can use the command literal SYST to find out the OS. I have seen many hosts that allow the command literal SYST to be run even if you are not logged in.
Now we come to port 25. This port is used by the SMTP service. Again you have to connect to this port and analyze the welcome banner. If a word like Sendmail occurs you can infer that the remote host is running a UNIX type OS. You can also note down the name and search for it on Google if you don't know about that program. Before querying NetBIOS port 139 I will try port 80. This port is used by web servers. As you are reading this article, most probably it has been sent to your web browser by port 80 of a web server. Now let us query this service. Connect to port 80 of the remote host, type some arbitrary word and press enter twice (HTTP requires two carriage returns). Now the remote host will respond with data similar to this-

HTTP/1.1 400 Bad Request
Date: Tue., 15 Jan 2003 10:18:00 GMT
Server: Apache/1.0.32 (Linux) mod_perl/1.99_04-dev Perl/v2.3.1

This indicates that the remote host is running a UNIX type (Linux) OS.

You can also try to connect to other open ports and grab the banner data.
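The banner-grabbing loop described above (connect, optionally send the two-CRLF HTTP probe, read the greeting, classify it) is shown here as an added Python example; it is not code from the original article. To stay offline it spins up one-shot listeners on 127.0.0.1 that reply with constructed banners modelled on the ones quoted above (the SMTP greeting and the classification rule set are assumptions, not captured from any real host), so it doubles as a way to audit what your own services disclose:

```python
import re
import socket
import threading

# Constructed sample banners (not captured from any real host), modelled on the
# ones quoted in the article. The SMTP line is a hypothetical Sendmail greeting.
SAMPLE_BANNERS = {
    21: b"220 computer_name_goes_here Microsoft FTP Service (Version 5.0).\r\n",
    25: b"220 mail.example.invalid ESMTP Sendmail 8.12.1/8.12.1; "
        b"Tue, 15 Jan 2003 10:18:00 GMT\r\n",
    80: b"HTTP/1.1 400 Bad Request\r\n"
        b"Date: Tue, 15 Jan 2003 10:18:00 GMT\r\n"
        b"Server: Apache/1.0.32 (Linux) mod_perl/1.99_04-dev Perl/v2.3.1\r\n\r\n",
}

# Hypothetical rule set: (pattern, OS family), checked in order. Extend as needed.
BANNER_RULES = [
    (re.compile(r"Microsoft FTP Service|Microsoft ESMTP|Microsoft-IIS", re.I), "Windows NT family"),
    (re.compile(r"Sendmail|wu-ftpd|vsftpd|ProFTPD", re.I), "Unix-like"),
    (re.compile(r"^Server:.*\((Unix|Linux|FreeBSD|Red Hat|Debian)\)", re.I | re.M), "Unix-like"),
]

def classify_banner(banner):
    """Return (os_family, matched_text); ("unknown", None) if no rule matches."""
    for pattern, family in BANNER_RULES:
        m = pattern.search(banner)
        if m:
            return family, m.group(0)
    return "unknown", None

# A junk request line followed by the blank line HTTP needs (two CRLF): most
# servers answer 400 Bad Request and include their Server: header.
HTTP_PROBE = b"ABCDEF\r\n\r\n"

def grab_banner(host, port, probe=b"", timeout=2.0):
    """Connect, optionally send a probe, and return whatever the service says first."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break          # peer closed the connection
                chunks.append(data)
        except socket.timeout:
            pass                   # peer kept the connection open; use what we have
    return b"".join(chunks).decode("latin-1", "replace")

def _serve_once(listener, banner):
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(0.5)
        try:
            conn.recv(1024)        # swallow any probe the client sends
        except socket.timeout:
            pass
        conn.sendall(banner)
    listener.close()

def start_fake_service(banner):
    """Start a one-shot loopback listener that answers with `banner`; return its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener, banner), daemon=True).start()
    return port

def audit_samples():
    """Grab and classify each constructed banner; return {service_port: os_family}."""
    results = {}
    for service_port, banner in SAMPLE_BANNERS.items():
        local_port = start_fake_service(banner)
        probe = HTTP_PROBE if service_port == 80 else b""
        family, _ = classify_banner(grab_banner("127.0.0.1", local_port, probe))
        results[service_port] = family
    return results

if __name__ == "__main__":
    for port, family in audit_samples().items():
        print(f"port {port}: {family}")
```

The reader in grab_banner stops either when the peer closes or when the timeout expires, because a real FTP or SMTP daemon keeps the connection open after its greeting; the rule set is deliberately a plain ordered list so that a banner matching nothing falls through to "unknown" rather than to a guess.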
 

Now we come to port 139. If this port is open you can find out many details about the host. At first sight it indicates a Windows type OS. If you know how to program using the Win32 API you can use the NetBIOS APIs to communicate with the system. First you will have to establish a null session, then connect to IPC$ and then query the remote host. One such tool that can be used is enum. The default NetBIOS implementation allows you to uniquely identify the remote host. Using this technique you can distinguish whether the remote system is Unix, Windows 9x, Windows NT, Windows 2000, Windows XP or Windows .NET!!! I am still waiting for a tool that uses this technique. Popular finger printing tools like nmap and queso don't use this technique. (Correct me if I am wrong.)
 

There are some other non-standard techniques that lie in the category of passive finger printing, but I would like to discuss them here because they don't require sniffers or a packet generator.

Suppose you receive an email from your friend and you want to find out the OS used for writing that email. It's very simple. Look at the email headers. If you use Outlook, select that message, go to File, click on Properties and then click on Message Source. If you see something like X-Mailer: Microsoft Outlook it indicates a Windows type OS. (Of course it could be a Linux system, as the sender may be running Outlook Express on Linux using WINE, but the chances of this are rare.)

Quite obviously you have to change the welcome banner information if you want to hide your OS information, and you must firewall port 139 from untrusted networks. Changing the welcome banner is comparatively easy on a UNIX type OS.

Note- www.netcraft.com/whats is an online free service that gives you web server and OS name quite accurately.
 
 

Now we come to passive finger printing.

                                                            PASSIVE FINGER PRINTING

This type of finger printing is used by advanced hackers. Please note that the following text requires you to have some inside knowledge of how TCP/IP works. Further, you must have a good packet capture (sniffer) and packet generator utility. If you use a Windows type OS I recommend CommView as the packet capture utility and Rafale X (GUI based but not so advanced) or LibnetNT, my favourite (it has functions for programming), as the packet generator.
If you use a UNIX type OS you can use Ethereal (or Snort) for packet capture and libnet (or Packet Factory) as the packet generator library.

In passive finger printing we send some data once (maybe more - I will discuss this later in the article) and then analyze the captured data received from our sniffer (installed on our own system). This type of technique does not require us to do a port scan, and hence no IDS or firewall will block our IP address.

Actually there is no single way to detect the remote OS. We have to use many techniques together to detect the remote OS.

Various techniques used in passive finger printing are -

1) TTL value.
2) Window Size.
3) DF bit.
4) TOS.
5) Initial Sequence Number.
6) TCP packets with different options to a port (closed as well as open).
7) ICMP packet to an unreachable port.
8) ICMP payload.
There are many more techniques involving ICMP. See reference section at the end of article.

1. TTL value.

The TTL (Time To Live) value tells the OS handling the packet how long the packet should be handled. If an OS encounters a packet with TTL equal to 0 it will discard the packet. When the OS finds that it has to transfer the packet to the next network device it decreases the value by 1. Now let us apply this information practically. Let there be a false IP address 256.1.2.3. We have to find out the OS running on this IP address. We will ping this computer. Here is a sample output.

Pinging computer_name_here [256.1.2.3] with 32 bytes of data:

Reply from 256.1.2.2: bytes=32 time<15ms TTL=124
Reply from 256.1.2.3: bytes=32 time<45ms TTL=124
Reply from 256.1.2.3: bytes=32 time<102ms TTL=124
Reply from 256.1.2.3: bytes=32 time<569ms TTL=124

Ping statistics for 256.1.2.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

TTL=124 shows that the ICMP packet we have received has a TTL value of 124. We will now traceroute to this computer.

Here is a sample output.

Tracing route to computernamegoeshere [256.1.2.3]
over a maximum of 30 hops:

  1   126 ms   118 ms   125 ms  192.168.0.2
  2   145 ms   132 ms   117 ms  223.34.6.1
  3   136 ms   189 ms   *       3.3.245.3
  4   630 ms   124 ms   728 ms  256.1.2.3

The above result shows that the remote host was reached in 4 hops (network devices). So we can infer that the original TTL value was = no. of hops + TTL value we received, i.e. 4 + 124 = 128.

This indicates a windows type OS.

Here is an indicative list.

OS              VERSION   PLATFORM       TTL
Windows         9x/NT     Intel          32
Windows         9x/NT     Intel          128
Windows         2000      Intel          128
Digital Unix    4.0       Alpha          60
Unisys          x         Mainframe      64
Linux           2.2.x     Intel          64
FTX (UNIX)      3.3       STRATUS        64
SCO             R5        Compaq         64
Netware         4.11      Intel          128
AIX             4.3.x     IBM/RS6000     60
AIX             4.2.x     IBM/RS6000     60
Cisco           11.2      7507           60
Cisco           12.0      2514           255
IRIX            6.x       SGI            60
FreeBSD         3.x       Intel          64
OpenBSD         2.x       Intel          64
Solaris         8         Intel/Sparc    64
Solaris         2.x       Intel/Sparc    255

2) Window Size.

If we analyze the data received from the host and find the window size to be 0x7D78 (32120 in decimal) we can infer that the host is running Linux. Linux, FreeBSD and Solaris maintain the same window size throughout a session, while Windows NT type OSes keep changing this value. Microsoft OSes use 0x402E and AIX uses 0x3F25 as their window size.

3) DF bit.

According to RFC 791 there are 3 flag bits in an IP packet. Bit 0 is reserved, Bit 1 is the DF (Don't Fragment) bit and Bit 2 is the MF (More Fragments) bit. A bit value of 0 means false and 1 indicates true. For example, if we get a packet with the DF bit set to 1, it tells the OS not to fragment the data.

Operating systems like Linux kernel 2.4.x, AIX 4.3.x and HP-UX 10.30 and 11 set the DF bit to 1.

4) TOS.

TOS means Type of Service. Windows 2000, Ultrix and Novell Netware send ICMP packets with a TOS bit set (value = 1), while most UNIX type machines do not set this. This is an effective method of identifying operating systems.

5) Initial Sequence Number.

This number is used by operating systems to keep track of the packets handled by them. Each OS can have its own way of choosing the sequence number. A TCP/IP connection is made using a 3-way handshake. When a client wants to make a connection with the server, it sends a TCP packet with the SYN (synchronize) bit on and its own sequence number. If the server is willing to accept the connection it sends a TCP packet with both the SYN and ACK (acknowledge) bits on and its own sequence number, and then the client sends a packet with the ACK bit on, and the connection is now established. Note that in the 2nd step (when the server sends SYN and ACK on) it also sends its sequence number. This number can have a value ranging from 0 to 4,294,967,295. For every successful connection this value is increased by 64000, and by 128000 each second. So by making many connections in succession we can observe a constant pattern in the initial sequence number.

NMAP and Queso can reliably detect the ISN.
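Sections 1 to 5 above (TTL, window size, DF bit, TOS and the initial sequence number) all come down to reading fields out of a captured IP/TCP header and comparing them with known defaults. The following is an added Python example, not code from the original article: it parses a raw IPv4+TCP SYN/ACK, generalises the article's 124 + 4 = 128 calculation to every initial TTL in the table (and lists the ambiguous candidates when the hop count is unknown), looks the result up in the article's table, and checks a list of sampled ISNs for the constant increment the text describes. The sample packet is constructed with zero checksums and RFC 5737 documentation addresses; the table rows are those the article gives.

```python
import struct

# Initial TTLs that appear in the article's table; an observed TTL is rounded
# up to the next of these to estimate the sender's default and the hop distance.
INITIAL_TTLS = (32, 60, 64, 128, 255)

# Rows taken from the article's indicative table: (OS, version, platform, TTL).
TTL_TABLE = [
    ("Windows", "9x/NT", "Intel", 32), ("Windows", "9x/NT", "Intel", 128),
    ("Windows", "2000", "Intel", 128), ("Digital Unix", "4.0", "Alpha", 60),
    ("Linux", "2.2.x", "Intel", 64), ("AIX", "4.3.x", "IBM/RS6000", 60),
    ("Cisco", "12.0", "2514", 255), ("FreeBSD", "3.x", "Intel", 64),
    ("OpenBSD", "2.x", "Intel", 64), ("Solaris", "8", "Intel/Sparc", 64),
    ("Solaris", "2.x", "Intel/Sparc", 255),
]

def parse_ipv4_tcp(pkt):
    """Pull the passive-fingerprint fields out of a raw IPv4 header + TCP header."""
    ver_ihl, tos, _tot_len, _ident, flags_frag, ttl, proto, _csum, src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes
    _sport, _dport, seq, _ack, _off, flags, window, _tsum, _urg = \
        struct.unpack("!HHIIBBHHH", pkt[ihl:ihl + 20])
    return {
        "tos": tos,
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),   # RFC 791 flags: bit 1 = DF
        "mf": bool(flags_frag & 0x2000),   # bit 2 = MF
        "window": window,
        "isn": seq,                        # server's ISN when this is a SYN/ACK
        "syn_ack": flags & 0x12 == 0x12,
        "src": ".".join(str(b) for b in src),
    }

def infer_initial_ttl(observed, hops=None):
    """Return [(initial_ttl, hop_distance), ...]. With a known hop count (from
    traceroute) the answer is exact, as in the article's 124 + 4 = 128; without
    it every default >= observed is a candidate, nearest first."""
    if hops is not None:
        return [(observed + hops, hops)]
    return [(init, init - observed) for init in INITIAL_TTLS if init >= observed]

def os_candidates(initial_ttl):
    return [f"{name} {ver} ({plat})" for name, ver, plat, ttl in TTL_TABLE if ttl == initial_ttl]

def isn_increment(isns):
    """Given ISNs sampled from successive connections, return the constant
    increment if there is one (e.g. 64000), else None (no fixed step)."""
    deltas = [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]
    return deltas[0] if deltas and all(d == deltas[0] for d in deltas) else None

def build_synack(ttl, tos, df, window, isn):
    """Constructed SYN/ACK (checksums left zero; the parser does not verify them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, isn, 1, 5 << 4, 0x12, window, 0, 0)
    return ip + tcp

# Constructed sample whose fields follow the article's Linux clues.
SAMPLE_SYNACK = build_synack(ttl=60, tos=0, df=True, window=0x7D78, isn=0x1A2B3C4D)

def fingerprint(pkt, hops=None):
    """Combine the header fields with the TTL inference and table lookup."""
    f = parse_ipv4_tcp(pkt)
    f["initial_ttl_guesses"] = infer_initial_ttl(f["ttl"], hops)
    f["os_candidates"] = os_candidates(f["initial_ttl_guesses"][0][0])
    return f

if __name__ == "__main__":
    print(fingerprint(SAMPLE_SYNACK, hops=4))
    print(infer_initial_ttl(57))        # 60 and 64 are both plausible defaults
    print(isn_increment([1000, 65000, 129000, 193000]))
```

Without a hop count the TTL test is genuinely ambiguous between the 60 and 64 defaults for anything observed between 53 and 60, which is why the function returns a list rather than one answer; the ISN check takes differences modulo 2^32 so that a counter wrapping past 4,294,967,295 is still recognised as a fixed step.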

6) TCP packets with different options to a port (closed as well as open).

If we send TCP packets with different options to a machine, the output we receive can uniquely identify the remote host. I leave it to the reader to play with these bits.

7) ICMP packet to an unreachable port.

When we send ICMP packets to a closed port on a machine we must expect a "Port Unreachable" error message. Each OS gives this message after a particular time. This time can be used to identify the remote host.

8) ICMP payload.

Microsoft ICMP REQUEST payloads contain the alphabet, while on most Unix systems, such as Solaris or Linux, ICMP REQUEST payloads contain numbers and symbols.
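As an added Python example (not code from the original article), here is a small ICMP echo parser that verifies the RFC 1071 checksum and then classifies the payload along the lines the section above describes. The two payloads are constructed, not captured: the Windows-style one is the 32-letter alphabet pattern, and the Unix-style one assumes an 8-byte timestamp followed by ascending byte values, which is what makes a Unix ping look like digits and punctuation in a sniffer.

```python
import struct

# Constructed payloads modelled on the article's description (assumption: the
# exact bytes are illustrative, not captured from real hosts).
WINDOWS_STYLE_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"          # 32 bytes
UNIX_STYLE_PAYLOAD = b"\x00" * 8 + bytes(range(0x10, 0x40))             # 8 + 48 bytes

def icmp_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident, seq, payload):
    """Constructed ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_icmp_echo(pkt):
    """Split an ICMP echo request/reply into fields after verifying its checksum."""
    if len(pkt) < 8:
        raise ValueError("ICMP packet shorter than header")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ not in (0, 8) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    # The ones'-complement sum of a packet that includes its own checksum is
    # all ones, so recomputing over the whole packet must yield zero.
    if icmp_checksum(pkt) != 0:
        raise ValueError("ICMP checksum mismatch")
    return {"type": typ, "id": ident, "seq": seq, "payload": pkt[8:]}

def classify_echo_payload(payload):
    """Map the payload style to the OS family the article associates with it."""
    if len(payload) >= 8 and payload.isalpha() and payload.islower():
        return "windows-style (alphabet)"
    body = payload[8:]                      # skip the timestamp Unix pings prepend
    if len(body) >= 16 and body[:16] == bytes(range(0x10, 0x20)):
        return "unix-style (numbers and symbols)"
    return "unknown"

def classify_packet(pkt):
    return classify_echo_payload(parse_icmp_echo(pkt)["payload"])

if __name__ == "__main__":
    for label, payload in (("windows", WINDOWS_STYLE_PAYLOAD), ("unix", UNIX_STYLE_PAYLOAD)):
        pkt = build_echo_request(0x1234, 1, payload)
        print(label, "->", classify_packet(pkt))
```

Checking the checksum before looking at the payload is deliberate: a capture with a corrupted or truncated ICMP packet should be rejected rather than classified, and the same parser is what a detection rule would run over echo requests arriving at a host to flag a payload that matches neither pattern.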
 

All these 8 tests together can identify the remote host quite uniquely. There are so many other techniques that one could write a book on them. I have much more to share with you but time doesn't allow me to do this.
 

References-

In writing this article I have taken help from various articles available on the internet. Here they are-

Know Your Enemy: Passive Fingerprinting, by Craig Smith and Peter Grundl. http://project.honeynet.org/papers/finger

Tracing the Traceroute, by Ankit Fadia. www.ankitfadia.com

NMAP fingerprinting article. http://www.insecure.org/nmap/nmap-fingerprinting-article.html

ICMP Scanning. http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.zip




Other articles written By Gaurav Kumar-

Hacking Using NetBIOS- Easiest way to hack.

All About IP address- Everything you want to know about ip address.

How Hackers Hack- A basic article that teaches basic principles of hacking.

Using netstat. How to use a great utility to detect internet virus.
 

All of them are available only on www.ethicalhackers.tk

More tutorials coming soon.
 

To get ethical hacking articles written by Gaurav Kumar directly in your inbox just send a blank email to ethicalhackingroup-subscribe@yahoogroups.com