OS Fingerprinting in Ethical Hacking refers to any method used to determine what operating system is running on a remote computer. By analyzing certain protocol flags, options, and data in the packets a device sends onto the network, we can make relatively accurate guesses about the OS that sent those packets.
By pinpointing the exact OS of a host, an attacker can launch a precise attack against a target machine. In a world of buffer overflows, knowing the exact flavor and architecture of an OS could be all the opportunity an attacker needs
OS fingerprinting Techniques
1. Active fingerprinting
Active fingerprinting is accomplished by sending specially crafted packets to a target machine and then noting down its response and analyzing the gathered information to determine the target OS. In the following section, we have given an example to explain how you can use NMAP tool to detect the OS of a target domain.
2. Passive fingerprinting
Passive fingerprinting is based on sniffer traces from the remote system. Based on the sniffer traces (such as Wireshark) of the packets, you can determine the operating system of the remote host. We have the following four important elements that we will look at to determine the operating system
- TTL − What the operating system sets the
- Time-To-Live on the outbound packet.
- Window Size − What the operating system sets the Window Size at.
- DF − Does the operating system set the
- Don’t Fragment bit.
- TOS − Does the operating system set the
- Type of Service, and if so, at what.
Tools Used For OS fingerprinting
1. p0f – passive OS fingerprinting
P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.
Version 3 is a complete rewrite of the original codebase, incorporating a significant number of improvements to network-level fingerprinting, and introducing the ability to reason about application-level payloads (e.g., HTTP). Website: http://lcamtuf.coredump.cx/p0f3/
2. Ettercap – passive OS fingerprinting
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. Website: http://ettercap.github.io/ettercap/
3. Nmap – active OS fingerprinting
Nmap is a free and open-source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services those hosts are offering, what operating systems they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
It was designed to rapidly scan large networks, but works fine against single hosts. If you do not have Nmap command installed on your Linux system, then you can install it using the following yum command – $yum install Nmap Website: http://nmap.org/
4. XProbe2 – active OS fingerprinting
Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses and multiple simultaneous matches, and a signature database. Website: http://sourceforge.net/projects/xprobe/files/xprobe2/
By analyzing these factors of a packet, you may be able to determine the remote operating system. This system is not 100% accurate and works better for some operating systems than others.
Before attacking a system, it is required that you know what operating system is hosting a website. Once a target OS is known, then it becomes easy to determine which vulnerabilities might be present to exploit the target system.