Active OS Fingerprinting
Attack Pattern ID: 312 (Standard Attack Pattern)Typical Severity: LowStatus: Draft
+ Description

Summary

An attacker engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities

Server-side

Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: Any
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: User Datagram Protocol
Relationship Type
Uses Protocol
Related Protocol: lnternet Control Messaging Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites

The ability to send and receive packets from a remote target, or the ability to passively monitor network communications.

+ Resources Required

Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on unix/linux requires root privileges. Installing a listener on the network requires access to at least one host, and the privileges to interface with the network interface card.

+ Related Attack Patterns
NatureTypeIDNameDescriptionView(s) this relationship pertains toView\(s\)
ChildOfAttack PatternAttack Pattern311Fingerprinting Remote Operating Systems 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern314IP Fingerprinting Probes 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern315TCP/IP Fingerprinting Probes 
Mechanism of Attack (primary)1000
ParentOfAttack PatternAttack Pattern316ICMP Fingerprinting Probes 
Mechanism of Attack (primary)1000
+ References
Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". 6th Edition. McGraw Hill, ISBN: 978-0-07-161374-3. 2009.
Defense Advanced Research Projects Agency (DARPA). "RFC793 - Transmission Control Protocol". 1981. <http://www.faqs.org/rfcs/rfc793.html>.
Gordon "Fyordor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". 3rd "Zero Day" Edition, . Insecure.com LLC, ISBN:978-0-9799587-1-7. 2008.
Gordon "Fyordor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://nmap.org/p51-11.html>.