OS Fingerprinting

DISCLAIMER!
This content is intended solely for educational and ethical purposes. The website pentest.id is created by our lecturer and this activity is conducted with permission. All activities related to cybersecurity must comply with available regulations. The author (me) is not responsible for any misuse or illegal activities performed using the knowledge shared here. Any actions taken by the readers using this info are at the reader’s own risk. 


OS Fingerprinting

OS fingerprinting is the process of analyzing packets from a network to gather information about a system's operating system (OS), which can then be used in later attacks. There are two types: active OS fingerprinting, which connects directly to the target (sends network packets to it), and passive OS fingerprinting, which does not connect to the target directly. Passive OS fingerprinting is slower, but it is not as noticeable as active OS fingerprinting. Some OS fingerprinting tools and techniques are Idle Scan, p0f, and Nmap.

Image source: https://www.hackers-arise.com/post/2016/06/10/operating-system-os-fingerprinting-with-p0f


Idle Scan, or Zombie Scan, is a stealthy scanning technique that uses an idle ("zombie") host to scan a target, so that the target system cannot identify the real attacker. This method relies on the zombie's sequence ID number to infer whether a port is open or not.

The process of an Idle scan is roughly as follows (you can read my previous post to understand more about TCP flags):

1. The attacker finds a zombie host and sends a SYN/ACK packet to it. If the zombie responds with RST, then the zombie is idle and can be used.
2. The attacker takes note of the zombie's last sequence number and its IP address.
3. The attacker spoofs the zombie's IP address and sends a SYN packet to the target. If the target port is open, the target responds with SYN/ACK to the zombie. If it is closed, the target responds with RST to the zombie.
4. The attacker then sends SYN/ACK to the zombie again. If the zombie's sequence number has increased by 2, the target port is open. If it has increased by only 1, the port is closed.

However, this number is now randomized on modern systems, so the target is much harder to scan this way.
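As an added illustration that is not part of the original post, the simulation below plays through the four steps above with a constructed zombie and target, then repeats them with a zombie whose per-packet IDs are randomized, to show why that change defeats the inference. The Zombie, Target, infer_port_state and scan_accuracy names are my own; the counter the post calls the zombie's sequence number is modelled as a simple integer stamped on every packet the zombie sends.

```python
import random

class Zombie:
    """Simulated idle host. Each packet it sends carries an ID drawn from a
    counter that grows by 1 (what step 4 of the post relies on); with
    randomize=True every packet gets an unpredictable ID instead."""
    def __init__(self, randomize=False, seed=0):
        self.randomize = randomize
        self.counter = 1000          # constructed starting value
        self.rng = random.Random(seed)

    def emit(self):
        # ID stamped on the next packet the zombie sends, whatever triggered it
        if self.randomize:
            return self.rng.randrange(65536)
        self.counter += 1
        return self.counter

    def on_syn_ack(self):
        # an unsolicited SYN/ACK (from the prober or the target) gets a RST
        return self.emit()

class Target:
    def __init__(self, open_ports):
        self.open_ports = set(open_ports)

    def on_spoofed_syn(self, port, zombie):
        # step 3: the reply goes to the spoofed source, i.e. the zombie.
        # open port -> SYN/ACK makes the zombie send a RST (one more ID);
        # closed port -> the target's RST is silently dropped, no packet sent
        if port in self.open_ports:
            zombie.on_syn_ack()

def infer_port_state(zombie, target, port):
    """Steps 1-4 of the post; returns 'open', 'closed' or 'unknown'."""
    before = zombie.on_syn_ack()          # steps 1-2: probe, note the ID
    target.on_spoofed_syn(port, zombie)   # step 3: spoofed SYN to the target
    after = zombie.on_syn_ack()           # step 4: probe again, compare
    return {2: "open", 1: "closed"}.get(after - before, "unknown")

def scan_accuracy(zombie, target, ports):
    """Fraction of ports whose inferred state matches the target's truth."""
    hits = 0
    for port in ports:
        truth = "open" if port in target.open_ports else "closed"
        hits += infer_port_state(zombie, target, port) == truth
    return hits / len(ports)
```

Running scan_accuracy with Zombie() against a constructed Target({21, 80, 443}) returns 1.0 over any port list, while Zombie(randomize=True) returns "unknown" for almost every port, which is the effect of the randomization the paragraph above describes.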

For active OS fingerprinting, we can use Nmap to scan the target system and obtain information about its OS, among other things. For example, in the image below we scan ports 80, 443, and 21 of pentest.id. From that output, we can see that the running OS is highly likely to be Oracle VirtualBox.


OS fingerprinting is crucial for offensive cybersecurity. It matters in pen testing because it helps the attacker gather critical information about the target and discover the system's vulnerabilities, so that the attacker can choose the right strategy for the attack.

I think that’s all. Thank you!


