passive fingerprinting

Know Your Enemy:
Passive Fingerprinting

了解你的敌人：被动指纹
Identifying remote hosts, without them knowing

识别远程主机，在他们无意识的状态下

 

Honeynet Project 
http://project.honeynet.org
Last Modified: 04 March, 2002

One of the challenges of network security is learning about the bad guys. To understand your threats and better protect against them, you have to Know Your Enemy. Passive Fingerprinting is a method to learn more about the enemy, without them knowing it. Specifically, you can determine the operating system and other characteristics of the remote host using nothing more then sniffer traces. Though not 100% accurate, you can get surprisingly good results. The subterrain crew has developed siphon, a passive network and system mapping and OS fingerprinting tool. Also, Michael Zalewski (Poland's finest) and Bill Stearns are maintaining p0f. Both of these tools demonstrate the functionality we are about to discuss.

 

互联网安全的一个重要挑战就是学习坏人，为了了解你的威胁并且更好的抵抗他们，你需要了解你的敌人。被动指纹是一个能更多学习敌人的方法，并且在他们无意识的状态下。特别是你可以使用嗅探器得到操作系统和远程主机的其他特征。尽管不能保证100%准确，但是你可以得到很神奇的很好的结论。已经开发了siphon，无源网络、系统映射一起操作系统指纹工具。所有的这些工具斗证明了我们即将讨论的功能。

 

Fingerprinting 

指纹

Traditionally, Operating System fingerprinting has been done using active tools, such as queso or nmap. These tools operate on the principle that every operating system's IP stack has its own idiosyncrasies. Specifically, each operating system responds differently to a variety of malformed packets. All one has to do is build a database on how different operating systems respond to different packets. Then, to determine the operating system of a remote host, send it a variety of malformed packets, determine how it responds, then compare these responses to a database. Fyodor's nmap is tool of choice when using this methodology. He has also written a detailed paper on this.

 

传统的操作系统指纹已经使用一些工具可以实现，比如nmap或者queso等工具，它的原理是每个操作系统的IP包有自己的特征，具体来说，每个操作系统对于一场数据包的反应是不同的。所有工具必须做的是将不同操作系统对不同数据的反应做一个数据库，判定一个远程主机时，向他发送异常包，接收它的反馈，然后将这些反馈和数据库对比。

 

 

Passive fingerprinting follows the same concept, but is implemented differently. Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system. Based on the sniffer traces of these packets, you can determine the operating system of the remote host. Just like in active fingerprinting, passive fingerprinting is based on the principle that every operating system's IP stack has its own idiosyncrasies. By analyzing sniffer traces and identifying these differences, you may be able determine the operating system of the remote host. 
被动指纹基于同样的原理，但是它的实施方法不同。被动指纹基于对远程系统嗅探的痕迹。和主动的查询远程机器比，你只需要捕获远程机器发送的数据包。基于这些数据包的嗅探痕迹，你可以确定远程主机的操作系统。像主动指纹一样，被动指纹也是基于每台操作系统IP包的特征，IP包都有自己的堆栈特征。通过分析嗅探的痕迹和确定这些不同，你可能能够确定远程主机的操作系统。

 

The Signatures 

签名

There are four TCP areas that we will look at to determine the operating system (however there are other signatures that can be used). These signatures are:

TTL - What the operating system sets the Time To Live on the outbound packet

Window Size - What the operating system sets the Window Size at.

DF - Does the operating system set the Don't Fragment bit.

TOS - Does the operating system set the Type of Service, and if so, at what.

 

有四个TCP领域我们可以用来确定操作系统，不排除也有其他的签名也可以使用，这些签名包括：

TTL，操作系统为发出的数据包设置生存时间

Window Size，操作系统设置的窗口大小

DF，操作系统设置的非碎片比特位

TOS，操作系统设置的服务类型

 

By analyzing these factors of a packet, you may be able to determine the remote operating system. This system is not 100% accurate, and works better for some operating systems then others. No single signature can reliably determine the remote operating system. However, by looking at several signatures and combining the information, you increase the accuracy of identifying the remote host. An example would be the easiest way to explain. Below is the sniffer trace of a system sending a packet. This system launched a mountd exploit against us, so we want to learn more about it. We do not want to finger or nmap the box, that could give us away. Rather, we want to study the information passively. This signature was captured using snort, our passive weapon of choice.

 

通过分析一个数据包的这些特征，你可能能够确定远程操作系统。这个系统不是100%的准确，并且存在在某些操作系统的效果优于其他操作系统的问题。没有一种签名能够可靠地确定远程的操作系统，但是，通过综合不同签名的信息，我们可以提高识别远程主机的准确率。这里我们给出一个简单的实例，下面是一个操作系统发送的数据的嗅探痕迹。这个系统对我们进行了大量的攻击，我们想了解到更多的东西，在这里我们不死用指纹或者nmap之类的工具。我们想被动的学习信息，在理我们选择的被动工具室snort。

 

04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257
***F**A* Seq: 0x9DD90553 
Ack: 0xE3C65D7 Win: 0x7D78

Based on our 4 criteria, we identify the following:

TTL: 45

Window Size: 0x7D78 (or 32120 in decimal)

DF: The Don't Fragment bit is set

TOS: 0x0

 

We then compare this information to a database of signatures. First, we look at the TTL used by the remote host. From our sniffer trace above, you can see the TTL is set at 45. This most likely means it went through 19 hops to get to us, so the original TTL was set at 64. Based on this TTL, it appears this packet was sent from a Linux or FreeBSD box, (however, more system signatures need to be added to the database). This TTL is confirmed by doing a traceroute to the remote host. If you are concerend about the remote host detecting your traceroute, you can set your traceroute time-to-live (default 30 hops), to be one or two hops less then the remote host (-m option). For example, in this case we would do a traceroute to the remote host, but using only 18 hops (traceroute -m 18). This gives you the path information (including their upstream provider) without actually touching the remote host. For more information on TTLs, check out this Research Paper on Default TTL values.

 

获取四项指标之后，我们可以讲这些信息与数据库中的签名比较。首先，看远程主机使用的TTL，试验中得到的TTL是45，并且到达我们经历了19跳，所以原始的TTL应该是64，由此可以得到这个数据包来自一个Linux系统或者FreeBSD。推断得出的TTL是64，我们可以通过判断与远程主机的连接情况判断，如果你担心远程主机检测到你的跟踪，你可以设置自己的TTL（默认是30），并且跳数比远程host少1到2跳。比如，在这个例子中，我们要设置跳数为18来跟踪主机，这样可以得到路径信息，同时能够完全不到达远程主机。想获得更多关于TTL的信息，可以点击连接Research Paper on Default TTL values.

 

The next step is too compare the Window size. We have found the Window Size to be another effective tool, specifically what Window Size is used and how often the size changes. In the above signature, we see it set at 0x7D78, a default Window Size commonly used by Linux. Also, Linux, FreeBSD, and Solaris tend to maintain the same Window Size throughout a session (as this one did). However, Cisco routers (at least my 2514) and Microsoft Windows/NT Window Sizes are constantly changing. We have found that Window Size is more accurate if measured after the initial three-way handshake (due to TCP slow start). For more information on Window Size, see Stevens, "TCP/IP Illustrated, Volume 1" Chapter 20.

 

下一步是比较窗口的大小。我们现在已经得到窗口的大小是另一个有效的工具，尤其是窗口大小事如何使用以及变化频率。在上面的例子中，窗口大小被设置为0X7D78，一个Linux设置的通用大小。同时，Linux，freeBSD和Solaris往往会通过session缓存来保证窗口大小不变。然而，思科、微软的窗口大小是不断变化的。我们发现如果通过传统的三次握手之后窗口大小的数值会更精确。如果想了解更多关于窗口大小的信息，可以查看Steverns的"TCP/IP Illustrated, Volume 1" Chapter 20。

 

Most systems use the DF bit set, so this is of limited value. However, this does make it easier to identify the few systems that do not use the DF flag (such as SCO or OpenBSD). After further testing, we feel that TOS is also of limited value. This seems to be more session based then operating system. In other words, its not so much the operating system that determines the TOS, but the protocol used. TOS defintely requires some more testing. So, based on the information above, specifcally TTL and Window size, you can compare the results to the database of signatures and with a degree of confidence determine the OS (in our case, Linux kernel 2.2.x).

 

大部分的系统会设置DF位，所以它的价值不是很高。但是，对于一些不使用DF位的机器来说很容易识别系统。你可以通过将签名数据库中的数据和TTL以及窗口大小做对比，然后得到一个对操作系统判别的级别。

 

Keep in mind, just as with Active Fingerprinting, Passive Fingerprinting has some limitations. First, applications that build their own packets (such as nmap, hunt, nemesis, etc) will not use the same signatures as the operating system. Second, it is relatively simple for a remote host to adjust the TTL, Window Size, DF, or TOS setting on packets. For example, to change the default TTL value:

 

想主动指纹一样，被动指纹有一些缺点：（1）应用程序在构造pack包时不回使用操作系统的指纹；（2）它对只匹配TTL、窗口大小、DF和TOS的pack的判断比较简单。

 

Solaris: ndd -set /dev/ip ip_def_ttl 'number'
Linux: echo 'number' > /proc/sys/net/ipv4/ip_default_ttl
NT: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

However, by combining a variety of different packets and signatures, in this case TTL and Window Size, you can reliably approximate the remote system.

Other Signatures and Uses
We are not limited to the four signatures discussed so far. There are other areas that can be tracked, such as initial sequence numbers, IP Identification numbers, TCP or IP options. For example, Cisco routers tend to start IP Identification numbers at 0, instead of randomly assigning them. For TCP Options, the option Selective Acknowledgement SackOK is commonly used by Windows and Linux, but not commonly used by FreeBSD or Solaris. With Maximum Segment Size (MSS), most operating systems use a MSS of 1460, however Novell commonly uses 1368, and some FreeBSD variants may use a MSS of 512. Also, ICMP packets can be used. Honeynet member Ofir Arkin has done extensive research in using ICMP for fingerprinting, publishing the paper ICMP Usage in Scanning. The ICMP signatures he discusses in this paper can be used for passively fingerprinting systems based on their ICMP signatures. For example, Microsoft ICMP REQUEST payloads contain the alphabet, while most Unix systems, such as Solaris or Linux, ICMP REQUEST payloads have number and symbols.

 

我们目前不仅限于这四类签名，也有其他的领域我们也可以学习，比如说数字序列、ip认证码、TCP 或者IP选项。比如，思科的路由器的IP认证码起始位0，对于TCP选项，选择性的默认StackOk是Windows和Linux常用的选项，但是F热恩BSD和Solaris就不常用，对于最大段的大小，大部分的操作系统默认位1460，但是Novell常使用1368，并且有些FreeBSD版本使用的时512，同时，ICMP包也会被用到。Ofir Arkin通过ICMP在签名领域做了一些研究， 并发表了论文 ICMP Usage in Scanning，在文章中他指出UCMP签名可以被用在被动签名系统中，比如，微软的ICMP请求包的有效负载字母，但是Unix系统多是数字和符号。

 

Passive fingerprinting can be used for several other purposes. It can be used by the bad guys as 'stealthy' fingerprinting. For example, to determine the Operating System of a 'potential victim', such as a webserver, one only needs to request a webpage from the server, then analyze the sniffer traces. This bypasses the need for using an active tool that can be detected by various IDS systems. Also, Passive Fingerprinting may be used to identify remote proxy firewalls. Since proxy firewalls rebuild connection for clients, it may be possible to ID the proxy firewalls based on the signatures we have discussed.

 

被动指纹签名可以被用在其他领域。他可以用于识别坏人的隐身指纹，比如要确定一个潜在受害的操作系统，想web服务器，只需要向服务器发送一个web网页请求，然后分析嗅探痕迹。这种转换方式来使用主动工具，会被很多IDS系统识别。同时，被动指纹可以用来识别远程机器的防火墙，因为代理防火墙与客户端重建连接，它可能能得到基于签名的代理防火墙的ID。

 

 Organizations can use Passive Fingerprinting to identify 'rogue' systems on their network. These would be systems that are not authorized on the network. For example, a Microsoft or Sun shop can quickly identify 'rogue' Linux or FreeBSD systems that mysteriously appeared on their network. Passive Fingerprinting can be used to quickly inventory an organizations operating systems without touching or imapcting any systems or network performance. You would be surprised how may organizations do not know what systems they have on their internal network. For individuals conducting security assessment, Passive Fingerprinting also allows one to quickly identify critical systems (such as Unisys Mainframe). This method can also be used to identify rogue or unautorized systetms or OS types within an organization, a possible indication of 'blackhat' activity.

 

组织单位可以使用被动指纹来识别它们网络上的流氓系统，这些系统可能是网络上没有被认证的系统。例如，Microsot和Sun可以很快的识别出神秘出现在它们网络上的流氓Linux或者FreeBSD系统。被动指纹可以用来快速梳理网络系统同时不需要触碰等。

 

The Project has developed a test database to demonstrate these concepts of passive fingerprinting. The database was built by testing a variety of systems with the Telnet, FTP, HTTP, and SSH protocol. This database is no longer being developed and is provided for demonstration purposes only. If you want to contribute to the development of passive fingerprinting, we recommend the actively maintained solutions we have discussed so far.

 

这个项目已经开发了一些数据库来证明这些被动指纹的概念，这个数据库通过对使用Telnet，FTP，HTTP和SSH协议的不同系统创建，这个数据库仅用于演示使用，不会再对其更新，如果你想针对被动指纹的发展给予贡献，我们将综合当前所有的成果给予指导和建议。

 

Conclusion 
Passive fingerprinting gives you the ability to learn about the enemy, without them knowing it. Though no single piece of information can positively identify a operating system, by combining several signatures, you can make an approximation of the remote system. A big thanks to the following people for their help and ideas:

 

结论

被动指纹可以让你在敌人无意识的状态下学习敌人，因为没有一个单独的特征可以准确的判断操作系统，所以通过综合不同签名，可以对远程系统做出一个近似判断。

Craig Smith
Peter Grundl 
Subterrain Siphon Project