RootPrompt.org: Passive Fingerprinting; IDing remote hosts, without them knowing
May 01, 2000, 13:39
(Other stories by Lance Spitzner)
[ Thanks to Noel for this link. ]
"One of the challenges of network security is learning about the bad guys. To understand your threats and better protect against them, you have to Know Your Enemy. Passive Fingerprinting is a method to learn more about the enemy, without them knowing it. Specifically, you can determine the operating system and other characteristics of the remote host using nothing more than sniffer traces. Though not 100% accurate, you can get surprisingly good results."
"Traditionally, Operating System fingerprinting has been done using active tools, such as queso or nmap. These tools operate on the principle that every operating system's IP stack has its own idiosyncrasies. Specifically, each operating system responds differently to a variety of malformed packets. All one has to do is build a database on how different operating systems respond to different packets. Then, to determine the operating system of a remote host, send it a variety of malformed packets, determine how it responds, then compare these responses to a database."
"Passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system, all you need to do is capture packets sent from the remote system. Based on the sniffer traces of these packets, you can determine the operating system of the remote host."
"Below is the sniffer trace of a system sending a packet. This system launched a mountd exploit against me, so I want to learn more about it. I do not want to finger or nmap the box, that could give me away. Rather, I want to study the information passively. This signature was captured using snort, my sniffer of choice."
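The sniffer trace the excerpt refers to is not reproduced on this page. As an added illustration of the passive method described in the paragraphs above (this is example code written for this page, not Spitzner's tool or snort's), the following Python script pulls the fields a passive fingerprinter keys on (IP TTL, TOS, the DF bit and the TCP window size) straight out of a raw IPv4/TCP header and scores them against a small signature table. The signature table, the hop budget of 32 and the sample packets are constructed assumptions for the example; a real database would be built from observed traffic, as the excerpt says. Because the remote host's TTL is decremented at every hop, the script does not require an exact TTL match but checks whether the observed value could plausibly have started at a signature's initial TTL.

```python
import struct

# Constructed signature table (an assumption for this example; the article's own
# database is not shown on the page). Fields: initial TTL, TCP window, DF bit, TOS.
SIGNATURES = [
    {"os": "Linux 2.2 (assumed)",       "ttl": 64,  "window": 32120, "df": True, "tos": 0x00},
    {"os": "Windows NT/2000 (assumed)", "ttl": 128, "window": 8192,  "df": True, "tos": 0x00},
    {"os": "Solaris 2.6/2.7 (assumed)", "ttl": 255, "window": 10136, "df": True, "tos": 0x10},
]

MAX_HOPS = 32  # assumed upper bound on path length when reconciling TTLs


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract the passive-fingerprint fields from a raw IPv4 + TCP header."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    (ver_ihl, tos, _total_len, _ident, flags_frag, ttl, proto,
     _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6 or len(packet) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    df = bool(flags_frag & 0x4000)          # Don't Fragment bit in the IP flags
    (_sport, _dport, _seq, _ack, off_flags, window,
     _tcsum, _urg) = struct.unpack("!HHIIHHHH", packet[ihl:ihl + 20])
    tcp_flags = off_flags & 0x3F
    return {
        "ttl": ttl,
        "tos": tos,
        "df": df,
        "window": window,
        # Window size is most characteristic on the initial SYN; later segments
        # are shaped by the connection's flow control, so a caller should prefer SYNs.
        "syn": bool(tcp_flags & 0x02) and not (tcp_flags & 0x10),
    }


def fingerprint(fields: dict) -> list:
    """Score every signature against the observed fields; best match first.

    Each entry is a dict with the OS name, a 0..4 score and the hop count implied
    by the signature's initial TTL (None if the TTL does not fit the signature).
    """
    results = []
    for sig in SIGNATURES:
        distance = sig["ttl"] - fields["ttl"]
        ttl_ok = 0 <= distance <= MAX_HOPS
        score = (
            int(ttl_ok)
            + int(sig["window"] == fields["window"])
            + int(sig["df"] == fields["df"])
            + int(sig["tos"] == fields["tos"])
        )
        results.append({"os": sig["os"], "score": score,
                        "hops": distance if ttl_ok else None})
    results.sort(key=lambda r: -r["score"])
    return results


def build_syn(ttl: int, tos: int, df: bool, window: int) -> bytes:
    """Construct a minimal IPv4/TCP SYN for the example (checksums left at zero)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, flags_frag, ttl, 6, 0, src, dst)
    tcp = struct.pack("!HHIIHHHH", 40000, 111, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


def identify(packet: bytes) -> dict:
    """Convenience wrapper: parse a packet and return the best-scoring guess."""
    return fingerprint(parse_ipv4_tcp(packet))[0]


if __name__ == "__main__":
    # Constructed sample: a SYN seen with TTL 243, TOS 0x10, DF set, window 10136.
    for pkt in (build_syn(243, 0x10, True, 10136), build_syn(120, 0x00, True, 8192)):
        f = parse_ipv4_tcp(pkt)
        best = fingerprint(f)[0]
        print(f"ttl={f['ttl']} tos={f['tos']:#04x} df={f['df']} win={f['window']} "
              f"-> {best['os']} (score {best['score']}/4, ~{best['hops']} hops)")
```

The scoring is deliberately loose: a single field is weak evidence (many stacks share a default TTL), and the excerpt's own caveat that the method is not 100% accurate applies. Treat a 4/4 match on an initial SYN as a good lead, not proof, and watch for hosts whose window or TTL has been tuned away from the defaults.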