[ Thanks to Noel
for this link. ]
“One of the challenges of network security is learning about the
bad guys. To understand your threats and better protect against
them, you have to Know Your Enemy. Passive Fingerprinting is a
method to learn more about the enemy, without them knowing it.
Specifically, you can determine the operating system and other
characteristics of the remote host using nothing more then sniffer
traces. Though not 100% accurate, you can get surprisingly good
results.”
“Traditionally, Operating System fingerprinting has been done
using active tools, such as queso or nmap. These tools operate on
the principle that every operating system’s IP stack has its own
idiosyncrasies. Specifically, each operating system responds
differently to a variety of malformed packets. All one has to do is
build a database on how different operating systems respond to
different packets. Then, to determine the operating system of a
remote host, send it a variety of malformed packets, determine how
it responds, then compare these responses to a database.”
“Passive fingerprinting is based on sniffer traces from the
remote system. Instead of actively querying the remote system, all
you need to do is capture packets sent from the remote system.
Based on the sniffer traces of these packets, you can determine the
operating system of the remote host.”
“Below is the sniffer trace of a system sending a packet. This
system launched a mountd exploit against me, so I want to learn
more about it. I do not want to finger or nmap the box, that could
give me away. Rather, I want to study the information passively.
This signature was captured using snort, my sniffer of choice.”