
SecurityTrails Blog · May 21 · SecurityTrails team

Cybersecurity Fingerprinting Techniques and OS-Network Fingerprint Tools


In the physical world, analyzing fingerprints is one of the most popular techniques used to identify people involved with all types of crimes, from robbery to kidnapping or even murder.

In the digital world, there are ways to analyze fingerprints as well—but in this sense we’re talking about OS, network and service fingerprints.

In this article we’ll explore what a fingerprint is in cyber security, different types of fingerprint techniques, and some of the most popular fingerprinting tools in use.

What is fingerprinting in cyber security?

Fingerprints in the digital world are similar to what human fingerprints are in the real world. Simply put, a fingerprint is a group of information that can be used to detect software, network protocols, operating systems or hardware devices.

Fingerprinting (also known as footprinting) is the art of using that information to correlate data sets in order to identify—with high probability—network services, operating system number and version, software applications, databases, configurations and more.

Once the penetration tester has enough information, this fingerprinting data can be used as part of an exploit strategy against the target.

How does OS and network fingerprinting work?

In order to detect OS, network, service and application names and versions, attackers send custom packets to the target. The target's responses form a digital signature, and that signature is one of the keys to identifying which software, protocols and OS the target device is running.

Once the attackers have the right information, they know your scenario, and can create a full infrastructure map of all your services and possible network topology to fine-tune their digital assault.

Types of fingerprinting techniques

Just as there are many human fingerprinting techniques used to extract information from certain scenarios, in the digital world there are many ways to analyze digital fingerprints from hosts.

Most digital fingerprinting techniques are based on detecting certain patterns and differences in network packets generated by operating systems.

Fingerprinting techniques typically analyze different types of packets and fields, such as TCP window size, TCP options in SYN and SYN+ACK packets, ICMP requests, HTTP packets, DHCP requests, IP TTL values and IP ID values.

Active fingerprinting

Active fingerprinting is the most popular type of fingerprinting in use. It consists of sending packets to a victim and waiting for the victim’s reply to analyze the results.

This is often the easiest way to detect a remote OS, network and services. It's also the riskiest, as it is easily detected by intrusion detection systems (IDS) and packet-filtering firewalls.

A popular platform used to launch active fingerprint tests is Nmap. This handy tool can help you detect specific operating systems and network service applications when you launch TCP, UDP or ICMP packets against any given target.

By using internal scripting rules, Nmap analyzes the victim's replies, then prints out the results, which are accurate 99% of the time.

Port scanning is one of the most traditional forms of fingerprinting. We’ve recognized Nmap as one of the best port scanners around, as seen in our previous article Top 15 Nmap Commands to Scan Remote Hosts.

Passive fingerprinting

Passive fingerprinting is an alternative approach to avoid detection while performing your reconnaissance activities.

The main difference between active and passive fingerprinting is that passive fingerprinting does not actively send packets to the target system. Instead, it acts as a network scanner in the form of a sniffer, merely watching the traffic data on a network without performing network alteration.

Once the attacker has sniffed enough information, it can be analyzed to extract patterns that will be useful for detecting operating systems and applications.

While this type of technique may bypass common network intrusion detection techniques, it’s not guaranteed to hide your network presence while sniffing traffic.
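To make the passive approach concrete, here is an added Python example (not from the original article and not p0f's own code) that extracts the fields listed earlier, IP TTL, TCP window size and the order of TCP options, from a raw IPv4/TCP SYN and matches them against a small illustrative signature table. The signatures, the packets and the IP addresses are all constructed for this example; p0f's real database is far larger and also weighs MSS, window-scaling ratios and protocol quirks.

```python
import struct

# Illustrative signature table constructed for this example; NOT p0f's real fp.tcp.
# Key: (assumed initial TTL, TCP window size, TCP option order seen in the SYN).
SIGNATURES = {
    (64, 29200, "mss,sok,ts,nop,ws"): "Linux 3.x/4.x (example signature)",
    (64, 65535, "mss,nop,ws,nop,nop,ts,sok,eol"): "macOS (example signature)",
    (128, 8192, "mss,nop,ws,nop,nop,sok"): "Windows (example signature)",
}

OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def parse_tcp_options(raw: bytes) -> list:
    """Return TCP option kinds in the order they appear (EOL ends the list)."""
    names = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        names.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        if kind == 0:           # EOL: nothing follows
            break
        if kind == 1:           # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2:
            raise ValueError("malformed TCP option")
        i += raw[i + 1]         # skip kind, length and data bytes
    return names


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract the fingerprint-relevant fields from an IPv4 + TCP header."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    offset_flags, window = struct.unpack("!HH", tcp[12:16])
    data_offset = (offset_flags >> 12) * 4
    flags = offset_flags & 0x1FF
    return {
        "ttl": ttl,
        "window": window,
        "is_syn": flags == 0x02,  # SYN set and nothing else (no ACK)
        "options": parse_tcp_options(tcp[20:data_offset]),
    }


def initial_ttl(observed: int) -> int:
    """The sender's initial TTL is unknown; round up to the nearest common default."""
    for candidate in (32, 64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def fingerprint(packet: bytes) -> str:
    """Match a SYN against the signature table; unknown combinations are reported as such."""
    fields = parse_ipv4_tcp(packet)
    if not fields["is_syn"]:
        return "not a SYN"
    key = (initial_ttl(fields["ttl"]), fields["window"], ",".join(fields["options"]))
    return SIGNATURES.get(key, f"unknown {key}")


# --- constructed test input (checksums left zero; never sent on the wire) ---
MSS, SOK, NOP, WS, EOL = b"\x02\x04\x05\xb4", b"\x04\x02", b"\x01", b"\x03\x03\x07", b"\x00"
TS = b"\x08\x0a" + b"\x00" * 8


def build_syn(ttl: int, window: int, options: bytes) -> bytes:
    """Build a minimal IPv4 + TCP SYN with the given TTL, window and option bytes."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    data_offset = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (data_offset << 12) | 0x02,
                      window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return ip + tcp


if __name__ == "__main__":
    print(fingerprint(build_syn(52, 29200, MSS + SOK + TS + NOP + WS)))
```

The TTL bucketing is the part that makes this workable on a live network: a sniffer only sees the TTL after an unknown number of hops, so the signature stores the likely initial value instead of the observed one.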

Top OS fingerprinting tools

When it comes to cybersecurity fingerprinting, one of the most popular methods involves OS name and version detection.

This is part of the usual data intelligence process when running your OSINT research. While many tools may fit into this particular category, a few stand out from the rest.

Let’s look at some active and passive OS fingerprinting tools.

Nmap

It’s impossible for us to avoid mentioning one of the best port scanners in the world in this list. Nmap includes many features as a port scanner, but also as an OS detection software.

How can I detect a remote operating system with Nmap?

The -O option makes this happen: it enables OS detection in your scans using Nmap's fingerprinting features. Two sub-options can be combined with it:

--osscan-limit: Limit OS detection to promising targets. OS detection is far more effective when Nmap finds at least one open and one closed TCP port, so with this option Nmap skips hosts that don't meet that condition. It's the fastest option available for performing reconnaissance tasks.

--osscan-guess: Makes Nmap guess more aggressively when it is unable to detect the exact OS the remote system is running. While this may not show you the exact remote OS, Nmap reports the accuracy/confidence level (percentage) for each OS guess.

Let’s see how to perform a basic OS detection with Nmap:

nmap -O X.X.X.X

The result may look similar to this:

Basic OS detection with Nmap

As you can see in this example, Nmap detected the services running on open ports and applied aggressive guessing of the remote operating system.

OS detection performed. Please report any incorrect results at https://nmap.org/submit/.

Nmap done: 1 IP address (1 host up) scanned in 25.68 seconds

If a firewall is blocking your request, you can add the -Pn option (skip host discovery and treat the host as online), as shown below:

nmap -O X.X.X.X -Pn

A more aggressive approach is the -A option, but this is likely to be detected by the remote host's firewall:

nmap -A X.X.X.X
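Reading OS guesses off the screen does not scale to more than a handful of hosts, so here is an added Python example (not part of the original article) that parses Nmap's XML output, as produced by `nmap -O --osscan-guess -oX -`, to pull out each host's best OS guess with its confidence percentage and to flag hosts where the one-open-and-one-closed-TCP-port condition for reliable detection was not met. The XML below is a constructed, trimmed sample in the shape Nmap emits, not a real scan, and the addresses are documentation addresses.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -O --osscan-guess -oX -` output,
# trimmed to the elements used here (not a real scan result).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O --osscan-guess -oX - 192.0.2.10 192.0.2.11">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="113"><state state="closed"/></port>
    </ports>
    <os>
      <osmatch name="Linux 4.15 - 5.6" accuracy="96">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="96"/>
      </osmatch>
      <osmatch name="Linux 3.2 - 4.9" accuracy="90">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="90"/>
      </osmatch>
    </os>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
    <os/>
  </host>
</nmaprun>
"""


def summarize_os(xml_text: str, min_accuracy: int = 90) -> list:
    """One record per host: best OS guess at or above min_accuracy (or None),
    the number of candidate matches, and whether Nmap saw both an open and a
    closed TCP port, the precondition for a reliable OS fingerprint."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        states = {p.find("state").get("state") for p in host.findall("ports/port")}
        matches = [(m.get("name"), int(m.get("accuracy"))) for m in host.findall("os/osmatch")]
        matches.sort(key=lambda m: m[1], reverse=True)   # highest confidence first
        best = matches[0] if matches and matches[0][1] >= min_accuracy else None
        results.append({
            "host": addr,
            "reliable_probe": {"open", "closed"} <= states,
            "best_guess": best,
            "candidates": len(matches),
        })
    return results


if __name__ == "__main__":
    for record in summarize_os(SAMPLE_XML):
        print(record)
```

In practice you would feed this the file written by `-oX scan.xml`; the `reliable_probe` flag tells you which hosts are worth re-scanning with a wider port range before trusting (or reporting) the OS guess.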

p0f

p0f is a great alternative to Nmap: a passive fingerprinting tool used to analyze network traffic and identify patterns in TCP/IP-based communications, which often works where Nmap's active fingerprinting techniques are blocked.

It includes powerful network-level fingerprinting features, as well as one that analyzes application-level payloads such as HTTP. It’s also useful for detecting NAT, proxy and load balancing setups.

p0f installation is very easy. It only requires you to download the compressed archive, extract it and run ./build.sh, as seen here:

[22:22]root@securitytrails(0):p0f-3.09b[0]# ./build.sh
Welcome to the build script for p0f 3.09b!
Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
[+] Configuring production build.
[*] Checking for a sane build environment... OK
[*] Checking for working GCC... OK
[*] Checking for *modern* GCC... OK
[*] Checking if memory alignment is required... nope
[*] Checking for working libpcap... OK
[*] Checking for working BPF... OK
[+] Okay, you seem to be good to go. Fingers crossed!
[*] Compiling p0f... OK (see COMPILER-WARNINGS)
And that's it. Be sure to review README. If you run into any problems, you
can reach the author at <lcamtuf@coredump.cx>.

Once installed, you can start passive fingerprinting of network traffic by running:

./p0f -i eth0

Our tests revealed significant and sensitive information about the outgoing TCP connections to remote servers, as well as port numbers of local services and operating system version:

Outgoing TCP to remote, port numbers, and OS version.

You can also read offline pcap data from a given file by using:

./p0f -r some_capture.cap

This passive fingerprinting tool includes more options that can be explored by running ./p0f --help.

Ettercap

Ettercap is another great network sniffing tool that supports many different protocols, including Telnet, FTP, IMAP, SMB, MySQL, LDAP, NFS and encrypted ones like SSH and HTTPS.

While it's often used to launch man-in-the-middle attacks, it's also useful as a fingerprinting tool that can help identify local and remote operating systems along with running services, open ports, IP address, MAC address and network adapter vendor.

Ettercap can be easily installed on most Unix/Linux platforms. In order to perform OS and service detection, it will sniff your entire network (e.g. visited websites), and save the results in profiles. From there you can begin exploring information from all the intercepted hosts, as you can see in the following screenshots:

Information from intercepted hosts

We checked a few hosts. In the following example, fedoraproject.org was analyzed, revealing a few interesting details such as IP address, hostname, type of host, operating system (in this case it wasn’t detected), operating system guess, open ports, and running services.

Ettercap Fedoraproject analysis

Network and service fingerprint tools

When it comes to cybersecurity fingerprinting we can do more than detect remote OS names and versions—we can also focus on specific network services.

DNS fingerprinting

Tools like fpdns can identify, based on DNS queries alone, which software a DNS server is running, even when version reporting has been disabled (for example, BIND's version string).

How can I remotely determine the DNS server version of any website?

To do so you can run the following command:

fpdns -D site.com

Output example:

Output example

As seen in the previous image, there are times when you won't get the DNS server name and version for some websites, while on others it's easily detectable.

You can also go a little further and test whether DNS recursion is enabled by simply running:

fpdns dns.server.com

Replace dns.server.com with a real Name Server.

The output should be something like:

[23:32]root@securitytrails(1):temp[0]# fpdns ns1.server.com
fingerprint (ns1.server.com., XX.XX.XX.XX): ISC BIND 9.2.3rc1 -- 9.4.0a0 [recursion enabled]

Now let’s jump into some new fingerprinting standards, not just tools.

SSH fingerprinting

Hassh is a new SSH fingerprinting standard used to accurately detect and identify specific SSH client and server deployments. The fingerprints are stored as MD5 hashes by default, for later analysis, use and comparison when needed.

While SSH is a fairly secure protocol, analyzing the interaction between client and server has a few drawbacks. Here, using Hassh can help in situations such as:

  • Managing alerts and automatically blocking SSH clients whose Hassh fingerprint falls outside a known "good set".
  • Detecting data exfiltration through anomaly detection on SSH clients with multiple distinct Hassh values.
  • Forensic investigation: SSH connection attempts are now easier to find, with greater granularity than searching by source IP. Because the Hassh is derived from the SSH client software itself, it helps identify the origin even when the IP is behind a NAT and shared by different SSH clients.
  • Detecting and identifying specific client and server SSH implementations.

It works by computing the MD5 "hassh" and "hasshServer" values from the specific set of algorithms that SSH clients and SSH servers advertise when setting up the SSH encrypted channel. The result is a unique identification string that can be used to fingerprint client and server applications.

The final MD5 maps to specific implementations, as in these examples:

c1c596caaeb93c566b8ecf3cae9b5a9e SSH-2.0-dropbear_2016.74
d93f46d063c4382b6232a4d77db532b2 SSH-2.0-dropbear_2016.72
2dd9a9b3dbebfaeec8b8aabd689e75d2 SSH-2.0-AWSCodeCommit
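The following is an added Python example (not the Hassh project's own code) that shows where those hashes come from: it encodes and parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1, assembles the hassh string from the key-exchange, client-to-server encryption, MAC and compression name-lists (the hasshServer string uses the server-to-client lists from the server's KEXINIT), hashes it with MD5, and checks the result against a known-good set, as in the first use case listed above. The algorithm lists and the cookie are constructed sample values, not captured from real software, so the resulting hashes will not match the examples above.

```python
import hashlib
import struct

SSH_MSG_KEXINIT = 20


def name_list(names: list) -> bytes:
    """Encode an SSH name-list: uint32 length followed by comma-separated names."""
    data = ",".join(names).encode()
    return struct.pack("!I", len(data)) + data


def build_kexinit(cookie: bytes, lists: list, first_kex_follows: bool = False) -> bytes:
    """Encode a KEXINIT payload (RFC 4253 section 7.1) from its ten name-lists."""
    if len(cookie) != 16 or len(lists) != 10:
        raise ValueError("KEXINIT needs a 16-byte cookie and ten name-lists")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += b"".join(name_list(n) for n in lists)
    return payload + bytes([int(first_kex_follows)]) + struct.pack("!I", 0)


def parse_kexinit(payload: bytes) -> list:
    """Decode the ten name-lists from a KEXINIT payload, in wire order."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, []  # skip the message type byte and the 16-byte cookie
    for _ in range(10):
        (length,) = struct.unpack("!I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length].decode()
        pos += length
        lists.append(raw.split(",") if raw else [])
    return lists


def hassh_string(lists: list, server: bool = False) -> str:
    """hassh joins the client-to-server lists; hasshServer (server=True, applied to the
    server's own KEXINIT) joins the server-to-client lists. Fields are ';'-separated."""
    kex, _hostkey, enc_c2s, enc_s2c, mac_c2s, mac_s2c, comp_c2s, comp_s2c = lists[:8]
    parts = (kex, enc_s2c, mac_s2c, comp_s2c) if server else (kex, enc_c2s, mac_c2s, comp_c2s)
    return ";".join(",".join(p) for p in parts)


def hassh(lists: list, server: bool = False) -> str:
    """The published fingerprint is the MD5 hex digest of the hassh string."""
    return hashlib.md5(hassh_string(lists, server).encode()).hexdigest()


def classify(fp: str, known_good: set) -> str:
    """Allow-list check from the first use case: alert on fingerprints outside the good set."""
    return "known" if fp in known_good else "ALERT: unknown SSH implementation"


# Constructed sample algorithm lists for an illustrative client (not captured from real software).
CLIENT_LISTS = [
    ["curve25519-sha256", "diffie-hellman-group14-sha256"],       # kex_algorithms
    ["ssh-ed25519", "rsa-sha2-512"],                              # server_host_key_algorithms
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],  # encryption client-to-server
    ["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"],  # encryption server-to-client
    ["hmac-sha2-256"],                                            # mac client-to-server
    ["hmac-sha2-256"],                                            # mac server-to-client
    ["none", "zlib@openssh.com"],                                 # compression client-to-server
    ["none", "zlib@openssh.com"],                                 # compression server-to-client
    [],                                                           # languages client-to-server
    [],                                                           # languages server-to-client
]

if __name__ == "__main__":
    packet = build_kexinit(b"\x00" * 16, CLIENT_LISTS)
    fp = hassh(parse_kexinit(packet))
    print(fp, classify(fp, {fp}))
```

Note that only the algorithm names and their order go into the hash, never the cookie or the negotiated result, which is why two installs of the same client version produce the same value while a reordered list produces a different one.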

Hassh is a brand new project; its GitHub repo has only been online for a few months. It looks like a solid solution, one that can shed light on the typical SSH client-server connection problems seen for decades. Thanks to this new fingerprint standard, debugging SSH connections will be easier.

Check out the original Salesforce engineering announcement for more information.

SSL fingerprinting

JA3, as its creators describe it, is an SSL/TLS fingerprinting method. It produces fingerprints that can be generated on any platform for later threat intelligence analysis.

As with the previous technology (Hassh), using JA3 + JA3S to fingerprint the TLS negotiation between both ends (client and server) produces a more accurate identification of the encrypted communications.

This identifies clients and servers with high probability in almost all cases, as you can see below with the Tor client and Tor server:

Standard Tor Client:

JA3 = e7d705a3286e19ea42f587b344ee6865 (Tor Client)
JA3S = a95ca7eab4d47d051a5cd4fb7b6005dc (Tor Server Response)

This gives researchers a higher level of confidence that this activity is indeed Tor traffic, and nothing else.
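To show what goes into a JA3 value like the one above, here is an added Python example (not code from the JA3 project) that builds a TLS ClientHello record, parses it back, and derives the JA3 string (TLS version, cipher suites, extension types, supported groups and EC point formats, as decimal values joined with dashes) and its MD5. It also handles the GREASE values that modern clients randomize and that JA3 filters out, so the same client keeps a stable hash across connections. The ClientHello contents and the server name are constructed for this example, and JA3S (the server side) is not covered.

```python
import hashlib
import struct

# GREASE values (0x0a0a, 0x1a1a, ..., 0xfafa) that clients randomize; JA3 drops them before hashing.
GREASE = {(0x0A + 0x10 * i) * 0x101 for i in range(16)}


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Encode a TLS record carrying a ClientHello; `extensions` is a list of (type, data)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                            # one compression method: null
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def ja3_string(record: bytes) -> str:
    """Parse a ClientHello record and return the JA3 string that gets hashed."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                            # handshake type + 3-byte length
    (version,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    pos += 32                                          # client random
    pos += 1 + hs[pos]                                 # session id
    (cs_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", hs[pos:pos + cs_len])]
    pos += cs_len
    pos += 1 + hs[pos]                                 # compression methods
    ext_types, groups, formats = [], [], []
    if pos < len(hs):
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == 10:        # supported_groups: uint16 length + uint16 group ids
                (n,) = struct.unpack("!H", data[:2])
                groups = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n])]
            elif etype == 11:      # ec_point_formats: uint8 length + uint8 formats
                formats = list(data[1:1 + data[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), field(ciphers), field(ext_types), field(groups), field(formats)])


def ja3(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


# --- constructed ClientHello (not a capture) with GREASE in ciphers, extensions and groups ---
SNI_NAME = b"example.com"
SNI_DATA = struct.pack("!HBH", len(SNI_NAME) + 3, 0, len(SNI_NAME)) + SNI_NAME
FORMATS_DATA = b"\x01\x00"                                     # one format: uncompressed
SAMPLE_HELLO = build_client_hello(
    0x0303,                                                    # TLS 1.2 legacy version = 771
    [0x1A1A, 0x1301, 0x1302, 0xC02B],                          # GREASE, two TLS 1.3 suites, one TLS 1.2
    [(0x0A0A, b""), (0, SNI_DATA), (10, struct.pack("!HHHH", 6, 0x2A2A, 29, 23)),
     (11, FORMATS_DATA), (23, b"")],
)
SAMPLE_NO_GREASE = build_client_hello(
    0x0303,
    [0x1301, 0x1302, 0xC02B],
    [(0, SNI_DATA), (10, struct.pack("!HHH", 4, 29, 23)), (11, FORMATS_DATA), (23, b"")],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO), ja3(SAMPLE_HELLO))
```

Because the extension list is hashed in the order the client sends it, two implementations that support the same features but emit them in a different order still get different JA3 values, which is exactly what makes the hash useful for telling clients apart.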

More information can be found in the JA3 GitHub repo.

Summary

If you are on a red team, network and service fingerprinting is one of the most useful things to consider when trying to generate data intelligence about your target.

For blue teams, fingerprinting can generate helpful information that may be used to harden your OS and network stack, in order to avoid future cybersecurity threats.

The fingerprint techniques and tools we mentioned here can be excellent OSINT sources in your data gathering process, but there is much more to explore. Domain names, DNS services, as well as IP addresses and SSL certificates can often leave unseen trails—exposing vulnerable parts of your attack surface.