Passive fingerprinting is a way to guard your system by finding out information about remote systems without them knowing. Every operating system (OS) has its own fingerprint that is determined by its unique TCP/IP stack. Each OS responds differently to malformed packages. This response can then be compared to a database of responses to determine the OS. Both active fingerprinting and passive fingerprinting follow these same steps to learn about the enemy. So, what’s the difference between active and passive fingerprinting?
Active fingerprinting might generate traffic between your system and the invading system. Passive fingerprinting allows you to stealthily identify the other system using packet sniffing. No new packets are generated that could be sent to the remote system so nothing can be detected. A popular packet sniffing tool is called nmap.
Four things on the packet to determine OS
There are four things in the packet that could help determine the remote OS.
- TTL- a timer value included in packets sent over networks that tells the recipient how long to hold or use the packet before discarding and expiring the data (packet)
- Window Size
- DF – the amount of free space in the file system
- TOS – type of service to determine packet prioritization
These values are not 100 percent reliable but they do provide enough information to begin. These values can be changed by the remote host so no single value is an indicator of the remote OS; however, after analyzing enough packets with consistent data, compared against a database, you can reliably assess the remote OS quite accurately.
These four are not the only values to assess. There are other signatures to look at to make an accurate determination. A good source database will include the testing value from several systems using Telnet, FTP, HTTP, and SSH protocols.