The process as a whole has four components: (1) the acquired network data, (2)
a fingerprint made by refinement of the data, (3) a fingerprint database where
each fingerprint is labeled according to the OS it represents, and (4)
the results produced by a matching algorithm applied to the database and the
fingerprint made from the acquired data. These four components are distributed
into two subprocesses, called fingerprinting and matching.
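The four components can be seen end to end in the following added example, which is not code from the paper or from any of the surveyed tools. The header fields chosen (TTL, window size, DF bit, TCP option order), the weights, the threshold and the database entries labeled OS-A to OS-C are all assumptions constructed for illustration.

```python
"""Four-component OS fingerprinting pipeline on constructed data."""
from dataclasses import dataclass

# (1) Acquired network data: header fields of one TCP reply.
# Constructed sample values, not a real OS signature.
OBSERVED = {"ttl": 57, "window": 29200, "df": True,
            "options": ["mss", "sackOK", "ts", "nop", "wscale"]}

@dataclass(frozen=True)
class Fingerprint:
    initial_ttl: int
    window: int
    df: bool
    options: tuple

def characterize(pkt):
    """(2) Refine raw header fields into a fingerprint."""
    # TTL drops by one per hop, so round up to the nearest common initial value.
    initial = next((t for t in (32, 64, 128, 255) if pkt["ttl"] <= t), 255)
    return Fingerprint(initial, pkt["window"], pkt["df"], tuple(pkt["options"]))

# (3) Fingerprint database, each entry labeled with the OS it represents.
# Labels and values are hypothetical placeholders.
DATABASE = {
    "OS-A": Fingerprint(64, 29200, True, ("mss", "sackOK", "ts", "nop", "wscale")),
    "OS-B": Fingerprint(128, 8192, True, ("mss", "nop", "wscale", "nop", "nop", "sackOK")),
    "OS-C": Fingerprint(255, 4128, False, ("mss",)),
}

# Assumed integer weights per field (sum to 10) and an assumed cut-off.
WEIGHTS = {"initial_ttl": 2, "window": 3, "df": 1, "options": 4}
THRESHOLD = 6

def score(observed, reference):
    """Sum the weights of the fields on which two fingerprints agree."""
    return sum(w for f, w in WEIGHTS.items()
               if getattr(observed, f) == getattr(reference, f))

def classify(fp, db=DATABASE, threshold=THRESHOLD):
    """(4) Match against the database; weak matches are reported as unknown."""
    label, best = max(((name, score(fp, ref)) for name, ref in db.items()),
                      key=lambda item: item[1])
    return (label, best) if best >= threshold else ("unknown", best)

if __name__ == "__main__":
    print(classify(characterize(OBSERVED)))
```

Reporting "unknown" below the threshold matters in practice: forcing the nearest label onto a host whose stack is not in the database produces a confident but wrong inventory entry.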
The techniques used for this purpose differ according to the data they use
and how these data are acquired. The OS fingerprinting process can be divided
into two consecutive tasks, which we call characterization and classification. In the
characterization task a fingerprint is created for an OS, while in the classification
task some procedure is applied to a database of these fingerprints to classify (match)
the OS. According to how data are created and captured, the methods can be
grouped into two classes:
- Active: the machine that performs the identification sends messages to the
remote machine. The responses to these messages (or the lack of responses)
are used in the identification process;
- Passive: the machine that performs the identification does not send messages
through the network to perform identification. The remote machine's
data is captured when it communicates with a third machine. This implies
that the identification machine must have access to the communication channel
between the remote and the third machine.
The way these two categories of tools perform fingerprinting is very important
because it is closely related to the tool's efficiency. Choosing the appropriate tool for
OS fingerprinting is an important question to consider, since it will (usually) be
applied in security tests. We will show some of the most important characteristics
of the most well known tools and how these characteristics are important
for a security expert.
The rest of this paper has four more sections. The criteria used to select
tools and OSes, and the test bed used for the assessment, are presented in Section 2. The
results are presented in Section 3. The results are explained in
Section 4, and Section 5 concludes the paper.
2Seno
When the OS fingerprinting process uses TCP/IP network data, the process is
called TCP/IP stack fingerprinting, which takes advantage of details that differ
from implementation to implementation of TCP/IP [8]. The selection of the
tools used in this survey is guided by four reasons: (i) greater acceptance
by the security community [1]; (ii) wide use [9]; (iii) the techniques used are at
least mentioned in papers [4,12]; and (iv) the use of active OS fingerprinting. The last
reason was adopted because, unlike passive methods, the active ones
can produce the data they need without depending on third devices, and the techniques
used to create fingerprints depend only on data. For such reason, other
well known TCP/IP stack fingerprinting tools such as p0f, PRADS, Ettercap,