Table 2. Classification results

Columns: Network setup | Nmap | SinFP | Xprobe2 | Zion
Rows: Clean environment; Using Port Address Translation; Using Packet Normalization; Using SYN proxy; Using Honeyd
(The result cells carry the note markers (a) to (g), explained below.)
The notes in each part of Table 2 refer to the following facts and events:
(a) unable to distinguish between Windows 2000 and XP;
(b) the Debian GNU/Linux operating system was not precisely recognized: it was classified as Linux 2.6.X and OpenBSD 4.X with the same degree of certainty (85%);
(c) because Xprobe2 uses only network layer information, it cannot distinguish operating systems using information associated with the transport layer;
(d) the Debian GNU/Linux operating system was not precisely recognized: it was classified as Linux 2.6.X and OpenBSD 4.X with almost the same degree of certainty (approximately 86%);
(e) the use of Honeyd was not recognized, but the Honeyd mimicry was not good enough to produce a wrong result;
(f) the Zion tool was able to recognize the use of the SYN proxy;
(g) the Zion tool was able to recognize the use of Honeyd.
Up to this point we have shown where each analyzed tool fails in the task of recognizing operating systems remotely. Although only active tools have been analyzed, the methods used by passive tools are also fragile, since the information these methods rely on is also affected by the security mechanisms used here. The next section examines what information can be used to perform OS fingerprinting even in the presence of PF and Honeyd.
4 Why Zion Outperforms?
The TCP ISN (Initial Sequence Number) is responsible for maintaining consistency in TCP communications (i.e. avoiding duplicated segments originating from the reuse of sequence numbers of previous connections [16]). The way the generation of these numbers is implemented can lead to security problems. After the discovery of these problems, a new recommendation was established in 1996 by RFC 1948 [5]. Michal Zalewski first showed that some operating systems have a distinct way of implementing the generation of these numbers [21,22].
To use the TCP ISNs as data for a signature for OS fingerprinting, we consider the PRNG (Pseudo Random Number Generator) of the operating systems. The current recommendation for the generation of these numbers through a function $G_{isn}(t)$ is expressed as [5]:
$$G_{isn}(t) = M(t) + F(\cdot) \quad (1)$$
$$M(t) = M(t-1) + R(t) \quad (2)$$
$$F(\cdot) = f(\text{connection id}, \text{secret key}) \quad (3)$$
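As an added example that is not from the paper, the following Python code implements the RFC 1948 scheme of equations (1) to (3) and shows why the ISN sequence carries a signature: for the same connection id the per-connection term $F(\cdot)$ cancels, so consecutive ISNs differ only by the elapsed clock ticks $R(t)$, while a different connection id adds an unpredictable offset. Assumptions: a 4-microsecond tick, MD5 as $f$ (as in RFC 1948), and constructed addresses and secret key.

```python
import hashlib
import struct
from dataclasses import dataclass

TICK_US = 4  # RFC 1948 keeps the 4-microsecond ISN clock of RFC 793
MASK32 = 0xFFFFFFFF


@dataclass
class IsnGenerator:
    """Minimal RFC 1948-style ISN generator (illustrative, not an OS's code)."""
    secret: bytes  # per-host secret key, assumed fixed for the host's uptime
    m: int = 0     # M(t): the running counter of eq. (2)

    def tick(self, elapsed_us: int) -> None:
        """Advance M(t) by R(t), the number of ticks elapsed since the last call."""
        self.m = (self.m + elapsed_us // TICK_US) & MASK32

    def f(self, src: str, sport: int, dst: str, dport: int) -> int:
        """F(.) = f(connection id, secret key) of eq. (3), low 32 bits of MD5."""
        conn_id = f"{src}:{sport}->{dst}:{dport}".encode() + self.secret
        return struct.unpack(">I", hashlib.md5(conn_id).digest()[:4])[0]

    def isn(self, src: str, sport: int, dst: str, dport: int) -> int:
        """G_isn(t) = M(t) + F(.) modulo 2^32, eq. (1)."""
        return (self.m + self.f(src, sport, dst, dport)) & MASK32


def isn_deltas(secret: bytes, elapsed_us: int) -> tuple:
    """Return (delta for the same connection id, delta for another connection id)
    observed after `elapsed_us` microseconds. Addresses are constructed samples."""
    gen = IsnGenerator(secret=secret)
    first = gen.isn("10.0.0.1", 40000, "10.0.0.2", 80)
    gen.tick(elapsed_us)
    same_conn = gen.isn("10.0.0.1", 40000, "10.0.0.2", 80)
    other_conn = gen.isn("10.0.0.1", 40001, "10.0.0.2", 80)  # only the port differs
    return (same_conn - first) & MASK32, (other_conn - first) & MASK32


if __name__ == "__main__":
    same, other = isn_deltas(b"constructed-secret", 4000)
    print(f"same connection id: delta = {same} ticks")   # 1000 = 4000 us / 4 us
    print(f"other connection id: delta = {other}")      # hash-dependent offset
```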