LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting

More documents

Recommendations

Info

Ambiguity Resolution via Passive OS Fingerprinting 199 Table 1. Enumeration of the possible combinations of TCP options, padded appropriately with nop options . # Possible combinations of TCP options 1 mss 1460 2 timestamp nop nop 3 sackok nop nop 4 wscale 0 nop 5 wscale 0 nop sackok nop nop 6 wscale 0 nop mss 1460 7 wscale 0 nop timestamp nop nop 8 sackok nop nop mss 1460 9 sackok nop nop timestamp nop nop 10 mss 1460 timestamp nop nop 11 timestamp nop nop sackok nop nop wscale 0 nop 12 mss 1460 sackok nop nop wscale 0 nop 13 mss 1460 timestamp nop nop wscale 0 nop 14 mss 1460 timestamp nop nop sackok nop nop 15 mss 1460 timestamp nop nop sackok nop nop wscale 0 nop TCP SYN segments are sent with the 2 4 different possible combinations of TCP options, as shown in Table 1 We can encode options ordering to simplify a later lookup to an int comparison. A bit-field can be used to identify the options present in the client’s SYN segment. Since we use the most prevalent options, (timestamp, mss, wscale, sackok), we only need bits bits, and can encode them as shown in Table 2. These tests allow us to build 16 sub-tables for SYNACK lookups. When a lookup is requested for a SYNACK, we take the encoded value of the TCP options present in the SYN segment, as shown in Table 2, for which the SYNACK corresponds, and hash into one of the 16 sub-tables to match the SYNACK TCP and IP values. The TCP Timestamp. Another ambiguous bit of behavior was discovered during testing. This has to do with network stack implementations of the TCP Timestamp option. RFC 1323 specifies the requirement for using TCP timestamps as a method to calculate “reliable round-trip time estimates”[18] between two connected hosts. Specifically, section 3.2 states: “The Timestamp Echo Reply field (TSecr) is only valid if the ACK bit is set in the TCP header; if it is valid, it echos a timestamp value that was sent by the remote TCP in the TSval field of a Timestamps option. When TSecr is not valid, its value must be zero.” However, some operating systems do not set the TSecr field to the TSval given in the sent TCP SYN segment of a SYNACK reply, where the sent SYN
200 G. Taleck Table 2. Encoding of TCP options present in TCP SYN segments: bit 3: timestamp, 2: wscale, 1: sackok, 0: mss. TCP options Bits Value no options 0000 0 mss 0001 1 sackok 0010 2 sackok mss 0011 3 wscale 0100 4 wscale mss 0101 5 wscale sackok 0110 6 wscale sackok mss 0111 7 timestamp 1000 8 timestamp mss 1001 9 timestamp sackok 1010 10 timestamp sackok mss 1011 11 timestamp wscale 1100 12 timestamp wscale mss 1101 13 timestamp wscale sackok 1110 14 timestamp wscale sackok mss 1111 15 segment contained a non-zero TSval field. This is not necessarily a violation of the specification, but it does provide useful information that can be used to differentiate operating systems when monitored passively. Window Sizes. Additionally, some stacks will adjust their initial window size depending on whether the timestamp or other options were requested by the client. Table 3 illustrates some differences and similarities between operating systems and the initial window size. Table 3. Initial Window Sizes (WS) of various operating systems with and without the TCP timestamp (TS) option requested. Operating System WS without TS WS with TS Linux 2.4.0 5840 5792 Microsoft Windows NT4.0 64240 65160 MacOS 10.1 32768 33000 OpenBSD 3.3 64240 65160 FreeBSD 2.2 16384 17520 FreeBSD 4.6 57344 57344
Page 1 and 2: Ambiguity Resolution via Passive OS
Page 3 and 4: 194 G. Taleck 2.2 Traffic Normaliza
Page 5 and 6: 196 G. Taleck IDS Client Server SYN
Page 7: 198 G. Taleck Minimal FTP Client FT
Page 11 and 12: 202 G. Taleck that failed (either t
Page 13 and 14: 204 G. Taleck The “freshness” o
Page 15: 206 G. Taleck 7. Fyodor: Remote OS

LNCS 2820 - Ambiguity Resolution via Passive OS Fingerprinting

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?