In this excerpt of Chapter 9 from Silence on the Wire, author Michal Zalewski discusses both harmful and beneficial ways to use passive fingerprinting, and how to prevent successful passive fingerprinting on your network.
When observed by either the recipient or a bystander (such as an ISP between the sender and the recipient), network traffic can provide information beyond the actual data exchanged, including certain parameters of the sender's system. As suggested previously, the exposure is important and quite interesting because, unlike the data transmitted by applications, it is not necessarily obvious, and the disclosure is often beyond any user's control. Although users can change their browser settings and those of other applications in order to prevent being monitored, identified and tracked, the disclosure that occurs on the lower IP or TCP layer can easily undermine this effort by revealing to the observer just as much about the victim as the victim is trying to hide. It can also carry data of more fundamental significance to the security of the infrastructure, including some useful hints about how the victim's network is constructed and protected.
That said, short of privacy invasion, passive fingerprinting can also be useful for quite legitimate reconnaissance tasks. The set of practical (and commonly deployed) applications of passive fingerprinting extends through the entire ethical spectrum, from malice to rightful defense.
- Collecting statistical data and incident logging
One of the more legitimate uses for passive fingerprinting is that of monitoring the network to perform noninvasive and objective analysis of the platforms and network environments used, to ensure that users receive service that is optimized for their software, and to guarantee that no sizable group of users is neglected in some way. Too, gathering data about potential attackers or other unauthorized activity can be greatly enhanced by the use of passive fingerprinting. Indeed, passive fingerprinting is particularly popular in the field of honeypot research.
- Content optimization
Download Chapter 9, Foreign accent
Read the review of this book by Information Security magazine
Visit the Information Security Bookshelf for more excerpts
- Policy enforcement
The detection and eventual blocking of obsolete or noncompliant systems (say, devices that violate a corporate policy or pose a security risk) or infestations of unauthorized network hookups is another interesting application for passive fingerprinting. Since version 3.4, OpenBSD has provided a method for routing and redirecting traffic based on the operating system detection results, hence making policy enforcement based on remote operating system characteristics quite viable. The same functionality is now provided as a part of Linux netfilter patch-o-matic code. Both implementations are closely inspired by or based on p0f.
- Poor man's security
Passive fingerprinting can also be used to minimize certain types of exposure. Although with some effort it is possible to fool the fingerprinting technique, fingerprinting might be used to prevent certain types of clients (such as Windows systems, a platform most commonly infested with spyware, backdoors and worms, and often used for unsolicited mass e-mail distribution or attack hops) from using certain underlying services on the network, while allowing "less suspect" entities to access them.
Security testing and preattack assessment
Active fingerprinting is often stopped in its tracks by firewalls and other solutions that carefully filter and analyze IP traffic. Passive fingerprinting, however, can examine even aggressively protected systems and can map networks without triggering any alerts.
The approach to security testing and assessment using passive fingerprinting is twofold. First, it can be used to analyze incoming traffic. Although the observer must wait for the remote party to connect to their systems, such a connection can be quite easily induced without triggering suspicion. In fact, it is often sufficient to send a specific e-mail or a link to a Web site to the victim behind even the most sophisticated packet-filtering solution. Second, passive fingerprinting can be used to analyze the responses to legitimate traffic to an available service in order to determine the remote party's parameters. If a black-hat hacker knows how to compromise an internal network, but wants to know more about its internals in order to minimize the risk of being detected prematurely, passive fingerprinting can come in handy. The same can be said about legitimate security testing for which one is paid by the entity that undergoes the test.
- Customer profiling and privacy invasion
Many companies go to great lengths to gather and sell valuable information about people's habits, preferences, and behavior. Although this information is usually used for marketing purposes, it could — in theory — be used against a specific person. The ability to track users by correlating fingerprinting results from several locations that they have visited, whether to map internal networks and software used, track individuals, or gather other valuable statistical data, can be a source of information that might either have considerable value by itself or be used to enhance the attractiveness of other not-quite-ethical offerings.
Espionage and covert reconnaissance
The ability to gather additional information about a competitor's network Architecture, and user behavior and preferences is often quite tempting. Though this may sound like bad science-fiction, it is simply a more targeted type of the profiling discussed above.
Prevention of fingerprinting
Given the complexity of a typical IP stack, it is extremely difficult to prevent fingerprinting in general, but it is possible to address specific issues and disable specific types of known fingerprinting software by determining what parameter it relies on most and then changing it. For example, certain packet-filtering solutions, such as pf in OpenBSD, provide a packet normalization service that ensures that all outgoing traffic "looks the same." Although this might prevent some aspects of fingerprinting to some degree or might simply make fingerprinting more difficult by rendering some popular programs less accurate, it does not solve the problem completely.
Although the thorough and seemingly exhaustive manual or automated modification of certain operating system settings or TCP parameters can make system identification more difficult, certain behaviors are buried deep in the kernel and are not customizable. For example, it is fairly difficult to change the option ordering in a packet. Moreover, when users make manual modifications, they risk introducing unique characteristics into packets originating from their system, which only further affects their privacy and anonymity.
Fortunately, certain solutions do address specific types of testing. For example, IP Personality by Gael Roualland and Jean-Marc Saffroy alters the TCP stack so that it appears to specific tools as if it comes from a different operating system. If you fancy, you can use IP Personality to make NMAP think that your system is a Hewlett-Packard laser printer. However, some problems arise. For one, it is easy to actually weaken a system's TCP stack by attempting to impersonate a device that uses a weak stack to begin with. For example, if, in order to comply with a printer's particular characteristics, you use trivial sequence numbers on all connections, someone will sooner or later take advantage of this to easily disrupt or tamper with your traffic. Too, software such as IP Personality will only work against the most popular, well-known, and well-documented tools, but it offers no guarantee of success against the rest, because the characteristics examined by each tool and the way these characteristics are interpreted are different from place to place. You can only hope to fool the least determined, most naive, "mainstream" attackers who use tools you know about.
Download Chapter 9, Foreign accent, to learn more about passive fingerprinting
This was first published in August 2005