SinFP - a Perl module to do active and passive OS fingerprinting
Introduction
SinFP is a new approach to OS fingerprinting, which bypasses limitations that nmap has.
Nmap's approach to fingerprinting has been shown to be efficient for years. Nowadays, with the omnipresence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization technologies, its approach to OS fingerprinting is becoming obsolete.
SinFP takes the aforementioned limitations as its basis: any test that would be defeated by them is absolutely avoided in the frames used to identify the remote operating system accurately. That is, it only requires one open TCP port, sends only fully standard TCP packets, and limits the number of tests to 2 or 3 (with only 1 test giving the OS reliably in most cases).
Feature list - Version 2.00:
- complete rewrite
- sinfp.db completely reworked
- new tests based on comparison between probe and response (TCP seq/ack comparison, IP ID value comparison)
- new matching algorithm, which works like a search engine (the problem is one of finding an intersection, by applying a deformation mask on keywords) and is much more efficient than the one in the 1.xx branch
- possibility to pass a matching mask manually, to slightly change the matching algorithm
- passive fingerprinting much more accurate thanks to the new matching algorithm
- possibility to launch P1P2P3 probes, or only P1P2 probes, or only P2 probe
- match IPv6 signatures against IPv4 ones
- API changes, not compatible with 1.xx version anymore
- DB schema changes, not compatible with 1.xx version anymore
- many bugfixes
Version 1.00:
- Full OS fingerprinting suite, built as a Perl module
- Active fingerprinting
- Passive fingerprinting (with signature matching made against active ones)
- Works the same over IPv4 and IPv6 (yes, IPv6 fingerprinting)
- Online mode
- Offline mode (especially useful when you have a pcap file)
- Heuristic matching algorithm, to avoid the need to write a new signature for a target stack which has some TCP option deactivated, or a changed window size, for example
SinFP signatures are stored in a SQLite database, a portable format if anyone wants to integrate it in another project. Here is the database schema:
Schema images (JPG and PS versions): SinFP DB schema.
For those who ask, here are the benefits over nmap:
- Only three TCP packets, all targeted to the same open TCP port. And in most cases, only one SYN packet is required to fingerprint.
- All packets traverse firewalls with a traffic normalization feature
- Distinguishes between SunOS 5.6/5.7, Windows NT 4.0/98SE and Linux 2.4/2.6
- No need to add a new signature because the target has deactivated some TCP option, thanks to a heuristic algorithm
How to get it
You have two ways. Either you are a Perl aficionado, or a general Linux/BSD user who prefers packaged systems.
From Sourceforge
Packaged archive, featuring all needed modules. Link: http://sourceforge.net/projects/sinfp/. Once downloaded, you can install it this way:
prompt$ tar zxvf SinFP-X.YY.Z.tar.gz
prompt$ cd SinFP-X.YY.Z
prompt$ make
prompt$ su
prompt# make install
All files will be installed to /usr/local/sinfp by default. So, to use SinFP, just call /usr/local/sinfp/bin/sinfp.pl, and play.
From CPAN
CPAN URL: http://search.cpan.org/~gomor/.
For UNIX/Linux systems
prompt# cpan Net::SinFP
For Windows ActivePerl systems:
First, install WinPcap 3.1: http://www.winpcap.org/. Then, apply the following procedure. It was tested with ActivePerl 5.8.8.819, with PPM v4.0.
# If you are behind a proxy:
C:\> set http_proxy=http://username:password@proxy:port
# Add gomor repository
C:\> ppm repo add gomor http://www.gomor.org/files/ppm/repo-8xx
### Installation in default site area
# Disable all other repos if you have many, or only the ActiveState repo
# (the default one)
C:\> ppm repo 1 off
C:\> ppm install Net-SinFP
# Re-enable all other repo
C:\> ppm repo 1 on
sinfp.pl will be in C:/perl/site/bin.
# Installation in own area
# Create an area for SinFP
C:\> mkdir C:/perl/sinfp
C:\> set PERL5LIB=%PERL5LIB%;C:/perl/sinfp
C:\> ppm gui
# In the GUI, select Edit/Preference, and check sinfp, answer OK, then check
# site area, or any other default area you use
# Disable all other repos if you have many, or only the ActiveState repo
# (the default one)
C:\> ppm repo 1 off
C:\> ppm install --area sinfp Net-SinFP
# Re-enable all other repo
C:\> ppm repo 1 on
sinfp.pl will be in C:/perl/sinfp/bin. If you get error messages when loading some SinFP related DLLs, go to http://www.microsoft.com, type vcredist_x86.exe in the search field, then download and install it.
Submitting new signatures
I'm always willing to accept new signatures. To do that, just send me (webmaster[at]gomor.org) the generated .pcap file when you've fingerprinted a target (in active mode; do not forget the -k argument, to keep the .pcap file). Be sure to send the exact version of the target (uname -sr), and make sure that no filtering device between you and the target is active. I only add signatures taken in perfect conditions.
If you do not want me to know which IP address you've fingerprinted, you can send me the anonymized pcap file instead, which is generated by default. It is named sinfp4-127.0.0.1.pcap for IPv4 signatures. Basically, the source address is changed to 127.0.0.1, the destination to 127.0.0.2, and of course the IP and TCP checksums are changed accordingly.
Example usage
prompt$ ./sinfp.pl
-- SinFP - 2.06 --
o Information about signature database updates, and more:
o http://lists.gomor.org/mailman/listinfo/sinfp
Usage: /home/gomor/perl5/bin/sinfp.pl -i <targetIp> -p <openTcpPort>
o Common parameters:
-i <ip> target IP
-p <port> target open TCP port (default: 80)
-d <dev> network device to use
-I <ip> source IP address to use
-3 run all probes (default)
-2 run only probes P1 and P2 (stealthier)
-1 run only probe P2 (even stealthier)
-v be verbose
-s <file> signature file to use
-C print complete information about target operating system
-O print only operating system
-V print only operating system and its version family
-H use HEURISTIC2 masks to match signatures (advanced users)
-A <mask1,mask2,...>
use a custom list of matching masks (advanced users)
o Online mode specific parameters:
-k keep generated pcap file
-a do not generate an anonymized pcap file trace
o Offline mode specific parameters:
-f <file> name of pcap file to analyze
o IPv6 specific parameters:
-6 use IPv6 fingerprinting, instead of IPv4
-M <mac> source MAC address to use
-m <mac> target MAC address to use
-4 if no IPv6 signature matches, try against IPv4 ones
o Active mode specific parameters:
-r <N> number of tries to perform for a probe (default: 3)
-t <N> timeout before considering a packet to be lost (default: 3)
o Passive mode specific parameters:
-P passive fingerprinting
-F <filter> pcap filter
Active fingerprinting (IPv4)
The target is a Windows 2000 SP4 (fully patched as of May 2005).
prompt# ./sinfp.pl -ai 192.168.0.86 -p 445
P1: B11113 F0x12 W64240 O0204ffff M1460
P2: B11113 F0x12 W64240 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
IPv4: HEURISTIC0/P1P2P3: Windows: Microsoft: Windows: 2000 (SP0, SP4)
Active fingerprinting (IPv6)
The target is a SunOS 5.9 (Solaris 9).
prompt# ./sinfp.pl -a6i fe80::213:2ff:fe44:632b -m 00:13:02:44:63:2b -p 22
P1: B10013 F0x12 W50020 O0204ffff M1440
P2: B10013 F0x12 W49980 O0101080affffffff444541440204ffff0103030001010402 M1440
P3: B10020 F0x04 W0 O0 M0
IPv6: HEURISTIC0/P1P2P3: Unix: Sun: SunOS: 5.9
IPv6: HEURISTIC0/P1P2P3: Unix: Sun: SunOS: 5.10
Passive fingerprinting (IPv4 offline example)
Example of just running in passive mode, on a previously captured file (via tcpdump, for example):
prompt$ ./sinfp.pl -PHf capture.pcap
207.46.198.30:80 > 192.168.0.32:2506 [SYN|ACK] ### www.microsoft.com
P2: B11111 F0x12 W5840 O0204ffff0402080affffffff0000000001030302 M1440
IPv4: BH1FH0WH1OH0MH1/P2: GNU/Linux: OSS: Linux: 2.6.x (2.6.16, 2.6.9)
204.152.190.12:80 > 192.168.0.100:2697 [SYN|ACK] ### www.netbsd.org
P2: B11111 F0x12 W32768 O0204ffff010303000101080a0000000004241bb1 M1440
IPv4: BH0FH0WH1OH1MH1/P2: BSD: OSS: NetBSD: 3.0
204.152.191.37:80 > 192.168.0.100:3409 [SYN|ACK] ### www.kernel.org
P2: B11111 F0x12 W5792 O0204ffff0402080affffffffffffffff01030302 M1440
IPv4: BH1FH0WH1OH0MH1/P2: GNU/Linux: OSS: Linux: 2.6.x (2.6.16, 2.6.9)
216.136.204.117:80 > 192.168.0.100:4684 [SYN|ACK] ### www.freebsd.org
P2: B11111 F0x12 W57344 O0204ffff010303000101080affffffffffffffff M1440
IPv4: BH0FH0WH1OH0MH1/P2: BSD: OSS: FreeBSD: 4.9
IPv4: BH0FH0WH1OH0MH1/P2: BSD: OSS: FreeBSD: 4.11 (4.11-RELEASE)
IPv4: BH0FH0WH1OH0MH1/P2: BSD: OSS: FreeBSD: 4.10 (4.10-RELEASE)
IPv4: BH0FH0WH1OH0MH1/P2: BSD: OSS: FreeBSD: 4.7
129.128.5.191:80 > 192.168.0.100:4551 [SYN|ACK] ### www.openbsd.org
P2: B11111 F0x12 W1440 O0101080affffffffffffffff010303000204ffff M1440
IPv4: BH0FH0WH2OH0MH2/P2: Unix: Sun: SunOS: 5.6
209.249.116.195:80 > 192.168.0.100:3118 [SYN|ACK] ### www.sun.com
P2: B11111 F0x12 W32844 O0101080affffffffffffffff0204ffff0103030001010402 M1440
IPv4: BH0FH0WH2OH0MH2/P2: Unix: Sun: SunOS: 5.9
IPv4: BH0FH0WH2OH0MH2/P2: Unix: Sun: SunOS: 5.10
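As an added example (not code from SinFP or its author), here is a small Python parser for the probe and match lines shown above: it splits each Pn line into its B/F/W/O/M fields, walks the O field as raw TCP options (kind, length, value), and breaks a BH1FH0WH1OH0MH1 mask into one heuristic level per field. Reading runs of 0xff bytes in the O field as values that SinFP has masked is my inference from the output above, not something the page states; the sample lines are constructed copies of that output.

```python
import re
# Constructed sample lines, shaped like the sinfp.pl passive output shown above.
SAMPLE_PROBE = "P2: B11111 F0x12 W5840 O0204ffff0402080affffffff0000000001030302 M1440"
SAMPLE_MATCH = "IPv4: BH1FH0WH1OH0MH1/P2: GNU/Linux: OSS: Linux: 2.6.x (2.6.16, 2.6.9)"
PROBE_RE = re.compile(r"^(P[123]): B(\S+) F0x([0-9a-fA-F]+) W(\d+) O(\S+) M(\d+)$")
MATCH_RE = re.compile(r"^(IPv[46]): ([A-Z0-9]+)/((?:P[123])+): (.*)$")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACKOK", 8: "TIMESTAMP"}  # RFC 793/1323/2018

def field(hexvalue):
    # Assumption: SinFP overwrites volatile option values with 0xff bytes; report those as "masked".
    return "masked" if hexvalue and set(hexvalue) == {"f"} else hexvalue

def decode_options(hexstr):
    """Walk the O field as raw TCP options (kind, length, value); 'O0' means no options."""
    data, out, i = bytes.fromhex("" if hexstr == "0" else hexstr), [], 0
    while i < len(data):
        kind = data[i]
        if kind in (0, 1):                      # EOL and NOP are single-byte options
            out.append((OPT_NAMES[kind], ""))
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad TCP option length at byte {i}")
        val = data[i + 2:i + length].hex()
        # Timestamp carries TSval and TSecr, which are masked separately in the output above.
        val = field(val[:8]) + "/" + field(val[8:]) if kind == 8 and len(val) == 16 else field(val)
        out.append((OPT_NAMES.get(kind, f"KIND{kind}"), val))
        i += length
    return out

def parse_probe(line):
    """Split a 'Pn: B.. F0x.. W.. O.. M..' line into its signature fields."""
    m = PROBE_RE.match(line.strip())
    if not m:
        raise ValueError("not a SinFP probe line: " + line)
    probe, b, flags, win, opts, mss = m.groups()
    return {"probe": probe, "B": b, "flags": [n for bit, n in TCP_FLAGS.items() if int(flags, 16) & bit],
            "window": int(win), "options": decode_options(opts), "mss": int(mss)}

def parse_match(line):
    """Split an 'IPv4: <mask>/<probes>: <os path>' line; BH1FH0WH1OH0MH1 gives one level per field."""
    m = MATCH_RE.match(line.strip())
    if not m:
        raise ValueError("not a SinFP match line: " + line)
    ipver, mask, probes, os_path = m.groups()
    levels = {k: int(v) for k, v in re.findall(r"([BFWOM])H(\d)", mask)}
    return {"ip": ipver, "mask": mask, "levels": levels, "probes": probes,
            "os": [p.strip() for p in os_path.split(":")]}
```

Running parse_probe(SAMPLE_PROBE) on the Linux 2.6 line above yields MSS (masked), SACKOK, TIMESTAMP (masked TSval, zero TSecr), NOP and WSCALE 02, which is the option layout the signature encodes.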
Latest signature file
sinfp-latest.db
SinFP mailing list
To be informed of all updates, especially new signature files, please subscribe to sinfp mailing list:
http://lists.gomor.org/mailman/listinfo/sinfp
See also Tips and Tricks (DocTipsAndTricks)