Tips and Tricks

Using manual deformation masks

Sometimes a target cannot be identified, but you may have a guess about which operating system it is running and want to confirm it. The -A parameter comes to the rescue. I call these deformation masks, or matching masks.

I was playing with TWiki, and read some documentation on their website, when I saw that they were powered by Sun Microsystems. So, I tried to fingerprint TWiki.org:

% sudo /home/gomor/perl5/bin/sinfp.pl -vkai twiki.org
VERBOSE: using db: /home/gomor/perl5/bin/sinfp.db
VERBOSE: dev: eth1
VERBOSE: ip : 192.168.0.101
VERBOSE: ip6: fe80::213:2ff:fe44:632b
VERBOSE: mac: 00:13:02:44:63:2b
P1: B11113 F0x12 W65392 O0204ffff M1460
P2: B11113 F0x12 W33304 O0101080affffffff444541440204ffff0103030101010402 M1460
P3: B11120 F0x04 W0 O0 M0
IPv4: unknown

Too bad, the operating system cannot be identified. The first thing to try is the -H parameter, which enables advanced deformation masks. Because the previous command saved the fingerprinting transaction to a .pcap file, we can rerun the identification in offline mode:

% sinfp.pl -f sinfp4-204.153.195.50.80.pcap -H
P1: B11113 F0x12 W65392 O0204ffff M1460
P2: B11113 F0x12 W33304 O0101080affffffff444541440204ffff0103030101010402 M1460
P3: B11120 F0x04 W0 O0 M0
IPv4: HEURISTIC2/P1P2P3: Unix: SunOS: 5.10
IPv4: HEURISTIC2/P1P2P3: Unix: SunOS: 5.9

This time we have an answer. The target appears to be running SunOS 5.9 or 5.10 (Solaris 9 or 10). But the match is made in HEURISTIC2, which is the weakest kind of match, even though we can be fairly confident in this result. To be even more confident, we can use manual deformation masks, guessing at them and trying from the most deformant to the least deformant:

% sinfp.pl -f sinfp4-204.153.195.50.80.pcap -A BH2FH0WH2OH2MH2
P1: B11113 F0x12 W65392 O0204ffff M1460
P2: B11113 F0x12 W33304 O0101080affffffff444541440204ffff0103030101010402 M1460
P3: B11120 F0x04 W0 O0 M0
IPv4: BH2FH0WH2OH2MH2/P1P2P3: Unix: SunOS: 5.10
IPv4: BH2FH0WH2OH2MH2/P1P2P3: Unix: SunOS: 5.9

% sinfp.pl -f sinfp4-204.153.195.50.80.pcap -A BH0FH0WH2OH2MH0
P1: B11113 F0x12 W65392 O0204ffff M1460
P2: B11113 F0x12 W33304 O0101080affffffff444541440204ffff0103030101010402 M1460
P3: B11120 F0x04 W0 O0 M0
IPv4: BH0FH0WH2OH2MH0/P1P2: Unix: SunOS: 5.10
IPv4: BH0FH0WH2OH2MH0/P1P2: Unix: SunOS: 5.9

% sinfp.pl -f sinfp4-204.153.195.50.80.pcap -A BH0FH0WH2OH1MH0
P1: B11113 F0x12 W65392 O0204ffff M1460
P2: B11113 F0x12 W33304 O0101080affffffff444541440204ffff0103030101010402 M1460
P3: B11120 F0x04 W0 O0 M0
IPv4: unknown

% sinfp.pl -f sinfp4-204.153.195.50.80.pcap -A BH0FH0WH1OH2MH0
P1: B11113 F0x12 W65392 O0204ffff M1460
P2: B11113 F0x12 W33304 O0101080affffffff444541440204ffff0103030101010402 M1460
P3: B11120 F0x04 W0 O0 M0
IPv4: unknown

To summarize the deformation masks that were tried (I did not show all of them):

  • BH2FH0WH2OH2MH2
  • BH0FH0WH2OH2MH0
  • BH0FH0WH2OH1MH0
  • BH0FH0WH1OH2MH0

We can conclude that the best deformation mask for the target is BH0FH0WH2OH2MH0. This means that, compared to the perfect signature for SunOS 5.9 or 5.10, the target shows a deformation of the TCP window size and of the TCP options. With this mask, the value of the TCP window size is ignored entirely (WH2) and large deformations of the TCP options are accepted (OH2).
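To make the signature lines and masks above easier to read, here is an added Python helper (not part of SinFP) that splits a probe line into its B/F/W/O/M fields, decodes the TCP option TLVs carried in the O field, and splits a -A mask into per-field heuristic levels. It leaves the B digits undecoded, and the observation that SinFP prints normalized option values (ffff for the MSS option, ffffffff44454144 for the timestamp) is inferred from the output shown on this page.

```python
import re

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WScale", 4: "SACK-OK", 8: "Timestamp"}  # RFC 793/1323/2018
FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
SIG_RE = re.compile(r"^(P[123]): B(\d+) F0x([0-9a-fA-F]+) W(\d+) O([0-9a-fA-F]+) M(\d+)$")

def parse_signature(line):
    """Split one SinFP probe line (P1/P2/P3) into its B, F, W, O and M fields."""
    m = SIG_RE.match(line.strip())
    if not m:
        raise ValueError("not a SinFP signature line: %r" % line)
    probe, b, flags, win, opts, mss = m.groups()
    return {"probe": probe, "B": b, "F": int(flags, 16), "W": int(win), "O": opts, "M": int(mss)}

def tcp_flags(value):
    """0x12 -> ['SYN', 'ACK'] (a SYN/ACK reply), 0x04 -> ['RST']."""
    return [name for bit, name in FLAG_BITS if value & bit]

def decode_options(hex_opts):
    """Walk the TCP option TLVs in the O field; 'O0' means no options at all. SinFP prints
    normalized values: the MSS option shows ffff (the real MSS is in the M field)."""
    data = b"" if hex_opts == "0" else bytes.fromhex(hex_opts)
    decoded, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind in (0, 1):  # EOL and NOP are single-byte options without a length
            decoded.append((OPTION_NAMES[kind], None))
            i += 1
            continue
        length = data[i + 1] if i + 1 < len(data) else 0
        if length < 2 or i + length > len(data):
            raise ValueError("malformed TCP option at byte %d" % i)
        decoded.append((OPTION_NAMES.get(kind, "kind%d" % kind), data[i + 2:i + length].hex()))
        i += length
    return decoded

def parse_mask(mask):
    """Split a -A mask such as BH0FH0WH2OH2MH0 into per-field heuristic levels 0-2."""
    parts = re.findall(r"([BFWOM])H([012])", mask)
    if len(parts) != 5 or "".join(f for f, _ in parts) != "BFWOM":
        raise ValueError("bad deformation mask: %r" % mask)
    return {field: int(level) for field, level in parts}

if __name__ == "__main__":
    # Probe lines copied from the sinfp.pl output shown on this page
    for line in ("P1: B11113 F0x12 W65392 O0204ffff M1460",
                 "P2: B11113 F0x12 W33304 O0101080affffffff444541440204ffff0103030101010402 M1460",
                 "P3: B11120 F0x04 W0 O0 M0"):
        sig = parse_signature(line)
        print(sig["probe"], tcp_flags(sig["F"]), "W=%d M=%d" % (sig["W"], sig["M"]), decode_options(sig["O"]))
    print(parse_mask("BH0FH0WH2OH2MH0"))
```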

The deformation may be due to filtering devices such as a filtering router or a firewall. It may also be due to customized TCP/IP stack parameters, or the target may be a SunOS release for which SinFP has no signature yet, such as SunOS 5.11 (Solaris 11), since SinFP currently has no signature for Solaris 11.

Last update: 18 Apr 2008 at 16:33:49 (r1)


Copyright © 2000-2008 www.GomoR.org.
All rights reserved.