Advertisement

Journal in Computer Virology

, Volume 6, Issue 3, pp 197–205 | Cite as

SinFP, unification of active and passive operating system fingerprinting

  • Patrice Auffret
Original Paper

Abstract

The ubiquity of firewalls using Network Address Translation and Port Address Translation (NAT/PAT), stateful inspection, and packet normalization technologies is taking its toll on today’s approaches to operating system fingerprinting. Hence, SinFP was developed attempting to address the limitations of current tools. SinFP implements new methods, like the usage of signatures acquired by active fingerprinting when performing passive fingerprinting. Furthermore, SinFP is the first tool to perform operating system fingerprinting on IPv6 (both active and passive modes). Thanks to its signature matching algorithm, it is almost superfluous to add new signatures to its current database. In addition, its heuristic matching algorithm makes it highly resilient against signatures that have been modified by intermediate routing and/or filtering devices in-between, and against TCP/IP customization methods. This document presents an in-depth explanation of techniques implemented by SinFP tool.

Keywords

Command Line Passive Mode Signature Database Network Address Translation Response Frame 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
  2. 2.
    Stateful Passive Fingerprinting for Malicious Packet Identification. http://www.andrew.cmu.edu/user/xsk/XenoKovahThesis.pdf
  3. 3.
    IPv6 Neighbor Discovery Protocol based OS Fingerprinting. http://hal.inria.fr/docs/00/16/99/90/PDF/technical_report_fingerprinting.pdf
  4. 4.
    A Hybrid Approach to Operating System Discovery using Answer Set Programming. http://ieeexplore.ieee.org/iel5/4258513/4258514/04258556.pdf?tp=&isnumber=&arnumber=4258556
  5. 5.
    Toward Undetected Operating System Fingerprinting. http://www.usenix.org/events/woot07/tech/full_papers/greenwald/greenwald.pdf
  6. 6.
    Prise d’empreinte active des systèmes d’exploitation. http://www.gomor.org/bin/view/GomorOrg/Misc7
  7. 7.
    Internet Protocol (version 6). ftp://ftp.rfc-editor.org/in-notes/rfc2460.txt
  8. 8.
    Internet Protocol (version 4). ftp://ftp.rfc-editor.org/in-notes/rfc791.txt
  9. 9.
    SQLite Home Page. http://www.sqlite.org/
  10. 10.
    Transmission Control Protocol. ftp://ftp.rfc-editor.org/in-notes/rfc793.txt
  11. 11.
    Remote OS Detection using TCP/IP Fingerprinting (2nd Generation). http://insecure.org/nmap/osdetect/
  12. 12.
  13. 13.
    Analyse fine: bornes inférieures et algorithmes de calculs d’intersection pour moteurs de recherche. http://www.cs.uwaterloo.ca/~jbarbay/Recherche/Publishing/Publications/these.pdf
  14. 14.
    Nmap—Free Security Scanner for Network Exploration and Security Audits. http://insecure.org/nmap/
  15. 15.
    TCP/IP Fingerprinting Methods Supported by Nmap. http://insecure.org/nmap/osdetect/osdetect-methods.html
  16. 16.
  17. 17.
  18. 18.
  19. 19.
    Introduction and Comparison with Nmap 4.10, Part I. http://www.phocean.net/?p=13
  20. 20.
    Comparison with Nmap 4.20, Part II. http://www.phocean.net/?p=14
  21. 21.
  22. 22.
    SinFP OS fingerprinting tool. http://www.gomor.org/bin/view/Sinfp/WebHome

Copyright information

© Springer-Verlag France 2008

Authors and Affiliations

  1. 1.Thomson Corporate Research Security LabsCesson-SévignéFrance

Personalised recommendations