SinFP, unification of active and passive operating system fingerprinting

Abstract

The ubiquity of firewalls using Network Address Translation and Port Address Translation (NAT/PAT), stateful inspection, and packet normalization is taking its toll on today's approaches to operating system fingerprinting. SinFP was developed to address the limitations of current tools. It implements new methods, such as using signatures acquired by active fingerprinting when performing passive fingerprinting. Furthermore, SinFP is the first tool to perform operating system fingerprinting on IPv6, in both active and passive modes. Thanks to its signature matching algorithm, it is rarely necessary to add new signatures to its database. In addition, its heuristic matching algorithm makes it highly resilient against signatures that have been modified by intermediate routing and/or filtering devices, and against TCP/IP stack customization. This document presents an in-depth explanation of the techniques implemented by the SinFP tool.
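
The two ideas the abstract names, one signature database shared by active and passive modes and tiered matching that tolerates fields rewritten in transit, can be seen in miniature below. This Python is an added example written for this page; it is not SinFP's code (Net::SinFP is Perl), nor its signature format, its heuristic definitions or its database. The Signature fields, the three tiers (exact, normalised, loose), the initial-TTL classes and the three "illustrative" database entries are assumptions made for the demonstration, and the SYN-ACK it parses is constructed inline.

```python
"""Tiered heuristic matching of TCP/IP signatures (added example, not SinFP).

A sniffed SYN-ACK is reduced to the same fields an active probe response
would yield, so one database serves both modes; matching is then relaxed in
tiers so that TTL decrements, MSS clamping and option re-layout by middleboxes
do not defeat identification. Tiers, fields and entries are assumptions.
"""
import struct
from dataclasses import dataclass

# TCP option kinds (RFC 793, RFC 2018, RFC 7323)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACKOK, OPT_TS = 0, 1, 2, 3, 4, 8
INITIAL_TTLS = (32, 64, 128, 255)   # common OS defaults (assumed classes)


@dataclass(frozen=True)
class Signature:
    ttl: int         # initial TTL in the database; observed TTL on the wire
    df: bool         # IP Don't-Fragment flag
    window: int      # TCP window size
    options: tuple   # TCP option kinds in wire order (values dropped)
    mss: int         # MSS value, 0 if the option is absent


def parse_ipv4_tcp(packet: bytes) -> Signature:
    """Reduce a raw IPv4+TCP packet (e.g. a sniffed SYN-ACK) to a Signature."""
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    kinds, mss, i = [], 0, 20
    while i < data_off:
        kind = tcp[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            kinds.append(kind)
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            break                          # malformed option: stop, do not loop
        if kind == OPT_MSS and length == 4:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        kinds.append(kind)
        i += length
    return Signature(ttl, df, window, tuple(kinds), mss)


def initial_ttl(observed: int) -> int:
    """Map an observed TTL back to the smallest common initial value above it."""
    return next((t for t in INITIAL_TTLS if observed <= t), 255)


def match_level(obs: Signature, ref: Signature):
    """0: exact; 1: TTL normalised and MSS value ignored (clamping);
    2: TTL class, DF and the set of option kinds only; None: no match."""
    if obs == ref:
        return 0
    if initial_ttl(obs.ttl) != ref.ttl or obs.df != ref.df:
        return None
    if obs.window == ref.window and obs.options == ref.options:
        return 1
    if set(obs.options) - {OPT_NOP} == set(ref.options) - {OPT_NOP}:
        return 2
    return None


def match(obs: Signature, database: dict) -> list:
    """Candidates sorted best-first as (level, name)."""
    found = [(lvl, name) for name, ref in database.items()
             if (lvl := match_level(obs, ref)) is not None]
    return sorted(found)


def build_ipv4_tcp(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Constructed sample packet (zero checksums; enough for field extraction)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 0,
                     0x4000 if df else 0, ttl, 6, 0, bytes([10, 0, 0, 1]),
                     bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 0, 1,
                      ((20 + len(options)) // 4) << 4, 0x12, window, 0, 0)
    return ip + tcp + options


# Constructed, illustrative entries (not SinFP's database).
DATABASE = {
    "Linux 2.6 (illustrative)": Signature(64, True, 5840,
        (OPT_MSS, OPT_SACKOK, OPT_TS, OPT_NOP, OPT_WSCALE), 1460),
    "Windows XP (illustrative)": Signature(128, True, 65535,
        (OPT_MSS, OPT_NOP, OPT_NOP, OPT_SACKOK), 1460),
    "OpenBSD 4 (illustrative)": Signature(64, True, 16384,
        (OPT_MSS, OPT_NOP, OPT_NOP, OPT_SACKOK, OPT_NOP, OPT_WSCALE,
         OPT_NOP, OPT_NOP, OPT_TS), 1460),
}

# Constructed SYN-ACK as it might be sniffed 10 hops away behind an MSS-clamping
# device: TTL 64 -> 54, MSS 1460 -> 1452 (0x05ac), everything else untouched.
SAMPLE_SYN_ACK = build_ipv4_tcp(54, True, 5840,
    b"\x02\x04\x05\xac" + b"\x04\x02" + b"\x08\x0a" + bytes(8)
    + b"\x01" + b"\x03\x03\x07")


def demo():
    sig = parse_ipv4_tcp(SAMPLE_SYN_ACK)
    return sig, match(sig, DATABASE)


if __name__ == "__main__":
    sig, ranked = demo()
    print(sig)
    for level, name in ranked:
        print(f"H{level} {name}")
```

Run as-is, the sample resolves to the Linux entry at tier 1 (TTL and MSS rewritten in transit, layout intact) and to the OpenBSD entry only at tier 2 (same option kinds, different layout and window), which is the ranking a practitioner wants: the loose tier keeps a candidate alive without letting it outrank a closer fit.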

Author information

Correspondence to Patrice Auffret.

Cite this article

Auffret, P. SinFP, unification of active and passive operating system fingerprinting. J Comput Virol 6, 197–205 (2010). https://doi.org/10.1007/s11416-008-0107-z

Keywords

  • Command Line
  • Passive Mode
  • Signature Database
  • Network Address Translation
  • Response Frame