A Qualitative Survey of Active TCP/IP Fingerprinting Tools and Techniques for Operating Systems Identification

  • João Paulo S. Medeiros
  • Agostinho de Medeiros Brito Júnior
  • Paulo S. Motta Pires
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6694)


TCP/IP fingerprinting is the process of identifying the Operating System (OS) of a remote machine through a TCP/IP based computer network. This process has applications close related to network security and both intrusion and defense procedures may use this process to achieve their objectives. There are a large set of methods that performs this process in favorable scenarios. Nowadays there are many adversities that reduce the identification performance. This work compares the characteristics of four active fingerprint tools (Nmap, Xprobe2, SinFP and Zion) and how they deal with test environments under adverse conditions. The results show that Zion outperforms the other tools for all test environments and it is suitable even for use in sensible systems.


Transmission Control Protocol Strange Attractor Network Address Translator Qualitative Survey Security Device 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Nmap Hackers Mailing List: Top 2 OS Detection Tools (2008)Google Scholar
  2. 2.
    The OpenBSD Packet Filter (2010), (OpenBSD version 4.7)
  3. 3.
    Arkin, O., Yarochkin, F.: XProbe2 A ‘Fuzzy’ Approach to Remote Active Operating System Fingerprinting. Tech. rep., Sys-security (August 2002)Google Scholar
  4. 4.
    Auffret, P.: SinFP, unification de la prise d’empreinte active et passive des systmes d’exploitation. In: Proc. Symposium sur La Securit des Technologies de L’Information et des Communications (2008)Google Scholar
  5. 5.
    Bellovin, S.: Defending Against Sequence Number Attacks. RFC 1948 (Informational) (May 1996)Google Scholar
  6. 6.
    Eddy, W.: TCP SYN Flooding Attacks and Common Mitigations. RFC 4987 (Informational) (August 2007)Google Scholar
  7. 7.
    Egevang, K., Francis, P.: The IP Network Address Translator (NAT). RFC 1631 (Informational) (May 1994)Google Scholar
  8. 8.
    Fyodor.: Remote OS Detection via TCP/IP Fingerprinting. Phrack Magazine 8 (1998)Google Scholar
  9. 9.
    Fyodor.: Nmap Network Scanning. Insecure.Com LLC (2009)Google Scholar
  10. 10.
    Handley, M., Paxson, V., Kreibich, C.: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In: Proceedings of the 10th USENIX Security Symposium (2001)Google Scholar
  11. 11.
    Medeiros, J.P.S., Brito, A.M., Pires, P.S.M.: A New Method for Recognizing Operating Systems of Automation Devices. In: Proc. IEEE Conference on Emerging Technologies & Factory Automation (ETFA 2009), pp. 772–775 (2009)Google Scholar
  12. 12.
    Medeiros, J.P.S., Brito, A.M., Pires, P.S.M.: An Effective TCP/IP Fingerprinting Technique Based on Strange Attractors Classification. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., Roudier, Y. (eds.) DPM 2009. LNCS, vol. 5939, pp. 208–221. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  13. 13.
    Medeiros, J.P.S., Brito, A.M., Pires, P.S.M.: Using Intelligent Techniques to Extend the Applicability of Operating System Fingerprint Databases. Journal of Information Assurance and Security 5(1), 554–560 (2010)Google Scholar
  14. 14.
    Medeiros, J.P.S., Cunha, A.C., Brito Jr., A.M., Motta Pires, P.S.: Application of Kohonen Maps to Improve Security Tests on Automation Devices. In: Lopez, J., Hämmerli, B.M. (eds.) CRITIS 2007. LNCS, vol. 5141, pp. 235–245. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  15. 15.
    Medeiros, J.P.S., dos Santos, S.R., Brito, A.M., Pires, P.S.M.: Advances in Network Topology Security Visualisation. International Journal of System of Systems Engineering 1(4), 387–400 (2009)CrossRefGoogle Scholar
  16. 16.
    Postel, J.: Transmission Control Protocol. RFC 793 (Standard) (September 1981)Google Scholar
  17. 17.
    Provos, N.: Honeyd (May 2007), (version 1.5c)
  18. 18.
    Provos, N., Holz, T.: Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Addison-Wesley, Reading (2008)Google Scholar
  19. 19.
    Smart, M., Malan, G., Jahanian, F.: Defeating TCP/IP stack fingerprinting. In: Proceedings of the 9th USENIX Security Symposium (2000)Google Scholar
  20. 20.
    Srisuresh, P., Egevang, K.: Traditional IP Network Address Translator (Traditional NAT). RFC 3022 (Informational) (January 2001)Google Scholar
  21. 21.
    Zalewski, M.: Strange Attractors and TCP/IP Sequence Number Analysis. Tech. rep., Coredump (2001)Google Scholar
  22. 22.
    Zalewski, M.: Strange Attractors and TCP/IP Sequence Number Analysis – One Year Later. Tech. rep., Coredump (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • João Paulo S. Medeiros
    • 1
  • Agostinho de Medeiros Brito Júnior
    • 2
  • Paulo S. Motta Pires
    • 2
  1. 1.LabSIN – Security Information Laboratory, LabEPI – Elements of Information Processing Laboratory, Department of Exact and Applied Sciences – DCEAFederal University of Rio Grande do Norte – UFRNNatalBrazil
  2. 2.LabSIN – Security Information Laboratory, LabEPI – Elements of Information Processing Laboratory, Department of Computer Engineering and Automation – DCAFederal University of Rio Grande do Norte – UFRNNatalBrazil

Personalised recommendations