Wednesday, August 12, 2009

ICMP OS Fingerprinting

Quite honestly I thought ICMP based OS Fingerprinting was dead and had been for years now that almost all OS's default to running a firewall! I was quite surprised to see that NetScanTools Pro has an option in it to still do this.

Happened to pick up an article from Laura Chappell, which had a link to this QuickTime audio: http://www.screencast.com/users/laurachappell/folders/Media%20Roll/media/75047d06-2801-49b7-87d3-0e41a3abd500

NetScanTools Pro appears to be sending the standard set of probes:
ICMP Echo Request
Timestamp Request
Address Mask Request
Information Request
ICMP Echo Request (Code <> 0)
TOS and Precedence
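
The probe list above is what the tool sends; from the defending side the same list is a detection signature. The following is an added example, not code from NetScanTools Pro or from this post: it decodes raw IPv4/ICMP packets, labels those that match the probe types listed (timestamp, address mask and information requests, echo requests with a nonzero code, and echo requests with unusual TOS/precedence bits), and groups the labels by source so a host sending several distinct probe types stands out. The packet builder, the label names, the 192.0.2.x addresses and the threshold of three distinct probe types are all constructed for the example.

```python
"""
Classify ICMP probes of the kind used by ICMP-based OS fingerprinting.

Added example (not NetScanTools code). Sample packets are built inline with
documentation-range addresses (192.0.2.0/24); checksums are left at zero
because nothing here is transmitted.
"""
import struct

# ICMP message types used by the probes (RFC 792 / RFC 950)
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP_REQUEST = 13
ICMP_INFO_REQUEST = 15
ICMP_ADDRESS_MASK_REQUEST = 17

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
ICMP_HDR = "!BBHHH"          # type, code, checksum, identifier, sequence


def build_ipv4_icmp(src, dst, icmp_type, icmp_code, tos=0, payload=b""):
    """Construct an IPv4+ICMP packet as sample input (constructed data, not a real capture)."""
    icmp = struct.pack(ICMP_HDR, icmp_type, icmp_code, 0, 0x1234, 1) + payload
    ip = struct.pack(IPV4_HDR, 0x45, tos, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp


def classify_icmp(packet):
    """Return a list of probe labels for one raw IPv4 packet, or None if nothing matched."""
    if len(packet) < 20:
        return None
    ver_ihl, tos, _, _, _, _, proto, _, _, _ = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4 or proto != 1:          # not IPv4, or not ICMP
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if len(packet) < ihl + 4:
        return None
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    precedence = tos >> 5          # top three bits of the TOS byte
    tos_bits = tos & 0x1E          # the four TOS bits (reserved low bit ignored)

    labels = []
    if icmp_type == ICMP_TIMESTAMP_REQUEST:
        labels.append("timestamp-request")
    elif icmp_type == ICMP_ADDRESS_MASK_REQUEST:
        labels.append("address-mask-request")
    elif icmp_type == ICMP_INFO_REQUEST:
        labels.append("information-request")
    elif icmp_type == ICMP_ECHO_REQUEST and icmp_code != 0:
        labels.append("echo-request-nonzero-code")
    # A plain ping has TOS 0; precedence or TOS bits set on an echo request is the TOS/precedence probe
    if icmp_type == ICMP_ECHO_REQUEST and (tos_bits or precedence):
        labels.append("echo-request-unusual-tos")
    return labels or None


def probes_by_source(packets):
    """Map each source address to the sorted set of distinct probe labels it sent."""
    seen = {}
    for pkt in packets:
        labels = classify_icmp(pkt)
        if not labels:
            continue
        src = ".".join(str(b) for b in pkt[12:16])
        seen.setdefault(src, set()).update(labels)
    return {src: sorted(lbls) for src, lbls in seen.items()}


def looks_like_fingerprinting(packets, threshold=3):
    """Sources that sent at least `threshold` distinct probe types (threshold is an assumed tuning value)."""
    return {src for src, lbls in probes_by_source(packets).items() if len(lbls) >= threshold}


# Constructed sample: one scanner host working through the probe list, plus a normal ping
SCANNER, TARGET = "192.0.2.10", "192.0.2.1"
SAMPLE_PACKETS = [
    build_ipv4_icmp("192.0.2.20", TARGET, ICMP_ECHO_REQUEST, 0),          # ordinary ping
    build_ipv4_icmp(SCANNER, TARGET, ICMP_ECHO_REQUEST, 0),               # ordinary ping
    build_ipv4_icmp(SCANNER, TARGET, ICMP_TIMESTAMP_REQUEST, 0),
    build_ipv4_icmp(SCANNER, TARGET, ICMP_ADDRESS_MASK_REQUEST, 0),
    build_ipv4_icmp(SCANNER, TARGET, ICMP_INFO_REQUEST, 0),
    build_ipv4_icmp(SCANNER, TARGET, ICMP_ECHO_REQUEST, 5),               # echo with code <> 0
    build_ipv4_icmp(SCANNER, TARGET, ICMP_ECHO_REQUEST, 0, tos=0xE0),     # precedence 7 set
]

if __name__ == "__main__":
    for src, lbls in probes_by_source(SAMPLE_PACKETS).items():
        print(src, lbls)
    print("fingerprinting suspects:", looks_like_fingerprinting(SAMPLE_PACKETS))
```

In a real pipeline the packets come from a capture rather than the builder, and the threshold is tuned to the time window; a single timestamp or address mask request is not proof of anything, but several distinct probe types from one host in quick succession is exactly the pattern the probe list describes.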

Without going back and reading Ofir's paper again, or looking at my old ICMP program, I'm not sure whether any of them are new compared to what Ofir presented in his 2001 paper "ICMP Usage In Scanning". I wonder if LNSS is still using the Code <> 0 test at all?

ICMP fingerprinting seems about the same as before. Useful in some cases, not so useful in others. It is good to see that it is still being used, and therefore some new database has probably been made.

Out of the 4 main types of devices on my network it identified them as [Actual - Identification]:
Netgear WAP - HP ProCurve Switch 2500 Series
Brother Printer - Unable to identify operating system.
Linksys VOIP Device - HP LaserJet 2800 Series
XP - Windows XP responding to Ping only

OK, I had my box crash twice while doing OS fingerprinting with this. It could be a problem on my box or it could be a bad dissector on their end. Will follow up with them. [note: Kirk was quick on responses, looks like it was probably in WinPcap since the BSOD pointed at npf.sys, trying to duplicate on another system, may also be a NIC driver combination, looking into it, but doesn't appear to be NetScanTools related]

Anyway, out of 4 devices it could ID 1 correctly. Any fingerprinting program is only as good as its DB, so maybe I'll have to play with it a bit more and send it some new fingerprints if they have the ability to add them. [Note: Looks like the ability to add more will be in version 11, so I'll have to try to follow up with them in the future]
