Sunday, November 25, 2012

SinFP and Syn/Ack fingerprinting

With SinFP3 v1.2, they claim to do one-packet OS fingerprinting:

"The latest version of SinFP3 (v1.20) introduces two new cool features: the ability to perform a SYN scan and do OS fingerprinting at the same time. The idea is to use SYN|ACK answers to the SYN scanning process to accurately identify the remote operating system nature. The second new feature is a server mode allowing third-party applications to access the SinFP3 fingerprinting engine. We also created a new output plugin to display results in a simpler manner than in previous versions of SinFP3."

It is cool that since they are already scanning the systems and looking for open ports they've added the ability to use the Syn/Ack response and passively fingerprint the return data. p0f had a syn/ack feature and I added it to Satori back in the day, but I know p0fv2 didn't have a very big syn/ack DB and I honestly don't know how big Satori's is as I have it all rolled into the tcp.xml file.
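As an added example of what a SYN|ACK-based fingerprint is actually built from (this is not SinFP3's, p0f's or Satori's code): it decodes a raw IPv4/TCP SYN|ACK, pulls out the initial TTL, DF bit, window, MSS, window scale and option order, and matches them against a small signature table. The signature entries, their labels and the sample frame are constructed for illustration and are not real OS fingerprints.

```python
import struct
# Constructed, illustrative signature table: initial TTL, DF bit and option
# layout (M=MSS, S=SACK-ok, T=timestamp, N=NOP, W=window scale, E=end of list).
SIGS = [
    {"ttl": 64, "df": True, "opts": "M,S,T,N,W", "label": "sig-A (constructed)"},
    {"ttl": 128, "df": True, "opts": "M,N,W,N,N,T,N,N,S", "label": "sig-B (constructed)"},
]
OPT_NAMES = {2: "M", 3: "W", 4: "S", 8: "T"}

def parse_synack(pkt: bytes) -> dict:
    """Decode a raw IPv4+TCP frame and return the fields a SYN|ACK signature uses."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if tcp[13] & 0x12 != 0x12:
        raise ValueError("not a SYN|ACK")
    opts, i, names, mss, wscale = tcp[20:doff], 0, [], None, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list, no length byte
            names.append("E"); break
        if kind == 1:                      # NOP padding, no length byte
            names.append("N"); i += 1; continue
        length = opts[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = opts[i + 2]
        names.append(OPT_NAMES.get(kind, str(kind)))
        i += length
    # The observed TTL was decremented per hop; round up to the usual initial values.
    init_ttl = next(t for t in (32, 64, 128, 255) if t >= pkt[8])
    return {"ttl": init_ttl, "df": bool(pkt[6] & 0x40), "window": struct.unpack("!H", tcp[14:16])[0],
            "mss": mss, "wscale": wscale, "opts": ",".join(names)}

def match_synack(pkt: bytes):
    """Return the label of the first signature whose TTL, DF bit and option order match."""
    f = parse_synack(pkt)
    for s in SIGS:
        if (s["ttl"], s["df"], s["opts"]) == (f["ttl"], f["df"], f["opts"]):
            return s["label"]
    return None

def build_synack(ttl: int, window: int, opts: bytes, df: bool = True) -> bytes:
    """Build a constructed IPv4+TCP SYN|ACK frame for testing (not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 2, ((20 + len(opts)) // 4) << 4,
                      0x12, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

# Constructed 20-byte option block: MSS 1460, SACK-ok, timestamp, NOP, window scale 7.
SAMPLE_OPTS = bytes([2, 4, 5, 0xB4, 4, 2, 8, 10] + [0] * 8 + [1, 3, 3, 7])
```

A real tool would also compare the window and MSS values, which is where the database size matters most, since option order alone is shared by many stacks.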

I need to look at their fingerprint file and see if it is something I can incorporate into Satori. If it appears feasible to convert what I get back into the same format, I'll have to follow up with the authors and see about adding it in. That just means finding time to play with SinFP now! Not sure when that will happen, but added to the list.