RING: Probing a New Technique for Remote Host Operating System Fingerprinting


Author: TOO2Y

1. Introduction

In recent years network security assessment software has gradually been accepted by the network security community and is spreading quickly and widely. Remote operating system detection, as one component of such assessment software, has to satisfy several conditions:
- Accuracy: avoid erroneous detection results;
- Firewall and intrusion detection system impact: avoid being affected by (or affecting) firewalls and intrusion detection systems;
- Gentleness: low network traffic and low risk to the target;
- Flexibility: easy to extend the fingerprint database and the automatic detection functions;
- Speed: a high-speed fingerprinting tool should allow large networks to be scanned.

Here I introduce a new operating system fingerprinting tool: RING. In some cases where other tools fail, RING's good characteristics and fairly accurate results will satisfy you. RING is open source software, intended mainly as a proof of concept and for testing purposes.

2. State of the art

2.1 Operating system detection techniques

- Obtaining banner information: many detection tools use this technique to obtain identification information from certain services. It is usually done by collecting and analysing the banners the services return.
- TCP segment (standard / non-standard) response analysis: operating systems are distinguished by their different responses to specific segments. The better-known tools are Savage's Queso and Fyodor's Nmap, both of which use variants of this technique.
- ICMP response analysis: a recently introduced technique. It sends UDP or ICMP request packets and analyses the various ICMP replies. Ofir Arkin's Xprobe uses it; in general Xprobe works well, but when a firewall is in the way the results are not as good.
- Initial sequence number (ISN) analysis: different implementations generate ISNs differently in their TCP stacks, so the operating system of a remote host can be determined from enough samples. (For details see Zalewski, M. (Apr 2001), Strange Attractors and TCP/IP Sequence Number Analysis.)
- Operating-system-specific denial of service: denial-of-service behaviour can also be used to detect operating system fingerprints, not only by attackers. In some very special cases a denial of service gives accurate results.

2.2 Details of the stack-query technique

The operating system is detected by measuring the responses of the remote host's TCP/IP stack to different requests. Most operating systems respond to specially crafted segments in their own particular way. Nmap and Queso are based on this technique: they generate a set of TCP and UDP requests and send them to open (and closed) ports of the remote target host. The useful information in the remote host's responses is received by the probing tool and then analysed. These techniques typically let assessment software obtain some information about the type and version of the system with little delay. The technique is accurate for a few reasons:
- Each operating system (even each patch level) usually has its own IP stack implementation.
- The TCP/IP specifications are not strictly implemented, and each implementation has its own characteristics, which creates opportunities for probing.
- The specifications may be misinterpreted; some optional features are used by some systems and not by others.
- Certain proprietary extensions of the IP protocol may also be implemented, and become characteristics of certain operating systems.

2.3 Some limitations of typical tools

Nmap can identify 500 different operating systems, but only if the network environment is stable and the target host has an open TCP port, a closed TCP port and a closed UDP port. If these conditions are not met, the accuracy of the results drops considerably. For security reasons, current networked systems often expose only one visible TCP port, while datagrams to the other ports are filtered out by a firewall or packet-filtering device. In such a firewall-protected environment, detection tools that rely on the ICMP protocol, closed UDP ports and closed TCP ports, such as Nmap and Xprobe, do not work well.

3. The TCP/IP protocol

TCP, used as the data transfer protocol, is built on top of IP; its definition can be found in RFC 793. TCP/IP is the protocol suite mainly used on the Internet. The success of TCP lies in its reliability: error control, flow control, congestion control, retransmission mechanisms and the like. To achieve this, TCP is a connection-oriented protocol. Its operation is as follows:
1. Connection establishment
2. Data transfer
3. Connection termination

TCP is built on IP, and IP cannot provide reliable end-to-end data transfer when the network is congested or has routing problems. Moreover, IP is a connectionless protocol, so connection control is built into the TCP layer. The TCP header provides many kinds of connection control. The sequence number and acknowledgement number serve to manage retransmission and to handle various kinds of errors. The URG, ACK, PSH, RST, SYN and FIN bits of the code field in the TCP header are set to manage TCP connection states; see RFC 793 for details. To better understand the principle of RING later, the three-way handshake used to establish a TCP connection is shown below (the client actively initiates the connection):

   Client                  Server
     │ -------- SYN --------> │
     │ <------ SYN-ACK ------ │
     │ -------- ACK --------> │

Datagrams in transit on the network may be lost, and in theory every datagram must be acknowledged by the recipient. TCP maintains a list of acknowledged datagrams. Note: if a datagram is not acknowledged within the expected time, it is treated as lost.

Moreover, TCP automatically restores the true order of the datagrams it has received and delivers them to the upper layer in the correct order. Congestion in the network causes datagram loss. The capacity of any network is limited by the capacity of the physical transmission medium or by the routing capability. Note: if the network is congested, some datagrams may be lost. If TCP simply retransmitted those lost datagrams, the congestion would become more and more serious; therefore, when congestion occurs, the retransmission rate is reduced.

Although TCP relies on this mechanism, RFC 793 gives no rule for computing the delay between retransmissions while waiting for an acknowledgement.

4. Temporal analysis

4.1 Principle

Datagram retransmission gives us another way to analyse the remote host's operating system. We determine the fingerprint of the remote operating system by analysing the delays between the target host's retransmitted datagrams. This behaviour is defined in RFC 793, but some room is left to the implementer, and some implementations do not fully follow the current standard. To observe the timeout mechanism we must put the IP stack of the remote host into a non-standard state. This is easily simulated: it is only necessary to withhold the acknowledgement of the remote host's SYN-ACK datagram. The delay between two consecutive retransmitted datagrams, together with other information such as the TCP flags, sequence numbers and acknowledgement numbers, is all useful information about the remote operating system. If each operating system has its own characteristics, a database of typical system signatures becomes possible. Regardless of the host or the network conditions of the test, the operating system is the only factor that affects the results; therefore the results obtained on different hosts running the same operating system will be the same (provided the network conditions are relatively stable). By comparing the target host's fingerprint with the operating system fingerprint database, the operating system the remote host runs can be identified. Signatures of new operating systems are easily recorded and associated with the name of the operating system.

4.2 Do it yourself

This fingerprinting technique uses two components: a datagram filtering device, such as a personal firewall, and a datagram monitoring device (a sniffer).
Detection setup: a simple way to simulate network congestion is to install a personal firewall on the scanning host and set filter rules that block all datagrams from the target host. The sniffer still receives all datagrams from the target host. Because of the firewall, the scanning host sends no acknowledgement, so a complete TCP connection cannot be established; after a certain time the remote host gives up on the scanning host.

Test procedure: the test consists of three steps:
- firewall setup;
- an attempt to establish a standard connection with the target host;
- the target host's SYN-ACK datagrams are captured in detail.

The detailed process:
- Select a host and confirm that it has an open port. For example, the remote host is 192.168.0.10 and its TCP port 80 is open (a web service);
- Configure the firewall to block all datagrams from the target host (192.168.0.10);
- Monitor all datagrams from TCP port 80 of the target host;
- Send a SYN datagram to the target host, attempting to establish a connection;
- Analyse the delays between consecutive datagrams from the target host.

In fact, what we measure is not the interval at which the target host sends consecutive datagrams, but the interval at which we receive them. If these intervals are nearly constant, we may boldly assume they are equal. Below is the datagram flow (A is the scanning host, B the probed target host; a line without an arrow between A and B means no data is transmitted):

     A                        B
     │ -------- SYN --------> │
     │ <------ SYN-ACK ------ │
     │ ---------------------- │
     │ ---------------------- │  time interval T1
     │ ---------------------- │
     │ <------ SYN-ACK ------ │
     │ ---------------------- │
     │ ---------------------- │  time interval T2
     │ ---------------------- │
     │ <------ SYN-ACK ------ │
     │ ---------------------- │
     │ ---------------------- │  time interval T3
     │ ---------------------- │
     │ <------ SYN-ACK ------ │

4.3 Static analysis

Because datagrams may cross unstable networks such as the Internet, the delays at which we receive them (R_i) are likely to differ from the delays at which they were sent (S_i). If we receive two consecutive datagrams from the target host with a measured delay of 3.01 seconds, it is very likely that they were sent 3.0 seconds apart. The problem is that some implementations use 3.2 seconds as the delay between two consecutive datagrams. The gap between 3.0 and 3.2 seconds is so small that it becomes hard to tell which system the received datagrams come from. To avoid this problem we can use the TCP timestamp option, which gives better information about when a datagram was sent. Setting the timestamp option in each datagram increases the accuracy of the results. However, using the timestamp option may also make things harder, because the option may return inaccurate time data. The method is based on acquiring a fingerprint and comparing it with the existing fingerprint database.
The usual measure of "distance" is the sum of the differences between corresponding delays:

    distance = Σ_i | R_i - S_i |

where R_i is the delay associated with the i-th received datagram and S_i is the delay of the datagram of the same rank in the fingerprint database. The most probable operating system is therefore the one whose database fingerprint has the shortest "distance" to the measured fingerprint. The "distance" does not take into account some important flags of the TCP datagram (SYN, ACK, RST, FIN ...). These flags often reveal the operating state of the target host. Sequence numbers and acknowledgement numbers can also be used to distinguish between different implementations.

5. Implementation of RING and real results

5.1 Libraries

RING is simple to develop: it uses standard C and some UNIX libraries, for example Dug Song's libdnet library, Mike D. Schiffman's libnet library, and the Lawrence Berkeley National Laboratory's libpcap library. libdnet is used to control the firewall; it provides an API for controlling several UNIX firewalls (ipchains, IPFilter, ipf ...). libpcap is used to monitor the network and capture datagrams.

5.2 Running procedure

To probe a remote host RING needs some initial parameters: the IP address of the target host, an open TCP port on the target host, the IP address of the scanning host, and the network interface used to listen for datagrams. RING then performs the following steps:
- selection of the source;
- a TCP SYN datagram is sent to probe the target host;

Even behind a firewall RING still provides very accurate results. For example, RING can tell a Windows 2000 host and a FreeBSD host apart even when they are hidden behind commonly configured firewalls. The Win2K and FreeBSD implementations have much in common because they share the same IP stack lineage. If only one port is open on these two operating systems, Nmap is usually unable to distinguish them. With a good understanding of the technique, we can additionally watch for reset datagrams for further analysis, which should be sufficient to distinguish the remote host. Comparison of Win2K and FreeBSD (the value for each system is the retransmission delay in seconds; in the table below, "1st" is the first retransmission by the remote host, the 3 under Windows 2K means the first retransmission delay of Windows 2000 is 3 seconds, and the 3 under FreeBSD 4.4 likewise means the first retransmission delay of FreeBSD 4.4 is 3 seconds):

  Retries │ Windows 2K       │ FreeBSD 4.4
  ────────┼──────────────────┼──────────────────────
  1st     │ 3                │ 3
  2nd     │ 6                │ 6
  3rd     │ no more retries  │ 12
  4th     │                  │ 24
  ────────┼──────────────────┼──────────────────────
  reset   │ no reset         │ reset after 30 sec.

RING can also distinguish different versions of the same operating system (delays in seconds; a comma is the decimal separator, so 3,5 reads as 3.5 seconds):

  Retries │ Linux 2.2.14     │ Linux 2.4
  ────────┼──────────────────┼──────────────────
  1st     │ 3,5              │ 4,26
  2nd     │ 6,5              │
  3rd     │ 12,5             │ 12
  4th     │ 24,5             │ 24
  5th     │                  │
  6th     │ 96,5             │ no more retries
  7th     │ 120,5            │
  8th     │ no more retries  │
  ────────┼──────────────────┼──────────────────
  reset   │ no reset         │ no reset

  Retries │ Windows 98       │ Windows 2K
  ────────┼──────────────────┼──────────────────
  1st     │ 3                │ 3
  2nd     │ 6                │ 6
  3rd     │ 12               │ no more retries
  4th     │ no more retries  │
  ────────┼──────────────────┼──────────────────
  reset   │ no reset         │ no reset

The following shows the differences observed on different real devices (a comma is the decimal separator):

  Retries │ Minolta printer  │ Cisco router     │ 3Com switch
  ────────┼──────────────────┼──────────────────┼─────────────
  1st     │ 4,5              │ 2                │ 3,5
  2nd     │ 4,5              │ 3,9              │ 4,4
  3rd     │ 9                │ 5,9              │ 4,4
  4th     │ 18               │ no more retries  │ 4,4
  5th     │ 36               │                  │ 4,4
  6th     │ 72               │                  │ 4,4
  7th     │ 144              │                  │ 4,4
  8th     │ 285              │                  │ 4,4
  9th     │                  │                  │ 4,4
  10th    │                  │                  │ 4,4
  11th    │ 169              │                  │ 4,4
  12th    │ 169              │                  │ 4,4
  ────────┼──────────────────┼──────────────────┼─────────────
  reset   │ reset            │ no reset         │ no reset

Note that after a series of retransmissions some systems send an RST datagram to tell the other host that the connection is terminated, and then stop retransmitting.
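The distance calculation of section 4.3 applied to the retransmission tables above, as an added example (not RING's own code): it takes a constructed list of sniffer records (timestamp, TCP flags) for packets the target sent back after an unacknowledged SYN, computes the R_i delays, and ranks a small database built from the tables; the missing-retry penalty and the use of RST behaviour as a tie-breaker are assumptions of this example.

```python
"""RING-style timing fingerprint matching (example added here; not RING's own
source).  Input is a constructed list of (timestamp_seconds, tcp_flags) records
as a sniffer would report for packets that the target's open port sent back
after our SYN went unacknowledged (the section 4.2 setup)."""
from typing import Dict, List, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

# Fingerprint database taken from the retransmission tables in section 5:
# SYN-ACK retransmission delays S_i in seconds, and whether the system
# finally sends an RST.  Decimal commas from the tables are written as dots.
FINGERPRINTS: Dict[str, Tuple[List[float], bool]] = {
    "Windows 2K": ([3.0, 6.0], False),
    "Windows 98": ([3.0, 6.0, 12.0], False),
    "FreeBSD 4.4": ([3.0, 6.0, 12.0, 24.0], True),
    "Linux 2.2.14": ([3.5, 6.5, 12.5, 24.5], False),  # first four retries only
}


def retransmission_delays(packets: List[Tuple[float, int]]) -> Tuple[List[float], bool]:
    """Return (R_1..R_n, saw_rst): the delays between consecutive SYN-ACKs
    received from the target, and whether an RST arrived at any point."""
    synack_times = [t for t, f in packets if f & SYN and f & ACK]
    saw_rst = any(f & RST for _, f in packets)
    delays = [round(b - a, 2) for a, b in zip(synack_times, synack_times[1:])]
    return delays, saw_rst


def distance(observed: List[float], reference: List[float],
             missing_penalty: float = 30.0) -> float:
    """Section 4.3 distance: sum of |R_i - S_i| over retries of the same rank.
    The article does not say how to score fingerprints of unequal length; here
    (an assumption of this example) every retry present on only one side costs
    missing_penalty seconds, so "no more retries" is itself a signal."""
    total = 0.0
    for i in range(max(len(observed), len(reference))):
        if i < len(observed) and i < len(reference):
            total += abs(observed[i] - reference[i])
        else:
            total += missing_penalty
    return total


def classify(packets: List[Tuple[float, int]], db=FINGERPRINTS):
    """Rank database entries by distance; RST behaviour breaks ties, as the
    article suggests for systems with identical delays (Win2K vs FreeBSD)."""
    delays, saw_rst = retransmission_delays(packets)
    ranked = sorted(
        (distance(delays, ref_delays), saw_rst != ref_rst, name)
        for name, (ref_delays, ref_rst) in db.items()
    )
    return ranked[0][2], ranked


# Constructed capture: SYN-ACKs at 0, 3.01, 9.02, 21.05 and 45.03 s (network
# jitter on a 3/6/12/24 s pattern), then an RST about 30 s after the last one.
CAPTURE = [(0.00, SYN | ACK), (3.01, SYN | ACK), (9.02, SYN | ACK),
           (21.05, SYN | ACK), (45.03, SYN | ACK), (75.10, RST)]

if __name__ == "__main__":
    best, ranked = classify(CAPTURE)
    print("best match:", best)
    for d, rst_mismatch, name in ranked:
        print(f"{name:14s} distance={d:6.2f} rst_mismatch={rst_mismatch}")
```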

6. Discussion and extensions

6.1 Advantages and disadvantages

The biggest advantage of the technique used in RING is that it needs only one open port. If the target host is protected by a firewall, it is likely that only one port is open and the others are filtered. With the same firewall configuration Nmap is much less effective, because it relies on some closed ports, and those closed ports are usually filtered. Moreover, RING uses standard TCP datagrams that have no adverse effect on the target host. On the other hand, this detection method needs more time than Nmap or Xprobe; this is the natural drawback of measuring delays between consecutive datagrams.

6.2 Protection

What can prevent RING from fingerprinting the operating system? Because the transmitted datagrams are standard, the target host cannot distinguish them from ordinary traffic. The retransmission of datagrams is visible, but datagram loss and retransmission happen on networks all the time. An intrusion detection system that tears down such a connection in order to prevent excessive junk traffic would reduce TCP's error rate and restore the network's capacity. On some operating systems, RING detection can be defeated by modifying the values of certain members of the TCP/IP stack, but I do not recommend this method because it seriously threatens the stability of the TCP/IP stack. Another possible way is to hide the host behind a proxy, or to use firewall technology implementing SYN forwarding or a SYN gateway. SYN forwarding and SYN gateway technologies are designed specifically to deal with SYN flood attacks.

SYN forwarding principle (note: the same name denotes the same host; a line without an arrow carries no meaning):

Client ------ SYN ------> Firewall ---------------- Target
Client <--- SYN-ACK ----- Firewall ---------------- Target

If the firewall does not receive the expected ACK datagram within a certain time, the connection is aborted:

Client <------ RST ------- Firewall ---------------- Target

Otherwise, the connection proceeds:

Client ---------------- Firewall ------- SYN ------> Target
Client ------ ACK ------> Firewall <--- SYN-ACK ----- Target
Client ---------------- Firewall ------- ACK ------> Target

SYN gateway principle:

Client ------ SYN ------> Firewall ------- SYN ------> Target
Client <--- SYN-ACK ----- Firewall <--- SYN-ACK ----- Target

If the firewall does not receive the expected ACK datagram within a certain time, it aborts the connection:

Client ---------------- Firewall ------ RST ------> Target

Otherwise, the connection continues:

Client ------ ACK ------> Firewall ------ ACK ------> Target

6.3 Future improvements

There is another state in the TCP stream that behaves the same way, retransmitting a datagram assumed to have been dropped: the FIN_WAIT_1 state. It can be used together with the previous detection technique, or to probe systems behind SYN protection. This interesting technique can fingerprint the true target host through a network protected by a SYN gateway mechanism. The FIN_WAIT_1 retransmission delays measured (in seconds; a comma is the decimal separator):

  Retries │ Linux 2.4        │ Windows 2K
  ────────┼──────────────────┼──────────────────
  1st     │ 0,8              │ 3
  2nd     │ 1,3              │ 6
  3rd     │ 2,6              │ 12
  4th     │ 5,2              │ 24
  5th     │ 10,5             │ 48
  6th     │ 20,8             │ no more retries
  7th     │ 41,6             │
  8th     │ no more retries  │
  ────────┼──────────────────┼──────────────────
  reset   │ no reset         │ no reset

7. Conclusion

RING uses a new operating system detection technique based on ordinary, risk-free TCP transmission. It determines the fingerprint of the remote operating system by analysing the delays between the target host's retransmitted datagrams. Combined with other operating system detection techniques, it should give even better results.

References:
1) "Ring - full paper", Intranode Research Team
2) "Remote OS detection via TCP/IP Stack FingerPrinting", Fyodor
3) "ICMP based remote OS TCP/IP stack fingerprinting techniques", Ofir Arkin & Fyodor Yarochkin

Please credit the original source when reposting: https://www.9cbs.com/read-84884.html
