Hershel: Single-Packet OS Fingerprinting

Traditional TCP/IP fingerprinting tools (e.g., nmap) are poorly suited for Internet-wide use because of the large amount of traffic they generate and the intrusive nature of their probes. This can be overcome by approaches that rely on a single SYN packet to elicit a vector of features from the remote server. However, these methods face difficult classification problems because the features are highly volatile and carry severely limited amounts of information. Since these techniques have not been studied before, we first develop a stochastic theory of single-packet OS fingerprinting, build a database of 116 OSs, design a classifier based on our models, evaluate its accuracy in simulations, and then perform OS classification of 37.8M hosts from an Internet-wide scan.
