SinFP, TCP options, and tool redux

SinFP is the shiznet. Why?
0) Map out open firewall ports to backend hosts. This is very nice.
1) Only a single open port is required (how many times do you actually get both CLOSED and OPEN ports in a pen-test against a hardened server? Uh, never).
2) Fast (3 packets).
3) Relatively stealthy (how many IDS engines are flagging on valid SYN packets with valid options?).

IMO, there are 2 major players in the OS fingerprinting space. Namely, nmap and xprobe2. I’m not gonna waste your time running tests against tons of different boxes. Let’s just run the 3 tools against my win2k3 SP1 server which is running without any firewalls (for the benefit of this test)…

First up, we have the incumbent champion nmap. Nmap steps up to the plate…there’s the pitch…the swing…
OS details: Microsoft Windows .NET Enterprise Server (build 3604-3790)

Ouch. Swing and miss. Nmap is batting .000

Next up is xprobe2. The swing, swing, swing, swing, swing, …, swing
[+] Host 10.10.10.8 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 100%)
[+] Other guesses:
[+] Host 10.10.10.8 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows NT 4 Workstation" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows NT 4 Workstation Service Pack 4" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows NT 4 Server Service Pack 1" (Guess probability: 100%)
[+] Host 10.10.10.8 Running OS: "Microsoft Windows NT 4 Server Service Pack 5" (Guess probability: 100%)

That’s just ugly. 10 swings and one foul tip. Xprobe2 is batting .050.

Next up is the relative newcomer, SinFP. Here comes the pitch…the swing:
IPv4: HEURISTIC0/P1P2P3: Windows: Microsoft: Windows: 2000
IPv4: HEURISTIC0/P1P2P3: Windows: Microsoft: Windows: 2003 (SP1)

SinFP bats .500.

Playing with SinFP made me curious (again) about how devices handle bogus options data. It had been a few years, so I wrote a quick script that ran 7 elementary tests:

0) The options section is limited to 40 bytes. Let's go past that boundary.
1) Options are of the format [KIND][LEN][values]. Give a bogus LEN byte.
2) Insert an arbitrary EOL.
3) Fiddle around with the reserved KINDs (27-255).
4) Runts with a bogus TCP offset.
5) Giants with a bogus TCP offset.
6) Replay options (i.e. keep repeating the same KIND, LEN, VALUE until we get close to 40 bytes).

While testing, I segfaulted a very, very popular open source IDS package. I leave the exact option packet and the buggy software as an exercise to the astute reader ;)

Other ‘devices’ have similar difficulties.
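For the defender's side of the same list, here is an added example (my code, not the author's test script) of an options parser that refuses each of those malformed cases instead of trusting the LEN byte. It assumes only MSS, window scale, SACK-permitted, SACK and timestamps are modelled (anything else is recorded as unknown), and the sample inputs in the comments are constructed.

```python
MAX_OPTIONS_LEN = 40  # 4-bit data offset -> 60-byte header max -> 40 option bytes
EOL, NOP, SACK = 0, 1, 5  # EOL/NOP are single bytes; SACK is 2 + 8 bytes per block
FIXED_LEN = {2: 4, 3: 3, 4: 2, 8: 10}  # MSS, window scale, SACK-permitted, timestamps


def parse_tcp_options(raw: bytes):
    """Return (options, issues) for a TCP options area.

    options: accepted (kind, value_bytes) entries; issues: strings describing
    anything malformed. A consumer (IDS, fingerprinter) should treat a non-empty
    issues list as "do not trust this header" instead of indexing past it.
    """
    options, issues, seen = [], [], set()
    if len(raw) > MAX_OPTIONS_LEN:  # test 0 from the post: past the 40-byte boundary
        return options, [f"options area is {len(raw)} bytes, max {MAX_OPTIONS_LEN}"]
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:  # EOL ends the list; the rest should be zero padding
            if any(raw[i + 1:]):
                issues.append(f"non-zero bytes after EOL at offset {i}")
            break
        if kind == NOP:
            i += 1
            continue
        # a missing length byte is treated like a bogus length of 0
        length = raw[i + 1] if i + 1 < len(raw) else 0
        # bogus LEN: 0 or 1 never advances (or steps backwards); anything larger
        # than what remains would read past the end of the header
        if length < 2 or i + length > len(raw):
            issues.append(f"kind {kind} at offset {i} has bogus length {length}")
            break
        if kind in FIXED_LEN and length != FIXED_LEN[kind]:
            issues.append(f"kind {kind} has length {length}, expected {FIXED_LEN[kind]}")
            break
        if kind == SACK and (length - 2) % 8:
            issues.append(f"SACK length {length} is not 2 + 8n")
            break
        if kind in seen:  # replayed options: same KIND repeated to fill 40 bytes
            issues.append(f"kind {kind} repeated at offset {i}")
        seen.add(kind)
        if kind not in FIXED_LEN and kind != SACK:
            # reserved or unmodelled kind (the post's 27-255 among them): keep the
            # value opaque, record it, and keep parsing
            issues.append(f"unknown kind {kind} at offset {i}")
        options.append((kind, bytes(raw[i + 2:i + length])))
        i += length
    return options, issues
```

A constructed Windows-style SYN (MSS 1460, NOP, WScale 0, NOP, NOP, SACK-permitted) parses cleanly, while a LEN byte of 0, an option that overruns the area, or 41 bytes of options all come back with an issue and nothing read past the buffer.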

Fyodor’s top (50 * 2) is out. Is it just me, or has not much changed over the years?

Peace be unto Ye

!Dmitry
