
In cybersecurity, fingerprinting is a technique for identifying the type, version, configuration and other details of a target system or service by analysing its characteristic behaviour and output. Much as a physical fingerprint identifies a person, a system's fingerprint identifies what is running on it. Both attackers and defenders use this information to plan their next steps: an attacker to choose exploits, a defender to know what is exposed. This article discusses the classification, uses, tools and defences of fingerprint detection in detail.
I. Classification of fingerprint detection
Fingerprint detection can be classified into two categories, active fingerprint detection and passive fingerprint detection, based on whether or not it actively interacts with the target system.
1. Active fingerprint detection
Active fingerprint detection refers to sending a specific detection request or packet to the target system by taking the initiative and analysing the response data returned by the target to infer its feature information.
This method has a high degree of accuracy, but also carries some risk, as it may alert the target system and increase the probability of detection.
Common means of active fingerprint detection include:
:: Protocol interaction::By interacting with the protocol stack of the target system it is possible to identify its operating system type.
For example, Nmap's -O option identifies the operating system by analysing differences in TCP/IP stack behaviour. Details of how the stack is implemented (initial TTL, window size, TCP option ordering, responses to unusual flag combinations, timing, etc.) differ from one operating system to another and so reveal the system type.
:: Service version detection::An attacker sends a request to a specific port on the target system (e.g. HTTP, SSH, etc.) and analyses the returned banner to infer the version of the service behind it.
For example, an HTTP server may return a banner such as "Apache/2.4.29 (Ubuntu)", which gives the attacker the web server type and version and a clue to the operating system distribution.
:: Special packet detection::An attacker sends unusually formatted or uncommon packets and observes how the target system handles them.
For example, whether a packet with an invalid checksum or an illegal flag combination is answered at all, and the rules by which initial sequence numbers and IP IDs are generated, may reveal the type or configuration of the target system.
2. Passive fingerprint detection
Passive fingerprint detection differs from active detection in that it does not interact directly with the target system, but rather infers the characteristics of the target by listening to and analysing the data traffic transmitted by the target system in the network. Since this approach does not involve direct interaction, it is relatively covert and not easily detected by the target.
Common passive fingerprint detection methods include:
:: Analysis of traffic patterns::The data traffic that a host generates varies from one operating system and application to another. An attacker can analyse the TTL (Time-to-Live) value, the TCP window size and other header characteristics to infer the operating system of the target. Because every router on the path decrements the TTL, the observed value is rounded up to the nearest common default (64, 128 or 255) to recover the initial TTL, and the difference gives the number of hops to the target.
Different operating systems handle network packets differently, so the details of the traffic reflect the characteristics of the system.
:: Application layer profiling::Some application protocols (e.g. HTTP, SMTP, etc.) carry specific identification information during communication.
For example, the "Server" field in an HTTP response header usually names the type and version of the web server. In addition, the organisational information and public key algorithms in SSL/TLS certificates, and the cipher suites and extensions offered in the TLS handshake itself, can be used as a basis for fingerprinting.
:: Characterisation of equipment::In fingerprinting of Internet of Things (IoT) devices, a particular device may have unique communication behaviours or a MAC address prefix (the OUI, which identifies the manufacturer), and these features can be used to identify the device type or vendor.
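The TTL and window-size reasoning above, worked through as an added Python example (this is not code from the original article or from any of the tools it names). It parses a raw IPv4/TCP header, rounds the observed TTL up to the nearest common default (64, 128, 255) to recover both the likely initial TTL and the hop count, and looks the SYN window up in a small table. The signature tables and the three sample packets are constructed for illustration; a real passive fingerprinter such as p0f carries far larger signature databases and also examines MSS, window scaling and TCP option order.

```python
import struct

# Illustrative signature tables (constructed for this example). A real passive
# fingerprinter such as p0f carries far larger databases and also uses MSS,
# window scaling and TCP option order.
INITIAL_TTL_FAMILIES = {
    64: "Linux / BSD / macOS",
    128: "Windows",
    255: "Solaris / many routers and embedded stacks",
}
WINDOW_HINTS = {
    8192: "Windows 7/8 style initial window",
    29200: "older Linux initial window",
    64240: "modern Linux or Windows 10/11 (shared value, not decisive)",
    65535: "BSD / macOS / some embedded stacks",
}

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte header without options
TCP_HDR = struct.Struct("!HHIIBBHHH")      # 20-byte header without options


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract the few header fields a passive fingerprinter looks at."""
    (ver_ihl, _tos, _length, _ident, flags_frag, ttl, proto,
     _csum, src, _dst) = IPV4_HDR.unpack_from(packet, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError("not a TCP segment")
    ihl = (ver_ihl & 0x0F) * 4  # IP options, if any, shift the TCP header
    (sport, dport, _seq, _ack, _offset, tcp_flags, window,
     _tcsum, _urg) = TCP_HDR.unpack_from(packet, ihl)
    return {
        "src": ".".join(str(b) for b in src),
        "sport": sport,
        "dport": dport,
        "ttl": ttl,
        "df": bool(flags_frag & 0x4000),           # Don't Fragment bit
        "syn_only": (tcp_flags & 0x12) == 0x02,   # SYN set, ACK clear
        "window": window,
    }


def guess_initial_ttl(observed: int):
    """Round up to the nearest common default TTL; the gap is the hop count."""
    for initial in sorted(INITIAL_TTL_FAMILIES):
        if observed <= initial:
            return initial, initial - observed
    return None, None


def passive_fingerprint(packet: bytes) -> dict:
    """Infer the OS family from a captured SYN without sending anything back."""
    fields = parse_ipv4_tcp(packet)
    initial, hops = guess_initial_ttl(fields["ttl"])
    fields["initial_ttl"] = initial
    fields["hops"] = hops
    fields["os_family"] = INITIAL_TTL_FAMILIES.get(initial, "unknown")
    # The advertised window only carries meaning on the initial SYN
    fields["window_hint"] = (WINDOW_HINTS.get(fields["window"], "no match")
                             if fields["syn_only"] else "not a SYN")
    return fields


def build_syn(src: str, ttl: int, window: int, df: bool = True) -> bytes:
    """Constructed sample SYN (not a real capture); checksums left at zero."""
    src_bytes = bytes(int(o) for o in src.split("."))
    ip = IPV4_HDR.pack(0x45, 0, 40, 0x1234, 0x4000 if df else 0,
                       ttl, 6, 0, src_bytes, bytes([10, 0, 0, 1]))
    tcp = TCP_HDR.pack(40000, 80, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    samples = [
        build_syn("192.0.2.10", 61, 29200),            # Linux host three hops away
        build_syn("198.51.100.7", 117, 8192),          # Windows host eleven hops away
        build_syn("203.0.113.5", 250, 4128, df=False),  # router-like stack
    ]
    for pkt in samples:
        fp = passive_fingerprint(pkt)
        print(f"{fp['src']:>14}  ttl={fp['ttl']:<3} -> initial {fp['initial_ttl']} "
              f"({fp['hops']} hops)  df={fp['df']}  win={fp['window']:<5} "
              f"{fp['os_family']}; window: {fp['window_hint']}")
```

The TTL rule is the one real tools rely on most, because a host cannot hide its default TTL without a kernel change; the window table is only corroboration, since modern Linux and Windows advertise the same value.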
II. Uses of fingerprint detection
Fingerprint probing techniques have a wide range of application areas, including both attacker and defender use. The core purpose of fingerprint probing, for both attackers and defenders, is to obtain detailed information about a system or service in order to formulate a strategy for subsequent attacks or defences.
1. Attacker's perspective
For an attacker, fingerprint probing is an important step before carrying out an attack. Through fingerprint probing, an attacker can obtain the following information:
:: Identify target vulnerabilities::By identifying the operating system version or service version of a target system, an attacker can determine whether the system has a known vulnerability. For example, certain versions of the Apache server may have remote code execution vulnerabilities, while certain versions of the Windows operating system may have SMB vulnerabilities, and so on.
:: Customised attack payloads::Different operating systems or services require different attack methods. An attacker can tailor a payload to the results of fingerprint probing: the techniques that work against a Windows system differ from those for a Linux system, and fingerprinting helps the attacker choose the most appropriate one.
2. Defender's perspective
Defenders use fingerprint detection to help them better protect their systems from attacks:
:: Monitoring of network assets::By performing regular fingerprinting, defenders can identify unauthorised devices or services on the network. For example, an unauthorised device may be detected by a specific MAC address or service version, allowing timely action to be taken to quarantine or remove it.
:: Detection of unusual behaviour::Some malware or attackers masquerade as legitimate services or devices. Through fingerprint detection the defender can see through these disguises: a host claiming to be a web server whose fingerprint does not match the legitimate server's stands out, and the defender can catch the anomaly in time.
III. Common fingerprint detection tools
Fingerprint detection cannot be done without some specialised tools; here are a few common ones:
● Nmap
- Official address. https://nmap.org/
- Open source address. https://github.com/nmap/nmap
Nmap is one of the most commonly used network scanning tools and provides a variety of fingerprinting features, including service version detection (-sV) and operating system identification (-O). Nmap infers the target's operating system, open ports, service versions and more by interacting with the target's protocol stack.
● Masscan
Masscan is a high-performance port scanner capable of sweeping very large IP address ranges in a fraction of the time Nmap needs. It sends the same kind of SYN probes as Nmap's default scan but uses its own asynchronous user-space TCP/IP stack, so it is built for raw speed rather than depth of analysis. It is used to discover open ports across a large address space, optionally collecting simple banners (--banners), with Nmap then run against the hits for service version probing and fingerprinting.
- Open source address. https://github.com/robertdavidgraham/masscan
● Wireshark
Wireshark is a powerful network analysis tool used for passive fingerprinting by capturing and analysing network traffic. Wireshark supports in-depth analysis of a wide range of protocols, including TCP, HTTP, SSL/TLS, etc., and helps defenders identify anomalous traffic patterns in the network.
- Official address. https://www.wireshark.org/
- Open source address. https://github.com/wireshark/wireshark
● FOFA
FOFA is a search engine that specialises in discovering devices exposed on the Internet. It continuously scans and fingerprints publicly reachable hosts and indexes the results, including web servers, routers, surveillance cameras, etc., so that security researchers can find exposed devices that may have security vulnerabilities. Shodan, ZoomEye and 360 Quake are similar services.
- Official address. https://fofa.info/
- Open source address: no public open source version (commercial service)
● Netcat
Netcat (nc) is a simple but powerful networking tool that opens TCP or UDP connections and can be used to test connectivity, transfer data and probe remote services. Although Netcat itself is not a dedicated fingerprinting tool, it can be used to send a probe request by hand and read the target's response, which often contains fingerprinting information.
- Open source address. https://github.com/diegocr/netcat
● WhatWeb
WhatWeb is a web application fingerprinting tool designed to identify the type and version of web servers, CMS (Content Management Systems), web frameworks, plug-ins, and more. It performs fingerprinting by sending specific HTTP requests and analysing feature information in the response.
- Open source address. https://github.com/urbanadventurer/WhatWeb
● XProbe2
XProbe2 is an open source remote OS fingerprinting tool. It sends a series of specific packets (largely ICMP) and analyses the target's responses to infer the type and version of the operating system.
- Open source address. https://github.com/eternalblue-xploit/xprobe2
● P0f
p0f is a passive OS fingerprinting tool that listens to network traffic (without interacting with the target system) to infer the OS type and version of the hosts it sees. Unlike active fingerprinting tools, p0f never sends a probe packet of its own, so the target cannot detect it.
- Open source address. https://github.com/holman/p0f
● Banner Grabbing
Banner Grabbing is a method of obtaining Banner messages returned by a target host by connecting to its specific port (e.g. HTTP, SSH, etc.). These Banner messages usually contain the type, version and other key information about the target service.
- Official address: There is no single official address, usually Banner Grabbing is done through tools like Netcat, Nmap, Telnet, etc.
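Banner grabbing, as described in the service version detection item of the active section and in the tool entry just above, shown as an added Python example rather than the article's or any tool's own code. It starts two throw-away loopback services whose banners are constructed to match the article's examples (an SSH-style service that speaks first, and an HTTP-style service that answers a HEAD request), grabs each banner over a plain TCP socket the way nc or telnet would, and parses product and version out of it. The banner strings and the probe are assumptions chosen for illustration.

```python
import re
import socket
import threading

# Constructed banners standing in for real services (illustrative values that
# mirror the article's examples, not captured from any real host).
FAKE_SSH_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n"
FAKE_HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                      b"Server: Apache/2.4.29 (Ubuntu)\r\n"
                      b"Content-Length: 0\r\n\r\n")
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def _serve_once(listener: socket.socket, banner: bytes, wait_for_request: bool) -> None:
    """Accept one client, then either speak first (SSH style) or answer a request (HTTP style)."""
    try:
        conn, _ = listener.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)
            conn.sendall(banner)
    finally:
        listener.close()


def start_fake_service(banner: bytes, wait_for_request: bool) -> int:
    """Start a throw-away loopback service on an ephemeral port and return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_once,
                     args=(listener, banner, wait_for_request), daemon=True).start()
    return listener.getsockname()[1]


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 3.0) -> str:
    """Connect, optionally send a probe, and return the first thing the service says."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        return sock.recv(4096).decode("latin-1", errors="replace")


def parse_banner(banner: str) -> dict:
    """Pull product and version out of the two banner styles discussed in the text."""
    m = re.match(r"SSH-(?P<proto>[\d.]+)-(?P<product>[A-Za-z]+)_(?P<version>\S+)", banner)
    if m:
        return {"service": "ssh", "product": m["product"], "version": m["version"]}
    m = re.search(r"^Server:\s*(?P<product>[^/\r\n]+)/(?P<version>\S+)", banner, re.M)
    if m:
        return {"service": "http", "product": m["product"], "version": m["version"]}
    return {"service": "unknown", "product": None, "version": None}


def grab_and_parse_samples() -> list:
    """Run both grabs against the fake services and return the parsed results."""
    ssh_port = start_fake_service(FAKE_SSH_BANNER, wait_for_request=False)
    http_port = start_fake_service(FAKE_HTTP_RESPONSE, wait_for_request=True)
    results = []
    for port, probe in ((ssh_port, b""), (http_port, HTTP_PROBE)):
        raw = grab_banner("127.0.0.1", port, probe)
        parsed = parse_banner(raw)
        parsed["raw"] = raw.strip().splitlines()[0]
        results.append(parsed)
    return results


if __name__ == "__main__":
    for r in grab_and_parse_samples():
        print(f"{r['service']:<7} {r['product']} {r['version']}  <- {r['raw']}")
```

The two cases differ in who speaks first: an SSH server volunteers its banner on connect, so a bare connection is enough, while an HTTP server says nothing until it receives a request, which is why the grabber takes an optional probe. Against a real host the same calls are made with the target's address, and the parsed version is what gets looked up against vulnerability databases.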
IV. Defences against fingerprint detection
For defenders, the key to preventing fingerprint detection is to minimise the amount of sensitive information that is exposed and to adopt obfuscation techniques as well as encrypted communications to reduce the risk of detection.
1. Minimising exposure
● Close unnecessary services and ports: Do not expose unrelated services to the Internet, regularly check the open ports of your system, and close unnecessary ports and services.
● Modify or hide Banner information: Many services return a Banner message at startup informing the client of their type and version. To reduce the risk of fingerprinting, this information can be modified or hidden through configuration, for example by modifying the "Server" field of the web server to avoid revealing detailed version information.
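A check for the banner-disclosure point above, as an added Python example (not the article's own code). It parses the head of an HTTP response, flags headers that reveal a product or version to a probe, and runs over two constructed responses: one with stock Apache and PHP headers and one after the banner has been reduced. The header list is an assumption chosen for illustration.

```python
import re

# Headers that commonly leak product or version details to a probe. The list is
# an assumption chosen for illustration; extend it for the stacks you run.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response_head(raw: str) -> dict:
    """Return the headers of an HTTP response as a lower-cased name -> value map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_disclosure(raw: str) -> list:
    """List (header, value, finding) triples for every header that gives a probe a foothold."""
    findings = []
    headers = parse_response_head(raw)
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "version disclosed"))
        elif name != "server":
            # A bare product name in Server is the most Apache/nginx will hide
            # through configuration; any other technology header is pure leakage.
            findings.append((name, value, "technology disclosed"))
    return findings


# Constructed responses: stock configuration versus reduced banners.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.4.29 (Ubuntu)\r\n"
          "X-Powered-By: PHP/7.2.24\r\n"
          "Content-Type: text/html\r\n\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Server: Apache\r\n"
         "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        findings = audit_disclosure(raw)
        print(f"{label}: {len(findings)} finding(s)")
        for name, value, what in findings:
            print(f"  {name}: {value!r} -> {what}")
```

The second response is what Apache produces with ServerTokens Prod and ServerSignature Off, nginx with server_tokens off, and PHP with expose_php = Off. Note that ServerTokens Prod still reveals that the server is Apache, and a probe that relies on other behaviour (error page layout, header ordering) can usually tell products apart even then; the goal is to deny the version, not to become invisible.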
2. Obfuscating fingerprints
● Use of obfuscation techniques: At the application layer, a WAF or reverse proxy (e.g. ModSecurity, whose SecServerSignature directive rewrites the Server header, or a fronting nginx) can present one generic banner regardless of what runs behind it. At the transport layer, stack characteristics such as the default TTL or the TCP window can be changed (e.g. the Linux sysctl net.ipv4.ip_default_ttl, or packet normalisation with pf's scrub on BSD firewalls) so that traffic pattern analysis no longer matches the stock signature. Note that this only makes the fingerprint unfamiliar, not absent, and changing stack parameters can affect performance and interoperability.
● Use of intrusion detection systems: Some Intrusion Detection Systems (IDS) can identify and block fingerprint probing behaviour, detecting and responding to anomalous probe requests in time.
3. Encryption and authentication
● Encrypted communication using VPN or TLS: Encrypting traffic with TLS or a VPN hides application-layer content (banners, Server headers) from passive observers and so raises the difficulty of fingerprint detection. It does not remove the fingerprint entirely: the TLS handshake is sent in clear, and the parameters it carries (the cipher suites and extensions offered, the SNI name, the server certificate) are themselves widely used as fingerprints. A VPN hides even those from anyone outside the tunnel, but the VPN endpoint is then what gets fingerprinted.
● Restriction of unauthorised access: Configure firewall rules, IP whitelisting and other means to restrict access to the target service to authorised users only, reducing the possibility of malicious probes.
4. Regular updates
● Timely patching of vulnerabilities: Regularly check for security updates to systems and software to avoid exploitation of known vulnerabilities due to version exposure.
V. Conclusions
Fingerprint detection technology plays an important role in network security and can be used by both attackers and defenders to obtain detailed information about the target system so that they can formulate appropriate strategies.
As cyber-attack methods continue to evolve, defenders need to strengthen their defences against fingerprint detection by minimising exposed information, obfuscating fingerprints and encrypting communications.
At the same time, regularly updating systems, patching vulnerabilities and staying alert to fingerprint detection are important measures to ensure network security.