Friday, April 27, 2007

TCPdump: Privilege Dropping & Passive OS Fingerprinting

I never really noticed this until today. OpenBSD has made a lot of modifications to tcpdump, and privilege dropping is just one of the features; you can check out all of OpenBSD's change logs to date here -

http://www.openbsd.org/plus41.html

In fact, if you navigate through the changes from release to release and search for the tcpdump keyword, you will find what was improved and fixed.

Another interesting feature is passive operating system fingerprinting, which is built into pf and tcpdump (for both IPv4 and IPv6); you can turn it on in tcpdump with the -o option -

shell>tcpdump -o -nni em0
01:57:33.265112 211.75.232.180.54452 > 1.2.3.4.25: S (src OS: unknown) 1591369098:1591369098(0) win 5840 (DF)
01:57:38.819585 89.1.209.9.4723 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 2701955957:2701955957(0) win 65535 (DF)
01:57:41.343984 89.1.209.9.2506 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.057512 201.244.249.179.3015 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 645056554:645056554(0) win 65535 (DF)
01:57:44.342456 89.1.209.9.2506 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 360732020:360732020(0) win 65535 (DF)
01:57:44.438020 89.1.209.9.1479 > 1.2.3.4.25: S (src OS: Windows XP SP1, Windows 2000 SP4) 416546610:416546610(0) win 65535 (DF)
01:58:03.762505 202.74.217.6.1713 > 1.2.3.4.25: S (src OS: Windows 2000 RFC1323, Windows XP RFC1323) 478012651:478012651(0) win 65535 (DF)

It makes use of the p0f database but only performs the fingerprinting on TCP packets with the SYN flag set (p0f itself is more powerful, as it also works with packets carrying other flags). Still, tcpdump should be able to give you a quick glance at the remote operating system that is probing you.
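To show what tcpdump -o is actually doing when it prints "src OS: ...", here is an added example (my own code, not OpenBSD's tcpdump or p0f) that extracts the p0f-style SYN signature (window size, TTL, DF bit, total header length, TCP option layout) from a raw IPv4 packet and matches it against a small signature table. The table entries, the sample packets and the label strings are constructed for illustration and are not copied from the OpenBSD p0f.fp database; like tcpdump -o, the parser only fingerprints bare SYNs and returns None for anything else, and it does not compute the p0f "quirks" field (always "."):

```python
import struct

# Constructed, illustrative table in the p0f v2 format
# window:ttl:df:header_len:options:quirks -> label.
# "M*" / "W*" accept any MSS / window-scale value.
SIGNATURES = {
    "65535:128:1:48:M*,N,N,S:.": "Windows XP SP1, Windows 2000 SP4",
    "5840:64:1:60:M*,S,T,N,W*:.": "Linux 2.4/2.6",
}

def parse_tcp_options(raw):
    """Turn raw TCP option bytes into p0f-style tokens:
    M=MSS, W=window scale, S=SACK permitted, T=timestamp, N=NOP, E=EOL."""
    tokens, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # end of option list
            tokens.append("E")
            break
        if kind == 1:                      # NOP has no length byte
            tokens.append("N")
            i += 1
            continue
        if i + 1 >= len(raw):              # truncated option header
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):   # malformed length
            break
        data = raw[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            tokens.append("M%d" % struct.unpack("!H", data)[0])
        elif kind == 3 and len(data) == 1:
            tokens.append("W%d" % data[0])
        elif kind == 4:
            tokens.append("S")
        elif kind == 8 and len(data) == 8:
            tokens.append("T")
        else:
            tokens.append("?%d" % kind)
        i += length
    return tokens

def syn_signature(packet):
    """Return (signature, src_ip) for an IPv4 packet carrying a bare TCP SYN,
    or None for anything else (non-IPv4, non-TCP, SYN+ACK, truncated)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    df = 1 if struct.unpack("!H", packet[6:8])[0] & 0x4000 else 0
    src_ip = ".".join(str(b) for b in packet[12:16])
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x10) or len(tcp) < data_off:
        return None                        # only SYN without ACK is fingerprinted
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = ",".join(parse_tcp_options(tcp[20:data_off])) or "."
    return "%d:%d:%d:%d:%s:." % (window, ttl, df, ihl + data_off, opts), src_ip

def _token_ok(pattern, value):
    return pattern == value or (pattern.endswith("*") and value.startswith(pattern[:-1]))

def match_signature(sig, table=SIGNATURES):
    """Look a signature up in the table, honouring the M*/W*/"*" wildcards."""
    s = sig.split(":")
    for pattern, label in table.items():
        p = pattern.split(":")
        if len(p) != 6 or len(s) != 6:
            continue
        p_opts, s_opts = p[4].split(","), s[4].split(",")
        if (all(_token_ok(a, b) for a, b in zip(p[:4], s[:4]))
                and len(p_opts) == len(s_opts)
                and all(_token_ok(a, b) for a, b in zip(p_opts, s_opts))
                and p[5] == s[5]):
            return label
    return "unknown"

def fingerprint(packet):
    """OS label for a bare SYN, 'unknown' if unmatched, None if not a bare SYN."""
    result = syn_signature(packet)
    return None if result is None else match_signature(result[0])

def build_syn(src_ip, ttl, df, window, options, flags=0x02):
    """Construct an IPv4+TCP packet for testing (checksums left zero; the
    fingerprinter does not verify them). Options are padded with NOPs."""
    options += b"\x01" * (-len(options) % 4)
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 54452, 25, 1591369098, 0,
                      (tcp_len // 4) << 4, flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([1, 2, 3, 4]))
    return ip + tcp

# Constructed sample packets (MSS 1460 = \x05\xb4; TS option body is 8 bytes)
WINDOWS_SYN = build_syn("89.1.209.9", 128, 1, 65535,
                        b"\x02\x04\x05\xb4\x01\x01\x04\x02")            # M1460,N,N,S
LINUX_SYN = build_syn("10.0.0.7", 64, 1, 5840,
                      b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\x00" * 8 + b"\x01\x03\x03\x07")  # M1460,S,T,N,W7
UNKNOWN_SYN = build_syn("10.0.0.9", 255, 0, 4096, b"")                   # no options
SYN_ACK = build_syn("10.0.0.9", 64, 1, 5840, b"", flags=0x12)            # skipped

if __name__ == "__main__":
    for pkt in (WINDOWS_SYN, LINUX_SYN, UNKNOWN_SYN, SYN_ACK):
        res = syn_signature(pkt)
        if res:
            print("%s  %s  (src OS: %s)" % (res[1], res[0], match_signature(res[0])))
```

The "unknown" result for the last SYN mirrors the first line of the tcpdump output above: a SYN whose window, TTL and option layout are not in the database gets no label, which is also why the same source can show a label on one connection and "unknown" on another if its stack changes options (for example after path-MTU changes or on a different interface).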

Kudos to the OpenBSD team for it. By the way, I bet you all can't wait for this -

http://www.openbsd.org/41.html

Peace ;]

1 comment:

Anonymous said...

Neat tcpdump feature, I think it belongs there. I wonder if tcpdump.org will take this in as I'd really like it on other OSs I need to use :)