TCP/IP fingerprinting is based upon the server's response to strange IP packets or buggy responses. If you send an erroneous packet, the server's response varies from OS to OS. If the packet is right it should be answered in only one way, so detecting bugs makes fingerprinting easier :)
Take a look at nmap's site :) http://www.insecure.org

Passive OS fingerprinting is less accurate because we can't send any packet expecting a response; we only see incoming packets :/

Is the HURD's IP stack a port of Linux's stack? If so, HURD would be detected as that Leenucks version :/

On Thursday 24 January 2002 15:40, Patrick Strasser wrote:
> Oystein Viggen wrote:
> > * [Sean Neakums]
> >
> >>AFAIR, they use the "Server:" header in the HTTP response to determine
> >>the OS of the server, rather than fingerprinting the TCP/IP stack.
> >>But I could be wrong.
> >
> > They use something they call "passive tcp fingerprinting". I don't know
> > exactly what that implies. The Server header is not used for OS
> > detection, at least not for Linux.
>
> You seem to be right... Netcraft has at least once fingerprinted an
> apache server running on the Hurd. It was hurd.dyndns.org operated by
> James Morrison (could not connect to, seems to be down). Netcraft says:
>
> "The site hurd.dyndns.org is running Apache/1.3.19 (Unix)
> Debian/hurd-i386 on Linux."
>
> So Netcraft sees a Linux Box. I don't think the Server String is
> reliable for getting the OS. We have to change the IP stack slightly to
> be recognised ;)

Sure! Take a look at ip-personality patch 4 linux ;)

Best regards,
Kenneth Peiruza
Networks Engineer
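
Added example, not part of the original message or of any tool named in it: a sketch of what a passive observer can read from a single incoming TCP SYN, and why two hosts that share an IP stack yield the same signature whatever their "Server:" header says. The choice of fields (initial TTL, DF bit, window, MSS, option order), the hosts and the "stack A"/"stack B" option strings are assumptions constructed for illustration.

```python
import struct

NAMES = {2: "mss", 3: "ws", 4: "sackok", 8: "ts"}  # TCP option kinds

def passive_signature(packet):
    """Stack-dependent fields visible in one raw IPv4 packet carrying a TCP SYN."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    if ihl < 20 or len(tcp) < 20 or not tcp[13] & 0x02:
        raise ValueError("not a TCP SYN")
    end = (tcp[12] >> 4) * 4
    if end < 20 or end > len(tcp):
        raise ValueError("bad TCP data offset")
    layout, mss, i = [], None, 20
    while i < end and tcp[i] != 0:          # kind 0 ends the option list
        kind = tcp[i]
        if kind == 1:                       # NOP is a single byte
            layout.append("nop")
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            raise ValueError("malformed TCP option")
        if kind == 2 and tcp[i + 1] == 4:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]
        layout.append(NAMES.get(kind, "opt%d" % kind))
        i += tcp[i + 1]
    # Heuristic (assumption): senders start from a common TTL and hops only lower it.
    ttl = next(t for t in (32, 64, 128, 255) if packet[8] <= t)
    window = struct.unpack("!H", tcp[14:16])[0]
    return (ttl, bool(packet[6] & 0x40), window, mss, tuple(layout))

def build_syn(ttl, window, options):
    """Constructed sample input: minimal SYN with DF set, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      (20 + len(options)) // 4 << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp

OPTS_A = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")
OPTS_B = bytes.fromhex("020405b4" "01030308" "01010402")  # both constructed
HOST_1 = build_syn(57, 5840, OPTS_A)   # hypothetical stack A
HOST_2 = build_syn(61, 5840, OPTS_A)   # another host, same stack A
HOST_3 = build_syn(119, 8192, OPTS_B)  # hypothetical stack B

for name, pkt in (("host1", HOST_1), ("host2", HOST_2), ("host3", HOST_3)):
    print(name, passive_signature(pkt))
```

host1 and host2 print the same tuple even though they are different machines seen at different hop counts, which is the situation the Netcraft report quoted above would correspond to if the two systems share a stack.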