Passive TCP/IP Fingerprinting Tool. Run this on your server and find out what Operating Systems your clients are *really* using.

Related tags

Networkingzardaxt
Overview

Passive TCP/IP Fingerprinting

This is a passive TCP/IP fingerprinting tool. Run this on your server and find out what operating systems your clients are really using. This tool considers only the fields and options from the very first incoming SYN packet of the TCP 3-Way Handshake. Nothing else is considered.

Why?

  • p0f is dead. It's database is too old. Also: C is a bit overkill and hard to quickly hack in.
  • satori.py is extremely buggy and hard to use (albeit the ideas behind the code are awesome)
  • The actual statistics behind TCP/IP fingerprinting are more important than the tool itself. Therefore it makes sense to rewrite it.

Demo

Live Demo & Blog Article

Example

Classifying my Android smartphone:

python tcp_fingerprint.py -i eth0 --classify

Loaded 716 fingerprints from the database
listening on interface eth0

1616184306: 73.153.184.210:48646 -> 167.99.241.135:443 [SYN]
{'avgScoreOsClass': {'Android': 'avg=5.78, N=36',
                     'Linux': 'avg=5.11, N=99',
                     'Windows': 'avg=2.66, N=365',
                     'iOS': 'avg=3.62, N=20',
                     'macOS': 'avg=3.65, N=189'},
 'bestNGuesses': [{'os': 'Android', 'score': '8.0/10'},
                  {'os': 'Android', 'score': '8.0/10'},
                  {'os': 'Android', 'score': '8.0/10'}]}
---------------------------------
1616184306: 167.99.241.135:443 -> 73.153.184.210:48646 [SYN+ACK]
---------------------------------

A iPhone (User-Agent: iPhone; CPU iPhone OS 14_4_1 like Mac OS X) visting my server. Based on the SYN fingerprint alone, it's not possible to discern whether it's an macOS device or iOS device. But the guess is accurate enough.

python tcp_fingerprint.py -i eth0 --classify

Loaded 716 fingerprints from the database
listening on interface eth0

---------------------------------
1616184541: 85.19.65.217:49988 -> 167.99.241.135:443 [SYN]
{'avgScoreOsClass': {'Android': 'avg=4.18, N=36',
                     'Linux': 'avg=3.31, N=99',
                     'Windows': 'avg=3.36, N=365',
                     'iOS': 'avg=6.95, N=20',
                     'macOS': 'avg=7.26, N=189'},
 'bestNGuesses': [{'os': 'macOS', 'score': '10.0/10'},
                  {'os': 'macOS', 'score': '10.0/10'},
                  {'os': 'macOS', 'score': '10.0/10'}]}
---------------------------------
1616184541: 167.99.241.135:443 -> 85.19.65.217:49988 [SYN+ACK]
---------------------------------

And a Windows 10 (Windows NT 10.0; Win64; x64) device visiting my server:

python tcp_fingerprint.py -i eth0 --classify

Loaded 716 fingerprints from the database
listening on interface eth0

---------------------------------
1616184750: 186.53.223.136:10047 -> 167.99.241.135:443 [SYN]
{'avgScoreOsClass': {'Android': 'avg=3.88, N=36',
                     'Linux': 'avg=4.85, N=99',
                     'Windows': 'avg=7.47, N=365',
                     'iOS': 'avg=4.03, N=20',
                     'macOS': 'avg=3.81, N=189'},
 'bestNGuesses': [{'os': 'Windows', 'score': '10.0/10'},
                  {'os': 'Windows', 'score': '10.0/10'},
                  {'os': 'Windows', 'score': '10.0/10'}]}
---------------------------------
1616184750: 167.99.241.135:443 -> 186.53.223.136:10047 [SYN+ACK]
---------------------------------

Installation & Usage

First clone the repo:

git clone https://github.com/NikolaiT/zardaxt

cd zardaxt

Setup with pipenv.

pipenv shell

pipenv install

And run it

python tcp_fingerprint.py -i eth0 --classify

Or run in the background on your server

py=/root/.local/share/virtualenvs/satori-v7E0JF0G/bin/python
nohup $py tcp_fingerprint.py -i eth0 --classify > fp.out 2> fp.err < /dev/null &

Theory

Several fields such as TCP Options or TCP Window Size or IP Fragment Flag depend heavily on the OS type and version.

Detecting operating systems by analyizing the first incoming SYN packet is surely no exact science, but it's better than nothing.

Some code and inspiration has been taken from: https://github.com/xnih/satori

However, the codebase of github.com/xnih/satori was quite frankly a huge mess (randomly failing code segments and capturing all Errors: Not good, no no no).

This project does not attempt to be exact, it should give some hints what might be the OS of the incoming TCP/IP stream.

What fields are used for TCP/IP fingerprinting?

Sources:

  1. Mostly Wikipedia TCP/IP fingerprinting article
  2. A lot of inspiration from Satori.py
  3. Another TCP/IP fingerprinting tool

Entropy from the IP header

  • IP.ttl (8 bits) - Initial time to live (TTL) value of the IP header. The TTL indicates how long a IP packet is allowed to circulate in the Internet. Each hop (such as a router) decrements the TTL field by one. The maximum TTL value is 255, the maximum value of a single octet (8 bits). A recommended initial value is 64, but some operating systems customize this value. Hence it's relevancy for TCP/IP fingerprinting.
  • IP.flags (3 bits) - Don't fragment (DF) and more fragments (MF) flags. In the flags field of the IPv4 header, there are three bits for control flags. The "don't fragment" (DF) bit plays a central role in Path Maximum Transmission Unit Discovery (PMTUD) because it determines whether or not a packet is allowed to be fragmented. Some OS set the DF flag in the IP header, others don't.

Entropy from the TCP header

  • TCP.data_offset (4 bits) - This is the size of the TCP header in 32-bit words with a minimum size of 5 words and a maximum size of 15 words. Therefore, the maximum TCP header size size is 60 bytes (with 40 bytes of options data). The TCP header size thus depends on how much options are present at the end of the header.
  • TCP.window_size (16 bits) - Initial window size. The idea is that different operating systems use a different initial window size in the initial TCP SYN packet.
  • TCP.flags (9 bits) - This header field contains 9 one-bit flags for TCP protocol controlling purposes. The initial SYN packet has mostly a flags value of 2 (which means that only the SYN flag is set). However, I have also observed flags values of 194 (2^1 + 2^6 + 2^7), which means that the SYN, ECE and CWR flags are set to one. If the SYN flag is set, ECE means that the client is ECN capable. Congestion window reduced (CWR) means that the sending host received a TCP segment with the ECE flag set and had responded in congestion control mechanism.
  • TCP.acknowledgment_number (32 bits) - If the ACK flag is set then the value of this field is the next sequence number that the sender of the ACK is expecting. Should be zero if the SYN flag is set on the very first packet.
  • TCP.sequence_number (32 bits) - If the SYN flag is set (1), then this is the initial sequence number. It is conjectured that different operating systems use different initial sequence numbers, but the initial sequence number is most likely randomly chosen. Therefore this field is most likely of no particular help regarding fingerprinting.
  • TCP.urgent_pointer (16 bits) - If the URG flag is set, then this 16-bit field is an offset from the sequence number indicating the last urgent data byte. It should be zero in initial SYN packets.
  • TCP.options (Variable 0-320 bits) - All TCP Options. The length of this field is determined by the data offset field. Contains a lot of information, but most importantly: The Maximum Segment Size (MSS), the Window scale value. Because the TCP options data is variable in size, it is the most important source of entropy to distinguish operating systems. The order of the TCP options is also taken into account.
Owner
Nikolai Tschacher
In love with programming and entrepreneurship. I earned a M. Sc. in CS from Humboldt University of Berlin. Interests: IT Security, Typescript/JS, Python, C.
Nikolai Tschacher
A pure python implementation of multicast DNS service discovery

python-zeroconf Documentation. This is fork of pyzeroconf, Multicast DNS Service Discovery for Python, originally by Paul Scott-Murphy (https://github

Jakub Stasiak 483 Dec 29, 2022
Transfer files to and from a Windows host via ICMP in restricted network environments.

ICMP-TransferTools ICMP-TransferTools is a set of scripts designed to move files to and from Windows hosts in restricted network environments. This is

icyguider 269 Dec 20, 2022
Securely and anonymously share files, host websites, and chat with friends using the Tor network

OnionShare OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor ne

OnionShare 5.4k Jan 01, 2023
A simple python script to send cute messages to my boyfriend.

Morning Messages A simple python script to send cute messages to my boyfriend. It gives him the weather and news currently. Installation git clone htt

Sabrina Medwinter 3 Oct 12, 2022
An advanced real time threat intelligence framework to identify threats and malicious web traffic on the basis of IP reputation and historical data.

ARTIF is a new advanced real time threat intelligence framework built that adds another abstraction layer on the top of MISP to identify threats and malicious web traffic on the basis of IP reputatio

CRED 225 Dec 31, 2022
Utility for converting IP Fabric webhooks into a Teams format.

IP Fabric Webhook Integration for Microsoft Teams and/or Slack Setup IP Fabric Setup Go to Settings Webhooks Add webhook Provide a name URL will b

Community Fabric 1 Jan 26, 2022
Anonymously Reverse shell over Tor Network using Hidden Services without portfortwarding

Anonymously Reverse shell over Tor Network using Hidden Services without portfortwarding Tor ağı ile Dark Web servislerini kullanarak anonim biçimde p

249 Dec 29, 2022
The World Most Fastest Proxy Checker In Python, Maybe?!

The World's Most Fastest Proxy Checker In Python, Maybe?! Features Based on Python 3.7+ Save Valid Porixes into the custom file Multi-Thread Fully Asy

Cyber 4 Feb 10, 2022
Terminal based chat - networking project with sockets in python

Terminal based chat - networking project with sockets in python

2 Jan 24, 2022
🌐 Tools for Networking

🌐 Network Tools Tools for Networking This repository contains the tools needed to make networking easier. Make sure to download all of the requiremen

Tornaido 1 Jan 15, 2022
Una simple herramienta para rastrear IP programada en Python

Spyrod-v2 Una simple herramienta para rastrear IP programada en Python Instalacion apt install git -y cd $HOME git clone https://github.com/Euronymou5

15 Dec 08, 2022
CSP-style concurrency for Python

aiochan Aiochan is a library written to bring the wonderful idiom of CSP-style concurrency to python. The implementation is based on the battle-tested

Ziyang Hu 127 Dec 23, 2022
Use Fast Redirect to easily redirect your domains.

Fast Redirect Use Fast Redirect to easily redirect your domains. Fast Redirects expects a JSON 'database'. This JSON 'database' contains the domains t

Cyberfusion 1 Dec 20, 2021
Juniper SNMP Migrations For Python

Juniper SNMP Migrations This example will show how to use the PyEZ plugin for Nornir to build a NETCONF connection to a remote device validate that SN

Calvin Remsburg 1 Jan 07, 2022
A Python module that allows you to create and use simple sockets.

EasySockets A Python module that allows you to create and use simple sockets. Installation The easysockets module can be installed using pip. pip inst

Matthias Wijnsma 2 Jan 16, 2022
A repo with study material, exercises, examples, etc for Devnet SPAUTO

MPLS in the SDN Era -- DevNet SPAUTO All of the study notes have now been moved to use auto-generated documentation to build a static site with Githu

Hugo Tinoco 67 Nov 16, 2022
RabbitMQ asynchronous connector library for Python with built in RPC support

About RabbitMQ connector library for Python that is fully integrated with the aio-pika framework. Introduction BunnyStorm is here to simplify working

22 Sep 11, 2022
Nyx-Net: Network Fuzzing with Incremental Snapshots

Nyx-Net: Network Fuzzing with Incremental Snapshots Nyx-Net is fast full-VM snapshot fuzzer for complex network based targets. It's built upon kAFL, R

Chair for Sys­tems Se­cu­ri­ty 146 Dec 16, 2022
Linux SBC featuring two wifi radios, masquerading as a USB charger.

The WiFiWart is an open source WiFi penetration device masquerading as a regular wall charger. It features a 1.2Ghz Cortex A7 MPU with two WiFi chips onboard.

Walker 151 Dec 26, 2022
Converts from PC formatted MAC addresses (hardware addresses) to Cisco format or vice-versa

MAC-Converter Converts from PC formatted MAC addresses (hardware addresses) to Cisco format or vice-versa Stores the results to a file in the same dir

Stew Alexander 0 Dec 24, 2022