Fingerprinting is a technique used by attackers to determine product and version information about operating systems and applications running on remote systems. The technique is called fingerprinting because each platform or version number for a software product generally has its own specific ways of responding to different requests that uniquely identify it, similar to the way fingerprints are unique to each person. Once an attacker has “fingerprinted” a remote host and determined what operating system and version it runs, the attacker can consult a database of known vulnerabilities for that platform and launch an attack.
Fingerprinting can be either active or passive. In active fingerprinting, the attacker sends different kinds of packets to the target system and observes the result. In passive fingerprinting, the attacker analyzes normal traffic generated by the target system, for example, by intercepting e-mail messages and analyzing the headers. Some of the methods used for active fingerprinting of systems include the following:
1. Sending valid requests to common ports (for example, Hypertext Transfer Protocol [HTTP] GET requests to port 80) and observing the result. Some Web servers respond to such requests by sending their product name and version number in the initial packets returned. This approach can also be used for other common protocols including File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and telnet.
2. Sending invalid data to common ports and observing the results. The error messages returned by services are often more system- and version-specific than normal responses to legitimate requests. One way of generating such data is to add special characters such as “~” or “*” to standard requests to try to exploit known vulnerabilities in certain applications and platforms. More complex methods involve creating invalid Internet Protocol (IP), Transmission Control Protocol (TCP), or Internet Control Message Protocol (ICMP) packets and analyzing how the target system responds to such packets.
3. Using a port scanner such as Nmap to identify which ports are open on the target system and compare the results with a database of such information for different platforms and versions.