Where Have All the Good Fingerprinters Gone?

OS fingerprinting has been a fundamental reconnaissance technique since the mid-1990s. Nmap, p0f, and xprobe2 all approach the problem differently, but they share a common challenge: the fingerprint databases are not keeping up with the operating systems they need to identify.

I spent last week testing the latest versions of all three tools against a lab network with 14 different operating systems. The results were disappointing.

The Testing Setup

The lab included Windows XP SP2, Windows Server 2003 R2, Windows Vista RTM and SP1, Red Hat Enterprise Linux 4 and 5, Ubuntu 6.06 and 7.10, Solaris 10, FreeBSD 6.2, OpenBSD 4.2, Mac OS X 10.4 and 10.5, and a Cisco IOS 12.4 device.

Results

Nmap correctly identified 9 of 14 systems (64 percent). It struggled with Windows Vista, misidentifying both the RTM and the SP1 install as Windows Server 2003.

p0f performed better on the Linux variants but failed on both Mac OS X versions, reporting them as FreeBSD, which is unsurprising given Mac OS X's BSD-derived TCP stack.

xprobe2 had the worst results, 5 of 14 correct (36 percent). The tool has not been updated since 2005 and its database does not include Vista at all.

The Core Problem

Operating system fingerprinting relies on databases of known TCP/IP stack behaviors: initial TTL, advertised window size, the order and values of TCP options, the don't-fragment bit, and how the stack answers malformed probes. These databases need continuous updates as new OS versions ship. Windows Vista introduced a rewritten TCP/IP stack with receive window auto-tuning, which changes the window sizes and option layout that fingerprinters key on; its initial TTL, on the other hand, is still 128, the same as XP and Server 2003, so TTL alone cannot tell them apart. Until a tool's database gains a Vista entry, a Vista host simply matches whichever existing Windows signature is nearest, which is exactly how it ends up reported as Server 2003.
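To make the matching step concrete, here is a toy passive fingerprinter, added as an example and not taken from this post or from Nmap, p0f or xprobe2. The signatures, the two observations and the scoring weights are constructed approximations for illustration only, not entries copied from any real database. It shows the rounding of an observed TTL back to an initial TTL, the weighted comparison of stack features, and the failure mode described above: with no Vista entry in the database, a Vista-like SYN-ACK matches Windows Server 2003 unless the matcher enforces a minimum score and reports the host as unknown.

```python
# Toy passive OS fingerprinter (added example; not code from the post or from
# any real fingerprinting tool). Signatures and observations below are
# constructed approximations for illustration, not real database entries.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Observed:
    ttl: int            # TTL as seen on the wire, i.e. after some number of hops
    window: int         # advertised TCP window in the SYN-ACK
    options: Tuple[str, ...]  # TCP option kinds in the order they appear
    df: bool            # IP don't-fragment bit set


@dataclass(frozen=True)
class Signature:
    name: str
    init_ttl: int
    window: Optional[int]     # None matches any window
    options: Tuple[str, ...]
    df: bool


# Constructed signature database (hypothetical values). Note there is no
# Vista entry, mirroring a database that has not been updated.
SIGNATURES = [
    Signature("Linux 2.6", 64, 5840, ("mss", "sackok", "ts", "nop", "ws"), True),
    Signature("Windows Server 2003", 128, 16384, ("mss", "nop", "nop", "sackok"), True),
    Signature("FreeBSD 6", 64, 65535, ("mss", "nop", "ws", "sackok", "ts"), True),
]

# Constructed observations: a Linux host 12 hops away, and a Vista-like host
# one hop away that uses window scaling and a different option layout.
LINUX_OBS = Observed(52, 5840, ("mss", "sackok", "ts", "nop", "ws"), True)
VISTA_LIKE_OBS = Observed(127, 8192, ("mss", "nop", "ws", "nop", "nop", "sackok"), True)


def infer_initial_ttl(ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial TTL."""
    for init in (32, 64, 128, 255):
        if ttl <= init:
            return init
    return 255


def hop_count(ttl: int) -> int:
    """Estimated number of routers between us and the host."""
    return infer_initial_ttl(ttl) - ttl


def score(obs: Observed, sig: Signature) -> float:
    """Weighted agreement between an observation and a signature, 0.0 to 1.0.
    Option layout counts double because it is the most stack-specific feature."""
    pts = 0.0
    if infer_initial_ttl(obs.ttl) == sig.init_ttl:
        pts += 1.0
    if sig.window is None or obs.window == sig.window:
        pts += 1.0
    if obs.options == sig.options:
        pts += 2.0
    if obs.df == sig.df:
        pts += 0.5
    return pts / 4.5


def fingerprint(obs: Observed, sigs=SIGNATURES, min_score: float = 0.9):
    """Return (verdict, nearest_signature, score).

    verdict is the nearest signature's name when its score reaches min_score,
    otherwise "unknown". Passing min_score=0.0 reproduces the naive behaviour
    of always reporting the nearest entry, stale database or not.
    """
    best = max(sigs, key=lambda s: score(obs, s))
    best_score = round(score(obs, best), 3)
    verdict = best.name if best_score >= min_score else "unknown"
    return verdict, best.name, best_score


if __name__ == "__main__":
    print("linux host:", fingerprint(LINUX_OBS), "hops:", hop_count(LINUX_OBS.ttl))
    print("vista-like, strict:", fingerprint(VISTA_LIKE_OBS))
    print("vista-like, naive: ", fingerprint(VISTA_LIKE_OBS, min_score=0.0))
```

The strict matcher reports the Vista-like host as unknown and names Windows Server 2003 only as the nearest entry, which is the right output to feed into a fingerprint-submission process; the naive matcher, like a tool whose database is missing the entry, confidently reports Server 2003.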

What We Need

The fingerprinting community needs a systematic approach to fingerprint submission and validation. I am working on a script that automates fingerprint capture from fresh OS installations.
