Tuesday, October 14, 2025

TCP/IP Fingerprinting

Passive OS detection using TCP/IP protocol fingerprinting techniques. OS detection is the starting step for any cyber security service, and it can be done either by passive fingerprinting or by active fingerprinting. There are built-in tools like Nmap, Zenmap, Ettercap and p0f in Kali Linux which can be used to detect the OS and gather much more information about the system. In this project we have implemented only the passive OS fingerprinting technique.

TCP/IP stack signature methodology: from the SYN packet alone, we can reliably identify the client OS (Linux, Android, iOS, or Windows) based on TCP/IP header fields and option patterns. We have developed Python code with an AI component that analyzes SYN packets from .pcap files or live captures to identify the client operating system and device type based on trained TCP/IP fingerprint models. By examining key fields such as TTL, window size, TCP options (MSS, WS, SACK, TSopt), and option ordering, the script passively predicts the OS with high accuracy. While tools like Wireshark, p0f, Satori, Ettercap, and Nmap also support fingerprinting, our approach simplifies OS detection using a reference table of SYN signatures, making it easy to visually identify whether a client is running Windows, Linux, Android, or another system just by inspecting TCP/IP stack patterns.

What Are TCP Options?

TCP Options extend the capabilities of the protocol—allowing for fine-tuned performance, congestion control, and timestamping.

They appear primarily in SYN and SYN-ACK packets, where both peers exchange their TCP stack capabilities.

Common TCP Options

| Option Name                | Kind | Description                                        | Example Value         |
|----------------------------|------|----------------------------------------------------|-----------------------|
| MSS (Maximum Segment Size) | 2    | Max data per TCP segment (based on MTU - 40)       | 1460                  |
| Window Scale (WS)          | 3    | Multiplies TCP window size for high-speed networks | 7 (×128)              |
| SACK Permitted             | 4    | Enables Selective Acknowledgment                   | N/A                   |
| Timestamp (TSval/TSecr)    | 8    | Measures RTT, detects packet reordering            | TSval=123456, TSecr=0 |
| NOP (No Operation)         | 1    | Padding between options for alignment              |                       |
| End of Options List (EOL)  | 0    | Marks the end of TCP options                       |                       |

TCP Options in Action: The SYN Packet

When a TCP connection is established, the SYN packet carries TCP options that announce the sender’s capabilities.

Example (Wireshark-style):

Notes on option ordering & fingerprinting

·       The order of options (e.g., MSS,SACK,TS,WS) and precise values (MSS, WS shift, TS presence) are signature features — different OSes often send different orders and defaults (useful for passive fingerprinting).

·       The order of TCP options is the most reliable fingerprint attribute — OS TCP stacks almost never change their default order.

·       Default TTL, Window Size, and WS value combinations further narrow the match.

·       Combining these yields high-confidence passive OS identification even from a single SYN.
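As an added example (not the post's own script), the following Python code walks the option area of a raw IPv4/TCP SYN in wire order, pulls out the fields the notes above name (TTL, window, MSS, WS shift, SACK and timestamp presence, option order), and renders them as a TTL:Window:WS:MSS:SACK:TS string. The packet bytes are constructed here to mimic the Linux-style order (MSS, SACK, TS, WS with one NOP pad) described above; no real capture is involved.

```python
import struct

# TCP option kinds (RFC 793 / RFC 7323 / RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WS, OPT_SACK_PERM, OPT_TS = 0, 1, 2, 3, 4, 8
OPT_NAMES = {OPT_EOL: "EOL", OPT_NOP: "NOP", OPT_MSS: "MSS", OPT_WS: "WS",
             OPT_SACK_PERM: "SACK", OPT_TS: "TS"}


def parse_tcp_options(raw):
    """Return (name, value) pairs in wire order. EOL and NOP are single-byte
    kinds with no length field; every other option is kind/length/value."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            opts.append(("EOL", None))
            break                      # nothing after EOL is an option
        if kind == OPT_NOP:
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length %d for kind %d" % (length, kind))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            value = struct.unpack("!H", body)[0]
        elif kind == OPT_WS and length == 3:
            value = body[0]            # shift count, window is scaled by 2**value
        elif kind == OPT_TS and length == 10:
            value = struct.unpack("!II", body)   # (TSval, TSecr)
        elif kind == OPT_SACK_PERM and length == 2:
            value = True
        else:
            value = body.hex()         # unknown or malformed: keep raw bytes
        opts.append((OPT_NAMES.get(kind, "K%d" % kind), value))
        i += length
    return opts


def syn_fields(packet):
    """Extract the fields a passive fingerprinter keys on from a raw IPv4+TCP SYN."""
    ihl = (packet[0] & 0x0F) * 4
    ttl = packet[8]
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    flags = tcp[13]
    if not (flags & 0x02) or (flags & 0x10):
        raise ValueError("not a pure SYN (SYN set, ACK clear)")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = parse_tcp_options(tcp[20:data_offset])
    by_kind = dict((name, value) for name, value in opts if value is not None)
    return {
        "ttl": ttl,
        "window": window,
        "mss": by_kind.get("MSS"),
        "ws": by_kind.get("WS"),
        "sack": "SACK" in by_kind,
        "ts": "TS" in by_kind,
        "order": ",".join(name for name, _ in opts),   # padding kept: it is part of the signature
    }


def fingerprint(fields):
    """Render TTL:Window:WS:MSS:SACK:TS as used in the comparison table."""
    return "%d:%d:%s:%s:%d:%d" % (
        fields["ttl"], fields["window"],
        fields["ws"] if fields["ws"] is not None else "-",
        fields["mss"] if fields["mss"] is not None else "-",
        int(fields["sack"]), int(fields["ts"]))


def build_sample_syn():
    """Constructed sample (not captured traffic): TTL 64, window 29200,
    options MSS 1460, SACK permitted, TS, NOP, WS 7. IP/TCP checksums are left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 50000, 443, 1, 0, 10 << 4, 0x02, 29200, 0, 0)
    opts = (struct.pack("!BBH", 2, 4, 1460) + bytes([4, 2])
            + struct.pack("!BBII", 8, 10, 123456, 0) + bytes([1]) + bytes([3, 3, 7]))
    return ip + tcp + opts


if __name__ == "__main__":
    f = syn_fields(build_sample_syn())
    print(f["order"], fingerprint(f))
```

The option order string keeps NOP and EOL in place on purpose: where a stack puts its padding is itself part of the signature, so a matcher can decide separately whether to compare with or without it.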

Where TCP Options Appear

| Packet Type   | Are TCP Options Present? | Typical Options Seen                              |
|---------------|--------------------------|---------------------------------------------------|
| SYN           | Yes (almost always)      | MSS, SACK Permitted, Timestamp, Window Scale, NOP |
| SYN-ACK       | Yes                      | MSS, SACK Permitted, Timestamp, Window Scale, NOP |
| ACK (non-SYN) | Sometimes (rare)         | Timestamp (TSval/TSecr), SACK Blocks              |
| Data Packets  | Sometimes                | Timestamp, SACK                                   |
| FIN / RST     | Usually No               | (TCP options rarely used here)                    |

SYN and SYN-ACK packets

·       These are part of the TCP three-way handshake.

·       This is where both peers negotiate capabilities — MSS, Window Scale, SACK, Timestamp support, etc.

·       So most TCP options appear only here and are remembered for later use in the connection.

After the handshake

·       Only certain options continue to appear in subsequent packets:

o   Timestamps (TSval, TSecr) → appear in every data/ACK packet if negotiated.

o   SACK blocks → appear in ACKs only when selective ACKs are used to report missing segments.

·       Other options (like MSS, WS) do not reappear after the handshake — they were already negotiated.

FIN, RST packets

·       These packets usually have no options, because they only signal connection termination.

TCP Fingerprints vs TCP Options

| Concept         | What it is                                                                                                                         | Relationship                                                              |
|-----------------|------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|
| TCP Options     | Extra metadata added in the TCP header (beyond the standard 20 bytes) to provide extended capabilities like scaling, timestamps, MSS, etc. | These are fields within TCP packets, particularly in the SYN phase.       |
| TCP Fingerprint | A pattern or signature derived from how a specific OS or device sets its TCP header fields and TCP options.                       | TCP fingerprints are built from analyzing TCP options and other header fields. |

So — TCP options are the raw data. TCP fingerprint is the unique pattern you extract from them.

TCP/IP Fingerprinting — The OS Signature

Each operating system implements TCP differently:

·       Linux may set MSS=1460, WS=7, SACK=Permitted, TS=Enabled

·       Windows might set MSS=1460, WS=8, TS=Enabled, SACK=Permitted, NOP padding

·       Android and iOS use slightly different timestamp increments and window scaling.

By analyzing:

·       TTL value

·       Initial window size

·       TCP option ordering

·       TCP timestamp increments

·       SYN packet size and alignment

We can create a unique TCP/IP fingerprint.

Example Comparison

| OS         | TTL | Window Size | WS | MSS  | SACK | TS  | Option Order                | Typical Fingerprint  |
|------------|-----|-------------|----|------|------|-----|-----------------------------|----------------------|
| Windows 10 | 128 | 64240       | 8  | 1460 | Yes  | Yes | MSS, WS, SACK, TS, NOP, EOL | 128:64240:8:1460:1:1 |
| Linux 5.x  | 64  | 29200       | 7  | 1460 | Yes  | Yes | MSS, SACK, TS, WS, EOL      | 64:29200:7:1460:1:1  |
| Android 13 | 64  | 65535       | 6  | 1460 | Yes  | Yes | MSS, WS, SACK, TS           | 64:65535:6:1460:1:1  |
| iOS 17     | 64  | 65535       | 7  | 1460 | Yes  | Yes | MSS, WS, TS, SACK           | 64:65535:7:1460:1:1  |

The fingerprint string is written as TTL:Window:WS:MSS:SACK:TS, with 1 meaning the option is present.

Even if two devices share the same user-agent (e.g., both Chrome browsers), their TCP/IP stacks often differ—allowing passive OS detection without packet payloads.

AI-Powered Fingerprint Analysis

We’ve developed a Python-based AI model that:

• Parses SYN packets from .pcap or live network capture
• Extracts TCP header fields and options
• Compares against a trained reference table of known fingerprints
• Predicts OS and device type (Linux, Android, iOS, Windows, etc.)

This approach blends traditional fingerprint tables with machine learning, improving reliability even when middleboxes (e.g., NAT or proxies) modify packets slightly.
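As an added example (not the project's trained model or code), here is a small rule-based matcher against the rows of the "Example Comparison" table above. It shows the middlebox handling the paragraph above refers to: the observed TTL is rounded up to the nearest common initial TTL (32/64/128/255) so router and NAT hop decrements do not break the match, NOP/EOL padding is ignored when comparing option order, and option order carries the most weight as the notes earlier in the post suggest. The weights, the minimum score, and the sample observations are assumptions constructed for this example; the reference rows are copied from the table.

```python
# Reference rows copied from the post's "Example Comparison" table:
# (OS, initial TTL, window size, WS shift, MSS, option order).
REFERENCE = [
    ("Windows 10", 128, 64240, 8, 1460, "MSS,WS,SACK,TS,NOP,EOL"),
    ("Linux 5.x",   64, 29200, 7, 1460, "MSS,SACK,TS,WS,EOL"),
    ("Android 13",  64, 65535, 6, 1460, "MSS,WS,SACK,TS"),
    ("iOS 17",      64, 65535, 7, 1460, "MSS,WS,TS,SACK"),
]

# Initial TTLs that common stacks start from; routers and NAT only ever decrement.
INITIAL_TTLS = (32, 64, 128, 255)

# Hand-set weights (an assumption for this example, not the project's trained model):
# option order is the strongest signal, exact window size and MSS the weakest.
W_ORDER, W_TTL, W_WS, W_WINDOW, W_MSS = 4, 2, 2, 1, 1


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial TTL.
    Returns (initial_ttl, estimated_hops), so a NATed client 13 hops away
    with TTL 115 still matches a 128-TTL stack."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate, candidate - observed
    return observed, 0


def strip_padding(order):
    """Drop NOP/EOL so alignment padding does not affect the order comparison."""
    return [o for o in order.split(",") if o not in ("NOP", "EOL")]


def score(observed, ref):
    """Weighted agreement between one observed SYN and one reference row."""
    _name, ttl, window, ws, mss, order = ref
    s = 0
    if strip_padding(observed["order"]) == strip_padding(order):
        s += W_ORDER
    if initial_ttl(observed["ttl"])[0] == ttl:
        s += W_TTL
    if observed["ws"] == ws:
        s += W_WS
    if observed["window"] == window:
        s += W_WINDOW
    if observed["mss"] == mss:   # MSS is often clamped by tunnels, so it gets low weight
        s += W_MSS
    return s


def classify(observed, min_score=5):
    """Return (os_name, score): 'unknown' below min_score, 'ambiguous' on a tie."""
    ranked = sorted(((score(observed, r), r[0]) for r in REFERENCE),
                    key=lambda x: x[0], reverse=True)
    best_score, best_name = ranked[0]
    if best_score < min_score:
        return "unknown", best_score
    if len(ranked) > 1 and ranked[1][0] == best_score:
        return "ambiguous", best_score
    return best_name, best_score


# Constructed observations (not captured traffic), holding the values the post
# lists: TTL, window, WS shift, MSS and the option order as seen on the wire.
SAMPLES = {
    "windows_behind_nat": {"ttl": 115, "window": 64240, "ws": 8, "mss": 1460,
                           "order": "MSS,WS,SACK,TS,NOP,EOL"},
    "ios_over_tunnel":    {"ttl": 52, "window": 65535, "ws": 7, "mss": 1440,
                           "order": "MSS,WS,TS,SACK"},
    "legacy_stack":       {"ttl": 255, "window": 8192, "ws": None, "mss": 536,
                           "order": "MSS"},
}

if __name__ == "__main__":
    for label, obs in SAMPLES.items():
        print("%-20s -> %s (score %d)" % ((label,) + classify(obs)))
```

Note how the first sample scores 10 for Windows 10 but also 5 for Android 13, because both rows list the same option order once padding is removed: the TTL and WS fields are what separate them, which is why the post recommends combining several attributes rather than relying on order alone.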

Why TCP Fingerprinting Matters

• TCP options define how a host communicates: MSS, WS, TS, and SACK are key indicators.
• TCP/IP fingerprinting uses these patterns to identify OS and device types without active probing.
• AI-driven analysis enhances reliability across NATed or proxied environments.
• Together, they form a powerful passive detection tool for network forensics, analytics, and security monitoring.

| Use Case                 | Benefit                                   |
|--------------------------|-------------------------------------------|
| Network Security         | Identify unauthorized or spoofed clients  |
| Threat Intelligence      | Profile botnets and IoT devices           |
| Incident Response        | Match attack patterns to OS fingerprints  |
| Performance Optimization | Tune congestion control per OS behavior   |
| Passive Analytics        | Detect device diversity in large networks |

 TCP/IP Stack Fingerprint — SYN Packet Option Comparison
