Hershel: Single-Packet OS Fingerprinting

Shamsi, Zain; Nandwani, Ankur; Leonard, Derek; Loguinov, Dmitri

doi:10.1109/tnet.2015.2447492

Cited by 30 publications

(60 citation statements)

References 23 publications

(31 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Among Internet-wide studies, this is the largest population to be fingerprinted (i.e., 66M IPs), using the most extensive database (i.e., 420 signatures), and the first such attempt with an automatically generated D. Compared to the scan six years ago [25], we find that the number of Linux and embedded devices has almost doubled, while that of Windows has remained stable. We compare some of our results with those of Nmap and discover a major flaw in the operation of the latter that surfaces in scenarios with non-ideal network conditions (e.g., firewalls).…”

Section: A Motivation and Contributionsmentioning

confidence: 84%

“…This makes comparison between different approaches (e.g., Nmap [21], Snacktime [3], Hershel [25], p0f [34]) fairly complicated, especially if they utilize incompatible sets of features, databases, or assumptions on feature determinism. For example, consider method M 1 with n signatures and M 2 with m n. It may appear that M 1 is more powerful because its D is bigger; however, its classification accuracy may be lower due to the larger number of options to choose from and/or less reliable decision-making.…”

Section: A Motivation and Contributionsmentioning

confidence: 99%

“…We apply these concepts to Hershel [25], which is a classifier that, unlike all previous tools in active stack fingerprinting, allows random OS behavior and provides probabilities, rather than heuristic weights, for the match across any pair of samples. We focus on its temporal network features (i.e., delay jitter) since they are highly volatile and fairly well-understood, but difficult to separate using manual analysis.…”

Section: A Motivation and Contributionsmentioning

confidence: 99%

“…One option is use the clock drift in the kernel, which can be derived from observing the timestamp option in streams of reply packets [13] or variation in timer frequency [6]. Another option is to monitor retransmission timeouts (RTOs) of SYN-ACKs for half-open connections, where the methods include Snacktime [3], RING [30], IRLsnack [14], and Hershel [25]. The last classifier uses a stochastic model that takes into account packet loss, delay jitter, and random header-field modifications by end-users, some of which we review below.…”

Section: A Remote Os Classificationmentioning

confidence: 99%

See 3 more Smart Citations

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Shamsi

Loguinov

2017

IEEE/ACM Trans. Networking

Self Cite

View full text Add to dashboard Cite

Maintaining and updating signature databases are tedious tasks that normally require a large amount of user effort. The problem becomes harder when features can be distorted by observation noise, which we call volatility. To address this issue, we propose algorithms and models to automatically generate signatures in the presence of noise, with a focus on single-probe stack fingerprinting, which is a research area that aims to discover the operating system of remote hosts using their response to a TCP SYN packet. Armed with this framework, we construct a database with 420 network stacks, label the signatures, develop a robust classifier for this database, and fingerprint 66M visible webservers on the Internet. We compare the obtained results against Nmap and discover interesting limitations of its classification process that prevent correct operation when its auxiliary probes (e.g., TCP rainbow, TCP ACK, and UDP to a closed port) are blocked by firewalls.Index Terms-OS fingerprinting, internet measurement.

show abstract

Section: A Motivation and Contributionsmentioning

confidence: 84%

Section: A Motivation and Contributionsmentioning

confidence: 99%

Section: A Motivation and Contributionsmentioning

confidence: 99%

Section: A Remote Os Classificationmentioning

confidence: 99%

See 2 more Smart Citations

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Shamsi

Loguinov

2017

IEEE/ACM Trans. Networking

Self Cite

View full text Add to dashboard Cite

show abstract

“…In a recent paper, Shamsi et al [5] proposed a single packet OS fingerprinting. As mentioned in their work, the current fingerprinting tools like NMAP are not well suited in the Internet environment due to large amount of traffic generated, and the intrusive nature of the probes.…”

Section: Network and Host Fingerprinting: An Attacker Perspectivementioning

confidence: 99%

SDMw: Secure Dynamic Middleware for Defeating Port and OS Scanning

2017

View full text Add to dashboard Cite

Abstract:Fingerprinting is a process of identifying the remote network devices and services running on the devices, including operating systems (OS) of the devices, and hosts running different OSs. Several research proposals and commercial products are available in the market to defeat fingerprinting. However, they have performance limitations and expose themselves to attackers. In this paper, we utilize some real-time fault-tolerance concepts (viz. real-time/dynamic, detection/locating, confinement/localizing and masking/decoy) to propose a plug-and-play adaptive middleware architecture called Secure Dynamic Middleware (SDMw) with a view to defeat attackers fingerprinting the network, without exposing itself to the attackers. We verify that the proposed scheme works seamlessly and requires zero-configuration at the client side.

show abstract

ShoVAT: Shodan‐based vulnerability assessment tool for Internet‐facing services

Genge

Enăchescu

2015

Security Comm Networks

View full text Add to dashboard Cite

Shodan has been acknowledged as one of the most popular search engines available today, designed to crawl the Internet and to index discovered services. This paper expands the features exposed by Shodan with advanced vulnerability assessment capabilities embedded into a novel tool called Shodan‐based vulnerability assessment tool (ShoVAT). ShoVAT takes the output of traditional Shodan queries and performs an in‐depth analysis of service‐specific data, that is, service banners. It embodies specially crafted algorithms which rely on novel in‐memory data structures to automatically reconstruct Common Platform Enumeration names and to proficiently extract vulnerabilities from National Vulnerability Database. Compared with the state of the art, ShoVAT brings several novel and significant contributions because it encompasses automated vulnerability identification techniques, it can return highly accurate results with customized and even purposefully modified service banners, and it supports historical service vulnerability analysis without the need to deploy additional monitoring infrastructures. The experiments performed on 1501 services in 12 different institutions across different sectors revealed high accuracy of results and a total of 3922 known vulnerabilities. Copyright © 2015 John Wiley & Sons, Ltd.

show abstract

Hershel: Single-Packet OS Fingerprinting

Cited by 30 publications

References 23 publications

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting

SDMw: Secure Dynamic Middleware for Defeating Port and OS Scanning

ShoVAT: Shodan‐based vulnerability assessment tool for Internet‐facing services

Contact Info

Product

Resources

About