The latest version of SinFP3 (v1.20, as of this writing) introduces two new features. The first is the ability to perform a SYN scan and OS fingerprinting at the same time: the SYN|ACK answers received during the SYN scan are used to identify the remote operating system. The second is a server mode that allows third-party applications to access the SinFP3 fingerprinting engine. We also created a new output plugin that displays results in a simpler manner than previous versions of SinFP3.
One packet OS fingerprinting
If you haven't installed SinFP3 yet, you can follow these guides:
Then, try to identify your target's classic TOP10 open ports as follows. The -synscan-fingerprint argument gives access to the new feature, and the new default output plugin is the simple one:
# sinfp3.pl -synscan-fingerprint -target openbsd.org -port top10 -best-score
[+] [J:0] Loaded Input: Net::SinFP3::Input::SynScan
[+] [J:0] Loaded DB: Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode: Net::SinFP3::Mode::Active
[+] [J:0] Loaded Search: Net::SinFP3::Search::Active
[+] [J:0] Loaded Output: Net::SinFP3::Output::Simple
[+] [J:0] Starting of Input [Net::SinFP3::Input::SynScan]
[+] [J:1] Starting of job with Next [199.185.137.3]:25 flags: 0x12
[+] [J:2] Starting of job with Next [199.185.137.3]:80 flags: 0x12
[199.185.137.3 ]:80 reverse: unknown [ 94%: OpenBSD 4.x]
[199.185.137.3 ]:80 reverse: unknown [ 94%: OpenBSD 3.x]
[199.185.137.3 ]:25 reverse: unknown [100%: OpenBSD 4.x]
[199.185.137.3 ]:25 reverse: unknown [100%: OpenBSD 3.x]
You can see that two open ports have been found, and the detected operating system (reported per open port) appears to be OpenBSD 3.x or 4.x.
You can still get the more verbose output by launching the fingerprinting process in full mode (2 packets for Internet fingerprinting, with the -active-2 parameter) and displaying results with the console output plugin (the -output-console parameter):
# sinfp3.pl -active-2 -target openbsd.org -port top10 -best-score -output-console
[+] [J:0] Loaded Input: Net::SinFP3::Input::SynScan
[+] [J:0] Loaded DB: Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode: Net::SinFP3::Mode::Active
[+] [J:0] Loaded Search: Net::SinFP3::Search::Active
[+] [J:0] Loaded Output: Net::SinFP3::Output::Console
[+] [J:0] Starting of Input [Net::SinFP3::Input::SynScan]
[+] [J:1] Starting of job with Next [199.185.137.3]:25 hostname[openbsd.org] \
    reverse[unknown] mac[00:24:d4:ae:f4:3c]
[+] [J:2] Starting of job with Next [199.185.137.3]:80 hostname[openbsd.org] \
    reverse[unknown] mac[00:24:d4:ae:f4:3c]
Result for target [199.185.137.3]:80:
S1: B11113 F0x12 W16384 O0204ffff M1460 S0 L4
S2: B11113 F0x12 W16384 O0204ffff01010402010303ff0101080affffffff44454144 M1460 S3 L24
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.3
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.5
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.8
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.6
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.0
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.6
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.8
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.5
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.2
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.7
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.9
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 3.7
IPv4: [score:94]: BH0FH0WH0OH0MH0SH1LH0/S1S2: BSD: OSS: OpenBSD: 4.4
Result for target [199.185.137.3]:25:
S1: B11113 F0x12 W16384 O0204ffff M1460 S0 L4
S2: B11113 F0x12 W16384 O0204ffff01010402010303ff0101080affffffff44454144 M1460 S0 L24
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.3
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.5
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.8
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.6
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.0
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.6
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.8
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.5
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.2
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.7
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.9
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 3.7
IPv4: [score:100]: BH0FH0WH0OH0MH0SH0LH0/S1S2: BSD: OSS: OpenBSD: 4.4
SinFP3 API access with the SinFP3 network protocol
The second feature gives access to a SinFP3 server. The idea is to launch SinFP3 in daemon mode and use a client/server communication protocol to ask the fingerprinting engine to perform actions. This protocol is described in an RFC, available here.
You can implement this protocol in any language, which lets you use the fingerprinting engine from whatever language you prefer. For now, a Perl implementation of the communication protocol exists: Net::Frame::Layer::SinFP3.
Here is how to launch the SinFP3 server:
% sinfp3.pl -input-server -output-client -passive -best-score
[+] [J:0] Loaded Input: Net::SinFP3::Input::Server
[+] [J:0] Loaded DB: Net::SinFP3::DB::SinFP3
[+] [J:0] Loaded Mode: Net::SinFP3::Mode::Passive
[+] [J:0] Loaded Search: Net::SinFP3::Search::Passive
[+] [J:0] Loaded Output: Net::SinFP3::Output::Client
[+] [J:0] Starting of Input [Net::SinFP3::Input::Server]
The server is now listening on localhost, port 32000/TCP. An example client application is available in the examples/ directory of the Net::SinFP3 distribution. For now, only the passive mode is implemented in the server. If there is some interest from the community, we will enhance it to give access to the active mode.
The example below crafts a client request embedding a TCP SYN packet in raw format (sent by the sinfp3-request-passive-netcat.pl script). It is sent to the SinFP3 server, which is configured in passive mode. The reply is then decoded by the sinfp3-decode-netcat.pl script and printed on standard output.
% perl examples/sinfp3-request-passive-netcat.pl | nc localhost 32000 | \
    perl examples/sinfp3-decode-netcat.pl
SinFP3: version:1 type:0x04 flags:0x0270
SinFP3: code:0x01 tlvCount:4 length:88
SinFP3::Tlv: type:0x24 length:7 value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25 length:3 value:372e34 [7.4]
SinFP3::Tlv: type:0x26 length:3 value:372e78 [7.x]
SinFP3::Tlv: type:0x29 length:1 value:64 [100%]
SinFP3::Tlv: type:0x24 length:7 value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25 length:3 value:372e33 [7.3]
SinFP3::Tlv: type:0x26 length:3 value:372e78 [7.x]
SinFP3::Tlv: type:0x29 length:1 value:64 [100%]
SinFP3::Tlv: type:0x24 length:7 value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25 length:3 value:382e33 [8.3]
SinFP3::Tlv: type:0x26 length:3 value:382e78 [8.x]
SinFP3::Tlv: type:0x29 length:1 value:64 [100%]
SinFP3::Tlv: type:0x24 length:7 value:46726565425344 [FreeBSD]
SinFP3::Tlv: type:0x25 length:3 value:382e32 [8.2]
SinFP3::Tlv: type:0x26 length:3 value:382e78 [8.x]
SinFP3::Tlv: type:0x29 length:1 value:64 [100%]
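To show how a third-party client would consume the reply above, here is an added Python decoder for its TLV part (example code written for this post, not part of the Net::SinFP3 distribution). It assumes each TLV is a 1-byte type, a 1-byte length and the value bytes, with types 0x24, 0x25, 0x26 and 0x29 carrying the OS name, version, version family and score; with those widths the 16 TLVs above add up to the 88 bytes reported by the header.

```python
from dataclasses import dataclass

# TLV types seen in the decoded reply above (assumed 1-byte type, 1-byte length).
TLV_OS, TLV_VERSION, TLV_FAMILY, TLV_SCORE = 0x24, 0x25, 0x26, 0x29

@dataclass
class Result:
    os: str = ""
    version: str = ""
    family: str = ""
    score: int = 0

def parse_tlvs(payload: bytes):
    """Yield (type, value) pairs; raise ValueError on a truncated TLV."""
    off = 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated TLV header at offset %d" % off)
        t, n = payload[off], payload[off + 1]
        value = payload[off + 2:off + 2 + n]
        if len(value) != n:
            raise ValueError("truncated value for TLV 0x%02x at offset %d" % (t, off))
        yield t, value
        off += 2 + n

def decode_results(payload: bytes):
    """Group TLVs into Result records: a record starts at each OS (0x24) TLV.
    Unknown TLV types are skipped so a newer server does not break the client."""
    results = []
    for t, value in parse_tlvs(payload):
        if t == TLV_OS:
            results.append(Result(os=value.decode("ascii")))
        elif not results:
            raise ValueError("TLV 0x%02x before any OS TLV" % t)
        elif t == TLV_VERSION:
            results[-1].version = value.decode("ascii")
        elif t == TLV_FAMILY:
            results[-1].family = value.decode("ascii")
        elif t == TLV_SCORE:
            results[-1].score = value[0]  # 0x64 -> 100 (percent)
    return results

def encode_tlv(t: int, value: bytes) -> bytes:
    """Build one TLV (bytes() rejects a length above 255); used for the sample."""
    return bytes([t, len(value)]) + value

# Constructed sample: the first two results of the reply shown above (44 bytes).
SAMPLE = b"".join(encode_tlv(TLV_OS, b"FreeBSD") + encode_tlv(TLV_VERSION, v)
                  + encode_tlv(TLV_FAMILY, b"7.x") + encode_tlv(TLV_SCORE, b"\x64")
                  for v in (b"7.4", b"7.3"))
```

Running decode_results(SAMPLE) yields two FreeBSD records (7.4 and 7.3, family 7.x, score 100), and feeding it a reply cut short raises ValueError instead of returning a partial result.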
On the server, a new job has been processed:
[+] [J:1] Starting of job with Next [127.0.0.1]:37125
That's all for today, folks. Feel free to follow @metabrik for updates, or subscribe to the SinFP mailing list:
Full list of changes for v1.20
1.20 Sun Nov 25 14:44:37 CET 2012
- NEW: Input::Server: runs as a daemon to answer requests coming from clients. They must speak the SinFP3 protocol.
- NEW: Output::Simple: now default mode instead of Output::Console
- NEW: Input::SynScan: can be used to fingerprint target by just using the SYN|ACK response to our SYN (one packet fingerprinting \o/)
- UPDATE: verbose mode 1 is now default. Many updates on log messages levels.
- NEW: sinfp3.pl: -synscan-fingerprint argument
- new: sinfp3.pl: -version prints Perl modules version
- new: sinfp3.pl: -quiet to set verbose level 0
- new: sinfp3.pl: -passive to set to Mode::Passive and Search::Passive plugins
- new: integration of p0f-3.06b passive signatures into sinfp3.db
- update: Input::Sniff: must use Net::Frame::Dump 1.12 now
- bugfix: on -dns-reverse, moved to Search modules, when generating Results
- bugfix: Search::Passive: sets ip and port attributes for Results
- bugfix: Global: when -port argument has an invalid format
- bugfix: sinfp3.pl: usage help