‘Host Fingerprinting and Firewalking With hping’


The purpose of the paper presented here, is to discuss some techniques that can be effectively used in remote host fingerprinting. The paper will specially cover the cases where network hosts are behind firewalls.


‘The information has been provided by naveed.
The original article can be found at: http://bsdpakistan.org/downloads/HostFingerprinting.pdf


Remote host fingerprinting is the process of identifying the opened service ports and operating system of a machine over the network. This is usually achieved by various kinds of active and passive scanning techniques, by sending several packets to the remote machine and reviewing the responses. The generally available tools including nmap do a fairly good job in scanning and guessing the remote operating system. Where a host is fire walled these tools do not help much, either producing ambiguous or incorrect results. This is especially true for machines which are heavily fire walled and only allow very small number of packets to be forwarded and replied. In those cases we require another methods to correctly determine the state of a remote machine. We will examine some alternative methods including RING scan and ICMP scans. The first section describes various port scanning techniques while the next section throws some light on OS fingerprinting.

Note: In this paper we will explain the techniques with various tools but the majority of the work is based on a simple and powerful utility named hping. This paper assumes that reader has a basic understanding of remote host fingerprinting and Transmission Control Protocol/Internet Protocol (TCP/IP). We will review both;
Service port fingerprinting and OS fingerprinting in certain fire walled environments and will try to analyze the methods in detail that brings us the advantages and disadvantages of some techniques. Familiarity with hping and nmap will be useful for understanding the methods.

Port Knocking:
We start with general port scanning techniques with certain tools including nmap and hping. We will discuss the common SYN, SYNACK scanning first and the behavior of various hosts upon reception of these TCP packets. Then we will see how the results may vary with the machines that are fire walled with those ones, which are not. Afterwards some advanced techniques will be discussed including the FIN scans and UDP scans on firewalled hosts.

Hping is described as one of the tools that can be effectively used for scanning, fingerprinting and firewall testing. Some of its powerful features include the ability to send custom crafted packets with several protocols and performing remote scanning. This is very handy for examining the response of various custom created packets.

Network Mapper (nmap) is a famous network-auditing tool that can be used for advanced port scanning and OS detection. It has a powerful set of features available including passive scanning and idle scanning, though it does not have the ability to send custom packets like hping.

Testing with half open scan (SYN):
The idea of half open scanning (also referred as SYN scanning) is simple. Without completing the TCP three way handshake, send an initial SYN packet and wait for the response, if the SYN ACK is received it means the remote port is opened, otherwise you will receive a packet with RST flag set that is an indication of closed port.

The full document can be founs at: http://bsdpakistan.org/downloads/HostFingerprinting.pdf

Categories: Reviews