OSF

OSF is a passive OS fingerprinting module for iptables.

The passive OS fingerprinting netfilter module allows the remote OS to be detected passively and various netfilter actions to be taken based on that knowledge. The module compares data from packets with the SYN bit set (WS, MSS, options and their order, TTL, DF and others) against dynamically loaded OS fingerprints.

The userspace binary and library depend on the iptables devel package (namely, they need the xtables.h header).

Installation process.

  • Run “make”. That will build the xt_osf.ko kernel module.
    One can optionally provide KDIR= and IPTABLES= parameters with the paths to the appropriate headers.
  • Run “make lib”. That will build the libipt_osf.so shared library.
    You should copy it to where all other iptables shared libraries are placed in your distro.
    Fedora Core places them in /lib64/iptables or /lib/iptables.
    Debian places them in /lib/xtables.
  • Run “make bin”. That will build the userspace application that loads fingerprints.

RUN.

# insmod ./xt_osf.ko
# ./nfnl_osf -f ./pf.os
# iptables -I INPUT -j ACCEPT -p tcp -m osf --genre Linux --log 0 --ttl 2

To remove fingerprints:

# ./nfnl_osf -f ./pf.os -d

You will find something like this in syslog:

Windows [2000:SP3:Windows XP Pro SP1, 2000 SP3]: 11.22.33.55:4024 -> 11.22.33.44:139 hops=3
Linux [2.5-2.6:] : 1.2.3.4:42624 -> 1.2.3.5:22 hops=4

OSF has the following options:

• --log
  If present, OSF will log determined genres even if they don't match the desired one.
  0 – log all matched and unknown entries.
  1 – log only the first one.
  2 – log all matched entries.
• --ttl
  0 – exact comparison of the packet's IP TTL with the fingerprint TTL. Works for LAN.
  1 – check whether the packet's IP TTL is less than the fingerprint one. Works for global addresses.
  2 – do not compare TTL at all. Allows NMAP to be detected, but can produce false results.
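To make the SYN-versus-fingerprint comparison and the --ttl modes concrete, here is a small Python matcher written for this README; it is not the module's own C code nor the nfnl_osf loader. It assumes the pf.os line layout window:ttl:df:size:options:genre:version:subtype:details, reads --ttl 1 as "packet TTL at or below the fingerprint's initial TTL", and uses constructed sample fingerprints and SYN descriptions.

```python
from collections import namedtuple

# Constructed pf.os-style entries (window:ttl:df:size:options:genre:version:subtype:details); invented values.
SAMPLE_PF_OS = """\
# comment lines and blank lines are ignored
S4:64:1:60:M*,S,T,N,W0:Linux:2.6::Linux 2.6 (constructed)
65535:128:1:48:M*,N,N,S:Windows:XP:SP1:Windows XP SP1 (constructed)
"""
# The SYN fields the module compares; options are tokens in wire order, e.g. "M1460,S,T,N,W0".
Syn = namedtuple("Syn", "window ttl df size options")

def parse_pf_os(text):
    """Parse pf.os-style text into fingerprint dicts; comments and malformed lines are skipped."""
    fps = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].strip().split(":")
        if len(f) >= 9:
            fps.append({"window": f[0], "ttl": int(f[1]), "df": int(f[2]), "size": int(f[3]),
                        "options": f[4], "genre": f[5], "version": f[6], "subtype": f[7],
                        "details": ":".join(f[8:])})
    return fps

def mss_of(syn):
    """MSS carried in the SYN's Mnnn option, or 0 when absent."""
    return next((int(t[1:]) for t in syn.options.split(",") if t[:1] == "M" and t[1:].isdigit()), 0)

def window_ok(spec, syn):
    """pf.os window spec: '*' any, '%n' multiple of n, 'Sn' n*MSS, 'Tn' n*MTU, otherwise exact value."""
    if spec == "*":
        return True
    if spec[0] == "%":
        return syn.window % int(spec[1:]) == 0
    if spec[0] in "ST":  # multiple of MSS, or of MTU (assumed MSS + 40 for IPv4/TCP)
        base = mss_of(syn) + (40 if spec[0] == "T" else 0)
        return mss_of(syn) > 0 and syn.window == int(spec[1:]) * base
    return syn.window == int(spec)

def options_ok(spec, syn):
    """Option kinds and their order must agree; 'M*' accepts any MSS value."""
    want, have = spec.split(","), syn.options.split(",")
    return len(want) == len(have) and all(w == h or (w == "M*" and h[:1] == "M")
                                          for w, h in zip(want, have))

def ttl_ok(fp_ttl, syn, mode):
    """--ttl 0: exact; --ttl 1: packet TTL at or below the initial TTL (assumed, hops allowed); --ttl 2: ignore."""
    return {0: syn.ttl == fp_ttl, 1: syn.ttl <= fp_ttl, 2: True}[mode]

def match(fps, syn, ttl_mode=1):
    """(genre, version, hops) for every fingerprint the SYN matches under the given --ttl mode."""
    return [(fp["genre"], fp["version"], fp["ttl"] - syn.ttl) for fp in fps
            if fp["df"] == syn.df and fp["size"] == syn.size and window_ok(fp["window"], syn)
            and options_ok(fp["options"], syn) and ttl_ok(fp["ttl"], syn, ttl_mode)]
```

The hops value is the same fingerprint-TTL minus packet-TTL figure the syslog lines above report, which is why a --ttl 0 rule only fits hosts on the local segment.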

Fingerprints can be downloaded from http://www.openbsd.org/cgi-bin/cvsweb/src/etc/pf.os

The original idea belongs to Michal Zalewski.

The latest release is always available in the archive.