How to Do OS Fingerprinting
There are 65536 TCP / UDP ports available to any normal TCP/IP stack. The range is from 0 to 65535, which is then split into multiple groups. For example, 0 to 1024 is known as the reserved port range (traditionally only root can bind programs to ports in this range) and 1025 to 65535 is the ephemeral port range. The ephemeral port range can itself be split into two groups known as the high and low port ranges. These two groups are set by the OS, but can normally be tweaked by changing specific kernel options.
Port 0 OS Fingerprinting
Port 0 is reserved for special use, as stated in RFC 1700. Coupled with the fact that this port number is reassigned by the OS, no traffic should flow over the internet using this port. As the specifics are not clearly defined, different OSes handle traffic using port 0 in different ways, and thus they can be fingerprinted.
Port 0 fingerprinting consists of seven tests. The tests are labeled P1 to P7 below.
P1: send TCP packet from source port 0 to port 0
P2: send TCP packet from source port X to port 0
P3: send TCP packet from source port 0 to open port
P4: send TCP packet from source port 0 to closed port
P5: send UDP packet from source port 0 to port 0
P6: send UDP packet from source port 53 to port 0
P7: send UDP packet from source port 0 to closed port
Port X in test P2 is any port not equal to 0. Port 53 is used as the source port in test P6 because it is the most likely to be let through by a firewall configuration.
The standard reply expected to P1, P2 and P4 is a RST packet, as the destination port should be closed.
The standard reply to P3 is SYN ACK, as the destination port is open and port 0 is a valid source port as described above.
The standard reply to P5, P6 and P7 is an ICMP port unreachable message, as no program should be listening on UDP port 0 or on the closed port.
Although port 0 is a valid port number, various OSes handle it differently.
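To make the expected-reply matrix concrete, here is an added Python example (not code from the paper, nor from gobbler) that encodes the seven probes with their standard replies and reports where an observed set of replies deviates from them, which is the comparison a fingerprint match reduces to. The sample observation is constructed: modelling a stack that refuses source port 0 as "no reply to P3" is an assumption about how such a refusal might appear, not the paper's OpenBSD fingerprint.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    """One of the seven port 0 probes (P1-P7) and the reply a conforming stack should send."""
    name: str
    proto: str       # "tcp" or "udp"
    src_port: str    # "0", "X" (any non-zero port) or "53"
    dst_port: str    # "0", "open" or "closed"
    expected: str    # standard reply described in the text


# Probe definitions and expected replies as given in the text above.
PROBES = (
    Probe("P1", "tcp", "0",  "0",      "RST"),
    Probe("P2", "tcp", "X",  "0",      "RST"),
    Probe("P3", "tcp", "0",  "open",   "SYN-ACK"),
    Probe("P4", "tcp", "0",  "closed", "RST"),
    Probe("P5", "udp", "0",  "0",      "ICMP-PORT-UNREACH"),
    Probe("P6", "udp", "53", "0",      "ICMP-PORT-UNREACH"),
    Probe("P7", "udp", "0",  "closed", "ICMP-PORT-UNREACH"),
)

# Reply vocabulary for observations; "NONE" means the probe got no answer.
REPLIES = {"RST", "SYN-ACK", "ICMP-PORT-UNREACH", "NONE"}


def deviations(observed: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Return {probe: (expected, observed)} for every probe whose reply differs
    from the standard one. Probes missing from `observed` are treated as "NONE"."""
    out: dict[str, tuple[str, str]] = {}
    for p in PROBES:
        got = observed.get(p.name, "NONE")
        if got not in REPLIES:
            raise ValueError(f"{p.name}: unknown reply {got!r}")
        if got != p.expected:
            out[p.name] = (p.expected, got)
    return out


def signature(observed: dict[str, str]) -> str:
    """Canonical one-line form of an observation, usable as a fingerprint table key."""
    return ";".join(f"{p.name}={observed.get(p.name, 'NONE')}" for p in PROBES)


def classify(observed: dict[str, str], database: dict[str, str]) -> str | None:
    """Exact match of the observation's signature against a {signature: label} table."""
    return database.get(signature(observed))


# Constructed sample observations (not real fingerprints from the paper).
CONFORMING = {p.name: p.expected for p in PROBES}
# Assumption: a stack that refuses connections from source port 0 (the P3 behaviour the
# text attributes to OpenBSD 3.2/3.3) is modelled as giving no reply; the other six replies
# are assumed to be standard.
SAMPLE_HOST = dict(CONFORMING, P3="NONE")

if __name__ == "__main__":
    print(signature(SAMPLE_HOST))
    print(deviations(SAMPLE_HOST))   # only P3 differs from the standard reply
```

Because `signature` orders the replies by probe number, two hosts with the same behaviour always produce the same key, so a fingerprint database can be a plain dictionary from signature to OS label.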
Below are a few example fingerprints. The entire list can be found at the end of the paper.
Fingerprint OpenBSD 3.2/3.3
Notice that OpenBSD has a cool feature / bug whereby it does not allow incoming connections from source port 0 (test P3).
Although port 0 is a valid TCP / UDP port number, it is highly recommended that you block any traffic using this port at your firewall. No program should be listening on port 0 and no program should connect from port 0; thus it should be blocked.
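As an added example of the detection side (not part of the paper), the following Python parses netfilter-style firewall log lines, flags every TCP or UDP packet with source or destination port 0, and maps each hit onto the probe it resembles so an analyst can recognise a port 0 fingerprinting run in the logs. The log lines are constructed; the SRC, DST, PROTO, SPT and DPT field names follow the netfilter LOG target format, and a firewall cannot tell an open from a closed destination, so P3 and P4 are reported together.

```python
import re
from collections import Counter

# Constructed netfilter-style log lines (not real captures). Three of the five
# carry port 0 in the source or destination field.
LOG_LINES = [
    "Jan 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=0 DPT=0 WINDOW=1024 SYN",
    "Jan 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=0 DPT=80 WINDOW=1024 SYN",
    "Jan 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=28 PROTO=UDP SPT=53 DPT=0 LEN=8",
    "Jan 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44321 DPT=443 WINDOW=64240 SYN",
    "Jan 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]

# Only TCP and UDP records carry SPT/DPT; ICMP lines deliberately fail to match.
FIELDS = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>TCP|UDP) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract src, dst, proto, spt, dpt from one log line, or None if it has no port fields."""
    m = FIELDS.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def probe_pattern(proto, spt, dpt):
    """Name the probe (P1-P7 from the text) that a port 0 packet resembles."""
    if proto == "TCP":
        if spt == 0 and dpt == 0:
            return "P1"
        if dpt == 0:
            return "P2"
        if spt == 0:
            return "P3/P4"      # open vs. closed destination is not visible at the firewall
    else:
        if spt == 0 and dpt == 0:
            return "P5"
        if spt == 53 and dpt == 0:
            return "P6"
        if spt == 0:
            return "P7"
    return "other"              # port 0 in use, but not one of the seven probe shapes


def port_zero_hits(lines):
    """Return the parsed records of every TCP/UDP packet using port 0 on either side,
    each annotated with the probe pattern it matches."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["spt"] == 0 or rec["dpt"] == 0):
            rec["pattern"] = probe_pattern(rec["proto"], rec["spt"], rec["dpt"])
            hits.append(rec)
    return hits


def hits_per_source(lines):
    """Count port 0 packets per source address; one source sending several shapes
    in quick succession is the signature of a fingerprinting run."""
    return dict(Counter(h["src"] for h in port_zero_hits(lines)))


if __name__ == "__main__":
    for h in port_zero_hits(LOG_LINES):
        print(f'{h["src"]} -> {h["dst"]} {h["proto"]} {h["spt"]}->{h["dpt"]} looks like {h["pattern"]}')
    print(hits_per_source(LOG_LINES))
```

The same matcher drops straight into a log pipeline: feed it the lines produced by a firewall rule that logs (and, per the recommendation above, drops) anything with source or destination port 0, and the per-source count tells you which hosts are probing rather than merely misconfigured.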
Port 0 fingerprinting can be tested using gobbler-2.0.1-alpha, available from http://www.networkpenetration.com or http://gobbler.sourceforge.net