2

Using nmap -O www.example.com I get:

Running (JUST GUESSING): Microsoft Windows 7|2008 (90%)

So I can say the target site is running Windows.

Using xprobe2 -v www.example.com, I'm just astonished at the fact that the results are completely different, being:

[+] Primary Network guess:
[+] Host 217.*4.***.** Running OS: "HP JetDirect ROM G.08.08 EEPROM G.08.04" (Guess probability: 86%)

Questions:

  1. Can a website really fake a response given to a network scanner?
  2. Nowadays is there a tool which is able to detect the running OS a hundred per cent sure?
Ali Ahmad
g9999
  • 1) yes. example: honeypot 2) no. example: honeypot – happy Dec 30 '12 at 21:58
  • Sorry, could you be more precise? What do you mean by that? Thanks – g9999 Dec 30 '12 at 22:06
  • Honeypot refers to a setup where you build a system/architecture to observe your enemy by providing honey (metaphor: a fake unsecured system, aka a trap) to better understand the way the enemy proceeds. Example: the honeypot project: https://www.projecthoneypot.org/ (regarding email spamming). While the tactic can prove useful, it's not something to be taken lightly, as there is some real risk associated with it. I found it useful sometimes when combined with other measures for tracking such attempts. – happy Dec 30 '12 at 22:13
  • @g9999 Just a quick thing: both letters in OS should be capital, not just the first, as it's an abbreviation. Also, there's no need to sign your posts with "thanks" or other platitudes - your upvotes / accept give users reputation, which is thanks in itself! :) – Polynomial Dec 30 '12 at 23:28
  • Not only honeypots change the responses from a web server; an administrator could easily change the banner displayed when anyone connects to their web server. This is considered best practice and is primarily a method of security through obscurity. – Mark S. Dec 31 '12 at 00:43

5 Answers

6

First, the theory
OS fingerprinting works by examining the quirks of how a given computer responds to network traffic. While RFCs specify a lot about TCP/IP stack behavior, some of the details or defaults may not be officially specified, and some OSes may deviate slightly even in prescribed behavior. Since the low-level TCP/IP stack behavior is generally implemented in the OS, implementation differences typically reveal the OS in use.

Next, the complications
That said, it's reasonably simple, almost trivial, to throw off these detection systems. Since these fingerprinting systems rely on the assumption that settings such as initial window size or TTL are never changed, simply changing the defaults is typically enough to throw the system off. While some examined behavior reflects code differences, other aspects are user-configurable settings which generally never get changed.

In fact, beyond just confusing OS fingerprinting tools, additional tools exist for the express purpose of giving very specific but "falsified" results in response to fingerprinting attempts.

tylerl
  • So actually any fingerprinting practice could be faked. But how do attackers gather information about a specific target they want to hack? – g9999 Dec 31 '12 at 09:33
  • Generally attacks are targeted against any available *services*, not against a specific OS. Also, generally attacks are *automated*, and in that case they simply run *all* available attacks, regardless of whether or not they apply. – tylerl Dec 31 '12 at 17:03
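tylerl's point above, that fingerprinting leans on defaults such as initial TTL and window size and that changing them throws the tools off, as an added example that is not part of the original answer: a toy passive fingerprinter in Python. It pulls the TTL and TCP window out of a raw IPv4/TCP header, rounds the TTL back up to a standard initial value to undo router hops, and looks the pair up in a small signature table. The table entries are assumed, simplified defaults chosen for the demo (not Nmap's or p0f's database), and the packets are constructed inline.

```python
import struct

# Illustrative (initial TTL, TCP window size) -> OS table. These pairs are
# assumed, simplified defaults chosen for the demo, not a real Nmap/p0f database.
SIGNATURES = {
    (64, 29200): "Linux 3.x+",
    (64, 5840): "Linux 2.6",
    (128, 8192): "Windows 7/2008",
    (128, 65535): "Windows XP/2003",
    (255, 4128): "Cisco IOS",
}

# Common initial TTLs; an observed TTL is rounded up to the next one of these
# to undo the decrement applied by each router hop on the path.
INITIAL_TTLS = (32, 64, 128, 255)


def _ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4_tcp(ttl, window, src="10.0.0.1", dst="10.0.0.2", flags=0x12):
    """Construct a minimal IPv4 + TCP header (SYN/ACK by default), checksums left zero."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 40, 0, 0x4000,   # ver/IHL, TOS, total len, id, DF
                         ttl, 6, 0, _ip(src), _ip(dst))    # TTL, proto=TCP, csum, addrs
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          443, 51234, 0, 1, 5 << 4, flags,  # ports, seq, ack, data offset, flags
                          window, 0, 0)                     # window, csum, urgent ptr
    return ip_hdr + tcp_hdr


def extract_ttl_window(packet):
    """Read the observed TTL and TCP window size out of a raw IPv4/TCP packet."""
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 6:                    # protocol field must be TCP
        raise ValueError("not a TCP segment")
    ttl = packet[8]
    (window,) = struct.unpack("!H", packet[ihl + 14:ihl + 16])
    return ttl, window


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial TTL."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def fingerprint(packet):
    """Return (guess, quality): exact pair match, else TTL-only fuzzy match, else unknown."""
    ttl, window = extract_ttl_window(packet)
    init = initial_ttl(ttl)
    exact = SIGNATURES.get((init, window))
    if exact:
        return exact, "exact"
    same_ttl = sorted(name for (t, _w), name in SIGNATURES.items() if t == init)
    if same_ttl:
        return " | ".join(same_ttl), "fuzzy (TTL only)"
    return "unknown", "no match"


if __name__ == "__main__":
    # The same Linux box 12 hops away: stock defaults, then with
    # net.ipv4.ip_default_ttl raised to 128, then with a non-default window.
    # Only the first case fingerprints cleanly; the rest are fuzzy or unknown.
    for label, pkt in [
        ("stock Linux", build_ipv4_tcp(ttl=64 - 12, window=29200)),
        ("Linux, TTL set to 128", build_ipv4_tcp(ttl=128 - 12, window=29200)),
        ("Linux, window set to 4096", build_ipv4_tcp(ttl=64 - 12, window=4096)),
        ("odd embedded stack", build_ipv4_tcp(ttl=30, window=1024)),
    ]:
        print(f"{label:28s} -> {fingerprint(pkt)}")
```

On Linux the first knob is the `net.ipv4.ip_default_ttl` sysctl: set it to 128 and, to this kind of matcher, the host lands in the Windows rows, which is exactly the "throw the system off" effect described in the answer. Nmap uses many more probes than TTL and window, but each of them is also a default that an administrator or a honeypot can change.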
4
  1. Can a website really fake a response given to a network scanner?

Yes, but very few intentionally fake responses. However, that doesn't mean you won't get incorrect fingerprint results on a regular basis; there are more common reasons for incorrect results. Many network scanners will produce invalid results due to nothing more than configuration changes from the OS's defaults, or in Nmap's case an inability to gather all of the required data to construct a full fingerprint. To get the most accurate Nmap fingerprint possible, the target host must (see the Nmap book on the topic):

1. Have at least one open TCP port
2. Have at least one closed TCP port
3. Have at least one closed UDP port
4. Respond to ICMP Echo requests

Part of the power of the Nmap OS scanner compared to simpler tools is that it combines tests from multiple protocols and attempts to produce a result that's a combination of many different probes, but it's also a downside because many hosts won't respond to all the probes needed to generate a full fingerprint (many machines block ICMP pings, for instance). It will fill in default values for the missing tests and hope that the tests it could run on the host are enough to distinguish its identity, but in most cases the best you'll get is a "fuzzy" match (not an exact fingerprint match, but something that is close).

Writing fingerprinting tools is a hard task, many operating systems behave in a very similar fashion, and distinguishing between them can be next to impossible. As you've already seen, many versions of Windows (in this case Windows 7 and Server 2008) get lumped together because the network stack implementations are identical or near identical.

Another problem that can sometimes change results is packet timing and network delay. Several of the Nmap fingerprint features rely on exact timing between probes sent and the response, combined with things like TCP Timestamps and sequence numbers. If a packet is delayed for a second because of a bit of lag, a resend somewhere along the routing path, or a CPU usage spike in the target machine, you can actually see differences in the Nmap fingerprint, meaning running an Nmap OS scan on the same target more than once can give you slightly different results!

  1. Nowadays is there a tool which is able to detect the running OS a hundred per cent sure?

No. The best way is to use a combination of tools and common sense. Running an Nmap scan can give you a basic idea of what OS is running, and you can often narrow it down by looking at the versions and banners of services you see. If you see a machine that reports Linux 2.6 and then look at an SSH banner that says SSH-2.0-OpenSSH_4.6 Debian-4, you can be more confident the OS scan was correct. If you start seeing conflicting information, like a machine Nmap thinks is FreeBSD but it's running Microsoft IIS, then it needs more investigation and you should be more wary of the OS results. You're poking a black box on the other side of the internet and trying to extrapolate what's inside based on what it tells you, but what it tells you may be a lie or just accidentally confusing.

PherricOxide
  • Thanks, your answer is clear and helpful. I'm doing a bit of research in the security field and I do need someone who can help me – g9999 Jan 01 '13 at 15:02
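PherricOxide's two points above, the prerequisites for a full Nmap fingerprint and cross-checking the OS guess against service banners, as an added example that is not part of the original answer: a Python script that reads Nmap's XML output (`-oX`), reports which of the four prerequisites the scan actually satisfied, and flags any service whose `ostype` field disagrees with the top `osmatch`. The XML below is a constructed, abridged sample (no UDP scan, hence the closed-UDP check stays false), not a real scan result.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged nmap -O -sV -oX output for one host (made up for this
# example). The SSH banner points at Linux while the web server claims IIS.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX - 192.0.2.10">
<host><status state="up" reason="echo-reply"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.6" extrainfo="Debian-4; protocol 2.0" ostype="Linux" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Microsoft IIS httpd" version="7.5" ostype="Windows" method="probed" conf="10"/></port>
<port protocol="tcp" portid="113"><state state="closed" reason="reset"/></port>
</ports>
<os><osmatch name="Linux 2.6.22 - 2.6.36" accuracy="90">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="90"/>
</osmatch></os>
</host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Flatten the parts of an nmap XML report this check cares about."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            ports.append({"proto": p.get("protocol"), "port": int(p.get("portid")),
                          "state": p.find("state").get("state"),
                          "product": get("product"), "version": get("version"),
                          "ostype": get("ostype")})
        matches = []
        for m in h.findall("os/osmatch"):
            cls = m.find("osclass")
            matches.append({"name": m.get("name"), "accuracy": int(m.get("accuracy")),
                            "family": cls.get("osfamily") if cls is not None else None})
        hosts.append({"addr": h.find("address").get("addr"),
                      "up_reason": status.get("reason") if status is not None else None,
                      "ports": ports, "os": matches})
    return hosts


def prerequisites(host):
    """The four conditions for a full Nmap fingerprint, as far as the report shows them."""
    ports = host["ports"]
    return {
        "open_tcp": any(p["proto"] == "tcp" and p["state"] == "open" for p in ports),
        "closed_tcp": any(p["proto"] == "tcp" and p["state"] == "closed" for p in ports),
        "closed_udp": any(p["proto"] == "udp" and p["state"] == "closed" for p in ports),
        "icmp_echo": host["up_reason"] == "echo-reply",
    }


def assess(host):
    """Compare the best osmatch family with what each service banner says about the OS."""
    if not host["os"]:
        return "no-guess", []
    best = max(host["os"], key=lambda m: m["accuracy"])
    family = (best["family"] or "").lower()
    agree, disagree = [], []
    for p in host["ports"]:
        if p["ostype"]:
            label = f"{p['proto']}/{p['port']} {p['product']} {p['version']} ({p['ostype']})"
            (agree if p["ostype"].lower() == family else disagree).append(label)
    if disagree:
        return "conflict", disagree
    if agree:
        return "consistent", agree
    return "unverified", []


if __name__ == "__main__":
    for host in parse_hosts(SAMPLE_XML):
        print(host["addr"], "prerequisites:", prerequisites(host))
        verdict, notes = assess(host)
        print(host["addr"], "OS guess vs banners:", verdict, notes)
```

A "conflict" verdict is the cue the answer describes: the box might be a reverse proxy, a honeypot, or a host with a tuned stack, and the 90% figure should not be trusted until you have looked closer. Run it against real output with `nmap -O -sV -oX scan.xml target` and feed the file contents to `parse_hosts`.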
3

For answering question's title:

Yes, up to 90%, as nmap said.

And for your points:

  1. Yes, that's the job of honeypots
  2. No. (100%, surely no. 100% don't exist anyway!)

Honeypots are fake servers that work to present themselves as any kind of existing system, in the hope that an attacker will try to go on. From there, a lot of mechanisms will ensure that the attacker believes he is successfully breaking the system's security, then log every one of the attacker's actions...

From there, the honeypot could learn a lot about the security failure which the attacker is trying to exploit and even make a kind of fingerprint for identifying the attacker himself, by his reflexes, method of testing, keyboard hitting frequency and other personal particularities (IP address stays secondary).

Do you wanna come to be glued in my honey, mon pote?

(mon pote is French for my friend.)

3

xprobe2's fingerprints haven't been updated in years, so it isn't going to give you accurate results on a newer OS. I believe it was released back in the 2005 time frame. Nothing is ever going to be 100% accurate. As noted in other threads, you can tweak the underlying system's banners (fool passive OS fingerprinting tools), tweak its IP stack (fool both passive and active tools), etc.

Eric
2

What tools like nmap and xprobe do is try to contact services on the machine, looking for open ports, and seeing if and what they reply to certain queries. All of this can of course be controlled by the server you are contacting; it can tell your analysis tool whatever it wants. So no, there is no 100% method of detecting the running OS by probing a machine via a network scanner.

us2012