
Are traditional OS-fingerprinting techniques effective in identifying Android smartphones (OS version) on a network? From my research I found that most Android network mappers can only be run from Android platforms, and tools such as nmap are unsuccessful.

  1. Android 1.5 Cupcake Linux kernel 2.6.27

  2. Android 1.6 Donut Linux kernel 2.6.29

    ..............................................................

  3. Android 4.0.x Ice Cream Sandwich Linux kernel 3.0.1

What are the best ways of identifying a smartphone or any other WiFi-enabled smart device on a network? Secondly, how can I differentiate between smart devices and actual physical machines (server/desktop)?

Ali Ahmad

2 Answers


While Android is the "official" OS on the device, the underlying OS on all Android phones is Linux. It's also the most popular Linux OS currently in use on smartphones. So if you see a phone that gets identified as running Linux, then it's probably Android.

The catch is that Android phones typically have NO network listening ports open at all, unless there's an app running that does. So a portscan will reveal nothing.

Instead, you'd have to intercept any device-initiated traffic and watch for any clues, such as the User-Agent on an unencrypted web request.

Polynomial
tylerl
    "So if you see a phone that gets identified as running Linux, then it's probably Android." Assuming that the device in question is not physically near you, how can you tell that it is a phone just from doing a port scan/os fingerprinting? –  Dec 31 '12 at 08:09
  • @TerryChia MAC address ranges, if you have it. It's easier to fake a MAC address than an nmap fingerprint, but if the device isn't cooperating, you won't gain much from attempting to fingerprint it anyway. – Gilles 'SO- stop being evil' Dec 31 '12 at 14:49
  • @TerryChia Yeah... you don't know. But since the question was identifying a *phone* as Android, the best I figured the question assumed that you already knew you were dealing with a phone. But yeah, if the MAC address starts with `00:09:2D`, then that's a bit of a giveaway. – tylerl Dec 31 '12 at 17:13

From a passive OS fingerprinting standpoint you have 2 main ways to differentiate the Android OS while it is on a wifi network.

  1. Use the User Agent of the web client, as noted in another answer. This is fairly straightforward on earlier versions to get the exact version. As you get into 2.0 and later, you could also use the name, such as ECLAIR, FROYO, GINGERBREAD, etc.

  2. If you can pick up on their DHCP traffic you can utilize this to tell the difference between some versions, but not all. Some utilize the same basic fingerprint (1.5-2.1 for example). In some cases you can differentiate between brands of devices running Android, as the underlying system appears to have been tweaked to request specifics for their system.

Both of these fingerprinting techniques are done by Satori (http://chatteronthewire.org).

Eric
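As an added example (not code from either answer, nor from Satori), here is a Python sketch of the two passive checks Eric lists: pulling the Android version and codename out of a User-Agent header, and reducing a DHCP Discover's option area to the option 55 (parameter request list) and option 60 (vendor class) key that DHCP fingerprinters match on. The sample DHCP bytes, the `dhcpcd-demo` vendor string and the signature table are constructed placeholders, not real Satori entries.

```python
import re

# Android release -> codename: the versions in the question plus the codenames
# the second answer suggests matching on. (Added example, not from the post.)
ANDROID_CODENAMES = {
    "1.5": "Cupcake", "1.6": "Donut", "2.0": "Eclair", "2.1": "Eclair",
    "2.2": "Froyo", "2.3": "Gingerbread", "4.0": "Ice Cream Sandwich",
}
UA_RE = re.compile(r"\bAndroid[ /](\d+\.\d+)(?:\.\d+)*", re.IGNORECASE)

def classify_user_agent(ua):
    """Return (major.minor, codename) for an Android User-Agent, else None."""
    m = UA_RE.search(ua)
    if not m:
        return None
    ver = m.group(1)
    return ver, ANDROID_CODENAMES.get(ver, "unknown")

def dhcp_options(blob):
    """Parse the TLV option area of a DHCP message (bytes after the magic
    cookie) into {code: value}. Option 0 is padding, 255 ends the list."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def dhcp_fingerprint(blob):
    """Key a client on its option 55 parameter request list and option 60
    vendor class, the fields that differ between Android builds and vendors."""
    opts = dhcp_options(blob)
    return tuple(opts.get(55, b"")), opts.get(60, b"").decode("ascii", "replace")

# CONSTRUCTED DHCPDISCOVER option area and a placeholder signature table; real
# signatures would be taken from Satori's database, not from here.
SAMPLE_DHCP_OPTIONS = (b"\x35\x01\x01"              # 53: DHCPDISCOVER
                       b"\x37\x04\x01\x03\x06\x0f"  # 55: subnet, router, DNS, domain
                       b"\x3c\x0b" + b"dhcpcd-demo" # 60: vendor class (constructed)
                       + b"\xff")                   # 255: end
KNOWN_DHCP_SIGNATURES = {((1, 3, 6, 15), "dhcpcd-demo"): "android-demo-profile"}

def match_dhcp(blob):
    return KNOWN_DHCP_SIGNATURES.get(dhcp_fingerprint(blob))
```

Feeding real captures through `dhcp_fingerprint` and collecting the distinct keys per known device is how such a signature table is built in the first place; as Eric notes, some releases (1.5 through 2.1) will collapse onto the same key.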