26-03-2012, 03:26 PM
OS fingerprinting with IPv6
Introduction
In real life, human fingerprints are used as a method of identification. To date,
no two fingerprints have been found to be alike, hence fingerprints are an excellent way to
positively identify a person beyond reasonable doubt. Just as a human fingerprint has its
unique characteristics, an operating system has its unique implementation of
communication protocols by which it can be identified. In this context, OS (Operating
System) fingerprinting is the analysis of certain characteristics and behaviors in network
communications in order to remotely identify an OS and its version without having direct
access to the system itself (Allen, 2007). As in real life, fingerprints are compared to a
database of known identities: captured characteristics and behaviors of a system's
communications need to be compared to a database of known operating systems.
Protocol Header changes in IPv6
This chapter gives a short overview of the IPv6 protocol. The introduction of the
IPv6 protocol is not only a response to the exhaustion of IPv4 address space, but also an
evolution of the IPv4 protocol in terms of improving existing features and adding new
ones. Improvements in the IPv6 protocol include (Network Working Group, 1995):
Expanded address space.
Extended routing (more levels of addressing hierarchy, simple auto-configuration of addresses).
Improved scalability of multicast routing.
Simplified header (fewer header fields compared to IPv4 to lower processing costs; dropped header fields are now available as optional extension headers).
Support for optional extension headers (allows for faster processing because extension headers are not examined by routers; allows for arbitrary length of IPv6 header).
Challenges in finding live hosts with IPv6
This paper assumes that the targeted live host for fingerprinting is known. In
reality, however, a new challenge with IPv6 is that it is not as easy to find live hosts to
fingerprint as with IPv4. Scanning a subnet with IPv4 might be done in a matter of hours, but it
might take days or weeks with IPv6 as the address space is much larger. Furthermore,
assuming that the number of live hosts will not rise by the same amount as the address
space increases with the transition to IPv6, it will be much more difficult to find live
hosts.
IPID generation and fragmentation
The new fragmentation extension header in IPv6 reuses known IPv4 header fields
and therefore does not offer new functionality. The IPv4 header fields ‘Identification’
(packet ID), ‘Flags’ and ‘Fragment Offset’ were moved to the IPv6 fragmentation
extension header. While the basic functionality of fragmentation stays the same in IPv6,
the relocation of the fragmentation header fields enables new ways of usage for OS
fingerprinting. This is because fragmentation is now handled by the source and
destination rather than intermediate routers to speed up packet delivery times (Network
Working Group, 1998).
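The fields named above can be read straight out of a captured packet. The following is an added example, not code from the paper: it parses the Fragment extension header using the layout from the IPv6 specification (8-bit Next Header, 8-bit Reserved, 13-bit Fragment Offset, 2 reserved bits, M flag, 32-bit Identification) and labels how a host's Identification values progress. The function names, the max_step threshold and the sample packet builder are assumptions made for illustration.

```python
import struct

NH_HOPOPT, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
FIXED_HDR_LEN = 40  # the IPv6 fixed header is always 40 bytes

def parse_fragment_header(packet: bytes):
    """Walk the extension-header chain; return Fragment header fields or None."""
    if len(packet) < FIXED_HDR_LEN or packet[0] >> 4 != 6:
        return None
    next_header, pos = packet[6], FIXED_HDR_LEN
    # Hop-by-Hop, Routing and Destination Options carry their own length byte.
    while next_header in (NH_HOPOPT, NH_ROUTING, NH_DSTOPTS):
        if pos + 8 > len(packet):
            return None  # truncated chain
        next_header, hdr_len = packet[pos], (packet[pos + 1] + 1) * 8
        pos += hdr_len
    if next_header != NH_FRAGMENT or pos + 8 > len(packet):
        return None
    upper, _reserved, off_flags, ident = struct.unpack_from("!BBHI", packet, pos)
    return {"next_header": upper, "offset": (off_flags >> 3) * 8,
            "more_fragments": bool(off_flags & 1), "identification": ident}

def classify_ids(ids, max_step=16):
    """Label a sequence of Identification values (max_step is an assumed threshold)."""
    if len(ids) < 3:
        return "insufficient"
    deltas = [(b - a) % 2**32 for a, b in zip(ids, ids[1:])]  # 32-bit wraparound
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= max_step for d in deltas):
        return "incremental"
    return "random"

def build_fragment(ident, offset=0, more=True, hop_by_hop=False):
    """Constructed sample packet (documentation prefix 2001:db8::/32, UDP payload)."""
    frag = struct.pack("!BBHI", 17, 0, (offset // 8) << 3 | int(more), ident)
    ext = (struct.pack("!BB6x", NH_FRAGMENT, 0) if hop_by_hop else b"") + frag
    first_nh = NH_HOPOPT if hop_by_hop else NH_FRAGMENT
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    fixed = struct.pack("!IHBB", 6 << 28, len(ext) + 8, first_nh, 64) + src + dst
    return fixed + ext + b"\x00" * 8

if __name__ == "__main__":
    captured = [build_fragment(0x1000 + i) for i in range(4)]  # constructed capture
    ids = [parse_fragment_header(p)["identification"] for p in captured]
    print(ids, classify_ids(ids))
```

Unlike IPv4, the Fragment header has no Don't Fragment bit, and the header appears only in packets the source actually fragmented, so Identification values are visible only in fragmented traffic.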
Conclusion
After looking at known fingerprinting methods from IPv4 and methods newly enabled
by the IPv6 protocol, we conclude that fingerprinting methods with the IP
protocol did not fundamentally change. Some of the known fingerprinting techniques
from IPv4 can still be used with IPv6, others are obsolete. Then again, IPv6 also enables
new methods of OS fingerprinting which substitute for the obsolete methods from IPv4.
Overall, OS fingerprinting methods with the IP protocol are still limited with IPv6, hence
OS fingerprinting still depends on upper-layer protocols like TCP or FTP.