Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What is OS Fingerprinting?



Article ID: KB22925 KB Last Updated: 05 Mar 2017Version: 2.0
This article provides information about OS Fingerprinting and the support extended by Juniper for it.
  • What is OS Fingerprinting?

  • Does Juniper support OS Fingerprinting?

OS Fingerprinting refers to the detection of the operating system of an end-host by analyzing packets, which originate from that system. It is used by security professionals and hackers for mapping remote networks and determining which vulnerabilities might be present to exploit.

OS Fingerprinting works only for packets that contain a full-fledged TCP connection; that is the TCP connection should have a SYN, SYN/ACK, and ACK connection.

Certain parameters within the TCP/IP protocol definition are left up to the implementation of the respective operating system. Different operating systems set different defaults for these values. By collecting and examining these values, you can differentiate among various operating systems. Some of the areas that can be looked into to determine the OS are:

  • TTL

  • Window size

  • Packet size

  • DF bit

  • TOS

There are two ways to accomplish this:

  • Active OS Fingerprinting:

    It involves actively determining a targeted PC's OS by sending carefully crafted packets to the target system and examining the TCP/IP behavior of received responses.

  • Passive OS Fingerprinting:

    Passive OS fingerprinting is the examination of passively collected sample of packets from a host. It is based on sniffer traces from the remote system. Instead of actively querying the remote system, you can capture packets sent from the remote system

This is an example of captures taken from Machine A which is running Windows XP and Machine B which is running Windows 7.

Example 1:

Here you can see the difference between the behavior of setting the DF bit.

Windows XP:

Windows 7:

Example 2:

In this case, the two packets are performing the exact same function; but Packet A still reports its length as 62 bytes, where as packet B reports a length of 66 bytes. This means that the source host, which is transmitting packet B added an additional 4 bytes to its SYN packet. The source of these extra bytes can be found in the TCP header portion of the packets.

Windows XP:

Windows 7:

The following table provides a general idea of the OS mapping; a more detailed chart is provided by the SANS Institute.

OS TTL Packet Size
Windows 128 48
Linux 64 60
MAC 64 60

ScreenOS devices are not capable to perform OS fingerprinting; but some of the IDP devices, such as IDP75, IDP200, IDP250, IDP600, IDP800, IDP8200, and IDP1100, may support it.

To provide protection against this on the ScreenOS device, the possible workaround is to turn on some screening options, so that the firewall drops the abnormal packets. Such abnormal packets are used for OS fingerprinting, as the response to such packets is dependent on the OS and every OS has a different TCP/IP stack implementation.

You may enable the following screening options:

In the Web UI of the firewall, go to Security > Screening > Screen. You can see under Protocol Anomaly Reports > TCP/IP Anomalies:

  • SYN Fragment Protection

  • TCP Packet Without Flag Protection

  • SYN and FIN Bits Set Protection

  • FIN Bit With No ACK Bit in Flags Protection

  • Unknown Protocol Protection

Of course, this will not stop the application from telling which OS and version it is running; but could stop further discovery.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search