A fingerprint/footprint in cybersecurity is a set of data that can be used to detect operating systems, protocols, software, and hardware of a tech stack. Cybersecurity fingerprinting enables penetration testers and advanced operators to build a server profile by correlating various data sets. Fingerprinting attacks occur when attackers exploit this information to obtain the configuration of hosts and networks to orchestrate advanced attacks.
This article discusses fingerprinting in cybersecurity, various fingerprint attacks, prevention techniques, and commonly asked questions.
What is Footprinting/Fingerprinting?
Fingerprinting is a penetration testing technique to gather as much of a system’s configuration information as possible. Some information in a fingerprint includes application software technology, network topology, cluster architecture, host OS platform, and database version.
Fingerprinting involves sniffing network traffic and packets leaving the target systems, or sending custom-crafted packets toward the target network. The objective of such actions is typically to capture the target system's responses as a characteristic pattern, often called a signature. That signature contains critical information that can map out the ecosystem's infrastructure, services, and network components, which in turn helps the attacker gauge the system's security posture.
What is Fingerprinting in Network Security?
Considered one of the most severe forms of attack, fingerprinting allows hackers to craft malicious packets and launch them toward a remote host to identify network protocols, hardware devices, and the topology of its private network. Hackers exploit these details to create a network map that helps them identify vulnerabilities for a successful attack. Fingerprinting is usually the second step in a fully-fledged cybersecurity attack. It helps hackers customize exploits by correlating differences in the packets they send with the remote network's response patterns.
Types of Fingerprinting
Depending on how they are carried out, fingerprinting techniques are commonly categorized as:
Passive fingerprinting is a stealth technique in which the hacker sniffs network traffic as reconnaissance for creating a digital footprint of the corporate network. Because no packets are injected into the network, the hacker bypasses intrusion detection systems and becomes a persistent threat. To accomplish this, attackers typically use network scanning and a wide range of systems to simulate penetration-testing activity and log digital activities.
The fingerprint developed from these operations helps attackers build a digital shadow of the application, subsequently used to fine-tune future attacks.
Active fingerprinting involves the hacker sending suspicious packets to the target systems and analyzing their responses to build a configuration profile. As the most popular fingerprinting technique, it offers a more straightforward way of determining the host operating system by identifying the TCP/IP stack behaviour of the underlying target hosts.
Active fingerprinting methods are also the riskiest for the attacker, as they are easier to capture with intrusion detection systems. Port scanning and network mapping are the most used active fingerprinting tools; they identify the types of packets returned and other details crucial to determining the application's configuration, including:
- TCP options
- ICMP requests
- DHCP requests
- IP Time-to-Live (TTL) values
- IP Addresses and ID values
- Don’t Fragment bit setting
- Window size
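The header fields listed above are exactly what a passive matcher (the approach tools such as p0f take, and one defenders use for asset inventory) turns into a fingerprint. The following Python block is an added example, not code from the article or from any tool: it infers the sender's initial TTL from the observed value, builds a canonical fingerprint string from TTL, DF bit, window size and TCP option order, and matches it against a signature table. The signatures, option labels and sample observations are constructed approximations for illustration only.

```python
"""Passive TCP/IP stack fingerprinting from SYN header fields.

Added example, not from the original article. The signature table is a
constructed approximation, not any tool's real database, and the option
names ("mss", "sackOK", "ts", "nop", "wscale") are labels chosen here."""
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# Initial TTLs common stacks start from; a packet arriving with TTL 57
# most likely left its sender at 64 and crossed 7 routers on the way.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class SynObservation:
    src: str
    ttl: int                   # TTL as seen on the wire
    window: int                # advertised receive window
    df: bool                   # Don't Fragment bit
    options: Tuple[str, ...]   # TCP options in the order they appeared
    mss: Optional[int] = None  # MSS option value, if present


WindowRule = Union[int, Tuple[str, int]]  # literal value, or ("mss_multiple", k)

# (label, initial TTL, window rule, DF bit, option order) - constructed rows
SIGNATURES = [
    ("linux-like",   64,  ("mss_multiple", 20), True, ("mss", "sackOK", "ts", "nop", "wscale")),
    ("windows-like", 128, 8192,                 True, ("mss", "nop", "wscale", "nop", "nop", "sackOK")),
    ("bsd-like",     64,  65535,                True, ("mss", "nop", "wscale", "sackOK", "ts")),
]


def infer_initial_ttl(observed_ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255


def estimated_hops(obs: SynObservation) -> int:
    """Router hops between sender and sniffer, from the TTL decrement."""
    return infer_initial_ttl(obs.ttl) - obs.ttl


def fingerprint(obs: SynObservation) -> str:
    """Canonical fingerprint string: initial_ttl:df:window:option order."""
    return "{}:{}:{}:{}".format(
        infer_initial_ttl(obs.ttl), "df" if obs.df else "nodf",
        obs.window, ",".join(obs.options))


def _window_matches(rule: WindowRule, obs: SynObservation) -> bool:
    # A window rule is either a fixed value or a multiple of the sender's MSS.
    if isinstance(rule, tuple):
        _, k = rule
        return obs.mss is not None and obs.window == k * obs.mss
    return obs.window == rule


def match_os(obs: SynObservation) -> str:
    """Return the first signature label whose fields all agree, else 'unknown'."""
    ittl = infer_initial_ttl(obs.ttl)
    for label, sig_ttl, win_rule, sig_df, sig_opts in SIGNATURES:
        if (ittl == sig_ttl and obs.df == sig_df
                and obs.options == sig_opts and _window_matches(win_rule, obs)):
            return label
    return "unknown"


# Constructed observations, as a sniffer would hand them over.
SAMPLE = [
    SynObservation("10.0.0.5", 57, 29200, True, ("mss", "sackOK", "ts", "nop", "wscale"), mss=1460),
    SynObservation("10.0.0.6", 119, 8192, True, ("mss", "nop", "wscale", "nop", "nop", "sackOK"), mss=1460),
    SynObservation("10.0.0.7", 250, 5840, False, ("mss",), mss=1460),
]

if __name__ == "__main__":
    for obs in SAMPLE:
        print(obs.src, fingerprint(obs), match_os(obs), f"~{estimated_hops(obs)} hops")
```

The window rule expressed as a multiple of MSS is the reason MSS is carried alongside the raw window: several stacks pick their initial window as a fixed multiple of MSS, so the raw number alone varies with link MTU while the ratio stays stable. The third sample deliberately matches nothing, which is the behaviour an inventory tool should show rather than guessing.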
Fingerprinting Attack Techniques
Fingerprinting attack techniques can also be classified according to the specific systems/components they target. These classes include:
OS fingerprinting is a group of techniques aimed at determining a remote host's operating system. The attackers can then create exploits tailored to known vulnerabilities associated with the specific OS version in use.
Network fingerprinting aims to uncover specifics of the TCP/IP stacks and other network protocols used within the corporate network. The attack typically requires the attackers to scan target networks for information such as TCP/IP address ranges, subnet masks, TCP/IP header fields, and DNS server configuration in order to interpret the configuration of an application's current networks.
Email fingerprinting is an attack in which an adversary scans emails within a corporate network for unique identifiers such as the type of sender, email address, mail flow rules, headers, footers, and subject lines. This information is collected over time to compose digital fingerprints and message profiles for each user. With these message profiles, attackers can craft suspicious emails for phishing attacks on other unsuspecting, registered users.
How to Prevent Fingerprinting Attacks?
While fingerprinting helps cybersecurity professionals and ethical hackers assess the effectiveness of an application's security controls, it may also enable malicious actors to orchestrate advanced attacks. Cybersecurity approaches crucial to preventing fingerprinting attacks include:
Restricting network traffic with firewalls
It is crucial to control the exchange of information between an application and external entities. A web application firewall with properly configured filtering and routing rules helps prevent the accidental leakage of sensitive information types to external malicious actors.
Restrict frames passing through the NIC
In promiscuous mode, the Network Interface Card (NIC) passes all received traffic to the CPU. Promiscuous mode should be enabled on a NIC only when necessary, for example while troubleshooting network performance issues or running integration tests. Otherwise, developers should ensure the web server's network controller is programmed to accept only a specified set of frames, restricting the traffic that can interact with the host OS.
Monitor events and log files
Passive fingerprinting attacks are usually orchestrated as persistent threats, where the attacker acquires more information the longer they stay undetected. While the intrusion may go unnoticed, systems usually record all digital activities in their log files. To prevent deeper penetration and exploitation of the system, advanced operators and security professionals should diligently review application events and log files to identify malicious activity, such as:
- Use of advanced search parameters
- Fingerprint device IPs
- Suspicious packets
- Unauthorized fingerprinting behavior
- Suspicious traffic
- Malformed DNS queries
- Abuse of basic database queries
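Two of the items above, suspicious packets and fingerprinting behaviour, leave a recognisable trace in firewall logs: one source touching many distinct ports in a short window, and TCP packets with flag combinations no normal stack sends. The following Python block is an added example, not code from the article; it parses log lines in the netfilter/iptables LOG layout (key=value pairs followed by bare TCP flag tokens) and applies both checks. The log lines are constructed here, and the 10-ports-in-60-seconds threshold is an assumption to be tuned per environment.

```python
"""Detection logic for active fingerprinting traces in firewall logs.

Added example, not from the original article. The sample lines imitate the
iptables LOG format but are constructed; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]


def _line(second, src, dpt, flags, ident):
    # Builds one constructed log line with an ISO timestamp for easy parsing.
    return (f"2024-03-10T12:00:{second:02d} gw kernel: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 TTL=57 ID={ident} DF PROTO=TCP SPT={40000 + ident} "
            f"DPT={dpt} WINDOW=1024 {flags}")


# Constructed sample: one host sweeping 11 ports in 11 seconds, one ordinary
# HTTPS client, one NULL probe (no flags) and one Xmas probe (FIN PSH URG).
LOG_LINES = (
    [_line(i, "203.0.113.7", p, "SYN", i) for i, p in enumerate(SCAN_PORTS)]
    + [_line(30, "198.51.100.4", 443, "SYN", 50),
       _line(31, "198.51.100.4", 443, "ACK", 51),
       _line(40, "203.0.113.9", 80, "", 60),
       _line(41, "203.0.113.9", 80, "FIN PSH URG", 61)]
)

KV_RE = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split a log line into timestamp, key=value fields and TCP flag set."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    return {
        "ts": datetime.fromisoformat(ts_str),
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        "flags": frozenset(tok for tok in rest.split() if tok in FLAG_TOKENS),
    }


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Sources that hit >= threshold distinct TCP ports within any window."""
    by_src = defaultdict(list)
    for e in map(parse_line, lines):
        if e["proto"] == "TCP" and e["dpt"] is not None:
            by_src[e["src"]].append((e["ts"], e["dpt"]))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide the window
                start += 1
            best = max(best, len({dpt for _, dpt in hits[start:end + 1]}))
        if best >= threshold:
            alerts.append((src, best))
    return alerts


def detect_flag_anomalies(lines):
    """TCP packets whose flags no normal stack emits: none at all (NULL),
    FIN/PSH/URG without SYN, ACK or RST (Xmas/FIN), or SYN together with FIN."""
    alerts = []
    for e in map(parse_line, lines):
        if e["proto"] != "TCP":
            continue
        f = e["flags"]
        null_scan = not f
        no_handshake_flag = bool(f) and not (f & {"SYN", "ACK", "RST"})
        syn_fin = {"SYN", "FIN"} <= f
        if null_scan or no_handshake_flag or syn_fin:
            alerts.append((e["src"], e["dpt"], "+".join(sorted(f)) or "NONE"))
    return alerts


if __name__ == "__main__":
    print("port scans:", detect_port_scans(LOG_LINES))
    print("flag anomalies:", detect_flag_anomalies(LOG_LINES))
```

The port-scan check counts distinct destination ports rather than packets, so a busy but legitimate client retrying one service never trips it; the flag check is stateless and catches single probes that a volume threshold would miss.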
Constant vulnerability patching
The vibrant community of cybersecurity professionals, product vendors, and software enthusiasts consistently discovers vulnerabilities and publishes them in threat enumeration databases. Attackers often use these databases as a source of identified weaknesses when exploiting systems in the course of fingerprinting attacks. To avoid potential attacks, patch vulnerabilities as soon as they are discovered, or implement temporary stop-gap controls while a permanent fix is rolled out.
What is the difference between fingerprinting and enumeration?
Enumeration is the process of locating and listing servers or other devices connected to the network. Fingerprinting is the next logical step, allowing cybersecurity professionals or hackers to gather as much information as possible about the server and network.
While DNS enumeration would return lists of devices connected to the network, fingerprinting aims to include detailed information, such as:
- Open ports
- Enabled/disabled features
- Installed software
- Operating System configurations
What are some of the most popular fingerprinting tools?
Some popular tools for fingerprinting testing techniques include:
Nmap – A powerful tool for port scanning and OS detection.
p0f – A passive fingerprinting tool that analyzes TCP/IP patterns in network traffic. It can also identify load-balancing, proxy, and NAT setups.
Ettercap – A network sniffing tool that can capture several protocols, including FTP, Telnet, basic MySQL database queries, and HTTPS. It exploits the insecure ARP protocol to perform a man-in-the-middle attack and can be used to identify open ports, MAC addresses, NIC vendors, and running services.
XProbe2 – An active OS fingerprinting tool that uses probabilistic guessing, simultaneous matching, a signature database, and signature matching to fingerprint communication patterns in software-defined networks.