Researchers Create New 'Fingerprinting' Method

Many fingerprinting tools have been quietly fading from the hacking scene, but two researchers hope to resuscitate the reconnaissance technique: Jay Graver and Ryan Poppa next month will release a new fingerprinting tool they developed that's more accurate and reliable, they say.

"Fingerprinting is becoming a lost art," says Graver, lead engineer at nCircle Network Security, who along with Poppa will demonstrate the HTTP fingerprinting tool at the upcoming SecTor security conference in Toronto. The poor quality and inaccuracy of many fingerprinting tools has caused their popularity among researchers to wane, and prompted some tools to disappear altogether, Graver and Poppa say.

The exception, of course, is the wildly popular open source nmap fingerprinting tool, the researchers say. "Nmap is still going strong and making major improvements, and it has enough people keeping it going," Graver says.

Fingerprinting tools -- which identify a remote machine's operating system or application protocol by sending it packets and analyzing its responses -- have been used for things like wireless hacking as well. (See New Tool Dusts for Fingerprints.) Fingerprinting tools use the responses to build a "fingerprint" of the system that is matched against a database of known "signatures." Hackers, good and bad, can use this information to target specific hosts for known vulnerabilities in that software.

Graver and Poppa say their tool is more foolproof than existing tools, and can quickly and easily identify HTTP servers. One problem with today's fingerprinting tools is many haven't been updated with the "fingerprints" of the latest server and OS versions, for instance, for years, so they are no longer accurate. Also, "one unexpected response" from the host causes accuracy issues with the tool, Poppa says.

The researchers say their tool uses a different and more effective technique in which it sends only one request for a response at a time, and uses incremental recon to determine its subsequent requests and to glean the information the attacker or researcher wants.

"If you don't know if the Web server is Apache or IIS, you send a request to it, and based on its response, you can eliminate if it's either Apache or IIS... Then it can send a second request based on the shape" of the server as we know it so far, Poppa says.

The researchers say they decided to go with HTTP fingerprinting only in their first iteration of the tool because it's the easiest to test for. "With HTTP, it's one question and one answer, one packet back and forth," Poppa says. "Other protocols involve quite a few packets."

Graver and Poppa say they're still debating what they'll ultimately do with the tool, whether it's adding more protocols to it, improving its accuracy further, or incorporating it into nCircle's own products.

"Ours is a direct, simplistic approach," Graver says. "It's amazing what you can learn with one question."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.