Home > CAPEC List > CAPEC-312: Active OS Fingerprinting (Version 2.10)  

CAPEC-312: Active OS Fingerprinting

Active OS Fingerprinting
Definition in a New Window Definition in a New Window
Attack Pattern ID: 312
Abstraction: Standard
Status: Stable
Completeness: Complete
Presentation Filter:
+ Summary

An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

+ Target Attack Surface

Target Attack Surface Description

Targeted OSI Layers: Network Layer

Target Attack Surface Localities


Target Attack Surface Types: Host

Target Functional Services

Target Functional Service 1: None
Protocol 1: Any
Related Protocol: Internet Protocol
Relationship Type
Uses Protocol
Related Protocol: User Datagram Protocol
Relationship Type
Uses Protocol
Related Protocol: Internet Control Messaging Protocol
Relationship Type
Uses Protocol
Related Protocol: Transmission Control Protocol
Relationship Type
Uses Protocol
+ Attack Prerequisites
  • The ability to monitor and interact with network communications.

    Access to at least one host, and the privileges to interface with the network interface card.

+ Typical Severity


+ Typical Likelihood of Exploit

Likelihood: Medium

+ Resources Required

Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.

A tool capable of sending and receiving packets from a remote system.

+ Attack Motivation-Consequences
ScopeTechnical ImpactNote
Read application data
Hide activities
+ References
[R.312.1] [REF-20] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 2: Scanning, pg. 56. 6th Edition. McGraw Hill. 2009.
[R.312.2] [REF-21] Defense Advanced Research Projects Agency Information Processing Techniques Office and Information Sciences Institute University of Southern California. "RFC793 - Transmission Control Protocol". Defense Advanced Research Projects Agency (DARPA). September 1981. <http://www.faqs.org/rfcs/rfc793.html>.
[R.312.3] [REF-22] Gordon "Fyodor" Lyon. "Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning". Chapter 8. Remote OS Detection. 3rd "Zero Day" Edition,. Insecure.com LLC. 2008.
[R.312.4] [REF-10] Gordon "Fyodor" Lyon. "The Art of Port Scanning". Volume: 7, Issue. 51. Phrack Magazine. 1997. <http://www.phrack.org/issues.html?issue=51&id=11#article>.
+ Content History
CAPEC Content TeamThe MITRE Corporation2014-06-23Internal_CAPEC_Team
CAPEC Content TeamThe MITRE Corporation2017-05-01Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_ExploitInternal
More information is available — Please select a different filter.
Page Last Updated or Reviewed: May 01, 2017