Passive OS Fingerprinting (TCP/IP Fingerprint)

Proxy providers and users go to great lengths to protect their privacy. This extends to every piece of information that could be used not just to identify themselves but also to the fact they’re using a proxy at all. Websites have a variety of tools at their disposal to track users across their site, including active measures like cookies — where the user agrees to download something onto their device — and more passive measures like browser fingerprinting — where a user’s data is derived from information they’re broadcasting rather than explicitly agreeing to share.

Passive OS fingerprinting, or TCP/IP fingerprinting, is one of the tools at a website’s disposal to collect information about its users, alongside many others it uses to create a unique fingerprint for every visitor.

What is Passive OS Fingerprinting?

Passive fingerprinting is a technique to determine the operating system and its specific version by analyzing characteristics in the IP, TCP, UDP, and ICMP protocols without injecting traffic into the network.

Different operating systems have subtle differences in how they implement various protocols, the TCP/IP stack in particular. By analyzing these differences, one can make an educated guess as to the operating system of any given user.

Passive OS fingerprinting doesn’t require any data to be transferred from the server to the client and doesn’t change the normal operations of the user’s device. As such, it’s hard to know when it’s taking place. As no packets are sent to the target device, it requires the target to be generating network traffic, i.e. a website can monitor a device’s incoming traffic. This sets it apart from its active counterpart.

Difference Between Active and Passive OS Fingerprinting

Active OS fingerprinting is also a process of identifying the operating system of a device, but requires active engagement to achieve it. In active OS fingerprinting, packets are sent to the target network and the responses are analyzed. On the one hand, the device can be scanned even if it’s idle but on the other, it lets the target know that it’s being fingerprinted.

These differences mean active OS fingerprinting and passive OS fingerprinting have distinct use cases. Active OS fingerprinting is generally used during penetration testing as one of the tools in the kit of a security professional searching for vulnerabilities. It’s also used in network mapping, as a way of creating a full inventory of devices connected to a network.

By contrast, passive OS fingerprinting is more commonly used in network monitoring and allows intrusion detection systems to identify unauthorized devices running unexpected operating systems.

Protect against passive OS tracking with Proxidize Proxies.Protect against passive OS tracking with Proxidize Proxies.

How Does Passive OS Fingerprinting Work?

First, packets are captured from the target device with a tool like Wireshark or tcpdump. All traffic is intercepted without being changed at this stage, and no packets are changed or sent during this process.

Second, the packet headers — the section at the start of a packet responsible for the packet’s correct routing, delivery, and processing — are analyzed for various parameters.

For the IP header field, three things are important:

Time to Live (TTL): This is an 8-bit field in the IPv4 header that defines the number of times a packet can transit through routers before it dies, i.e. it limits a packet’s lifespan. This both conserves bandwidth in a network and stops packets from circulating indefinitely.

Don’t Fragment (DF) Flag: This is one of three control flags in the IPv4 header. When it is set, it tells the router the packet shouldn’t be fragmented.

Type of Service: This is another 8-bit field in the IPv4 header that specifies how the packet should be handled in terms of priority and routing.

Here, the default values of each are relevant. For example, Windows’ default TTL value is 128, while Linux and macOS both have a default TTL of 64. There is an element of uncertainty from the server’s side of things, as it only sees the final value of the TTL (where the TTL decreases by one every hop). This means that a packet with a TTL of 60 (upon arrival) could have originated from a Windows device 68 hops away or a Linux device 4 hops away.

The TCP header field contains the information for establishing connections, transferring data, flow control, and error handling. It contains the following important information:

Window Size: This is a 16-bit value that tells the receiver of the packet how much data (in bytes) it can transmit back to the sender before it should wait for a response.

TCP Options and Order: The TCP header field can include optional fields and these can differ significantly between operating systems. Maximum Segment Size (MSS): This defines the largest amount of data in bytes a device can receive in a single TCP segment, which helps avoid fragmentation. Window Scaling: This can extend the window size beyond the 16-bit limit. Selective Acknowledgements: This lets the sender know about all the segments that have been successfully received, which lets the sender only retransmit the missing segments. Timestamps: This adds the sender’s current timestamp to each segment. Order of TCP Options: The order in which the optional fields appear can differ between operating systems, which is useful for TCP/IP fingerprinting.

Sequence and Acknowledgment Numbers: The sequence number is a 32-bit number that identifies the position of the first byte of the segment in the data stream, which ensures the data is reassembled in the correct order once received. The acknowledgement number is also a 32-bit number, one that indicates the next expected sequence number from the other side. This serves as confirmation to the sender which data has been successfully received.

The third step is to look at differences in protocol implementation.

TCP/IP stack behavior: Each OS has its own way of implementing network protocols and looking at these can help narrow down the OS through unique packet characteristics.

Handling of network conditions: Networks can be congested, require packets to be resent, and more. You can start narrowing down the OS based on how they account for these different scenarios.

Fourth, the timing and sequence of packets is analyzed:

Inter-Packet Timing (IPT): This is the time in between sending packets, i.e. the time between the arrival/departure of one packet and the next. While it is one of the parameters analyzed in OS fingerprinting, several things can influence IPT including network congestion, the type of application generating the traffic, and hardware limitations.

Initial Sequence Numbers (ISN): This is a 32-bit number chosen by both parties in a TCP handshake, which is important for making sure data is transmitted and reassembled in the right order. The ISN is different from the previously mentioned sequence numbers. ISNs are generated with intentional randomness to protect against attacks which different OS do differently. Looking at how they’re generated can help TCP/IP fingerprinting.

Response Times: This is the time between a request being sent to a server and the corresponding response being received, including all delays — even environmental. Because OS process and respond to network requests slightly differently, it’s relevant for OS fingerprinting but the fact response times can be so impacted by something like network congestion, it’s not a reliable parameter.

As with all the other steps, it’s when all these data points are taken together that they contribute to building a broader picture of what a device’s operating system is.

Fifth, the data collected from the packets is compared against a database of known OS fingerprints. Software like p0f automates this process and maintains a large database of fingerprints.

Finally, the results of the comparison is used to generate a best match for the OS, which is usually accompanied by a confidence level.

Passive OS fingerprinting serves a variety of purposes in network management. Because it relies on traffic to be generated by devices, it generally serves as a tool to monitor networks for anything from threat detection — anomalies, intruders, threats, and more — to quality of service and traffic assessments.

Passive OS Fingerprinting and the Proxy Industry

Impact on Anonymity

Passive OS fingerprinting poses a challenge to proxy users. There was a time when the industry considered it an existential threat. How do you defend yourself against something that can identify you despite masking your IP?

Proxies, anti-detect browsers, and similar anonymizing technologies don’t change the underlying way network packets are sent by your operating system. The inception of OS fingerprinting was another weapon in the ever growing arsenal of fingerprinting tools and offered yet another variable in narrowing down a user’s unique fingerprint.

Avoid flagged IPs and improve anonymity using Proxidize Proxies.Avoid flagged IPs and improve anonymity using Proxidize Proxies.

Ways to Hide Passive OS Fingerprint

As it is the proxy that’s communicating with the outside world, OS fingerprint spoofing necessarily happens at the proxy end of the equation. There are a few ways to spoof your TCP/IP fingerprint. Some proxy providers offer built-in solutions. There are also software solutions to change your TCP/IP fingerprint. Some examples include:

IP Personality

OSfooler-ng

OSfuscate

The goal of OS fingerprint spoofing is to hide in the crowd by changing details of your OS to match those of a different one. This is called traffic normalization. It involves modifying your packet headers to conform to norms of specific operating systems.

By altering aspects of the IP header fields, like the TTL value and DF flag; modifying the TCP header fields, i.e. the window size and TCP options; and use algorithms to change how sequence numbers are generated, you can make your packets look like those originating from a different OS and remove those that would help identify inconsistencies.

OS fingerprint spoofing alone is not enough, however. Websites measure a whole host of parameters, of which OS fingerprints are just one part. More often than not, inconsistencies in your browser fingerprints — especially if they contradict other markers — are likely to raise a website’s suspicions.

What Is My Passive OS Fingerprint?

If you want to find out your own passive OS fingerprint you can use Browserleaks. Under the header TCP/IP Fingerprint you will find a few details, namely:

OS: Your operating system.

MTU: The maximum transmission unit, which denotes the largest size, in bytes, a protocol data unit that can be transmitted in a single, unfragmented packet.

TTL: As received by the server, with the estimated number of hops it took to reach it.

JA4T: Part of a family of network fingerprinting tools, JA4T is a passive TCP client fingerprinting tool. It is able to identify intermediaries like proxies, VPNs, and more. The string displayed is your device’s OS fingerprint.

Conclusion

Passive OS fingerprinting is a technique by which websites and network administrators can determine a user’s OS by analyzing their incoming traffic patterns. By measuring the slight differences between a variety of parameters in the IP and TCP headers of incoming packets, a website can create a unique OS fingerprint. This can be possible even if you’re using a proxy or other anonymizing tools like antidetect browsers.

Some of the key parameters a website will look at during passive OS fingerprinting include:

Time-To-Live Value

Don’t Fragment Flag

Window Size

TCP Options and Order

TCP/IP Stack Behavior

Maximum Transmission Unit

Alongside proxy providers who build passive OS fingerprint spoofing into their product, software tools exist to manipulate your packet data to emulate other operating systems.

New passive OS fingerprinting tools are constantly being developed like JA4+, which was released as recently as September 2023, that underline the ever-evolving nature of fingerprinting.

Proxies & Anonymity