2.4 Banner Grabbing, OS Fingerprinting & Scanning Beyond IDS/Firewall
Key Takeaways
- Banner grabbing reads service-response strings (e.g. SSH-2.0-OpenSSH_8.9, Server: Apache/2.4.x) to identify software and version for targeted CVE mapping; it is active and detectable
- Active OS fingerprinting sends crafted probes (Nmap -O) and analyses replies; passive OS fingerprinting (p0f) infers the OS from sniffed traffic without sending any packets
- Stack traits used to fingerprint an OS include initial TTL (64 Linux/macOS, 128 Windows, 255 many network devices), TCP window size, and handling of unusual flag combinations
- IDS/firewall evasion concepts include packet fragmentation (-f), decoy addresses (-D), source IP/MAC spoofing, source-port manipulation (--source-port 53/80), and timing throttling (-T0/-T1)
- Defenders counter these with banner suppression/obfuscation, IDS reassembly and anomaly detection, egress filtering against spoofing, and minimising the externally reachable service surface
Banner Grabbing
Banner grabbing (service fingerprinting) reads the text a service volunteers when you connect, to identify the product and version so you can look up matching vulnerabilities. Connect to TCP 22 and SSH announces SSH-2.0-OpenSSH_8.9p1; an HTTP HEAD request returns Server: Apache/2.4.58 and X-Powered-By: PHP/8.2; SMTP greets with 220 mail.target.com ESMTP Postfix.
Two modes, mirroring fingerprinting:
- Active banner grabbing: you connect and/or send probes (telnet host 25, nc host 80, nmap -sV, curl -I). Fast and precise, but the connection is logged on the target.
- Passive banner grabbing: you read banners from sniffed traffic, error pages, or third-party data (Shodan banners) without ever connecting.
Nmap's -sV version detection automates active banner grabbing, matching responses against its service-probe database to report open ports with the exact service and version. Tools you should recognise: Netcat (nc) and Telnet for manual grabs, cURL (curl -I) for HTTP headers, and WhatWeb/Wappalyzer for web-stack fingerprinting.
Why it matters: a banner of Apache/2.4.49 points an attacker straight at the path-traversal CVE for that exact build, collapsing the gap between recon and exploitation. Countermeasures: suppress or falsify banners (ServerTokens Prod and ServerSignature Off on Apache, server_tokens off on nginx, stripping X-Powered-By at the application or reverse proxy, disabling version strings wherever the service allows it), turn off unneeded services entirely, and patch so that even a leaked version maps to no known flaw. Two caveats a practitioner should know: ServerTokens Prod still sends Server: Apache, just without the version, and the SSH version exchange (SSH-2.0-OpenSSH_8.9p1) is part of the protocol handshake, so an sshd Banner directive only adds a pre-authentication message and cannot hide the software version. Banner suppression is concealment, not a fix; pair it with timely patching.
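As an added worked example (not code from these notes or from Nmap), a small Python banner grabber and parser: grab_banner performs the active, logged connection, parse_banner reduces SSH, HTTP and SMTP banners to product and version, and older_than compares a leaked version against a fix level you would take from your own advisory feed. The sample banners, the probe table and the loopback demo server are constructed for offline use; host names and ports are placeholders.

```python
import re
import socket

# Constructed sample banners for offline use; not captured from any real host.
SAMPLE_SSH = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"
SAMPLE_HTTP = (b"HTTP/1.1 200 OK\r\n"
               b"Server: Apache/2.4.58 (Ubuntu)\r\n"
               b"X-Powered-By: PHP/8.2.10\r\n"
               b"Content-Length: 0\r\n\r\n")
SAMPLE_SMTP = b"220 mail.target.com ESMTP Postfix\r\n"

# Services that wait for the client to speak first need a probe; SSH and SMTP volunteer a banner.
PROBES = {80: b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n",
          8080: b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"}


def grab_banner(host, port, timeout=3.0, limit=4096):
    """Active grab: connect, send a probe if the port needs one, return the first bytes received.
    This is the detectable step: the target sees and can log the connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if port in PROBES:
            s.sendall(PROBES[port])
        buf = b""
        try:
            while len(buf) < limit:
                chunk = s.recv(1024)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass  # quiet service: keep whatever arrived before the timer ran out
        return buf


def parse_banner(raw):
    """Reduce a banner to {proto, product, version, extra} for version-to-advisory lookup."""
    text = raw.decode("latin-1").strip()
    result = {"proto": None, "product": None, "version": None, "extra": {}}
    # SSH: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6"
    m = re.match(r"SSH-[\d.]+-([A-Za-z]+)_?([\w.]*)", text)
    if m:
        result.update(proto="ssh", product=m.group(1), version=m.group(2) or None)
        return result
    # HTTP: status line, then headers; Server and X-* headers carry the versions
    if text.startswith("HTTP/"):
        headers = {}
        for line in text.split("\r\n")[1:]:
            if ":" in line:
                k, v = line.split(":", 1)
                headers[k.strip().lower()] = v.strip()
        server = headers.get("server", "")
        m = re.match(r"([\w-]+)/([\w.]+)", server)
        result.update(proto="http",
                      product=m.group(1) if m else (server or None),
                      version=m.group(2) if m else None,
                      extra={k: v for k, v in headers.items() if k.startswith("x-")})
        return result
    # SMTP: "220 host ESMTP Postfix" or "220 host ESMTP Exim 4.96 ..."
    m = re.match(r"220[ -]\S+\s*(?:ESMTP\s*)?(.*)", text)
    if m:
        pm = re.match(r"([A-Za-z]+)[ /_]?(\d[\w.]*)?", m.group(1))
        result.update(proto="smtp",
                      product=pm.group(1) if pm else None,
                      version=pm.group(2) if pm else None)
        return result
    result["extra"]["raw"] = text[:80]   # unknown protocol: keep a sample for manual review
    return result


def older_than(version, fixed_in):
    """Crude numeric comparison ('8.9p1' -> (8, 9, 1)); enough to flag a banner that predates
    a fix level taken from your advisory feed, not a substitute for that feed."""
    key = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))
    return key(version) < key(fixed_in)


if __name__ == "__main__":
    import threading
    # Offline demo: serve the constructed SSH banner on a loopback port and grab it actively.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(SAMPLE_SSH)
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    print(parse_banner(grab_banner("127.0.0.1", port)))
    for sample in (SAMPLE_HTTP, SAMPLE_SMTP):
        print(parse_banner(sample))
```

The parser is deliberately protocol-ordered (SSH, then HTTP, then SMTP) because all three are recognisable from their first line; anything else is returned with a raw sample so a human can add a pattern rather than silently dropping it.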
OS Fingerprinting
OS fingerprinting identifies the target operating system because exploits and post-exploitation differ sharply between Windows and Linux. CEH tests the active/passive split:
| | Active OS fingerprinting | Passive OS fingerprinting |
|---|---|---|
| Method | Send crafted probes, analyse replies | Sniff existing traffic only |
| Tool | Nmap -O | p0f, Wireshark |
| Detectable? | Yes: it sends packets | No: it sends nothing, but needs a sniffing position on the traffic path |
| Accuracy | Higher | Lower, but stealthy |
Both read TCP/IP stack idiosyncrasies that vary by OS:
| Trait | Typical values |
|---|---|
| Initial TTL | 64 (Linux/macOS), 128 (Windows), 255 (many routers) |
| TCP window size | OS/stack-specific defaults |
| DF (Don't Fragment) bit | Set or not, by stack |
| TCP options order | MSS, window scale, SACK ordering differs |
| Response to bad flags | RFC 793 says a FIN/NULL/Xmas probe to a closed port gets RST and an open port stays silent; Windows answers RST regardless, so those scans report every port closed on Windows |
Nmap -O works best with at least one open and one closed TCP port to compare responses against, and produces a confidence-scored guess rather than a certainty. Banner suppression and OS-spoofing/scrubbing tools (and stack-normalising proxies) blunt fingerprinting by making the externally observable stack behaviour generic. Passive tools like p0f and Satori sit on a span port and classify every connecting host's OS chiefly from the SYN it sends (p0f also has SYN+ACK and HTTP signatures): invisible to the target, and useful to defenders for asset inventory too.
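Added example, not code from these notes or from p0f: a passive fingerprinter over a single SYN. It reads TTL, DF, window size and TCP option order straight from raw IPv4/TCP bytes, infers the initial TTL and hop count from the observed TTL (the rounding-up step that turns an observed 117 into "128, 11 hops"), and scores the traits against a signature list. The packets and the two-entry signature list are constructed and simplified; a real p0f database carries many more traits and entries.

```python
import struct

OPT_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

# Constructed, simplified SYN signatures in the spirit of a p0f database (assumption: these
# two option orders are the common defaults; real databases are far richer).
SIGNATURES = [
    ("Linux (2.6 and later)",   {"initial_ttl": 64,  "df": True,
                                 "options": ["MSS", "SACK", "TS", "NOP", "WS"]}),
    ("Windows (7 and later)",   {"initial_ttl": 128, "df": True,
                                 "options": ["MSS", "NOP", "WS", "NOP", "NOP", "SACK"]}),
]

# Raw TCP option bytes for constructed sample SYNs (each blob is a multiple of 4 bytes).
LINUX_OPTS = (b"\x02\x04\x05\xb4" +          # MSS 1460
              b"\x04\x02" +                  # SACK permitted
              b"\x08\x0a" + b"\x00" * 8 +    # timestamps (values irrelevant here)
              b"\x01" +                      # NOP
              b"\x03\x03\x07")               # window scale 7
WINDOWS_OPTS = (b"\x02\x04\x05\xb4" +        # MSS 1460
                b"\x01" +                    # NOP
                b"\x03\x03\x08" +            # window scale 8
                b"\x01\x01" +                # NOP NOP
                b"\x04\x02")                 # SACK permitted


def build_syn(ttl, df, window, options):
    """Construct a minimal IPv4+TCP SYN (no checksums) carrying the given stack traits."""
    data_offset = ((20 + len(options)) // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, data_offset, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse_syn(pkt):
    """Pull the fingerprintable traits out of raw IPv4/TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, kinds, i = tcp[20:data_off], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP has no length byte
            kinds.append("NOP")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                     # malformed option: stop rather than loop forever
            break
        kinds.append(OPT_NAMES.get(kind, str(kind)))
        i += length
    return {"ttl": ttl, "df": df, "window": window, "flags": flags, "options": kinds}


def infer_initial_ttl(observed):
    """Round the observed TTL up to the nearest common default; the difference is the hop count."""
    for initial in (32, 64, 128, 255):
        if observed <= initial:
            return initial, initial - observed
    return 255, 0


def fingerprint(pkt):
    """Passive fingerprint: score each signature against the traits read from one SYN."""
    t = parse_syn(pkt)
    initial, hops = infer_initial_ttl(t["ttl"])
    best, best_score = "unknown", 0
    for name, sig in SIGNATURES:
        # option order is the strongest discriminator, so it is weighted double
        score = (sig["initial_ttl"] == initial) + (sig["df"] == t["df"]) + 2 * (sig["options"] == t["options"])
        if score > best_score:
            best, best_score = name, score
    if best_score < 3:                     # TTL and DF alone are too ambiguous to name an OS
        best = "unknown"
    return {"os": best, "score": best_score, "initial_ttl": initial, "hops": hops, "traits": t}


if __name__ == "__main__":
    # Constructed SYNs as they might arrive 12 and 11 hops away from the sniffer.
    print(fingerprint(build_syn(ttl=52, df=True, window=64240, options=LINUX_OPTS)))
    print(fingerprint(build_syn(ttl=117, df=True, window=8192, options=WINDOWS_OPTS)))
```

The score threshold is the caveat the table above implies: a TTL of 128 with DF set is consistent with more than one stack, so the tool only names an OS when the option order agrees as well.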
Scanning Beyond IDS and Firewalls
Real targets sit behind an IDS/IPS and firewall, so CEH covers evasion concepts and their defences:
| Evasion technique | Nmap flag | Idea |
|---|---|---|
| Packet fragmentation | -f, --mtu | Split probes so a stateless sensor sees only fragments, not the full signature |
| Decoy scanning | -D | Mix your real source among spoofed decoy IPs so the true origin is hidden |
| Source IP / MAC spoofing | -S, --spoof-mac | Forge the source address (-S usually needs -e and -Pn; replies go to the forged address, so it yields no results but muddies attribution) |
| Source-port manipulation | --source-port 53/80/443 | Slip past rules that trust traffic from DNS/HTTP source ports |
| Idle/zombie scan | -sI | Bounce the scan off a third "zombie" host so the target never sees your IP |
| Timing / throttling | -T0/-T1, --scan-delay | Slow, low-and-slow scans stay under rate-based thresholds |
| MTU/data-length tricks | --data-length | Pad packets to dodge length-based signatures |
Countermeasures
- Packet reassembly at the IDS/IPS so fragmented probes are evaluated as one whole packet: the direct answer to -f.
- Anomaly/behavioural detection for illegal flag combos (Xmas/NULL), excessive fan-out, and source-port-53 traffic that is not DNS.
- Egress and ingress filtering / anti-spoofing (BCP 38) to drop forged source addresses.
- Default-deny firewalls that drop (not reject) filtered ports so scans time out and yield less.
- Reduce attack surface — fewer exposed services means fewer banners and fingerprints to read.
The theme: evasion exploits sensors that look at packets in isolation; defence restores full context through reassembly, statefulness, and behavioural baselining.
A few exam-grade nuances tie these together. Decoy scans (-D) do not hide the fact that a scan happened — they hide which source is real, forcing an analyst to triage many candidate origins; egress filtering and netflow correlation help unmask the genuine sender. Source-port spoofing to 53 or 80 abuses overly trusting rules that permit traffic from common service ports, so a stateful firewall that tracks connection state, rather than trusting a source port, defeats it.
The idle (zombie) scan (-sI) is the stealthiest of all because the target only ever sees the zombie's IP; it works by inferring port state from the zombie's predictable IP-ID sequence, so using modern OSes with randomised IP-IDs removes available zombies. Finally, slow timing (-T0/-T1) beats rate thresholds but cannot beat long-window SIEM correlation that aggregates events over hours or days. Layered, stateful, context-aware detection is the consistent CEH answer.
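Added example tying the fragmentation row of the evasion table to the reassembly countermeasure (not code from these notes, from Nmap or from any IDS): it builds an Xmas probe, splits it into 8-byte fragments the way -f does, shows that a stateless per-packet flag check never sees the flags (they sit in the second fragment, which carries no TCP header of its own), then puts a minimal reassembler in front of the same check. Addresses, ports and the IP ID are constructed.

```python
import struct
from collections import defaultdict

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def build_ipv4(payload, ident, more, offset, proto=6, src=SRC, dst=DST, ttl=64):
    """Minimal IPv4 header (no checksum) in front of payload; offset is in bytes."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, src, dst)
    return hdr + payload


def build_tcp_xmas(sport, dport):
    """20-byte TCP header with FIN|PSH|URG set (0x29): the Xmas probe."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x29, 1024, 0, 0)


def fragment(pkt, size=8):
    """Split the IP payload into size-byte fragments, as nmap -f does with 8-byte pieces."""
    ver_ihl, _, total, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    payload = pkt[20:total]
    return [build_ipv4(payload[o:o + size], ident, o + size < len(payload), o, proto, src, dst, ttl)
            for o in range(0, len(payload), size)]


def is_xmas_stateless(pkt):
    """Per-packet check as a stateless sensor does it: needs a full TCP header in this packet."""
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if frag_off != 0 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return False
    return pkt[ihl + 13] & 0x29 == 0x29


class Reassembler:
    """Buffer fragments by (src, dst, id, proto); hand back the whole datagram once complete."""

    def __init__(self):
        self.chunks = defaultdict(dict)   # key -> {byte offset: data}
        self.final_len = {}               # key -> payload length learned from the last fragment

    def feed(self, pkt):
        ver_ihl, _, total, ident, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        ihl = (ver_ihl & 0x0F) * 4
        key = (src, dst, ident, proto)
        offset = (flags_frag & 0x1FFF) * 8
        data = pkt[ihl:total]
        self.chunks[key][offset] = data
        if not flags_frag & 0x2000:       # MF clear: this fragment ends the datagram
            self.final_len[key] = offset + len(data)
        payload = self._assemble(key)
        if payload is None:
            return None                   # incomplete: a real sensor would also time this out
        del self.chunks[key], self.final_len[key]
        return build_ipv4(payload, ident, False, 0, proto, src, dst, ttl)

    def _assemble(self, key):
        pos = 0
        for off in sorted(self.chunks[key]):
            if off != pos:                # gap (or overlap, itself an evasion trick): not done
                return None
            pos += len(self.chunks[key][off])
        if pos != self.final_len.get(key):
            return None
        return b"".join(self.chunks[key][o] for o in sorted(self.chunks[key]))


def count_xmas(packets, reassemble):
    """Run the stateless check over a packet stream, with or without reassembly in front."""
    r = Reassembler()
    hits = 0
    for p in packets:
        candidate = r.feed(p) if reassemble else p
        if candidate is not None and is_xmas_stateless(candidate):
            hits += 1
    return hits


if __name__ == "__main__":
    probe = build_ipv4(build_tcp_xmas(40000, 22), 0xBEEF, False, 0)
    frags = fragment(probe)
    print("fragment payload sizes:", [len(f) - 20 for f in frags])    # [8, 8, 4]
    print("whole probe, stateless:", count_xmas([probe], False))      # 1
    print("fragmented, stateless:", count_xmas(frags, False))         # 0: evaded
    print("fragmented, reassembled:", count_xmas(frags, True))        # 1: caught
    print("out of order, reassembled:", count_xmas(frags[::-1], True))  # 1
```

Fragment offsets are keyed in 8-byte units exactly as the IP header encodes them, which is why -f picks 8 bytes: the TCP flags byte (offset 13 of the TCP header) always lands past the first fragment, so any sensor that only inspects packets with a fragment offset of zero is blind to it until reassembly restores the full header.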
What is the primary difference between active and passive OS fingerprinting?
An attacker uses Nmap's -f option so a simple signature-based sensor sees only individual packet fragments rather than the full probe. Which defensive capability most directly counters this evasion?
A target host replies to probes with an initial TTL of 128 and Windows-style TCP option ordering. What technique is being used and what does it indicate?