Hi fellas! Lately i released a new version of Intercepter-NG for Android and today i want to discuss one of it's features.
For years, even in original Windows version, Intercepter has used a simple method to detect and distinguish one OS from another. First, it checked the value of TTL by sending ICMP requests and whether there was at least one open TCP port it checked both TTL + TCP Window Size.
That way i was able to get these results:
- Linux 2.4.x\2.6.x
- Linux 3.x\Android
- FreeBSD\MacOS X
- FreeBSD
- OpenBSD
- HP-UX
- Windows 2000\XP SP2
- Windows XP
- Windows 2003
- Windows 7\8\10
- Cisco IOS
- Solaris
Although this list is extremely short, it's better than nothing...
What comes to your mind when you hear 'OS detection'? Right, nmap...but it means that you need to be able to connect to the host you are interested in and spend some time analyzing it.
What if you only have a network capture? Passive OS fingerprinting you'd say...yes, we have Satori and p0f.
Satori and it's database is the only 'up to date' tool and i decided to include it in Intercepter, but the problem arose shortly after i looked deeper on it. It contains many identical TCP fingerprints for different systems - which is good and useful in general. But somehow i have to pick only one result and print it during the network scan.
Satori, p0f and other passive OS fingerprinting tools were intended to work with captures or live traffic from any kind of network, so MAC address was never considered.
In my case, Intercepter works only in ethernet area with direct access to a network devices with unique MAC addresses.
Now, the main idea is to add the first 3 bytes of a known device's MAC to it's TCP SYN\ACK fingerprint and voila! a common linux fingerprint turns into something unique:
C8D3A3;5792:64:1:60:M1460,S,T,N,W1:ZAT=Linux 2.4 ; D-Link DSL-2740U
F81A67;5792:64:1:60:M1460,S,T,N,W1:ZAT=Linux 2.6 ; TP-Link WR842ND
CC5D4E;5792:64:1:60:M1460,S,T,N,W1:ZAT=Linux 2.6 ; ZYXEL Keenetic Giga
8CEA1B;5792:64:1:60:M1460,S,T,N,W1:ZAT=Edge-Core ECS2100 ; Switch
Or a common fingerprint for Android turns into:
F8C39E;65535:64:1:60:M1460,S,T,N,W8:ZAT=Android 9 ; Honor 9 Lite
2047DA;65535:64:1:60:M1460,S,T,N,W8:ZAT=Android 9 ; Xiaomi Redmi Note 5
08CC27;65535:64:1:60:M1460,S,T,N,W8:ZAT=Android 9 ; Motorola E6 Plus
8C3AE3;65535:64:1:60:M1460,S,T,N,W8:ZAT=Android 5 ; LG G2
That way we are able to detect the exact model of a device! Using fingerprints of that type Intercepter can detect a lot of devices just in a few seconds. All we need is to collect as many fingerprints as possible. I didn't want to create a new format, that's why i picked the one from Satori, it's nice and clear, and so, with minor changes the database of Intercepter is suitable for Satori too. There are also generic fingerprints such as:
000000;8192:128:1:60:M1460,N,W8,S,T:AT=Windows 7 / 8 / 2008 / 2012 / 2016 ;
or
000000;65535:64:1:60:M1460,S,T,N,W8:ZAT=Android 5-10+ ;
Intercepter uses them in case it hasn't found the exact value by MAC.
There are 4 ways to gather fingerprints:
1. Built-in button in Android version of Intercepter.
It generates the fingerprint of your own device. Just make sure MAC randomization is turned off.
2. New X-Scan mode shows the fingerprint of a remote device. It needs at least one open TCP port.
3. All unknown fingerprints appear during the network scan as extra info.
4. I've updated the original Intercepter-NG to 1.0+ version. It shows fingerprints for every device on the network - much easier to collect a lot of records.
You've seen some examples above, so if you want to help me, collect fingerprints and set the 'OS version' and\or 'Device model' and mail them to me - intercepter.mail@gmail.com.
For common computers and notebooks only OS information is interesting.
Your help will be useful not only for Intercepter or Satori, but for the other tools such as NetworkMiner. Contribute or die!
Current version of database is published here - https://github.com/intercepter-ng/intercepter-ng.github.io/blob/master/intercepter_fingerprints_database.txt
Site: sniff.su
Mail: intercepter.mail@gmail.com
Twitter: twitter.com/IntercepterNG
Forum: intercepterng.boards.net
Blog: intercepter-ng.blogspot.ru
Satori: https://github.com/xnih/satori
Changelog for 2.6:
+ Automatical Save&Restore of routing rules and iptables
+ Preloaded results of the last scan + prescan on startup
+ Text resize by gestures, tab switch by swipes, vibro reactions
+ OS Fingerprinting system based on Satori format
+ Port Scan upgraded to X-Scan with EternalBlue checker
+ Scanning engine is greatly improved
+ HSTS Spoofing with improved sslstrip
+ Self-diagnosis for troubleshooting
+ LOTS of other fixes and improvements
************
* UI updated
* No more SuperSU and Busybox dependencies -> Magisk
* Android support from 4.4 up to 10+ (x86, ARM, ARMv8)
************