Add OS Fingerprinting #31

Merged
pilsnerfrajz merged 51 commits into main from identify-target-os
Oct 27, 2025
@pilsnerfrajz pilsnerfrajz commented Oct 27, 2025

OS Fingerprinting

This adds operating system fingerprinting capabilities to complement the existing features. Users can now identify the OS type based on TTL, window size, and MAC address patterns.

Closes #17.

Fingerprinting Methods

TTL (Time to Live) Analysis: By examining the TTL value in the IP header, disco can make guesses about the operating system. Different OSes have different default TTL values, e.g., 64 for Linux, 128 for Windows. Cisco devices apparently use a TTL of 255, but this has not been tested. It is still supported though.

Window Size Examination: The TCP window size can also provide clues about the OS. For instance, certain OSes use specific window sizes. BSD-like systems often use a window size of 65535. My testing shows that macOS is consistently using a window size of 65535, in line with its BSD-based network stack. To separate macOS and other BSD-like systems from Linux, window size is used. There is currently no reliable way (for me) to separate Linux from the other Unix-like OSes.

MAC Address Pattern Matching: The MAC address of the target reveals the manufacturer of the network card, which can reveal information about the OS. Because newer Apple devices use their own network cards, I implemented a check for Apple MAC address prefixes (e.g., 10:BD:3A) to identify macOS systems. This enables disco to distinguish macOS from other BSD-like systems. This also means that Macs have the most accurate fingerprinting, since MAC fingerprinting has not been implemented for other manufacturers.

Bonus Target Info

The fingerprinting allows for calculations of the estimated number of hops between the scanning host and the target, based on the identified OS's default TTL value. This information could be useful for network diagnostics and understanding the network topology. The MAC address is also printed without Vendor lookup (except Apple), allowing users to gain more information about the target device with a quick online search.

Changed Files

  • include/cli.h and src/cli.c
    • Removed files as the tests don't have a real purpose any longer and cause bugs on Linux when new features are added
  • include/fingerprint.h
    • Added OS constants and fingerprint struct
    • Added function prototypes
  • src/fingerprint.c
    • Added fingerprinting logic based on the previous sections
    • Added hop calculation based on identified OS
  • include/syn_scan.h
    • Created a struct to hold various fields for easier addition of new variables to the syn_scan() function
    • Updated docs
  • src/syn_scan.c
    • Added logic to capture TTL, TCP window size, and MAC address during SYN scan packet processing
  • src/main.c
    • Updated code with new syn_scan() struct
    • Added various helper functions for printing data
    • Removed excessive usage statements
    • Added printing logic of fingerprinting results
  • tests/cli_test.c
    • Update test with new structs and variables
  • tests/include/fingerprint_test.h
    • Created header file for fingerprinting tests
  • tests/fingerprint_test.c
    • Added fingerprinting tests for Windows, Linux, macOS, and Linux router operating systems
  • tests/run_all_tests.c
    • Included fingerprint test in the test suite
  • tests/syn_scan_test.c
    • Updated test with new structs and variables
    • Fixed forgotten TODO, which generated an error during testing

@pilsnerfrajz pilsnerfrajz added the enhancement New feature or request label Oct 27, 2025
@pilsnerfrajz pilsnerfrajz linked an issue Oct 27, 2025 that may be closed by this pull request
@pilsnerfrajz pilsnerfrajz merged commit ddf13d6 into main Oct 27, 2025
5 checks passed
@pilsnerfrajz pilsnerfrajz deleted the identify-target-os branch October 27, 2025 23:06
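
The heuristics in the description above (TTL rounding, the 65535 window check, the Apple MAC prefix, and the hop estimate), as an added sketch that is not code from this pull request or from disco. All type and function names are hypothetical, and the only Apple prefix listed is the `10:BD:3A` example quoted in the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not disco's fingerprint.h API. */
typedef enum { OS_UNKNOWN, OS_WINDOWS, OS_UNIX_LIKE, OS_BSD_LIKE,
               OS_MACOS, OS_NETWORK_DEVICE } os_guess_t;

typedef struct { os_guess_t os; int initial_ttl; int hops; } fp_result_t;

/* Only 10:BD:3A comes from the PR text; a usable list would hold many more. */
static const uint8_t APPLE_OUIS[][3] = { {0x10, 0xBD, 0x3A} };

static int is_apple_mac(const uint8_t mac[6]) {
    for (size_t i = 0; i < sizeof APPLE_OUIS / sizeof APPLE_OUIS[0]; i++)
        if (memcmp(mac, APPLE_OUIS[i], 3) == 0) return 1;
    return 0;
}

/* Round the observed TTL up to the nearest common default (64, 128, 255).
 * A host more hops away than the gap between two defaults is misread. */
static int guess_initial_ttl(uint8_t ttl) {
    if (ttl == 0) return 0;
    if (ttl <= 64) return 64;
    if (ttl <= 128) return 128;
    return 255;
}

/* mac may be NULL: off the local link the source MAC is the gateway's,
 * so the vendor check only means something for on-link targets. */
fp_result_t fingerprint(uint8_t ttl, uint16_t window, const uint8_t *mac) {
    fp_result_t r = { OS_UNKNOWN, guess_initial_ttl(ttl), 0 };
    if (r.initial_ttl == 0) return r;
    r.hops = r.initial_ttl - ttl;            /* estimated hops to target */
    if (r.initial_ttl == 128) r.os = OS_WINDOWS;
    else if (r.initial_ttl == 255) r.os = OS_NETWORK_DEVICE;
    else if (window == 65535)                /* BSD-style stack */
        r.os = (mac && is_apple_mac(mac)) ? OS_MACOS : OS_BSD_LIKE;
    else r.os = OS_UNIX_LIKE;                /* Linux not separable further */
    return r;
}

int main(void) {
    /* Constructed sample: TTL 61, window 65535, Apple-prefixed MAC. */
    const uint8_t apple[6] = {0x10, 0xBD, 0x3A, 0x01, 0x02, 0x03};
    fp_result_t r = fingerprint(61, 65535, apple);
    printf("os=%d initial_ttl=%d hops=%d\n", r.os, r.initial_ttl, r.hops);
    return 0;
}
```

Because every input here is set by the responding host or an intermediate device, the result is a guess to confirm by other means, not an inventory fact.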