Edith Cowan University
Faculty of Computing, Health and Science
School of Computer and Information Science
TCP/IP fingerprinting is a common technique used to detect the unique network stack characteristics of an Operating System (OS). In network compromise it is well known for performing host discovery and for helping the blackhat select an exploit tailored to the detected OSs. The honeyd honeynet can counter blackhats who use TCP/IP fingerprinting by emulating host devices on a virtual network: honeyd allows the creation of host personalities that respond to network stack fingerprinting as a real network would. This technique, however, has been shown to give inconsistent and unreliable results when performed over wired and wireless network media. This paper presents ongoing research into the TCP/IP fingerprinting capabilities of the popular host discovery tool Network Mapper (NMAP) against the honeyd honeynet. Forensic analysis of raw packet captures allowed the researcher to identify differences in the modus operandi and outcomes of fingerprinting over the two media. The results of this exploratory study document the process of discovery used to uncover how TCP/IP fingerprinting with NMAP and honeyd needs to be tested for an effective network countermeasure.
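As an added illustration of the host personalities the abstract refers to (this is an example configuration written for this page, not the authors' test setup), the following honeyd template binds an emulated host to a virtual address and tells honeyd which entry of its NMAP fingerprint database to imitate when answering NMAP's OS-detection probes. The personality name, the IP address and the open ports are assumptions; the personality string must match an entry in the nmap.prints file shipped with the honeyd installation.

```conf
# Added example honeyd template (hypothetical values).
# Create a template named "winhost" and give it a network stack
# personality taken from honeyd's nmap.prints database. Every TCP/IP
# probe NMAP sends to this address is answered with the TTL, window
# size, TCP options and flag handling recorded for that OS entry.
create winhost
set winhost personality "Microsoft Windows XP Professional SP1"

# Probes to ports that are not listed below are answered with RST
# (TCP) or ICMP port unreachable (UDP), as a real closed port would be.
set winhost default tcp action reset
set winhost default udp action reset

# Open ports give NMAP an "open" and a "closed" port to probe, which
# the OS-detection phase needs in order to produce a fingerprint.
add winhost tcp port 80 open
add winhost tcp port 139 open
add winhost tcp port 445 open

# Uptime (seconds) feeds the TCP timestamp option NMAP also samples.
set winhost uptime 1728650

# Bind the emulated host to an unused address on the virtual network.
bind 192.168.1.10 winhost
```

When honeyd is run with this file and an NMAP OS scan is pointed at 192.168.1.10, the packet capture on the honeyd host records exactly which probes arrived and how each was answered, which is the raw material the forensic comparison of wired and wireless runs described in the abstract works from.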