Article Journal in Computer Virology, Springer 2008: SinFP, unification of active and passive operating system fingerprinting
With firewalls that use Network Address Translation and Port Address Translation (NAT/PAT), stateful inspection, and packet normalization technologies now omnipresent, today's approaches to operating system fingerprinting are showing their limits. With this fact in mind, SinFP was developed to attempt to address the limitations of current tools. SinFP implements new methods, such as using signatures acquired by active fingerprinting when performing passive fingerprinting. Furthermore, SinFP is the first tool to perform operating system fingerprinting on IPv6 (in both active and passive modes). Thanks to its signature matching algorithm, it is almost unnecessary to add new signatures to its current database. Also, its heuristic matching algorithm makes it highly resilient against signatures that have been modified by routing and/or filtering devices in between, or against TCP/IP customization methods. This document presents an in-depth explanation of the techniques implemented within the SinFP tool.