CAPEC-312: Active OS Fingerprinting

Overview

CAPEC-312 (Active OS Fingerprinting) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

What the attacker needs

Prerequisites

The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.

Resources required

Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges. A tool capable of sending and receiving packets from a remote system.

Consequences

What a successful CAPEC-312 attack can achieve.

Read Data

Affects: Confidentiality

Hide Activities

Affects: Confidentiality, Access Control, Authorization

The CWE weaknesses that CAPEC-312 exploits.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

How this attack relates to others in the CAPEC hierarchy.

Parent

CAPEC-224: Fingerprinting

Child

Terminology & mappings

Mapped taxonomies

ATTACK: System Information Discovery (1082)

Frequently asked questions

Common questions about CAPEC-312.

What is CAPEC-312?

An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

What weaknesses does CAPEC-312 target?

CAPEC-312 exploits 1 CWE weakness, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

How severe is CAPEC-312?

MITRE rates CAPEC-312 as Low severity with medium likelihood of attack.

References

MITRE CAPEC definition (CAPEC-312) (opens in a new tab)

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.