Standardlikelihood: Mediumseverity: LowStable

CAPEC-312Active OS Fingerprinting

Abstraction
Standard
Status
Stable
Likelihood
Medium
Severity
Low

Description

An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

Related weaknesses· 1

CWE-200

MITRE ATT&CK crosswalk· 1

T1082: System Information Discovery

Related attack patterns· 1

CAPEC-224 (ChildOf)

Exploits1

TypeTargetConfidenceTier
WeaknessExposure of Sensitive Information to an Unauthorized Actorcwe-200100%live

Related to1

TypeTargetConfidenceTier
TechniqueSystem Information Discoveryt1082100%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC
Passive OS Fingerprinting
CAPEC
Fingerprinting
CAPEC
DEPRECATED: OS Fingerprinting
CAPEC
TCP Sequence Number Probe
CAPEC
TCP Timestamp Probe
CAPEC
IP ID Sequencing Probe
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.