Passive TCP fingerprinting

[clouedoc]

Hello,

Do you think it would be technically feasible to integrate TCP fingerprinting into fingerproxy?

I naively thought I could layer P0f on top of it, but I would need to edit P0f to save the info about the IP somewhere, then retrieve it in my application code, and that would be ugly and also could be innacurate if multiple clients have the same IP.

I think it would be cleaner if everything was stored inside the headers, in a single simple-to-hack Go program...

(btw, thank you for writing Fingerproxy! It's been really easy to use and customize. I made my own flavour here: https://github.com/clouedoc/fingerproxy-full)

I just want to open the discussion about TCP fingerprinting, I'd be open to contributing such a feature.

Implementation idea

This just some incomplete idea of how to implement this.

1. We receive a TCP connection on the Go side
2. Somehow, this connection might have an unique identifier? Maybe we can just use the timestamp of establishment + the remote IP?
3. Another goroutine looks at all the available network interfaces, parses packets where a TCP connection opened, and sends the info (where? to the "main goroutine"?)
4. When building the header, we can just look at the data we saved in memory somehow? Maybe we can just use a hashmap and garbage-collect old values?

As you can see, I'm a bit fuzzy on the concept.

Unless there is a way to access low-level info about the TCP connection from the Go side, I think we'll need to have another goroutine parsing the networking interface somehow.

Reference

Here are some references to help for a potential implementation

Name	Description
passivetcp-rs	A P0f rewrite in Rust
P0f	Apparently, one of the historical TCP fingerprinting tools?
Wikipedia page

[wi1dcard]

Hi @clouedoc , thanks for the idea! I considered to implement TCP level fingerprinting to fingerproxy as well. IMO, there are two ways, either we do like you said, or we reimplement some part of the TCP stack in golang. Both of them looks requiring quite some work. Firstly, I prefer to see if there is any chance to write a demo or PoC in go, like passivetcp-rs, if that's possible, then we can move on to implement it to fingerproxy. Do you have any interest working on the PoC project?

[clouedoc]

Hello @wi1dcard !

Reimplementing the TCP stack look a like a can of worm I’d rather not open.

Yes you’re right, having something fully written in Go would be the best rather than relying on passivetcp-rs. Sadly, that’ll require some work…

I’ll have to research more this topic for work anyway, so I’ll come back to report some progress.

I think it’s definitely possible to rewrite passivetcp-rs in Go, but it’d be more curious if the approach is viable in the first place (can we really get data fast enough to include it in the HTTP headers?)

Next step

Make a PoC working with passivetcp-rs + fingerproxy + a database —> would that even be possible ? What are the limitations?

Afterwards, if that setup actually works, think about how to make a clean solution that is fully written in Go.

EDIT: yes, I’m interested in working on a PoC, but can’t promise anything right now

[robalb]

Hi everyone! Not sure if this can be useful, but I created a PoC for TCP fingerprinting in GO using eBPF https://github.com/robalb/ebpf-web-fingerprint , and I explained the technical details in a writeup. In my opinion eBPF is the most practical approach, even when weighting in the additional deployment and development complexities.

This is probably not a good fit for this project, that focuses on having a golang-only easy-to-deploy webserver.
Once you have an eBPF module already listening on packets it starts to make sense to also use it for TLS fingerprinting, which means that there will be very little code running on the go side

[clouedoc]

Really cool, thank you for sharing @robalb !

PS: I'll follow your blog from now on too!