From 10fa8a84d17030177d750c3588d596f3d58ed3fc Mon Sep 17 00:00:00 2001 From: anti Date: Sun, 26 Apr 2026 20:30:46 -0400 Subject: [PATCH] docs(roadmap): mark TTL + TCP/IP stack fingerprinting complete TTL extraction was already wired in the active prober and passive sniffer plus profiler rollup; the checkbox was just stale. TCP/IP stack now includes ToS/DSCP/ECN, IP-ID sequence classification, and ISN sequence classification as of the previous three commits. --- development/DEVELOPMENT.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/development/DEVELOPMENT.md b/development/DEVELOPMENT.md index 6bd4f022..0e675f9a 100644 --- a/development/DEVELOPMENT.md +++ b/development/DEVELOPMENT.md @@ -99,7 +99,7 @@ ### Timing & Behavioral - [x] **Inter-packet arrival times** — OS TCP stack fingerprint + beaconing interval detection -- [ ] **TTL values** — Rough OS / hop-distance inference +- [x] **TTL values** — Rough OS / hop-distance inference - [x] **TCP window size & scaling** — p0f-style OS fingerprinting - [x] **Retransmission patterns** — Identify lossy paths / throttled connections - [x] **Beacon jitter variance** — Attribute tooling: Cobalt Strike vs. Sliver vs. Havoc have distinct profiles @@ -107,7 +107,7 @@ - [x] **Data exfil timing** — Behavioral sequencing relative to recon phase ### Protocol Fingerprinting -- [ ] **TCP/IP stack** — ISN patterns, DF bit, ToS/DSCP, IP ID sequence (random/incremental/zero) +- [x] **TCP/IP stack** — ISN patterns, DF bit, ToS/DSCP, IP ID sequence (random/incremental/zero) - [x] **HASSH / HASSHServer** — SSH KEX algo, cipher, MAC order → tool fingerprint - [x] **HTTP/2 fingerprint** — GREASE values, settings frame order, header pseudo-field ordering - [ ] **QUIC fingerprint** — Connection ID length, transport parameters order
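Review bot: In the first hunk (@@ -99,7 +99,7 @@), the `TTL values` entry flips to `[x]` with nothing that lets a reader verify it, and this change touches only development/DEVELOPMENT.md. The commit message says extraction is wired in the active prober, the passive sniffer and the profiler rollup, so name those paths, or the commit or test that covers them, in the entry or the message. Without that reference the checkbox can go stale in the other direction just as easily.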
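Review bot: In the second hunk (@@ -107,7 +107,7 @@), the `TCP/IP stack` line now marked `[x]` does not match the commit message. The message lists ToS/DSCP/ECN, IP-ID sequence classification and ISN sequence classification, while the roadmap line includes "DF bit" and omits ECN. Either confirm in the message that DF bit extraction is implemented or split it into its own unchecked item, and add ECN to the line so the roadmap reflects what the message says was delivered.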