Xprobe2
Results 1 to 3 of 3

Thread: Xprobe2

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324

    Xprobe2

    Just released. You can find it here: http://www.sys-security.com/archive/...be2-0.2.tar.gz

    From the Bugtraq email:

    We are pleased to announce the immediate availability of Xprobe2 v0.2,
    which has been officially released at the Blackhat Federal 2003.

    Xprobe2 is a remote active operating system fingerprinting tool with a
    different approach to operating system fingerprinting. Information on
    Xprobe2’s technology can be obtained from [1], [2], and [3].

    The new version of Xprobe2 introduces enhancements and advancements in
    Xprobe2’s development.

    Xprobe2 now supports:

    - Automatic Signature Generation
    - XML based output
    - The TCP Options Timestamp Fingerprinting method (first to be
    introduced at Blackhat USA 2003)


    The source code of Xprobe2 v0.2 can be found at:
    http://www.sys-security.com/archive/...be2-0.2.tar.gz

    MD5 (xprobe2-0.2.tar.gz) = ca723a7e4c8c5001191efdb43e63bbee
    SHA1 (xprobe2-0.2.tar.gz) = fc7231dbe1de518b49d15b8677a0b65661312cb4

    For more information about Xprobe2 0.2 new features please see the
    presentation given at Blackhat Federal 2003:
    http://www.sys-security.com/archive/...BH_FEDERAL.ppt [~600k]


    Yours
    Xprobe2 development team,

    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

    Fyodor Yarochkin [fygrave@tigerteam.net]
    Meder Kydyraliev [Meder@areopag.net]



    [1] http://www.sys-security.com/html/projects/X.html
    [2] “xprobe2 - A 'Fuzzy' Approach to Remote Active Operating System Fingerprinting”, Ofir Arkin & Fyodor Yarochkin, August 2002, http://www.sys-security.com/archive/papers/Xprobe2.pdf
    [3] “The Present and Future of Xprobe2 – The Next Generation of Active Operating System Fingerprinting”, Ofir Arkin, Fyodor Yarochkin, Meder Kydyraliev, July 2003,
    http://www.sys-security.com/archive/...robe2-v1.0.pdf
    Of course, I had to try it out... my results on my Slack 9.1 2.4.22 kernel machine:

    root@MsMittens:/data/downloads/xprobe2-0.2# xprobe2 -v localhost

    Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net

    [+] Target is localhost
    [+] Loading modules.
    [+] Following modules are loaded:
    [x] [1] ping:icmp_ping - ICMP echo discovery module
    [x] [2] ping:tcp_ping - TCP-based ping discovery module
    [x] [3] ping:udp_ping - UDP-based ping discovery module
    [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
    [x] [5] infogather:portscan - TCP and UDP PortScanner
    [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
    [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
    [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
    [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module
    [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
    [x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
    [+] 11 modules registered
    [+] Initializing scan engine
    [+] Running scan engine
    [-] ping:tcp_ping module: no closed/open TCP ports known on 127.0.0.1. Module test failed
    [-] ping:udp_ping module: no closed/open UDP ports known on 127.0.0.1. Module test failed
    [+] No distance calculation. 127.0.0.1 appears to be dead or no ports known
    [+] Host: 127.0.0.1 is up (Guess probability: 25%)
    [+] Target: 127.0.0.1 is alive. Round-Trip Time: 0.00018 sec
    [+] Selected safe Round-Trip Time value is: 0.00035 sec
    icmp_port_unreach::build_DNS_reply(): gethostbyname() failed! Using static ip for www.securityfocus.com in UDP probe[+] Primary guess:
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.30" (Guess probability: 52%)
    [+] Other guesses:
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.34" (Guess probability: 52%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.36" (Guess probability: 52%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.4.21" (Guess probability: 52%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.4.20" (Guess probability: 52%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.4.19" (Guess probability: 52%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.3" (Guess probability: 50%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.25" (Guess probability: 50%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.6" (Guess probability: 50%)
    [+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.23" (Guess probability: 50%)
    [+] Cleaning up scan engine
    [+] Modules deinitialized
    [+] Execution completed.
    I know I have ports open and the OS kernel guess is a bit limiting. So I tried it on my FreeBSD 4.7 box for giggles (again, this box is running stuff on ports and no, no firewall blocking any ports):

    root@MsMittens:/data/downloads/xprobe2-0.2# xprobe2 -v 192.168.0.40

    Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net

    [+] Target is 192.168.0.40
    [+] Loading modules.
    [+] Following modules are loaded:
    [x] [1] ping:icmp_ping - ICMP echo discovery module
    [x] [2] ping:tcp_ping - TCP-based ping discovery module
    [x] [3] ping:udp_ping - UDP-based ping discovery module
    [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
    [x] [5] infogather:portscan - TCP and UDP PortScanner
    [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
    [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
    [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
    [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module
    [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
    [x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
    [+] 11 modules registered
    [+] Initializing scan engine
    [+] Running scan engine
    [-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.0.40. Module test failed
    [-] ping:udp_ping module: no closed/open UDP ports known on 192.168.0.40. Module test failed
    [+] No distance calculation. 192.168.0.40 appears to be dead or no ports known
    [+] Host: 192.168.0.40 is up (Guess probability: 25%)
    [+] Target: 192.168.0.40 is alive. Round-Trip Time: 0.00111 sec
    [+] Selected safe Round-Trip Time value is: 0.00222 sec
    [+] Primary guess:
    [+] Host 192.168.0.40 Running OS: "FreeBSD 4.4" (Guess probability: 70%)
    [+] Other guesses:
    [+] Host 192.168.0.40 Running OS: "FreeBSD 4.5" (Guess probability: 70%)
    [+] Host 192.168.0.40 Running OS: "FreeBSD 4.6" (Guess probability: 70%)
    [+] Host 192.168.0.40 Running OS: "FreeBSD 4.6.2" (Guess probability: 70%)
    [+] Host 192.168.0.40 Running OS: "FreeBSD 4.7" (Guess probability: 70%)
    [+] Host 192.168.0.40 Running OS: "FreeBSD 4.8" (Guess probability: 70%)
    [+] Host 192.168.0.40 Running OS: "FreeBSD 5.0" (Guess probability: 70%)
    [+] Host 192.168.0.40 Running OS: "FreeBSD 5.1" (Guess probability: 70%)
    [+] Host 192.168.0.40 Running OS: "HP JetDirect ROM L.20.07 EEPROM L.20.24" (Guess probability: 61%)
    [+] Host 192.168.0.40 Running OS: "FreeBSD 4.1.1" (Guess probability: 61%)
    [+] Cleaning up scan engine
    [+] Modules deinitialized
    [+] Execution completed.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    mabey it's designed to give hakers headaches thru mis direction.
    ugg now Ihave to type more to keep this from being a one liner.
    uh well I can't think of anything to say at the moment so I will shut up now
    [Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above[/shadow]

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    I am bored..so I try out this toy on my box..
    Code:
    $ uname -a
    FreeBSD  5.1-RELEASE FreeBSD 5.1-RELEASE #0: Sat Jul 12 21:28:31 EST 2003     annya@:/usr/src/
    sys/i386/compile/SEEXY  i386
    $ su
    Password:
    # /usr/local/bin/xprobe2 -v localhost
    
    Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopa
    g.net
    
    [+] Target is localhost
    [+] Loading modules.
    [+] Following modules are loaded:
    [x] [1] ping:icmp_ping  -  ICMP echo discovery module
    [x] [2] ping:tcp_ping  -  TCP-based ping discovery module
    [x] [3] ping:udp_ping  -  UDP-based ping discovery module
    [x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
    [x] [5] infogather: portscan  -  TCP and UDP PortScanner
    [x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
    [x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
    [x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
    [x] [9] fingerprint:icmp_info  -  ICMP Information request fingerprinting module
    [x] [10] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
    [x] [11] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
    [+] 11 modules registered
    [+] Initializing scan engine
    [+] Running scan engine
    Pcap::sniffpack: Unknown d_datalink.
    #
    
    Not an image or image does not exist!
    Not an image or image does not exist!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides