Just released. You can find it here: http://www.sys-security.com/archive/...be2-0.2.tar.gz

From the Bugtraq email:

We are pleased to announce the immediate availability of Xprobe2 v0.2,
which has been officially released at the Blackhat Federal 2003.

Xprobe2 is a remote active operating system fingerprinting tool with a
different approach to operating system fingerprinting. Information on
Xprobe2’s technology can be obtained from [1], [2], and [3].

The new version of Xprobe2 introduces enhancements and advancements in
Xprobe2’s development.

Xprobe2 now supports:

- Automatic Signature Generation
- XML based output
- The TCP Options Timestamp Fingerprinting method (first to be
introduced at Blackhat USA 2003)


The source code of Xprobe2 v0.2 can be found at:
http://www.sys-security.com/archive/...be2-0.2.tar.gz

MD5 (xprobe2-0.2.tar.gz) = ca723a7e4c8c5001191efdb43e63bbee
SHA1 (xprobe2-0.2.tar.gz) = fc7231dbe1de518b49d15b8677a0b65661312cb4

For more information about Xprobe2 0.2 new features please see the
presentation given at Blackhat Federal 2003:
http://www.sys-security.com/archive/...BH_FEDERAL.ppt [~600k]


Yours
Xprobe2 development team,

Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

Fyodor Yarochkin [fygrave@tigerteam.net]
Meder Kydyraliev [Meder@areopag.net]



[1] http://www.sys-security.com/html/projects/X.html
[2] “xprobe2 - A 'Fuzzy' Approach to Remote Active Operating System Fingerprinting”, Ofir Arkin & Fyodor Yarochkin, August 2002, http://www.sys-security.com/archive/papers/Xprobe2.pdf
[3] “The Present and Future of Xprobe2 – The Next Generation of Active Operating System Fingerprinting”, Ofir Arkin, Fyodor Yarochkin, Meder Kydyraliev, July 2003,
http://www.sys-security.com/archive/...robe2-v1.0.pdf

Of course, I had to try it out... my results on my Slack 9.1 2.4.22 kernel machine:

root@MsMittens:/data/downloads/xprobe2-0.2# xprobe2 -v localhost

Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net

[+] Target is localhost
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module
[x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[+] 11 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 127.0.0.1. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 127.0.0.1. Module test failed
[+] No distance calculation. 127.0.0.1 appears to be dead or no ports known
[+] Host: 127.0.0.1 is up (Guess probability: 25%)
[+] Target: 127.0.0.1 is alive. Round-Trip Time: 0.00018 sec
[+] Selected safe Round-Trip Time value is: 0.00035 sec
icmp_port_unreach::build_DNS_reply(): gethostbyname() failed! Using static ip for www.securityfocus.com in UDP probe
[+] Primary guess:
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.30" (Guess probability: 52%)
[+] Other guesses:
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.34" (Guess probability: 52%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.36" (Guess probability: 52%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.4.21" (Guess probability: 52%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.4.20" (Guess probability: 52%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.4.19" (Guess probability: 52%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.3" (Guess probability: 50%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.25" (Guess probability: 50%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.6" (Guess probability: 50%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.23" (Guess probability: 50%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

I know I have ports open and the OS kernel guess is a bit limiting. So I tried it on my FreeBSD 4.7 box for giggles (again, this box is running stuff on ports and no, no firewall blocking any ports):

root@MsMittens:/data/downloads/xprobe2-0.2# xprobe2 -v 192.168.0.40

Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net

[+] Target is 192.168.0.40
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module
[x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[+] 11 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.0.40. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.0.40. Module test failed
[+] No distance calculation. 192.168.0.40 appears to be dead or no ports known
[+] Host: 192.168.0.40 is up (Guess probability: 25%)
[+] Target: 192.168.0.40 is alive. Round-Trip Time: 0.00111 sec
[+] Selected safe Round-Trip Time value is: 0.00222 sec
[+] Primary guess:
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.4" (Guess probability: 70%)
[+] Other guesses:
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.5" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.6" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.6.2" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.7" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.8" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 5.0" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 5.1" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "HP JetDirect ROM L.20.07 EEPROM L.20.24" (Guess probability: 61%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.1.1" (Guess probability: 61%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
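Both transcripts above show the same two symptoms: the TCP and UDP ping modules fail because the tool was given no known port state, and several signatures tie at the top probability, so the "primary guess" is really just the first entry of a tied set. The script below is an added example for reading that kind of output; it is not code from the original post nor from the Xprobe2 project. It assumes the v0.2 verbose line formats exactly as printed above, the embedded samples are abridged excerpts of the two runs (not the full transcripts), and the 60% threshold and the verdict names are my own choices.

```python
"""Parse xprobe2 v0.2 verbose output and judge how far the guess list can be trusted."""
import re
from typing import Dict, List, Tuple

# Line shapes copied from the two runs quoted above.
UP_RE = re.compile(r'^\[\+\] Host: (\S+) is up \(Guess probability: (\d+)%\)')
FAILED_RE = re.compile(r'^\[-\] (\S+) module: (.*)\. Module test failed$')
GUESS_RE = re.compile(r'\[\+\] Host (\S+) Running OS: "([^"]*)" \(Guess probability: (\d+)%\)')

# Constructed, abridged excerpts of the two runs above (a handful of lines each, not the full output).
LINUX_RUN = """\
[-] ping:tcp_ping module: no closed/open TCP ports known on 127.0.0.1. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 127.0.0.1. Module test failed
[+] Host: 127.0.0.1 is up (Guess probability: 25%)
icmp_port_unreach::build_DNS_reply(): gethostbyname() failed! Using static ip for www.securityfocus.com in UDP probe[+] Primary guess:
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.30" (Guess probability: 52%)
[+] Other guesses:
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.0.34" (Guess probability: 52%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.4.21" (Guess probability: 52%)
[+] Host 127.0.0.1 Running OS: "Linux Kernel 2.2.3" (Guess probability: 50%)
"""

FREEBSD_RUN = """\
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.0.40. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.0.40. Module test failed
[+] Host: 192.168.0.40 is up (Guess probability: 25%)
[+] Primary guess:
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.4" (Guess probability: 70%)
[+] Other guesses:
[+] Host 192.168.0.40 Running OS: "FreeBSD 4.7" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "FreeBSD 5.1" (Guess probability: 70%)
[+] Host 192.168.0.40 Running OS: "HP JetDirect ROM L.20.07 EEPROM L.20.24" (Guess probability: 61%)
"""


def parse_xprobe2(text: str) -> Dict:
    """Pull host, liveness score, failed modules and the (os, probability) guess list out of -v output."""
    report = {"host": None, "up_probability": None, "failed_modules": [], "guesses": []}
    for line in text.splitlines():
        m = UP_RE.match(line)
        if m:
            report["host"], report["up_probability"] = m.group(1), int(m.group(2))
            continue
        m = FAILED_RE.match(line)
        if m:
            report["failed_modules"].append((m.group(1), m.group(2)))
            continue
        # search(), not match(): stderr text can be glued in front of a stdout line, as in the Linux run.
        m = GUESS_RE.search(line)
        if m:
            report["guesses"].append((m.group(2), int(m.group(3))))
    return report


def os_family(name: str) -> str:
    """Leading words of a signature name up to the first token containing a digit ('FreeBSD 4.7' -> 'FreeBSD')."""
    words = []
    for word in name.split():
        if any(ch.isdigit() for ch in word):
            break
        words.append(word)
    return " ".join(words) or name


def assess(report: Dict, min_top: int = 60) -> Tuple[str, List[str]]:
    """Return (verdict, reasons). Verdicts: no-guess, unreliable, family-only, version."""
    guesses = report["guesses"]
    if not guesses:
        return "no-guess", ["no OS guess lines in output"]
    reasons = []
    if report["failed_modules"]:
        names = ", ".join(mod for mod, _ in report["failed_modules"])
        reasons.append(f"{len(report['failed_modules'])} module(s) failed: {names}")
    top = guesses[0][1]
    tied = [name for name, prob in guesses if prob == top]
    families = sorted({os_family(name) for name in tied})
    if top < min_top:
        reasons.append(f"top probability {top}% is below the {min_top}% threshold")
    if len(families) > 1:
        reasons.append(f"top guesses span {len(families)} OS families: {', '.join(families)}")
    if top < min_top or len(families) > 1:
        return "unreliable", reasons
    if len(tied) > 1:
        reasons.append(f"{len(tied)} {families[0]} versions tie at {top}%: {', '.join(tied)}")
        return "family-only", reasons
    return "version", reasons


if __name__ == "__main__":
    for label, text in (("Linux run", LINUX_RUN), ("FreeBSD run", FREEBSD_RUN)):
        rep = parse_xprobe2(text)
        verdict, why = assess(rep)
        print(f"{label}: host {rep['host']}, verdict {verdict}")
        for reason in why:
            print("  -", reason)
```

Run against the excerpts, the Linux run comes out "unreliable" (best match only 52%, two discovery modules failed) and the FreeBSD run "family-only" (several releases, 4.7 among them, share the 70% score). The failure text itself names the fix: the ping and TTL-distance modules need a port whose state is known, which is what xprobe2's -p proto:port:state option supplies; until that is given, the guess list reflects ICMP behaviour alone and should be read as a family hint, not a version.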