-
November 28th, 2001, 06:32 PM
#1
OS Fingerprinting Mini-Tutorial
I'm posting this because well, quite frankly, I can.
I'm going to start by posing and answering a few questions.
If you're trying to break into a computer over a network, what's the first thing you need to know?
Well, for starters, knowing what OS you're dealing with will enable you to target your attacks more specifically.
There are various ways of finding out what OS a machine is running, and these techniques are collectively referred to as OS fingerprinting.
The first step is to make sure that you can't get this info from banners. Sometimes, if a computer is running an FTP, Telnet, POP3, SMTP, or HTTP server, it will give you a banner that you can use to determine what OS it's running. Take the Apache webserver for instance. You can simply telnet to the webserver, request the header using GET / http/1.0 and you might see a line like:
Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01
That tells you right there that it's running on RedHat Linux.
When attempting to fingerprint a computer on a network, usually you need a combination of things to be certain, which brings me to the next section.
There are two main groups of OS Fingerprinting that revolve around two commonly used network protocols: ICMP and TCP.
ICMP OS Fingerprinting deals with examining how a computer responds to various ICMP messages.
One quick example of this is pinging the broadcast address. The broadcast address is (assuming you're using 10.0.0.x as your home LAN's IP space) 10.0.0.255. You can tell *nix boxes apart from Windows PCs and vice versa by pinging the broadcast address because computers running Windows don't respond to the broadcast address. Combine this with something like nmap's -sP option and you can ferret out all the Windows boxes on a network.
An example from a RedHat Linux 7.1 box:
[chsh@compname dir]$ ping 10.0.0.255 -b
WARNING: pinging broadcast address
PING 10.0.0.255 (10.0.0.255) from 10.0.0.132 : 56(84) bytes of data.
Warning: time of day goes back, taking countermeasures.
64 bytes from 10.0.0.132: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.120: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.117: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.132: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.120: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.117: icmp_seq=0 ttl=255 time=100 usec
As you can see, by pinging 10.0.0.255 in the example, we get a response from 10.0.0.132, 10.0.0.120, and 10.0.0.117. Now let's say that we've scanned the entire 10.0.0.1-254 range, and we know that there are also two other computers at 10.0.0.119 and 10.0.0.130. We know they're obviously a different OS than the three that did respond, and Windows does ignore the broadcast address.
From here, you can use some other ICMP or TCP techniques to determine which machines are which OS, but just this one step can cut down your list of possible OSes from about 30 to 2 or 3 and it's a very simple step. If I told you what to do next, it wouldn't be a mini-tutorial, would it?
Keep in mind that many network devices (routers, network printers, etc.) respond to a broadcast request as well.
TCP Fingerprinting is a technique whereby you examine the response (or lack thereof) you get from a computer when requesting a TCP connection.
In my travels, I have found several key differences between the different OSes. Take Windows and Linux as an example. When a port is closed, Windows responds to a connection request with TCP-RST. Linux responds with ICMP-Destination Port Unreachable. This key difference can also help you narrow down what OS you're dealing with.
My goal here was to raise interest and give some slight education on how to determine which OS you're dealing with. All of this information is from my experiences, and if I'm out of date or wrong on any of this, please correct me.
If you want some recommended reading, this is a good start.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
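The three clues in the post above (a Server: banner, which hosts answer a broadcast ping, and what comes back when you SYN a single port) can each be reduced to a small parser. The script below is an added example, not code from the original post: the HTTP response, the ping output and the raw IPv4/TCP/ICMP packets are all constructed inline (modelled on the output quoted above) so it runs with no network access, and the helper names and reply labels are this example's own. Which reply a given OS actually produces is something to verify against your own hosts; the classifier only names what arrived.

```python
"""Offline helpers for the three fingerprinting clues discussed above.
Added example; all sample data is constructed here, none of it captured."""
import re
import socket
import struct

# --- 1. Banner grabbing -----------------------------------------------------
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"   # what the post types into telnet


def parse_server_header(raw_response):
    """Pull the Server: header out of a raw HTTP response and split it into the
    product token and the parenthesised platform hints. A banner is editable by
    the admin, so treat the hints as something to confirm, not a verdict.
    Returns (product, [hints]) or (None, []) if no Server: header is present."""
    for line in raw_response.split("\r\n"):
        if line.lower().startswith("server:"):
            value = line.split(":", 1)[1].strip()
            product = value.split(" ", 1)[0]
            hints = re.findall(r"\(([^)]*)\)", value)
            return product, hints
    return None, []


# Constructed response, modelled on the Apache banner quoted in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.19 (Unix) (Red-Hat/Linux) mod_ssl/2.8.1 OpenSSL/0.9.6\r\n"
    "Content-Type: text/html\r\n\r\n<html></html>"
)

# --- 2. Broadcast ping ------------------------------------------------------
PING_REPLY = re.compile(r"^\d+ bytes from (\d{1,3}(?:\.\d{1,3}){3}):")


def ping_responders(ping_output):
    """Set of source addresses that answered `ping -b`; repeats collapse."""
    found = set()
    for line in ping_output.splitlines():
        m = PING_REPLY.match(line)
        if m:
            found.add(m.group(1))
    return found


def silent_hosts(known_hosts, ping_output):
    """Hosts seen by a host sweep that stayed quiet to the broadcast ping.
    Candidates for the post's 'ignores broadcast' group, but a host that
    filters ICMP lands here too, so confirm with a second technique."""
    quiet = set(known_hosts) - ping_responders(ping_output)
    return sorted(quiet, key=lambda ip: tuple(int(o) for o in ip.split(".")))


# Constructed ping output, copied in shape from the post's RedHat 7.1 session.
SAMPLE_PING = """WARNING: pinging broadcast address
PING 10.0.0.255 (10.0.0.255) from 10.0.0.132 : 56(84) bytes of data.
64 bytes from 10.0.0.132: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.120: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.117: icmp_seq=0 ttl=255 time=100 usec
64 bytes from 10.0.0.132: icmp_seq=1 ttl=255 time=100 usec
"""
KNOWN_HOSTS = ["10.0.0.117", "10.0.0.119", "10.0.0.120", "10.0.0.130", "10.0.0.132"]

# --- 3. Reply to a TCP probe of one port ------------------------------------


def ipv4(proto, payload, src="10.0.0.117", dst="10.0.0.132"):
    """Minimal IPv4 header (checksum left 0) in front of payload. Constructed
    packets only; real ones would come from a raw socket or a pcap."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(flags, sport=23, dport=40000):
    """20-byte TCP header with the given flag byte (0x02 SYN, 0x12 SYN/ACK, 0x14 RST/ACK)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 1, 0x50, flags, 0, 0, 0)


def icmp_unreachable(code, original):
    """ICMP type 3 (destination unreachable) quoting the offending IP header + 8 bytes."""
    return struct.pack("!BBHI", 3, code, 0, 0) + original[:28]


def classify_reply(pkt):
    """Name what came back for a SYN to one port: RST, SYN/ACK, an ICMP
    unreachable (with its code), or nothing at all (dropped or filtered)."""
    if pkt is None:
        return "no-reply"
    ihl = (pkt[0] & 0x0F) * 4           # header length in bytes
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == 6:                       # TCP: flags live in byte 13
        flags = body[13]
        if flags & 0x04:
            return "tcp-rst"
        if flags & 0x12 == 0x12:
            return "tcp-syn-ack"
        return "tcp-flags-0x%02x" % flags
    if proto == 1:                       # ICMP: type, code
        if body[0] == 3:
            return "icmp-unreachable-code-%d" % body[1]
        return "icmp-type-%d" % body[0]
    return "ip-proto-%d" % proto


SYN_PROBE = ipv4(6, tcp(0x02, sport=40000, dport=23), src="10.0.0.132", dst="10.0.0.117")
RST_REPLY = ipv4(6, tcp(0x14))                              # RST/ACK from a closed port
UNREACH_REPLY = ipv4(1, icmp_unreachable(3, SYN_PROBE))     # ICMP port unreachable

if __name__ == "__main__":
    print(parse_server_header(SAMPLE_RESPONSE))
    print(sorted(ping_responders(SAMPLE_PING)), silent_hosts(KNOWN_HOSTS, SAMPLE_PING))
    for reply in (RST_REPLY, UNREACH_REPLY, None):
        print(classify_reply(reply))
```

To use the third part against a live host, send `SYN_PROBE`-shaped segments from a raw socket (or just `connect()` to a port you believe is closed) and feed each captured reply to `classify_reply`; sorting hosts by the label they return is the same narrowing step the post describes, with "no-reply" flagging the filtered hosts that neither technique can place.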
-
December 3rd, 2001, 03:58 PM
#2
Junior Member
nmap -O <ip> or nmap -P0 <ip>
that is almost everything you need
http://www.insecure.org/nmap/
-
December 3rd, 2001, 04:12 PM
#3
True, that will work, but what happens when you don't have nmap?
You're a clueless script kiddie standing in front of a computer that you can't hack with.
I'm all for canned apps when you have them available, but there's something to be said for being able to do things yourself.
Chris Shepherd
-
December 3rd, 2001, 05:20 PM
#4
Junior Member
Thanks
chsh, thanks for the info. Can't wait for more.
evilbob
All that we see or seem is but a dream within a dream.
<=Edgar Allan Poe=>
-
December 3rd, 2001, 05:54 PM
#6
Thanks evilbob, it's nice to know that someone got something out of it.
I'm going to be writing a full tutorial when I get a chance, which will include all the minute differences between the OSes. With Christmas and New Year's though, don't expect it until mid-January.
Chris Shepherd
-
December 3rd, 2001, 07:52 PM
#7
Junior Member
Originally posted by chsh
True, that will work, but what happens when you don't have nmap??
Well, frankly, nmap is not IMHO a script kiddie program. It is almost the best network scanner there is, if you don't count commercial scanners.
If you don't have nmap, go and download one. Nmap for *nixes can be downloaded from http://www.insecure.org/nmap/nmap_download.html and for NT from http://www.eeye.com/html/Research/Tools/nmapnt.html
There are better scanners than nmap on commercial sites, like ISS Security Scanner (you can't download this for evaluation); great tool, I use it a lot at work. I should also mention ISS Internet Scanner (you can download the evaluation version from here https://www.iss.net/cgi-bin/download...ion-select.cgi), and www.eeye.com has many good programs.
-
December 3rd, 2001, 08:59 PM
#8
Originally posted by virtaava
Well, frankly, nmap is not IMHO a script kiddie program. It is almost the best network scanner there is, if you don't count commercial scanners.
Agreed, but we're not exactly talking about network scanning are we, we're discussing OS fingerprinting.
Even still, it's a 'canned' app (AKA tool) that eliminates a lot of work and basically makes it trivial to scan entire networks. What IS a 'script kiddie program' then, if not an application that does a hell of a lot with little user interaction (like issuing a command line switch or clicking a button)?
Chris Shepherd
-
December 3rd, 2001, 10:01 PM
#9
Junior Member
Originally posted by chsh
Agreed, but we're not exactly talking about network scanning are we, we're discussing OS fingerprinting.
Even still, it's a 'canned' app (AKA tool) that eliminates a lot of work and basically makes it trivial to scan entire networks. What IS a 'script kiddie program' then, if not an application that does a hell of a lot with little user interaction (like issuing a command line switch or clicking a button)?
Well, IMHO a script kiddie program is something like Sub7 or the NetBIOS hacking tools, which can be used for just one particular job.
Nmap is indeed a scanner, but it's faster to use such a tool to fingerprint the OS of a particular system than to try to do it manually and spend a lot of time identifying a particular OS, router or something else.
-
December 30th, 2004, 05:18 PM
#10
Junior Member
I have tried nmap before, but it is not very accurate. It is able to differentiate *nix from Windows but cannot differentiate Windows XP from ME, 2000 or 98. May I know how to differentiate Windows operating systems? Do different Windows versions run different services?