Sunday, March 25, 2012

Free Best OCR

I just needed a cool yet Free OCR tool and were trying hands on multiple available. BUT finally found the below 3 to be the best in order of perfection and efficiency -


  1. OnlineOCR ( One +plus is that - it gives me a download option with various output format)
  2. Free-OCR
  3. NewOCR

Extract of text from image format is so simplified !!

The Engineering attempts at automated recognition of printed characters started much before World War II. But it was only by early 1950's some commercial attempt was undertaken to have funded R&D on this area.

OCR has taken new feats & heights - I know some of the Engineering efforts from IITG where Handwritten Character Recognition has taken a whole new dimension and heading for interesting feats in this niche area.

Thanks/-

DK




Sunday, March 4, 2012

OS Fingerprinting

Yo Dawg! You never told me its a pure Windows box and I wasted my time trying to do SSH rather than a RDP! A common fuming statement by most of the Ops guys !?

OS Fingerprinting is normally used by attackers to probe a wide variety of hosts and add them in their hit-lists for the next application/OS exploit is released. Idea is they should not be trying IIS exploits against Linux hosts.


Well - in either case lets empower ourselves too how this can be done.

Network traffic from a computer system can be captured and analyzed to detect what OS the host is running. This is possible due to differences in how the TCP/IP stack is implemented in various operating systems.

The TCP/IP fields that may vary include the following:

  1. Initial packet size (16 bits)
  2. Initial TTL (8 bits)
  3. Window size (16 bits)
  4. Max segment size (16 bits)
  5. Window scaling value (8 bits)
  6. "don't fragment" flag (1 bit)
  7. "sackOK" flag (1 bit)
  8. "nop" flag (1 bit)
Some of the most common known TTL and TCP windows set is shown below:

Operating System(OS)

Intial TTL

TCP Windows

size

Linux Kernel (2.4 and 2.6)

64

5840

Windows XP

128

65535

Windows 7, Vista and Server 2008

128

8192

Free BSD

64

65535

Cisco Router (IOS 12.4)

255

4128

Solaris

255

8760

WINDOWS 2000

128

16384







The initial TTL value usually is a little tricky job to analyze since the TTL value of a sniffed packet varies depending on where you sniff it from. The sender system will set the TTL value to the Operating Systems default TTL value - but this value will then be decremented by one (-1) for every router the packet passes through on its way to the destination IP address. Hence an IP packet with a TTL value of 55 can therefore be expected to be a packet with an initial TTL of 64 that has done 9 router hops before it was sniffed.


Very common tool that can be used -

Ping:

As I said ICMP ping is always the first thing and arrive at some initial level of idea what OS the host might be running

Nmap:

I would try multiple nmap combinations to come to a conclusion:

nmap -sV -P0 -O debatestBox.com
nmap -O -v debatestBox.com
nmap -sV debatestBox.com
nmap -vv -O -P0 debatestBox.com

XProbe2:
Xprobe2 is a basically remote, active OS fingerprinting tool -

[root@DebaTestBox ~]# xprobe2 crusador.sdtie.com

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is crusador.sdtie.com
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[+] Primary guess:
[+] Host 10.X.X.X Running OS: "OpenBSD 2.5" (Guess probability: 90%)



To be contd/-


-DK

RCA - Root Cause Analysis

An important step in finding the root causes of issues or occurrences that happen within a system or organization is root cause analysis (RC...