OS fingerprinting is normally used by attackers to probe a wide variety of hosts and add them to their hit-lists for when the next application/OS exploit is released. The idea is that they should not be trying IIS exploits against Linux hosts.
Well, in either case, let's empower ourselves too by seeing how this can be done.
Network traffic from a computer system can be captured and analyzed to detect what OS the host is running. This is possible due to differences in how the TCP/IP stack is implemented in various operating systems.
The TCP/IP fields that may vary include the following:
- Initial packet size (16 bits)
- Initial TTL (8 bits)
- Window size (16 bits)
- Max segment size (16 bits)
- Window scaling value (8 bits)
- "don't fragment" flag (1 bit)
- "sackOK" flag (1 bit)
- "nop" flag (1 bit)
| Operating System (OS) | Initial TTL | TCP window size |
|---|---|---|
| Linux Kernel (2.4 and 2.6) | 64 | 5840 |
| Windows XP | 128 | 65535 |
| Windows 7, Vista and Server 2008 | 128 | 8192 |
| FreeBSD | 64 | 65535 |
| Cisco Router (IOS 12.4) | 255 | 4128 |
| Solaris | 255 | 8760 |
| Windows 2000 | 128 | 16384 |
Analyzing the initial TTL value is usually a little tricky, since the TTL of a sniffed packet varies depending on where you sniff it from. The sending system sets the TTL to its operating system's default value, but this value is then decremented by one (-1) for every router the packet passes through on its way to the destination IP address. Hence an IP packet with a TTL value of 55 can be expected to have had an initial TTL of 64 and to have done 9 router hops before it was sniffed.
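To show the round-up logic above in code, here is an added example (not part of the original post) that takes a sniffed TTL and TCP window size, infers the initial TTL and hop count, and looks the pair up in the table from this post. The table values are the post's; the function names and the sample packets are constructed for the example.

```python
# Passive OS guess from one sniffed packet's TTL and TCP window size.
# Example code written for this post; the fingerprint table is the post's.
from typing import List, Tuple

# (OS, initial TTL, TCP window size), copied from the table above
FINGERPRINTS: List[Tuple[str, int, int]] = [
    ("Linux Kernel (2.4 and 2.6)", 64, 5840),
    ("Windows XP", 128, 65535),
    ("Windows 7, Vista and Server 2008", 128, 8192),
    ("FreeBSD", 64, 65535),
    ("Cisco Router (IOS 12.4)", 255, 4128),
    ("Solaris", 255, 8760),
    ("Windows 2000", 128, 16384),
]

# The distinct initial TTLs the table knows about: 64, 128, 255
INITIAL_TTLS: Tuple[int, ...] = tuple(sorted({ttl for _, ttl, _ in FINGERPRINTS}))


def guess_initial_ttl(observed_ttl: int) -> int:
    """Round a sniffed TTL UP to the nearest known initial TTL.

    Each router hop decrements TTL by one, so the sender's starting value
    is the smallest known default that is still >= what we observed.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    return next(t for t in INITIAL_TTLS if t >= observed_ttl)


def fingerprint(observed_ttl: int, window: int) -> Tuple[int, int, List[str]]:
    """Return (initial_ttl, hops, matching OS names) for one sniffed packet."""
    initial = guess_initial_ttl(observed_ttl)
    hops = initial - observed_ttl
    matches = [name for name, ttl, win in FINGERPRINTS
               if ttl == initial and win == window]
    return initial, hops, matches


if __name__ == "__main__":
    # Constructed packets. First one is the post's own example: TTL 55 -> 64, 9 hops.
    print(fingerprint(55, 5840))
    # Window 65535 is shared by Windows XP and FreeBSD; the initial TTL splits them.
    print(fingerprint(60, 65535))
    print(fingerprint(120, 65535))
```

An empty match list means the TTL/window pair is not in the table, not that the host is unknown: window size is set by the stack's configuration and can be tuned, so treat it as a hint and the TTL as the stronger signal.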
Very common tools that can be used:
Ping:
As I said, an ICMP ping is always the first thing to try, and it gives some initial idea of what OS the host might be running.
Nmap:
I would try multiple nmap combinations to come to a conclusion:
nmap -sV -P0 -O debatestBox.com
nmap -O -v debatestBox.com
nmap -sV debatestBox.com
nmap -vv -O -P0 debatestBox.com
XProbe2:
Xprobe2 is basically a remote, active OS fingerprinting tool:
[root@DebaTestBox ~]# xprobe2 crusador.sdtie.com
Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu
[+] Target is crusador.sdtie.com
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[+] Primary guess:
[+] Host 10.X.X.X Running OS: "OpenBSD 2.5" (Guess probability: 90%)
To be contd/-
-DK