babylon~> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12 ...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.
HP-UX hpux B.10.01 A 9000/715 (ttyp2)
login:
Active OS Fingerprinting(old school)
babylon> telnet ftp.netscape.com 21
Trying 207.200.74.26 ...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server ready.
SYST
215 UNIX Type: L8 Version: SUNOS
Active OS Fingerprinting(old school, a bit more advanced)
babylon> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
babylon>
Here we send an HTTP GET request to a remote server and read off the web server software identified in the Server header of the response.
Active OS Fingerprinting(old school, last example)
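The three old-school probes above (read the greeting, send SYST, send an HTTP GET and look for Server:) are the same pattern: connect, optionally send a probe, and record what the service volunteers. The following Python helper is an added example for auditing your own hosts for such disclosures; it is not code from the slides. It starts a throw-away listener on 127.0.0.1 so it can be exercised offline, and every banner string in it is constructed from the slide transcripts, not captured from a live host. Note that the HTTP probe uses CRLF CRLF, which is what HTTP/1.0 actually expects, rather than the bare \n the slide's echo sends.

```python
"""Banner-grabbing audit helper (added example, not from the slides).

grab_banner() opens a TCP connection, optionally sends a probe, and returns
whatever the service says back.  serve_once() is a local test fixture that
plays the role of the remote service; all banners are constructed samples.
"""
import re
import socket
import threading

# HTTP/1.0 wants a blank line (CRLF CRLF) to end the request.
HTTP_PROBE = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"
FTP_SYST = b"SYST\r\n"


def grab_banner(host, port, probe=None, timeout=3.0, max_bytes=4096):
    """Connect, send `probe` (bytes) if given, and return everything the
    service sends before it closes or `timeout` elapses."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        chunks = []
        try:
            while sum(len(c) for c in chunks) < max_bytes:
                data = s.recv(1024)
                if not data:          # peer closed the connection
                    break
                chunks.append(data)
        except socket.timeout:        # banner-only services rarely close; stop waiting
            pass
    return b"".join(chunks).decode("ascii", errors="replace")


def server_header(response):
    """Value of the Server: header in an HTTP response, or None."""
    m = re.search(r"^Server:\s*(.+?)\r?$", response, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def ftp_syst_type(response):
    """Text of the '215 ...' reply to SYST, or None if the server refused."""
    m = re.search(r"^215\s+(.+?)\r?$", response, re.MULTILINE)
    return m.group(1) if m else None


def serve_once(greeting, reply_to_probe=None):
    """Test fixture: one-shot listener on 127.0.0.1 that sends `greeting` on
    connect and, if `reply_to_probe` is given, answers the first probe with it.
    Returns the port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            if reply_to_probe is not None:
                conn.settimeout(3.0)
                try:
                    conn.recv(1024)   # consume the probe; content not checked here
                except socket.timeout:
                    pass
                conn.sendall(reply_to_probe)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banners modelled on the slide transcripts.
    p = serve_once(b"HP-UX hpux B.10.01 A 9000/715 (ttyp2)\r\nlogin: ")
    print(grab_banner("127.0.0.1", p))
    p = serve_once(None, b"HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n")
    print(server_header(grab_banner("127.0.0.1", p, probe=HTTP_PROBE)))
```

Run against an inventory of your own listeners, anything that comes back with an OS name or product version is a banner worth trimming; the FTP and HTTP helpers return None when the service declines to say.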
• Sysadmins usually turn off the OS announcement in the login banner.
• Applications can be configured to lie.
• What we really need is a solution that doesn't depend upon the honesty of the application.
• Enter: New School Active OS Fingerprinting
Downsides to the old school method
• Pioneered by Queso, a now defunct tool, and improved upon by the widely popular nmap.
• Described by Nmap’s author, Fyodor, in his paper “Remote OS detection via TCP/IP Stack FingerPrinting”, October 18, 1998
• http://www.insecure.org/nmap/nmap-fingerprinting-article.html
New school active Fingerprinting
• His basic idea was to send a specially crafted packet, usually with an invalid/strange set of options (which is where OS vendors usually differ in implementation), and see what happens.
• He uses several methods; none of them identifies the remote OS on its own, but combined they give you a good idea.
Fyodor’s fingerprint method
• The FIN probe -- Send a FIN packet (or any packet without an ACK or SYN flag) to an open port and wait for a response.
• The correct RFC 793 behavior is to NOT respond, but many broken implementations such as MS Windows, BSDI, CISCO, and IRIX send a RESET back.
Methods used by Nmap
• IPID sampling -- Most operating systems increment a system-wide IPID value for each packet they send. Others, such as OpenBSD, use a random IPID and some systems (like Linux) use an IPID of 0 in many cases where the "Don't Fragment" bit is not set. Windows does not put the IPID in network byte order, so it increments by 256 for each packet.
• Remember that it was the predictability of the IPID field which Bellovin used in his paper “A technique for counting NATted hosts”.
Methods used by Nmap
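The IPID test and Bellovin's NAT-counting trick both rest on the same observation: a system-wide counter leaves a recognisable step between consecutive packets. The Python below is an added example, not nmap's or Bellovin's code, that classifies a sampled IP ID sequence into the four behaviours the slide lists and then counts incrementing chains to estimate how many such hosts sit behind one address. MAX_GAP, the tolerated jump between probes, is an assumption chosen here to allow for the host's other traffic; all ID sequences are constructed.

```python
"""IP ID sampling (added example, not from the slides or from nmap).

classify_ipid()  -> 'zero' | 'incremental' | 'incremental-256' | 'random'
count_nat_hosts() -> number of incrementing-IPID chains seen behind one address
All sample sequences are constructed for illustration.
"""

MAX_GAP = 10   # assumed: how far a counter may jump between our probes (other traffic)
ID_MOD = 1 << 16   # the IP ID field is 16 bits, so differences wrap modulo 65536


def diffs_mod16(ids):
    """Differences between consecutive IDs, modulo the 16-bit field width."""
    return [(b - a) % ID_MOD for a, b in zip(ids, ids[1:])]


def _steps_ok(diffs, step, max_gap=MAX_GAP):
    """True if every difference is a multiple of `step` and between 1 and max_gap steps."""
    return all(d % step == 0 and 1 <= d // step <= max_gap for d in diffs)


def classify_ipid(ids):
    """Map a sampled sequence to the behaviours on the slide.

    zero:            every ID is 0 (Linux without the DF bit, per the slide)
    incremental:     one system-wide counter, +1 per packet
    incremental-256: the counter is written little-endian but read as network
                     byte order, so each +1 appears as +256 (the Windows case)
    random:          no consistent step (OpenBSD)
    """
    if len(ids) < 2:
        raise ValueError("need at least two samples")
    if all(i == 0 for i in ids):
        return "zero"
    d = diffs_mod16(ids)
    if _steps_ok(d, 1):        # checked before 256: a +256 step fails the +1 test
        return "incremental"
    if _steps_ok(d, 256):
        return "incremental-256"
    return "random"


def byteswap16(v):
    """Swap the two bytes of a 16-bit value (how a host-order counter looks on the wire)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def count_nat_hosts(ids, step=1, max_gap=MAX_GAP):
    """Greedy chain partition in arrival order: each ID joins the first chain it
    continues (1..max_gap steps past that chain's last ID); otherwise it starts a
    new chain.  The number of chains estimates the number of hosts with an
    incrementing IPID behind the address.  Use step=256 for byte-swapped hosts."""
    chains = []
    for i in ids:
        for chain in chains:
            if _steps_ok([(i - chain[-1]) % ID_MOD], step, max_gap):
                chain.append(i)
                break
        else:
            chains.append([i])
    return len(chains)


if __name__ == "__main__":
    # Constructed: a little-endian counter 0x1234.. read in network byte order.
    print(classify_ipid([byteswap16(0x1234 + k) for k in range(4)]))   # incremental-256
    # Constructed: three hosts (starting at 100, 5000, 20000) interleaved through one NAT.
    print(count_nat_hosts([100, 5000, 101, 20000, 5001, 102, 20001]))  # 3
```

The wrap-around case (65535 followed by 0) is handled by the modulo arithmetic, which is the usual place a naive implementation misclassifies a counter as random. The chain partition is deliberately greedy: two hosts whose counters happen to sit within MAX_GAP of each other will be merged, so treat the count as a lower bound.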
• TCP Initial Window -- This simply involves checking the window size on returned packets. This test actually gives us a lot of information, since some operating systems can be uniquely identified by the window alone.
• AIX is the only OS which uses 0x3F25
• In their "completely rewritten" TCP stack for NT5, Microsoft uses 0x402E.
• Interestingly, that is exactly the number used by OpenBSD and FreeBSD.
Methods used by Nmap
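Slides 20 through 31 argue that no single test identifies the OS but the tests combined do; the window values above show why, since 0x402E alone cannot separate NT5 from OpenBSD and FreeBSD. The Python below is an added example of that combination step, not nmap's matching code or its database: a small signature table constructed only from what these slides state (FIN-probe reply, IPID behaviour, initial window), with wildcards wherever the slides give no value, and a matcher that drops every signature a test contradicts and ranks the rest by how many tests actually agreed.

```python
"""Combining fingerprint tests (added example, not nmap's code or nmap-os-db).

SIGNATURES is constructed from the slides' statements only; None marks a test
the slides say nothing about for that OS and is accepted as a wildcard.
The 'ipid' values use the same labels as an IPID classifier would produce.
"""

WILDCARD = None

SIGNATURES = {
    # Windows replies RST to a FIN, IPID steps by 256, NT5 window 0x402E
    "Windows NT5": {"fin_reply": "RST", "ipid": "incremental-256", "window": 0x402E},
    # OpenBSD: random IPID, window 0x402E; FIN behaviour not given on the slides
    "OpenBSD":     {"fin_reply": WILDCARD, "ipid": "random", "window": 0x402E},
    "FreeBSD":     {"fin_reply": WILDCARD, "ipid": WILDCARD, "window": 0x402E},
    # AIX is the only OS using 0x3F25
    "AIX":         {"fin_reply": WILDCARD, "ipid": WILDCARD, "window": 0x3F25},
    # IRIX replies RST to a FIN; nothing else stated
    "IRIX":        {"fin_reply": "RST", "ipid": WILDCARD, "window": WILDCARD},
}


def match(observed, signatures=SIGNATURES):
    """observed: {test: value} for the tests actually run; tests not run are skipped.

    Returns [(os_name, evidence)] for every signature no test contradicts,
    strongest first.  `evidence` counts non-wildcard tests that agreed, so a
    signature that survives only on wildcards scores 0 and sorts last."""
    results = []
    for name, sig in signatures.items():
        evidence = 0
        for test, value in observed.items():
            expected = sig.get(test, WILDCARD)
            if expected is WILDCARD:
                continue               # slides give no value: neither confirms nor rules out
            if expected != value:
                break                  # hard contradiction: drop this OS
            evidence += 1
        else:
            results.append((name, evidence))
    results.sort(key=lambda r: (-r[1], r[0]))
    return results


def best_guess(observed, signatures=SIGNATURES):
    """Top-ranked OS, or None if every signature was contradicted."""
    ranked = match(observed, signatures)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    # Window alone: three equally supported candidates.
    print(match({"window": 0x402E}))
    # Window plus the IPID test: only NT5 fits both.
    print(match({"window": 0x402E, "ipid": "incremental-256"}))
    # An RFC 793 conformant stack (no reply to FIN) rules out the RST-sending ones.
    print(match({"window": 0x402E, "fin_reply": "no-reply"}))
```

The ranking is intentionally conservative: a wildcard never adds evidence, so a stack that only matches on tests the table has no opinion about stays at the bottom rather than masquerading as a confident hit.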