OS detection – All things in moderation

OS detection

Introduction

Sometimes on a network it is beneficial to know the operating system (OS) of a machine. Accessing a system is easier when you know the OS because you can specifically search the internet for known security holes in that OS. Granted, security holes are usually patched quickly, but you need to know when a security hole exists.
Scanning your own network to detect the OS types can help you see what a hacker will be able to see about your network.
So, OS fingerprinting is the process of determining the operating system used by a host on a network.

Active fingerprinting

Active fingerprinting is the process of transmitting packets to a remote host and analysing the corresponding replies.

Passive fingerprinting

Passive fingerprinting is the process of analysing packets sent by a host on a network. In this case the fingerprinter acts as a sniffer and doesn't put any traffic on the network.

Fingerprinting techniques

Almost all fingerprinting techniques are based on detecting differences in the packets generated by different operating systems.
Common techniques are based on analysing:

  • IP TTL values;
  • IP ID values;
  • TCP window size;
  • TCP options (generally in TCP SYN and SYN+ACK packets);
  • DHCP requests;
  • ICMP requests;
  • HTTP packets (generally the User-Agent field).

Other techniques are based on analysing:
  • Running services;
  • Open port patterns.
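To make the packet-level techniques concrete, here is an added example (not code from the original post) of a minimal passive fingerprinter: it parses a raw IPv4 + TCP SYN header, extracts the fields listed above (IP TTL, IP ID, DF bit, TCP window size and the order of TCP options), rounds the TTL up to its likely initial value, and compares the result against a small signature table. The signature table and the two sample packets are constructed for this example; the values approximate common OS defaults and are not authoritative fingerprints.

```python
import struct

# Illustrative signature table, constructed for this example. Values approximate
# common defaults (initial TTL, SYN window size, TCP option order); real tools
# such as p0f and Nmap carry far larger and more precise tables.
# Option letters: M=MSS, N=NOP, W=window scale, S=SACK permitted, T=timestamps, E=end of list.
SIGNATURES = [
    {"ttl": 64,  "win": 64240, "opts": "M,S,T,N,W",       "df": True, "label": "Linux (recent kernel)"},
    {"ttl": 64,  "win": 29200, "opts": "M,S,T,N,W",       "df": True, "label": "Linux (older kernel)"},
    {"ttl": 128, "win": 64240, "opts": "M,N,W,N,N,S",     "df": True, "label": "Windows 10/11"},
    {"ttl": 128, "win": 8192,  "opts": "M,N,W,N,N,S",     "df": True, "label": "Windows 7/8"},
    {"ttl": 64,  "win": 65535, "opts": "M,N,W,N,N,T,S,E", "df": True, "label": "macOS / BSD"},
]

OPTION_KINDS = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}


def parse_syn(pkt):
    """Extract the fingerprint-relevant fields from a raw IPv4 header + TCP header."""
    ver_ihl, _tos, _total_len, ip_id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)            # Don't Fragment bit
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    is_syn = bool(off_flags & 0x02)
    opts = tcp[20:data_off]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        layout.append(OPTION_KINDS.get(kind, str(kind)))
        if kind == 0:                          # End of option list
            break
        if kind == 1:                          # NOP has no length byte
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                         # malformed option; stop rather than loop forever
            break
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = opts[i + 2]
        i += length
    return {"ttl": ttl, "ip_id": ip_id, "df": df, "win": window, "syn": is_syn,
            "opts": ",".join(layout), "mss": mss, "wscale": wscale}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (each router hop decrements it by one)."""
    for candidate in (64, 128, 255):
        if observed <= candidate:
            return candidate
    return 255


def guess_os(fields):
    """Require the TTL class and option layout to agree, then rank by window size and DF bit."""
    best, best_score = "unknown", -1
    for sig in SIGNATURES:
        if initial_ttl(fields["ttl"]) != sig["ttl"] or fields["opts"] != sig["opts"]:
            continue
        score = int(fields["win"] == sig["win"]) + int(fields["df"] == sig["df"])
        if score > best_score:
            best, best_score = sig["label"], score
    return best, max(best_score, 0)


def build_syn(ttl, ip_id, df, window, options):
    """Construct a raw IPv4 + TCP SYN header for testing (checksums left zero; irrelevant for parsing)."""
    assert len(options) % 4 == 0, "TCP options must pad to a 32-bit boundary"
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, ((tcp_len // 4) << 12) | 0x02, window, 0, 0)
    return ip + tcp + options


# Constructed sample SYNs, as they might look after one or two router hops.
LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")   # MSS,SACK,TS,NOP,WS
WINDOWS_OPTS = bytes.fromhex("020405b4" "01" "030308" "0101" "0402")                  # MSS,NOP,WS,NOP,NOP,SACK
SAMPLE_LINUX = build_syn(ttl=63, ip_id=0x0000, df=True, window=64240, options=LINUX_OPTS)
SAMPLE_WINDOWS = build_syn(ttl=126, ip_id=0x1A2B, df=True, window=8192, options=WINDOWS_OPTS)

if __name__ == "__main__":
    for name, pkt in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        f = parse_syn(pkt)
        print(name, "ttl", f["ttl"], "win", f["win"], "opts", f["opts"], "->", guess_os(f))
```

Running it on your own capture (for instance, feeding it the IP+TCP bytes of SYNs recorded on your network) shows what a passive observer can infer without sending a single packet; the TTL rounding step is why a TTL of 63 or 126 still points at the right OS family.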

OS detection with nmap

Nmap is the best-known tool for fingerprinting, and OS detection is one of its main features.
OS detection database
Nmap ships with a fingerprint database which is installed together with Nmap. The database is used when doing OS detection, but it is not automatically updated.

The database is located at /usr/share/nmap/nmap-os-db or /usr/local/share/nmap/nmap-os-db.
Make sure you are using the latest version of the database. You can download the current version from the Nmap website by running the following command in a terminal:

wget https://svn.nmap.org/nmap/nmap-os-db

Nmap OS detection command

sudo nmap -O <target>  

If the target blocks ping probes, you can skip host discovery with -Pn (recommended):

sudo nmap -O <target> -Pn  
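To see what nmap -O actually compares against the database you just downloaded, here is an added example (not Nmap's own code) that parses a short nmap-os-db excerpt and scores a set of observed probe results against each fingerprint. The excerpt follows the documented fingerprint layout (Fingerprint / Class / CPE lines followed by TEST(attr=expr%attr=expr) lines) but its values and the observed results are constructed for this example. Nmap weights attributes with its MatchPoints entry; this example counts each attribute equally, which is a simplification.

```python
import re

# Constructed excerpt in nmap-os-db layout; the values are illustrative, not real entries.
SAMPLE_DB = """\
# Constructed excerpt, not a real nmap-os-db entry
Fingerprint Linux 4.15 - 5.6
Class Linux | Linux | 4.X | general purpose
Class Linux | Linux | 5.X | general purpose
CPE cpe:/o:linux:linux_kernel:4 auto
SEQ(SP=FB-105%GCD=1-6%ISR=108-112%TI=Z%II=I%TS=A)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)

Fingerprint Microsoft Windows 10 1809 - 1909
Class Microsoft | Windows | 10 | general purpose
CPE cpe:/o:microsoft:windows_10 auto
SEQ(SP=FE-108%GCD=1-6%ISR=105-10F%TI=I%II=I%SS=S%TS=U)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
"""

TEST_LINE = re.compile(r"^([A-Z0-9]+)\((.*)\)$")


def parse_db(text):
    """Return a list of {'name', 'classes', 'cpe', 'tests'} dicts, one per Fingerprint block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            current = {"name": line[len("Fingerprint "):], "classes": [], "cpe": [], "tests": {}}
            entries.append(current)
        elif line.startswith("Class "):
            current["classes"].append([part.strip() for part in line[len("Class "):].split("|")])
        elif line.startswith("CPE "):
            current["cpe"].append(line[len("CPE "):].split()[0])
        else:
            m = TEST_LINE.match(line)
            if m:
                attrs = {}
                for kv in m.group(2).split("%"):
                    key, _, val = kv.partition("=")
                    attrs[key] = val
                current["tests"][m.group(1)] = attrs
    return entries


def _is_hex(s):
    return re.fullmatch(r"[0-9A-Fa-f]+", s) is not None


def expr_matches(expr, observed):
    """Evaluate one nmap test expression: '|' separates alternatives, 'A-B' is an
    inclusive hex range, '>N' / '<N' compare hex values, and '' matches only ''."""
    if expr == "":
        return observed == ""
    for alt in expr.split("|"):
        if alt == observed:
            return True
        if alt[:1] in (">", "<") and _is_hex(alt[1:]) and _is_hex(observed):
            lhs, rhs = int(observed, 16), int(alt[1:], 16)
            if (alt[0] == ">" and lhs > rhs) or (alt[0] == "<" and lhs < rhs):
                return True
        lo, sep, hi = alt.partition("-")
        if sep and _is_hex(lo) and _is_hex(hi) and _is_hex(observed):
            if int(lo, 16) <= int(observed, 16) <= int(hi, 16):
                return True
    return False


def score(entry, observed):
    """Count (matched, total) attributes that both the fingerprint and the observation carry."""
    matched = total = 0
    for test, attrs in observed.items():
        ref = entry["tests"].get(test)
        if ref is None:
            continue
        for key, val in attrs.items():
            if key in ref:
                total += 1
                matched += int(expr_matches(ref[key], val))
    return matched, total


def best_match(db, observed):
    """Rank fingerprints by fraction of matching attributes, best first."""
    ranked = [(e["name"],) + score(e, observed) for e in db]
    ranked.sort(key=lambda r: (r[1] / r[2]) if r[2] else 0.0, reverse=True)
    return ranked


# Constructed probe results, shaped like what nmap -O would collect from a Linux host.
OBSERVED_LINUX = {
    "SEQ": {"SP": "100", "GCD": "1", "ISR": "10A", "TI": "Z", "II": "I", "TS": "A"},
    "T1": {"R": "Y", "DF": "Y", "T": "40", "TG": "40", "S": "O", "A": "S+", "F": "AS", "RD": "0", "Q": ""},
}

if __name__ == "__main__":
    for name, matched, total in best_match(parse_db(SAMPLE_DB), OBSERVED_LINUX):
        print(f"{matched}/{total}  {name}")
```

The ranking output is the essence of what Nmap reports as "OS details" and "Aggressive OS guesses": the TTL-derived T/TG attributes and the IP ID behaviour (TI) are what separate the two constructed entries here, which is also why an outdated database quietly degrades results as new OS versions change those defaults.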

OS detection with Xprobe

Most of us are familiar with nmap, but Xprobe is far less well known.
Xprobe is an active OS fingerprinting tool. It is an alternative to tools that depend heavily on the TCP protocol for remote active OS fingerprinting.
This is especially true when trying to identify some Microsoft-based operating systems, where TCP is the protocol being used for the fingerprinting process.

To install Xprobe2 on Ubuntu/Debian, type the following command:

sudo apt-get install xprobe2  

Usage:

usage: xprobe2 [options] target
Options:
          -v                       Be verbose
          -r                       Show route to target(traceroute)
          -p <proto:portnum:state> Specify portnumber, protocol and state.
                                   Example: tcp:23:open, UDP:53:CLOSED
          -c <configfile>          Specify config file to use.
          -h                       Print this help.
          -o <fname>               Use logfile to log everything.
          -t <time_sec>            Set initial receive timeout or roundtrip time.
          -s <send_delay>          Set packsending delay (milseconds).
          -d <debuglv>             Specify debugging level.
          -D <modnum>              Disable module number <modnum>.
          -M <modnum>              Enable module number <modnum>.
          -L                       Display modules.
          -m <numofmatches>        Specify number of matches to print.
          -T <portspec>            Enable TCP portscan for specified port(s).
                                   Example: -T21-23,53,110
          -U <portspec>            Enable UDP portscan for specified port(s).
          -f                       force fixed round-trip time (-t opt).
          -F                       Generate signature (use -o to save to a file).
          -X                       Generate XML output and save it to logfile specified with -o.
          -B                       Options forces TCP handshake module to try to guess open TCP port
          -A                       Perform analysis of sample packets gathered during portscan in
                                   order to detect suspicious traffic (i.e. transparent proxies,
                                   firewalls/NIDSs resetting connections). Use with -T.

Fingerprint of a Windows machine:

xprobe2 -v <target>
