OS Fingerprint as a method of obtaining information about the OS

OS fingerprinting is a method of obtaining information about the operating system of a host. It is relevant at the initial stage of an attack, since an attacker can use knowledge of the operating system type to decide which known vulnerabilities to try. The more accurately the attacker determines the type and version of the remote host's operating system, the more efficiently it is "hacked". Administrators, in turn, use all sorts of tricks to prevent their operating system from being pinpointed. To determine the operating system accurately, the comprehensive approach described in this document is needed. The process of determining the operating system cannot be described without also describing the scanning methods. After the probes are applied, a fingerprint of the system is formed and a match is looked up in a database of previously known fingerprints. There are two types of OS fingerprinting: active and passive. Active OS fingerprinting determines the operating system type by sending packets to the host under investigation.

Content
1. How to apply the OS Fingerprint method to fingerprint the OS?
2. Classic OSF Methods



Passive OS fingerprinting determines the operating system type by analysing packets that come from the host. The disadvantage of the active approach is that the attacker can easily be spotted by an IDS; its advantage is that there is no need to wait for the system under investigation to send a packet to the attacker, since the attacker sends packets to it at any convenient time. The disadvantage of passive OS detection is that it requires the attacker's host to be on the path to the target system, or the target system to contact the attacker's host; its advantage is that such reconnaissance is very difficult to detect.

How to apply the OS Fingerprint method to fingerprint the OS?
Remote fingerprinting is the process of identifying the host operating system and the network services listening on specific network ports. This is usually done in several ways: active and passive scanning, sending multiple packets and analysing the responses. In general, utilities such as nmap are good at scanning and detecting the version of a remote operating system, but when the host is behind a firewall these utilities help little, or produce ambiguous or incorrect results.

This is especially true for machines whose traffic is heavily filtered by a firewall and which can send and receive very few kinds of packets. In these cases other methods are needed to correctly determine the state of the remote computer. We will cover a few of them, including RING scans and ICMP scans. The first section discusses the various port scanning methods, and the second part attempts to shed some light on OS fingerprinting.

Classic OSF Methods
The classical methods are understood as the collection of so-called banners. A banner is the standard greeting of a service, for example FTPd, HTTPd, SMTPd, telnetd or identd, and the OS type is determined from it. Let's consider this in more detail.

Taking an OS fingerprint
Fingerprinting systems behind a firewall is complicated by the fact that the firewall can modify TCP/IP packets, misleading the investigator. Operating system fingerprinting methods are classified as passive and active.

Passive OS fingerprint
In passive OS fingerprinting, scanning in the usual sense is generally not used; instead an intermediate host (a zombie machine) is used, and an attempt is made to determine the operating system of the target host by calculating the differences between successive IPID values. This method is known as idle scan. You can also try to identify the target operating system by comparing the inbound and outbound traffic of the target host. Without considering these methods further, let's go directly to active fingerprinting of the remote system.
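The IPID-difference test mentioned above, as an added example that is not part of the original post: given a sampled sequence of IP ID values from one host, classify how the host generates them. A defender can run the same check against their own hosts, since a predictable sequence lets a third party count the packets the host sends. The sample sequences are constructed.

```python
# Added example (not from the original post): classify a host's IP ID generation
# from a sampled sequence. Sample sequences below are constructed, not captured.

def ipid_deltas(ids):
    """Differences between consecutive IP IDs, modulo the 16-bit field width."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]

def classify_ipid(ids):
    """Return one of: zero, constant, incremental, incremental-byte-swapped, random.
    'incremental-byte-swapped' is the +256 pattern produced when a host increments a
    little-endian counter and copies it into the header without byte swapping."""
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"                       # field unused: nothing to learn
    d = ipid_deltas(ids)
    if all(x == 0 for x in d):
        return "constant"
    if all(1 <= x <= 10 for x in d):        # small positive steps, wraps at 2^16 handled
        return "incremental"
    if all(x % 256 == 0 and 256 <= x <= 2560 for x in d):
        return "incremental-byte-swapped"
    return "random"

def is_predictable(ids):
    """True when the host's IP IDs reveal how many packets it sent between two probes,
    i.e. when it would be usable as an idle-scan zombie."""
    return classify_ipid(ids) in ("incremental", "incremental-byte-swapped")

# Constructed samples, as if read from the IP header of successive replies
SAMPLES = {
    "all-zero": [0, 0, 0, 0],
    "sequential": [65533, 65534, 65535, 0, 1],        # wraps around at 2^16
    "byte-swapped": [0x0100, 0x0200, 0x0300, 0x0400],  # +256 per packet
    "randomized": [41233, 9, 60122, 17744],
}

if __name__ == "__main__":
    for name, seq in SAMPLES.items():
        print(name, classify_ipid(seq), "predictable" if is_predictable(seq) else "not predictable")
```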

Active OS fingerprint
With active OS fingerprinting, arbitrary crafted packets are sent to the target host and an attempt is made to determine the OS from the values of the TCP/IP header fields, such as timing characteristics, IPID, TOS, TCP ISN, the fragmentation flag, etc.

Another old method of detecting a remote OS is to look at the TTL value of an ICMP echo reply packet. This is a simple method; however, it cannot tell the difference between different flavours of the same OS, such as Win98, XP and Win2k. Usually each OS has a fixed default TTL value. The default is 128 on Microsoft operating systems and 256 on Linux.

The following is an example of identifying the remote OS by the TTL value of an ICMP echo reply packet. I just ping the target machine and check the TTL value of the response packet. In this case it is 113, which indicates that the remote OS belongs to the Windows family, since the initial TTL of these systems is 128 and the route from my machine to the destination is approximately 15 intermediate hosts (113 + 15 = 128), which can be verified with traceroute.

It should be borne in mind that this is not the most reliable method. If the target host is a router or is behind NAT (Network Address Translation), this method will fail. Without going into the details of the known remote OS fingerprinting techniques used in utilities like nmap, I will describe a method that is difficult to implement but gives good results in identifying the remote OS.

This method is known as RING scan and has a software implementation. The essence of the technique is to send SYN packets to an open port and wait for the SYN/ACK. After a SYN/ACK packet is received, it is blocked (left unanswered), which forces the remote host to retransmit it after a timeout. By measuring the delay between these retransmitted SYN/ACK packets for different hosts, you can collect retransmission timing statistics for different operating systems.

This data can be used effectively to identify operating systems that have a similar TCP stack and are behind a firewall, for example FreeBSD and Windows 2000, which use the same type of TCP stack. I give an example in which nmap was unable to correctly identify the OS on two hosts, mistaking both for FreeBSD because one of the hosts was behind a firewall.

Telnetd research
This method requires that the telnetd daemon be running on the remote host and that we are able to establish a connection to it (in many cases this is now a problem, because everyone is switching to SSH; on Windows, on the other hand, telnet has only just started to be used actively). Previously, systems reported information about themselves (this was considered good form), for example:
Code:
HPUX

login:

But now the developers have realised their mistake and removed this feature. The probing method remains, however: after establishing a connection, we call sysread() and collect the option negotiation data of the telnet session.

An example of such information:
Code:
Linux <= 2.2.16: \xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'

To interpret the data received from the telnetd daemon correctly, we need the numbering of the TELOPT (Telnet Option) options, which are defined in telnet.h. Each operating system, with some exceptions, sends these options in its own order. After we have received the "fingerprint" as raw characters, we must first convert the data into numerical values (1-255) and then compare each value, in order, with the corresponding TELOPT option.
Code:
Raw bytes:       \xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'
Numerical value: 255 253 24  255 253 32  255 253 35  255 253 39

or, as telnet options:

IAC DO TELOPT_TTYPE  IAC DO TELOPT_LINEMODE  IAC DO TELOPT_XDISPLOC \
IAC DO TELOPT_NEW_ENVIRON

These TELOPT values can be viewed in /usr/include/arpa/telnet.h.
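The conversion described above, as an added example that is not part of the original post: the raw bytes a telnetd sends right after connect are decoded into IAC <command> <option> triples using the option numbers from arpa/telnet.h (where 32 is TELOPT_TSPEED and TELOPT_LINEMODE is 34), and the resulting option order is looked up in a small constructed fingerprint table seeded with the post's Linux sample.

```python
# Added example (not from the original post): decode telnet option negotiation into
# TELOPT names and match the option order against a constructed fingerprint table.
IAC, SB, SE = 255, 250, 240
CMD = {251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}
# Subset of the TELOPT_* numbers defined in /usr/include/arpa/telnet.h
TELOPT = {0: "BINARY", 1: "ECHO", 3: "SGA", 5: "STATUS", 24: "TTYPE", 31: "NAWS",
          32: "TSPEED", 33: "LFLOW", 34: "LINEMODE", 35: "XDISPLOC",
          36: "OLD_ENVIRON", 37: "AUTHENTICATION", 38: "ENCRYPT", 39: "NEW_ENVIRON"}

def decode_negotiation(raw):
    """Return [(cmd, option), ...] in the order sent. Subnegotiations (IAC SB ... IAC SE)
    are skipped and ordinary data bytes (e.g. a 'login:' prompt) are ignored."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != IAC or i + 1 >= len(raw):
            i += 1                                   # plain data byte
            continue
        cmd = raw[i + 1]
        if cmd == SB:                                # skip to the matching IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        elif cmd in CMD and i + 2 < len(raw):
            opt = raw[i + 2]
            out.append((CMD[cmd], "TELOPT_" + TELOPT.get(opt, "UNKNOWN_%d" % opt)))
            i += 3
        else:
            i += 2                                   # IAC IAC (escaped 0xff) or bare command
    return out

def option_fingerprint(raw):
    return " ".join("%s %s" % pair for pair in decode_negotiation(raw))

# Constructed table: the post's Linux <= 2.2.16 sample, decoded with telnet.h numbering
KNOWN = {
    "DO TELOPT_TTYPE DO TELOPT_TSPEED DO TELOPT_XDISPLOC DO TELOPT_NEW_ENVIRON":
        "Linux <= 2.2.16 (sample from the post)",
}

def identify_telnetd(raw):
    return KNOWN.get(option_fingerprint(raw), "unknown")

if __name__ == "__main__":
    sample = b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'"   # bytes 255 253 24 255 253 32 ...
    print(option_fingerprint(sample), "->", identify_telnetd(sample))
```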

Exploring HTTPd

HTTP request:
Code:
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Sat, 20 Jul 2002 20:38:04 GMT
Server: Apache/1.3.22 (Win32)
X-Powered-By: PHP/3.0.13
Connection: close
Content-Type: text/html

This shows that the remote system is Windows, because in the Server field the web service returns not only the type and version of the web server itself, but also the OS type.

If the remote responds that the type of Web server is Microsoft-IIS, then most likely it is Windows NT / 2000.
Code:
# printf 'GET / HTTP/1.0\r\n\r\n' | nc victim.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0

FTPd research
The FTP service greeting. Usually it is the greeting itself that matters or, if anonymous access is open, the information returned by the SYST command.
Code:
---> SYST
215 UNIX Type: L8 Version: BSD-199506
Remote system type is UNIX.
Using binary mode to transfer files.

Having received this reply, we can assume that it is FreeBSD. And if you connect to the FTP service you may receive a greeting such as:
Code:
220 target FTP server (Version wu-1.2(1) Mon Feb 30 18:04:42 EST 1995) ready.

This is most likely Linux, because wu-ftpd is included as standard on most Linux systems. Sometimes the system announces itself in the greeting:
Code:
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.

Even if the administrator does not forget to change the greeting, the information can still be obtained with the SYST command:
Code:
215 UNIX Type: L8 Version SUNOS

Identification by identd
This requires port 113 to be open and a connection to be established to the identd daemon. The form of the response is defined in RFC 1413:
Code:
The response is of the form <port-on-server>,<port-on-client>:<resp-type> : <add-info>

Sample answer:
Code:
>> XXX.XXX.XXX.XXX responded with pidentd 3.0.12 for Linux 2.2.12 (Dec 22 2000 17:00:25)

From here you can immediately see that the remote system is Linux (in this case Debian 2.2) with a 2.2.12 kernel. It also happens that the OS is not indicated explicitly, for example:
Code:
2.8.5  (Compiled:  11:18:59  Oct 23 2015)

In such cases OS fingerprinting is done from the compile timestamp: a database of identd build timestamps per OS is prepared in advance and the reply is matched against it. Accordingly, in this case it is FreeBSD 4.2-STABLE.
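The banner methods above (HTTP Server header, FTP SYST reply and greeting, identd reply) as one added example that is not part of the original post: each parser pulls the OS hint out of the reply. The inputs are the post's own sample lines; the matching rules are a constructed, deliberately small table.

```python
# Added example (not from the original post): extract the OS hint from the classic
# banners. Matching rules are a constructed subset, not a complete database.
import re

def os_from_http(response):
    """Server: header -> (server string, OS guess), as in the Apache (Win32) and IIS cases."""
    m = re.search(r"^Server:\s*(.+?)\s*$", response, re.M)
    if not m:
        return None, "unknown"                  # header suppressed or stripped by a proxy
    server = m.group(1)
    if server.startswith("Microsoft-IIS"):
        return server, "Windows NT/2000"
    m = re.search(r"\((Win32|Unix|Linux|FreeBSD|Debian|Red Hat|Ubuntu)", server)
    if not m:
        return server, "unknown"
    return server, ("Windows" if m.group(1) == "Win32" else m.group(1))

def os_from_ftp(lines):
    """Prefer the SYST reply (215 ...); fall back to the 220 greeting."""
    for line in lines:
        m = re.match(r"215\s+(\S+)\s+Type:\s*\S+\s+Version:?\s*(.+)", line)
        if m:
            ver = m.group(2).strip()
            if ver.startswith("BSD-"):
                return "FreeBSD or other BSD (%s)" % ver
            if "SUNOS" in ver.upper():
                return "SunOS"
            return "%s (%s)" % (m.group(1), ver)
    for line in lines:
        if line.startswith("220"):
            if "wu-" in line:                      # wu-ftpd: most likely Linux, per the post
                return "Linux (wu-ftpd)"
            m = re.search(r"\((UNIX\(r\) System V[^)]*)\)", line)
            if m:
                return m.group(1)
    return "unknown"

def os_from_identd(reply):
    """identd add-info field, e.g. 'pidentd 3.0.12 for Linux 2.2.12 (Dec 22 2000 ...)'."""
    m = re.search(r"pidentd\s+\S+\s+for\s+(\w+)\s+([\d.]+)", reply)
    if m:
        return "%s kernel %s" % (m.group(1), m.group(2))
    return "unknown"                               # only a compile timestamp: needs a timestamp database

if __name__ == "__main__":
    print(os_from_http("HTTP/1.1 200 OK\r\nServer: Apache/1.3.22 (Win32)\r\n"))
    print(os_from_ftp(["220 target FTP server (Version wu-1.2(1) Mon Feb 30 18:04:42 EST 1995) ready."]))
    print(os_from_identd(">> XXX.XXX.XXX.XXX responded with pidentd 3.0.12 for Linux 2.2.12 (Dec 22 2000 17:00:25)"))
```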

Methods Implemented in the Nmap Scanner
Nmap implements a method of obtaining information about the operating system of a remote host by probing the remote host's TCP/IP stack. Nmap is a good example of active OSF.

The method of probing the TCP/IP stack of a remote host. As a rule, the server's response to any remote action (an incoming data packet, a request) is a data packet sent back to the source of that action (below, the term "server" means the attacked host and the term "host" means the attacker's host).

As practice shows, different operating systems react differently to the same request on the network. By studying the characteristics of the responses of operating systems whose versions are known in advance, it is possible to collect statistics that correlate the response to a request with the OS type.

The statistics become more detailed when combined probes are used.
Moreover, by studying the reaction of a server running an unknown operating system and comparing it with the collected statistics, it is possible to determine not only the type but also the version of the operating system installed on the server. For example, you can accurately distinguish Solaris 2.4 from Solaris 2.50, or Linux kernel 2.0.30 (for all Linux, the kernel version is listed below) from Linux 2.0.35. Let's consider in more detail the basic tools for studying the server operating system.

P0f - passive OS fingerprinting tool
A utility for determining the operating system type by passively listening to traffic (for example, sniffing a web request).

Hping
Hping is described as a utility that can be used effectively for scanning, fingerprinting and firewall testing. Among its most useful features is the ability to send arbitrary packets of various protocols and perform remote scanning. This is very useful when examining a host's responses to various crafted packets.
 