| 关联规则 | 关联知识 | 关联工具 | 关联文档 | 关联抓包 |
| 参考1(官网) | |
| 参考2 | |
| 参考3 |
Introduction
Sometimes on a network it is benificial to know the Operating
System(OS) of a machine. Accessing a system is easier when you know the
OS because you can specifically search the internet for known security
holes in the OS. Granted, security holes are usually patched quickly,
but you need to know when a security hole exists.[出自:jiwo.org]
Scanning your own network to detect the OS types can help you to see what a hacker will be able to see about your network.
So, OS fingerpinting is the process of determining the operation system used by a host on a network.
Active fingerpinting
Activate fingerpinting is the process of transmitting packets to a remote host and analysing corresponding replies.
Passive fingerprinting
Passive fingerprinting is the process of analysing packets from a host on a network. In this case, fingerprinter acts as a sniffer and doesn’t put any traffic on a network.
Fingerprinting techniques
Allmost all fingerprinting techniques are based on detecting difference in packets generated by different operating systems.
Common techinques are based on analysing:
- IP TTL values;
- IP ID values;
- TCP Window size;
- TCP options(generally, in TCP SYN and SYN+ACK packets)
- DHCP reqests;
- TCMP requests;
- HTTP packets(generally, User-agent field).
Other techniques are based on analysing:
* Running services;
* Open port patterns.
OS detection with nmap
Nmap is the famous tool for fingerpinting and OS detection is one of the main features.
OS detection database
Nmap has a database which is installed when you install Nmap. The
database is used when doing OS detection, but it is noet automaticall
updated.
The database is located at/usr/share/nmap/nmap-os-dbor/usr/share/local/nmap/nmap-os-db.
Make sure you are using the latest db version. You can download the new
version from website. Perform the following commands in a Terminal:
wget https://svn.nmap.org/nmap/nmap-os-db
Nmap OS detection command
sudo nmap -O <target>
Try an example:
If they block ping probes you can do:(recommended)
sudo nmap -O <target> -Pn
OS detection with Xprobe
We are familiar with nmap,but with Xprobe is quite strange.
Xprobe is an active OS fingerprinting tool. Xprobe is an alternative to
some tools which are heavily dependent upong the usage of the TCP
protocol for remote active OS fingerprinting.
This is especially true when trying to identify some Microsoft based
operating systems, when TCP is the protocol being used with the
fingerprinting process.
To install Xprobe2 on ubuntu/debian type the following commands:
sudo apt-get install xprobe2
Usage:
usage: xprobe2 [options] target
Options:
-v Be verbose
-r Show route to target(traceroute)
-p <proto:portnum:state> Specify portnumber, protocol and state.
Example: tcp:23:open, UDP:53:CLOSED
-c <configfile> Specify config file to use.
-h Print this help.
-o <fname> Use logfile to log everything.
-t <time_sec> Set initial receive timeout or roundtrip time.
-s <send_delay> Set packsending delay (milseconds).
-d <debuglv> Specify debugging level.
-D <modnum> Disable module number <modnum>.
-M <modnum> Enable module number <modnum>.
-L Display modules.
-m <numofmatches> Specify number of matches to print.
-T <portspec> Enable TCP portscan for specified port(s).
Example: -T21-23,53,110
-U <portspec> Enable UDP portscan for specified port(s).
-f force fixed round-trip time (-t opt).
-F Generate signature (use -o to save to a file).
-X Generate XML output and save it to logfile specified with -o.
-B Options forces TCP handshake module to try to guess open TCP port
-A Perform analysis of sample packets gathered during portscan in
order to detect suspicious traffic (i.e. transparent proxies,
firewalls/NIDSs resetting connections). Use with -T.
Figerprint of a Windows machine:
xprobe2 -v <target>
