scanning
August 30, 2021

OS Fingerprinting - determining the operating system version of a host

Goal: remotely determine the operating system version of a host.

OS fingerprinting, or identifying operating system versions, can be performed in two modes: active, in which the host is probed from a controlling system, and passive, in which data is collected from network traffic.

This page covers active fingerprinting.

Two main utilities can be used for this task: xprobe and one of the best-known network scanners, nmap.

XPROBE

To avoid errors in the reported OS versions, the utility should be installed from the official repository. Prerequisites: the gcc compiler and the libpcap library, specifically the version given below, because the source does not build against a newer one.

$ sudo apt-get install libpcap0.8-dev
$ sudo apt-get install gcc

Download the application and compile it from source (the clone creates the xprobe2 directory):

$ git clone https://github.com/binarytrails/xprobe2
$ cd xprobe2
$ ./configure
$ make
$ sudo make install

The utility has few options. The full list is printed by -h; the most useful are listed below. Note that without -T/-U the port-based modules (tcp_hshake, smb, snmp) are skipped, as the run below shows.

-v Be verbose
-r Show route to target (traceroute-like output)
-T <portspec> Enable TCP portscan for specified port(s). Example: -T21-23,53,110
-U <portspec> Enable UDP portscan for specified port(s).
-o <fname> Use logfile to log everything.
-X Generate XML output and save it to logfile specified with -o

Usage example:

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]

[+] Target is 10.0.2.157
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.0.2.157. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.0.2.157. Module test failed
[-] No distance calculation. 10.0.2.157 appears to be dead or no ports known
[+] Host: 10.0.2.157 is up (Guess probability: 50%)
[+] Target: 10.0.2.157 is alive. Round-Trip Time: 0.49945 sec
[+] Selected safe Round-Trip Time value is: 0.99890 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 10.0.2.157 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
[+] Other guesses:
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation SP4" (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

NMAP

It is no accident that nmap is called the Swiss Army knife of every pentester and administrator. The processes that take place while scanning a host are fairly complex, but for fingerprinting you only need to pass the -O option. The -v option gives more detailed scan output.

administrator@F5-WS083:~/xprobe2$ sudo nmap -O -v 10.0.2.157
[sudo] password for administrator: 
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-30 14:53 MSK
Initiating Ping Scan at 14:53
Scanning 10.0.2.157 [4 ports]
Completed Ping Scan at 14:53, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:53
Completed Parallel DNS resolution of 1 host. at 14:53, 0.01s elapsed
Initiating SYN Stealth Scan at 14:53
Scanning hp-6ezxyjvanw82 (10.0.2.157) [1000 ports]
Discovered open port 135/tcp on 10.0.2.157
Discovered open port 139/tcp on 10.0.2.157
Completed SYN Stealth Scan at 14:53, 1.14s elapsed (1000 total ports)
Initiating OS detection (try #1) against hp-6ezxyjvanw82 (10.0.2.157)
Nmap scan report for hp-6ezxyjvanw82 (10.0.2.157)
Host is up (0.00024s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 - SP3
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental
Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
           Raw packets sent: 1101 (49.134KB) | Rcvd: 1017 (41.230KB)

What information can nmap provide?

  • Device type - a higher-level device class: router, switch, printer, and so on
  • OS CPE - identification of the device by Common Platform Enumeration (CPE)
  • Network Distance - the number of hops to the host
  • Uptime guess - the host's estimated uptime, derived from TCP timestamp options

Besides fingerprinting based on TCP data, there is another scanning mode: service version detection on the open ports (-sV), since many services run only on particular operating systems. An example of such a scan is shown below:

administrator@F5-WS083:~/xprobe2$ sudo nmap -sV -O -v 10.0.2.157
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-30 14:55 MSK
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 14:55
Scanning 10.0.2.157 [4 ports]
Completed Ping Scan at 14:55, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:55
Completed Parallel DNS resolution of 1 host. at 14:55, 0.00s elapsed
Initiating SYN Stealth Scan at 14:55
Scanning hp-6ezxyjvanw82 (10.0.2.157) [1000 ports]
Discovered open port 135/tcp on 10.0.2.157
Discovered open port 139/tcp on 10.0.2.157
Completed SYN Stealth Scan at 14:55, 1.14s elapsed (1000 total ports)
Initiating Service scan at 14:55
Scanning 2 services on hp-6ezxyjvanw82 (10.0.2.157)
Completed Service scan at 14:55, 6.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against hp-6ezxyjvanw82 (10.0.2.157)
NSE: Script scanning 10.0.2.157.
Initiating NSE at 14:55
Completed NSE at 14:55, 0.00s elapsed
Initiating NSE at 14:55
Completed NSE at 14:55, 0.00s elapsed
Nmap scan report for hp-6ezxyjvanw82 (10.0.2.157)
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 - SP3
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds
           Raw packets sent: 1101 (49.134KB) | Rcvd: 1018 (41.286KB)
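As an added example (not part of the original post or of nmap itself), a small Python parser for the text report that nmap -O / -sV prints, as shown above: it extracts the open ports with their detected versions, splits each OS CPE into vendor, product and update, and reads the Network Distance, so scan results can be loaded into an asset inventory instead of being read by eye. The report text is a constructed copy of the output above.

```python
import re
from typing import Dict

# Constructed sample: a trimmed copy of the "nmap -sV -O" report shown on this page.
SAMPLE_REPORT = """\
Nmap scan report for hp-6ezxyjvanw82 (10.0.2.157)
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 - SP3
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Port table row: "<port>/<proto> <state> <service> [<version...>]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")


def parse_cpe(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:update) into named fields."""
    fields = cpe.split(":")[1:]          # drop the "cpe" prefix; part is "/o" (OS) or "/a" (app)
    names = ["part", "vendor", "product", "version", "update"]
    fields += [""] * (len(names) - len(fields))   # pad short CPEs such as cpe:/o:microsoft:windows
    return dict(zip(names, fields))


def parse_nmap_report(text: str) -> Dict:
    """Parse the normal (non-XML) nmap report into a dict of host, ports and OS fields."""
    result = {"host": None, "ip": None, "ports": [], "os_cpe": [], "network_distance": None}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            result["host"], result["ip"] = m.group(1), m.group(2) or m.group(1)
        elif m := PORT_RE.match(line):
            result["ports"].append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                                    "service": m.group(4), "version": (m.group(5) or "").strip()})
        else:
            key, sep, value = line.partition(": ")   # "Key: value" lines; others are skipped
            if key == "OS CPE":
                result["os_cpe"] = [parse_cpe(c) for c in value.split()]
            elif key == "Network Distance":
                result["network_distance"] = int(value.split()[0])
            elif sep and key in ("Device type", "Running", "OS details", "Service Info"):
                result[key.lower().replace(" ", "_")] = value
    return result
```

Two CPEs in the OS CPE line (sp2 and sp3) mean nmap could not separate the service packs, so the inventory should record the range rather than a single version.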