OS Fingerprinting: determining the operating system version of a host
Task: remotely determine the operating system version of a host.
OS fingerprinting, or identifying operating system versions, can be performed in two modes: active, in which the target host is probed from the controlling system, and passive, in which the data is collected from network traffic.
This article covers active fingerprinting.
Two main utilities can be used for this task: xprobe and one of the best-known network scanners, nmap.
XPROBE
To avoid wrong OS version output, install the utility from the official repository. The mandatory prerequisites are the gcc compiler and the libpcap library, specifically the version given below, because the sources will not build against a newer one.
$ sudo apt-get install libpcap0.8-dev
$ sudo apt-get install gcc
Download the application and build it from source (the clone creates the directory xprobe2, so that is the one to enter):
$ git clone https://github.com/binarytrails/xprobe2
$ cd xprobe2
$ ./configure
$ make
$ sudo make install
The utility has few options. The full list is printed by -h; the most useful ones are:
-v              Be verbose
-r              Show route to target (traceroute-like output)
-T <portspec>   Enable TCP portscan for specified port(s). Example: -T21-23,53,110
-U <portspec>   Enable UDP portscan for specified port(s).
-o <fname>      Use logfile to log everything.
-X              Generate XML output and save it to logfile specified with -o
Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]
[+] Target is 10.0.2.157
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.0.2.157. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.0.2.157. Module test failed
[-] No distance calculation. 10.0.2.157 appears to be dead or no ports known
[+] Host: 10.0.2.157 is up (Guess probability: 50%)
[+] Target: 10.0.2.157 is alive. Round-Trip Time: 0.49945 sec
[+] Selected safe Round-Trip Time value is: 0.99890 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 10.0.2.157 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
[+] Other guesses:
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
[+] Host 10.0.2.157 Running OS: "Microsoft Windows 2000 Workstation SP4" (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
NMAP
Not for nothing is nmap called the Swiss army knife of every pentester and administrator. The processes that take place while a host is scanned are fairly complex, but for fingerprinting all that is needed is the -O option. The -v option gives more detailed scan output.
administrator@F5-WS083:~/xprobe2$ sudo nmap -O -v 10.0.2.157
[sudo] password for administrator:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-30 14:53 MSK
Initiating Ping Scan at 14:53
Scanning 10.0.2.157 [4 ports]
Completed Ping Scan at 14:53, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:53
Completed Parallel DNS resolution of 1 host. at 14:53, 0.01s elapsed
Initiating SYN Stealth Scan at 14:53
Scanning hp-6ezxyjvanw82 (10.0.2.157) [1000 ports]
Discovered open port 135/tcp on 10.0.2.157
Discovered open port 139/tcp on 10.0.2.157
Completed SYN Stealth Scan at 14:53, 1.14s elapsed (1000 total ports)
Initiating OS detection (try #1) against hp-6ezxyjvanw82 (10.0.2.157)
Nmap scan report for hp-6ezxyjvanw82 (10.0.2.157)
Host is up (0.00024s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 - SP3
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/bin/../share/nmap
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.39 seconds
           Raw packets sent: 1101 (49.134KB) | Rcvd: 1017 (41.230KB)
What information can nmap provide?
- Device type: a higher-level device class, such as router, switch, printer, etc.
- OS CPE: identification of the device by Common Platform Enumeration (CPE)
- Network Distance: the number of hops to the host
- Uptime guess: the host's estimated uptime, judged from certain TCP header fields (the TCP timestamp option)
Besides fingerprinting based on TCP/IP stack behaviour, there is another scan mode: analysis by open ports with service version detection (-sV), since services often run only on particular operating systems. An example of such a scan is shown below:
administrator@F5-WS083:~/xprobe2$ sudo nmap -sV -O -v 10.0.2.157
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-30 14:55 MSK
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 14:55
Scanning 10.0.2.157 [4 ports]
Completed Ping Scan at 14:55, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:55
Completed Parallel DNS resolution of 1 host. at 14:55, 0.00s elapsed
Initiating SYN Stealth Scan at 14:55
Scanning hp-6ezxyjvanw82 (10.0.2.157) [1000 ports]
Discovered open port 135/tcp on 10.0.2.157
Discovered open port 139/tcp on 10.0.2.157
Completed SYN Stealth Scan at 14:55, 1.14s elapsed (1000 total ports)
Initiating Service scan at 14:55
Scanning 2 services on hp-6ezxyjvanw82 (10.0.2.157)
Completed Service scan at 14:55, 6.01s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against hp-6ezxyjvanw82 (10.0.2.157)
NSE: Script scanning 10.0.2.157.
Initiating NSE at 14:55
Completed NSE at 14:55, 0.00s elapsed
Initiating NSE at 14:55
Completed NSE at 14:55, 0.00s elapsed
Nmap scan report for hp-6ezxyjvanw82 (10.0.2.157)
Host is up (0.00028s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 - SP3
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.67 seconds
           Raw packets sent: 1101 (49.134KB) | Rcvd: 1018 (41.286KB)
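As an added example (not part of the original article), a small Python parser that pulls the fields listed above (Device type, OS CPE, OS details, Network Distance, IP ID sequence, port versions) out of nmap's normal output and checks the fingerprinted CPE against what an asset inventory records for the host, which is how a defender would spot an unexpectedly old OS. The report text is copied from the -sV -O run above; the inventory CPE passed to the check is an assumed value.

```python
import re

# Report text copied from this page's "nmap -sV -O -v 10.0.2.157" run (only the lines the parser reads).
NMAP_REPORT = """\
Nmap scan report for hp-6ezxyjvanw82 (10.0.2.157)
PORT    STATE SERVICE     VERSION
135/tcp open  msrpc       Microsoft Windows RPC
139/tcp open  netbios-ssn Microsoft Windows netbios-ssn
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 - SP3
Network Distance: 2 hops
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+) \(([\d.]+)\)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
FIELD_RE = re.compile(r"^(Device type|Running|OS CPE|OS details|Network Distance|"
                      r"IP ID Sequence Generation|Service Info): (.*)$")


def parse_nmap_report(text):
    """Parse one host's normal-format nmap report into host name, address, ports and OS fields."""
    result = {"host": None, "addr": None, "ports": [], "os": {}}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            result["host"], result["addr"] = m.groups()
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            result["ports"].append({"port": int(port), "proto": proto, "state": state,
                                    "service": service, "version": version or ""})
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "OS CPE":
                value = value.split()          # several CPE strings share one line
            elif key == "Network Distance":
                value = int(value.split()[0])  # "2 hops" -> 2
            result["os"][key] = value
    return result


def inventory_mismatch(report, expected_cpe):
    """True when none of the fingerprinted OS CPEs starts with the CPE the inventory expects."""
    return not any(c.startswith(expected_cpe) for c in report["os"].get("OS CPE", []))
```

For the host above, an inventory entry of cpe:/o:microsoft:windows_xp is consistent with the scan, while an entry claiming a newer Windows is flagged as a mismatch worth investigating.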