After the TCP and UDP ports have been cataloged on a range of targets, it is useful to further classify the types of devices and hosts by operating system and firmware type (for example, Windows, IOS, Linux, and so on). While some of the open ports may suggest one operating system over another, it always helps to conduct additional testing using techniques that corroborate our hypothesis.
| Popularity | Simplicity | Impact | Risk Rating |
|---|---|---|---|
| 5 | 6 | 5 | 5 |
A clever technique for further identifying the innards of a target host or device is stack fingerprinting (http://www.insecure.org/nmap/nmap-fingerprinting-article.html), which observes the unique idiosyncrasies present in most OSs and firmware when they respond to certain network requests.
Let's try using the built-in OS detection option -O within Nmap on the VoIP devices in our internal SIP test bed environment to see how accurate it is:
```
[root@domain2 ~]# nmap -O -P0 192.168.1.1-254

Starting Nmap 4.01 (http://www.insecure.org/nmap/) at 2006-02-20 01:03 CST
Interesting ports on 192.168.1.21:
(The 1670 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:04:13:24:23:8D (Snom Technology AG)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 0.264 days (since Sun Feb 19 18:43:56 2006)

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.1.22:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)

Interesting ports on 192.168.1.23:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:15:62:86:BA:3E (Cisco Systems)
Device type: VoIP phone|VoIP adapter
Running: Cisco embedded
OS details: Cisco VoIP Phone 7905/7912 or ATA 186 Analog Telephone Adapter

Interesting ports on 192.168.1.24:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:08:DA:DA:17 (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway

Interesting ports on 192.168.1.25:
(The 1670 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
80/tcp   open   http
4144/tcp closed wincim
MAC Address: 00:0B:82:06:4D:37 (Grandstream Networks)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.01%P=i686-pc-linux-gnu%D=2/20%Tm=43F96A02%O=80%C=4144%M=000B82)
TSeq(Class=TD%gcd=1%SI=1%IPID=I%TS=U)
T1(Resp=Y%DF=Y%W=109%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=Y%W=800%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=109%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=Y%W=400%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=Y%W=1000%ACK=S++%Flags=AR%Ops=)
T5(Resp=Y%DF=Y%W=800%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=400%ACK=S++%Flags=AR%Ops=)
T7(Resp=Y%DF=Y%W=800%ACK=S++%Flags=AR%Ops=)
T7(Resp=Y%DF=Y%W=400%ACK=S++%Flags=AR%Ops=)
T7(Resp=Y%DF=Y%W=C00%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Interesting ports on 192.168.1.27:
(The 1670 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
5060/tcp open  sip
MAC Address: 00:04:F2:03:15:46 (Polycom)
Device type: X terminal|load balancer
Running: Neoware NetOS, HP embedded, Cisco embedded
OS details: Cisco 11151/Arrowpoint 150 load balancer, Neoware (was HDS) NetOS V. 2.0.1 or HP Entria C3230A

Interesting ports on 192.168.1.51:
(The 1670 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https
MAC Address: 00:04:13:23:34:95 (Snom Technology AG)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 0.265 days (since Sun Feb 19 18:43:55 2006)

Interesting ports on 192.168.1.52:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
23/tcp open  telnet
MAC Address: 00:15:62:EA:69:E8 (Cisco Systems)
Device type: VoIP phone
Running: Cisco embedded
OS details: Cisco IP phone (POS3-04-3-00, PC030301)

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.1.53 are: closed
MAC Address: 00:04:0D:50:40:B0 (Avaya)
Too many fingerprints match this host to give specific OS details

Interesting ports on 192.168.1.54:
(The 1671 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:0E:08:DA:24:AE (Sipura Technology)
Device type: VoIP adapter
Running: Sipura embedded
OS details: Sipura SPA-841/1000/2000/3000 POTS<->VoIP gateway

Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
All 1672 scanned ports on 192.168.1.55 are: closed
MAC Address: 00:E0:11:03:03:97 (Uniden SAN Diego R&D Center)
Aggressive OS guesses: NetJet Version 3.0 - 4.0 Printer (94%), Cray UNICOS/mk 8.6 (93%), Intel NetportExpress XL Print Server (93%), Kyocera IB-21 Printer NIC (93%), Kyocera Printer (network module IB-21E 1.3.x) (93%), OkiData 20nx printer with OkiLAN ethernet module (93%), Okidata 7200 Printer (93%), Okidata OKI C5100 Laser Printer (93%), Okidata OKI C7200 Printer (93%), Zebra Technologies TLP2844-Z printer (93%)
No exact OS matches for host (test conditions non-ideal).

Interesting ports on 192.168.1.56:
(The 1669 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
1005/tcp open  unknown
MAC Address: 00:0D:61:0B:EA:36 (Giga-Byte Technology Co.)
Device type: general purpose
Running: Microsoft Windows 2003/.NET|NT/2K/XP
OS details: Microsoft Windows 2003 Server or XP SP2

Interesting ports on 192.168.1.57:
(The 1670 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
5060/tcp open  sip
MAC Address: 00:01:E1:02:C8:DB (Kinpo Electronics)
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.01%P=i686-pc-linux-gnu%D=2/20%Tm=43F96A29%O=80%C=1%M=0001E1)
TSeq(Class=TD%gcd=9C4%SI=0%IPID=I%TS=U)
TSeq(Class=TD%gcd=9C4%SI=1%IPID=I%TS=U)
TSeq(Class=TD%gcd=9C4%SI=0%IPID=I%TS=U)
T1(Resp=Y%DF=N%W=578%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=Y%DF=N%W=578%ACK=S++%Flags=AS%Ops=M)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=N)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=F%UCK=E%ULEN=134%DAT=E)

Interesting ports on 192.168.1.103:
(The 1666 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
113/tcp  open  auth
3306/tcp open  mysql
MAC Address: 00:09:7A:44:15:DB (Louis Design Labs.)
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux 2.4.0 - 2.5.20
Uptime 0.265 days (since Sun Feb 19 18:44:17 2006)

Interesting ports on 192.168.1.104:
(The 1669 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
111/tcp  open  rpcbind
5060/tcp open  sip
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7, Linux 2.6.3 - 2.6.10
Uptime 0.261 days (since Sun Feb 19 18:49:06 2006)

Nmap finished: 84 IP addresses (14 hosts up) scanned in 77.843 seconds
```
Not too shabby! By the time this book goes to press, hopefully a few of the unknown device fingerprints will have been included in the latest version of Nmap. We plan on contributing the OS fingerprints that are currently undetected in our continuous testing to the Nmap tool in order to give back to the community.
Nmap is simply one of several tools that analyze TCP, UDP, and ICMP protocol requests for OS and device identification. Other tools include Xprobe2 by Ofir Arkin (http://www.sys-security.org/index.php?page=xprobe), Queso by El Apostols (http://packetstormsecurity.org/UNIX/scanners/queso-980922.tar.gz), and Snacktime by Tod Beardsley (http://www.planb-security.net/wp/snacktime.html), to name a few.
Unfortunately, there's no easy fix to prevent attackers from determining an OS or device based on network responses. Preventing ICMP, TCP, and UDP port scanning will likely make this task much more difficult for an attacker. However, because of the variety of other detection methods available, this will likely not act as an effective deterrent. Shutting down unnecessary ports on services and devices (WWW, FTP, telnet, and so on) is the best way to prevent information leakage about your VoIP deployment.
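As an added example (not from the book or from the Nmap project), here is a small Python parser for the Nmap 4.01 normal output shown above. It keeps the "MUCH less reliable" warning attached to the host block it precedes, so an inventory can tell a solid fingerprint from a guess, and then lists which devices Nmap typed as VoIP gear still answer on the management services the countermeasure above says to shut off. The sample output is constructed from two hosts of the scan; the names parse_nmap_os_scan and exposed_management are chosen here.

```python
import re
SAMPLE = """\
Interesting ports on 192.168.1.21:
80/tcp  open  http
443/tcp open  https
MAC Address: 00:04:13:24:23:8D (Snom Technology AG)
Device type: general purpose
OS details: Linux 2.4.0 - 2.5.20
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.1.22:
23/tcp open  telnet
MAC Address: 00:0F:34:11:80:45 (Cisco Systems)
Device type: VoIP phone
OS details: Cisco IP phone (POS3-04-3-00, PC030301)
"""  # constructed sample in the Nmap 4.01 layout shown above (two hosts of the scan)

HOST_RE = re.compile(r"^(?:Interesting ports on|All \d+ scanned ports on) ([\d.]+)")
PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+(\w+)\s+(\S+)")
FIELDS = (("MAC Address:", "mac"), ("Device type:", "device"), ("OS details:", "os"))
MGMT = {"telnet", "ftp", "http", "https"}  # services the countermeasure says to shut off

def parse_nmap_os_scan(text):
    """One dict per host; 'reliable' is False when the open+closed warning preceded it."""
    hosts, cur, warned = [], None, False
    for line in text.splitlines():
        if line.startswith("Warning: OS detection will be MUCH less reliable"):
            warned = True          # Nmap prints this before the host block it concerns
            continue
        m = HOST_RE.match(line)
        if m:
            cur = {"ip": m.group(1), "ports": [], "mac": "", "device": "", "os": "",
                   "reliable": not warned}
            hosts.append(cur)
            warned = False
            continue
        if cur is None:            # header lines before the first host
            continue
        m = PORT_RE.match(line)
        if m:
            cur["ports"].append(m.groups())   # (port/proto, state, service)
        for key, field in FIELDS:
            if line.startswith(key):
                cur[field] = line.split(":", 1)[1].strip()
    return hosts

def exposed_management(hosts):
    """Hosts Nmap typed as VoIP gear, mapped to the management services still open."""
    return {h["ip"]: sorted(s for _, state, s in h["ports"] if state == "open" and s in MGMT)
            for h in hosts if "VoIP" in h["device"]}
```

Feed it the saved output of a real `nmap -O` run over your own VoIP segment and any device that shows up in exposed_management is a candidate for having its web or telnet interface disabled.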