TCP stack fingerprinting involves hurling a variety of packet probes at a target and predicting the remote OS by comparing changes in responses against a database. Nmap, by Fyodor of Insecure.org, is considered the best tool for the job. Nmap runs on Linux and Windows and can craft custom-fragmented packets.
9.2.1 Nmap Test
Let's try downloading Nmap (http://www.insecure.org/nmap) and using it against a remote host, with the following command:
nmap -v -sS -O ###.com
In this case, we're scanning a remote host running a pre-release version of Windows .NET Server RC2, so it's going to be tough to accurately fingerprint.
Host ###.com (xxx.xx.xx.xx) appears to be up ... good.
Initiating SYN half-open stealth scan against ###.com (xxx.xx.xx.xx)
Adding TCP port 88 (state open).
Adding TCP port 17 (state open).
Adding TCP port 389 (state open).
Adding TCP port 9 (state open).
Adding TCP port 19 (state open).
Adding TCP port 1068 (state open).
Adding TCP port 636 (state open).
Adding TCP port 593 (state open).
Adding TCP port 1067 (state open).
Adding TCP port 53 (state open).
Adding TCP port 13 (state open).
Adding TCP port 464 (state open).
Adding TCP port 445 (state open).
Adding TCP port 135 (state open).
Adding TCP port 5000 (state open).
Adding TCP port 7 (state open).
Adding TCP port 1026 (state open).
Adding TCP port 3389 (state open).
The SYN scan took 0 seconds to scan 1523 ports.
For OSScan assuming that port 7 is open and port 1 is closed and neither are firewalled
Interesting ports on ###.com (xxx.xx.xx.xx):
(The 1505 ports scanned but not shown below are in state: closed)
Port       State       Service
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
17/tcp     open        qotd
19/tcp     open        chargen
53/tcp     open        domain
88/tcp     open        kerberos-sec
135/tcp    open        loc-srv
389/tcp    open        ldap
445/tcp    open        microsoft-ds
464/tcp    open        kpasswd5
593/tcp    open        http-rpc-epmap
636/tcp    open        ldapssl
1026/tcp   open        nterm
1067/tcp   open        instl_boots
1068/tcp   open        instl_bootc
3389/tcp   open        msrdp
5000/tcp   open        fics

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=14410 (Worthy challenge)
Sequence numbers: 3AD7953F 3AD8570E 3AD97977 3ADA2100 3ADB1400 3ADB9658
Remote operating system guess: Windows 2000 RC1 through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
Nmap was impressively close, but not quite correct. The challenge was a little unfair, though, since the OS is a pre-release version. We used this example to emphasize the fact that TCP stack fingerprinting is based on an empirical database that must be regularly updated.
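To show what the "TCP Sequence Prediction" lines in that output actually measure, here is an added example (not code from the book or from Nmap itself) that takes the six sequence numbers printed above and recomputes the class and difficulty the way older Nmap releases did: the difficulty is the rounded standard deviation of the successive ISN increments, which reproduces the 14410 shown. The class rules are a simplified reconstruction, and the modulo-2^32 handling of a wrapping counter is an assumption.

```python
from functools import reduce
from math import gcd, sqrt

# Constructed input: the six ISNs from the "Sequence numbers:" line of the
# scan output above, in the order Nmap sampled them.
OBSERVED_ISNS = [0x3AD7953F, 0x3AD8570E, 0x3AD97977,
                 0x3ADA2100, 0x3ADB1400, 0x3ADB9658]


def isn_diffs(isns):
    """Signed increment between consecutive ISNs, taken modulo 2**32 so that
    a counter wrapping past 0xFFFFFFFF still shows a small positive step
    (assumption: old Nmap's minimal-modular-difference behaviour)."""
    diffs = []
    for prev, cur in zip(isns, isns[1:]):
        d = (cur - prev) % 2**32
        diffs.append(d - 2**32 if d >= 2**31 else d)  # reinterpret as signed
    return diffs


def difficulty(isns):
    """Nmap's old 'Difficulty' index: the population standard deviation of the
    increments, rounded to the nearest integer. Low means the next ISN is
    easy to predict; high means it is not."""
    diffs = isn_diffs(isns)
    mean = sum(diffs) / len(diffs)
    var = sum((d - mean) ** 2 for d in diffs) / len(diffs)
    return int(sqrt(var) + 0.5)


def classify(isns):
    """Simplified reconstruction of the sequence classes old Nmap reported:
    gcd-based rules for 'constant', '64K rule' and 'i800', then the sign of
    the increments decides between the last two classes."""
    diffs = isn_diffs(isns)
    g = reduce(gcd, (abs(d) for d in diffs))
    if g == 0:
        return "constant"
    if g % 64000 == 0:
        return "64K rule"
    if g % 800 == 0:
        return "i800"
    if all(d > 0 for d in diffs):
        return "random positive increments"
    return "true random"


def summarize(isns):
    """One-line summary in the shape of the scan output above."""
    return "Class=%s Difficulty=%d" % (classify(isns), difficulty(isns))


if __name__ == "__main__":
    print(summarize(OBSERVED_ISNS))  # Class=random positive increments Difficulty=14410
```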
9.2.2 Nmap Techniques
Fyodor has written a classic paper (listed in the references at the end of this chapter) that delves into the intricacies of the Nmap fingerprinting engine. Nmap uses the following techniques:
9.2.3 Defeating Nmap
There have been attempts to provide fingerprinting countermeasures. One example is IP Personality (http://ippersonality.sourceforge.net), a Linux netfilter module that allows you to vary the IP stack behavior in response to particular attack probes. The patch allows you to emulate the behavior of any system listed in Nmap's list of OS fingerprints. In essence, each variety of probe elicits a different "personality" from the module, resulting in a different response. Some features can even be applied to routed traffic and thus fool scans directed to machines that are behind the router.
Note that Nmap assumes that if a port is open, the service associated with that port number is up, which is not always a useful assumption. For example, some port monitoring programs hold ports open in an attempt to fool scanners and keep the connection open so they can spy on the attacker.