Operating System Fingerprinting Technique

OS fingerprinting: os fingerprinting refers to detection of target computer operation system.

Since different operating system responds differently to the same kind of ICMP message it is very important for an attacker to determine the exact operating system running on target system.

Also attacker can carry out attacks by taking over the vulnerabilities/bugs found in that particular operating system.

There are four areas that we will look at to determine the operating system.

1. TTL – what the operating system sets the time to live on the outbound packet.

2. Window size – what the operating system sets the window size at.

3. DF – does the operating system set the don’t fragment bit.

     4. TOS – does the operating system set the type of service and if so at what.

There are two different types of OS fingerprinting technique –

Active OS Fingerprinting – remote active operating system fingerprinting is the process of actively determining a targeted network nods underlying operating system by probing the targeted system with several packets and examining the response or lack thereof received?

      The traditional approach is to examine the TCP/IP stack behavior (IP, TCP, UDP and ICMP protocols)  

      of a targeted network element when probed with several legitimate and malformed packets.

 

Passive OS fingerprinting- passive fingerprinting is based on sniffer traces from the remote system. Instead of actively querying the remote system all you need to do is capture packets you can determine the operation system of the remote host. 

Just like in active fingerprinting passive fingerprinting is based on the principle that every operation systems IP stack has its own idiosyncrasies. By analyzing sniffer traces and identifying these differences you may be able determine the operating system of the remote host.

Read More

Network Hacking with Port Scanners

Port Scanning: port scanning is carried out to determine a list of open ports on the remote host that have certain services or daemons running. In port scanning, the attacker connects to various TCP and UDP ports and tries to determine which ports are in listening mode.

1     TCP Port Scanning: Almost all port scans are based on the client sending a packet containing a particular flag to the target port of the remote system to determine whether the port is open. Following table lists the type of flags a TCP packet header can contain.

 

A typical TCP/IP three way handshake can be described as follows:

1)      The client sends a SYN packet to the server.

2)      The server replies with a SYN packet and acknowledges the clients SYN packet by sending an ACK packet.

3)      The client acknowledges the SYN sent by the server.

Different technique of TCP port scanning are:

                        

1) TCP connect port scanning

2) TCP SYN scanning

3) SYN/ACK scanning

4) TCP FIN scanning

5) TCP NULL scanning

6) TCP Xmas tree scanning

UDP Ports Scanning: In UDP port scanning, a UDP packet is sent to each port on the target host one by one.

If the remoter port is closed then the server replies with a port unreachable ICMP error message. If the port is open then no such error message is generated.

FTP Bounce Port Scanning:  The FTP bounce port scanning technique was discovered by hobbit. He revealed a very interesting loophole in the FTP protocol that allowed user connected to the FTP service of a particular system to connect to any port of another system. This loophole allows anonymous port scanning.

Read More