OS Fingerprinting

This is a discussion on "OS Fingerprinting" within the Hacking part of the Computer Security: Discussions section.
If you do have something (papers, code, etc.) related to OS fingerprinting using TCP/IP, other than the insecure.org documents, you are welcome to share it here, thx.
Ha no, I had forgotten about packetstorm; request filled, I think ^^
Here's what I came up with after searching around a little bit:
http://www.phrack.org/show.php?p=57&a=7
I haven't read it yet, so I'm letting you read it and find what you need ^^

You can download some fingerprinting tools from the following page:
http://www.zone-h.com/en/download/category=14/
What is nice is that some of them have the source included.

Another paper over here, but I don't think it's what you are looking for. It's entitled "Defeating TCP/IP Stack Fingerprinting":
http://www.usenix.org/publications/libr ... mart_html/

I remember having a paper that explained how to detect the remote OS via a Perl script. I think I lost it though :/ Gonna look for it anyway...

Enjoy your reading m8 :lol:
Already knowing this, but thanks anyway. I have been reading some C code tonight about all this; it doesn't look so hard. The harder part is to determine all the TCP fingerprints needed to recognize an OS version, etc.
I have two ideas:
* Make the first public fingerprinting tool based on RPC UUID fingerprints; it will rock for sure.
* Implement the "RING" or "SnackTime" feature (fingerprinting based on TCP RTT) in an optimised tool, and be sure that many people will support you in building a massive database of OS fingerprints :)

Now my stuff. I wish you could read Persian, then I could link you to my detailed post on this topic, which is a kind of reference for most of the known cool fingerprinting methods :)

===================================
RPC UUID Fingerprinting & COM Object Fingerprinting
===================================
The Security Friday crew did a nice job and shared their research on RPC fingerprinting. Here it is:
http://www.blackhat.com/presentations/w ... ki-up2.pdf
You probably know their "RPCscan" PoC tool.

I've also discussed this method on the DailyDave list and got GREAT hints. I think most of you follow that list, so I'll not spam the forum by pasting them all here again, just some short ideas on where to begin. The interesting posts begin right here:
https://www.immunitysec.com/pipermail/d ... 02003.html
And Jean rocks here :>
https://www.immunitysec.com/pipermail/d ... 02029.html
Follow the two given links for detailed info.

It's time for Dave to present his technique used in CANVAS, which is known as "COM Object fingerprinting". A brand new method, btw :)
https://www.immunitysec.com/pipermail/d ... 02031.html
Finally, minds, here leaks a piece of useful code which gives us some idea of how Dave may dig around COM objects. The "axFuzz":
https://www.immunitysec.com/pipermail/d ... 02035.html
(Be careful about the enum code while running it. I highly recommend NOT running it on your working box.)

======================================
TCP RTT fingerprinting:
======================================
There are some tools already available based on this technique, but none of them looks interesting and useful in real use. But I think it's just because of the lack of a good DB of fingerprints. Like the old "tcp/ip stack" technique, if the community supports the project, it's even more trustable than the "tcp/ip stack fingerprinting" technique, IMO.
"RING" was the first PoC provided, and here is its paper:
http://www.planb-security.net/wp/ring.html
http://www.intranode.com/fr/doc/ring-full-paper.pdf
"SnackTime" followed "RING" and enhanced it in the right direction.
http://www.planb-security.net/wp/snacktime.html

===========================================
Some other techniques that make sense are fingerprinting based on HTTP responses, which I think is easy to bind into Dfind. Net-square provided a nice tool called "httprint" based on this idea. It was developed to fingerprint web servers, I think, but why not enhance the idea to fingerprint the OS? ;)
http://net-square.com/httprint/index.html

==========================================
And my own little idea, based on Terminal Services, to identify the Windows version. Remember the "TScrack" days? It would be great if we coded something which connects to the TS port, reads/analyzes that logon window banner and lets us know which version of Windows is running. At least it can make us sure whether it's NT/XP/2k/2k3 and Standard/Enterprise/Web edition. It's much to know, isn't it? Finally, an automated tool will be much faster than using any client to connect to the service and look at what's going on there.

Hmm, anything else? I'll add it if Google shows me any.
OK thx man
All this reminds me of a tool made by a member of THC (www.thc.org). It's called THC SMBget and it's used to get the workgroup, SMB server and OS. For the leet coders around, I found you the source:

Code:
/*
* This is a little smb OS-detection tool which gets workgroup, smbserver and OS
* works for all tested samba versions on different platforms
* like: macosx,aix,solaris,linux,bsd and all Windows platforms !
* below you can see some sample outputs:
*
* Windows 2003 gives me:
* Remote OS:
* ----------
* WINDOMAIN1
* Windows Server 2003 5.2
* Windows Server 2003 3790
*
* Windows NT gives me:
* Remote OS:
* ----------
* WINDOMAIN2
* NT LAN Manager 4.0
* Windows NT 4.0
*
* Windows 2k gives me:
* Remote OS:
* ----------
* WINDOMAIN3
* Windows 2000 LAN Manager
* Windows 5.0
*
* Windows XP gives me:
* Remote OS:
* ----------
* WINDOMAIN4
* Windows 2000 LAN Manager
* Windows 5.1
*
* Samba gives me:
* Remote OS:
* ----------
* SAMBADOMAIN1
* Samba 2.0.7
* Unix
*
* COMPILE:
* cl THCsmbgetOS.c
*
* RUN:
* C:\ccode\THCsmbgetOS>THCsmbgetOS.exe gnpctx01
*
* -------------------------------------------------------
* THCsmbgetOS v0.1 - gets group, server and os via SMB
* by Johnny Cyberpunk (jcyberpunk@thc.org)
* -------------------------------------------------------
*
*[*] Connecting Port 139....
*[*] Sending session request....
*[*] Sending negotiation request....
*[*] Sending setup account request....
*[*] Successful....
*
* Remote OS:
* ----------
* MYNTDOMAIN
* Windows Server 2003 5.2
* Windows Server 2003 3790
*
* Enjoy,
*
* http://www.thc.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

/* NetBIOS session request (type 0x81) carrying the encoded CALLED/CALLING names */
char sessionrequest[] =
"\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
"\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
"\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
"\x41\x43\x41\x43\x41\x41\x41\x00";

/* SMB_COM_NEGOTIATE (0x72) offering the single dialect "NT LM 0.12" */
char negotiate[] =
"\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
"\x31\x32\x00";

/* SMB_COM_SESSION_SETUP_ANDX (0x73) with an empty account/password: a null session.
 * The reply carries the server's NativeOS, NativeLanMan and PrimaryDomain strings. */
char setupaccount[] =
"\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
"\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff\xff\x02\x00\x5c\x02\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0b"
"\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d\x62\x00";

int main(int argc, char *argv[])
{
    unsigned short smbport = 139;
    unsigned char *infobuf;
    SOCKET sock;
    unsigned long addr = INADDR_NONE;
    unsigned int i;
    int rc;
    struct sockaddr_in smbtcp;
    struct hostent *hp;
    WSADATA wsaData;
    unsigned int zeroc = 0;

    printf("\n-------------------------------------------------------\n");
    printf(" THCsmbgetOS v0.1 - gets group, server and os via SMB\n");
    printf(" by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
    printf("-------------------------------------------------------\n");

    if (argc < 2)
    {
        printf("gimme host or ip\n");
        exit(-1);
    }

    if (WSAStartup(MAKEWORD(2, 1), &wsaData) != 0)
    {
        printf("WSAStartup failed !\n");
        exit(-1);
    }

    /* try a hostname first, then fall back to a dotted-quad address */
    hp = gethostbyname(argv[1]);
    if (!hp)
        addr = inet_addr(argv[1]);
    if ((!hp) && (addr == INADDR_NONE))
    {
        printf("Unable to resolve %s\n", argv[1]);
        exit(-1);
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET)
    {
        printf("socket() error...\n");
        exit(-1);
    }

    memset(&smbtcp, 0, sizeof(smbtcp));
    if (hp != NULL)
    {
        memcpy(&(smbtcp.sin_addr), hp->h_addr, hp->h_length);
        smbtcp.sin_family = hp->h_addrtype;
    }
    else
    {
        smbtcp.sin_addr.s_addr = addr;
        smbtcp.sin_family = AF_INET;
    }
    smbtcp.sin_port = htons(smbport);

    infobuf = malloc(256);
    memset(infobuf, 0, 256);

    printf("\n[*] Connecting Port 139....\n");
    rc = connect(sock, (struct sockaddr *)&smbtcp, sizeof(struct sockaddr_in));
    if (rc == 0)
    {
        printf("[*] Sending session request....\n");
        send(sock, sessionrequest, sizeof(sessionrequest) - 1, 0);
        Sleep(500);
        rc = recv(sock, (char *)infobuf, 256, 0);
        if (rc < 0)
        {
            printf("error = %d (rc=%u)\n\n", WSAGetLastError(), rc);
            return (-1);
        }
        memset(infobuf, 0, 256);

        printf("[*] Sending negotiation request....\n");
        send(sock, negotiate, sizeof(negotiate) - 1, 0);
        Sleep(500);
        rc = recv(sock, (char *)infobuf, 256, 0);
        if (rc < 0)
        {
            printf("error = %d (rc=%u)\n\n", WSAGetLastError(), rc);
            return (-2);
        }
        memset(infobuf, 0, 256);

        printf("[*] Sending setup account request....\n");
        send(sock, setupaccount, sizeof(setupaccount) - 1, 0);
        Sleep(500);
        rc = recv(sock, (char *)infobuf, 256, 0);
        if (rc < 0)
        {
            printf("error = %d (rc=%u)\n\n", WSAGetLastError(), rc);
            return (-3);
        }
        else if (rc == 0)
        {
            printf("[*] Successful....\n");
            printf("\nRemote OS:\n");
            printf("----------");
            printf("\nI got back a null buffer ! WINXP sometimes does it\n");
        }
        else
        {
            printf("[*] Successful....\n");
            printf("\nRemote OS:\n");
            printf("----------");
            /* Walk backwards from the end of the reply: the last three NUL-terminated
             * strings are PrimaryDomain, NativeLanMan and NativeOS, so print the string
             * that follows each NUL. The buffer was zeroed, so the first hit at
             * infobuf[rc] yields the empty line that separates "----------" from them. */
            i = rc;
            while ((--i > 0) && (zeroc < 4))
            {
                if (infobuf[i] == 0x00)
                {
                    printf("%s\n", (char *)&(infobuf[i + 1]));
                    zeroc++;
                }
            }
        }
        printf("\n\n");
    }
    else
        printf("can't connect to smb port 139!\n");

    shutdown(sock, 1);
    closesocket(sock);
    free(infobuf);
    exit(0);
}
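The tool above recovers the OS strings by walking backwards over NULs in the raw reply, which works for the ASCII replies it provokes but tells you nothing about why a parse failed and breaks on Unicode (UTF-16LE) replies. The following is an added example, not part of THCsmbgetOS or any THC code: it frames a Session Setup AndX reply the way the server sends it (NetBIOS session header, 32-byte SMB header, WordCount/ByteCount, then NativeOS, NativeLanMan and PrimaryDomain), parses it structurally, checks the NT status and the Unicode flag, and maps the strings to a product name using the sample outputs quoted in the tool's header comment. `build_session_setup_response` only constructs test vectors so the example runs offline; the packet layout follows the SMB1 specification, the product table is only as complete as the samples in this thread, and all names here are my own.

```python
"""Structured parse of an SMB1 Session Setup AndX reply (added example)."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_HEADER_LEN = 32          # bytes from the magic up to WordCount
FLAGS2_UNICODE = 0x8000      # Flags2 bit: string fields are UTF-16LE
ACTION_GUEST = 0x0001        # Action bit: server logged us in as guest


def build_session_setup_response(native_os, native_lanman, domain,
                                 unicode_strings=False, guest=True):
    """Construct a server reply frame. This is a constructed test vector, not a capture."""
    flags2 = FLAGS2_UNICODE if unicode_strings else 0
    header = (SMB_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX])
              + struct.pack("<IBHH", 0, 0x80, flags2, 0)   # status, flags, flags2, pid_high
              + b"\x00" * 8                                # security signature
              + struct.pack("<HHHHH", 0, 0, 0, 100, 0))    # reserved, tid, pid, uid, mid
    words = struct.pack("<BBHH", 0xFF, 0, 0, ACTION_GUEST if guest else 0)
    data_off = SMB_HEADER_LEN + 1 + len(words) + 2        # offset of the data block in the SMB
    strings = (native_os, native_lanman, domain)
    if unicode_strings:
        data = b"\x00" if data_off % 2 else b""          # align UTF-16 strings to 2 bytes
        data += b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    else:
        data = b"".join(s.encode("ascii") + b"\x00" for s in strings)
    smb = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb    # NetBIOS session message header


def _split_nul_strings(buf, unicode_strings):
    """Split NUL-terminated strings, stepping 2 bytes at a time for UTF-16LE."""
    width = 2 if unicode_strings else 1
    terminator = b"\x00" * width
    codec = "utf-16-le" if unicode_strings else "ascii"
    out, pos = [], 0
    while pos + width <= len(buf):
        end = pos
        while end + width <= len(buf) and buf[end:end + width] != terminator:
            end += width
        out.append(buf[pos:end].decode(codec, "replace"))
        pos = end + width
    return out


def parse_session_setup_response(frame):
    """Return native_os / native_lanman / primary_domain / guest from a reply frame."""
    if len(frame) < 4:
        raise ValueError("empty or truncated reply (the tool notes XP sometimes sends nothing)")
    nbt_type = frame[0]
    nbt_len = ((frame[1] & 0x01) << 16) | (frame[2] << 8) | frame[3]
    smb = frame[4:4 + nbt_len]
    if nbt_type != 0x00 or len(smb) != nbt_len:
        raise ValueError("not a complete NetBIOS session message")
    if len(smb) < SMB_HEADER_LEN + 3 or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    command = smb[4]
    status, = struct.unpack_from("<I", smb, 5)
    flags2, = struct.unpack_from("<H", smb, 10)
    if command != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("unexpected SMB command 0x%02x" % command)
    if status != 0:
        raise ValueError("session setup rejected, NT status 0x%08x" % status)
    word_count = smb[SMB_HEADER_LEN]
    params_off = SMB_HEADER_LEN + 1
    bc_off = params_off + 2 * word_count
    if bc_off + 2 > len(smb):
        raise ValueError("WordCount runs past end of message")
    byte_count, = struct.unpack_from("<H", smb, bc_off)
    data_off = bc_off + 2
    data = smb[data_off:data_off + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past end of message")
    action = struct.unpack_from("<H", smb, params_off + 4)[0] if word_count >= 3 else 0
    unicode_strings = bool(flags2 & FLAGS2_UNICODE)
    if unicode_strings and data_off % 2:
        data = data[1:]                                    # drop the alignment pad byte
    strings = _split_nul_strings(data, unicode_strings)
    strings += [""] * (3 - len(strings))
    return {"native_os": strings[0], "native_lanman": strings[1],
            "primary_domain": strings[2], "guest": bool(action & ACTION_GUEST)}


def guess_os(native_os, native_lanman):
    """Product name from the strings; table derived from the sample outputs quoted above."""
    if native_lanman.startswith("Samba"):
        return "Unix running " + native_lanman
    if native_os.startswith("Windows Server 2003"):
        return "Windows Server 2003"
    if native_os == "Windows 5.1":
        return "Windows XP"
    if native_os == "Windows 5.0":
        return "Windows 2000"
    if native_os.startswith("Windows NT 4.0"):
        return "Windows NT 4.0"
    return "unknown"


if __name__ == "__main__":
    sample = build_session_setup_response("Windows Server 2003 3790",
                                          "Windows Server 2003 5.2", "WINDOMAIN1")
    info = parse_session_setup_response(sample)
    print(info, "->", guess_os(info["native_os"], info["native_lanman"]))
```

To use it against a live host you would feed `parse_session_setup_response` the bytes received after the third send in the tool above; a non-zero NT status in that reply (rather than a string block) is exactly what a host with null sessions disabled returns.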
Yeah eXovel, nice job the SMBget is, BUT take a look here at the provided sample in the code:
Quote:

All such tools/codes need at least a basic IPC null session, which has long been patched since the release of SP2 on XP and SP1 on 2003. Also the CD versions of every 2k (with SP4 built in) are patched against that stuff (not sure about it). AND this method is only useful when you have access to the SMB port (139t/445u), then? Then it limits the work to open hosts/networks.

So, any other way? Yes: take time and scan a range of hosts (win32) for 1000-2000 ports. You'll be interested in the number of open ports, even on filtered ones. So how to use that open stuff to fingerprint? Hard and easy. In the case of SMB we'll probably fail. Here the RPC and COM fingerprinting methods come in useful. RPC will be possible if you find some UUID that lets you enum it anonymously, which I think is Dave's favourite! And about COM, I think it's much easier to find/enum anonymous binds. I just asked Dave about the COM stuff; hope to get some response.