OS Fingerprinting
If you have something (papers, code, etc.) related to OS fingerprinting using TCP/IP, apart from the insecure.org documents, you are welcome to share it here, thx.
Ha, no, I had forgotten about packetstorm (http://www.packetstormsecurity.com); request filled, I think ^^
Here's what I came up with after searching around a little bit:
http://www.phrack.org/show.php?p=57&a=7
Haven't read it yet, so I'm letting you read it and find what you need ^^
You can download some fingerprinting tools from the following page:
http://www.zone-h.com/en/download/category=14/
What is nice is that some of them have the src included :)
Another paper over here, but I don't think that's what you are looking for.
It's entitled "Defeating TCP/IP Stack Fingerprinting":
http://www.usenix.org/publications/library/proceedings/sec2000/full_papers/smart/smart_html/
I remember having a paper that explained how to detect a remote OS via a Perl script.
I think I lost it though :/
Gonna look for it anyway ...
Enjoy your reading m8 :lol:
Already knew this, but thanks anyway. I have been reading some C code tonight about all this; it doesn't look so hard. The harder part is to determine all the TCP fingerprints needed to recognize an OS version, etc.
Do you remember that lsasrv.dll remote exploit?
One version of that had OS fingerprinting. That may help, but I think it was limited somehow.
I have two ideas:
* Making the first public fingerprinting tool based on RPC UUID fingerprints;
it will rock for sure.
* Implementing the "RING" or "SnackTime" feature (fingerprinting based on TCP RTT) into an optimised tool,
and be sure that many people will support you to build a massive database
of OS fingerprints :)
Now my stuff. I wish you could read Persian; then I could link you to
my detailed post on this topic, which is kind of a reference for the most well-known cool
fingerprinting methods :)
===================================
RPC UUID Fingerprinting & COM Object Fingerprinting
===================================
The Security Friday crew did a nice job and shared their research on RPC fingerprinting. Here it is:
http://www.blackhat.com/presentations/win-usa-04/bh-win-04-seki-up2.pdf
You probably know their "RPCscan" PoC tool.
I've also discussed this method on the DailyDave list and got GREAT hints.
I think most of you follow that list, so I'll not spam the forum by pasting them all here again, just some short ideas on where to begin.
Interesting posts begin right here:
https://www.immunitysec.com/pipermail/dailydave/2005-June/002003.html
And Jean rocks here :>
https://www.immunitysec.com/pipermail/dailydave/2005-June/002029.html
Follow the two given links for detailed info.
It's time for Dave to present his technique used in CANVAS, which is
known as "COM Object fingerprinting". A brand new method, btw :)
https://www.immunitysec.com/pipermail/dailydave/2005-June/002031.html
Finally, minds, here leaks a piece of useful code which gives us some idea of
how Dave may dig around COM objects: the "axFuzz".
https://www.immunitysec.com/pipermail/dailydave/2005-June/002035.html
(Be careful about the enum code while running it. I highly recommend NOT running it on your working box.)
======================================
TCP RTT fingerprinting :
======================================
There are some tools already available based on this technique,
but none of them looks interesting and useful in real use. But I think it's
just because of the lack of a good DB of fingerprints. Like the old "tcp/ip stack" technique, if the community supports the project, it's even more trustworthy
than the "tcp/ip stack fingerprinting" technique IMO.
"RING" was the first PoC provided, and here is its paper:
http://www.planb-security.net/wp/ring.html
http://www.intranode.com/fr/doc/ring-full-paper.pdf
"SnackTime" followed "RING" and enhanced it in the right direction.
http://www.planb-security.net/wp/snacktime.html
===========================================
Some other techniques that make sense are fingerprinting based on HTTP
responses, which I think is easy to bind into Dfind. Net-square provided a
nice tool called "httprint" based on this idea. It was developed to fingerprint web servers, I think, but why not enhance the idea to fingerprint the OS? ;)
http://net-square.com/httprint/index.html
==========================================
AND my own little idea based on Terminal Services, to identify the Windows
version. Remember the "TScrack" days?
It would be great if we coded something which connects to the TS port and reads/analyzes that logon window banner and lets us know which version of Windows is running. At least it can make us sure if it's
NT/XP/2k/2k3 and Standard/Enterprise/Web edition. It's much to know, isn't it? Finally, an automated tool will be much faster than using any client to connect to the service and look at what's going on there.
Hmm, anything else? I'll add if Google shows me any.
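The RING/SnackTime idea above comes down to one classification step: leave a handshake unanswered, record when the SYN/ACK and its retransmissions arrive, and compare the gaps against a database of per-stack retransmission timers. The following is an added example (not code from the post, RING or SnackTime) of that matching step only; it works on timestamps you already have, for instance from your own capture of a host you are inventorying. The profile values in PROFILES are constructed placeholders, not measured timers of any real stack, and the "unknown" outcome is the guard for the case the post raises, a stack that is simply not in the database.

```python
"""RTT/retransmission-timer fingerprint matching (added example).

The timer profiles are made-up illustrative numbers, not measurements
of any real TCP stack; a usable database would be built from captures.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed profiles: seconds between successive SYN/ACK retransmissions
# when the client never completes the handshake.
PROFILES: Dict[str, List[float]] = {
    "stack-A (example)": [3.0, 6.0, 12.0, 24.0],
    "stack-B (example)": [3.0, 6.0],
    "stack-C (example)": [1.0, 2.0, 4.0, 8.0, 16.0],
}


def intervals_from_timestamps(timestamps: Sequence[float]) -> List[float]:
    """Absolute arrival times of the SYN/ACK and its retransmissions
    -> gaps between them, which is what a profile describes."""
    if len(timestamps) < 2:
        return []
    return [later - earlier
            for earlier, later in zip(timestamps, timestamps[1:])]


def profile_distance(observed: Sequence[float], expected: Sequence[float],
                     count_penalty: float = 0.5) -> float:
    """Mean relative deviation over the intervals both sides have, plus a
    penalty for every retransmission the observation has too many or too
    few of. Relative (not absolute) deviation tolerates network jitter,
    because late retransmissions are spread much wider than early ones."""
    n = min(len(observed), len(expected))
    if n == 0:
        return float("inf")
    dev = sum(abs(o - e) / e for o, e in zip(observed, expected)) / n
    return dev + abs(len(observed) - len(expected)) * count_penalty


def match_profile(observed: Sequence[float],
                  profiles: Dict[str, List[float]] = PROFILES,
                  threshold: float = 0.2) -> Tuple[str, float]:
    """Closest profile as (name, distance); ("unknown", distance) when
    nothing is within the threshold, so a stack missing from the database
    is reported as such instead of being forced onto the nearest label."""
    best_name, best_dist = "unknown", float("inf")
    for name, expected in profiles.items():
        dist = profile_distance(observed, expected)
        if dist < best_dist:
            best_name, best_dist = name, dist
    if best_dist > threshold:
        return "unknown", best_dist
    return best_name, best_dist


def classify_capture(timestamps: Sequence[float]) -> Tuple[str, float]:
    """Timestamps in, best-matching profile out."""
    return match_profile(intervals_from_timestamps(timestamps))


if __name__ == "__main__":
    # Constructed capture: SYN/ACK at t=0, then four retransmissions.
    print(classify_capture([0.0, 3.1, 9.0, 21.2, 45.0]))  # stack-A (example)
    # Constructed capture with gaps that fit no profile.
    print(classify_capture([0.0, 0.5, 1.0, 1.5]))          # unknown
```

The threshold and count penalty are tuning knobs: a lower threshold gives fewer false labels at the cost of more "unknown" results, which for an asset inventory is usually the right trade.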
Very useful info mate, but not many Windows OSes have the RDC port open.
All this reminds me of a tool made by some member of THC (http://www.thc.org).
It's called THC SMBget and it's used to get workgroup, SMB server and OS.
For the leet coders around, I found you the src :D
/*
* This is a little smb OS-detection tool which gets workgroup, smbserver and OS
* works for all tested samba versions on different platforms
* like: macosx,aix,solaris,linux,bsd and all Windows platforms !
* below you can see some sample outputs:
*
* Windows 2003 gives me:
* Remote OS:
* ----------
* WINDOMAIN1
* Windows Server 2003 5.2
* Windows Server 2003 3790
*
* Windows NT gives me:
* Remote OS:
* ----------
* WINDOMAIN2
* NT LAN Manager 4.0
* Windows NT 4.0
*
* Windows 2k gives me:
* Remote OS:
* ----------
* WINDOMAIN3
* Windows 2000 LAN Manager
* Windows 5.0
*
* Windows XP gives me:
* Remote OS:
* ----------
* WINDOMAIN4
* Windows 2000 LAN Manager
* Windows 5.1
*
* Samba gives me:
* Remote OS:
* ----------
* SAMBADOMAIN1
* Samba 2.0.7
* Unix
*
* COMPILE:
* cl THCsmbgetOS.c
*
* RUN:
* C:\ccode\THCsmbgetOS>THCsmbgetOS.exe gnpctx01
*
* -------------------------------------------------------
* THCsmbgetOS v0.1 - gets group, server and os via SMB
* by Johnny Cyberpunk (jcyberpunk@thc.org)
* -------------------------------------------------------
*
* Connecting Port 139....
* Sending session request....
* Sending negotiation request....
* Sending setup account request....
* Successful....
*
* Remote OS:
* ----------
* MYNTDOMAIN
* Windows Server 2003 5.2
* Windows Server 2003 3790
*
* Enjoy,
*
* http://www.thc.org
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
/* NetBIOS session request (type 0x81) with encoded called/calling names */
char sessionrequest[] =
    "\x81\x00\x00\x44\x20\x43\x4b\x46\x44\x45\x4e\x45\x43\x46\x44\x45"
    "\x46\x46\x43\x46\x47\x45\x46\x46\x43\x43\x41\x43\x41\x43\x41\x43"
    "\x41\x43\x41\x43\x41\x00\x20\x45\x4b\x45\x44\x46\x45\x45\x49\x45"
    "\x44\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43\x41\x43"
    "\x41\x43\x41\x43\x41\x41\x41\x00";

/* SMB Negotiate Protocol request offering the single dialect "NT LM 0.12" */
char negotiate[] =
    "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
    "\x00\x00\x00\x00\x00\x0c\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30\x2e"
    "\x31\x32\x00";

/* SMB Session Setup AndX request for an anonymous (null) session */
char setupaccount[] =
    "\x00\x00\x00\x48\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x5c\x02"
    "\x00\x00\x00\x00\x0d\xff\x00\x00\x00\xff\xff\x02\x00\x5c\x02\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0b"
    "\x00\x00\x00\x6e\x74\x00\x70\x79\x73\x6d\x62\x00";

int main(int argc, char *argv[])
{
    unsigned short smbport = 139;
    unsigned char *infobuf;
    SOCKET sock;
    unsigned long addr = INADDR_NONE;
    unsigned int i;
    int rc;
    struct sockaddr_in smbtcp;
    struct hostent *hp;
    WSADATA wsaData;
    unsigned int zeroc = 0;

    printf("\n-------------------------------------------------------\n");
    printf(" THCsmbgetOS v0.1 - gets group, server and os via SMB\n");
    printf(" by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
    printf("-------------------------------------------------------\n");

    if (argc < 2)
    {
        printf("gimme host or ip\n");
        exit(-1);
    }
    if (WSAStartup(MAKEWORD(2, 1), &wsaData) != 0)
    {
        printf("WSAStartup failed !\n");
        exit(-1);
    }

    /* Resolve a hostname first, fall back to a dotted-quad address */
    hp = gethostbyname(argv[1]);
    if (!hp)
    {
        addr = inet_addr(argv[1]);
    }
    if ((!hp) && (addr == INADDR_NONE))
    {
        printf("Unable to resolve %s\n", argv[1]);
        exit(-1);
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET)   /* socket() signals failure with INVALID_SOCKET, not 0 */
    {
        printf("socket() error...\n");
        exit(-1);
    }

    memset(&smbtcp, 0, sizeof(smbtcp));
    if (hp != NULL)
        memcpy(&(smbtcp.sin_addr), hp->h_addr, hp->h_length);
    else
        smbtcp.sin_addr.s_addr = addr;
    if (hp)
        smbtcp.sin_family = hp->h_addrtype;
    else
        smbtcp.sin_family = AF_INET;
    smbtcp.sin_port = htons(smbport);

    infobuf = malloc(256);
    memset(infobuf, 0, 256);

    printf("\n Connecting Port 139....\n");
    rc = connect(sock, (struct sockaddr *)&smbtcp, sizeof(struct sockaddr_in));
    if (rc == 0)
    {
        /* Each request is followed by a short pause so the reply is in
           the buffer when recv() is called. Only 255 bytes are read so the
           last byte of the buffer always stays a NUL terminator. */
        printf(" Sending session request....\n");
        send(sock, sessionrequest, sizeof(sessionrequest) - 1, 0);
        Sleep(500);
        rc = recv(sock, (char *)infobuf, 255, 0);
        if (rc < 0)
        {
            printf("error = %d (rc=%d)\n\n", WSAGetLastError(), rc);
            return (-1);
        }
        memset(infobuf, 0, 256);

        printf(" Sending negotiation request....\n");
        send(sock, negotiate, sizeof(negotiate) - 1, 0);
        Sleep(500);
        rc = recv(sock, (char *)infobuf, 255, 0);
        if (rc < 0)
        {
            printf("error = %d (rc=%d)\n\n", WSAGetLastError(), rc);
            return (-2);
        }
        memset(infobuf, 0, 256);

        printf(" Sending setup account request....\n");
        send(sock, setupaccount, sizeof(setupaccount) - 1, 0);
        Sleep(500);
        rc = recv(sock, (char *)infobuf, 255, 0);
        if (rc < 0)
        {
            printf("error = %d (rc=%d)\n\n", WSAGetLastError(), rc);
            return (-3);
        }
        else if (rc == 0)
        {
            printf(" Successful....\n");
            printf("\nRemote OS:\n");
            printf("----------");
            printf("\nI got back a null buffer ! WINXP sometimes does it\n");
        }
        else
        {
            printf(" Successful....\n");
            printf("\nRemote OS:\n");
            printf("----------");
            /* The Native OS, Native LanMan and Primary Domain strings sit at
               the end of the Session Setup reply, each NUL-terminated. Walk
               backwards and print the string that follows each of the last
               four NULs (the first one found is the empty trailing string). */
            i = rc;
            while ((--i > 0) && (zeroc < 4))
            {
                if (infobuf[i] == 0x00)
                {
                    printf("%s\n", (char *)&(infobuf[i + 1]));
                    zeroc++;
                }
            }
        }
        printf("\n\n");
    }
    else
        printf("can't connect to smb port 139!\n");

    shutdown(sock, 1);
    closesocket(sock);
    free(infobuf);
    WSACleanup();
    exit(0);
}
Hope this helps :)
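The only protocol logic in the tool above is the last step: pulling the Native OS, Native LanMan and Primary Domain strings out of the Session Setup AndX reply, which the C code does by scanning backwards over NUL bytes. The block below is an added example (not THC code) that parses the same reply forwards from the SMB header and ByteCount instead, so a truncated or non-SMB reply is rejected rather than printed. It assumes the ASCII (non-Unicode) reply that the tool's "NT LM 0.12" negotiation and zeroed Flags2 produce, handles the empty reply the tool special-cases for XP, and maps the strings to a product name using only the correspondences shown in the tool's sample output. The packet used as input is constructed by build_session_setup_response, not captured traffic.

```python
"""Parse the OS strings from an SMB1 Session Setup AndX reply (added example).

Assumes an ASCII reply (Flags2 Unicode bit clear), as produced by the
"NT LM 0.12" negotiation above. The sample packet is constructed, not captured.
"""
import struct
from typing import Dict, Optional

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_HEADER_LEN = 32
FLAGS2_UNICODE = 0x8000


def build_session_setup_response(native_os: str, native_lanman: str,
                                 primary_domain: str) -> bytes:
    """Construct a minimal NetBIOS-framed Session Setup AndX reply; real
    servers fill in more header fields, but the layout parsed below is the same."""
    data = b"".join(s.encode("ascii") + b"\x00"
                    for s in (native_os, native_lanman, primary_domain))
    # WordCount=3: AndXCommand (0xFF = none), AndXReserved, AndXOffset, Action
    params = bytes([3]) + struct.pack("<BBHH", 0xFF, 0x00, 0x0000, 0x0000)
    smb = (SMB_MAGIC + bytes([SMB_COM_SESSION_SETUP_ANDX]) + b"\x00" * 27
           + params + struct.pack("<H", len(data)) + data)
    # NetBIOS session message: type 0x00, flags/length-high 0x00, 16-bit length
    return struct.pack(">BBH", 0x00, 0x00, len(smb)) + smb


def parse_session_setup_response(packet: bytes) -> Optional[Dict[str, object]]:
    """Return the three identification strings plus the NT status, or None
    for an empty reply (the "null buffer" case the tool reports for XP).
    Raises ValueError for anything that is not a well-formed ASCII reply."""
    if not packet:
        return None
    if len(packet) < 4:
        raise ValueError("truncated NetBIOS session header")
    length = ((packet[1] & 0x01) << 16) | struct.unpack(">H", packet[2:4])[0]
    smb = packet[4:4 + length]
    if len(smb) < SMB_HEADER_LEN or smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    if smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("unexpected SMB command 0x%02x" % smb[4])
    status = struct.unpack("<I", smb[5:9])[0]
    flags2 = struct.unpack("<H", smb[10:12])[0]
    if flags2 & FLAGS2_UNICODE:
        raise ValueError("Unicode reply; this parser handles ASCII replies only")
    word_count = smb[SMB_HEADER_LEN]
    bc_off = SMB_HEADER_LEN + 1 + 2 * word_count
    if len(smb) < bc_off + 2:
        raise ValueError("truncated parameter block")
    byte_count = struct.unpack("<H", smb[bc_off:bc_off + 2])[0]
    data = smb[bc_off + 2:bc_off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated data block")
    fields = data.split(b"\x00")
    if len(fields) < 4:  # three strings, each NUL-terminated, then the empty tail
        raise ValueError("expected three NUL-terminated strings")
    native_os, native_lanman, domain = (f.decode("ascii", "replace")
                                        for f in fields[:3])
    return {"status": status, "native_os": native_os,
            "native_lanman": native_lanman, "primary_domain": domain}


def classify(native_os: str, native_lanman: str) -> str:
    """Product name from the reply strings, using only the pairings shown in
    the tool's sample output (Windows 5.0 = 2000, Windows 5.1 = XP, ...)."""
    if native_lanman.startswith("Samba"):
        return "Samba (%s)" % native_os
    if native_os.startswith("Windows Server 2003"):
        return "Windows Server 2003"
    if native_os.startswith("Windows NT 4.0"):
        return "Windows NT 4.0"
    if native_os == "Windows 5.0":
        return "Windows 2000"
    if native_os == "Windows 5.1":
        return "Windows XP"
    return "unknown"


if __name__ == "__main__":
    pkt = build_session_setup_response("Windows 5.1",
                                       "Windows 2000 LAN Manager", "WINDOMAIN4")
    info = parse_session_setup_response(pkt)
    print(info, classify(info["native_os"], info["native_lanman"]))
```

Checking the NT status before trusting the strings matters in practice: a server that rejects the anonymous session still returns a Session Setup reply, and the strings in an error reply (if any) should not be taken as an identification.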
Yeah eXovel, nice job the SMBget is, BUT
take a look here at the provided sample in the code:
* Sending session request....
* Sending negotiation request....
* Sending setup account request....
* Successful....
Got me?
All such tools/codes need at least a basic IPC null session, which has long been patched since the release of SP2 on XP and SP1 on 2003. Also CD versions of
every 2k (SP4 installed built-in) are patched against that stuff (not sure about it).
AND, this method is only useful when you have access to the SMB port (139t/445u).
Then?
Then it limits the work to open hosts/networks.
So any other way? Yes.
Take time and scan a range of hosts (win32) for 1000-2000 ports.
You'll be interested in the number of open ports, even on filtered ones.
So how to use that open stuff to fingerprint?
Hard and easy. In the case of SMB we'll probably fail.
Here the RPC and COM fingerprinting methods come in useful.
RPC will be possible if you find some UUID that lets you enum it anonymously, which I think is Dave's favourite!
And about COM, I think it's much easier to find/enum anonymous binds.
Just asked about the COM stuff from Dave. Hope to get some response :)
http://www.digitaldefense.net/labs/tools/404print.c
OS version (model - SP) fingerprinting through IIS.
Might help, I dunno; was searching the net!