Testing your knowledge of how hackers collect system information before an attack


Understanding operating systems is important for everyone in computing. To become a hacker, you must understand the operating system deeply. Below we discuss this topic.
Let's first look at the basic process of a hacker intrusion: 1. identify the operating system of the target -> 2. scan its ports and determine which services are open (these two steps may be performed at the same time) -> 3. choose an intrusion method suited to the operating system and the open services; there are usually two: "overflow" and "weak password guessing" -> 4. obtain the highest privileges on the system -> 5. plant backdoors, clear the logs and leave (some may also wipe the disk on the way out).
As you can see, identifying the operating system type is the most basic step of the whole process. If you don't even know what operating system the other side runs, there is nothing you can do about intruding.
Few people ask themselves why we need to know the other side's operating system first. The reason is that we need to understand how the system manages memory and how it processes input and output data. Nothing in the world is perfect (which is, of course, what keeps us humans striving), and an operating system is a complex piece of software that is prone to errors in the way it controls memory and processes data (especially once other applications are installed). The system itself also has all kinds of vulnerabilities and deficiencies. Hackers exploit these vulnerabilities and errors to break into the system, and the intrusion tools popular on the Internet were written by hackers after analyzing system vulnerabilities and known errors (buffer overflows being the most common).
For an ordinary hacker, being good at using ready-made intrusion tools is enough to achieve the goal. But because different systems work on different principles, a given intrusion tool only targets the corresponding operating system. So identifying the operating system is essential, which requires a good understanding of operating systems and some basic networking knowledge (being a hacker is not that easy). There are plenty of articles on the Internet about the various operating systems; you can look them up yourself.
Here we introduce some simple operating system identification methods and hope they are useful to you.
1. Identify the Operating System Using ping
C:\> ping 10.1.1.2
Pinging 10.1.1.2 with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\>
C:\> ping 10.1.1.6
Pinging 10.1.1.6 with 32 bytes of data:
Request timed out.
Reply from 10.1.1.6: bytes=32 time=250ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
Ping statistics for 10.1.1.6:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 234ms, Maximum = 250ms, Average = 179ms
From the TTL value of the ICMP replies we can roughly tell the host type. For example, if TTL = 125 the host should be a Windows host, and if TTL = 235 it should be a UNIX-series host. In the two examples above, 10.1.1.2 is a Windows 2000 machine, while 10.1.1.6 is a UNIX machine (SunOS 5.8). This works because different operating systems build and answer ICMP packets differently, starting from different initial TTL values, and the TTL is decremented by 1 at every router the packet passes through, so the TTL seen in the reply differs. Which TTL value corresponds to which operating system is something you learn through observation and accumulated experience.
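As an added illustration of the TTL reasoning above (this is not code from the original post): a small Python helper that takes the TTL seen in a ping reply, picks the nearest commonly documented initial TTL (64, 128 or 255; this mapping is an assumption and a heuristic, not proof) and reports the implied hop count and OS family. A defender can run it over ping output from their own hosts to see what a reply gives away.

```python
import re
from typing import NamedTuple, Optional

# Assumed mapping of commonly documented default initial TTLs to OS families.
# Heuristic only: admins can change the default, and NAT or load balancers alter it.
INITIAL_TTLS = {
    64: "Linux/BSD and most UNIX-like systems",
    128: "Windows",
    255: "Solaris/SunOS and many network devices",
}

class TtlGuess(NamedTuple):
    observed_ttl: int
    initial_ttl: int
    hops: int
    os_family: str

def guess_from_ttl(observed_ttl: int) -> TtlGuess:
    """Pick the smallest default initial TTL >= the observed value; the difference
    is the number of routers that decremented it on the way back to us."""
    if not 0 < observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    initial = min(t for t in INITIAL_TTLS if t >= observed_ttl)
    return TtlGuess(observed_ttl, initial, initial - observed_ttl, INITIAL_TTLS[initial])

# Accepts both 'TTL=128' and the spaced 'TTL = 128' form seen in pasted output.
_TTL_RE = re.compile(r"TTL\s*=\s*(\d+)", re.IGNORECASE)

def ttls_from_ping_output(output: str) -> list[int]:
    """Extract every TTL from the reply lines of Windows 'ping' output."""
    return [int(v) for v in _TTL_RE.findall(output)]

def guess_from_ping_output(output: str) -> Optional[TtlGuess]:
    """Guess from the most common TTL in the output; None if nothing replied."""
    ttls = ttls_from_ping_output(output)
    if not ttls:
        return None
    return guess_from_ttl(max(set(ttls), key=ttls.count))

# Constructed sample, modelled on the second ping above (one timeout, three replies).
SAMPLE_PING = """Pinging 10.1.1.6 with 32 bytes of data:
Request timed out.
Reply from 10.1.1.6: bytes=32 time=250ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237"""

if __name__ == "__main__":
    g = guess_from_ping_output(SAMPLE_PING)
    print(f"TTL {g.observed_ttl}: initial {g.initial_ttl}, {g.hops} hops away, likely {g.os_family}")
```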
 
2. Connect directly to a port and identify the system from what it returns
This is the most widely used method. Let's look at several examples.
1. If the host has port 80 open, we can telnet to port 80 (if nc is available it is better to use it, because then you don't have to type blind).
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1998 Microsoft Corp.
C:\> telnet 10.1.1.2 80
Type get and press Enter (note that you are typing blind).
If it returns:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 11 Jul 2003 02:31:55 GMT
Content-Type: text/html
Content-Length: 87
The parameter is incorrect.
The connection to the host is lost.
C:\>
then this must be a Windows host.
If it returns:
Method Not Implemented
get to / not supported.
Invalid method in request get
Apache/1.3.27 Server at gosiuniversity.com Port 80
The connection to the host is lost.
C:\>
then it is most likely a UNIX machine.
2. If the host has port 21 open, we can connect with ftp directly.
C:\> ftp 10.1.1.2
If it returns:
Connected to 10.1.1.2.
220 sgyyq-c43s950 Microsoft FTP Service (Version 5.0).
User (10.1.1.2:(none)):
then this is certainly a Windows 2000 machine, and we also learn the host name: sgyyq-c43s950. This FTP server is the one that comes with Windows IIS.
If it returns:
Connected to 10.1.1.3.
220 Serv-U FTP Server v4.0 for WinSock ready...
User (10.1.1.3:(none)):
you can also be certain it is a Windows host, because Serv-U FTP is an FTP server developed specifically for the Windows platform.
If it returns:
Connected to 10.1.1.3.
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
User (10.1.1.3:(none)):
then this is a UNIX machine.
 
3. If port 23 is open, it is simpler still: just telnet to it.
If it returns:
Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
Login:
then it must be a Windows host.
If it returns:
SunOS 5.8
Login:
then needless to say it is a UNIX machine, and the version is SunOS 5.8.
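An added example (not code from the original post) covering the banners quoted in this section: the same pattern rules an attacker reads them with, packaged so a defender can run them over the banners of their own hosts and see which services disclose the platform and version. The rule table is an assumption built only from the banners shown above; a real audit needs many more rules.

```python
import re
from typing import NamedTuple, Optional

class BannerMatch(NamedTuple):
    os_family: str
    product: str
    version: Optional[str]  # None when the banner names the product but no version

# Rule table assumed for this example, built only from the banners quoted in the text.
# First match wins; the optional named group 'v' captures a version string.
_RULES = [
    (r"Microsoft-IIS/(?P<v>[\d.]+)", "Windows", "IIS"),
    (r"Microsoft FTP Service \(Version (?P<v>[\d.]+)\)", "Windows", "Microsoft FTP Service"),
    (r"Serv-U FTP Server v(?P<v>[\d.]+)", "Windows", "Serv-U FTP"),
    (r"Microsoft Telnet Service", "Windows", "Microsoft Telnet"),
    (r"vsFTPd (?P<v>[\d.]+)", "UNIX", "vsftpd"),
    (r"SunOS (?P<v>[\d.]+)", "UNIX", "SunOS telnet"),
    # Apache also runs on Windows, hence the weaker verdict the text itself gives.
    (r"Apache/(?P<v>[\d.]+)", "UNIX (probable)", "Apache"),
]
_COMPILED = [(re.compile(p, re.IGNORECASE), o, pr) for p, o, pr in _RULES]

def classify_banner(banner: str) -> Optional[BannerMatch]:
    """Return what a banner gives away, or None if no rule recognises it."""
    for rx, os_family, product in _COMPILED:
        m = rx.search(banner)
        if m:
            return BannerMatch(os_family, product, m.groupdict().get("v"))
    return None

def audit_banners(banners: dict[int, str]) -> list[str]:
    """One finding per port whose banner discloses the platform and/or version."""
    findings = []
    for port, banner in sorted(banners.items()):
        hit = classify_banner(banner)
        if hit is None:
            continue
        detail = f"{hit.product} {hit.version}" if hit.version else hit.product
        findings.append(f"port {port}: reveals {detail} ({hit.os_family})")
    return findings

# Constructed sample: the banners quoted above, as one Windows host might present them.
SAMPLE_BANNERS = {
    21: "220 sgyyq-c43s950 Microsoft FTP Service (Version 5.0).",
    23: "Welcome to Microsoft Telnet Service",
    80: "HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\n",
    2121: "220 Serv-U FTP Server v4.0 for WinSock ready...",
}
if __name__ == "__main__":
    for line in audit_banners(SAMPLE_BANNERS):
        print(line)
```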
3. Identify using specialized software
Most software that can identify the operating system uses protocol stack fingerprinting. The TCP/IP protocol itself is standardized, but there is no uniform specification for how a vendor must implement its TCP/IP stack; each vendor writes its own stack according to its own needs, so the stacks of different operating systems behave differently. We can therefore distinguish operating systems by analyzing these differences in behaviour. Once we build a database that maps stack behaviour to operating systems, we can identify the operating system accurately. This is currently the most accurate and scientific identification technique, which is why it is also known as operating system "fingerprinting". Of course, the capability and accuracy of each tool depend on the database it has built.
The following is a brief introduction to two identification programs.
1. The well-known nmap uses active probing: during a scan it sends probe packets to the target system and determines the remote operating system from the packets the target sends back. Usage is as follows:
F:\nmap> nmap -vv -sS -O 10.1.1.5
Starting nmap V. 3.00
Host IS~123456ADCD (10.1.1.5) appears to be up ... good.
Initiating SYN Stealth Scan against IS~123456ADCD (10.1.1.5)
Adding open port 139/tcp
Adding open port 7070/tcp
Adding open port 554/tcp
Adding open port 23/tcp
Adding open port 1025/tcp
Adding open port 8080/tcp
Adding open port 21/tcp
Adding open port 5050/tcp
Adding open port 9090/tcp
Adding open port 443/tcp
Adding open port 135/tcp
Adding open port 1031/tcp
Adding open port 3372/tcp
Adding open port 25/tcp
Adding open port 1433/tcp
Adding open port 3389/tcp
Adding open port 445/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 1 second to scan 1601 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on IS~123456ADCD (10.1.1.5):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
1025/tcp open NFS-or-IIS
1031/tcp open iad2
1433/tcp open ms-SQL-s
3372/tcp open msdtc
3389/tcp open ms-term-serv
5050/tcp open mmcc
7070/tcp open realserver
8080/tcp open http-proxy
9090/tcp open zeus-admin
Remote operating system guess: Windows 2000/XP/ME
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=21F8%IPID=I%TS=0)
T1(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)
TCP Sequence Prediction: Class = random positive increments
Difficulty = 8696 (Worthy challenge)
TCP ISN Seq. Numbers: 5B9022E2 5B914E12 5B92A495 5B93915A 5B94A9B5 5B95CC64
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
The line "Remote operating system guess: Windows 2000/XP/ME" is nmap's judgment of the operating system type. A lot of other information is returned as well; nmap is the king of scanners.
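An added example (not from the original post, and not nmap's own code) of what the "database mapping stack behaviour to operating systems" described above amounts to: it parses fingerprint lines in the form nmap 3.00 prints them, such as T1(Resp=Y%DF=Y%W=FAF0%...), into tests and attributes, then scores an observed fingerprint against a small reference table. The table is constructed for this example (one entry taken from the scan output above, one deliberately different entry); the '|' syntax for alternative values follows nmap's own database format.

```python
import re
_FP_LINE = re.compile(r"^(?P<test>\w+)\((?P<body>[^)]*)\)$")

def parse_fingerprint(text: str) -> dict[str, dict[str, str]]:
    """'T1(Resp=Y%DF=Y)' -> {'T1': {'Resp': 'Y', 'DF': 'Y'}}; non-test lines are skipped."""
    tests: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        m = _FP_LINE.match(line.strip())
        if not m:
            continue
        attrs = {}
        for field in m.group("body").split("%"):
            if "=" in field:
                key, value = field.split("=", 1)
                attrs[key] = value  # 'Ops=' gives '', meaning no TCP options were sent
        tests[m.group("test")] = attrs
    return tests

def match_score(observed: dict, reference: dict) -> tuple[int, int]:
    """(hits, total) reference attributes the observed fingerprint satisfies. A reference
    value may list alternatives with '|'; an unanswered test misses all its attributes."""
    hits = total = 0
    for test, ref_attrs in reference.items():
        obs_attrs = observed.get(test, {})
        for attr, ref_value in ref_attrs.items():
            total += 1
            if obs_attrs.get(attr) in ref_value.split("|"):
                hits += 1
    return hits, total

def best_match(observed: dict, database: dict) -> tuple[str, float]:
    """Name and score of the entry with the highest fraction of satisfied attributes."""
    best_name, best_frac = "", -1.0
    for name, ref in database.items():
        hits, total = match_score(observed, ref)
        frac = hits / total if total else 0.0
        if frac > best_frac:
            best_name, best_frac = name, frac
    return best_name, best_frac

# Observed: the first three fingerprint lines of the nmap output above.
OBSERVED = parse_fingerprint("""OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=21F8%IPID=I%TS=0)
T1(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)""")
# Constructed reference table: one entry from the scan above, one invented contrast.
DATABASE = {
    "Windows 2000/XP/ME (from the scan above)": parse_fingerprint(
        "TSeq(Class=RI%IPID=I)\nT1(DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)\nT2(Resp=Y%DF=N%W=0%Flags=AR)"),
    "Constructed UNIX-like stack (illustrative only)": parse_fingerprint(
        "TSeq(Class=RI%IPID=Z|RD)\nT1(DF=Y%W=16A0|7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)\nT2(Resp=N)"),
}
```

Calling best_match(OBSERVED, DATABASE) returns the Windows entry with a full score; the real nmap database holds hundreds of such entries and more tests, but the matching idea is the same.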
2. Skyeye uses passive detection. Instead of sending packets to the target system, it passively captures the traffic on the network and analyzes it to determine the operating system type. It works well together with SuperScan.
Its exact usage is not described here; if you are interested, search the Internet for articles on how to use Skyeye.
The above describes some basic methods of operating system identification. Given my limited level, there are bound to be inaccuracies; corrections from the experts are welcome.
 
From the BLOG of Major League hackers
