Hacker's Essential Skills: The Probing That Precedes an Attack

Source: Internet
Author: User

Understanding the operating system is very important for everyone in the computing industry, and becoming a hacker requires a deep and thorough understanding of it. Here are a few points to discuss with you.
Let's first look at the basic process of an intrusion:
1. Determine the target's operating system.
2. Scan the ports to determine which services are open (these two steps may be carried out at the same time).
3. Choose an intrusion method according to the operating system and the open services; the two usual ones are "overflow" and "weak password guessing".
4. Obtain the highest privilege level on the system.
5. Plant a back door, clear the logs and leave (perhaps leaving a signature behind).

From the above it is clear that identifying the operating system type is the most basic and important step in the process. Imagine: if you do not even know what operating system the other side is running, an intrusion is out of the question.

Perhaps few people ask themselves why we must first understand the other side's operating system. In fact, we study the operating system because we want to understand how it manages memory, what technology it uses to control memory, and how it handles input and output data. Nothing in the world is perfect (which is, of course, the driving force behind human striving), and a computer system, being complex, can always make mistakes in controlling memory and processing data (especially after other applications are installed); the system itself also has all kinds of weaknesses and deficiencies. Hackers break in by exploiting these weaknesses and errors. The intrusion tools popular on the Internet today were all written by hackers after analysing the weaknesses and existing errors of systems (the most common being the "buffer overflow").

As ordinary hackers, we are good at using off-the-shelf intrusion tools to achieve our purpose. But because different systems work differently, each intrusion tool can only target the operating system it was written for. Recognising the operating system is therefore essential, which requires us to have a good understanding of operating systems and a certain basic knowledge of networking (being a hacker is not so easy); there are piles of articles on the Internet introducing the various operating systems that we can consult.

Here I introduce some simple methods of operating system recognition, which I hope will be useful to everyone.

First, using ping to identify the operating system

C:\>ping 10.1.1.2

Pinging 10.1.1.2 with bytes of data:

Reply from 10.1.1.2:bytes=32 time<10ms ttl=128
Reply from 10.1.1.2:bytes=32 time<10ms ttl=128
Reply from 10.1.1.2:bytes=32 time<10ms ttl=128
Reply from 10.1.1.2:bytes=32 time<10ms ttl=128

Ping statistics for 10.1.1.2:
Packets:sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trips times in Milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>
C:\>ping 10.1.1.6

Pinging 10.1.1.6 with bytes of data:

Request timed out.
Reply from 10.1.1.6:bytes=32 time=250ms ttl=237
Reply from 10.1.1.6:bytes=32 time=234ms ttl=237
Reply from 10.1.1.6:bytes=32 time=234ms ttl=237

Ping statistics for 10.1.1.6:
Packets:sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trips times in Milli-seconds:
Minimum = 234ms, Maximum = 250ms, Average = 179ms

From the TTL value of the ICMP reply we can roughly tell the type of host: for example, a TTL of around 125 suggests a Windows machine, and a TTL of around 235 suggests a Unix machine. In the two examples above, 10.1.1.2 is a Windows 2000 machine and 10.1.1.6 is a Unix machine (SunOS 5.8). This is because different operating systems process and respond to ICMP packets differently, and the TTL value is decremented by 1 at each router, which produces different TTL values in the reply. As for the correspondence between TTL values and operating system types, it relies on careful observation and accumulated experience.
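The TTL rule of thumb above can be written down as a small parser, which also makes its weakness explicit: the observed TTL only tells you the initial TTL minus the hop count, so the guess is a hint rather than proof. The following is an added example, not code from the original article; it parses the two ping runs quoted above (embedded here as constructed sample input), infers the nearest default initial TTL and hop distance, and maps 128 to Windows and 255 to Unix as the article does. The 64 to Linux/BSD row is general knowledge added here, not something the article states.

```python
import re
from collections import Counter

# Default initial TTLs and the OS family usually associated with each.
# 128 -> Windows and 255 -> Unix follow the article's rule of thumb;
# 64 -> Linux/BSD is general knowledge added in this example.
INITIAL_TTLS = {
    64: "Linux/BSD",
    128: "Windows",
    255: "Unix (e.g. Solaris) or network device",
}

# ping prints the reply TTL as "TTL=128" (Windows) or "ttl=64" (Unix).
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def observed_ttls(ping_output):
    """Return every TTL value printed in ping's reply lines, in order."""
    return [int(m.group(1)) for m in TTL_RE.finditer(ping_output)]


def infer_initial_ttl(ttl):
    """Smallest common initial TTL that is >= the observed value, else None.

    Assumes the path is shorter than the gap between two defaults; a Linux
    box 70 hops away would be misread as Windows, and a host may simply
    change its own default TTL, which is why the result is only a hint.
    """
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return initial
    return None


def classify(ping_output):
    """Summarise the TTL evidence in one ping run.

    Returns None when no reply carried a TTL (e.g. every request timed out);
    otherwise a dict with the observed TTL, the inferred initial TTL, the
    implied hop count and the OS family associated with that initial TTL.
    """
    ttls = observed_ttls(ping_output)
    if not ttls:
        return None
    ttl = Counter(ttls).most_common(1)[0][0]  # ignore a stray odd reply
    initial = infer_initial_ttl(ttl)
    if initial is None:
        return {"observed_ttl": ttl, "initial_ttl": None, "hops": None,
                "os_family": "unknown"}
    return {
        "observed_ttl": ttl,
        "initial_ttl": initial,
        "hops": initial - ttl,
        "os_family": INITIAL_TTLS[initial],
    }


# Constructed sample inputs: the two ping runs shown in the article.
WINDOWS_PING = """\
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
"""

UNIX_PING = """\
Request timed out.
Reply from 10.1.1.6: bytes=32 time=250ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
"""

if __name__ == "__main__":
    for host, output in (("10.1.1.2", WINDOWS_PING), ("10.1.1.6", UNIX_PING)):
        print(host, classify(output))
```

For the article's second host the parser reports an initial TTL of 255 and 18 hops, which is the reasoning the text does by eye. The same calculation is what a defender sees in their own firewall logs: a source whose TTL does not match its claimed platform is worth a second look.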

Second, using the information returned directly when connecting to a port

This should be the most commonly used method; let's look at a few examples below.

1. If the machine has port 80 open, we can telnet to it (of course, if you have nc it is best to use nc, since then you are not typing blind).


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1998 Microsoft Corp.

C:\>telnet 10.1.1.2 80
Type GET and press Enter (note that you are typing blind here).
If it returns:
HTTP/1.1 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, June 2003 02:31:55 GMT
Content-Type: text/html
Content-Length: 87

The parameter is incorrect.

The connection to the host is lost.
C:\>
then this is definitely a Windows machine.
If it returns:

Method Not Implemented

GET to / not supported.

Invalid method in request GET

Apache/1.3.27 Server at gosiuniversity.com Port 80

The connection to the host is lost.
C:\>
then it is most likely a Unix system.

2. If the machine has port 21 open, we can ftp to it directly:

C:\>ftp 10.1.1.2
If it returns:
Connected to 10.1.1.2.
sgyyq-c43s950 Microsoft FTP Service (Version 5.0).
User (10.1.1.2:(none)):
then this must be a Windows 2000 machine, and we also learn the host name, sgyyq-c43s950. This FTP server is the one that comes with IIS on Windows.
If it returns:
Connected to 10.1.1.3.
Serv-U FTP Server v4.0 for WinSock ready...
User (10.1.1.3:(none)):
it is also certainly a Windows machine, because Serv-U FTP is an FTP server developed specifically for the Windows platform.
If it returns:
Connected to 10.1.1.3.
ready, dude (vsFTPd 1.1.0: beat me, break me)
User (10.1.1.3:(none)):
then this is a Unix machine.


3. If port 23 is open, it's simple: just telnet to it.

If it returns:
Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
login:

then this must be a Windows machine.

If it returns:
SunOS 5.8
login:

then, needless to say, it is certainly a Unix machine, and the version is SunOS 5.8.
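Every banner in the three cases above is matched against a product name the reader already knows; that lookup is easy to automate, and turning it around is a useful audit: run it over the banners of your own services to see which operating system and version they give away. The following classifier is an added example, not code from the original article. The rules encode only the banners quoted above (IIS, Apache, Microsoft FTP Service, Serv-U, vsftpd, the Windows telnet service and the SunOS login banner); the banner strings at the bottom are constructed test inputs modelled on the article's examples, and the Apache `ServerTokens Prod` case is added to show what a trimmed banner looks like to this logic.

```python
import re

# (regex, OS family, why the banner implies it). Specific rules come first.
# Group 1, where present, captures the version number the banner leaks.
RULES = [
    (r"Microsoft-IIS/([\d.]+)", "Windows", "IIS only ships on Windows"),
    (r"Microsoft FTP Service \(Version ([\d.]+)\)", "Windows", "FTP service bundled with IIS"),
    (r"Serv-U FTP Server v?([\d.]+)", "Windows", "Serv-U is written for the Windows platform"),
    (r"Microsoft \(R\) Windows \(TM\) Version ([\d.]+)", "Windows", "Windows telnet service banner"),
    (r"Microsoft Telnet Service", "Windows", "Windows telnet service banner"),
    (r"\bSunOS ([\d.]+)", "Unix (SunOS)", "telnet login banner names the OS"),
    (r"vsftpd ([\d.]+)", "Unix", "vsftpd is a Unix FTP daemon"),
    (r"Apache(?:/([\d.]+))?", "Unix (probably)", "Apache usually, but not only, runs on Unix"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), fam, why) for p, fam, why in RULES]


def http_server_header(raw_response):
    """Return the value of the Server header of a raw HTTP response, or None."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    for line in head.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def classify_banner(text):
    """Map a banner (HTTP response, FTP or telnet greeting) to an OS family.

    Returns a dict with the OS family, the matched evidence, the reason and
    the leaked version (None when the banner hides it). Unknown banners give
    os == "unknown", which is where a hardened service should end up.
    """
    for rx, family, why in COMPILED:
        m = rx.search(text)
        if m:
            version = m.group(1) if m.groups() else None
            return {"os": family, "evidence": m.group(0), "reason": why, "version": version}
    return {"os": "unknown", "evidence": None,
            "reason": "no recognised product string", "version": None}


def audit(banners):
    """Run the classifier over {service_name: banner} and report what each leaks."""
    report = {}
    for name, banner in banners.items():
        result = classify_banner(banner)
        report[name] = {"os": result["os"], "leaks_version": result["version"] is not None}
    return report


# Constructed inputs modelled on the banners quoted in the article.
IIS_RESPONSE = ("HTTP/1.1 400 Bad Request\r\nServer: Microsoft-IIS/5.0\r\n"
                "Content-Type: text/html\r\n\r\nThe parameter is incorrect.")
APACHE_ERROR = ("Method Not Implemented\n\nGET to / not supported.\n\n"
                "Apache/1.3.27 Server at gosiuniversity.com Port 80")
MS_FTP = "sgyyq-c43s950 Microsoft FTP Service (Version 5.0)."
SERVU = "Serv-U FTP Server v4.0 for WinSock ready..."
VSFTPD = "ready, dude (vsFTPd 1.1.0: beat me, break me)"
WIN_TELNET = ("Microsoft (R) Windows (TM) Version 5.00 (Build 2195)\n"
              "Welcome to Microsoft Telnet Service\nlogin:")
SUNOS_TELNET = "SunOS 5.8\nlogin:"
HARDENED_APACHE = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"        # ServerTokens Prod
NO_SERVER_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, banner in {"iis": IIS_RESPONSE, "apache": APACHE_ERROR, "ms-ftp": MS_FTP,
                          "serv-u": SERVU, "vsftpd": VSFTPD, "win-telnet": WIN_TELNET,
                          "sunos": SUNOS_TELNET, "hardened": HARDENED_APACHE,
                          "silent": NO_SERVER_HEADER}.items():
        print(label, classify_banner(banner))
```

Running `audit` over your own services shows the mitigation side of the article: with Apache's `ServerTokens Prod` the header shrinks to "Apache", the classifier still guesses Unix but no longer gets a version, and a service that sends no product string at all is classified as unknown.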

Third, using specialised software to identify the operating system

Software with an operating-system identification function mostly uses the technique of protocol-stack fingerprinting. Although the TCP/IP protocol is standardised, the standard does not dictate how the TCP/IP stack is implemented; each vendor writes its stack according to its own requirements, so the stacks of different operating systems behave differently. By analysing these differences we can distinguish operating systems, and as long as we have a database mapping stack behaviour to operating systems, we can identify them accurately. At present this is the most accurate and most scientific technique for identifying operating systems; it is also known as "fingerprinting". Of course, the capability and accuracy of the recognition depend on the database each piece of software has built up.

Below is a brief introduction to two pieces of software with this feature.

1. The famous nmap uses active detection: during detection it actively sends probe packets to the target system and infers the target's operating system from its responses to those packets. Usage is as follows:

F:\nmap>nmap -vv -sS -O 10.1.1.5
Starting nmap V. 3.00
Host IS~123456ADCD (10.1.1.5) appears to be up ... good.
Initiating SYN Stealth Scan against IS~123456ADCD (10.1.1.5)
Adding open port 139/tcp
Adding open port 7070/tcp
Adding open port 554/tcp
Adding open port 23/tcp
Adding open port 1025/tcp
Adding open port 8080/tcp
Adding open port 21/tcp
Adding open port 5050/tcp
Adding open port 9090/tcp
Adding open port 443/tcp
Adding open port 135/tcp
Adding open port 1031/tcp
Adding open port 3372/tcp
Adding open port 25/tcp
Adding open port 1433/tcp
Adding open port 3389/tcp
Adding open port 445/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 1 second to scan 1601 ports.
For OSScan assuming that port is open and port 1 is closed and neither are firewalled
Interesting ports on IS~123456ADCD (10.1.1.5):
(The 1583 ports scanned but not shown below are in state: closed)
Port       State   Service
21/tcp     open    ftp
23/tcp     open    telnet
25/tcp     open    smtp
80/tcp     open    http
135/tcp    open    loc-srv
139/tcp    open    netbios-ssn
443/tcp    open    https
445/tcp    open    microsoft-ds
554/tcp    open    rtsp
1025/tcp   open    NFS-or-IIS
1031/tcp   open    iad2
1433/tcp   open    ms-sql-s
3372/tcp   open    msdtc
3389/tcp   open    ms-term-serv
5050/tcp   open    mmcc
7070/tcp   open    realserver
8080/tcp   open    http-proxy
9090/tcp   open    zeus-admin
Remote operating system guess: Windows 2000/XP/ME
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=21F8%IPID=I%TS=0)
T1(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=8696 (Worthy challenge)
TCP ISN Seq. Numbers: 5B9022E2 5B914E12 5B92A495 5B93915A 5B94A9B5 5B95CC64
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

The line "Remote operating system guess: Windows 2000/XP/ME" is nmap's verdict on the operating system type. It returns a great deal of other information as well; nmap deserves its reputation as the king of scanners.
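The T1 to T7 lines in the fingerprint above are the target's responses to nmap's probe packets, and those probes are what a defender can watch for. In nmap's classic OS detection (Fyodor's original test set, the same T1-T7 numbering the output uses) T2 is a TCP packet with no flags set, T3 carries SYN+FIN+PSH+URG and T7 carries FIN+PSH+URG; no conforming TCP stack sends these on its own, so a source emitting several of them is almost certainly fingerprinting. The detector below is an added example, not code from the article or from the nmap project. It takes simple packet records of the form (src, dst, dport, flag letters); the records at the bottom are constructed for this example, replaying the probe sequence against an open port and the closed port 1 that the nmap output mentions, next to one normal client.

```python
from collections import defaultdict

# TCP flag bits, low bit first, as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}

# Flag combinations no conforming stack sends on its own, labelled with the
# classic nmap OS-detection test that emits each one.
SUSPICIOUS_FLAGS = {
    0: "T2: no flags set (NULL probe)",
    SYN | FIN | PSH | URG: "T3: SYN+FIN+PSH+URG probe",
    FIN | PSH | URG: "T7: FIN+PSH+URG (Xmas) probe",
}


def parse_flags(letters):
    """Turn tcpdump-style flag letters (F S R P A U) into a bitmask; '' is NULL."""
    mask = 0
    for ch in letters.upper():
        if ch not in FLAG_LETTERS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        mask |= FLAG_LETTERS[ch]
    return mask


def detect(records):
    """Collect suspicious probes per source address.

    records: iterable of (src, dst, dport, flag_letters). Returns
    {src: [hit, ...]} containing only sources that sent at least one
    flag combination from SUSPICIOUS_FLAGS.
    """
    hits = defaultdict(list)
    for src, dst, dport, letters in records:
        label = SUSPICIOUS_FLAGS.get(parse_flags(letters))
        if label is not None:
            hits[src].append({"dst": dst, "dport": dport,
                              "flags": letters or "<none>", "test": label})
    return dict(hits)


def is_fingerprinting(hits_for_src, min_distinct=2):
    """One odd packet may be corruption or a lone scan; several distinct
    probe types from the same source is the signature of OS detection."""
    return len({h["test"] for h in hits_for_src}) >= min_distinct


# Constructed packet records (src, dst, dport, flags): one normal client on
# port 80, and one host replaying the T1-T7 probes against open port 21 and
# closed port 1.
SAMPLE = [
    ("10.1.1.9", "10.1.1.5", 80, "S"),
    ("10.1.1.9", "10.1.1.5", 80, "A"),
    ("10.1.1.9", "10.1.1.5", 80, "PA"),
    ("10.1.1.7", "10.1.1.5", 21, "S"),     # T1: indistinguishable from any SYN
    ("10.1.1.7", "10.1.1.5", 21, ""),      # T2: NULL
    ("10.1.1.7", "10.1.1.5", 21, "SFPU"),  # T3
    ("10.1.1.7", "10.1.1.5", 21, "A"),     # T4: bare ACK, also seen in normal traffic
    ("10.1.1.7", "10.1.1.5", 1, "S"),      # T5: SYN to a closed port
    ("10.1.1.7", "10.1.1.5", 1, "A"),      # T6: ACK to a closed port
    ("10.1.1.7", "10.1.1.5", 1, "FPU"),    # T7
]

if __name__ == "__main__":
    for src, hits in detect(SAMPLE).items():
        print(src, "fingerprinting" if is_fingerprinting(hits) else "odd packet",
              [h["test"] for h in hits])
```

Only three of the seven probes are caught, because T1, T4, T5 and T6 use flag combinations that ordinary traffic also produces; that is why the verdict requires several distinct odd probes from one source rather than alerting on every packet, and why intrusion detection systems pair this check with the rate of connections to closed ports.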

2. Sky Eye uses passive detection. It sends no packets to the target system; instead it passively listens to the traffic on the network and analyses it to determine the operating system type. It works well when used together with SuperScan.

I won't go into the specifics of using it here; interested readers can search the Internet for articles on using Sky Eye, and there are plenty.

The above explains some basic methods of recognising the operating system. Because my level is limited, there may be improper places; I ask the masters to correct me!
