Remote Operating System Identification via TCP/IP Stack Fingerprinting
Overview

This article discusses how to glean precious information about a host by querying its TCP/IP
network stack. I first present several "classical" methods of determining the host OS that do
not involve stack fingerprinting. Then I describe the current "state of the art" in stack
fingerprinting tools. Next comes a description of several techniques for causing the remote host
to leak information about itself. Finally I detail my implementation (nmap) and use it to
fingerprint the operating systems of a number of popular web sites.

Reasons

I think the usefulness of determining what OS a system is running is fairly obvious, so this
section will be very short. One of the strongest examples is that many security holes depend on
the OS version. Imagine you are doing a penetration test and find port 53 open. If this is a
vulnerable version of BIND, you only get one chance to exploit it, because a failed attempt kills
the daemon. With a good TCP/IP fingerprinter you will quickly find that the machine is running
'Solaris 2.51' or 'Linux 2.0.35', and you can adjust your shellcode accordingly.

A worse case is someone scanning 500,000 hosts in advance to record what OS they run and which
ports are open. Then, when someone posts (say) a root hole in Sun's comsat daemon, our little
friend can grep his list for 'udp/512' and 'Solaris 2.6' and immediately have page after page
of rootable boxes. It must be said that this is SCRIPT KIDDIE behavior. You have demonstrated no
skill, and nobody is even remotely impressed that you found some .edu that had not patched the
hole in time. People will be even _less_ impressed if you use your newfound access to deface a
government web site with a self-congratulatory rant about how powerful you are and how stupid the
administrators must be.

Another use is social engineering. Suppose you scan your target company and nmap reports a
'Datavoice TxPORT PRISM 3000 T1 CSU/DSU 6.22/2.06'. The hacker can now call up as 'Datavoice
support' and discuss some issues with their PRISM 3000: "We are about to announce a security
hole, but we want our current customers to install the patch first. I just sent it to you ..."
Some naive administrators will assume that only an engineer authorized by Datavoice could know
that much about their CSU/DSU.

Another potential use of this capability is evaluating companies you want to do business with.
Before choosing a new ISP, scan them and see what equipment they use. Those "$99 per year" deals
don't sound nearly as good when you find that they run cheap routers and provide their PPP
service from a bunch of Windows machines.


Classical Techniques

Stack fingerprinting solves the problem of OS identification in a unique way. I think this
technique holds the most promise, but there are currently many other solutions. Sadly, this one is
still among the most effective of them:

playground~> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12 ...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.

HP-UX hpux B.10.01 A 9000/715 (ttyp2)

login:

There is no need to go to the trouble of fingerprinting if a machine will loudly announce to the
whole world exactly what it is running! Unfortunately, many vendors ship _current_ systems with
banners of this kind, and many administrators never turn them off. Just because there are other
ways to find out the OS (such as fingerprinting) does not mean we should announce our OS and
architecture to every idiot who tries to connect.

The problems with this technique are that more and more people turn the banners off, many systems
do not give much information, and it is trivial to "lie" in a banner. Nevertheless, banner
reading is all you get for OS and OS version checks if you spend thousands of dollars on the
commercial ISS scanner. Download nmap or queso instead and save your money :).

Even if you turn the banners off, many applications will happily give away this kind of
information when asked. For example, this FTP server:

payfonez> telnet ftp.netscape.com 21
Trying 207.200.74.26 ...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
SYST
215 UNIX Type: L8 Version: SUNOS

First, it gives away system details in its default banner. Then, if we issue the 'SYST' command,
it happily sends back even more information.

If anonymous FTP is supported, we can often download /bin/ls or other binaries to determine the
architecture they were built for. Many other applications are just as careless with information.
Take web servers, for example:

playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
playground>

Hmmm ... I wonder what these guys are running.

Other classical techniques include DNS host info records (not very effective) and social
engineering. If the host listens on 161/UDP (SNMP), you can almost certainly get a lot of
information using 'snmpwalk' from the CMU SNMP toolkit with the 'public' community name.


Current Fingerprinting Programs

Nmap is not the first program to identify an OS by its TCP/IP fingerprint. Johan's universal IRC
spoofer, sirc, has included a very basic fingerprinting technique since version 3 (or earlier). It
tries to sort hosts into the classes "Linux", "4.4BSD", "Win95", or "Unknown" using a few simple
TCP flag tests.

Another such program is checkos, which its author Shok finally felt confident enough in to
release publicly as version 7 in January of this year. The fingerprinting technique is exactly
the same as sirc's; even the _code_ is the same in many places. Checkos was private for a long
time before its public release, so I do not know who stole from whom, but apparently neither
trusts the other. What checkos adds is a telnet banner check, which is useful but has the
problems discussed earlier. [UPDATE: Shok wrote that checkos was never meant to be released
publicly, which is why he did not ask sirc's author for permission to use the code.]

Su1d also wrote an OS checker. He calls it SS, and as of version 3.11 it can identify 12
different OS types. I am partial to it because he credits my nmap program for some of the
networking code :).

Then there is queso. This is the most recent and a huge leap beyond the other programs. Not only
did they introduce some new tests, they are also the first (as far as I know) to move the OS
fingerprints _out of_ the code. The other scanners have code like this:

/* from ss */
if ((flagsfour & TH_RST) && (flagsfour & TH_ACK) && (winfour == 0) &&
    (flagsthree & TH_ACK))
  reportos(argv[2], argv[3], "Livingston Portmaster ComOS");

Queso instead moved this into a configuration file, which obviously makes it easier to extend:
adding a new OS becomes a simple matter of adding a few lines to the fingerprint file.

Queso was written by Savage, one of the masters of Apostols.org.

One problem with all of the programs above is that only a very limited number of fingerprinting
tests are used, which limits the level of detail in the answer. I want to know not only 'this
machine is OpenBSD, FreeBSD, or NetBSD', I want to know exactly which it is and the version
number. Likewise, I want to see 'Solaris 2.6' rather than just 'Solaris'. To achieve this I
studied a series of fingerprinting techniques, described in the next section.
Fingerprinting Methodology

There are many techniques that can be used to fingerprint a network stack. Basically, you just
look for things that differ between operating systems and write probes that detect the
difference. If you combine enough of these, you can narrow the OS down very tightly. For example,
nmap can reliably distinguish Solaris 2.4 from Solaris 2.5-2.51 from Solaris 2.6. It can also
tell Linux kernel 2.0.30 from 2.0.31-34 and from 2.0.35. Here are some of the techniques:

The FIN probe -- Here we send a FIN packet (or any packet without the ACK or SYN flag set) to an
open port and wait for a response. The correct RFC 793 behavior is not to respond, but many
broken implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and IRIX send back a RESET.
Most current tools use this technique.

The BOGUS flag probe -- Queso is the first program I have seen to use this clever technique. The
idea is to set an undefined TCP "flag" (64 or 128) in the TCP header of a SYN packet. Linux
machines prior to 2.0.35 keep this flag set in their response. I have not found this bug in any
other OS. However, some operating systems seem to reset the connection when they receive a
SYN+BOGUS packet. That behavior could be useful in identifying them.

TCP ISN sampling -- The idea here is to find patterns in the initial sequence numbers chosen by
a TCP implementation when responding to a connection request. These can be sorted into many
groups, such as the traditional 64K (many old UNIX boxes), random increments (newer versions of
Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), and truly "random" (Linux 2.0.*,
OpenVMS, newer AIX, etc.). Windows machines (and a few others) use a "time dependent" model, in
which the ISN is incremented by a small fixed amount each time period. Needless to say, this is
almost as easy to defeat as the old 64K behavior. Of course my favorite technique is "constant":
the machine ALWAYS uses the exact same ISN :). I have seen this on 3Com hubs (which use 0x803)
and Apple LaserWriter printers (which use 0xC7001).

You can also subdivide groups such as random increments by computing the variance, the greatest
common divisor, and other functions of the sequence numbers and of the differences between them.

Be aware that ISN generation has important security implications. For more on this, contact
SDSC's "security expert" Tsutomu "Shimmy" Shimomura and ask him what he knows about it. Nmap is
the first program I have seen that uses ISN sampling for OS identification.
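As an added illustration of the ISN classes just described (example code written for this page,
not nmap's own implementation), the following Python classifies a sample of ISNs by the GCD of
their differences and a couple of spread heuristics. The class thresholds, the sample ISN lists,
and the function names are this example's own assumptions; only the class names and the 0xC7001
constant come from the text.

```python
from functools import reduce
from math import gcd

# Added example (not nmap's code). Classifies a sample of initial sequence numbers
# (ISNs), taken from successive SYN|ACK replies of one host, into the classes the
# article describes. The cut-offs below are this example's own choices: nmap derives
# its class from the GCD of the differences and similar statistics, but its exact
# thresholds are not given on this page.

def isn_differences(isns):
    """Differences between successive ISNs, modulo 2**32 (the counter wraps)."""
    return [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]

def classify_isn(isns):
    """Return one of C, 64K, i800, TD, RI or TR for a list of sampled ISNs.

    C    constant: every ISN identical (the LaserWriter / 3Com hub case)
    64K  old UNIX behaviour: the differences share a GCD of exactly 64000
    i800 every step is a multiple of 800 (GCD of the differences is 800)
    TD   time dependent: every step is the same small value (Windows style)
    RI   random positive increments of moderate size
    TR   truly random: a wrap-around or huge jump shows no usable structure
    """
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    diffs = isn_differences(isns)
    if all(d == 0 for d in diffs):
        return "C"
    common = reduce(gcd, diffs)
    if common == 64000:
        return "64K"
    if common == 800:
        return "i800"
    if len(set(diffs)) == 1 and diffs[0] < 0x10000:
        return "TD"
    # Always moving forward by less than 2**24 per sample is treated as random
    # increments (assumption); anything larger or wrapping is treated as random.
    if all(0 < d < 2**24 for d in diffs):
        return "RI"
    return "TR"

def predictability(isns):
    """(min, max, gcd) of the differences: small spread and large GCD mean easy guessing."""
    diffs = isn_differences(isns)
    return min(diffs), max(diffs), reduce(gcd, diffs)

# Constructed samples (not captured traffic), one per class.
SAMPLES = {
    "apple_laserwriter": [0xC7001, 0xC7001, 0xC7001, 0xC7001],
    "old_unix_64k":      [128000, 192000, 256000, 320000],          # +64000 each time
    "irix_i800":         [8000, 8800, 11200, 12000, 14400],         # multiples of 800
    "windows_td":        [4096, 4106, 4116, 4126],                  # +10 per sample
    "solaris_ri":        [0x00001000, 0x00023456, 0x0004ABCD, 0x0005C000],
    "linux_tr":          [0xDEADBEEF, 0x12345678, 0x9ABCDEF0, 0x0BADF00D],
}

def classify_all(samples=SAMPLES):
    """Class for every sample set, keyed by the sample name."""
    return {name: classify_isn(isns) for name, isns in samples.items()}

if __name__ == "__main__":
    for name, cls in classify_all().items():
        print("%-18s -> %-4s diffs(min,max,gcd)=%s" % (name, cls, predictability(SAMPLES[name])))
```

Three samples are the minimum because the first difference alone cannot separate a constant
step from a coincidence; in practice nmap sends several SYNs in quick succession so that the
time-dependent class shows up as identical small steps.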

Don't Fragment bit -- Many operating systems have started to set the IP "Don't Fragment" bit on
some of the packets they send. This gives various performance benefits (though it can also be
annoying; it is the reason nmap's fragmentation scan does not work from Solaris machines). In
any case, not all OSes do this, and some do it in different cases, so by paying attention to this
bit we can glean even more information about the target OS. I have not seen this used in either
of the two programs above.

TCP initial window -- This simply involves checking the window size of returned packets. Older
scanners just used a non-zero window on a RST packet to mean "BSD 4.4 derived". Newer scanners
such as queso and nmap keep track of the exact window, because it is basically constant for a
given OS. This test actually gives a lot of information, since some OSes can be identified
uniquely by the window alone (for example, AIX is the only one I know of that uses 0x3F25). In
their "completely rewritten" TCP stack for NT5, Microsoft uses 0x402E. Interestingly, that is
exactly the number used by OpenBSD and FreeBSD.

ACK value -- Although you would think this would be completely standard, implementations differ
in what they put in the ACK field in some cases. For example, if you send a FIN|PSH|URG to a
closed TCP port, most implementations set ACK to your initial sequence number, but Windows and
some silly printers send back your sequence number plus 1. If you send a SYN|FIN|URG|PSH to an
open port, Windows is very inconsistent. Sometimes it sends back your sequence number, other
times it sends the sequence number plus 1, and still other times it sends back what looks like a
random number. One has to wonder what kind of code Microsoft is writing that changes its mind
like this.

ICMP error message quenching -- Some (smart) operating systems follow the RFC 1812 suggestion to
limit the rate at which various error messages are sent. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable generation to 80 per 4 seconds, with a 1/4 second
penalty if that is exceeded. One way to test this is to send a bunch of packets to some random
high UDP port and count the unreachable messages that come back. I have not seen this used
before, and I have not added it to nmap (except for its use in UDP port scanning). This test
would make OS detection take a bit longer, since you have to send a batch of packets and wait for
them to return. Dealing with packet loss on the network would also be painful.

ICMP message quoting -- The RFCs specify that ICMP error messages quote some small part of the
message that caused the error. For a port unreachable message, almost all implementations send
back only the required IP header plus 8 bytes. Solaris, however, sends back a bit more, and Linux
sends back even more than that. The beauty of this is that it lets nmap recognize Linux and
Solaris hosts even when they have no listening ports at all.

ICMP error message echoing integrity -- I got this idea from an article Theo de Raadt (lead
OpenBSD developer) posted to comp.security.unix. As mentioned above, machines have to send back
part of your original message along with the port unreachable error. Yet some machines tend to
use your headers as "scratch paper" during their initial processing, so the headers are slightly
warped by the time you get them back. For example, AIX and BSDI send back an IP "total length"
field that is 20 bytes too high. Some BSDI, FreeBSD, OpenBSD, ULTRIX, and VAX machines mangle the
IP ID you sent. The checksum will change anyway because the TTL changes, but some machines (AIX,
FreeBSD, etc.) send back an inconsistent or zero checksum. The same goes for the UDP checksum.
All in all, nmap performs nine different tests on ICMP errors to sniff out subtle differences
like these.

Type of service -- For ICMP port unreachable messages I look at the type of service (TOS) value
of the packet sent back. Almost all implementations use 0 for this ICMP error, except Linux,
which uses 0xC0. That is not one of the standard TOS values; rather it is part of the (as far as I
know) unused precedence field. I do not know why they set it, but if they ever change it to 0 we
will still be able to identify the old versions _and_ be able to tell old from new.

Fragmentation handling -- This is a favorite technique of Thomas H. Ptacek of Secure Networks,
Inc. (now owned by a bunch of Windows users at NAI). It takes advantage of the fact that different
implementations often handle overlapping IP fragments differently. Some overwrite the old
portions with the new; in other cases the old data takes precedence. There are many different
probes you can use to determine how the packet was reassembled. I did not add this capability
because I know of no portable way to send IP fragments (in particular, it is not allowed on
Solaris). For more information on overlapping fragments, see their IDS paper (www.secnet.com).

TCP options -- These are a true gold mine for leaking information. The beauty of these options is
that:
1) They are generally optional (duh!) :), so not all implementations support them.
2) You can tell whether an implementation supports an option by sending a request with the option
   set; the target shows its support by setting it in the reply.
3) You can stuff a whole bunch of options into one packet and test them all at once.

Nmap sends these options along with almost every probe packet:

Window Scale=10; NOP; Max Segment Size = 265; Timestamp; End of Ops;

When you get the response, you look at which options were sent back and are therefore supported.
Some operating systems, such as recent FreeBSD boxes, support all of the above, while others, such
as Linux 2.0.x, support very few. The latest Linux 2.1.x kernels do support all of the above. On
the other hand, they have a more vulnerable TCP sequence generation method. Go figure.

Even if several operating systems support the same set of options, you can sometimes still
distinguish them by the _values_ of the options. For example, if you send a small MSS value to a
Linux box, it will echo that MSS back to you in its reply. Other hosts will give you different
values.

And even if you get the same set of supported options with the same values, you can still tell
them apart by the _order_ in which the options are given and where the padding is applied. For
example, Solaris returns 'NNTNWME', which means:

<no op><no op><timestamp><no op><window scale><echoed MSS>

while Linux 2.1.122 returns 'MENNTNW'. Same options, same values, but a different order!

I have not seen any other OS detection tool take advantage of TCP options, but they are very
useful.

For the same reason there are a few other useful options I may probe for at some point, such as
those that indicate support for T/TCP and selective acknowledgement.
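The ordering and echo effects described above, as an added Python example (not nmap's code): it
builds the raw TCP options field for nmap's probe, then decodes constructed replies in "Solaris"
and "Linux" order into the same letter strings the text quotes. The mapping of letters to options
(M, N, W, T, S, and E for an MSS that echoes the probe's 265) follows the article's description;
the constructed reply byte strings and the helper names are this example's own.

```python
import struct

# Added example (not nmap's code): encode and decode the TCP options field and
# render it as the letter string the article's Ops= attribute uses.
# Option kinds from RFC 793 / RFC 1323 / RFC 2018.
EOL, NOP, MSS, WSCALE, SACKOK, TIMESTAMP = 0, 1, 2, 3, 4, 8
PROBE_MSS = 265   # the MSS value the article says nmap puts in its probes

def encode_options(opts):
    """opts: list of (kind, value). Returns the raw options, zero-padded to a
    4-byte boundary as the TCP data-offset field requires."""
    out = bytearray()
    for kind, value in opts:
        if kind == EOL:
            out.append(0)
            break                       # nothing may follow end-of-option-list
        elif kind == NOP:
            out.append(1)
        elif kind == MSS:
            out += struct.pack("!BBH", 2, 4, value)
        elif kind == WSCALE:
            out += struct.pack("!BBB", 3, 3, value)
        elif kind == SACKOK:
            out += struct.pack("!BB", 4, 2)
        elif kind == TIMESTAMP:
            out += struct.pack("!BBII", 8, 10, value[0], value[1])
        else:
            raise ValueError("unsupported option kind %d" % kind)
    while len(out) % 4:
        out.append(0)
    return bytes(out)

def decode_options(raw):
    """Walk the options the way a receiving stack does and return (letters, parsed).
    Letters: M=MSS, E=that MSS echoed our PROBE_MSS, N=NOP, W=window scale,
    T=timestamp, S=SACK permitted. Parsing stops at EOL; bad lengths raise."""
    letters, parsed, i = [], [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == EOL:
            break
        if kind == NOP:
            letters.append("N"); parsed.append(("NOP", None)); i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == MSS and length == 4:
            (mss,) = struct.unpack("!H", body)
            letters.append("M")
            if mss == PROBE_MSS:
                letters.append("E")     # the host echoed the MSS we sent
            parsed.append(("MSS", mss))
        elif kind == WSCALE and length == 3:
            letters.append("W"); parsed.append(("WSCALE", body[0]))
        elif kind == SACKOK and length == 2:
            letters.append("S"); parsed.append(("SACKOK", None))
        elif kind == TIMESTAMP and length == 10:
            letters.append("T"); parsed.append(("TIMESTAMP", struct.unpack("!II", body)))
        else:
            parsed.append(("UNKNOWN", kind))    # skipped by its length, no letter
        i += length
    return "".join(letters), parsed

def ops_string(raw):
    """Just the Ops= letters for a raw options field."""
    return decode_options(raw)[0]

def is_malformed(raw):
    """True when the options field cannot be walked safely (truncated or bad length)."""
    try:
        decode_options(raw)
        return False
    except ValueError:
        return True

# nmap's probe options as the article lists them: WS=10, NOP, MSS=265, timestamp, EOL.
PROBE_OPTIONS = encode_options([(WSCALE, 10), (NOP, None), (MSS, PROBE_MSS),
                                (TIMESTAMP, (0, 0)), (EOL, None)])
# Constructed replies (not captured traffic): same options and values, different order.
SOLARIS_REPLY = encode_options([(NOP, None), (NOP, None), (TIMESTAMP, (1, 0)),
                                (NOP, None), (WSCALE, 0), (MSS, PROBE_MSS)])
LINUX_REPLY = encode_options([(MSS, PROBE_MSS), (NOP, None), (NOP, None),
                              (TIMESTAMP, (1, 0)), (NOP, None), (WSCALE, 0)])
# A host supporting only MSS that answers with its own value instead of echoing ours.
MINIMAL_REPLY = encode_options([(MSS, 1460)])

if __name__ == "__main__":
    for name, raw in [("probe", PROBE_OPTIONS), ("solaris", SOLARIS_REPLY),
                      ("linux", LINUX_REPLY), ("minimal", MINIMAL_REPLY)]:
        print("%-8s %-8s %s" % (name, ops_string(raw), raw.hex()))
```

The decoder stops at the first EOL and rejects impossible lengths rather than reading past the
buffer, which is the same discipline a real stack needs when a probe like nmap's arrives.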

Exploit chronology -- Even with all the tests above, nmap cannot distinguish the TCP stacks of
Win95, WinNT, and Win98. This is rather surprising, especially since Win98 came out about four
years after Win95. You would think they would have improved the stack in some way (such as
supporting more TCP options) so that we could detect the change and tell them apart.
Unfortunately, that is not the case. The NT stack was apparently plopped into '95 and then left
alone for '98.

But don't give up hope; there is another way. You can simply start with the early Windows DoS
attacks (Ping of Death, WinNuke, etc.) and then move up to somewhat later ones such as Teardrop
and Land. After each attack, ping them to see whether they have crashed. When you finally crash
them, you will likely have narrowed what they are running down to one service pack or hotfix.

I have not added this to nmap, although I admit it is very tempting :).

SYN flood resistance -- Some operating systems will stop accepting new connections if you send
them too many forged SYN packets (forging the packets keeps your own kernel from resetting the
connections). Many operating systems can only handle 8 such packets. Recent Linux kernels (among
other operating systems) allow various methods, such as SYN cookies, to prevent this from being a
serious problem. So you can learn something about the target OS by sending 8 packets from a
forged address to an open port and then testing whether you can still establish a connection to
it yourself. This was not implemented in nmap because some people get upset when you SYN flood
them, and explaining that you were only trying to find out what OS they run might not calm them
down.


Nmap Implementation and Results

I have created a reference implementation of the OS detection techniques mentioned above (except
those I said were not included). I added it to my nmap scanner, which has the advantage of
already knowing which ports are open and closed for fingerprinting, so you do not have to tell it.
It is also portable among Linux, *BSD, Solaris 2.51 and 2.6, and some other operating systems.

The new version of nmap reads a file of fingerprint templates. Here is an example of the syntax:

Fingerprint IRIX 6.2-6.4 # Thanks to Lamont Granquist
TSeq(Class=i800)
T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

Let's look at the first line (I have added the '>' markers):

> Fingerprint IRIX 6.2-6.4 # Thanks to Lamont Granquist

This simply says that the fingerprint covers IRIX versions 6.2 through 6.4, and the comment notes
that Lamont Granquist kindly sent me the IP addresses or fingerprints of the IRIX machines tested.

> TSeq(Class=i800)

This says that ISN sampling put the host in the "i800 class". That means each new sequence number
is a multiple of 800 greater than the previous one.

> T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)

This test is called T1 (for test 1, clever, huh?). In this test we send a SYN packet with a set
of TCP options to an open port. DF=N means the "Don't fragment" bit must not be set in the reply.
W=C000|EF2A means the window advertisement we receive must be 0xC000 or 0xEF2A. ACK=S++ means
the acknowledgement must be our initial sequence number plus 1. Flags=AS means the ACK and SYN
flags must be set in the reply. Ops=MNWNNT means the options in the reply must be, in this order:

<MSS (not echoed)><no op><window scale><no op><no op><timestamp>

> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)

Test 2 sends a NULL packet with the same options to an open port. Resp=Y means we must get a
reply. Ops= means the reply must contain no options at all. If the '%Ops=' attribute were left
out entirely, any options would match.

> T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)

Test 3 is a SYN|FIN|URG|PSH with options to an open port.

> T4(DF=N%W=0%ACK=O%Flags=R%Ops=)

This is an ACK to an open port. Notice that there is no Resp= here. This means that the lack of a
reply (for example, the packet being dropped on the network or blocked by a firewall) will not
prevent a match as long as all the other tests match. We do this because virtually all OSes
reply, so a missing reply is almost always a property of the network and not of the OS itself.
Tests 2 and 3 carry the Resp tag because some OSes _really do_ drop those packets instead of
answering them.

> T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)

These tests are a SYN, an ACK, and a FIN|PSH|URG, respectively, to a closed port. The same
options are always set. Of course all of this is obvious from the descriptive names 'T5', 'T6',
and 'T7' :).

> PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This big one is the port unreachable message test. You should recognize DF=N by now. TOS=0 means
the IP type of service field is 0. The next two fields give, in hex, the IP total length of the
message header that came back and the total length claimed by the returned (quoted) IP header.
RID=E means the IP ID in the returned portion of our original packet was as expected (E), i.e.
the same as we sent it. RIPCK=E means the checksum was unchanged (it would be RIPCK=F
otherwise). UCK=E means the UDP checksum was also correct. Next comes the UDP length, 0x134, and
DAT=E means they returned our UDP data correctly. Since most implementations (including this one)
do not send back any of our UDP data, they get DAT=E by default.

The version of nmap with this functionality is in its sixth private beta cycle. By the time you
read this it may be finished, or it may not. Visit http://www.insecure.org/nmap/ for the latest
version.

Popular Site Snapshots

Here are the fruits of our labor. We can now pick an arbitrary Internet site and determine what
OS it runs. Many of them have modified their telnet banners and the like to keep this information
confidential, but that is useless against our new fingerprinter! It is also a good way to show
how foolish the users of <insert your least favorite OS> are :).

The command used in these examples was: nmap -sS -p 80 -O -v <host>

Also note that most of these scans were done on 98-10-18. Some people have upgraded or changed
their servers since then.

Note that I do not necessarily endorse every site listed here.

# "Hacker" sites, or (in a couple of cases) sites that think they are
www.l0pht.com => OpenBSD 2.2-2.4
www.insecure.org => Linux 2.0.31-34
www.rhino9.ml.org => Windows 95/NT # no comment :)
www.technotronic.com => Linux 2.0.31-34
www.nmrc.org => FreeBSD 2.2.6-3.0
www.cultdeadcow.com => OpenBSD 2.2-2.4
www.kevinmitnick.com => Linux 2.0.31-34 # Free Kevin!
www.2600.com => FreeBSD 2.2.6-3.0 Beta
www.antionline.com => FreeBSD 2.2.6-3.0 Beta
www.rootshell.com => Linux 2.0.35 # changed to OpenBSD after they got owned

# Security vendors, consultants, etc.
www.repsec.com => Linux 2.0.35
www.iss.net => Linux 2.0.31-34
www.checkpoint.com => Solaris 2.5-2.51
www.infowar.com => Win95/NT

# OS vendors
www.li.org => Linux 2.0.35 # Linux International
www.redhat.com => Linux 2.0.31-34 # I wonder what they run :)
www.debian.org => Linux 2.0.35
www.linux.org => Linux 2.1.122-2.1.126
www.sgi.com => IRIX 6.2-6.4
www.netbsd.org => NetBSD 1.3X
www.openbsd.org => Solaris 2.6 # Ahem :)
www.freebsd.org => FreeBSD 2.2.6-3.0 Beta

# Academia
www.harvard.edu => Solaris 2.6
www.yale.edu => Solaris 2.5-2.51
www.caltech.edu => SunOS 4.1.2-4.1.4 # Hello! This is the 90's :)
www.stanford.edu => Solaris 2.6
www.mit.edu => Solaris 2.5-2.51 # So many good schools like Sun?
# Probably that 40% .edu discount :)
www.berkeley.edu => UNIX OSF1 V 4.0,4.0B,4.0D
www.oxford.edu => Linux 2.0.33-34 # Brits!

# Lame sites
www.aol.com => IRIX 6.2-6.4 # No wonder they are so insecure :)
www.happyhacker.org => OpenBSD 2.2-2.4 # Ironic, Carolyn?
# Even the most secure OS is useless in the hands of an incompetent administrator.

# Misc
www.lwn.net => Linux 2.0.31-34 # the Linux news site!
www.slashdot.org => Linux 2.1.122-2.1.126
www.whitehouse.gov => IRIX 5.3
sunsite.unc.edu => Solaris 2.6

Note: In their security white paper, Microsoft says of their lax security: "This assumption has
changed over the years as Windows NT has gained popularity, largely because of its security
features." Well, from where I sit, Windows does not seem very popular in the security community
:). I only saw 2 Windows machines in this list, and for nmap Windows is _easy_ to spot; its stack
is that broken (top-grade smarts).

Of course there is more to check. Here is the web site of the ultra-secretive Transmeta.
Interestingly, the company was funded largely by Paul Allen of Microsoft, yet employs Linus
Torvalds. So are they going with Paul's NT or joining the Linux revolution? Let's see:

We use the command:
nmap -sS -F -o transmeta.log -v -O www.transmeta.com/24

This says: SYN scan the well-known ports (from /etc/services), log the results to
'transmeta.log', be verbose, perform an OS scan, and scan the class C network that
www.transmeta.com sits on. Here is a summary of the results:

neon-best.transmeta.com (206.184.214.10) => Linux 2.0.33-34
www.transmeta.com (206.184.214.11) => Linux 2.0.30
neosilicon.transmeta.com (206.184.214.14) => Linux 2.0.33-34
ssl.transmeta.com (206.184.214.15) => Linux, unknown version
linux.kernel.org (206.184.214.34) => Linux 2.0.35
www.linuxbase.org (206.184.214.35) => Linux 2.0.35 # possibly the same machine as above
