Step :three: Detecting the Operating System
Making guesses from Available ports
Windows
Port 445
Port 139
Port 135
TCP Port 3389 used for Remote Desktop Protocol
UNIX
Portmapper TCP Port 111
Berkeley R services TCP 512–514
NFS TCP Port 2049
RPC services on high-numbered ports (3277x and above)
Keep in mind
:reminder_ribbon:the greater the number of services running, the greater the likelihood of a system compromise.
:reminder_ribbon: Some services are operating system specific
Stack Fingerprinting
Definition
Determines each host's operating system quickly and with a high degree of probability by examining how its TCP/IP stack behaves.
Types
Active Stack Fingerprinting
Sends crafted packets to the target system and examines the responses.
Passive Stack Fingerprinting
Monitors network traffic without sending any packets, to determine the operating system in use.
Active Stack Fingerprinting
FIN probe
A FIN packet is sent to an open port. RFC 793 says the correct behaviour is not to respond, but many stacks, Windows among them, reply anyway (with a FIN/ACK or RST), which identifies them.
Bogus flag probe
An undefined TCP flag is set in the header of a SYN packet. Some stacks (older Linux kernels, for example) echo the flag back in their SYN/ACK.
Initial Sequence Number (ISN)
The sequence number the stack chooses when answering a connection request. The pattern across several connections (constant, fixed increment, clock-driven, random) is characteristic of the implementation.
Don't fragment bit
Some operating systems set the DF bit on certain packets; noting which probes come back with DF set helps classify the stack.
TCP initial window size
The window size a stack advertises is close to unique per implementation and can greatly add to the accuracy of the fingerprint.
ACK value
Stacks differ in the acknowledgment number they return: some echo the sequence number you sent, others return that sequence number + 1.
ICMP error message quenching
Operating systems may follow RFC 1812 and rate-limit ICMP error messages. Sending UDP packets to random high-numbered ports and counting the port-unreachable replies within a time window reveals the limit. This probe also helps determine whether UDP ports are open.
ICMP message quoting
Stacks differ in how much of the offending packet they quote back in an ICMP error (most quote the IP header plus 8 bytes; some quote more). Examining the quoted message supports assumptions about the target operating system.
ICMP error message—echoing integrity
Some stacks alter header fields (checksum, TTL, IP ID) when quoting the original packet back in an ICMP error. Examining the types of alterations supports assumptions about the target operating system.
Type of service (TOS)
The TOS value in ICMP port-unreachable replies is examined; most stack implementations use 0.
Fragmentation handling
Stacks reassemble overlapping fragments differently (whether new data overwrites old or old is kept). Noticing how probe packets are reassembled supports assumptions about the target operating system.
TCP Options
Which options a stack supports and the order in which it sends them (MSS, window scale, SACK permitted, timestamps, NOP padding) vary by implementation.
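The ISN probe above relies on spotting a pattern across several connection attempts. The following is an added example, not code from the original page or from any fingerprinting tool: it classifies a list of ISNs (as collected from successive SYN/ACKs) as constant, fixed-increment, time-based or random, handling 32-bit wraparound. The ISN samples and the tolerance threshold are constructed assumptions for the example.

```python
"""Classify a TCP stack's Initial Sequence Number (ISN) generation pattern.

Constructed ISN samples stand in for the SYN/ACK sequence numbers an active
fingerprinter would collect by opening several connections to one target.
Thresholds are assumptions chosen for this example.
"""
from functools import reduce
from math import gcd

MODULUS = 1 << 32  # TCP sequence numbers wrap at 2^32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 so wraparound is handled."""
    return [(b - a) % MODULUS for a, b in zip(isns, isns[1:])]


def classify_isn(isns, time_deltas_s=None, tolerance=0.2):
    """Return 'constant', 'fixed-increment', 'time-based' or 'random'.

    time_deltas_s, if given, holds the seconds elapsed between consecutive
    probes (len(isns) - 1 entries) so that a clock-driven ISN can be told
    apart from a random one.
    """
    deltas = isn_deltas(isns)
    if not deltas:
        raise ValueError("need at least two ISNs")
    if all(d == 0 for d in deltas):
        return "constant"            # same ISN every time: trivially predictable
    if len(set(deltas)) == 1:
        return "fixed-increment"     # e.g. the classic +64000 per connection
    if time_deltas_s:
        if len(time_deltas_s) != len(deltas):
            raise ValueError("one time delta per ISN delta expected")
        rates = [d / dt for d, dt in zip(deltas, time_deltas_s)]
        # A clock-driven ISN advances at a near-constant rate (RFC 793
        # suggests one increment every 4 microseconds, i.e. 250,000/s).
        if max(rates) <= min(rates) * (1 + tolerance):
            return "time-based"
    return "random"


def isn_report(isns, time_deltas_s=None):
    """Summarise the sample: classification, GCD of deltas and the delta list."""
    deltas = isn_deltas(isns)
    return {
        "class": classify_isn(isns, time_deltas_s),
        "gcd": reduce(gcd, deltas),
        "deltas": deltas,
    }


# Constructed samples (not captured from any real host)
FIXED_INCREMENT = [1000, 65000, 129000, 193000]
TIME_BASED = [0, 250_000, 625_000, 875_000]
TIME_BASED_GAPS = [1.0, 1.5, 1.0]           # seconds between probes
RANDOM = [0x1A2B3C4D, 0x9F8E7D6C, 0x01234567, 0xDEADBEEF]
RANDOM_GAPS = [1.0, 1.0, 1.0]
WRAPPING = [0xFFFFFF00, 0x00000100, 0x00000300]   # crosses the 2^32 boundary

if __name__ == "__main__":
    for name, sample, gaps in [
        ("fixed", FIXED_INCREMENT, None),
        ("time", TIME_BASED, TIME_BASED_GAPS),
        ("random", RANDOM, RANDOM_GAPS),
        ("wrap", WRAPPING, None),
    ]:
        print(name, isn_report(sample, gaps))
```

Without timing information a clock-driven ISN is indistinguishable from a random one here, so the probe times must be recorded alongside each ISN; the GCD of the deltas is what a real tool reports as the increment granularity.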
Passive Stack Fingerprinting
Window size
What does the operating system set as the window size :question:
TTL
What does the operating system set as the time-to-live on the outbound packet :question:
DF
Does the operating system set the "Don't fragment" bit :question:
Limitations
:one: Applications that build their own packets do not use the same signature as the operating system, so your results may not be accurate.
:two: You must be in a position to capture these packets.
:three: A remote host can easily change the connection attributes (TTL, window size, options), so the signature can be spoofed.
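The three passive attributes above (window size, TTL, DF) plus the TCP option layout are what a passive fingerprinter pulls out of a captured SYN. The following is an added example, not code from the original page or from any fingerprinting tool: it parses the IPv4 and TCP headers of a SYN, derives a p0f-style signature, estimates the hop count from the TTL and matches the signature against a small table. The sample packets are constructed inline, and the signature table is an illustrative assumption, not a real p0f or Nmap database; the "unknown" sample shows the first and third limitations above, a hand-built packet that matches no stack.

```python
"""Passive OS fingerprinting from a captured TCP SYN (constructed packets)."""
import struct

# Illustrative table (assumption): (initial TTL, DF set, window, option layout) -> label
SIGNATURES = {
    (64, True, 29200, "M,S,T,N,W"): "Linux-like (illustrative signature)",
    (128, True, 64240, "M,N,W,N,N,S"): "Windows-like (illustrative signature)",
}


def encode_tcp_options(options):
    """Raw TCP options from tokens such as ("M", 1460), "S", "T", "N", ("W", 7)."""
    out = b""
    for opt in options:
        kind, val = (opt, None) if isinstance(opt, str) else opt
        if kind == "N":
            out += b"\x01"                                  # NOP
        elif kind == "M":
            out += b"\x02\x04" + struct.pack("!H", val)     # MSS
        elif kind == "W":
            out += bytes([3, 3, val])                       # window scale
        elif kind == "S":
            out += b"\x04\x02"                              # SACK permitted
        elif kind == "T":
            out += b"\x08\x0a" + b"\x00" * 8                # timestamps (zeroed)
        else:
            raise ValueError("unknown option %r" % (kind,))
    return out


def build_syn(ttl, df, window, options):
    """IPv4 + TCP SYN; checksums are left zero because the parser does not verify them."""
    opts = encode_tcp_options(options)
    opts += b"\x00" * (-len(opts) % 4)                      # pad to 32-bit words
    tcp_len = 20 + len(opts)
    off_flags = ((tcp_len // 4) << 12) | 0x002              # data offset, SYN flag
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0x12345678, 0, off_flags, window, 0, 0) + opts
    flags_frag = 0x4000 if df else 0                        # DF is bit 14 of flags/fragment
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, flags_frag,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp


def parse_tcp_options(raw):
    """Turn raw TCP options into p0f-style tokens, preserving the order sent."""
    tokens, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                       # end of option list
            tokens.append("E")
            break
        if kind == 1:                                       # NOP carries no length byte
            tokens.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length, data = raw[i + 1], raw[i + 2:i + raw[i + 1]]
        if kind == 2:
            tokens.append("M%d" % struct.unpack("!H", data)[0])
        elif kind == 3:
            tokens.append("W%d" % data[0])
        else:
            tokens.append({4: "S", 8: "T"}.get(kind, "?%d" % kind))
        i += length
    return tokens


def initial_ttl(observed):
    """Guess the sender's starting TTL: the next common default at or above the observed value."""
    return next((c for c in (32, 64, 128, 255) if observed <= c), 255)


def fingerprint(packet):
    """Extract window/TTL/DF/options from an IPv4 TCP SYN and look up a guess."""
    ver_ihl, _, _, _, flags_frag, ttl, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = packet[(ver_ihl & 0x0F) * 4:]
    _, _, _, _, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    if not off_flags & 0x002:
        raise ValueError("only SYN packets carry the full option set")
    options = parse_tcp_options(tcp[20:(off_flags >> 12) * 4])
    layout = ",".join(t[0] for t in options)
    df, init = bool(flags_frag & 0x4000), initial_ttl(ttl)
    return {"ttl": ttl, "initial_ttl": init, "hops": init - ttl, "df": df,
            "window": window, "options": options,
            "signature": "%d:%d:%d:%s" % (window, init, df, layout),
            "guess": SIGNATURES.get((init, df, window, layout), "unknown")}


# Constructed sample SYNs (not real captures)
LINUX_SYN = build_syn(58, True, 29200, [("M", 1460), "S", "T", "N", ("W", 7)])
WINDOWS_SYN = build_syn(117, True, 64240, [("M", 1460), "N", ("W", 8), "N", "N", "S"])
UNKNOWN_SYN = build_syn(250, False, 4096, [("M", 1460)])   # a scanner's hand-built packet

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("unknown", UNKNOWN_SYN)):
        print(name, fingerprint(pkt))
```

Only the SYN is examined because that is the one packet where the stack advertises its full option set; matching on the initial TTL rather than the observed one is what makes the signature survive the hops in between. The MSS value is deliberately excluded from the match key, since it depends on the link MTU, not the operating system.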