Remote OS detection
Jan 17 2003, 14:11 (UTC+0)
assassin007 writes:

Remote Operating System detection is an essential part of a successful hack: once you know which operating system (and ideally which version) the remote host runs, you know which vulnerabilities may apply to it. There are many tools and techniques for finding the operating system running on a remote system.

The telnet method:
This is a very simple technique: when a telnet daemon is running, its welcome banner often names the remote OS and version. But there is no guarantee that the banner will tell you the OS. An increasing number of system administrators turn these banners off or put fake information in them. Below is an example of a telnet session that gave some useful information about the OS running on a remote server:

  Connected to xyz.org.
  Escape character is '^]'.
  UNIX Type: L8
  Login:

The FTP method:
This method is similar to the telnet method. Normally the welcome banner displayed when you connect to an FTP server reveals some information about the OS running on the remote system. Again, the administrator may have disabled the banner, but the SYST command (sent from the ftp client as 'literal SYST' or 'quote SYST') will usually still give you the information you want:

  Connected to ftp.2600.com
  220- You are 9 out of a possible 20.
  220 ftp.2600.com FTP server ready.
  User (ftp.2600.com:(none)): anonymous
  331 Guest login ok, send your email address as password.
  Password:
  230- Welcome to ftp.2600.com, the 2600 FTP server.
  230 Guest login ok, access restrictions apply.
  ftp> literal syst
  215 UNIX Type: FTP2600
  ftp>

The above example shows how the OS can be found through FTP. Note that the SYST reply here ('UNIX Type: FTP2600') has been customised by the site: it still tells you the host is UNIX, but the type string itself carries no real information, so SYST is no more trustworthy than the banner.

The HTTP method:
This method is very useful, and the OS running on a remote system can often be identified with it.
But there must be a web server running on the remote system, and what you actually learn is the type and version of that web server, which often (but not always) implies the operating system. This is quite easy: telnet to port 80 (the HTTP port) of the remote system; any host running a website accepts connections there. Once connected, type a request such as

  HEAD / HTTP/1.0

and press Enter twice (even typing garbage works, since the error page carries the same headers). The response headers include a Server: line naming the web server, its version and sometimes the operating system or the modules built into it. Like the telnet and FTP banners, this header can be changed or removed by the administrator, so treat it as a hint rather than proof.

Fingerprinting:
Fingerprinting is a technique for obtaining information about a remote host from the way its TCP/IP stack behaves. Different fingerprinting programs use many methods, but they all rest on the same observation: the TCP/IP standards leave details unspecified, and every operating system implements them slightly differently. The response a host generates to a given packet, whether it responds at all, the time it takes to respond and the time between two successive responses all vary from one OS to another. When we send a carefully chosen packet to a remote system, the response we get back depends on the operating system, so by comparing the responses against a database of known stacks we can identify the OS. There are many fingerprinting methods; some of them are discussed briefly below.

The FIN probe:
This is one of the most common methods, used by many fingerprinting programs. A FIN packet (or any packet without the ACK or SYN flag set) is sent to an open port on the remote host and we wait for a response. According to RFC 793 the correct behaviour is to ignore it and not respond, but a number of operating systems (Windows, BSDI, Cisco, HP/UX, MVS and IRIX among them) respond with a RST. Thus we can separate the operating systems that answer with a RST from those that stay silent.

TCP Initial Window:
This method involves checking the window size in the packets that come back from the remote host. Several operating systems use a distinctive initial window, which helps identify the OS from the packets received.
The window sizes of the received packets are compared with the window sizes known to be used by each operating system to find out which OS the remote host is running. Because several stacks use the same size, the window size is usually combined with the other tests rather than used alone.

Don't Fragment:
Some operating systems set the 'Don't Fragment' (DF) bit on some of the packets they send, in different circumstances. Noting which probes come back with DF set helps identify the operating system running on the remote system.

ISN Sampling:
This method looks at how the remote host generates the Initial Sequence Number (ISN) in its response to a connection request. Several connection requests are sent in a row and the ISN of each SYN+ACK is recorded; the differences between successive ISNs are then classified (constant increments of 64K as in old BSD, time-dependent increments of a few units per tick, random positive increments, truly random, or a constant value). The class, together with the greatest common divisor of the increments, is compared with the known behaviour of different operating systems.

BOGUS flag probe:
In this method an undefined flag (the 64 or 128 bit of the TCP flags byte) is set in the TCP header of a SYN packet requesting a connection with the remote host. Linux kernels prior to 2.0.35 keep the undefined flag set in their SYN+ACK response, while some other operating systems reset the connection when they receive such a SYN+BOGUS packet. Either behaviour helps identify the OS.

ICMP Error Message Quenching:
Some operating systems limit the rate at which they send ICMP error messages (RFC 1812 suggests this). A number of packets are sent to a high, closed UDP port on the remote host and the number of ICMP port unreachable messages that come back is counted. Because each OS quenches at its own rate, the count helps identify the OS. The problem with this method is that ICMP is unreliable and connectionless, so some of our probes or some of the replies may be lost on the way, and the count must be read with that in mind.

ICMP Message Quoting:
Every ICMP error message quotes back part of the original packet that caused it. The standard requires at least the IP header plus 8 bytes, but each operating system quotes its own amount: most send back only the minimum, while some (Linux and Solaris, for example) quote considerably more. This difference in the error messages received from various operating systems helps identify the remote host's OS.

ICMP error message echoing integrity:
As mentioned above, every ICMP error message carries part of the original packet. Some stacks use the headers of the original packet as 'scratch space' during their initial processing and then send them back slightly mangled: the IP checksum, total length, IP ID or TTL of the quoted header, or the UDP checksum and length, may come back altered.
By checking which of these fields come back intact and which are altered, the machine receiving the ICMP error messages can tell which OS the remote system is using.

ACK Value:
Though the TCP/IP standards and specifications are the same for every operating system, each implementation differs from the others in some details. One of them is the acknowledgement number: when we send a FIN|PSH|URG packet to a closed TCP port, most systems acknowledge it with an ACK equal to our initial sequence number, but Windows (and some printers) ACK with ISN+1. The difference between the ACK number and the ISN we used can therefore be used to tell the remote host's operating system.

Reference: Remote OS detection via TCP/IP Stack FingerPrinting by Fyodor (www.insecure.org). The original document can be found at http://www.insecure.org/nmap/nmap-fingerprinting-article.txt

Tools Available:
There are many tools for finding a remote host's operating system, but Nmap is the best of them. It can reliably distinguish versions of an operating system: for instance, it can tell Linux kernel 2.0.30 from 2.0.31-34 or 2.0.35. You can download Nmap from http://www.insecure.org/Nmap/. MingSweeper is another such tool, for Windows, which can perform ping sweeps, reverse DNS sweeps, TCP and UDP port scans, OS identification and application identification. MingSweeper can be downloaded from http://www.hoobie.net/mingsweeper/.
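The three banner methods described at the start of this article (telnet greeting, FTP SYST, HTTP Server: header) are easy to script. The following is an added example written for this page, not code from the article, from Nmap or from MingSweeper. The probe strings (SYST, HEAD / HTTP/1.0) are the standard protocol commands; the host names and the sample replies (the 'Red Hat Linux release 7.3' telnet banner and the 'Apache/1.3.27 (Unix)' header) are constructed so the parser can be run offline, and the list of OS names it looks for is an assumption you would extend.

```python
"""Added example: banner grabbing for the telnet, FTP and HTTP methods, plus a
parser that pulls OS/server hints out of whatever the server sends back."""
import re
import socket

# What to send once connected; b"" means only read the greeting.
PROBES = {
    "telnet": b"",
    "ftp": b"SYST\r\n",                   # the 215 reply names the OS type
    "http": b"HEAD / HTTP/1.0\r\n\r\n",   # the Server: header names the daemon
}

# Telnet daemons open with option negotiation: IAC (0xFF) followed by
# WILL/WONT/DO/DONT (0xFB-0xFE) and an option byte.  Strip it from the banner.
IAC_OPTION = re.compile(rb"\xff[\xfb-\xfe].", re.S)

# Weakest hint of all: an OS name anywhere in the text (list is an assumption).
OS_WORDS = re.compile(r"\b(Linux|FreeBSD|OpenBSD|NetBSD|SunOS|Solaris|HP-UX|AIX|"
                      r"IRIX|Windows(?: NT| 2000| XP)?|UNIX|Unix)\b")

def clean(raw):
    """Bytes from the wire -> text with telnet negotiation removed."""
    return IAC_OPTION.sub(b"", raw).decode("latin-1", "replace")

def grab(host, port, service, timeout=5.0):
    """Connect, read the greeting, send the service's probe, return the text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        chunks = []
        try:
            chunks.append(s.recv(4096))
            if PROBES[service]:
                s.sendall(PROBES[service])
                chunks.append(s.recv(4096))
        except socket.timeout:
            pass                     # a daemon that stays quiet still gave us the greeting
    return clean(b"".join(chunks))

def extract_hints(service, text):
    """Return (kind, value) hints, strongest first; every one of them can be faked."""
    hints = []
    if service == "ftp":
        for code, kind in (("215", "ftp-syst"), ("220", "ftp-banner")):
            for m in re.finditer(r"^%s[ -](.+?)\s*$" % code, text, re.M):
                hints.append((kind, m.group(1)))
    elif service == "http":
        m = re.search(r"^Server:[ \t]*(.+?)\s*$", text, re.M | re.I)
        if m:
            hints.append(("http-server", m.group(1)))
            paren = re.search(r"\(([^)]*)\)", m.group(1))   # Apache-style "(Unix)"
            if paren:
                hints.append(("http-os", paren.group(1)))
    elif service == "telnet":
        for line in text.splitlines():
            line = line.strip()
            if line and not re.match(r"(?i)login:|password:", line):
                hints.append(("telnet-banner", line))
    hints.extend(("os-word", m.group(1)) for m in OS_WORDS.finditer(text))
    return hints

# Constructed sample replies (not real captures) so the parser runs offline.
SAMPLE_FTP = "220 ftp.example.org FTP server ready.\r\n215 UNIX Type: L8\r\n"
SAMPLE_HTTP = "HTTP/1.1 200 OK\r\nServer: Apache/1.3.27 (Unix)\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_TELNET = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"
                 b"Red Hat Linux release 7.3 (Valhalla)\r\nKernel 2.4.18-3 on an i686\r\nlogin: ")

if __name__ == "__main__":
    for service, sample in (("ftp", SAMPLE_FTP), ("http", SAMPLE_HTTP),
                            ("telnet", clean(SAMPLE_TELNET))):
        print(service, extract_hints(service, sample))
    # Against a live host (hypothetical name):
    # print(extract_hints("ftp", grab("ftp.example.org", 21, "ftp")))
```

The hints are deliberately kept as a ranked list rather than collapsed into one answer: a SYST reply or Server: header is a stronger signal than an OS name found anywhere in the text, but as the FTP2600 example above shows, all of them are under the administrator's control and should be confirmed with stack fingerprinting.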
For your information:
Below is one of the IP fingerprints of different Windows versions generated by MingSweeper 1.00a5: the entry for Windows 98. Each line names a probe (TSeq is the ISN sampling test, T1-T7 are the TCP probes, PU is the UDP probe that checks the ICMP port unreachable reply, and msI* are MingSweeper's own ICMP tests) followed by the expected response attributes separated by %; lines starting with # are comments.

  Fingerprint Windows 98 v2
  # BaseType MS Win 9x
  TSeq(Class=TD%gcd=<6%SI=FFF)
  T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
  T2(DF=N%W=0%ACK=S%Flags=AR%Ops=)
  T3(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
  T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
  T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
  T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
  T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
  PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
  msIClass(TTL=128)
  msI1(DF=N%C=00%DFE=Y%TOS=00)
  # TOS=C4 when the EnableUserTOS reg key is set
  #msI1(DF=N%C=00%DFE=Y%TOS=00|C4)
  # If you uncomment this you also match ME systems
  msI2(Resp=N)
  msI3(Resp=N)
  msI4(DF=N%C=%DFE=N%TOS=00)
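To show how an entry like this is actually used, here is an added example (written for this page; it is not MingSweeper's or Nmap's code) that parses the fingerprint above, derives the TSeq class and gcd from a series of sampled ISNs as the ISN Sampling method describes, and matches a set of observed probe results against the fingerprint, reporting which attributes disagree. The attribute meanings (DF, W, ACK=S/S++/O, Flags, Ops, Resp=N, and the `A|B` alternative and `<N` bound syntax) follow the nmap first-generation format that this file mimics. The observed values and ISN samples are constructed, not real captures, and the thresholds used to separate TD, RI and TR classes are simplified assumptions, not nmap's exact cut-offs.

```python
"""Added example: parse a MingSweeper/nmap first-generation style fingerprint,
classify sampled ISNs and match observed probe results against the entry."""
import re
from functools import reduce
from math import gcd

# The Windows 98 entry quoted in the article, verbatim.
WIN98_FINGERPRINT = """\
Fingerprint Windows 98 v2
# BaseType MS Win 9x
TSeq(Class=TD%gcd=<6%SI=FFF)
T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
msIClass(TTL=128)
msI1(DF=N%C=00%DFE=Y%TOS=00)
#msI1(DF=N%C=00%DFE=Y%TOS=00|C4)
msI2(Resp=N)
msI3(Resp=N)
msI4(DF=N%C=%DFE=N%TOS=00)
"""

def parse_fingerprint(text):
    """Return (name, {test: {attr: expected}}); '#' lines are comments."""
    name, tests = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        m = re.fullmatch(r"(\w+)\((.*)\)", line)
        if not m:
            raise ValueError("bad fingerprint line: " + line)
        test, body = m.groups()
        # "Ops=" (empty value) is legal: the reply carried no TCP options.
        tests[test] = dict(p.partition("=")[::2] for p in body.split("%") if p)
    return name, tests

def attr_matches(expected, observed):
    """expected may list alternatives (A|B) or a hex bound (<N, >N)."""
    for alt in expected.split("|"):
        if alt.startswith(("<", ">")) and re.fullmatch(r"[0-9A-Fa-f]+", observed):
            value, bound = int(observed, 16), int(alt[1:], 16)
            if (value < bound) if alt[0] == "<" else (value > bound):
                return True
        elif alt == observed:
            return True
    return False

def classify_isn(samples):
    """Simplified TSeq test: class and hex gcd of successive 32-bit ISN steps."""
    steps = [(b - a) % 2**32 for a, b in zip(samples, samples[1:])]
    if not any(steps):
        cls = "C"                    # constant ISN
    elif all(s == 64000 for s in steps):
        cls = "64K"                  # classic BSD increment
    elif all(s == 800 for s in steps):
        cls = "i800"
    elif max(steps) < 2**20:
        cls = "TD"                   # small positive steps: time dependent (assumed bound)
    elif max(steps) < 2**28:
        cls = "RI"                   # random positive increments (assumed bound)
    else:
        cls = "TR"                   # truly random, or wrapped around
    return {"Class": cls, "gcd": format(reduce(gcd, steps, 0), "X")}

def match(fingerprint, observed):
    """Return (mismatches, compared).  Unobserved tests/attributes are skipped;
    a probe the fingerprint expects a reply to but that got none is a mismatch."""
    mismatches, compared = [], 0
    for test, attrs in fingerprint.items():
        obs = observed.get(test)
        if obs is None:
            continue
        if obs.get("Resp") == "N" and attrs.get("Resp") != "N":
            mismatches.append((test, "Resp", "Y", "N"))
            compared += 1
            continue
        for attr, exp in attrs.items():
            if attr in obs:
                compared += 1
                if not attr_matches(exp, obs[attr]):
                    mismatches.append((test, attr, exp, obs[attr]))
    return mismatches, compared

# Constructed observations (not real captures): four successive SYN+ACK ISNs,
# then a summary of each probe's reply as a sniffer would record it.
WIN98_ISNS = [0x00401234, 0x0040161F, 0x00401A05, 0x00401DEE]      # steps ~1000, gcd 1
OBS_WIN98 = {
    "TSeq": classify_isn(WIN98_ISNS),
    "T1": {"DF": "Y", "W": "402E", "ACK": "S++", "Flags": "AS", "Ops": "MNWNNT"},
    "T5": {"DF": "N", "W": "0", "ACK": "S++", "Flags": "AR", "Ops": ""},   # RST to a FIN
    "PU": {"DF": "N", "TOS": "0", "IPLEN": "38", "RIPTL": "148", "RID": "E", "RIPCK": "E"},
    "msI2": {"Resp": "N"},
}
OTHER_ISNS = [0x7A3F1C2B, 0x1B9E77D0, 0xBCFDD376, 0x365A40E8]      # huge, coprime steps
OBS_OTHER = {
    "TSeq": classify_isn(OTHER_ISNS),
    "T1": {"DF": "Y", "W": "7D78", "ACK": "S++", "Flags": "AS", "Ops": "MNNTNW"},
    "T5": {"Resp": "N"},                                             # FIN ignored per RFC 793
}

if __name__ == "__main__":
    name, fp = parse_fingerprint(WIN98_FINGERPRINT)
    for label, obs in (("win98-like host", OBS_WIN98), ("other host", OBS_OTHER)):
        bad, n = match(fp, obs)
        print(f"{label}: {n - len(bad)}/{n} attributes agree with {name}; mismatches: {bad}")
```

Two details matter in practice. Tests that were not run (or attributes the sniffer could not recover) are skipped rather than failed, so a partial scan still yields a score; and a probe that got no reply is recorded as Resp=N and only matches an entry that also expects silence, which is exactly how the FIN probe separates Windows (RST) from stacks that follow RFC 793.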