The first stage of a pentest is, as you know, reconnaissance. Once you have established which operating system is running on the remote host, you can start looking for holes in it. In this article you will learn about seven tools that help at this stage, and along the way you will see exactly how they work out the OS.
Around the same historical period when the monkey climbed down from the tree and for some reason decided to become a man, it learned to use tools. It has been that way ever since: every monkey gets its food with its own tools, which is what sets it apart from the rest of the fauna. And one of the richest arsenals of handy tools among primates belongs, of course, to pentesters and hackers.
No surprise there: studying remote systems and exploiting the vulnerabilities found in them with your bare hands is like trying to scare a hedgehog with nothing but naked, indefatigable enthusiasm. It is both impractical and, by and large, useless. Moreover, even a hedgehog understands that the first and most important stage in studying any system is reconnaissance and data collection. That is where we will focus our attention.
If you regularly read "Hacker," you have probably already seen many of these programs mentioned. Perhaps you are also familiar with the term TCP/IP stack fingerprinting, which describes the principle behind them.
Let's take a bird's-eye view of the most relevant utilities suited to this purpose and try to assess their features and capabilities.
A couple of buzzwords
Experienced pentesters, hackers and those who consider themselves such can safely skip this section (and go grab a milkshake instead); for everyone else we will take a short theoretical detour. Obviously, at the initial stage of reconnaissance the remote system appears to us as a "black box", and in the best case we know only its IP address. At a minimum, you need to find out which ports are open on the host under study, which operating system it is running, and what software is installed there and able to talk to the network. Only then, having collected the necessary information, can you look for vulnerabilities and think about how to turn them to the benefit of mankind.
With an ordinary desktop or laptop, determining the operating system is easiest of all. If looking at the screen makes you a little queasy, it is Windows; if you feel the urge to build something from source, it is definitely Linux. With a remote host this trick does not work, so we can only judge by indirect signs. Which operating system a host is running can be determined by passive or active methods. In the first case, sniffing with tools such as Wireshark and subsequent traffic analysis are usually used. In the second case, the principle of patterns applies: each OS has a characteristic set of open ports that you can knock on and check for availability. Then, looking at this picturesque picture, you draw the appropriate conclusions. In both cases we compare the "fingerprints" of the operating system, which is why this set of methods is commonly called fingerprinting.
As a rule, all methods of passive traffic analysis come down to studying the TCP/IP stack of the remote machine. Packet headers contain fields whose values are specific to particular operating systems. For example, a TTL (Time To Live) of 64 is most commonly found on Linux and FreeBSD. If the fragmentation flag (DF, Don't Fragment) is not set in the header, that hints that we are dealing with OpenBSD. Other indirect features are the window size, the maximum segment size (MSS), the window scaling value and the state of the sackOK flag. By a process of elimination we can work out which OS is running on the host of interest, and the utilities discussed below make that job easier.
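To make the passive approach concrete, here is an added example (not code from the article or from any of the tools it covers) that pulls the fields listed above out of a raw IPv4/TCP SYN header and applies the article's two heuristics: initial TTL 64 points at Linux or FreeBSD, and a missing DF bit points at OpenBSD. The sample packets are constructed in the code, not real captures; the rounding of the observed TTL up to 64/128/255 is an assumption added here, since every router hop decrements the TTL.

```python
import struct

# Constructed sample packets (not real captures): a minimal IPv4 header followed by a
# TCP SYN with options, i.e. the fields a passive sniffer would read off the wire.
def build_syn(ttl, df, window, mss=None, wscale=None, sack_ok=False):
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)          # option kind 2: MSS
    if sack_ok:
        opts += bytes([4, 2])                            # kind 4: SACK permitted
    if wscale is not None:
        opts += struct.pack("!BBB", 3, 3, wscale)        # kind 3: window scale
    opts += b"\x01" * (-len(opts) % 4)                   # NOP padding to a 32-bit boundary
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp

def extract_features(pkt):
    """Pull TTL, DF, window size and the SYN options out of raw IPv4/TCP bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)  # DF is bit 14 of flags/fragment
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    f = {"ttl": pkt[8], "df": df, "window": struct.unpack("!H", tcp[14:16])[0],
         "mss": None, "wscale": None, "sack_ok": False}
    opts, i = tcp[20:doff], 0
    while i < len(opts) and opts[i] != 0:                # kind 0 = end of options
        if opts[i] == 1:                                  # kind 1 = NOP, single byte
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if kind == 2:
            f["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            f["wscale"] = opts[i + 2]
        elif kind == 4:
            f["sack_ok"] = True
        i += length
    return f

def guess_os(f):
    """Article heuristics; observed TTL rounded up to a common initial value (assumption)."""
    initial_ttl = next(t for t in (64, 128, 255) if f["ttl"] <= t)
    hints = []
    if initial_ttl == 64:
        hints.append("Linux or FreeBSD (initial TTL 64)")
    if not f["df"]:
        hints.append("OpenBSD (DF bit not set)")
    return initial_ttl, hints
```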
Nmap
- Site: nmap.org
- Platform: GNU/Linux, macOS, Windows (x86)
This is a very popular cross-platform tool with a rich history and a wide arsenal of functionality. It can do a great deal beyond fingerprinting, but we are primarily interested in its "reconnaissance capabilities".
The current version, Nmap 7.80, has an intuitive graphical interface, but for the old-timers a command-line mode is provided as well. In that case you can use the command `nmap -O -Pn <host>`, where `<host>` is the address of the system under investigation (`-O` enables OS detection, `-Pn` skips host discovery). The especially stubborn can compile the tool from the sources kindly published on the developers' website.
The utility gives a verdict on the operating system installed on the host, and the confidence it assigns to a given guess can reach 90% or more. In principle, that is quite enough to understand which direction to dig in next.
In addition, the program kindly displays information about the version of the server running there, the open ports, the results of DNS queries, IP and IPv6 addresses, and Classless Inter-Domain Routing (CIDR) data. The tool can perform a reverse DNS lookup and shows a great deal of other useful information as well. Nmap offers several scanning scenarios, and the choice depends on the researcher's objectives.
The principles of the program are described in detail in the documentation on the official website, and if Nmap's basic capabilities are not enough for you, you can read the article on extending them. The utility is really very powerful: it even lets you bypass firewalls, perform DoS and other types of attacks. In a word, a useful tool if you know how to handle it.