Saturday, 2 February 2013

Active Operating System Identification

The active techniques discussed here either query the host or services
directly to deduce the operating system, or direct more general queries
at the IP stack and check the responses for known patterns.

Banners
Many services will pass information to a client on completion of the
3-way handshake, or after a simple protocol query. Telnet-ing or FTP-ing
to a host will often reveal the host OS type and the software type and
versions as part of the welcome message (commonly referred to as the
banner). Furthermore, by using telnet or a tool such as NetCat (nc) we
may connect to any port - for example the web port - and construct
simple queries to trigger further responses containing valuable
software and OS information.
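As an added example (not code from the original post), the following Python script shows the two halves of what the paragraph describes from a defender's side: the minimal request one would type into nc or telnet on the web port, and a parser that pulls software, version and OS hints out of the greetings that FTP, SSH and HTTP typically send. The banners are constructed samples, and the function and variable names are this example's own; running it against your own hosts shows which services still disclose platform detail that a hardened configuration would suppress.

```python
import re

# Constructed sample banners for the demonstration; none were captured
# from a real host.
SAMPLE_BANNERS = {
    "ftp":   "220 srv01 FTP server (Version wu-2.6.2(1) Mon Jan 14 2013) ready.\r\n",
    "ssh":   "SSH-2.0-OpenSSH_5.3 Debian-3ubuntu7\r\n",
    "http":  "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22 (Ubuntu)\r\n"
             "Content-Type: text/html\r\n\r\n",
    "quiet": "220 FTP service ready.\r\n",
}

# Platform names that commonly appear verbatim in greetings and headers.
OS_HINTS = ("Debian", "Ubuntu", "Red Hat", "CentOS", "FreeBSD", "SunOS",
            "Windows", "Win32")


def http_head_request(host, path="/"):
    """The minimal request typed into nc/telnet on the web port to provoke
    a response header block (HEAD avoids pulling the whole page body)."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def parse_banner(text):
    """Pull software name, version and OS hint out of a service banner.

    Handles three common shapes: an SSH identification string, an HTTP
    response with a Server header, and an FTP 220 greeting carrying a
    'Version name-x.y' phrase.  Anything else yields all-None.
    """
    info = {"software": None, "version": None, "os": None}
    first = text.splitlines()[0].strip() if text.strip() else ""

    # SSH: "SSH-2.0-OpenSSH_5.3 Debian-3ubuntu7"
    m = re.match(r"^SSH-\d\.\d-([A-Za-z]+)[_-]?([\d.p]+)?", first)
    if m:
        info["software"], info["version"] = m.group(1), m.group(2)

    # HTTP: "Server: Apache/2.2.22 (Ubuntu)" anywhere in the header block
    if info["software"] is None:
        m = re.search(r"^Server:\s*([^/\s]+)/([\d.]+)", text, re.M)
        if m:
            info["software"], info["version"] = m.group(1), m.group(2)

    # FTP: "220 ... (Version wu-2.6.2(1) ...) ready."
    if info["software"] is None and first.startswith("220"):
        m = re.search(r"Version\s+([A-Za-z]+)-(\d[\d.()]*)", first)
        if m:
            info["software"], info["version"] = m.group(1), m.group(2)

    # First platform name found anywhere in the banner wins.
    for hint in OS_HINTS:
        if hint in text:
            info["os"] = hint
            break
    return info


def discloses_platform(info):
    """True when the banner gave away a version or OS name."""
    return info["version"] is not None or info["os"] is not None


def audit(banners):
    """Parse every banner and flag the ones that leak version/OS detail."""
    report = {}
    for name, banner in banners.items():
        info = parse_banner(banner)
        report[name] = (info, discloses_platform(info))
    return report


if __name__ == "__main__":
    for name, (info, leaks) in audit(SAMPLE_BANNERS).items():
        print(f"{name:6s} {info}  leaks={leaks}")
```

The "quiet" sample is what a deliberately obscured greeting looks like: the parser finds nothing, which is the result you want to see from your own hosts.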

Binaries
If we have FTP access to a host, and the banners have been deliberately
obscured, we still have other options. Many FTP servers will allow
download of the utilities in the ~ftp/bin directory (ls, cd, etc.). By
grabbing and examining these binaries, we should find compilation
information, including compiler and OS information for the platform.

Port Signatures
The services revealed on a simple port scan can disclose considerable
information about the underlying system.
Windows Computers
Windows computers normally have a selection of TCP and UDP ports open
among 137, 138 and 139 (NetBIOS Name, Datagram and Session services).
An NT or 2000 server may be identified by the small services running -
e.g. finger on TCP/79, which normally won’t be found on a Windows 9x
box.
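As an added example (not code from the original post), this Python script turns the port signatures above into a small classifier: given the open TCP and UDP ports from a scan, it lists the evidence (NetBIOS 137/138/139, finger on TCP/79) and applies the post's rule that finger points at an NT/2000 server rather than a 9x box. The scan results are constructed, and the names are this example's own; the same function doubles as a hardening check, since every port it cites as evidence is one a defender can consider filtering.

```python
# Constructed scan results, {host: {"tcp": {...}, "udp": {...}}}; not from
# any real network.  21/23/80 stand in for ordinary FTP, telnet and web
# services that carry no OS signal on their own.
SAMPLE_SCANS = {
    "host-a": {"tcp": {21, 79, 139}, "udp": {137, 138}},
    "host-b": {"tcp": {139}, "udp": {137, 138}},
    "host-c": {"tcp": {23, 80}, "udp": set()},
}

# The port signatures named in the post, keyed by (protocol, port).
PORT_SIGNATURES = {
    ("udp", 137): "NetBIOS Name Service",
    ("udp", 138): "NetBIOS Datagram Service",
    ("tcp", 139): "NetBIOS Session Service",
    ("tcp", 79):  "finger (an NT/2000 'small service')",
}

NETBIOS_PORTS = {137, 138, 139}


def fingerprint_ports(tcp_open, udp_open):
    """Return the (protocol, port) pairs in the scan that give away the
    platform, i.e. the ones a defender would consider filtering."""
    found = set()
    for (proto, port) in PORT_SIGNATURES:
        open_set = tcp_open if proto == "tcp" else udp_open
        if port in open_set:
            found.add((proto, port))
    return found


def infer_os(tcp_open, udp_open):
    """Apply the post's rules: NetBIOS ports mean Windows; finger on
    TCP/79 alongside them means an NT/2000 server rather than 9x.

    Returns (guess, evidence) where evidence is a list of service names.
    """
    hits = fingerprint_ports(tcp_open, udp_open)
    evidence = [PORT_SIGNATURES[k] for k in sorted(hits)]
    netbios = bool(NETBIOS_PORTS & (tcp_open | udp_open))

    if netbios and 79 in tcp_open:
        guess = "Windows NT/2000"
    elif netbios:
        guess = "Windows (9x or NT family)"
    else:
        guess = "unknown"
    return guess, evidence


def exposure_report(scans):
    """Per host: the OS guess and the ports that made the guess possible."""
    report = {}
    for host, ports in scans.items():
        guess, evidence = infer_os(ports["tcp"], ports["udp"])
        report[host] = {
            "guess": guess,
            "evidence": evidence,
            "ports_to_review": sorted(fingerprint_ports(ports["tcp"], ports["udp"])),
        }
    return report


if __name__ == "__main__":
    for host, entry in exposure_report(SAMPLE_SCANS).items():
        print(host, entry["guess"], entry["ports_to_review"])
```

host-a triggers the NT/2000 rule because finger is open next to the NetBIOS trio; host-b has only the trio, so the classifier cannot separate 9x from NT; host-c shows nothing the post's signatures recognise.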
