OS profiling for noobs like Pash

It sounds like they are using simple reconnaissance and enumeration techniques that even most entry level ethical hackers would use. One of the most common ways to detect which operating system may be at a certain ip address is probe through various ports/protocols such as tcp, udp, icmp, etc to see what is open and how they respond. Almost every operating system handles their response differently and by detecting the details within the reponse one can intelligently guess and detect the operating system as well as find any potential open ports for exploitation.

Take a look at the Remote OS Detection chapter from NMAP:

Chapter*8.*Remote OS Detection

There are a number of tools that allow you to do both active and passive reconnaissance and you may want to play around in a lab environment to the types of responses you may get. For a previous company, we would actually manipulate the packet through our F5 to mask detection from external sources.... and various other methods to assist with internal security.

Edit: Here is an example using NMap in my lab with simple arguments -sT -A (simple Connect scan with OS fingerprinting)

Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?

What down77 said. Send a server specially crafted packets and see how it responds.

Depending on what other services are running on this server, you may be revealing information via error pages or special commands. You know a site is running PHP if it responds to any of the special PHP GUIDs etc...

Devilsbane

Also can't you use ping to differentiate between unix and windows? If I am remembering right, windows uses a default TTL of 128 while Unix systems have a default of 64.

Devilsbane wrote: »

Also can't you use ping to differentiate between unix and windows? If I am remembering right, windows uses a default TTL of 128 while Unix systems have a default of 64.

One problem you could run into with this is what if the device you are trying to ping is an appliance/printer/router/etc? Basing it on ping alone leaves too many type 1 errors (false positive).

SecurityFriday ["RestrictAnonymous=1" has no meaning !]

How do you have restrict anonymous configured? 1 doesn't cut it

Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?

Honestly, no.

It could still be a desktop running those services? Nothing says that has to be a server to me. Even NBTSTAT gives me more of a hunch with netbios names coming back at me. You don't call a server CWS001 do you? You call it SVR001 or something. But there again I guess that's why I don't work in security, you will probably tell me it's all down to the way the listening ports are ordered or something

But, your points are all taken on board, in reality this is a perfect opportunity for me to learn some stuff about hacking techniques. But in the real real world, im on annual leave next week and I need to get a solution to them by Friday

So I guess I have some more work to be doing tomorrow

Ohh and Andy, it's set to 2. But still, its been working in production for months without issue. Also, update your blog you lazy bozo, im interested in reading your's and Paul's rambling's

Sorry dude, school's killing me. I just need to survive another two months, and then I'm going to hit the blog hard.

Actually, that'll provide tools with a ton of information. Get Nmap and run nmap -O <ip>

Run p0f and just connect to shares, remote desktop, etc.

The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

Edit: Metasploit has some SMB scanning utilities that do OS fingerprinting as well: http://www.metasploit.com/modules/auxiliary/scanner/smb/smb_login

It sounds like they might just be wanting you to disable NetBIOS altogether.

Also, it's really weak to not disclose your methods. Every report I write includes screen shots of the tools I use, commands I run, etc. I want the person reading the report to be able to recreate whatever condition and see it for themselves. I think that adds value...

moss12

Hey Pash,

You have come a long way from retail assistant to successful IT personal.
What position are you doing now? very inspiring indeed.

down77 wrote: »

Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?

What is Windows Sever (2003?)?

Pash wrote: »

Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?

Honestly, no.

It could still be a desktop running those services? Nothing says that has to be a server to me.

25 = SMTP
80 = Web
110 = POP
135 = DCOM
139 = NetBIOS
445 = SMB over TCP so Win2K+
1025 = Most likely Windows RPC
3389 = RDP

These are just based on what are the well known port allocations. There isn't anything stopping you from running your webserver on port 4953 and your SMTP server on port 80 except for making it difficult for others to use.

Assuming that no ports are blocked then we're probably looking at a W2K+ machine. Its got SMTP and POP running but none of the other Exchange ports. The webserver doesn't have SSL enabled as its only listening to port 80. It is unlikely to be a *NIX server running Samba due to the combination of services that are running but it is possible that it could be.

Considering it does have SMTP, POP and a web server running then I'd hazard a guess that it is one of the server editions of Windows and not a regular workstation.

So yes. It is possible to do some reasonable guesses just based on what ports have something listening on them.

If you run some of the tools that Dynamik listed then you'll find out even more. You don't even need user accounts to gather this information.

knwminus wrote: »

What is Windows Sever (2003?)?

for p in 25 80 110 135 139 445 1025 3389 ; do { ncat -lk $p & }; done

Ghetto Honeypot...

dynamik wrote: »
for p in 25 80 110 135 139 445 1025 3389 ; do { ncat -lk $p & }; done
Ghetto Honeypot...

I am assuming the first part sets monitoring on those ports coming inbound. What does the part "Do { ncat..." do?

I'm not your wife; run it and find out. Then do a netstat -antp.

(That is using the Nmap version of netcat; you might have to adjust it slightly based on what you have installed.)

dynamik wrote: »

I'm not your wife; run it and find out. Then do a netstat -antp.

(That is using the Nmap version of netcat; you might have to adjust it slightly based on what you have installed.)

Meh. I guess I have no choice. Will you at least tell me if it is the same for vanilla nmap on say a ubuntu or fedora laptop? Or do I have to look that up to ? lol

knwminus wrote: »

Meh. I guess I have no choice. Will you at least tell me if it is the same for vanilla nmap on say a ubuntu or fedora laptop? Or do I have to look that up to ? lol

Sorry dude, you're past the hand-holding stage. Worse-case scenario is you get an error. Then you have something to Google...

Read-up on Bash for-loops while you're at it

dynamik wrote: »

Sorry dude, you're past the hand-holding stage. Worse-case scenario is you get an error. Then you have something to Google...

Read-up on Bash for-loops while you're at it

Ouch. When did that happen? I don't even have my security plus yet

. Fair enough. Guess that adds one more thing I have to do tonight.

knwminus wrote: »

I don't even have my security plus yet .

I've noticed; I've seen CCIE logs shorter than the one you have going for your Security+.

Seriously though, CCNA: Security trumps that by far. No whining allowed

dynamik wrote: »

Sorry dude, school's killing me. I just need to survive another two months, and then I'm going to hit the blog hard.

Actually, that'll provide tools with a ton of information. Get Nmap and run nmap -O <ip>

Run p0f and just connect to shares, remote desktop, etc.

The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

Edit: Metasploit has some SMB scanning utilities that do OS fingerprinting as well: Metasploit Penetration Testing Framework - Module Browser

It sounds like they might just be wanting you to disable NetBIOS altogether.

Also, it's really weak to not disclose your methods. Every report I write includes screen shots of the tools I use, commands I run, etc. I want the person reading the report to be able to recreate whatever condition and see it for themselves. I think that adds value...

haha mate no need to apologise, I am just interested in reading more of the same and I think you have a good combo with you two writing stuff.

Thanks very much for the advice mate, as with the others!

And yeh I agree, I think IBM just think it's ok to put their headed logo everywhere and think they can call themselves decent pen testers. I have seen pen tests from other vendors for other customers and they have included their methods.

moss12 wrote: »

Hey Pash,

You have come a long way from retail assistant to successful IT personal.
What position are you doing now? very inspiring indeed.

I do such a broad IT job that it's a nightmare to move away from. That said, ive been to interviews, second interviews for the last 6 months. Only one instance was a step forwards rather than a side step, and I lost out to a single other candidate. For now, I am still searching, but happy doing 1st/2nd/3rd line all in one

Cheers to the rest of ya, points taken!

dynamik wrote: »

Run p0f and just connect to shares, remote desktop, etc.

The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

What... no tcpdump or wireshark as well?

Yes the example I posted was from a Win2k3 Server running as a honeypot in a lab environment.

I also agree that IBM *should* have posted their methods but many times large organizations consider them as "internal" or "proprietary."

down77 wrote: »

What... no tcpdump or wireshark as well?

You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.

down77 wrote: »

I also agree that IBM *should* have posted their methods but many times large organizations consider them as "internal" or "proprietary."

Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.

dynamik wrote: »

You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.

Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.

I so wish we could get you guys to do these pen tests. Unfortunately the call comes from HO which for our customers means Tokyo.

I am using zenmap atm (does this mean I am a gui noob?

), it's very handy. Just trying different ideas.

dynamik wrote: »

You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.

Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.

I am still but a padawan oh Jedi Master... but what self respecting Cyber-Jedi doesn't keep a sniffer/packet analyzer going when getting down and dirty!

Seriously though, I do have some coworkers that can look at the raw packet **** and tell you way too much about the target. Maybe not every intimate detail, but a surprising amount of information can be detected. I also hope to get to this level in the next few years but in the meantime I'm still learning..

Oh, and another fun link for you guys on the topic:

OS Fingerprinting through RTOs

Pash wrote: »

I so wish we could get you guys to do these pen tests. Unfortunately the call comes from HO which for our customers means Tokyo.

I am using zenmap atm (does this mean I am a gui noob? ), it's very handy. Just trying different ideas.

Zenmap is a great tool and to be honest, I use it as well on my main OS partition (work requires Windows as primary OS). There is nothing wrong with using a GUI as long as you understand what is going on behind the scene.

Pash wrote: »

I am using zenmap atm (does this mean I am a gui noob? ), it's very handy. Just trying different ideas.

Yep, we can still be friends though.

down77 wrote: »

I am still but a padawan oh Jedi Master... but what self respecting Cyber-Jedi doesn't keep a sniffer/packet analyzer going when getting down and dirty!

I always do. I actually use windump since my host OS is Win7, and I have various attack VMs bridged through that. It's necessary because sometimes you have people freak the eff out when something goes wrong on their network. No matter what it is, they always blame you. You have to cover yourself.

If you want to have some fun with pcaps, check out: NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer

We always review ours once we get back at the hotel. We've found places that are seriously misconfigured and blasting out passwords in clear-text, etc. You can often find some interesting things.

Wow. Ive enjoyed today, in between the odd crappy call about opening polciies on our customers ssg's I have been working on this in vmware!

I think the best solution I have to completely lock down this stuff, ie stop anonymous null sessions and stop OS profiling is to implement full IPSEC policy with Kerbaros authentication. You don't have a token you are not coming in.

I am not sure about the overhead on this yet, and of course, not even DORA will fire off on an ip renew if your server is running DHCP.

Great stuff. Let's do some more testing.

Pash wrote: »

stop OS profiling is to implement full IPSEC policy with Kerbaros authentication. You don't have a token you are not coming in.

You're going to insist that you use IPSEC to even connect to your servers? o.O

tiersten wrote: »

You're going to insist that you use IPSEC to even connect to your servers? o.O

not saying we will recommend it. i need to get the policy working first and understand how much i can lock down with it as well as the overhead for doing this.

Pash wrote: »

not saying we will recommend it. i need to get the policy working first and understand how much i can lock down with it as well as the overhead for doing this.

You're nuts :P The server is going to slow to a crawl if you do this.

You also won't be able to stop the profiling from probing the network stack.

Enable the firewall and only allow connections to services that require network access. e.g. It is unlikely that you need the ability to use DCOM over the network.
Disable all unnecessary services.
Change any settings for network services like the anonymous settings for CIFS.
Check that the security settings are correct for all accounts and services. A good one to check is for extra OUs. I'v seen so many places with weird test OUs that somebody added but never removed.

Doing crazy things like insisting every connection to your server has use IPSEC is just overboard and you'll run into performance problems along with a massive load of compatibility issues. The crypto operations alone in IPSEC will chew up a large percentage of your CPU. It won't stop the ability for tools like NMAP to probe the network stack by sending malformed or invalid packets and seeing how the server responds anyway.

Restricting the release of system information as much as possible is a good thing but at the end of the day, you can't completely block it. Your users still have to be able to connect to the server. The services you run are most likely not under your complete control so you won't be able to modify them to not expose certain snippets of information. It isn't the end of the world if I work out that the server is a W2K3 box so long as you've properly secured it. The IBM team are complaining because you're exposing information like shares when you can hide it easily.