OS profiling for noobs like Pash

PashPash Member Posts: 1,600 ■■■■■□□□□□
Hi Security nuts!,

Ok so, you guys can earn your salt with me today if you have suggestions :D. The homies from IBM security division are giving me **** again this week. They have completed a PEN test this week again for my customer. They seem to think that we havent actually fixed an underlying issue with the good ole windows NULL sessions security entailments that have been going on for years.

They claim, that SMB can leak operating system information over port TCP 445 (or I am guessing over 139 as well if NETBT is on right?).

First of all, they suggest the Fix is the good old "RestrictAnonymous" registry change. This is fine, but this still does not stop anonymous connections to the server.

They then go on to mention changing the "TransportBindName" reg info to block access to port 445 on the server.

My question is (because they don't reveal it), how are IBM doing their OS profiling using SMB/NBTSTAT or whatever they are using when they have an anonymous connection with their servers?

If you can help me out, it's rep, e-cookies and a beer if ever in Central London :)

Cheers,

Pash
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
«1

Comments

  • down77down77 Member Posts: 1,009
    It sounds like they are using simple reconnaissance and enumeration techniques that even most entry level ethical hackers would use. One of the most common ways to detect which operating system may be at a certain ip address is probe through various ports/protocols such as tcp, udp, icmp, etc to see what is open and how they respond. Almost every operating system handles their response differently and by detecting the details within the reponse one can intelligently guess and detect the operating system as well as find any potential open ports for exploitation.

    Take a look at the Remote OS Detection chapter from NMAP:

    Chapter*8.*Remote OS Detection

    There are a number of tools that allow you to do both active and passive reconnaissance and you may want to play around in a lab environment to the types of responses you may get. For a previous company, we would actually manipulate the packet through our F5 to mask detection from external sources.... and various other methods to assist with internal security.

    Edit: Here is an example using NMap in my lab with simple arguments -sT -A (simple Connect scan with OS fingerprinting)

    Discovered open port 25/tcp on 10.x.x.x
    Discovered open port 110/tcp on 10.x.x.x
    Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
    Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
    Discovered open port 1025/tcp on 10.x.x.x
    Discovered open port 3389/tcp on 10.x.x.x <---- RDP
    Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
    Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

    Based on that, can you guess the OS?
    CCIE Sec: Starting Nov 11
  • tierstentiersten Member Posts: 4,505
    What down77 said. Send a server specially crafted packets and see how it responds.

    Depending on what other services are running on this server, you may be revealing information via error pages or special commands. You know a site is running PHP if it responds to any of the special PHP GUIDs etc...
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    Also can't you use ping to differentiate between unix and windows? If I am remembering right, windows uses a default TTL of 128 while Unix systems have a default of 64.
    Decide what to be and go be it.
  • down77down77 Member Posts: 1,009
    Devilsbane wrote: »
    Also can't you use ping to differentiate between unix and windows? If I am remembering right, windows uses a default TTL of 128 while Unix systems have a default of 64.

    One problem you could run into with this is what if the device you are trying to ping is an appliance/printer/router/etc? Basing it on ping alone leaves too many type 1 errors (false positive).
    CCIE Sec: Starting Nov 11
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    How do you have restrict anonymous configured? 1 doesn't cut it ;)

    SecurityFriday ["RestrictAnonymous=1" has no meaning !]
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    Discovered open port 25/tcp on 10.x.x.x
    Discovered open port 110/tcp on 10.x.x.x
    Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
    Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
    Discovered open port 1025/tcp on 10.x.x.x
    Discovered open port 3389/tcp on 10.x.x.x <---- RDP
    Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
    Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

    Based on that, can you guess the OS?

    Honestly, no.

    It could still be a desktop running those services? Nothing says that has to be a server to me. Even NBTSTAT gives me more of a hunch with netbios names coming back at me. You don't call a server CWS001 do you? You call it SVR001 or something. But there again I guess that's why I don't work in security, you will probably tell me it's all down to the way the listening ports are ordered or something ;)

    But, your points are all taken on board, in reality this is a perfect opportunity for me to learn some stuff about hacking techniques. But in the real real world, im on annual leave next week and I need to get a solution to them by Friday :D So I guess I have some more work to be doing tomorrow icon_sad.gif

    Ohh and Andy, it's set to 2. But still, its been working in production for months without issue. Also, update your blog you lazy bozo, im interested in reading your's and Paul's rambling's ;)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Sorry dude, school's killing me. I just need to survive another two months, and then I'm going to hit the blog hard.

    Actually, that'll provide tools with a ton of information. Get Nmap and run nmap -O <ip>

    Run p0f and just connect to shares, remote desktop, etc.

    The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

    Edit: Metasploit has some SMB scanning utilities that do OS fingerprinting as well: http://www.metasploit.com/modules/auxiliary/scanner/smb/smb_login

    It sounds like they might just be wanting you to disable NetBIOS altogether.

    Also, it's really weak to not disclose your methods. Every report I write includes screen shots of the tools I use, commands I run, etc. I want the person reading the report to be able to recreate whatever condition and see it for themselves. I think that adds value...
  • moss12moss12 Banned Posts: 220 ■■□□□□□□□□
    Hey Pash,

    You have come a long way from retail assistant to successful IT personal.
    What position are you doing now? very inspiring indeed.
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    down77 wrote: »

    Discovered open port 25/tcp on 10.x.x.x
    Discovered open port 110/tcp on 10.x.x.x
    Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
    Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
    Discovered open port 1025/tcp on 10.x.x.x
    Discovered open port 3389/tcp on 10.x.x.x <---- RDP
    Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
    Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

    Based on that, can you guess the OS?

    What is Windows Sever (2003?)?
  • tierstentiersten Member Posts: 4,505
    Pash wrote: »
    Discovered open port 25/tcp on 10.x.x.x
    Discovered open port 110/tcp on 10.x.x.x
    Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
    Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
    Discovered open port 1025/tcp on 10.x.x.x
    Discovered open port 3389/tcp on 10.x.x.x <---- RDP
    Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
    Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

    Based on that, can you guess the OS?

    Honestly, no.

    It could still be a desktop running those services? Nothing says that has to be a server to me.
    25 = SMTP
    80 = Web
    110 = POP
    135 = DCOM
    139 = NetBIOS
    445 = SMB over TCP so Win2K+
    1025 = Most likely Windows RPC
    3389 = RDP

    These are just based on what are the well known port allocations. There isn't anything stopping you from running your webserver on port 4953 and your SMTP server on port 80 except for making it difficult for others to use.

    Assuming that no ports are blocked then we're probably looking at a W2K+ machine. Its got SMTP and POP running but none of the other Exchange ports. The webserver doesn't have SSL enabled as its only listening to port 80. It is unlikely to be a *NIX server running Samba due to the combination of services that are running but it is possible that it could be.

    Considering it does have SMTP, POP and a web server running then I'd hazard a guess that it is one of the server editions of Windows and not a regular workstation.

    So yes. It is possible to do some reasonable guesses just based on what ports have something listening on them.

    If you run some of the tools that Dynamik listed then you'll find out even more. You don't even need user accounts to gather this information.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    knwminus wrote: »
    What is Windows Sever (2003?)?
    for p in 25 80 110 135 139 445 1025 3389 ; do { ncat -lk $p & }; done
    

    Ghetto Honeypot...
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    dynamik wrote: »
    for p in 25 80 110 135 139 445 1025 3389 ; do { ncat -lk $p & }; done
    
    Ghetto Honeypot...


    I am assuming the first part sets monitoring on those ports coming inbound. What does the part "Do { ncat..." do?
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    I'm not your wife; run it and find out. Then do a netstat -antp.

    (That is using the Nmap version of netcat; you might have to adjust it slightly based on what you have installed.)
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    dynamik wrote: »
    I'm not your wife; run it and find out. Then do a netstat -antp.

    (That is using the Nmap version of netcat; you might have to adjust it slightly based on what you have installed.)

    Meh. I guess I have no choice. Will you at least tell me if it is the same for vanilla nmap on say a ubuntu or fedora laptop? Or do I have to look that up to ? lol
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    knwminus wrote: »
    Meh. I guess I have no choice. Will you at least tell me if it is the same for vanilla nmap on say a ubuntu or fedora laptop? Or do I have to look that up to ? lol

    Sorry dude, you're past the hand-holding stage. Worse-case scenario is you get an error. Then you have something to Google... icon_lol.gif

    Read-up on Bash for-loops while you're at it icon_cool.gif
  • Bl8ckr0uterBl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    dynamik wrote: »
    Sorry dude, you're past the hand-holding stage. Worse-case scenario is you get an error. Then you have something to Google... icon_lol.gif

    Read-up on Bash for-loops while you're at it icon_cool.gif

    Ouch. When did that happen? I don't even have my security plus yet icon_redface.gif. Fair enough. Guess that adds one more thing I have to do tonight.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    knwminus wrote: »
    I don't even have my security plus yet icon_redface.gif.

    I've noticed; I've seen CCIE logs shorter than the one you have going for your Security+. ;)

    Seriously though, CCNA: Security trumps that by far. No whining allowed :D
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    dynamik wrote: »
    Sorry dude, school's killing me. I just need to survive another two months, and then I'm going to hit the blog hard.

    Actually, that'll provide tools with a ton of information. Get Nmap and run nmap -O <ip>

    Run p0f and just connect to shares, remote desktop, etc.

    The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

    Edit: Metasploit has some SMB scanning utilities that do OS fingerprinting as well: Metasploit Penetration Testing Framework - Module Browser

    It sounds like they might just be wanting you to disable NetBIOS altogether.

    Also, it's really weak to not disclose your methods. Every report I write includes screen shots of the tools I use, commands I run, etc. I want the person reading the report to be able to recreate whatever condition and see it for themselves. I think that adds value...

    haha mate no need to apologise, I am just interested in reading more of the same and I think you have a good combo with you two writing stuff. :)

    Thanks very much for the advice mate, as with the others!

    And yeh I agree, I think IBM just think it's ok to put their headed logo everywhere and think they can call themselves decent pen testers. I have seen pen tests from other vendors for other customers and they have included their methods.
    moss12 wrote: »
    Hey Pash,

    You have come a long way from retail assistant to successful IT personal.
    What position are you doing now? very inspiring indeed.

    I do such a broad IT job that it's a nightmare to move away from. That said, ive been to interviews, second interviews for the last 6 months. Only one instance was a step forwards rather than a side step, and I lost out to a single other candidate. For now, I am still searching, but happy doing 1st/2nd/3rd line all in one :p

    Cheers to the rest of ya, points taken!
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • down77down77 Member Posts: 1,009
    dynamik wrote: »
    Run p0f and just connect to shares, remote desktop, etc.

    The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

    What... no tcpdump or wireshark as well?

    Yes the example I posted was from a Win2k3 Server running as a honeypot in a lab environment.

    I also agree that IBM *should* have posted their methods but many times large organizations consider them as "internal" or "proprietary."
    CCIE Sec: Starting Nov 11
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    down77 wrote: »
    What... no tcpdump or wireshark as well?

    You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.
    down77 wrote: »
    I also agree that IBM *should* have posted their methods but many times large organizations consider them as "internal" or "proprietary."

    Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

    Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    dynamik wrote: »
    You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.



    Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

    Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.

    I so wish we could get you guys to do these pen tests. Unfortunately the call comes from HO which for our customers means Tokyo.

    I am using zenmap atm (does this mean I am a gui noob? icon_sad.gif), it's very handy. Just trying different ideas.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • down77down77 Member Posts: 1,009
    dynamik wrote: »
    You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.



    Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

    Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.

    I am still but a padawan oh Jedi Master... but what self respecting Cyber-Jedi doesn't keep a sniffer/packet analyzer going when getting down and dirty!

    Seriously though, I do have some coworkers that can look at the raw packet **** and tell you way too much about the target. Maybe not every intimate detail, but a surprising amount of information can be detected. I also hope to get to this level in the next few years but in the meantime I'm still learning..

    Oh, and another fun link for you guys on the topic:

    OS Fingerprinting through RTOs
    CCIE Sec: Starting Nov 11
  • down77down77 Member Posts: 1,009
    Pash wrote: »
    I so wish we could get you guys to do these pen tests. Unfortunately the call comes from HO which for our customers means Tokyo.

    I am using zenmap atm (does this mean I am a gui noob? icon_sad.gif), it's very handy. Just trying different ideas.

    Zenmap is a great tool and to be honest, I use it as well on my main OS partition (work requires Windows as primary OS). There is nothing wrong with using a GUI as long as you understand what is going on behind the scene.
    CCIE Sec: Starting Nov 11
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    Pash wrote: »
    I am using zenmap atm (does this mean I am a gui noob? icon_sad.gif), it's very handy. Just trying different ideas.

    Yep, we can still be friends though.
    down77 wrote: »
    I am still but a padawan oh Jedi Master... but what self respecting Cyber-Jedi doesn't keep a sniffer/packet analyzer going when getting down and dirty!

    I always do. I actually use windump since my host OS is Win7, and I have various attack VMs bridged through that. It's necessary because sometimes you have people freak the eff out when something goes wrong on their network. No matter what it is, they always blame you. You have to cover yourself.

    If you want to have some fun with pcaps, check out: NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer

    We always review ours once we get back at the hotel. We've found places that are seriously misconfigured and blasting out passwords in clear-text, etc. You can often find some interesting things.
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    Wow. Ive enjoyed today, in between the odd crappy call about opening polciies on our customers ssg's I have been working on this in vmware!

    I think the best solution I have to completely lock down this stuff, ie stop anonymous null sessions and stop OS profiling is to implement full IPSEC policy with Kerbaros authentication. You don't have a token you are not coming in.

    I am not sure about the overhead on this yet, and of course, not even DORA will fire off on an ip renew if your server is running DHCP.

    Great stuff. Let's do some more testing.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • tierstentiersten Member Posts: 4,505
    Pash wrote: »
    stop OS profiling is to implement full IPSEC policy with Kerbaros authentication. You don't have a token you are not coming in.
    You're going to insist that you use IPSEC to even connect to your servers? o.O
  • PashPash Member Posts: 1,600 ■■■■■□□□□□
    tiersten wrote: »
    You're going to insist that you use IPSEC to even connect to your servers? o.O

    not saying we will recommend it. i need to get the policy working first and understand how much i can lock down with it as well as the overhead for doing this.
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • tierstentiersten Member Posts: 4,505
    Pash wrote: »
    not saying we will recommend it. i need to get the policy working first and understand how much i can lock down with it as well as the overhead for doing this.
    You're nuts :P The server is going to slow to a crawl if you do this.

    You also won't be able to stop the profiling from probing the network stack.
  • tierstentiersten Member Posts: 4,505
    Enable the firewall and only allow connections to services that require network access. e.g. It is unlikely that you need the ability to use DCOM over the network.
    Disable all unnecessary services.
    Change any settings for network services like the anonymous settings for CIFS.
    Check that the security settings are correct for all accounts and services. A good one to check is for extra OUs. I'v seen so many places with weird test OUs that somebody added but never removed.

    Doing crazy things like insisting every connection to your server has use IPSEC is just overboard and you'll run into performance problems along with a massive load of compatibility issues. The crypto operations alone in IPSEC will chew up a large percentage of your CPU. It won't stop the ability for tools like NMAP to probe the network stack by sending malformed or invalid packets and seeing how the server responds anyway.

    Restricting the release of system information as much as possible is a good thing but at the end of the day, you can't completely block it. Your users still have to be able to connect to the server. The services you run are most likely not under your complete control so you won't be able to modify them to not expose certain snippets of information. It isn't the end of the world if I work out that the server is a W2K3 box so long as you've properly secured it. The IBM team are complaining because you're exposing information like shares when you can hide it easily.
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
    One place put us on a really locked down switchport with NAC; we couldn't see anything. What was the point of having us come out for a test? There was an unused workstation next to us with an unrestricted connection to the internal network. If only they put as much effort into physical security... icon_lol.gif
Sign In or Register to comment.