Os fingerprinting
Exercise 1 - OS Fingerprinting
OS fingerprinting can be classified into two types, namely active and passive fingerprinting. Active fingerprinting is the most reliable and accurate when compared to passive fingerprinting technique. However, active fingerprinting cannot be used in highly secured or firewalled environments as it may trigger an alert to the network administrator. On the other hand, passive fingerprinting enables the attackers to anonymously identify the operating system on the target host.
In this exercise, you will use Nmap to perform active OS fingerprinting and P0F tool to perform passive OS fingerprinting.
Please refer to your course material or use your preferred search engine to research this topic in more detail.
Task 1 - Identifying Operating System Running on Remote Host using Nmap
In this task, you will actively determine the operating system running on PLABSA01 device. You will use Nmap to perform this task. In the first steps, you will connect to PLABKALI01.
Step 1
Ensure you have powered on the required devices and connect to PLABKALI01.
Type root in the Username field.
Step 2
When prompted, type the following password in the Password field:
Passw0rdClick Sign In.
Step 3
The PLABKALI01 desktop is displayed.
Step 4
From the desktop of the PLABKALI device, click Root Terminal icon located on the taskbar on the left.
Step 5
The root terminal window opens.
Step 6
At the command prompt of the root terminal, type the following command and press Enter:
nmap -sS -O 192.168.0.1 192.168.0.4
The given command fingerprints the operating system running on PLABSA01 and PLABWIN10. The command uses the following switches:
- -sS = Performs TCP SYN Scan
- -O = Enables OS Detection
Notice that the output first shows the scan report for 192.168.0.1(PLABSA01). The scan report determines that the operating system running on PLABSA01 is Microsoft Windows 2012| 7| 8.1.
Step 7
Scroll down the root terminal window to see the scan report for 192.168.0.4 (PLABWIN10).
The report shows that the operating system running on PLABWIN10 is Microsoft Windows 10 build 10074 - 10586.
Task 2 - Identifying Operating Systems Running on Remote Host using P0F tool
If you want to fingerprint remote operating system while remaining stealthy as possible, passive reconnaissance is the only solution. During passive reconnaissance, no packets are sent to the target machine.
Hence, there is no risk of being identified by target’s security measures such as firewall and Intrusion Detection System (IDS). However, the reliability of passive reconnaissance methods is less when compared to active reconnaissance methods.
The TCP/IP stack is implemented in all operating systems, however, the way in which they are implemented are slightly different from each other. Hence, the packets sent out by different operating systems have slightly different attributes. The logic behind passive reconnaissance is to capture a packet by sniffing and analyse the same for the difference in attributes.
The analysis details are then compared against a database to identify the operating system that sent the packet.
In this task, you will passively fingerprint the operating system running on PLABSA01 device by using P0F tool on PLABKALI01.
Step 1
For the purpose of this demonstration, enable the HTTP web service (port 80) on PLABSA01.
Connect to PLABSA01.
Close Server Manager.
From the taskbar, click the XAMPP application icon.
Step 2
XAMPP Control Panel will appear.
This should enable apache web service with Damn Vulnerable Web Application (DVWA) running on port 80.
Step 3
Switch back to PLABKALI01 and ensure the device is still powered on.
To passively fingerprint the operating system running on PLABSA01, from the desktop of the PLABKALI device, click Root Terminal icon located on the taskbar on the left (if applicable).
The root terminal window opens.
Step 4
Type the following command at the command prompt of the root terminal of Kali Linux and press Enter:
p0f -p -i eth0
The given command specifies the following switches:
- -p = Put the listening interface in promiscuous mode
- -i = Listen on the specified interface (this demo listens on the eth0 interface)
From the output observe that P0F passively listens for packets on PLABKALI01.
Step 5
Unlike active finger printing, packets need to be sent from PLABSA01 system for the P0F tool to capture and analyse them. You can send the packets through FTP, TELNET, NETCAT, or by accessing the respective IP address through a browser.
For this demonstration, you will access the web service on PLABSA01 that you enabled in Step 1 through the browser on Kali device.
Minimize the root terminal window.
Click the Firefox ESR icon located on the taskbar on the left.
Mozilla Firefox opens.
In the address bar of Mozilla Firefox, type and press Enter:
192.168.0.1
The web service at PLABSA01 is accessed.
Step 6
Minimize Firefox ESR and maximize Kali Linux root terminal.
Notice that the P0F tool has captured several packets to and from the PLABSA01 device. Notice the SYN-ACK packet that was sent from PLABSA01 to PLABKALI01 while you were accessing the HTTP web service.
In addition, observe that the operating system identified in the first packet (SYN) is Linux 3.11 and newer. This is the operating system running on PLABKALI01 system. The operating system identified in the third packet (SYN_ACK) is Windows 7 or 8, which is the operating system the P0F tool identified on PLABSA01.
Shutdown all virtual machines used in this lab, by using the power functions located in the Tools bar before proceeding to the next module. Alternatively, you can log out of the lab platform.
Comments
Post a Comment