Presentation is loading. Please wait.

Presentation is loading. Please wait.

Next Generation Active Operating System Fingerprinting Founder O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0.

Published byPercival Mitchell Modified over 9 years ago

Similar presentations

Presentation on theme: "Next Generation Active Operating System Fingerprinting Founder O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0."— Presentation transcript:

1 Next Generation Active Operating System Fingerprinting Founder O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P The Present & Future of Xprobe2 Ofir Arkin ofir@sys-security.com

2 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 2 In memory of true explorers – The STS-107 crew

3 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 3 Agenda  Introduction –Ofir Arkin –The Xprobe2 project  Parameters effecting the accuracy of active operating system fingerprinting  Xprobe2 v0.2 RC1 advanced functionality  Demo – Xprobe2 v0.2 RC1  The future of active operating system fingerprinting  Questions

4 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 4 Material Available for Download http://www.sys-security.com  Xprobe2 0.2 RC 1 Source Code  This presentation  A white paper titled “The Present and Future of Xprobe2 – The Next Generation of Active Operating System Fingerprinting”

5 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 5 Ofir Arkin  CISO of an International Telephone Carrier  Founder, The Sys-Security Group  Computer Security Researcher –Etherleak: Ethernet frame padding information leakage (with Josh Anderson) –IP Telephony Security (Security risk factors with IP Telephony based networks, numerous advisories and white papers) –ICMP Usage In Scanning (Security related issues with the ICMP protocol) –Information Warfare (trace-back)  Member, the Honeynet project

6 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 6 Xprobe/Xprobe2 Project  Open Source Project  Developers –Ofir Arkin –Fyodor Yarochkin –Meder Kydyraliev  Xprobe2 is a remote active operating system fingerprinting tool  Xprobe2 presents an alternative to other remote active operating system fingerprinting tools  Voted one of the top 75 security tools (at the top 50)

7 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 7 Xprobe/Xprobe2 Project - Usage Examples  Get the right context for: –IDS Systems –Vulnerability Assessment Tools  Build a network inventory  and many other usage scenarios

8 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 8 Xprobe/Xprobe2 Project  The project reflects our beliefs and ideas  We hope it contributes to the security community at large  Contributions are always welcomed  We dedicate our spare time to work on the project  Did we say Open Source?

9 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 9 Xprobe/Xprobe2 Project History  Initial alpha release (Xprobe v0.0.1) at the Blackhat briefings USA 2001, June 2001 –Relying on ICMP-based active OS fingerprinting methods found by Ofir Arkin (specified in the “ICMP Usage In Scanning” research paper) –Static decision tree –Was not signature-based –It was only a mission statement - Alpha – limited in functionality

10 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 10 Xprobe/Xprobe2 Project History  Xprobe2 0.1 beta was released last year at Defcon X: –Based on a signature database –First open source fingerprinting tool to use fuzzy logic matching algorithm between probe results to a signature database (strict signature matching suffers from a number of accuracy issues) –Xprobe2 0.1 beta was using only ICMP-based fingerprinting tests

11 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 11 Xprobe/Xprobe2 Project History  Xprobe2 0.1 release (April 2003) –Sends RFC compliant packets –A lot of bug fixes –Support for IP ID = SENT fingerprinting method –Major signature DB update –Documentation on how to add your own signatures

12 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 12 Xprobe/Xprobe2 Project History  Xprobe2 v0.2 RC1 released July 31 st 2003  A white paper titled “The Present and Future of Xprobe2 – The Next Generation of Active Operating System Fingerprinting” is also to be released today

13 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 13 Issues with Active OS fingerprinting

14 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 14 The Issue with Hardware-based Devices  When fingerprinting operating systems we fingerprint the way an operating system (the software) reacts to different fingerprinting probes a tool uses  With a hardware based device we fingerprint the way a device’s firmware reacts to the different fingerprinting probes  Hardware based devices of the same manufacture will usually run the same, or a slightly different, firmware (or software) version  It will be either one version for all, or a particular version for a particular functionality

15 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 15 The Issue with Hardware-based Devices  Example: A Cisco 7200 router will be fingerprinted exactly the same as Cisco’s Aironet 1100/1200 wireless access points  It is not possible to distinguish between different hardware based products, and their functionality, manufactured by Cisco and using IOS, when using traditional active operating system fingerprinting methods  It is possible to identify these devices as manufactured by Cisco and using IOS  It is also possible to divide these devices into groups according to fingerprints differences with the IOS versions they are using, but not to discover their functionality

16 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 16 The Issue with Hardware-based Devices  Another example is the Foundry Network’s Net/Fast/Big Iron family  If the designers of a fingerprinting tool failed to understand these issues, the results received, which are based on a corrupted database, will be unreliable

17 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 17 The Way Probe Results Are Being Matched  A Strict Signature Matching based Tool –Would search for a 100% match between the received results and the tool’s signature database –If a 100% match is not found, than no match is found and the run fails –Extremely sensitive to environmental affects on the probed target, and on the network which the probed target resides on

18 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 18 The Way Probe Results Are Being Matched  Fuzzy Logic –Xprobe2  First to implement a statistical analysis based mathematical algorithm to provide with a best effort match between probe results, received from a targeted system, to a signature database  Uses one of the simplest forms of Optical Character Recognition (OCR), by utilizing a matrix based fingerprints matching based on statistical calculation of scores for each test performed –Using a fuzzy logic approach, provides better resistance against environmental affects which might take their toll on a target system and on probe packets

19 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 19 The Way Probe Results Are Being Matched  Fuzzy Logic (continue) –The quality of the results produced with an active operating system fingerprinting tool using a fuzzy logic approach would be higher –This is if the tool will not suffer from design flaws, and will use a large base of fingerprinting tests –The fuzzy logic implementation with Xprobe2 still misses the ability to assign different weights to different fingerprinting tests –This ability is required since some fingerprinting tests should have bigger impact over the overall fingerprinting results

20 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 20 The Use of a Fixed Number of Fingerprinting Tests  A fixed number of fingerprinting tests is used  A fixed number of parameters are examined  In theory: Possible matches = tests X parameters examines X parameters permutations  Although the overall number of possible matches is currently much higher than the number of the current available network elements, certain test classes cannot deliver the expected results and provide with a clear distinction between different network elements

21 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 21 The Use of a Fixed Number of Fingerprinting Tests  A better tool for active OS fingerprinting would be required to utilize fingerprinting tests, which would examine many parameter values with the probe’s reply  These parameter values would need to be different among many network elements  Therefore a number of this kind of tests is required to be used in order to achieve a broader distinction between different network elements  It suggests that the usage of more parameter rich fingerprinting tests with an active operating fingerprinting tool will provide better overall results

22 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 22 The Use of a Certain Fingerprinting Niche

23 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 23 The Use of a Certain Fingerprinting Niche

24 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 24 The Use of a Certain Fingerprinting Niche  This fixation brings into light the inability of such tools to deal with situations were the fingerprinting tests they use do not yield an adequate result about a certain operating system or even a class of operating systems

25 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 25 No Changes Are Made To the TCP/IP Stacks Of New Versions Of Operating Systems  The behavior of the TCP/IP stack of newly released operating systems hardly changes compared to an older version of the same operating system, or  Changes made to a newly released operating system’s TCP/IP stack might affect a certain protocol behavior only  The result? Inability of some active operating system fingerprinting tools which rely on a certain fingerprinting niche to distinguish between different versions of the same operating system or even between a class of the same operating system family

26 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 26 No Changes Are Made To the TCP/IP Stacks Of New Versions Of Operating Systems [root@angelfire NG]# xprobe2 -v x.x.x.x XProbe2 v.0.1 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys- security.com, meder@areopag.net [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x][1] ICMP echo (ping) [x][2] TTL distance [x][3] ICMP echo [x][4] ICMP Timestamp [x][5] ICMP Address [x][6] ICMP Info Request [x][7] ICMP port unreach [+] 7 modules registered [+] Initializing scan engine [+] Running scan engine [+] Host: x.x.x.x is up (Guess probability: 100%) [+] Target: x.x.x.x is alive [+] Primary guess: [+] Host x.x.x.x Running OS: "Sun Solaris 5 (SunOS 2.5)" (Guess probability: 100%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Sun Solaris 6 (SunOS 2.6)" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "Sun Solaris 7 (SunOS 2.7)" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "Sun Solaris 8 (SunOS 2.8)" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "Sun Solaris 9 (SunOS 2.9)" (Guess probability: 100%)

27 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 27 No Changes Are Made To the TCP/IP Stacks Of New Versions Of Operating Systems [root@angelfire NG]# /usr/local/bin/nmap -sT -O x.x.x.x Starting nmap 3.28 ( www.insecure.org/nmap/ ) at 2003-06-18 19:14 IDT Interesting ports on x.x.x.x: (The 1628 ports scanned but not shown below are in state: closed) Port State Service 21/tcp filtered ftp 22/tcp filtered ssh 25/tcp open smtp 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 443/tcp open https 465/tcp open smtps 1029/tcp open ms-lsa 1433/tcp open ms-sql-s 2301/tcp open compaqdiag 5555/tcp open freeciv 5800/tcp open vnc-http 5900/tcp open vnc 6000/tcp filtered X11 Remote operating system guess: Windows NT 3.51 SP5, NT4 or 95/98/98SE Nmap run completed -- 1 IP address (1 host up) scanned in 3.334 seconds

28 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 28 The Inability to Determine the Exact Software Service Pack  Traditional active operating system fingerprinting tools are usually unable to identify the installation of software service packs on a targeted machine  For example, traditional active operating system fingerprinting tools will identify a targeted machine runs Microsoft Windows 2000, but will not be able to determine which service pack version is installed (if any at all)

29 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 29 Some Fingerprinting Tests May Have Bigger Impact on the Overall Results  Some fingerprinting tests may have bigger impact over the overall accuracy of the test results compared to other fingerprinting tests used  If these tests fail, for some reason, the quality of the produced results will be lowered significantly, especially with tools using strict signature matching  The affect of a failure of a mark key test on the results a tool using a fuzzy logic approach produces will be less significant, although it might take its toll as well

30 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 30 Some Fingerprinting Tests May Have Bigger Impact on the Overall Results spanion:~ # xprobe2 -v x.x.x.x XProbe2 v.0.1 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys- security.com, meder@areopag.netfygrave@tigerteam.netofir@sys- security.com [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x][1] ICMP echo (ping) [x][2] TTL distance [x][3] ICMP echo [x][4] ICMP Timestamp [x][5] ICMP Address [x][6] ICMP Info Request [x][7] ICMP port unreach [+] 7 modules registered [+] Initializing scan engine [+] Running scan engine [+] Host: x.x.x.x is up (Guess probability: 100%) [+] Target: x.x.x.x is alive [+] Primary guess: [+] Host x.x.x.x Running OS: "Microsoft Windows XP Professional / XP Professional SP1" (Guess probability: 100%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Microsoft Windows 2000/2000SP1/2000SP2/2000SP3" (Guess probability: 100%)

31 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 31 Some Fingerprinting Tests May Have Bigger Impact on the Overall Results spanion:~ # xprobe2 -v -D 1 -D 2 -D 3 x.x.x.x XProbe2 v.0.1 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x][1] ICMP Timestamp [x][2] ICMP Address [x][3] ICMP Info Request [x][4] ICMP port unreach [+] 4 modules registered [+] Initializing scan engine [+] Running scan engine [+] All alive tests disabled [+] Target: x.x.x.x is alive [+] Primary guess: [+] Host x.x.x.x Running OS: "Microsoft Windows XP Professional / XP Professional SP1" (Guess probability: 100%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Microsoft Windows 2000/2000SP1/2000SP2/2000SP3" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "Microsoft Windows ME" (Guess probability: 100%) Not using the ICMP echo fingerprinting module

32 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 32 Different Networking Devices May Alter A Packet’s Field Value

33 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 33 A Firewalled Target Systems

34 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 34 A Firewalled Target Systems  Probed systems might be firewalled  If a remote active operating system fingerprinting tool relies on sending and/or receiving of particular packet types and those packets are dropped by a firewall protecting the target system(s) chances are that the quality of the results would be degraded to the point false results or no results at all will be produced

35 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 35 The Use of Malformed Packets  If malformed packets are used, a filtering device may drop the packets, if the filtering device analyzes packets for non-legitimate content  Therefore the quality of the results produced by utilizing a fingerprinting tests relying on malformed packets will be degraded and in some cases even fail  Malformed packets may have another affect, they might cause some TCP/IP stacks to crash

36 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 36 A TCP/IP Stack’s Behavior Might Be Altered  Some characteristics of a TCP/IP stack’s behavior can be altered by a machine’s system administrator: –Tunable parameters of the TCP/IP stack might be changed e.g. the sysctl command on the various *BSDs, the ndd command on Sun Solaris, etc. –Numerous patches exist for some open source operating system’s kernels that alter the way the particular operating system’s TCP/IP stack responses to certain packets  If a remote active operating system fingerprinting tool is using some of the TCP/IP based parameters that can be altered as part of its fingerprinting test, the quality of the results would be effected and questionable when these parameter values will be altered

37 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 37 The Quality of the Signature Database  The quality of the results produced by an active operating system fingerprinting tool is not only a factor of programming and topology  It is much effected from the way the signature database of the tool was and is built  If signatures submitted to the database were and are obtained in a wrongfully manner than the signature database should be regarded as corrupt  The results produced by the tool will not be accurate

38 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 38 The Quality of the Signature Database  One can find false information quite easily in signature databases of some tools  For example: nmap has a TCP “EOL” in the middle of a TCP Options list of some fingerprints

39 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 39 The Inability to Identify the Underlying Architecture Platform  Usually, active operating system fingerprinting tools will identify the operating system of a network node, but not its underlying platform  The knowledge about the underlying platform is extremely important for tools performing vulnerability assessment, network inventory, etc., which rely on the results of the active operating system fingerprinting tool (i.e. nessus)

40 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 40 The Inability to Scale  An active operating system fingerprinting tool should have the ability to scan large networks  Must not use many packets to do so  For any router and switch there is an upper limit to the number of packets per second it can process  Beyond that limit, some packets will be dropped, but more important, the router/switch might suffer from a denial of service condition  Therefore it is very important to balance the scan rate with the network and network elements abilities

41 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 41 Inability to Control the Fingerprinting Modules to Be Executed  When scanning different machines on different topologies some tests would be proved useless. Controlling which tests to use would result with better accuracy and less chance of being detected  One needs to control the fingerprinting tests a certain tool has to offer according to her/his needs  Furthermore, we would like an active OS fingerprinting tool to be able to detect certain scanning conditions and to react, by switching scanning tactics

42 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 42 Inability to Control the Fingerprinting Modules to Be Used

43 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 43 Xprobe2 v0.2 RC1 Advanced Functionality

44 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 44 Xprobe2 v0.2 RC1 Advanced Functionality  New Discovery Modules  The ability to totally control the tools’ modules operation  The use of best of breed TCP/IP stack fingerprinting techniques (more fingerprinting modules)  A port scanner  A mechanism for automatic calculation of the receive timeout(s) of modules  A new signature DB built from scratch

45 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 45 New Discovery Modules  Designed to perform host detection, firewall detection, and to provide information for the automatic receive timeout mechanism  Two new discovery modules are introduced, the “TCP ping” and “UDP ping” discovery modules  They are not executed by default  One must specify, using the “-p” command line option, an open or a closed TCP port for the TCP ping discovery module to be executed, and a closed UDP port for the UDP ping discovery module to be executed

46 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 46 New Discovery Modules  The aim of the discovery modules is to elicit a response from a targeted host, either a SYN|ACK or a RST as a response for the TCP ping discovery module and an ICMP port unreachable as a response for the UDP ping discovery module  The round trip time calculated for a successful run of a discovery module is used with the automatic receives timeout mechanism

47 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 47 The Ability to Totally Control the Modules Operation with Xprobe2 – Module Execution  With the “-D” command line option one can specify which Xprobe2 modules not to use  With the “-M” command line option one can specify which Xprobe2 modules to use

48 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 48 The Ability to Totally Control the Modules Operation with Xprobe2 – Module Execution Order

49 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 49 The Ability to Totally Control the Modules Operation with Xprobe2 – Module Execution, Example “- D” [root@fremont src]#./xprobe2 -v -c../etc/xprobe2.conf –D infogather:ttl_calc -D 9 –p TCP:139:open x.x.x.x Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.netfygrave@tigerteam.netofir@sys-security.com [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:portscan - TCP and UDP PortScanner [x] [5] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [6] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [7] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [8] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [9] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 9 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:udp_ping module: no closed/open UDP ports known on x.x.x.x. Module test failed [+] Host: x.x.x.x is up (Guess probability: 66%) [+] Target: x.x.x.x is alive. Round-Trip Time: 0.09818 sec [+] Selected safe Round-Trip Time value is: 0.19636 sec [+] Primary guess: [+] Host x.x.x.x Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 100%)

50 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 50 The Ability to Totally Control the Modules Operation with Xprobe2 – Module Execution, Example “- M” [root@fremont src]#./xprobe2 -v -c../etc/xprobe2.conf –M ping:icmp_ping –M fingerprint:icmp_echo –M fingerprint:icmp_port_unreach -p TCP:23:open x.x.x.x Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net,ofir@sys-security.com, meder@areopag.net [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [3] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [+] 3 modules registered [+] Initializing scan engine [+] Running scan engine [+] Host: x.x.x.x is up (Guess probability: 100%) [+] Target: x.x.x.x is alive. Round-Trip Time: 0.05988 sec [+] Selected safe Round-Trip Time value is: 0.11975 sec [+] Primary guess: [+] Host x.x.x.x Running OS: "Cisco IOS 11.2" (Guess probability: 100%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Cisco IOS 11.1" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "NetBSD 1.5.3" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "NetBSD 1.5.2" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "NetBSD 1.5.1" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "NetBSD 1.5" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "OpenBSD 2.5" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "NetBSD 1.4.3" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "NetBSD 1.4.2" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "Cisco IOS 11.3" (Guess probability: 93%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

51 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 51 The Ability to Totally Control the Modules Operation with Xprobe2  Except for the “TCP ping”, “UDP ping”, and the port scanner module, all Xprobe2’s modules will be executed by default  Combined with Xprobe2’s other command line options (such as “-s” and “-t”), the complete control over the tool’s operations and usage is given to the end user  This complete control over Xprobe2’s way of operation allows one to execute different modules according to the topology it is facing  The “-L” command line option can be used to list available modules

52 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 52 The Ability to Totally Control Modules and Features of Xprobe2 [root@fremont src]#./xprobe2 -L Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net,ofir@sys-security.com, meder@areopag.net Following modules are available (by keyword) ping:icmp_ping ping:tcp_ping ping:udp_ping infogather:ttl_calc infogather:portscan fingerprint:icmp_echo fingerprint:icmp_tstamp fingerprint:icmp_amask fingerprint:icmp_info fingerprint:icmp_port_unreach fingerprint:tcp_hshake usage:./xprobe2 [options] target Options: -v Be verbose -r Show route to target(traceroute) -p Specify portnumber, protocol and state. Example: tcp:23:open, UDP:53:CLOSED -c Specify config file to use. -h Print this help. -o Use logfile to log everything. -t Set initial receive timeout or roundtrip time. -s Set packsending delay (milseconds). -d Specify debugging level. -D Disable module number. -M Enable module number. -L Display modules. -m Specify number of matches to print. -P Enable portscanning module -T Specify TCP port(s) to scan. Example: -T21-23,53,110 -U Specify UDP port(s) to scan. -f force fixed round-trip time (-t opt).

53 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 53 The Use of Best of Breed TCP/IP Stack Fingerprinting Techniques  Searched for a TCP-based fingerprinting module with maximum impact over the overall fingerprinting results  A test which will use as much parameters as possible and provide with a real added value  We have decided on adding a TCP module based on the TCP 3-way handshake

54 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 54 The Use of Best of Breed TCP/IP Stack Fingerprinting Techniques  The parameters with the SYN request sent resembles the parameters used with a Linux telnet request  Unlike other tools, which use a similar module, Xprobe2 examines parameters found in the IP and TCP layers

55 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 55 The Use of Best of Breed TCP/IP Stack Fingerprinting Techniques Currently not implemented Will be used to identify Microsoft based operating systems

56 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 56 The Use of Best of Breed TCP/IP Stack Fingerprinting Techniques – Example (without) [root@fremont src]#./xprobe2 -v -c../etc/xprobe2.conf -p TCP:25:open -D 11 x.x.x.x Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [+] 10 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:udp_ping module: no closed/open UDP ports known on x.x.x.x. Module test failed [+] Host: x.x.x.x is up (Guess probability: 75%) [+] Target: x.x.x.x is alive. Round-Trip Time: 0.00156 sec [+] Selected safe Round-Trip Time value is: 0.00312 sec [+] Primary guess: [+] Host x.x.x.x Running OS: "Sun Solaris 6 (SunOS 2.6)" (Guess probability: 100%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Sun Solaris 7 (SunOS 2.7)" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "Sun Solaris 8 (SunOS 2.8)" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "Sun Solaris 9 (SunOS 2.9)" (Guess probability: 100%) [+] Host x.x.x.x Running OS: "HP UX 11.0" (Guess probability: 95%)...

57 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 57 The Use of Best of Breed TCP/IP Stack Fingerprinting Techniques – Example (with) [root@fremont src]#./xprobe2 -v -c../etc/xprobe2.conf -p TCP:25:open x.x.x.x Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 11 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:udp_ping module: no closed/open UDP ports known on x.x.x.x. Module test failed [+] Host: x.x.x.x is up (Guess probability: 75%) [+] Target: x.x.x.x is alive. Round-Trip Time: 0.09717 sec [+] Selected safe Round-Trip Time value is: 0.19434 sec [+] Primary guess: [+] Host x.x.x.x Running OS: "Sun Solaris 8 (SunOS 2.8)" (Guess probability: 100%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Sun Solaris 7 (SunOS 2.7)" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "Sun Solaris 9 (SunOS 2.9)" (Guess probability: 93%) [+] Host x.x.x.x Running OS: "Sun Solaris 6 (SunOS 2.6)" (Guess probability: 90%)...

58 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 58 The Use of Best of Breed TCP/IP Stack Fingerprinting Techniques  Combined with Xprobe2’s other fingerprinting modules, the TCP handshake module greatly enhance Xprobe2’s abilities, overall accuracy, and the ability to provide results when executed against different topologies

59 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 59 Port Scanner  The success of executing some of Xprobe2’s fingerprinting modules depends on successfully probing an open TCP port and a closed UDP port  Therefore we have implemented a port scanner module as an independent module to Xprobe2 0.2 RC1  By default Xprobe2 does not tie the port scanner module with its fingerprinting modules and therefore it maintains the minimal usage of packets to discover a targeted system’s underlying operating system

60 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 60 Port Scanner, Usage [root@fremont src]#./xprobe2 -v -c../etc/xprobe2.conf -s 0.1 -P –T 20-40,80 x.x.x.x Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 11 modules registered

61 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 61 [+] Initializing scan engine [+] Running scan engine [-] ping:tcp_ping module: no closed/open TCP ports known on x.x.x.x. Module test failed [-] ping:udp_ping module: no closed/open UDP ports known on x.x.x.x. Module test failed [+] No distance calculation. x.x.x.x appears to be dead or no ports known [+] Host: x.x.x.x is up (Guess probability: 25%) [+] Target: x.x.x.x is alive. Round-Trip Time: 0.00149 sec [+] Selected safe Round-Trip Time value is: 0.00298 sec [+] Portscan results for x.x.x.x: [+] Stats: [+] TCP: 4 - open, 18 - closed, 0 - filtered [+] UDP: 0 - open, 0 - closed, 0 - filtered [+] Portscan took 2.50 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 21 open ftp [+] TCP 22 open ssh [+] TCP 23 open telnet [+] TCP 37 open time [+] Other ports are in closed state. [+] Primary guess: [+] Host x.x.x.x Running OS: "HP UX 11.0" (Guess probability: 100%) [+] Other guesses: [+] Host x.x.x.x Running OS: "HP UX 11.0i" (Guess probability: 96%) [+] Host x.x.x.x Running OS: "Sun Solaris 8 (SunOS 2.8)" (Guess probability: 90%) [+] Host x.x.x.x Running OS: "Sun Solaris 9 (SunOS 2.9)" (Guess probability: 90%) [+] Host x.x.x.x Running OS: "Sun Solaris 6 (SunOS 2.6)" (Guess probability: 87%) [+] Host x.x.x.x Running OS: "Sun Solaris 7 (SunOS 2.7)" (Guess probability: 87%) [+] Host x.x.x.x Running OS: "OpenBSD 2.5" (Guess probability: 78%) [+] Host x.x.x.x Running OS: "OpenBSD 2.9" (Guess probability: 78%) [+] Host x.x.x.x Running OS: "NetBSD 1.4" (Guess probability: 78%) [+] Host x.x.x.x Running OS: "NetBSD 1.4.1" (Guess probability: 78%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

62 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 62 Port Scanner, Usage  When the port scanner module is used, knowledge about opened TCP ports, and closed UDP ports will be used as parameters for other modules  For example, the port used for the TCP handshake module will be one that was already discovered as opened by the port scanner  Currently with Xprobe2 v0.2RC1 the modules which receive input from the port scanner module are the ICMP port unreachable module and the TCP handshake module

63 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 63 Port Scanner, -P and -p

64 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 64 Port Scanner, Controlling the Sending Stream  A command line option, “-s”, was added to control the sending stream of packets  The command line controls the time interval between each SYN packet sent and/or UDP datagram sent  The value given is represented in milliseconds  If the “-s” command line option is not used, Xprobe2 RC1 will use a default time interval of 10 milliseconds between SYN packets sent and/or UDP datagram sent (i.e. 100 packets per second)

65 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 65 Port Scanner, Controlling the Sending Stream  Controlling the stream of packets the port scanner will generate is an important feature, allowing one to adjust the paste of the scan, not allowing denial of service conditions to be introduced (against networking gear the packets go through, or even against the targeted machine), and adjusting the port scanner’s paste to accommodate network and host related issues (the network is congested, old networking gear, etc.)

66 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 66 Port Scanner, Controlling the Sending Stream  In some situations one must use the “-s” option to specify a longer delay between packets sent, since a target operating system (i.e. FreeBSD, Cisco routers) might have an automatic feature to rate-limit the number of replies it sends per a certain amount of time

67 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 67 Port Scanner, Controlling the Sending Stream spanion:~/tmp/xprobe2-0.2rc1/src #./xprobe2 -v -c../etc/xprobe2.conf -P -U 516-520 -T 20-30 192.168.0.150 Xprobe2 v.0.2rc1 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net [+] Target is 192.168.0.150 [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 11 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.0.150. Module test failed [-] ping:udp_ping module: no closed/open UDP ports known on 192.168.0.150. Module test failed [+] No distance calculation. 192.168.0.150 appears to be dead or no ports known [+] Host: 192.168.0.150 is up (Guess probability: 25%) [+] Target: 192.168.0.150 is alive. Round-Trip Time: 0.00064 sec [+] Selected safe Round-Trip Time value is: 0.00128 sec

68 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 68 Port Scanner, Controlling the Sending Stream [+] Portscan results for 192.168.0.150: [+] Stats: [+] TCP: 3 - open, 7 - closed, 1 - filtered [+] UDP: 2 - open, 3 - closed, 0 - filtered [+] Portscan took 0.34 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 21 open ftp [+] TCP 23 open telnet [+] TCP 25 open smtp [+] TCP 30 filtered N/A [+] UDP 517 open talk [+] UDP 518 open ntalk [+] Other ports are in closed state. [+] Primary guess: [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.22" (Guess probability: 100%) [+] Other guesses: [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.23" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.24" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.25" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.8" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.7" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.6" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.5" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.4" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.3" (Guess probability: 100%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

69 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 69 Port Scanner, Controlling the Sending Stream spanion:~/tmp/xprobe2-0.2rc1/src #./xprobe2 -v -c../etc/xprobe2.conf -s 0.04 -P -U 516-520 -T 20- 30 192.168.0.150 Xprobe2 v.0.2rc1 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net [+] Target is 192.168.0.150 [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 11 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.0.150. Module test failed [-] ping:udp_ping module: no closed/open UDP ports known on 192.168.0.150. Module test failed [+] No distance calculation. 192.168.0.150 appears to be dead or no ports known [+] Host: 192.168.0.150 is up (Guess probability: 25%) [+] Target: 192.168.0.150 is alive. Round-Trip Time: 0.00080 sec [+] Selected safe Round-Trip Time value is: 0.00159 sec Effecting the receive timeout of the Port Scanner module

70 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 70 Port Scanner, Controlling the Sending Stream [+] Portscan results for 192.168.0.150: [+] Stats: [+] TCP: 3 - open, 8 - closed, 0 - filtered [+] UDP: 2 - open, 3 - closed, 0 - filtered [+] Portscan took 0.81 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 21 open ftp [+] TCP 23 open telnet [+] TCP 25 open smtp [+] UDP 517 open talk [+] UDP 518 open ntalk [+] Other ports are in closed state. [+] Primary guess: [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.22" (Guess probability: 100%) [+] Other guesses: [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.23" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.24" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.25" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.8" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.7" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.6" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.5" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.4" (Guess probability: 100%) [+] Host 192.168.0.150 Running OS: "Linux Kernel 2.2.3" (Guess probability: 100%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

71 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 71 A Mechanism for Automatic Calculation of the Receive Timeout  An automatic receive timeout calculation mechanism was implemented with Xprobe2 v0.2 RC1  The mechanism allows Xprobe2 to be time efficient taking into account the terrain it works in and against  Xprobe2 is fast: 0.5 – 2.0 seconds on a Local LAN for OS fingerprinting 1 IP address  Xprobe2 RC1 uses three receive timeouts: –For the discovery modules (ICMP ping, TCP ping, UDP ping) –For the port scanner –For the fingerprinting modules

72 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 72 A Mechanism for Automatic Calculation of the Receive Timeout  Xprobe2 uses the three different discovery modules in order to calculate the receiving timeout for its fingerprinting modules  The timeout used is the longest round-trip time of a discovery modules used (ICMP echo, TCP ping, UDP ping) times two (RTT*2) measured in milliseconds  The TCP ping and UDP ping discovery modules will not be executed by default  In order to allow a proper receive timeout for the ICMP echo discovery module itself, one can use the “-t” command line option and specify the receiving timeout in milliseconds

73 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 73 A Mechanism for Automatic Calculation of the Receive Timeout – The Port Scanner Module

74 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 74 Maintaining a Quality Signature Database  Xprobe2’s signature database is tightly controlled  New signatures will be added to the database if, and only if, we can verify them against a test system we control or have legitimate access to  We see the signature database issue as a mandatory issue for the success of the tool  It is very easy to corrupt a signature database where it would lead to false and inaccurate results

75 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 75 Maintaining a Quality Signature Database  Xprobe2’s signature database was re-built from scratch currently containing over 160 signatures –All of the Microsoft based Operating Systems starting with Microsoft Windows 95. Uniquely identifying: –Microsoft Windows 2003 Standard Edition –Microsoft Windows 2003 Enterprise Edition –Microsoft Windows 2000 Server SP4 –Microsoft Windows 2000 Server SP3 –The entire Linux Kernel branches of 2.4.x, 2.2.x

76 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 76 Maintaining a Quality Signature Database –FreeBSD 2.2.7, 2.2.8, 3.1, 3.2, 3.3, 3.4, 3.5.1, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.6.2, 4.7, 4.8, 5.0, 5.1 –OpenBSD 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3 –NetBSD 1.6.1, 1.6, 1.5.3, 1.5.2, 1.5.1, 1.5, 1.4.3, 1.4.2, 1.4.1, 1.4, 1.3.3, 1.3.2, 1.3.1, 1.3 –Cisco IOS 12.2, 12.0, 11.3, 11.2, 11.1 –And many more…

77 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 77 Xprobe2 v0.2 RC1 Demo

78 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 78 Vive La Republic

79 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 79

80 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 80 spanion:~/tmp/xprobe2-demo2/src #./xprobe2 -v -c../etc/xprobe2.conf -P -T 20-40,80 -p tcp:80:open www.radio-france.fr Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com, meder@areopag.net [+] Target is www.radio-france.fr [+] Loading modules. [+] Following modules are loaded:... [+] 11 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:udp_ping module: no closed/open UDP ports known on 195.154.101.11. Module test failed [+] Host: 195.154.101.11 is up (Guess probability: 75%) [+] Target: 195.154.101.11 is alive. Round-Trip Time: 0.10166 sec [+] Selected safe Round-Trip Time value is: 0.20333 sec [+] Portscan results for 195.154.101.11: [+] Stats: [+] TCP: 3 - open, 19 - closed, 0 - filtered [+] UDP: 0 - open, 0 - closed, 0 - filtered [+] Portscan took 0.52 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 25 open smtp [+] TCP 37 open time [+] TCP 80 open http [+] Other ports are in closed state. [+] Primary guess: [+] Host 195.154.101.11 Running OS: "Linux Kernel 2.4.16" (Guess probability: 78%) [+] Other guesses: [+] Host 195.154.101.11 Running OS: "Linux Kernel 2.4.15" (Guess probability: 78%) [+] Host 195.154.101.11 Running OS: "Linux Kernel 2.4.14" (Guess probability: 78%) [+] Host 195.154.101.11 Running OS: "Linux Kernel 2.4.13" (Guess probability: 78%) [+] Host 195.154.101.11 Running OS: "Linux Kernel 2.4.12" (Guess probability: 78%) [+] Host 195.154.101.11 Running OS: "Linux Kernel 2.4.11" (Guess probability: 78%)... [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed. 2.4.16-2.4.5 will be fingerprinted the same

81 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 81

82 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 82 spanion:~/tmp/xprobe2-demo2/src #./xprobe2 -v -c../etc/xprobe2.conf -D fingerprint:icmp_echo -D fingerprint:icmp_tstamp -D fingerprint:icmp_amask -D fingerprint:icmp_info -P -T 21,22,23,25,37,53,80,111 -p tcp:80:open www.paris4.sorbonne.fr Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys- security.com, meder@areopag.net [+] Target is www.paris4.sorbonne.fr [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [7] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 7 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:udp_ping module: no closed/open UDP ports known on 195.220.117.6. Module test failed [+] Host: 195.220.117.6 is up (Guess probability: 75%) [+] Target: 195.220.117.6 is alive. Round-Trip Time: 0.08710 sec [+] Selected safe Round-Trip Time value is: 0.17420 sec

83 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 83 [+] Portscan results for 195.220.117.6: [+] Stats: [+] TCP: 3 - open, 4 - closed, 1 - filtered [+] UDP: 0 - open, 0 - closed, 0 - filtered [+] Portscan took 0.56 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 21 open ftp [+] TCP 25 open smtp [+] TCP 80 open http [+] TCP 111 filtered sunrpc [+] Other ports are in closed state. [+] Primary guess: [+] Host 195.220.117.6 Running OS: "Sun Solaris 9 (SunOS 2.9)" (Guess probability: 88%) [+] Other guesses: [+] Host 195.220.117.6 Running OS: "HP UX 11.0" (Guess probability: 83%) [+] Host 195.220.117.6 Running OS: "HP UX 11.0i" (Guess probability: 83%) [+] Host 195.220.117.6 Running OS: "Sun Solaris 8 (SunOS 2.8)" (Guess probability: 83%) [+] Host 195.220.117.6 Running OS: "Sun Solaris 6 (SunOS 2.6)" (Guess probability: 77%) [+] Host 195.220.117.6 Running OS: "Sun Solaris 7 (SunOS 2.7)" (Guess probability: 77%) [+] Host 195.220.117.6 Running OS: "FreeBSD 4.1.1" (Guess probability: 72%) [+] Host 195.220.117.6 Running OS: "FreeBSD 4.2" (Guess probability: 72%) [+] Host 195.220.117.6 Running OS: "FreeBSD 4.3" (Guess probability: 72%) [+] Host 195.220.117.6 Running OS: "FreeBSD 4.4" (Guess probability: 72%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

84 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 84

85 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 85 Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys- security.com, meder@areopag.net [+] Target is www.france-biotech.org [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [7] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [8] fingerprint:icmp_info - ICMP Information request fingerprinting module [x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 10 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:udp_ping module: no closed/open UDP ports known on 193.243.229.58. Module test failed [+] Host: 193.243.229.58 is up (Guess probability: 75%) [+] Target: 193.243.229.58 is alive. Round-Trip Time: 0.10693 sec [+] Selected safe Round-Trip Time value is: 0.21386 sec

86 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 86 [+] Portscan results for 193.243.229.58: [+] Stats: [+] TCP: 2 - open, 2 - closed, 18 - filtered [+] UDP: 0 - open, 0 - closed, 0 - filtered [+] Portscan took 0.91 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 20 closed ftp-data [+] TCP 21 open ftp [+] TCP 22 closed ssh [+] TCP 80 open http [+] Other ports are in filtered state. [+] Primary guess: [+] Host 193.243.229.58 Running OS: "Microsoft Windows XP SP1a" (Guess probability: 88%) [+] Other guesses: [+] Host 193.243.229.58 Running OS: "Microsoft Windows XP SP1" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows XP" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows 2000 Server Service Pack 2" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows 2000 Workstation SP4" (Guess probability: 88%) [+] Host 193.243.229.58 Running OS: "Microsoft Windows 2000 Workstation SP3" (Guess probability: 88%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

87 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 87

88 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 88 spanion:~/tmp/xprobe2-demo2/src # telnet www.environnement.gouv.fr 80 Trying 212.23.165.173... Connected to www.environnement.gouv.fr. Escape character is '^]'. hello HTTP/1.1 400 Bad Request Server: Microsoft-IIS/5.0 Date: Wed, 23 Jul 2003 19:28:44 GMT Content-Type: text/html Content-Length: 87 Error The parameter is incorrect. Connection closed by foreign host. spanion:~/tmp/xprobe2-demo2/src #

89 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 89 The Ability to Totally Control the Modules Operation with Xprobe2 – Module Execution, Example “- D” [root@fremont src]#./xprobe2 -v -c../etc/xprobe2.conf –D infogather:ttl_calc -D 9 –p TCP:80:open www.environnement.gouv.fr Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys- security.com, meder@areopag.netfygrave@tigerteam.netofir@sys- security.com [+] Target is x.x.x.x [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:portscan - TCP and UDP PortScanner [x] [5] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [6] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [7] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [8] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [9] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 9 modules registered [+] Initializing scan engine [+] Running scan engine... [+] Host 212.23.165.173 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 78%)

90 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 90

91 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 91 spanion:~/tmp/xprobe2-demo2/src #./xprobe2 -v -c../etc/xprobe2.conf -P -T 21,22,23,25,37,53,80 www.premier-ministre.gouv.fr Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys- security.com, meder@areopag.net [+] Target is www.premier-ministre.gouv.fr [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module [x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module [x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module [x] [9] fingerprint:icmp_info - ICMP Information request fingerprinting module [x] [10] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [11] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 11 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:tcp_ping module: no closed/open TCP ports known on x.x.x.x. Module test failed [-] ping:udp_ping module: no closed/open UDP ports known on x.x.x.x. Module test failed [+] No distance calculation. x.x.x.x appears to be dead or no ports known [+] Host: x.x.x.x is up (Guess probability: 25%) [+] Target: x.x.x.x is alive. Round-Trip Time: 0.16804 sec [+] Selected safe Round-Trip Time value is: 0.33608 sec

92 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 92 [+] Portscan results for x.x.x.x: [+] Stats: [+] TCP: 2 - open, 5 - closed, 0 - filtered [+] UDP: 0 - open, 0 - closed, 0 - filtered [+] Portscan took 0.29 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 22 open ssh [+] TCP 80 open http [+] Other ports are in closed state. [+] Primary guess: [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.12" (Guess probability: 71%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.11" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.10" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.9" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.8" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.7" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.6" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.5" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.4" (Guess probability: 71%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.3" (Guess probability: 71%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

93 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 93 spanion:~/tmp/xprobe2-demo2/src #./xprobe2 -v -c../etc/xprobe2.conf -D 6 -D 7 -D 8 -D 9 -P -T 21,22,23,25,37,53,80 www.premier-ministre.gouv.fr Xprobe2 v.0.2 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys- security.com, meder@areopag.net [+] Target is www.premier-ministre.gouv.fr [+] Loading modules. [+] Following modules are loaded: [x] [1] ping:icmp_ping - ICMP echo discovery module [x] [2] ping:tcp_ping - TCP-based ping discovery module [x] [3] ping:udp_ping - UDP-based ping discovery module [x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation [x] [5] infogather:portscan - TCP and UDP PortScanner [x] [6] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module [x] [7] fingerprint:tcp_hshake - TCP Handshake fingerprinting module [+] 7 modules registered [+] Initializing scan engine [+] Running scan engine [-] ping:tcp_ping module: no closed/open TCP ports known on x.x.x.x. Module test failed [-] ping:udp_ping module: no closed/open UDP ports known on x.x.x.x. Module test failed [+] No distance calculation. x.x.x.x appears to be dead or no ports known [+] Host: x.x.x.x is up (Guess probability: 25%) [+] Target: x.x.x.x is alive. Round-Trip Time: 0.17040 sec [+] Selected safe Round-Trip Time value is: 0.34081 sec [+] Portscan results for x.x.x.x : [+] Stats: [+] TCP: 2 - open, 5 - closed, 0 - filtered [+] UDP: 0 - open, 0 - closed, 0 - filtered

94 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 94 [+] Portscan took 0.29 seconds. [+] Details: [+] Proto Port Num. State Serv. Name [+] TCP 22 open ssh [+] TCP 80 open http [+] Other ports are in closed state. [+] Primary guess: [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.18" (Guess probability: 83%) [+] Other guesses: [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.19" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.20" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.21" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.22" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.23" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.24" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.25" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.4" (Guess probability: 83%) [+] Host x.x.x.x Running OS: "Linux Kernel 2.2.3" (Guess probability: 83%) [+] Cleaning up scan engine [+] Modules deinitialized [+] Execution completed.

95 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 95 The Future of Active Operating System Fingerprinting

96 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 96 The Future of Active Operating System Fingerprinting  The terrain we scan from and against is a major factor in producing accurate results  One cannot compare the scanning conditions of a local network versus a well fortified Internet web site  With the latter the number of TCP/IP based stack fingerprinting tests that can be successfully used is limited, usually to the opened service(s) on the Internet connected system (i.e. TCP port 80)

97 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 97 The Future of Active Operating System Fingerprinting  We have already noted that an active operating system fingerprinting tool usually must use several different operating system fingerprinting tests in order to provide with accurate results  With only a limited success of its fingerprinting tests, the quality of the results produced by an active operating system fingerprinting tool will be significantly degraded  A way to compensate for operating system fingerprinting tests which we would not be able to use in situations that will prove them useless must be found

98 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 98 The Future of Active Operating System Fingerprinting  Another issue, which needs to be resolved, is the inability to differentiate between different operating systems of the same manufacture  A part of the remedy is to use application layer based fingerprinting tests tailored towards the services found opened on the targeted system(s) and/or a service commonly found with the operating system family in question  The criteria for adopting one such test, is that it should be hard or impossible to trick the test, and that it will produce accurate results when executed against well fortified Internet connected systems

99 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 99 The Future of Active Operating System Fingerprinting  Traditional TCP/IP stack based operating system fingerprinting tests must be tailored for maximum impact over the overall fingerprinting results when used in situation in which the targeted system has a limited exposure  The TCP/IP stack based operating system fingerprinting tests to be used must not be easily defeated by commonly found defense systems (i.e. a SYN | FIN scan will be useless when a site is being defended by a stateful inspection-based firewall)  The other part of the remedy is much harder to be implemented:

100 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 100

101 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 101 Credits  Sebastian Krahmer – libusi++  Scut – Fuzzy logic comments and suggestions  I. Levin – Fuzzy implementation comments  Elie a.k.a. Lupin Bursztein – Patches, bug fixes  Those behind the usage of hashing for port scanning (done in 1998 by an Israeli Hacker’s group)

102 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 102 Further Reading  Arkin Ofir, “ICMP Usage in Scanning” research project http://www.sys-security.com  Arkin Ofir, “ICMP Usage in Scanning” version 3.0, June 2001 http://www.sys-security.com/html/projects/icmp.html  Arkin Ofir & Fyodor Yarochkin, “X – Remote ICMP based OS fingerprinting Techniques”, August 2001 (This paper describes the first generation of Xprobe). http://www.sys-security.com/archive/papers/X_v1.0.pdf

103 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 103 Further Reading  Arkin Ofir & Fyodor Yarochkin, “ICMP based remote OS TCP/IP stack fingerprinting techniques”, Phrack Magazine, Volume 11, Issue 57, File 7 of 12, Published August 11, 2001. http://www.sys-security.com/archive/phrack/p57-0x07  Arkin Ofir & Fyodor Yarochkin, “Xprobe2 - A ‘Fuzzy’ Approach to Remote Active Operating System Fingerprinting”, http://www.sys- security.com/archive/papers/Xprobe2.pdf, August 2002.http://www.sys- security.com/archive/papers/Xprobe2.pdf  Arkin Ofir, Fyodor Yarochkin, Meder Kydyraliev, “The Present & Future of Xprobe2 – Next Generation Active Operating System Fingerprinting ”, July 2003.

104 O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0 0 3 T H E S Y S – S E C U R I T Y G R O U P 104 Questions?

Download ppt "Next Generation Active Operating System Fingerprinting Founder O F I R A R K I N, F O U N D E R, T H E S Y S – S E C U R I T Y G R O U P© 2 0 0 0 – 2 0."

Similar presentations

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen

1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Inter-VLAN Routing Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Inter-VLAN Routing Routing And Switching.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Inter-VLAN Routing Routing & Switching.
System Security Scanning and Discovery Chapter 14.

System Security Scanning and Discovery Chapter 14.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 13: Troubleshoot TCP/IP.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 13: Troubleshoot TCP/IP.
Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.

Internet Control Message Protocol (ICMP). Introduction The Internet Protocol (IP) is used for host-to-host datagram service in a system of interconnected.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 7 TCP/IP Suite Error and Control Messages CCNA2: Module 8, 9.

WXES2106 Network Technology Semester /2005 Chapter 7 TCP/IP Suite Error and Control Messages CCNA2: Module 8, 9.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.

Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.

TCP/IP Tools Lesson 5. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Using basic TCP/IP commands Understanding TCP/IP3.6.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Similar presentations

Ads by Google