
Today an increasing number of systems keep their banners turned off or make them display forged information. Even then, some applications leak the same information through other responses. Two good examples are the SYST command on FTP servers, which reports the server's operating system type, and the error pages of IIS, which carry a Server header even when the request is rejected. Here a malformed request line sent to the web server is answered with an error, yet the reply still names the server software and its version:

    [root@pooh] # telnet 192.168.1.17
    get HTTP/1.1

    HTTP/1.1 400 Bad Request
    Server: Microsoft-IIS/4.0
    Date: Thu, 28 Oct 1999 08:29:46 GMT
    Content-Type: text/html
    Content-Length: 87

    <html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>

4.2 DNS HINFO Record

The host information record is a pair of strings identifying the host's hardware type and its operating system22:

    www IN HINFO "Sparc Ultra 5" "Solaris 2.6"

This is an old technique that is rarely effective today, because administrators avoid publishing this record.

4.3 TCP/IP Stack Fingerprinting

Stack fingerprinting is a technique that uses distinct variations between TCP stack implementations to determine the type of a remote operating system. The idea is to send specially crafted TCP packets to the target IP address and observe the responses. A response will be unique to a single operating system or to a group of them. Responses vary because one vendor's IP stack implementation is not the same as another's: the RFCs leave room for interpretation, and vendors resolved the ambiguities differently when they wrote their TCP/IP stacks.

The tools most often used for stack fingerprinting are Queso23, written by Savage, and Nmap. Nmap has a larger database of operating system responses than any other tool. For maximum reliability, Nmap needs at least one open TCP port on the target host. The definitive source on the subject is Fyodor's article "Remote OS Detection via TCP/IP Stack Fingerprinting"24.

4.3.1 Types of Probes Used to Determine the Operating System Type

1. The FIN Probe

A FIN packet is sent to an open port without any preceding handshake. RFC 793 states that the correct behaviour is not to respond to such a packet. Many stack implementations nevertheless respond with a RESET. This group includes Windows, BSDI, Cisco, HP-UX, MVS and IRIX; a RESET in reply to the FIN probe therefore places the target in that group, while silence is consistent with an RFC-compliant stack.

22 Paul Albitz & Cricket Liu, DNS and BIND, third edition, O'Reilly, 1998.
23 Queso, http://apostols.org/projectz/queso
24 www.insecure.org/nmap/nmap-fingerprintng-article.html
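The application-level leaks described at the top of this page (an IIS error page that still carries a Server header, and the FTP SYST reply), as an added worked example that is not part of the original paper. It automates the telnet session above: it sends the same malformed request line, parses the Server header out of whatever comes back, and asks an FTP server for SYST. The loopback test doubles, the FTP greeting and the SYST reply text are constructed here for offline use; only the HTTP response bytes reproduce the transcript quoted above.

```python
import socket
import threading
from typing import Optional, Tuple

# Constructed sample responses for the offline test doubles below. The HTTP one
# reproduces the IIS 4.0 error page quoted in the telnet session above; the FTP
# greeting and SYST reply are assumed values in the shape real servers use.
IIS_ERROR_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Date: Thu, 28 Oct 1999 08:29:46 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 87\r\n"
    b"\r\n"
    b"<html><head><title>Error</title></head><body>"
    b"The parameter is incorrect. </body></html>"
)
FTP_GREETING = b"220 ftp.example.test FTP server ready.\r\n"
FTP_SYST_REPLY = b"215 UNIX Type: L8\r\n"


def parse_server_header(response: bytes) -> Optional[str]:
    """Return the value of the Server: header from a raw HTTP response, if any.
    Only the header block (before the first blank line) is inspected."""
    head, _, _ = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("ascii", "replace")
    return None


def grab_http_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Send the same malformed request line as the telnet session (lower-case
    method, no request URI) and read the Server header off the error page."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"get HTTP/1.1\r\n\r\n")
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                                   # keep whatever arrived
    return parse_server_header(b"".join(chunks))


def ftp_syst(host: str, port: int, timeout: float = 3.0) -> Tuple[str, str]:
    """Read the FTP greeting, send SYST and return (greeting, SYST reply).
    A 215 reply names the operating system type (RFC 959)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        greeting = f.readline().decode("ascii", "replace").rstrip("\r\n")
        s.sendall(b"SYST\r\n")
        reply = f.readline().decode("ascii", "replace").rstrip("\r\n")
    return greeting, reply


def start_fake_service(greeting: bytes, reply: bytes) -> int:
    """Loopback test double: accepts one connection, sends `greeting` (may be
    empty), waits for the client's line, sends `reply` and closes. Returns the
    bound port so the grabbers above can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if greeting:
                conn.sendall(greeting)
            conn.recv(1024)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    http_port = start_fake_service(b"", IIS_ERROR_RESPONSE)
    print("HTTP Server header:", grab_http_banner("127.0.0.1", http_port))
    ftp_port = start_fake_service(FTP_GREETING, FTP_SYST_REPLY)
    print("FTP SYST:", ftp_syst("127.0.0.1", ftp_port))
```

Against a real host, point grab_http_banner at the web server's port and ftp_syst at port 21. The point to take away is that the request does not have to be valid: the error path is generated by the same server code and is just as happy to identify itself.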
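The HINFO record of section 4.2, as an added example that is not part of the original paper. It encodes and decodes the record's RDATA as the wire format RFC 1035 specifies (two length-prefixed character-strings, CPU then OS) and audits a zone file for HINFO lines, which is the check an administrator would run to make sure none are published. The zone fragment is constructed here; only the HINFO line itself is the one quoted above.

```python
import shlex
from typing import List, Tuple

HINFO_TYPE = 13   # RR TYPE code for HINFO (RFC 1035, section 3.2.2)


def _encode_char_string(s: str) -> bytes:
    """RFC 1035 <character-string>: one length octet followed by the bytes."""
    data = s.encode("ascii")
    if len(data) > 255:
        raise ValueError("character-string longer than 255 octets")
    return bytes([len(data)]) + data


def encode_hinfo_rdata(cpu: str, os_name: str) -> bytes:
    """HINFO RDATA is exactly two <character-string>s: CPU, then OS."""
    return _encode_char_string(cpu) + _encode_char_string(os_name)


def decode_hinfo_rdata(rdata: bytes) -> Tuple[str, str]:
    """Inverse of encode_hinfo_rdata; rejects truncated or over-long RDATA
    rather than silently returning partial strings."""
    fields, pos = [], 0
    for _ in range(2):
        if pos >= len(rdata):
            raise ValueError("truncated HINFO RDATA")
        length = rdata[pos]
        chunk = rdata[pos + 1:pos + 1 + length]
        if len(chunk) != length:
            raise ValueError("truncated HINFO RDATA")
        fields.append(chunk.decode("ascii"))
        pos += 1 + length
    if pos != len(rdata):
        raise ValueError("trailing bytes in HINFO RDATA")
    return fields[0], fields[1]


def find_hinfo_records(zone_text: str) -> List[Tuple[str, str, str]]:
    """Audit a zone file in master format and return (owner, cpu, os) for every
    HINFO record. Handles comments, optional TTL/class fields and the
    blank-owner shorthand that inherits the previous owner name."""
    found, owner = [], None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip() or line.startswith("$"):
            continue                               # blank line or directive
        tokens = shlex.split(line)                 # honours the quoted strings
        if not line[0].isspace():
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                          # optional TTL and class
        if len(tokens) == 3 and tokens[0].upper() == "HINFO":
            found.append((owner, tokens[1], tokens[2]))
    return found


# Constructed zone fragment; the HINFO line is the one quoted in the text.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
www     IN  A      192.0.2.10
www     IN  HINFO  "Sparc Ultra 5" "Solaris 2.6"   ; hardware + OS, in public DNS
mail    IN  A      192.0.2.25
"""

if __name__ == "__main__":
    for owner, cpu, os_name in find_hinfo_records(SAMPLE_ZONE):
        print(f"{owner}: HINFO leaks cpu={cpu!r} os={os_name!r}")
```

From the attacker's side the equivalent query is a normal DNS lookup for type HINFO (for example with dig); the decoder above is what turns the answer's RDATA back into the two strings.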
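The FIN probe of section 4.3.1, as an added example that is not part of the original paper or of Nmap. It builds the probe segment by hand (a bare TCP header with the FIN flag and a correct checksum over the IPv4 pseudo-header), classifies the reply the way the text describes (RESET places the target in the Windows/BSDI/Cisco/HP-UX/MVS/IRIX group, silence is the RFC 793 behaviour), and shows how the probe would be put on the wire with a raw socket. The addresses and ports are assumed values; the raw-socket sender needs root or CAP_NET_RAW and is not exercised by the offline checks, which only verify the segment construction and the classifier.

```python
import socket
import struct
import time
from typing import Optional, Tuple

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def _ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071): 16-bit one's-complement sum, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum covers (RFC 793, section 3.1)."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                      flags: int, seq: int = 0, ack: int = 0, window: int = 1024) -> bytes:
    """Bare 20-byte TCP header (no options, no payload) with a valid checksum."""
    data_offset = 5 << 4                      # 5 x 32-bit words, reserved bits zero
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)
    csum = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def build_fin_probe(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """The FIN probe: a lone FIN (no SYN, no ACK) aimed at an open port."""
    return build_tcp_segment(src_ip, dst_ip, sport, dport, TCP_FIN, seq=0x12345678)


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A segment with a correct checksum sums to zero over the pseudo-header."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_ports(segment: bytes) -> Tuple[int, int]:
    return struct.unpack("!HH", segment[:4])


def tcp_flags(segment: bytes) -> int:
    return segment[13]


def classify_fin_response(reply: Optional[bytes]) -> str:
    """Interpret what came back (the TCP segment, or None on timeout)."""
    if reply is None:
        return "silent"          # the RFC 793 behaviour: the FIN is discarded
    if tcp_flags(reply) & TCP_RST:
        return "RST"             # Windows, BSDI, Cisco, HP-UX, MVS, IRIX group
    return "other"


def send_fin_probe(src_ip: str, dst_ip: str, sport: int, dport: int,
                   timeout: float = 2.0) -> Optional[bytes]:
    """Send the probe on a raw socket and wait for a segment on the same port
    pair. Needs root / CAP_NET_RAW; not exercised by the offline checks.
    The kernel prepends the IP header on send and includes it on receive."""
    raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    raw.settimeout(timeout)
    raw.sendto(build_fin_probe(src_ip, dst_ip, sport, dport), (dst_ip, 0))
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            pkt, (peer, _) = raw.recvfrom(65535)
        except socket.timeout:
            break
        ihl = (pkt[0] & 0x0F) * 4             # skip the IPv4 header
        tcp = pkt[ihl:]
        if peer == dst_ip and tcp_ports(tcp) == (dport, sport):
            return tcp
    return None


if __name__ == "__main__":
    probe = build_fin_probe("192.168.1.5", "192.168.1.17", 40000, 80)
    print(probe.hex(), tcp_flags(probe) == TCP_FIN)
```

The usual caveat applies when running this for real: the probe must hit a port that is actually open, otherwise a RESET tells you nothing about the stack, since closed ports reset any stray segment; and a packet filter in the path can swallow the probe or the reply, which would be misread as the silent, RFC-compliant case.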