Today, an increasing number of systems keep their banners turned off or make their banners
display forged information.
Some applications leak version information anyway. Good examples are the SYST command on FTP servers and the Server header in an IIS response:
[root@pooh] # telnet 192.168.1.17
get
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/4.0
Date: Thu, 28 Oct 1999 08:29:46 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>
4.2 DNS HINFO Record
The Host information record is a pair of strings identifying the host's hardware type and its operating system [22]:
www    IN    HINFO    "Sparc Ultra 5"    "Solaris 2.6"
This is an old technique that is rarely effective today because administrators avoid using this
record.
4.3 TCP/IP Stack Fingerprinting
Stack fingerprinting is a technique that uses distinct variations in TCP stack implementation to
determine the type of a remote operating system.
The idea is to send specific TCP packets to the target IP and observe the response. The response is unique to a certain group of operating systems or to an individual one. It varies because one vendor's IP stack implementation is not the same as another's: vendors interpreted specific RFC guidelines differently when they wrote their TCP/IP stacks.
The tools most often used for stack fingerprinting are Queso [23], written by Savage, and Nmap. Nmap has a larger database of operating system responses than any other tool. For maximum reliability, Nmap needs at least one open port on the target host.
The definitive source on the subject is Fyodor's article "Remote OS Detection via TCP/IP Stack Fingerprinting" [24].
4.3.1 Types of Probes Used to Determine the Operating System Type
1. The FIN Probe
A FIN packet is sent to an open port. RFC 793 states that the correct behavior is not to respond to the FIN packet. Many stack implementations respond with a RESET anyway. This group includes Windows, BSDI, CISCO, HP-UX, MVS, and IRIX.
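From the defender's side, the FIN probe described above is easy to spot: a legitimate FIN only ever follows a completed three-way handshake, so a FIN arriving on a connection that was never established is a probe, and a host that answers it with a RESET is the kind of stack this section says leaks its identity. The following is an added example, not code from the original text or from Nmap or Queso; it walks a constructed, simplified connection log (5-tuples of source, source port, destination, destination port, TCP flags) and reports bare-FIN probes together with whether the probed host responded with RST.

```python
"""Flag bare FIN probes (FIN without a prior handshake) in a connection log."""

# Constructed sample log: (src, sport, dst, dport, flags) in arrival order.
# Flags use tcpdump-style letters: S=SYN, A=ACK, F=FIN, R=RST.
SAMPLE_LOG = [
    ("10.0.0.5", 40000, "192.168.1.17", 80, "S"),    # normal handshake
    ("192.168.1.17", 80, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "192.168.1.17", 80, "A"),
    ("10.0.0.5", 40000, "192.168.1.17", 80, "FA"),   # legitimate close
    ("10.0.0.9", 51000, "192.168.1.17", 80, "F"),    # bare FIN: a probe
    ("192.168.1.17", 80, "10.0.0.9", 51000, "R"),    # stack answered with RST
    ("10.0.0.9", 51001, "192.168.1.17", 22, "F"),    # bare FIN, stays silent
]


def find_bare_fin_probes(log):
    """Return {(src, dst, dport): replied_with_rst} for every FIN that arrives
    on a 4-tuple whose three-way handshake was never completed."""
    syn_seen = set()      # 4-tuples that carried a SYN (either direction)
    established = set()   # 4-tuples (both directions) with a finished handshake
    probes = {}
    for src, sport, dst, dport, flags in log:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags == "S":
            syn_seen.add(fwd)
        elif flags == "SA" and rev in syn_seen:
            syn_seen.add(fwd)
        elif "A" in flags and fwd in syn_seen and rev in syn_seen:
            established.add(fwd)
            established.add(rev)
        # A FIN on a connection that was never set up is a fingerprinting probe.
        # (This log cannot tell whether dport was open; a closed port answers
        # RST regardless of OS, so correlate with known-open services.)
        if "F" in flags and fwd not in established:
            probes[(src, dst, dport)] = False
        # A RESET flowing back to a recorded probe means the stack reacted
        # (the non-RFC-793 behaviour the text attributes to Windows etc.).
        if "R" in flags and (dst, src, sport) in probes:
            probes[(dst, src, sport)] = True
    return probes


def rst_responders(probes):
    """Hosts whose stack replied with RST to a bare FIN, i.e. leaked a clue."""
    return {dst for (_, dst, _), replied in probes.items() if replied}


if __name__ == "__main__":
    found = find_bare_fin_probes(SAMPLE_LOG)
    for (src, dst, dport), replied in found.items():
        print(f"FIN probe {src} -> {dst}:{dport}  RST reply: {replied}")
    print("hosts answering bare FIN with RST:", rst_responders(found))
```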
[22] Paul Albitz & Cricket Liu, DNS & BIND, third edition, O'Reilly 1998.
[23] Queso, http://apostols.org/projectz/queso
[24] www.insecure.org/nmap/nmap-fingerprintng-article.html