
How does Nmap identify the host fingerprint

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article describes how Nmap identifies a host's fingerprint. The content is quite detailed; interested readers can use it for reference, and I hope it will be helpful.

0x01

Nmap maintains a database, nmap-os-db, that stores thousands of operating system fingerprints. Simply put, Nmap identifies the operating system of the target host through the fingerprint of its TCP/IP protocol stack. This works because some details of TCP/IP behaviour are not mandated by the RFCs, so different systems implement them in their own specific ways, and those differences give Nmap a way to identify the operating system. Specifically, Nmap selects one closed port and one open port and sends them carefully crafted TCP/UDP packets, and possibly ICMP packets as well. A system fingerprint is then generated from the replies received. The matching system is found by comparing the fingerprint generated by the probes with the fingerprints in the nmap-os-db database. In the worst case, when nothing matches, all possible candidates are listed with probabilities.

The so-called fingerprint is the set of data features extracted from specific reply packets.

0x02

The path of nmap-os-db in Kali is shown in the figure.

I copied it to Windows for easy access.

This is the version of the fingerprint library.

Take this entry as an example.

The first few lines are comment lines indicating the operating system and version that this fingerprint corresponds to.

The Fingerprint keyword defines a new fingerprint and is followed by the fingerprint name.

The Class line specifies the category the fingerprint belongs to: the system's vendor (manufacturer), OS family (system category), OS generation (operating system generation) and device type.

Next comes the CPE line, which is very important: it uses the CPE (Common Platform Enumeration) format to describe the system. Using the standard CPE format for the operating system type makes it easy to exchange information between Nmap and the outside world; for example, the details of the operating system described by a CPE can be looked up quickly in online open databases.

The CPE format, as used in the fingerprint description field, is as follows:

Cpe:/:

The next 13 lines, from SEQ to IE, are the actual fingerprint data lines. When comparing fingerprints, the values in these 13 lines are compared; if they match, the target machine is the system type described by that fingerprint.

SEQ describes the sequence-number generation characteristics; OPS describes the values of the TCP options; WIN describes the initial TCP window size; ECN (Explicit Congestion Notification) describes TCP behaviour when congestion notification is explicitly requested; T1-T7 describe the fields of the TCP reply packets; U1 describes the reply generated by sending a packet to a closed UDP port; IE describes the replies generated by sending ICMP packets to the target.
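To make the record layout and the "compare the 13 data lines" step concrete, here is an added example (not Nmap's code) that parses a fingerprint record in nmap-os-db syntax and checks observed values against it. The entry and all values in SAMPLE_DB are constructed; the matcher handles literals, `a|b` alternatives and hex `lo-hi` ranges, which is a simplification of Nmap's real matching.

```python
import re

# Constructed entry in nmap-os-db syntax (sample values, not a real fingerprint).
SAMPLE_DB = """\
# Example Linux 5.x (constructed sample)
Fingerprint Example Linux 5.x
Class Linux | Linux | 5.X | general purpose
CPE cpe:/o:linux:linux_kernel:5
SEQ(SP=FF-109%GCD=1-6%ISR=10C-116%TI=Z%II=I%TS=1|7|8)
OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
"""

def parse_test_line(line: str) -> tuple[str, dict[str, str]]:
    """'NAME(k=v%k=v)' -> ('NAME', {'k': 'v', ...}); an empty value such as Q= is kept."""
    name, _, body = line.partition("(")
    return name, dict(kv.partition("=")[::2] for kv in body.rstrip(")").split("%") if kv)

def parse_fingerprints(text: str) -> list[dict]:
    """Group Fingerprint / Class / CPE / test lines into one record per fingerprint."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comment lines name the OS, they carry no data
        if line.startswith("Fingerprint "):
            cur = {"name": line[12:], "class": [], "cpe": [], "tests": {}}
            records.append(cur)
        elif cur is None:
            continue                      # data before the first Fingerprint line
        elif line.startswith("Class "):
            cur["class"].append([p.strip() for p in line[6:].split("|")])
        elif line.startswith("CPE "):
            cur["cpe"].append(line[4:])
        else:
            name, fields = parse_test_line(line)
            cur["tests"][name] = fields
    return records

def value_matches(expected: str, observed: str) -> bool:
    """Db values may be literals, 'a|b' alternatives or hex ranges 'lo-hi' (>/< forms not handled)."""
    for alt in expected.split("|"):
        if alt == observed:
            return True
        m = re.fullmatch(r"([0-9A-F]+)-([0-9A-F]+)", alt)
        if m and re.fullmatch(r"[0-9A-F]+", observed):
            if int(m.group(1), 16) <= int(observed, 16) <= int(m.group(2), 16):
                return True
    return False

def mismatches(record: dict, observed: dict[str, dict[str, str]]) -> list[str]:
    """Observed 'TEST.FIELD' names that disagree with the record; fields the record lacks are skipped."""
    return [f"{t}.{k}" for t, fs in observed.items() for k, v in fs.items()
            if k in record["tests"].get(t, {}) and not value_matches(record["tests"][t][k], v)]
```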

0x03

During OS detection, five different tests are performed, each consisting of one or more packets; the target system's response to each packet helps determine the type of operating system.

The five different tests are:

1. Sequence generation

2. ICMP echo

3. TCP explicit congestion notification

4. TCP

5. UDP

Let us look at them one by one.

Sequence generation:

The sequence generation test consists of six TCP SYN packets sent 100 ms apart. The result of each TCP SYN packet helps Nmap determine the type of operating system.

ICMP echo:

Two ICMP request packets with different settings are sent to the target system, and the resulting response will help to verify the operating system type.

TCP explicit congestion notification:

When many packets pass through a router its load increases; this is called congestion. The result is that the system slows down to reduce congestion so the router does not drop packets. This probe is sent only to get a response from the target system; because different operating systems handle the packet differently, the specific values returned can be used to determine the operating system.

TCP: six packets are sent in this test. Packets with specific settings are sent to open or closed ports. The results also vary from operating system to operating system.

All TCP packets are sent with the following different flags:

No flags

SYN, FIN, URG and PSH

ACK

SYN

ACK

FIN, PSH and URG

UDP: this test consists of a single packet sent to a closed port. If the port on the target system is closed and an ICMP port unreachable message is returned, there is no firewall in the way.

0x04

Take kali as an example, if all ports are closed, the

If port 80 is opened, Nmap can detect that this is a Linux system.

0x05

Next, let us look at the packet capture.

Host 144 is the scanned machine; host 138 is the machine running nmap.

As I mentioned earlier, the only port opened on Kali is 80, so in Wireshark you can see that this series of packets is destined for port 80.

Sequence generation (SEQ, OPS, WIN, and T1)

A series of six TCP probes is sent to generate four result lines; each probe is a TCP SYN packet sent to an open port detected on the remote machine.

The sequence numbers and acknowledgement numbers of these packets are random, and the TCP options and TCP window field values differ from probe to probe.

Specifically, it is as follows:

Packet #1: window scale (10), NOP, MSS (1460), timestamp (TSval: 0xFFFFFF; TSecr: 0), SACK permitted. The window field is 1.

As shown in frame 2006.

Packet #2: MSS (1400), window scale (0), SACK permitted, timestamp (TSval: 0xFFFFFF; TSecr: 0), EOL. The window field is 63.

As shown in frame 2009.

Packet #3: timestamp (TSval: 0xFFFFFFF; TSecr: 0), NOP, NOP, window scale (5), NOP, MSS. The window field is 4.

As shown in frame 2012.

Packet #4: SACK permitted, timestamp (TSval: 0xFFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 4.

As shown in frame 2015.

Packet #5: MSS, SACK permitted, timestamp (TSval: 0xFFFFFFF; TSecr: 0), window scale (10), EOL. The window field is 16.

As shown in frame 2018.

Packet #6: MSS, SACK permitted, timestamp (TSval: 0xFFFFFFF; TSecr: 0). The window field is 512.

As shown in frame 2021.

In the figure above, frames 2006-2007 are a SYN and its corresponding returned SYN/ACK. There are six such pairs in total, from 2006-2007 to 2021-2022.

The results of these tests are reported in four result lines.

The first, SEQ, contains the results of sequence analysis based on the probe packets. These test results are GCD, SP, ISR, TI, II, TS and SS.

The SEQ test sends six TCP SYN packets to an open port of the target machine and collects the SYN/ACK packets. Each SYN/ACK packet contains a 32-bit initial sequence number (ISN). Calculating GCD, SP and ISR is tedious: GCD is calculated from the ISNs, and ISR and SP are calculated from the GCD.

The screenshot below shows the ISN in each of the six TCP SYN exchanges.

TI checks the IP header ID field of the responses. At least three responses must be received before the test is included. If the values of the ID field are all 0, TI is Z. In the capture, the IP ID of each of the six response packets (2007 through 2022) is 0.

So the value of TI is Z.

TS checks the TSval (the first four bytes of the option) of the TCP timestamp option in the responses to the SEQ probes.

If the timestamp option value is not 0, it still has to be calculated, which is tedious. According to the calculation, the TS value is 1, 7 or 8.

From the packet, taking 2007 as an example, you can tell that the TS value is 1, 7 or 8.

The next line, OPS, contains the TCP options received for each probe (the tests are named O1 to O6).

In order, 2007 is O1, 2010 is O2, and so on.

Take 2007 as an example.

Its corresponding string is M5B4ST11NW7:

M stands for Maximum segment size, 1460; in hexadecimal that is 5B4.

S stands for SACK permitted.

T stands for Timestamp; the two digits after it record whether TSval and TSecr are non-zero, so 11 means both are non-zero.

N stands for NOP.

W stands for Window scale, with a value of 7.

O2-O6 follow the same pattern.

The WIN line contains the window size of each response (named W1 through W6).

Take 2013 as an example: the window size is 28960.

The last line associated with these probes, T1, contains various test values for packet #1. These results are applied to the R, DF, T, TG, W, S, A, F, O, RD and Q tests. They are only reported for the first probe because they are almost always the same for every probe.

R indicates whether the target responded; if there is a response, it is Y.

DF indicates whether the Don't Fragment bit, which forbids routers from fragmenting the packet, is set. If it is set, the value is Y. You can see from the figure below that it is set.

T represents the initial TTL. As you can see in the following figure, T should be 39.

TG is the guessed initial TTL value. If the actual TTL value is found, the field will not be printed.

S checks the 32-bit sequence number field in the TCP header and compares it with the TCP acknowledgement number in the probe that triggered the response, then records the appropriate value. In the following figure, you can see that the sequence number is 0, so the value of S is Z.

The A test compares the acknowledgement number in the response with the sequence number in the corresponding probe.

In the following figure, the acknowledgement number of 2017 is 1 and the sequence number of 2016 is 0, so the acknowledgement number of 2017 equals the sequence number of 2016 plus 1.

So the value of A is S+.

F records the TCP flags in the response.

The following figure takes 2017 as an example: ACK and SYN are set in the flags, so the value of F is AS.

RD is the result of a checksum over the data of the reset packet. If there is no data, no checksum, or the checksum is invalid, it is 0.

As can be seen in the following figure, there is no such data, and the RD value is 0.

Q mainly checks two things. One is whether the reserved field of the TCP header is non-zero; if so, "R" is recorded in Q.

The other is whether there is a non-zero URG pointer field when the URG flag is not set.

As you can see in the picture above, neither is present, so Q is empty.
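The walk-through above derives O1, TI, S, A, F and Q by reading the SYN/ACK by hand. As an added example (not Nmap's code), the following encodes those same tests from a constructed observation: OBSERVED mirrors frame 2007 with Wireshark-style relative seq/ack and a made-up TSval. It goes beyond the page's TI=Z case by implementing the full documented ordering of IP ID classes (Z, RD, constant hex, RI, BI, I).

```python
# Constructed SYN/ACK observation for SEQ probe #1 (sample values, not a capture).
OBSERVED = {"options": [("MSS", 1460), ("SACK", None), ("TS", (0x1A2B3C4D, 1)), ("NOP", None), ("WS", 7)],
            "window": 28960, "seq": 0, "ack": 1, "flags": {"ACK", "SYN"},
            "df": True, "reserved": 0, "urg_ptr": 0}

def encode_options(options) -> str:
    """O-test string: M<mss hex>, S, T<tsval!=0><tsecr!=0>, N, W<scale hex>, L for EOL."""
    enc = {"MSS": lambda v: "M%X" % v, "SACK": lambda v: "S",
           "TS": lambda v: "T%d%d" % (v[0] != 0, v[1] != 0), "NOP": lambda v: "N",
           "WS": lambda v: "W%X" % v, "EOL": lambda v: "L"}
    return "".join(enc[name](val) for name, val in options if name in enc)

def ti_test(ip_ids):
    """IP ID class from >=3 responses, in Nmap's documented order of checks (None = test omitted)."""
    if len(ip_ids) < 3:
        return None
    if all(i == 0 for i in ip_ids):
        return "Z"
    diffs = [(b - a) % 65536 for a, b in zip(ip_ids, ip_ids[1:])]
    if any(d >= 20000 for d in diffs):
        return "RD"                      # random
    if len(set(ip_ids)) == 1:
        return "%X" % ip_ids[0]          # constant value, reported in hex
    if any(d >= 1000 and d % 256 for d in diffs):
        return "RI"                      # random positive increments
    if all(d % 256 == 0 and d <= 5120 for d in diffs):
        return "BI"                      # broken increment (byte-swapped counter)
    return "I" if all(d < 10 for d in diffs) else None

def s_test(resp_seq, probe_ack):
    """S: Z if zero, A if equal to the probe's ack, A+ if ack+1, else O."""
    return "Z" if resp_seq == 0 else "A" if resp_seq == probe_ack else "A+" if resp_seq == probe_ack + 1 else "O"

def a_test(resp_ack, probe_seq):
    """A: Z if zero, S if equal to the probe's seq, S+ if seq+1, else O."""
    return "Z" if resp_ack == 0 else "S" if resp_ack == probe_seq else "S+" if resp_ack == probe_seq + 1 else "O"

def f_test(flags) -> str:
    """F: flags present, in Nmap's fixed order E U A P R S F."""
    return "".join(c for n, c in zip(("ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"), "EUAPRSF") if n in flags)

def q_test(reserved, flags, urg_ptr) -> str:
    """Q: R if the TCP reserved bits are non-zero, U if the URG pointer is set without the URG flag."""
    return ("R" if reserved else "") + ("U" if urg_ptr and "URG" not in flags else "")

def response_tests(obs, probe_seq=0, probe_ack=0) -> dict:
    """T1-style fields (plus the O1 string) derived from one SYN/ACK, as done by hand above."""
    return {"R": "Y", "DF": "Y" if obs["df"] else "N",
            "S": s_test(obs["seq"], probe_ack), "A": a_test(obs["ack"], probe_seq),
            "F": f_test(obs["flags"]), "O": encode_options(obs["options"]),
            "Q": q_test(obs["reserved"], obs["flags"], obs["urg_ptr"])}
```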

Emm, I'm tired. That is the packet capture analysis; the remaining lines follow the same pattern.

Let's come to a conclusion:

In the open source world, Nmap is the most powerful tool for actively fingerprinting remote hosts.

That is all on how Nmap identifies the host fingerprint. I hope the above content is of some help to you and that you can learn more from it. If you think the article is good, you can share it for more people to see.
