

Remote operating system and Service Detection Technology

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Nmap Network Security Audit (4): Remote Operating System and Service Detection Technology

Remote operating system detection

Many tools offer remote operating system detection; with Nmap you can use it to find outdated or unauthorized systems on the network.

No tool can provide absolutely accurate remote operating system information. Almost all of them guess: they send probes to the target and infer the system from its responses. Most probes are TCP and UDP packets, and the details examined include the TCP initial sequence number (ISN), the TCP options, the IP identification (ID) field, TCP timestamps, and so on. Each system responds to these probes slightly differently; the tools extract the distinctive parts of the responses and record them in a database, and Nmap does the same.

Nmap's OS detection also reports the system's uptime and a classification of how predictable its TCP sequence numbers are. It is enabled with the -O option and runs on top of a port scan.

nmap -O 192.168.126.1

This command uses Nmap's default SYN scan for port discovery; the OS detection option can be combined with other scan techniques. With the --osscan-limit option, Nmap only attempts OS detection against hosts that have at least one open and one closed TCP port, which is the condition under which fingerprinting gives reliable results.

Operating system fingerprint identification

The methods of judging the target computer operating system remotely can be divided into two categories.

Active method: the client sends packets to the remote host, which generally responds to them; by analysing the responses, the sender can infer the operating system type of the remote host.

Passive method: no packets are sent to the target at all; instead, packets flowing through the network are collected with a packet capture tool, and the target's operating system information is derived from them.

Nmap does not use the passive method. Its active method sends an operating system fingerprinting package of up to 16 probes. A fingerprint here is the set of distinctive characteristics in a system's responses: each operating system behaves slightly differently, and by sending probes to the target and examining the response data we obtain its fingerprint. This is the process of operating system fingerprint analysis. The probes use TCP, UDP and ICMP, and are carefully designed to expose subtle differences between operating system implementations.
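The header features named above (ISN, TCP options, IP ID, timestamps, window size, TTL, DF bit) are what both active and passive tools read out of packets. The following Python is an added example, not code from the original post or from the Nmap project: it extracts those fields from one raw IPv4/TCP packet the way a passive tool would from captured traffic, renders the TCP options in the letter notation Nmap uses in its fingerprints, and computes the GCD of successive ISNs the way the SEQ test's GCD field does. The packet and the ISN values are constructed inline, not captured.

```python
"""
Extracting the header features that OS fingerprinting relies on (TTL, IP ID,
DF bit, TCP ISN, window size, TCP option order, timestamps) from a raw
IPv4+TCP packet, the way a passive tool works on captured traffic.
Added example, not code from the original post or the Nmap project; the
packet below is constructed inline, not captured.
"""
import math
import struct
from functools import reduce


def encode_tcp_options(raw: bytes) -> str:
    """Render TCP option bytes in the notation Nmap uses in its OPS test,
    e.g. M5B4NW8NNS = MSS 0x5B4, NOP, WScale 8, NOP, NOP, SACK-permitted."""
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # EOL
            out.append("L")
            break
        if kind == 1:                       # NOP
            out.append("N")
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = raw[i + 1]
        data = raw[i + 2:i + length]
        if kind == 2:                       # MSS, hex without leading zeros
            out.append("M%X" % struct.unpack("!H", data)[0])
        elif kind == 3:                     # window scale
            out.append("W%X" % data[0])
        elif kind == 4:                     # SACK permitted
            out.append("S")
        elif kind == 8:                     # timestamp: Nmap records only whether TSval/TSecr are nonzero
            tsval, tsecr = struct.unpack("!II", data)
            out.append("T%d%d" % (tsval != 0, tsecr != 0))
        # other option kinds have no letter in Nmap's notation and are skipped
        i += length
    return "".join(out)


def parse_packet(pkt: bytes) -> dict:
    """Pull the fingerprinting-relevant fields out of one IPv4/TCP packet."""
    ver_ihl, _tos, _tlen, ip_id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0xF) * 4:]
    sport, dport, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_offset = (off_flags >> 12) * 4
    return {
        "ttl": ttl,
        "ip_id": ip_id,
        "df": bool(flags_frag & 0x4000),
        "sport": sport,
        "dport": dport,
        "syn": bool(off_flags & 0x02),
        "isn": seq,
        "window": window,
        "options": encode_tcp_options(tcp[20:data_offset]),
    }


def isn_gcd(isns) -> int:
    """GCD of the differences between successive ISNs, as in the SEQ test's GCD
    field; each difference is the shorter distance around the 32-bit ring."""
    diffs = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % 2**32
        diffs.append(min(d, 2**32 - d))
    return reduce(math.gcd, diffs, 0)


# Constructed sample: a SYN from 192.168.126.1 to port 80, TTL 64, DF set,
# window 65535, options MSS 1460 / NOP / WScale 8 / NOP / NOP / SACK-permitted.
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 126, 1]), bytes([192, 168, 126, 10]))
TCP_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])
TCP_HDR = struct.pack("!HHIIHHHH", 34567, 80, 0x11223344, 0, (8 << 12) | 0x02, 0xFFFF, 0, 0)
SAMPLE_PKT = IP_HDR + TCP_HDR + TCP_OPTS

if __name__ == "__main__":
    print(parse_packet(SAMPLE_PKT))
    print("ISN GCD:", isn_gcd([0x11223344, 0x11223344 + 64000, 0x11223344 + 128000]))
```

A passive tool keeps a table mapping combinations of these fields (TTL, window, option order) to operating systems; an active tool such as Nmap elicits the same fields on demand with crafted probes and compares them against its database.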

The -O option can be combined with other Nmap options, for example with a fast scan (-F) of the 100 most common ports:

nmap -O -F 192.168.126.1

Each option we add makes the scan heavier for the target, and it also reveals more about the scanner, making it easier for an IPS/IDS to detect.

Operating system fingerprint scanning as a management tool

Nmap is also a sharp tool for network administrators, who can save a lot of time and effort with it. Let's look at the effect of the following command:

nmap -sV -F --fuzzy --osscan-guess 192.168.0.103

Here I scanned my own physical machine with its firewall on, and the result reported my virtual machine software as VMware 15.

I then ran the same command against the virtual machine, and that scan result was also fine.

Accurately detecting the remote operating system with Nmap is difficult, so here the --osscan-guess option (of which --fuzzy is an alias) is used: when there is no exact match, it makes Nmap report the operating systems closest to the target. With this command we can quickly find insecure systems in the target network and the insecure applications running on them. As maintainers, we can use this as early as possible to improve the security of those systems.

We have said repeatedly that Nmap cannot determine the target system with certainty and relies on guesses. When Nmap cannot match the target against its database, it prints the system's TCP/IP fingerprint and lists the candidate system types with their probabilities. Nmap asks that such fingerprints be submitted once the true system type has been verified, so that its operating system fingerprint database can be updated. Here we scan our own virtual machine rather than a website.

In this scan the result did not give an exact match for the target system, but it does include the TCP/IP fingerprint, which is the content printed after OS:.

This output is not the result of a single probe but of a set of tests: SCAN, SEQ, OPS, WIN, ECN, T1 to T7, U1 and IE. Within each test, the fields are separated by % and some fields may be empty (for example RD=0 in the T tests means the RST packet carried no data). A target only matches an entry in the fingerprint database when its results agree with that entry's definition of each test. A test to which the target never replied is reported as R=N, for example T1(R=N).

Let's analyze the results of the first SCAN.

SCAN (V=7.80%E=4%D=11/3%OT=80%CT=7%CU=40895%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM=5DBE8A64%P=i686-pc-windows-windows)

This line records the Nmap version that produced the fingerprint and some details about the scanning host and the target:

V=7.80 is the version of Nmap in use.

E=4 is the OS detection engine ID.

D=11/3 is the date of the scan (month/day).

OT=80 and CT=7 are the open and closed TCP ports used during fingerprinting.

CU=40895 is the closed UDP port used during fingerprinting.

PV=Y indicates whether the target IP address is a private address (Y=yes, N=no).

DS=1 is the network distance, in hops, from the host running Nmap to the target.

DC=D is how that distance was determined (D: direct, the target is on the local network).

G=Y indicates that the fingerprint is good enough to be submitted to insecure.org (the Nmap site).

M=000C29 is the OUI (the first three bytes) of the target's MAC address, available only because the target is on the local network; 000C29 belongs to VMware.

TM=5DBE8A64 is the time at which the scan ran, as a hexadecimal Unix timestamp (not the time the scan consumed).

P=i686-pc-windows-windows is the platform on which the scanning copy of Nmap was built.

The following test results (SEQ, OPS, WIN, T1) are obtained by sending a very clever set of probes to the open TCP port on the target.

SEQ (SP=FD%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=U)

SP=FD is the TCP ISN sequence predictability index (a higher value means less predictable).

GCD=1 is the greatest common divisor of the differences between successive ISNs.

ISR=10D is the ISN counter rate (in hex, on a logarithmic scale).

TI=I describes the IP ID sequence in the replies to the SEQ probes (I: incremental).

CI=I describes the IP ID sequence in the replies to the closed-port probes T5, T6 and T7.

II=I describes the IP ID sequence in the ICMP echo replies.

SS=S indicates that the TCP and ICMP replies share a single IP ID sequence.

TS=U describes the TCP timestamp option (U: the target did not send it).

OPS test results

OPS (O1=M5B4NW8NNS%O2=M5B4NW8NNS%O3=M5B4NW8%O4=M5B4NW8NNS%O5=M5B4NW8NNS%O6=M5B4NNS)

O1=M5B4NW8NNS lists the TCP options in the reply to the first SEQ probe, in the order received, with one letter per option: M is the maximum segment size (M5B4: 0x5B4 = 1460 bytes), N is a NOP, W is window scale (W8: scale 8), S is SACK permitted, T is the timestamp option followed by two bits saying whether TSval and TSecr are nonzero (T11: both nonzero), and L is end of options. So O1 decodes to MSS 1460, NOP, window scale 8, NOP, NOP, SACK permitted.

O2 to O6 have the same meaning for the replies to the other five SEQ probes. The replies differ because the probes differ: the third probe does not offer SACK, so O3 lacks the trailing NNS, and the sixth probe does not offer window scaling, so O6 lacks W8.

WIN test results

WIN (W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)

This test result gives the initial window size of the return values of six probes.

W1=2DA0%W2=2DA0%W3=2DA0%W4=2DA0%W5=2DA0%W6=2DA0 (0x2DA0 = 11680 bytes on every probe)

ECN test results

ECN(R=Y%DF=Y%T=40%W=FFFF%O=M5B4NW8NNS%CC=N%Q=)

R=Y indicates whether the target responded to the ECN probe.

DF=Y indicates whether the don't-fragment bit was set in the IP header of the reply.

T=40 is the TTL value in the IP header of the reply (hex, 0x40 = 64).

W=FFFF is the TCP initial window size in the reply.

O=M5B4NW8NNS lists the TCP options in the reply, in the same notation as the OPS test.

CC describes explicit congestion notification support: Y means only the ECE bit was set in the reply (the target supports ECN), N means neither ECE nor CWR was set (no ECN support), S means both were set, and O means only CWR was set. Here CC=N, so this target does not support ECN.

Q= records TCP quirks seen in the reply; an empty value means none.

T1 uses the reply to the first SEQ probe, so it needs no probe of its own. T2 is a TCP packet with no flags set, the IP DF bit set and a window size of 128, sent to an open port. T3 sets the SYN, FIN, URG and PSH flags, with a window size of 256, and is sent to an open port. T4 is an ACK with DF set and a window size of 1024, to an open port. T5 is a SYN with a window size of 31337, sent to a closed port. T6 is an ACK with DF set and a window size of 32768, sent to a closed port. T7 sets the FIN, PSH and URG flags with a window size of 65535, and is also sent to a closed port.

U1 is based on a UDP packet sent to a closed port, whose payload is 300 bytes of the character 'C'; the result comes from the ICMP port unreachable message the target returns.

IE is based on ICMP and consists of two ICMP echo request probes with differing IP and ICMP header fields; the test compares the two echo replies.
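To work with such a fingerprint programmatically, the following Python parses the OS: block into its tests and fields and decodes the values explained above (the OPS option strings, the WIN window sizes and the SCAN metadata). It is an added example, not code from the original post or from the Nmap project; SAMPLE is assembled from the fingerprint lines quoted above, with the ECN line as reconstructed there, and the T1 to T7, U1 and IE tests are not included.

```python
"""
Parser for the TCP/IP fingerprint Nmap prints (the OS: lines) when -O finds
no database match. It splits the text into tests (SCAN, SEQ, OPS, WIN, ECN,
T1-T7, U1, IE) and key=value fields, then decodes the values discussed
above: OPS option strings, WIN hex window sizes and the SCAN metadata.
Added example, not code from the original post or the Nmap project.
SAMPLE is assembled from the fingerprint lines quoted above, with the ECN
line as reconstructed there; T1-T7, U1 and IE are not included.
"""
import re
from datetime import datetime, timezone

SAMPLE = """\
OS:SCAN(V=7.80%E=4%D=11/3%OT=80%CT=7%CU=40895%PV=Y%DS=1%DC=D%G=Y%M=000C29%TM=5
OS:DBE8A64%P=i686-pc-windows-windows)SEQ(SP=FD%GCD=1%ISR=10D%TI=I%CI=I%II=I%SS=
OS:S%TS=U)OPS(O1=M5B4NW8NNS%O2=M5B4NW8NNS%O3=M5B4NW8%O4=M5B4NW8NNS%O5=M5B4NW8N
OS:NS%O6=M5B4NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%D
OS:F=Y%T=40%W=FFFF%O=M5B4NW8NNS%CC=N%Q=)
"""


def parse_fingerprint(text: str) -> dict:
    """Return {test_name: {field: value}}. Nmap wraps the fingerprint over
    several OS: lines, so the prefixes are stripped and the pieces joined."""
    joined = "".join(line.strip()[3:] if line.strip().startswith("OS:") else line.strip()
                     for line in text.splitlines())
    tests = {}
    for name, body in re.findall(r"([A-Z][A-Z0-9]*)\(([^)]*)\)", joined):
        fields = {}
        for item in body.split("%") if body else []:
            key, _, value = item.partition("=")   # value may be empty, e.g. Q=
            fields[key] = value
        tests[name] = fields
    return tests


def decode_ops(ops: str) -> list:
    """Expand an OPS/ECN option string such as M5B4NW8NNS into (name, value) pairs."""
    out, i = [], 0
    while i < len(ops):
        c = ops[i]
        i += 1
        if c == "N":
            out.append(("NOP", None))
        elif c == "S":
            out.append(("SACKOK", None))
        elif c == "L":
            out.append(("EOL", None))
        elif c in "MW":                       # hex value follows (MSS or window scale)
            j = i
            while j < len(ops) and ops[j] in "0123456789ABCDEF":
                j += 1
            out.append(("MSS" if c == "M" else "WScale", int(ops[i:j], 16)))
            i = j
        elif c == "T":                        # two bits: TSval nonzero, TSecr nonzero
            out.append(("Timestamp", (ops[i] == "1", ops[i + 1] == "1")))
            i += 2
        else:
            raise ValueError("unknown option letter %r" % c)
    return out


def window_sizes(fp: dict) -> list:
    """WIN test: the six initial window sizes, hex in the fingerprint, as integers."""
    return [int(fp["WIN"]["W%d" % n], 16) for n in range(1, 7)]


def scan_summary(fp: dict) -> dict:
    """Decode the SCAN line's metadata about the scan, the scanner and the target."""
    s = fp["SCAN"]
    return {
        "nmap_version": s["V"],
        "engine": int(s["E"]),
        "date": s["D"],
        "open_tcp": int(s["OT"]),
        "closed_tcp": int(s["CT"]),
        "closed_udp": int(s["CU"]),
        "private_target": s["PV"] == "Y",
        "distance": int(s["DS"]),
        "distance_method": s["DC"],                 # D = direct (same network)
        "good_for_submission": s["G"] == "Y",
        "mac_oui": s.get("M"),                      # only present on the local network
        "scanned_at": datetime.fromtimestamp(int(s["TM"], 16), tz=timezone.utc),
        "scanner_platform": s["P"],
    }


if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE)
    print(scan_summary(fp))
    for name in ("O1", "O3", "O6"):
        print(name, decode_ops(fp["OPS"][name]))
    print("window sizes:", window_sizes(fp))
```

Decoding TM confirms that the hex value is a timestamp rather than a duration: 0x5DBE8A64 is 3 November 2019, the same day as the D=11/3 field.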

Fingerprints of unrecognised systems can be submitted at http://insecure.org/Nmap/submit/

Using Nmap for service discovery

Nmap provides more precise service and version detection through the -sV option. The options related to service and version detection are:

-sV (version detection)

You can also turn on operating system detection and version detection at the same time with -A, which additionally enables script scanning and traceroute.

--allports (scan all ports)

Version detection normally skips a few ports rather than probing every open port: TCP port 9100 is excluded by default because some printers simply print whatever is sent to it. Use --allports to probe every port when necessary.

--version-intensity <0-9> (set version scan intensity)

During a -sV scan Nmap sends a series of probes, each of which has a rarity value between 1 and 9. A higher intensity sends more (rarer) probes, so the service is more likely to be identified correctly, but the scan takes longer. The intensity ranges from 0 to 9 and defaults to 7; probes whose rarity exceeds the intensity are skipped unless they are registered for the target port.

--version-light (lightweight mode)

--version-light is equivalent to --version-intensity 2. This lightweight mode scans faster, but it is much less likely to identify services successfully.

--version-all (try every probe)

--version-all is equivalent to --version-intensity 9. It ensures that every probe is tried against every port.

--version-trace (trace version scanning activity)

This makes Nmap print detailed debugging information about the version scan in progress. It is a subset of the information shown by --packet-trace.

-sR (RPC scan)

This method is used together with the port scanning methods. It sends SunRPC program NULL commands to every open TCP/UDP port found, to determine whether they are RPC ports and, if so, which program and version numbers they run. (Recent versions of Nmap print the message "-sR is now an alias for -sV and activates version detection as well as RPC scan", meaning -sR is an alias for -sV, so this command does the same as -sV.)
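To show how intensity, rarity and port lists interact in a -sV scan, the following Python simulates Nmap's probe selection and match logic: it parses a constructed excerpt written in nmap-service-probes syntax, selects the probes Nmap would send to a port at a given intensity (the NULL probe always, plus probes whose rarity is at or below the intensity or whose ports list names the target port), and matches the replies of two fake services. It is an added example, not code from the original post or from the Nmap project; PROBES_TEXT is constructed and is not the real nmap-service-probes file, and fake_ssh and fake_apache stand in for real services so that it runs offline.

```python
"""
Simulation of how Nmap's version detection (-sV) chooses which probes to
send and matches the replies. Each probe in nmap-service-probes has a rarity
(1-9) and optionally a ports list; at a given --version-intensity Nmap sends
the NULL probe, every probe whose rarity is at or below the intensity, and
every probe whose ports list names the target port. Added example, not code
from the original post or the Nmap project; PROBES_TEXT is a constructed
excerpt in nmap-service-probes syntax and fake_ssh/fake_apache are stand-ins
for real services, so it runs offline.
"""
import re
from dataclasses import dataclass, field

PROBES_TEXT = r"""
# constructed excerpt in nmap-service-probes syntax (not the real file)
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
rarity 1
ports 80,443
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\d.]+)|s p/Apache httpd/ v/$1/
Probe TCP Help q|HELP\r\n|
rarity 9
ports 21,110
"""

VINFO_KEYS = {"p": "product", "v": "version", "i": "info", "h": "hostname", "o": "os", "d": "devicetype"}


@dataclass
class Probe:
    proto: str
    name: str
    payload: bytes
    rarity: int = 1
    ports: set = field(default_factory=set)
    matches: list = field(default_factory=list)   # (service, compiled regex, {field: template})


def _ports(spec: str) -> set:
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse_probes(text: str) -> list:
    probes, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, proto, name, q = line.split(" ", 3)
            delim = q[1]                               # q|payload| : delimiter follows q
            raw = q[2:q.index(delim, 2)]
            payload = raw.encode("latin-1").decode("unicode_escape").encode("latin-1")
            cur = Probe(proto, name, payload)
            probes.append(cur)
        elif line.startswith("rarity "):
            cur.rarity = int(line.split()[1])
        elif line.startswith("ports "):
            cur.ports = _ports(line.split(None, 1)[1])
        elif line.startswith("match "):
            m = re.match(r"match (\S+) m(.)(.*?)\2([is]*)\s*(.*)$", line)
            service, _, pattern, flags, vinfo = m.groups()
            fl = (re.I if "i" in flags else 0) | (re.S if "s" in flags else 0)
            templates = {VINFO_KEYS[k]: v for k, v in re.findall(r"([pvihod])/([^/]*)/", vinfo)}
            cur.matches.append((service, re.compile(pattern.encode("latin-1"), fl), templates))
    return probes


def select_probes(probes: list, port: int, intensity: int) -> list:
    """The probes Nmap would send to this port at this --version-intensity."""
    return [p for p in probes if p.name == "NULL" or p.rarity <= intensity or port in p.ports]


def identify(probes: list, port: int, intensity: int, service_fn):
    """service_fn(payload) -> reply bytes stands in for the remote service.
    Returns the first match as a dict, or None if nothing matched."""
    for probe in select_probes(probes, port, intensity):
        reply = service_fn(probe.payload)
        if not reply:
            continue
        for service, rx, templates in probe.matches:
            m = rx.search(reply)
            if m:
                def expand(t):   # substitute $1, $2 ... with the captured groups
                    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))).decode("latin-1"), t)
                return {"probe": probe.name, "service": service, **{k: expand(v) for k, v in templates.items()}}
    return None


# constructed stand-ins for an SSH server and an Apache httpd on a non-standard port
def fake_ssh(payload: bytes) -> bytes:
    return b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n" if payload == b"" else b""


def fake_apache(payload: bytes) -> bytes:
    if payload.startswith(b"GET "):
        return b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n"
    return b""


if __name__ == "__main__":
    probes = parse_probes(PROBES_TEXT)
    print(identify(probes, 22, 7, fake_ssh))
    print(identify(probes, 8080, 0, fake_apache))   # intensity 0: GetRequest (rarity 1) not sent
    print(identify(probes, 8080, 7, fake_apache))
```

The two Apache runs show the trade-off the intensity setting makes: on a non-standard port such as 8080 the GetRequest probe is only sent when the intensity covers its rarity, so at intensity 0 the web server is never identified, while at the default of 7 it is. A service that announces itself, such as SSH, is matched from the NULL probe alone at any intensity.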
