Kali Linux Penetration Testing in Practice 2.2 Operating System Fingerprinting
2.2 Operating System Fingerprinting
2.2.1 Banner grabbing
2.2.2 Common TCP and ICMP fingerprinting techniques
TCP datagram format
ICMP header format
TTL and TCP window size
FIN probe
BOGUS flag probe
TCP ISN sampling
IPID sampling
TCP Timestamp
ACK value
ICMP error messages
DHCP
2.2.3 Packet retransmission delay technique
2.2.4 OS detection with Nmap
General detection
Specifying the network scan type
Setting scan conditions
Interpreting the results
2.2.5 OS detection with Xprobe2
2.2.6 OS detection with p0f
2.2.7 OS detection with miranda
Summary
2.2 Operating System Fingerprinting
LAMP, LNMP, Windows Server 2003 IIS 6.0, Windows Server 2008 R2 IIS 7.5
2.2.1 Banner grabbing
Banner
bannerBannerapatheexchange
Banner
telnet 80bannerServer: Microsoft-HTTPAPI/2.0
IISISAPIBanner
ISAPI
IIS
asp.netX-Powered-By.net
webapachenginx
bannerbanner
banner
webftpsmtpbanner2.3Banner
2.2.2 Common TCP and ICMP fingerprinting techniques
TCP/IPRFC
TCP/IP
TCP datagram format
tcp
flags6
URGACKPSHRSTSYNFIN
URG
ACK
PSHpush
RSTTCP
SYNTCP
FINTCP
Sequence Number16
32
1
4TCPTCP20
16
16TCP
16URG
TCP4TCPTCPMSSTCP20TCP206549565535202065495
ICMP header format
icmp
DataICMP
TTL and TCP window size
TTLTCP
RFCTTLTTL
TTLTCP
FIN probe
RFC793FINRESETMS Windows, BSDI, CISCO, HP/UX, MVS, IRIX
BOGUS flag probe
FLAG TCP SYNLinux 2.0.35FLAG
TCP ISN sampling
TCPISNISNISN
IPID sampling
IPISN
TCP Timestamp
Some operating systems do not support this feature at all, some update the timestamp at different rates, and others always return 0.
ACK value
ACKACK+1
ICMP error messages
ICMPICMP
DHCP
DHCPRFC154121312132436143884578DHCP
2.2.3 Packet retransmission delay technique
2.2.2
TCPTCPISNACK
TCPRFC
TCP
2.2.4 OS detection with Nmap
Nmap-O
nmap -O 192.168.1.1/24
192.168.1.1 C255ip
192.168.1.11.1Tp-link
MAC Address: A8:15:4D:85:4A:30 (Tp-link Technologies Co.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.23 - 2.6.38
Network Distance: 1 hop
192.168.1.101android
MAC Address: 18:DC:56:F0:65:E0 (Yulong Computer Telecommunication Scientific(shenzhen)Co.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=12/27%OT=7800%CT=1%CU=39712%PV=Y%DS=1%DC=D%G=Y%M=18DC5
OS:6%TM=52BD035E%P=x86_64-unknown-linux-gnu)SEQ(SP=100%GCD=1%ISR=109%TI=Z%C
OS:I=Z%II=I%TS=7)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4S
OS:T11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5
OS:=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%
OS:T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)
nmapandroid
192.168.1.102windows 7 sp1
Device type: general purpose
Running: Microsoft Windows 7
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1
OS details: Microsoft Windows 7 SP0 - SP1
192.168.1.106ios 5.0
MAC Address: CC:78:5F:82:98:68 (Apple)
Device type: media device|phone
Running: Apple iOS 4.X|5.X|6.X
OS CPE: cpe:/o:apple:iphone_os:4 cpe:/a:apple:apple_tv:4 cpe:/o:apple:iphone_os:5 cpe:/o:apple:iphone_os:6
OS details: Apple Mac OS X 10.8.0 - 10.8.3 (Mountain Lion) or iOS 4.4.2 - 6.1.3 (Darwin 11.0.0 - 12.3.0)
192.168.1.106windows7 sp1
MAC Address: 7C:C3:A1:A7:EF:8E (Apple)
Too many fingerprints match this host to give specific OS details
192.168.1.119windows server 2008 r2,vmware
MAC Address: 00:0C:29:AA:75:3D (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
Network Distance: 1 hop
192.168.1.128centOS 6.4VMware
MAC Address: 00:0C:29:FE:DD:13 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.0 - 3.9
nmap
TCP SYN
nmap -sS -O 192.168.1.1/24
nmap -sS -O --osscan-limit 192.168.1.119/24
Nmap --osscan-guess; --fuzzy
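The `Running`, `OS CPE`, `OS details` and `TCP/IP fingerprint:` lines shown above are what has to be interpreted after an `nmap -O` run, and the three outcomes (a match, "No exact OS matches" with a raw fingerprint, and "Too many fingerprints match") need different handling in an asset inventory. The Python below is an added example, not code from the tutorial and not part of Nmap: it parses `nmap -O` host blocks into records, decodes the `OS:` fingerprint lines into their test groups (`SCAN`, `SEQ`, `OPS`, `WIN`, `ECN`, `T1`..`T7`, `U1`, `IE`) and reads the initial TTL nmap recorded, which is the same TTL clue the TTL/window-size technique relies on. The sample input is constructed from the output above; the `Nmap scan report for <ip>` header lines are added by me because the tutorial lists the IPs separately.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three host blocks taken from the tutorial's nmap -O run.
# The "Nmap scan report for <ip>" header lines are added here; the tutorial lists the IPs separately.
SAMPLE = """\
Nmap scan report for 192.168.1.1
MAC Address: A8:15:4D:85:4A:30 (Tp-link Technologies Co.)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.23 - 2.6.38
Network Distance: 1 hop

Nmap scan report for 192.168.1.101
MAC Address: 18:DC:56:F0:65:E0 (Yulong Computer Telecommunication Scientific(shenzhen)Co.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=12/27%OT=7800%CT=1%CU=39712%PV=Y%DS=1%DC=D%G=Y%M=18DC5
OS:6%TM=52BD035E%P=x86_64-unknown-linux-gnu)SEQ(SP=100%GCD=1%ISR=109%TI=Z%C
OS:I=Z%II=I%TS=7)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4S
OS:T11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5
OS:=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%
OS:T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T
OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=
OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(
OS:R=Y%DFI=N%T=40%CD=S)

Nmap scan report for 192.168.1.106
MAC Address: 7C:C3:A1:A7:EF:8E (Apple)
Too many fingerprints match this host to give specific OS details
"""

MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")
# Once the OS: prefixes are stripped and the lines joined, a fingerprint is a run of NAME(k=v%k=v...) groups.
GROUP_RE = re.compile(r"([A-Z0-9]+)\(([^)]*)\)")
TEXT_FIELDS = {"Device type: ": "device_type", "Running: ": "running", "OS details: ": "details"}

@dataclass
class HostOS:
    ip: str
    mac: str = ""
    vendor: str = ""
    device_type: str = ""
    running: str = ""
    cpe: list = field(default_factory=list)
    details: str = ""
    distance: Optional[int] = None
    status: str = "matched"   # matched | no_match | ambiguous
    fingerprint: dict = field(default_factory=dict)   # test name -> {attribute: value}

def parse_fingerprint(os_lines):
    """Join the OS: lines (a value may be split across two of them) and map test -> {key: value}."""
    joined = "".join(line[len("OS:"):] for line in os_lines)
    return {name: dict(item.partition("=")[::2] for item in body.split("%") if item)
            for name, body in GROUP_RE.findall(joined)}

def parse_host(lines):
    """Turn one 'Nmap scan report for ...' block into a HostOS record."""
    host = HostOS(ip=lines[0].split()[-1])
    os_lines = []
    for line in lines[1:]:
        m = MAC_RE.match(line)
        if m:
            host.mac, host.vendor = m.group(1), m.group(2)
        elif line.startswith("OS CPE: "):
            host.cpe = line[len("OS CPE: "):].split()
        elif line.startswith("Network Distance: "):
            host.distance = int(line.split()[2])
        elif line.startswith("No exact OS matches"):
            host.status = "no_match"        # nmap then prints the raw fingerprint instead
        elif line.startswith("Too many fingerprints match"):
            host.status = "ambiguous"
        elif line.startswith("OS:"):
            os_lines.append(line)
        else:
            for prefix, attr in TEXT_FIELDS.items():
                if line.startswith(prefix):
                    setattr(host, attr, line[len(prefix):])
    if os_lines:
        host.fingerprint = parse_fingerprint(os_lines)
    return host

def parse_nmap_os(text):
    """Split nmap -O output at each report header and parse every host block."""
    chunks = re.split(r"^(?=Nmap scan report for )", text, flags=re.M)
    return [parse_host(c.splitlines()) for c in chunks if c.startswith("Nmap scan report for ")]

def initial_ttl(fp):
    """Initial IP TTL nmap recorded for the probes (the hex T attribute), e.g. T=40 -> 64."""
    for test in ("ECN", "T1", "IE"):
        t = fp.get(test, {}).get("T")
        if t:
            return int(t, 16)
    return None
```

Running `parse_nmap_os(SAMPLE)` yields one record per host: the TP-Link router with `running == "Linux 2.6.X"` and a CPE list, the Android phone with `status == "no_match"` and a decoded fingerprint (`fp["SCAN"]["M"]` is the MAC prefix `18DC56` that nmap split across two `OS:` lines, and `initial_ttl(fp)` returns 64, the Linux default), and the Apple host with `status == "ambiguous"` and no OS fields at all. Feeding a whole `nmap -O` run through it is a quick way to list the hosts that still need manual classification.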
2.2.5 OS detection with Xprobe2
Xprobe2ICMPNmap2005
xprobe2
xprobe2 -v www.iprezi.cn
2.2.6 OS detection with p0f
p0f3.06bp0fNAT
p0f
-f fname (p0f.fp) path; if not specified, the default database is used.
-i iface
log file; only a log file from the same interface can be appended to and merged into this listening session.
p0f ;
the interface given with -i is put into promiscuous mode;
API concurrency, default 20, maximum 100;
(default values: c = 1,000, h = 10,000).
p0f -i eth0 -p
eth0
p0f1
p0f2
p0f2windows78nmapwindows7 windows7 sp1
nmap
p0f3
p0f3Windows NT 6.1; WOW64; Trident/7.0; rv:11.0UserAgentwindows7 64IE11
2.2.7 OS detection with miranda
mirandaUPNPmiranda
miranda -v -i eth0
eth0
mirandaupnpupnpmsearchupnp
upnp
CTRL +Chost list
host get [index]upnp
host info [index]
TP-Linkwindows 7
RINGCron-OSKali Linux
2.3--
More related articles at www.xuanhun521.com; original link