Kali Linux Penetration Testing in Practice 2.2 Operating System Fingerprinting


2.2 Operating System Fingerprinting

2.2.1 Banner Grabbing

2.2.2 Conventional TCP/ICMP Fingerprinting Techniques

TCP datagram format

ICMP header format

TTL and TCP window size

FIN probe

BOGUS flag probe

TCP ISN sampling

IPID sampling

TCP Timestamp

ACK

ICMP error messages

DHCP

2.2.3 Packet Retransmission Timing Technique

2.2.4 OS Detection with Nmap

General detection

Specifying the scan type

Setting scan conditions

Guessing the result

2.2.5 OS Detection with Xprobe2

2.2.6 OS Detection with p0f

2.2.7 OS Detection with miranda

Summary


2.2 Operating System Fingerprinting

LAMP, LNMP, Windows Server 2003 with IIS 6.0, Windows Server 2008 R2 with IIS 7.5


2.2.1 Banner Grabbing

Banner

banner, Banner, Apache, Exchange

Banner

telnet to port 80, banner: Server: Microsoft-HTTPAPI/2.0

IIS, ISAPI, Banner

ISAPI

IIS

asp.net, X-Powered-By, .net

web: apache, nginx

banner, banner

banner

web, ftp, smtp banner (2.3 Banner)

2.2.2 Conventional TCP/ICMP Fingerprinting Techniques

TCP/IP, RFC

TCP/IP

TCP

tcp

Flags: 6 bits

     URG, ACK, PSH, RST, SYN, FIN

     URG

     ACK

     PSH (push)

     RST: reset the TCP connection

     SYN: establish a TCP connection

     FIN: close the TCP connection

Source port, destination port: 16 bits each

Sequence Number: 32 bits

Acknowledgment Number: 32 bits (the next sequence number expected, i.e. the last one received + 1)

Header length: 4 bits, counted in 32-bit words; a TCP header without options is 20 bytes

Window: 16 bits

Checksum: 16 bits, covering the TCP header and data

Urgent pointer: 16 bits, meaningful only when URG is set

TCP options: the header length field (4 bits) tells where the options end. The most common option is MSS; with a 20-byte TCP header and a 20-byte IP header the maximum MSS is 65535 - 20 - 20 = 65495.

ICMP

icmp

Data: ICMP

TTL and TCP window size

TTLTCP

RFCTTLTTL

TTLTCP

FIN

According to RFC 793 a FIN probe sent to an open port should get no reply, but MS Windows, BSDI, CISCO, HP/UX, MVS and IRIX answer with a RESET.

BOGUS flag

Set an undefined FLAG bit in a TCP SYN packet; Linux kernels before 2.0.35 keep that FLAG set in their reply.

TCP ISN

TCP ISN: the way an operating system generates the ISN for a new connection differs between systems, so sampling ISNs reveals the OS.

IPID

IP ID: sampled in the same way as the ISN.

TCP Timestamp

Some operating systems do not support this feature, some update the timestamp at different rates, and others return 0.

ACK

ACK value: in the reply, some systems set ACK to the sequence number that was sent, others to that sequence number + 1.

ICMP

ICMPICMP

DHCP

DHCP is specified in RFC 1541, 2131, 2132, 4361, 4388 and 4578 (DHCP).

2.2.3 Packet Retransmission Timing Technique

2.2.2

TCP, TCP ISN, ACK

TCP, RFC

TCP

2.2.4 OS Detection with Nmap

Nmap -O

nmap -O 192.168.1.1/24

192.168.1.1/24: a class C range of 255 IPs

192.168.1.1: Tp-link

MAC Address: A8:15:4D:85:4A:30 (Tp-link Technologies Co.)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.23 - 2.6.38

Network Distance: 1 hop

192.168.1.101: Android

MAC Address: 18:DC:56:F0:65:E0 (Yulong Computer Telecommunication Scientific(shenzhen)Co.)

No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

TCP/IP fingerprint:

OS:SCAN(V=6.40%E=4%D=12/27%OT=7800%CT=1%CU=39712%PV=Y%DS=1%DC=D%G=Y%M=18DC5

OS:6%TM=52BD035E%P=x86_64-unknown-linux-gnu)SEQ(SP=100%GCD=1%ISR=109%TI=Z%C

OS:I=Z%II=I%TS=7)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4S

OS:T11NW6%O5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5

OS:=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%

OS:T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=

OS:R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T

OS:=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=

OS:0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(

OS:R=Y%DFI=N%T=40%CD=S)

nmap did not identify the Android host.

192.168.1.102: Windows 7 SP1

Device type: general purpose

Running: Microsoft Windows 7

OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1

OS details: Microsoft Windows 7 SP0 - SP1

192.168.1.106: iOS 5.0

MAC Address: CC:78:5F:82:98:68 (Apple)

Device type: media device|phone

Running: Apple iOS 4.X|5.X|6.X

OS CPE: cpe:/o:apple:iphone_os:4 cpe:/a:apple:apple_tv:4 cpe:/o:apple:iphone_os:5 cpe:/o:apple:iphone_os:6

OS details: Apple Mac OS X 10.8.0 - 10.8.3 (Mountain Lion) or iOS 4.4.2 - 6.1.3 (Darwin 11.0.0 - 12.3.0)

192.168.1.106: Windows 7 SP1

MAC Address: 7C:C3:A1:A7:EF:8E (Apple)

Too many fingerprints match this host to give specific OS details

192.168.1.119: Windows Server 2008 R2 (VMware)

MAC Address: 00:0C:29:AA:75:3D (VMware)

Device type: general purpose

Running: Microsoft Windows 7|2008

OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8

OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8

Network Distance: 1 hop

192.168.1.128: CentOS 6.4 (VMware)

MAC Address: 00:0C:29:FE:DD:13 (VMware)

Device type: general purpose

Running: Linux 3.X

OS CPE: cpe:/o:linux:linux_kernel:3

OS details: Linux 3.0 - 3.9

nmap

TCP SYN

nmap -sS -O 192.168.1.1/24

nmap -sS -O --osscan-limit 192.168.1.119/24

Nmap --osscan-guess; --fuzzy

2.2.5 OS Detection with Xprobe2

Xprobe2 relies mainly on ICMP probes; unlike Nmap, its last release dates from 2005.

xprobe2

xprobe2 -v www.iprezi.cn

2.2.6 OS Detection with p0f

p0f (version 3.06b) fingerprints passively; p0f can also detect NAT.

p0f

-f fname: path to the fingerprint database (p0f.fp); if not given, the default database is used.

-i iface: the network interface to listen on.

log file; only a log file written for the same network interface can be appended to and merged into the current capture.

p0f ;

-p: put the interface given by -i into promiscuous mode;

number of concurrent API connections, default 20, upper limit 100

(defaults: c = 1,000, h = 10,000).

p0f -i eth0 -p

eth0

p0f1

p0f2

p0f (figure 2) reports Windows 7 or 8, whereas nmap reported Windows 7 / Windows 7 SP1.

nmap

p0f3

p0f (figure 3) also shows the HTTP User-Agent "Windows NT 6.1; WOW64; Trident/7.0; rv:11.0", which indicates 64-bit Windows 7 with IE 11.

2.2.7 OS Detection with miranda

miranda is a UPnP discovery tool; miranda

miranda -v -i eth0

eth0

miranda discovers UPnP devices by sending UPnP msearch requests.

upnp

Press CTRL+C, then run host list

host get [index]: fetch the UPnP description of a host

host info [index]

TP-Link, Windows 7

RING, Cron-OS, Kali Linux

2.3--

More related articles: www.xuanhun521.com, original link
