How can you know which operating system is running on a specific remote host? The technique to answer this question corresponds to the fingerprinting of the operating system and is executed by sending a specific set of packages to the remote host and see how it behaves. Each operating system responds differently, which allows it to be identified.
This will be a set of two diaries covering how nmap and p0f performs OS fingerprinting.
This diary will cover nmap. For its content, a virtual machine will be used in VMWare with Ubuntu 16.04 operating system and a network capture, which can be downloaded from here. The following topology is being used:
Now we perform an nmap OS fingerprint scan to 192.168.42.131 using -O option:
The only opened port we find is TCP/22. So, after performing a network capture, we can have a look to all the packets being sent to that specific port using the following wireshark filter: ip.src == 192.168.42.1 and ip.addr == 192.168.42.131 and tcp.port == 22
Now we proceed to break down packet number 2003. Below you can see its hex dump. Can you get the same values as me for the fields that I will describe below? Remember that the package includes the level 2 headers of the OSI model:
Let's verify the responses for some specific packets. There are no TCP answers for packet 2023 (TCP packet with no flags):
What about the answer for packet 2003?
These answers are processed by nmap to determine what is the operating system of the remote host.
How can you forge the remote host answers to these specific nmap os fingerprint packets? Let's use OSFooler:
1. Download the tool:
2. Setup and install the tool. You need to have previously installed python-setuptools and python-nfqueue:
3. Update the tool with the latest nmap database:
4. Let's find a fingerprint for Windows 8 to forge:
5. Let's forge the answers of the linux machine to make it look a Windows 8.1:
6. To nmap, the linux machine now looks like a Windows 8.1:
Do you know any other interesting tools to fool OS fingerprint? Feel free to comment this diary or contact us.
Manuel Humberto Santander Pelaacuteez
Apr 9th 2020
1 month ago