Service and OS detection

2.3. Service and OS detection

During the previous phases we should have gathered not only a list of live hosts but also, for each host, information about its open and closed ports.

The next step is to identify which services are running on those ports. This is an important step because it narrows down the attack surface we need to work on and gives us the last piece of information needed to start researching potential exploits for the target systems.

2.3.1. Banner Grabbing

The term banner refers to the message that a service running on the target host sends back when another host connects to it. Many banners contain information such as the service name and its current version, because most services send that greeting by default unless an administrator changes the configuration.

To grab a banner we can use tools like telnet, netcat (nc), or ncat. These tools read and write raw data across network connections: they let us open a connection between two hosts, send and receive arbitrary bytes, transfer files, hand a connection over to a program, and much more.

For example, ncat [ipaddress] 22 connects to the SSH service (port 22) on a server. An SSH server speaks first, so it immediately returns its identification line, of the form SSH-<protocol>-<software>, which tells us the SSH software and version.

An HTTP server, by contrast, sends nothing until we send it a request (for example HEAD / HTTP/1.0 followed by an empty line); only then does it answer with headers such as Server:. This is discussed further in the Web App Pentesting section.
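The two behaviours described above (a chatty service such as SSH that speaks first, and a quiet one such as HTTP that must be sent a request) in a small banner grabber. This is an added example, not code from the original page or from ncat; it stands in two throwaway local listeners for real targets so it runs offline, and the HTTP probe, SSH banner and Server: header values are constructed for the demonstration.

```python
import socket
import threading

# Constructed HTTP probe: a web server stays silent until it gets a request.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host, port, probe=None, terminator=b"\n",
                timeout=3.0, max_bytes=4096):
    """Connect to host:port and return the first thing the service says.

    Chatty services (SSH, FTP, SMTP) speak first, so we only read. Quiet
    ones (HTTP) need `probe` sent before they answer. Reading stops at
    `terminator` (one line for SSH, the blank line that ends HTTP headers),
    at EOF, at max_bytes, or when the timeout fires; whatever arrived by
    then is the banner (b"" if the service said nothing).
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while terminator not in buf and len(buf) < max_bytes:
                data = s.recv(1024)
                if not data:            # peer closed the connection
                    break
                buf += data
        except socket.timeout:
            pass                        # silent service, or a slow one
    return buf


def parse_ssh_banner(banner):
    """Split an SSH identification line (RFC 4253: SSH-proto-software [comment])
    into (protocol, software, comment); None if it is not an SSH banner."""
    line = banner.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    parts = line.split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        return None
    software, _, comment = parts[2].partition(" ")
    return parts[1], software, comment


def http_server_header(response):
    """Return the value of the Server: header from an HTTP response, or None."""
    for line in response.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server":
            return value.strip().decode("ascii", "replace")
    return None


def start_fake_service(banner=b"", reply=b""):
    """Throwaway listener on 127.0.0.1 standing in for a target (constructed
    for offline use). `banner` is sent as soon as a client connects, `reply`
    only after the client has sent something. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                    if reply:
                        conn.settimeout(2)
                        conn.recv(1024)         # wait for the client's request
                        conn.sendall(reply)
                except OSError:
                    pass                        # client gave up; serve the next one

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_service(banner=b"SSH-2.0-OpenSSH_9.2p1 Debian-2\r\n")
    web_port = start_fake_service(
        reply=b"HTTP/1.0 200 OK\r\nServer: nginx/1.22.1\r\n\r\n")
    print(parse_ssh_banner(grab_banner("127.0.0.1", ssh_port)))
    print(http_server_header(grab_banner("127.0.0.1", web_port,
                                         probe=HTTP_PROBE, terminator=b"\r\n\r\n")))
```

Against a real host, swap 127.0.0.1 and the fake ports for the target and port 22 or 80; the grabber itself does not change. Note that a quiet service read without a probe simply yields b"" after the timeout, which is exactly the "no answer" case the text describes for HTTP.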

2.3.2. Probing Services

Banner grabbing alone is not reliable: banners can be disabled, trimmed or deliberately altered by the administrator, and quiet services never send one. We must therefore use more accurate techniques to determine the exact version of the services running on the remote host.

To do this we can use tools such as nmap and its service detection feature. This works differently from banner grabbing: nmap sends a series of probes to each open port, parses the responses, and tries to match them against its signature database (the nmap-service-probes file). By querying the services and analysing the responses, nmap can determine the service protocol, the application name, the version number, the hostname, and more.

Command:

nmap -sV [options] [TargetIP]

If we want nmap to scan a specific port, we can use the -p option. To increase the output verbosity, we can use -v. Service detection also has some options of its own:

  • -sV: Probe open ports to determine service/version info

  • --version-intensity <level>: 0 to 9 (light to all probes; the default is 7)

  • --version-light: Limit to the most likely probes (intensity 2)

  • --version-all: Try every single probe (intensity 9)

  • --version-trace: Show detailed version scan activity
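How nmap turns a probe response into a product and version, shown with a small matcher that reads signatures written in the nmap-service-probes "match" syntax. This is an added example, not nmap's own code or its real database: the four signatures and the captured responses are constructed for the demonstration (the real file also carries the Probe definitions that say what to send, and matches use Perl regular expressions; the subset used here, "match" lines with $N substitutions and the i/s flags, behaves the same in Python).

```python
import re

# A few signatures in the nmap-service-probes "match" syntax (constructed for
# this example; Nmap's own file holds thousands and also carries the Probe
# definitions that say what to send). Layout of a line:
#   match <service> m<delim>regex<delim>[flags] p/product/ v/version/ i/info/
# $1, $2 ... in the version fields are filled from the regex capture groups;
# the "s" flag makes "." match newlines, "i" makes the match case-insensitive.
SIGNATURES = r"""
match ssh  m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: nginx/([\w.]+)|s p/nginx/ v/$1/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w.]+) \(([^)]+)\)|s p/Apache httpd/ v/$1/ i/$2/
match ftp  m|^220 \(vsFTPd ([\d.]+)\)| p/vsftpd/ v/$1/
"""

FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "os", "d": "devicetype"}


def parse_signatures(text):
    """Parse match lines into (service, compiled regex, {field: template})."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head = re.match(r"^(soft)?match\s+(\S+)\s+m(\S)", line)
        if not head:
            raise ValueError("unsupported line: " + line)
        delim = head.group(3)
        end = line.index(delim, head.end())      # closing delimiter of the regex
        pattern = line[head.end():end]
        rest = line[end + 1:]
        flags = re.match(r"[is]*", rest).group()
        re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
        fields = dict(re.findall(r"\s([pvihod])/([^/]*)/", rest[len(flags):]))
        sigs.append((head.group(2), re.compile(pattern.encode(), re_flags), fields))
    return sigs


def identify(response, sigs):
    """Return the first signature that matches the raw response (first match
    wins, as in Nmap), with $N templates expanded; None if nothing matches."""
    for service, regex, fields in sigs:
        m = regex.search(response)
        if not m:
            continue

        def fill(template):
            return re.sub(r"\$(\d+)",
                          lambda g: (m.group(int(g.group(1))) or b"").decode("ascii", "replace"),
                          template)

        result = {"service": service}
        result.update({FIELD_NAMES[k]: fill(v) for k, v in fields.items()})
        return result
    return None


# Constructed responses, as a banner grabber or probe would have captured them.
RESPONSES = {
    "ssh":    b"SSH-2.0-OpenSSH_9.2p1 Debian-2\r\n",
    "nginx":  b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\nServer: nginx/1.22.1\r\n\r\n",
    "apache": b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.4.57 (Debian)\r\n\r\n",
    "other":  b"220 Welcome to the FTP service\r\n",
}

if __name__ == "__main__":
    sigs = parse_signatures(SIGNATURES)
    for name, resp in RESPONSES.items():
        print(name, "->", identify(resp, sigs))
```

The "other" response shows why version intensity matters: a generic 220 greeting matches nothing here, and nmap would move on to less likely probes (or report the port as "unknown" and print the raw fingerprint) rather than guess.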

2.3.3. OS Fingerprinting

Once we identify the services running on the remote host, we can move on and start the OS detection phase.

There are 2 types of OS detection:

  • Passive OS fingerprinting: identifies the remote OS from packets we receive, without sending any packets of our own. For example, analysing traffic that we have already captured.

  • Active OS fingerprinting: sends packets to the target and analyses the responses (or the lack of one). Active fingerprinting often sends malformed or unexpected packets on purpose, because different TCP/IP implementations respond differently to such errors.

TCP/IP fingerprinting, also known as TCP stack fingerprinting or OS fingerprinting, is the process of determining the identity of the OS. TCP fingerprinting works by sending TCP packets (nmap also uses ICMP and UDP probes) to one or more ports on the target and then analysing how the host's TCP/IP stack responds.

Many details of the TCP/IP specifications are left open to interpretation, so each vendor implements the stack slightly differently: initial TTL, window size, the order of TCP options, the handling of illegal flag combinations, and so on. Together these create a distinctive fingerprint. Nmap compares the results it obtains to its internal database of OS fingerprints (the nmap-os-db file) and, if there is a match, prints out the detected OS.

The Remote OS Detection chapter of the Nmap reference guide lists the probes nmap sends and the fingerprint format in detail.

  • Active OS fingerprinting command:

    nmap -O -n ipaddress

    The -n flag skips DNS resolution. Nmap prints the matching OS or, when there is no exact match, a list of likely candidates.

    You can also use -A, which enables OS detection, version detection, script scanning and traceroute in one run:

    nmap -A -n ipaddress

  • Passive OS fingerprinting: aside from active methods of discovering nearby hosts and their OS, we also have a great tool at our disposal that allows us to fingerprint hosts on a network passively.

This tool is p0f, by Michal Zalewski (https://lcamtuf.coredump.cx/p0f3/).

With p0f, we can get the following information about hosts on a network without sending a single packet:

  • Host uptime

  • OS / software

  • Distance from our host, in hops, estimated from the TTL

  • User-Agents (from observed HTTP traffic)
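What a passive fingerprinter actually looks at in a captured TCP SYN, and how the OS and hop distance above are inferred from it. This is an added example, not p0f's code or its signature file: the parser reads the fields the text names (TTL, DF bit, window size, option order) from raw IPv4/TCP bytes, the four signatures are simplified, illustrative entries in the spirit of p0f's SYN signatures rather than copies of p0f.fp, and the three "captured" packets are constructed by the build_syn helper so the whole thing runs offline.

```python
import socket
import struct

# Simplified signatures in the spirit of p0f's TCP SYN fingerprints
# (illustrative values, not a copy of p0f.fp): name, initial TTL, window rule
# (an exact size, or "mss*" meaning a multiple of the advertised MSS) and the
# exact order of TCP options in the SYN. All four also set the IP DF bit.
SIGNATURES = [
    ("Linux 3.x/4.x", 64,  "mss*", ("mss", "sok", "ts", "nop", "ws")),
    ("Windows 7/8",   128, 8192,   ("mss", "nop", "ws", "nop", "nop", "sok")),
    ("Windows XP",    128, 16384,  ("mss", "nop", "nop", "sok")),
    ("FreeBSD 9.x",   64,  65535,  ("mss", "nop", "ws", "sok", "ts")),
]
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def parse_syn(pkt):
    """Extract the stack-specific fields from a raw IPv4/TCP SYN (no link layer).
    Returns None if the packet is not a pure SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13]
    if not (flags & 0x02) or flags & 0x10:       # need SYN set, ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, layout, mss, wscale, i = tcp[20:doff], [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # EOL: end of options
            break
        if kind == 1:                            # NOP has no length byte
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                           # malformed option, stop
            break
        value = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", value)[0]
        elif kind == 3:
            wscale = value[0]
        layout.append(OPTION_NAMES.get(kind, "?%d" % kind))
        i += length
    # Initial TTL guess: the smallest common default not below the observed TTL;
    # the difference is the number of hops the packet travelled.
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return {"ttl": ttl, "initial_ttl": initial_ttl, "distance": initial_ttl - ttl,
            "df": df, "window": window, "mss": mss, "wscale": wscale,
            "layout": tuple(layout)}


def match_signature(fp):
    """Return the name of the first signature consistent with the fingerprint."""
    for name, ittl, win_rule, layout in SIGNATURES:
        if not fp["df"] or fp["initial_ttl"] != ittl or fp["layout"] != layout:
            continue
        if win_rule == "mss*":
            if not fp["mss"] or fp["window"] % fp["mss"]:
                continue
        elif fp["window"] != win_rule:
            continue
        return name
    return None


def fingerprint(pkt):
    fp = parse_syn(pkt)
    if fp is not None:
        fp["os"] = match_signature(fp)
    return fp


def build_syn(ttl, df, window, options, src="10.0.0.5", dst="10.0.0.1"):
    """Construct a raw IPv4/TCP SYN for testing (checksums left zero: these
    packets are parsed, never sent). options: [("mss", 1460), ("sok", None), ...]"""
    enc = b""
    for kind, val in options:
        if kind == "mss":
            enc += struct.pack("!BBH", 2, 4, val)
        elif kind == "ws":
            enc += struct.pack("!BBB", 3, 3, val)
        elif kind == "sok":
            enc += b"\x04\x02"
        elif kind == "ts":
            enc += struct.pack("!BBII", 8, 10, val, 0)
        elif kind == "nop":
            enc += b"\x01"
    enc += b"\x00" * (-len(enc) % 4)             # pad with EOL to a 32-bit boundary
    doff = 5 + len(enc) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, window, 0, 0) + enc
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed SYNs as a sniffer might capture them a few hops from the sender.
CAPTURED = {
    "linux":   build_syn(58, True, 29200, [("mss", 1460), ("sok", None), ("ts", 1), ("nop", None), ("ws", 7)]),
    "windows": build_syn(126, True, 8192, [("mss", 1460), ("nop", None), ("ws", 8), ("nop", None), ("nop", None), ("sok", None)]),
    "unknown": build_syn(250, False, 5840, [("mss", 1460)]),
}

if __name__ == "__main__":
    for name, pkt in CAPTURED.items():
        fp = fingerprint(pkt)
        print("%-8s os=%-14s distance=%d hops window=%d options=%s" %
              (name, fp["os"], fp["distance"], fp["window"], ",".join(fp["layout"])))
```

Two caveats a practitioner should keep in mind: the hop distance is only as good as the initial-TTL guess (a host behind more than 32 hops, or one with a non-default TTL, is misjudged), and a NAT device, proxy or load balancer in the path rewrites some of these fields, so the signature you see may belong to the middlebox rather than the end host. p0f's real database is far richer than the four entries here, which is why its verdicts carry more weight than this toy's.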

p0f comes preinstalled on Kali Linux, and the quickest way to get it up and running is with the following command (as root, since it has to capture packets on the interface):

# p0f -i eth0
