Pentester's arsenal: identifying the system
by V1NC3NT - December 10, 2020 at 04:08 PM
[Image: GH2op5P.gif]

Pentester's arsenal: a collection of utilities for remotely identifying the operating system

The first stage of a pentest is, as everyone knows, reconnaissance. Only after establishing which system is running on the remote host can you start looking for holes in it. In this article you will learn about seven tools that help at this stage, and at the same time you will see exactly how they work out the operating system.

Around the same historical period when the monkey climbed down from the tree and for some reason decided to become a man, it learned to use tools. Since then it has been the custom that each monkey gets its own food with its own tools, which favourably distinguishes it from the rest of the fauna. And one of the richest arsenals of handy tools among primates certainly belongs to pentesters and hackers.

No surprise there: studying remote systems and exploiting the vulnerabilities found in them with bare hands is like trying to scare a hedgehog with naked enthusiasm and irrepressible zeal, which is both impractical and, by and large, useless. Moreover, it is obvious that the first and most important stage in studying any system is reconnaissance and information gathering. That is where we will focus our attention.

My opinion
Experienced pentesters, hackers and those who consider themselves as such can safely skip a couple of milkshakes and this section; for everyone else we will take a short theoretical detour. Obviously, at the initial stage of reconnaissance the remote system appears to us as a "black box", and at best we know only its IP address. At a minimum you need to find out which ports are open on the host under investigation, which operating system it runs, and which software is installed there and able to talk to the network. Only then, having collected the necessary information, can you look for vulnerabilities and think about how to turn them to the benefit of humanity.

With an ordinary computer or laptop, determining the operating system is the easiest thing of all: if looking at the screen makes you slightly queasy, it's Windows; if it makes you want to build something from source, it's definitely Linux. With a remote host this trick will not work, so we can only evaluate indirect signs. Determining which operating system runs on a host can be done by passive and active methods. In the first case, sniffing with tools like Wireshark and subsequent traffic analysis is usually used. In the second case the principle of patterns is used: each OS has a characteristic set of open ports and a characteristic way of answering probes, which you can knock on and assess. Then, looking at this picturesque picture, you draw the appropriate conclusions. In both cases we are examining something like the fingerprints of the operating system, which is why the set of methods is usually called fingerprinting.

As a rule, all methods of passive traffic analysis boil down to studying the behaviour of the TCP/IP stack on the remote machine. Packet headers contain fields whose default values differ between operating systems. For example, an initial TTL (Time To Live) of 64 is typical for Linux and FreeBSD, while Windows starts at 128; since every router on the path decrements it by one, the observed value also tells you roughly how many hops away the host is. If the Don't Fragment (DF) flag is not set in the IP header, it hints that we are dealing with OpenBSD. Other indirect signs are the TCP window size, the maximum segment size (MSS), the window scaling value, the order of the TCP options and the presence of the SACK-permitted option. By the method of elimination we can work out which OS runs on the host of interest, and the utilities discussed below make this easier. Keep in mind that all of these are heuristics: NAT devices, proxies and load balancers answer with their own stack, and an administrator can change the defaults with a sysctl, so a single SYN is a hint, not a verdict.
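To make the passive heuristics above concrete, here is an added example (not code from the article and not p0f's own implementation) that parses a raw IPv4/TCP SYN, pulls out the TTL, DF flag, window size, MSS, window scale, SACK-permitted and timestamp options, estimates the hop distance from the TTL, and scores the result against a tiny signature table. The signature table and the two packets are assumptions constructed for illustration; a real p0f database is far richer and is the authoritative source for the values.

```python
"""Passive OS fingerprinting of a TCP SYN from its IP/TCP header fields,
in the spirit of p0f. Added example, not code from the article or from p0f.
The signature table is a small, illustrative subset (assumption) and the
two packets are constructed here; they did not come from a capture."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class SynFeatures:
    ttl: int
    df: bool
    window: int
    mss: Optional[int]
    wscale: Optional[int]
    sack_ok: bool
    timestamps: bool

def parse_syn(pkt: bytes) -> SynFeatures:
    """Pull the fields a passive fingerprinter cares about out of a raw IPv4+TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    window = struct.unpack("!H", tcp[14:16])[0]
    mss = wscale = None
    sack_ok = timestamps = False
    opts, i = tcp[20:data_off], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                # malformed option: stop instead of looping forever
            break
        body = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            wscale = body[0]
        elif kind == 4:
            sack_ok = True
        elif kind == 8:
            timestamps = True
        i += length
    return SynFeatures(ttl, df, window, mss, wscale, sack_ok, timestamps)

def initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if ttl <= base:
            return base
    return 255

def hop_distance(ttl: int) -> int:
    """Each router decrements TTL by one, so initial minus observed is the hop count."""
    return initial_ttl(ttl) - ttl

# Illustrative signatures (assumption): initial TTL, DF, expected window (an int,
# or ("mss", n) meaning n*MSS), window scaling present, SACK-permitted, timestamps.
SIGNATURES = [
    ("Linux 3.x+",     dict(ittl=64,  df=True,  window=("mss", 20), wscale=True, sack=True, ts=True)),
    ("Windows 7/8/10", dict(ittl=128, df=True,  window=8192,        wscale=True, sack=True, ts=False)),
    ("OpenBSD",        dict(ittl=64,  df=False, window=16384,       wscale=True, sack=True, ts=True)),
]

def guess_os(pkt: bytes) -> Tuple[str, int]:
    """Score every signature against the SYN and return the best (name, score)."""
    f = parse_syn(pkt)
    best = ("unknown", 0)
    for name, sig in SIGNATURES:
        win = sig["window"]
        expected = f.mss * win[1] if isinstance(win, tuple) and f.mss else win
        score = ((initial_ttl(f.ttl) == sig["ittl"]) + (f.df == sig["df"])
                 + 2 * (f.window == expected)        # window is the most OS-specific field
                 + ((f.wscale is not None) == sig["wscale"])
                 + (f.sack_ok == sig["sack"]) + (f.timestamps == sig["ts"]))
        if score > best[1]:
            best = (name, score)
    return best

def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4+TCP SYN (checksums left zero; parsing ignores them)."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     socket.inet_aton("10.0.0.5"), socket.inet_aton("10.0.0.9"))
    return ip + tcp

# Constructed packets (assumption). TTLs 52 and 117 stand for hosts 12 and 11 hops away.
LINUX_SYN = build_syn(52, True, 29200,
    b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8 + b"\x01" b"\x03\x03\x07")
WINDOWS_SYN = build_syn(117, True, 8192,
    b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x08" b"\x01\x01" b"\x04\x02")

if __name__ == "__main__":
    for label, pkt in (("linux-like", LINUX_SYN), ("windows-like", WINDOWS_SYN)):
        f = parse_syn(pkt)
        print(label, guess_os(pkt), f"{hop_distance(f.ttl)} hops", f)
```

The scoring deliberately weights the window size most, since it is the field that varies most between stacks, while TTL only contributes after rounding up to the nearest initial value; that rounding is also what makes the hop-count estimate work. Feed it the bytes of a real SYN from a pcap and remember the caveat from the text: a NAT or proxy in the path will fingerprint the middlebox, not the host behind it.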

Nmap
Website: []
Platform: GNU/Linux,macOS,Windows(x86)
It is a very popular cross-platform tool with a rich history and a wide arsenal of functionality. It can do a lot besides fingerprinting, but we are primarily interested in its "reconnaissance capabilities".
The current version at the time of writing, Nmap 7.80, ships with a graphical front end (Zenmap), but for old-timers there is the command line. In that case use nmap -O -Pn target, where target is the hostname, IP address or CIDR range being examined: -O turns on OS detection (it needs raw-socket privileges, so run it as root or with sudo), and -Pn skips the host-discovery ping so that a host which drops ICMP is still scanned. Add -sV to have the service banners probed as well. The very stubborn can compile the tool from the sources kindly published on the developers' site.
[Image: 01-1.png]
Nmap scan report
The utility's verdict on the operating system is approximate, but the stated probability of one or another variant can reach 90% and more, and the output also names the ports whose responses the guess was based on. In principle this is quite enough to understand in which direction to dig further. In addition, the program displays the versions of the server software running there, the open ports, the results of forward and reverse DNS lookups, IPv4 and IPv6 addresses, and it accepts targets in CIDR (Classless Inter-Domain Routing) notation. Nmap offers several scan types, the choice of which depends on the researcher's goals; the principles of the program are described in detail in the documentation on the official website. The utility is very powerful indeed: its scripting engine (NSE) even includes scripts for evading firewalls, brute-forcing credentials and running DoS tests. In short, a useful tool if you know how to handle it. Bear in mind that -O is anything but stealthy: it sends a series of deliberately odd TCP, UDP and ICMP probes that any IDS will recognise as an Nmap OS scan.
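Nmap can write its report as XML (-oX), which is far easier to post-process than the human-readable output. The following added example (not from the article or the Nmap project) parses such a report, lists the open ports with their service banners, ranks the OS matches by accuracy, applies a confidence threshold, and collects the reason_ttl values of the responses as a cross-check against the passive TTL heuristic. The XML is a constructed sample in the real nmaprun format; the threshold value is an assumption.

```python
"""Summarise an Nmap XML report (nmap -O -Pn -sV -oX - target).
Added example, not part of the article or of Nmap. SAMPLE_XML is a
constructed document in the nmaprun format, not a real scan."""
import sys
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample of what "nmap -O -Pn -sV -oX - 10.0.0.9" might emit.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -Pn -sV -oX - 10.0.0.9" version="7.80">
<host>
<status state="up" reason="user-set"/>
<address addr="10.0.0.9" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/>
<service name="http" product="nginx" version="1.18.0" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset" reason_ttl="64"/></port>
</ports>
<os>
<portused state="open" proto="tcp" portid="22"/>
<portused state="closed" proto="tcp" portid="23"/>
<osmatch name="Linux 4.15 - 5.6" accuracy="95" line="65000">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="4.X" accuracy="95"/></osmatch>
<osmatch name="Linux 5.0 - 5.4" accuracy="92" line="65100"/>
</os>
</host>
</nmaprun>"""

def summarise(xml_text: str, min_accuracy: int = 85) -> List[dict]:
    """One dict per host: address, open ports, OS guesses by accuracy, response TTLs, verdict.
    min_accuracy (assumption) is the confidence below which the top match is flagged."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        ports = []
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            name = svc.get("name") if svc is not None else "?"
            banner = " ".join(v for v in ((svc.get("product"), svc.get("version")) if svc is not None else ()) if v)
            ports.append((int(p.get("portid")), name, banner))
        guesses = sorted(((m.get("name"), int(m.get("accuracy"))) for m in host.iter("osmatch")),
                         key=lambda g: -g[1])
        # TTL of the packets that decided each port state: should agree with the OS guess.
        ttls = {int(s.get("reason_ttl")) for s in host.iter("state") if s.get("reason_ttl")}
        if guesses and guesses[0][1] >= min_accuracy:
            verdict = guesses[0][0]
        elif guesses:
            verdict = "uncertain: " + guesses[0][0]
        else:
            verdict = "no OS match"
        hosts.append({"addr": addr, "ports": ports, "os_guesses": guesses,
                      "reason_ttl": ttls, "verdict": verdict})
    return hosts

if __name__ == "__main__":
    # Pipe a real report in ("nmap -O -Pn -sV -oX - host | python3 this.py") or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    for h in summarise(text):
        print(h["addr"], "->", h["verdict"], "| response TTLs:", sorted(h["reason_ttl"]))
        for port, name, banner in h["ports"]:
            print(f"  {port}/tcp {name} {banner}")
```

When the top match falls below the threshold, or the reason_ttl values disagree with the initial TTL you would expect for the guessed OS, treat the verdict as a lead rather than a fact and confirm it with service banners or a passive tool.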

NetworkMiner
Website: []
Platform: GNU/Linux,Windows
NetworkMiner is a traffic analyser that its developers themselves classify as a Network Forensic Analysis Tool (NFAT). The tool uses a purely passive method of analysing a remote system: it only reads captured traffic and sends nothing itself, so it leaves no traces and lets the researcher stay unnoticed.
[Image: 01-2.png]
NetworkMiner interface is quite simple and straightforward
The utility can be downloaded from the site [], and the source code is available from the [developers page].
NetworkMiner lets you track established connections and analyse the packets transmitted over the network, extracting from them useful information about the hosts your computer is exchanging data with. The raw material for OS detection is the TTL, the frame size and the flags set in the packet headers. Individual frames can also be examined: on the Frames tab you will find the size of the frame, the IP addresses and ports of the sender and recipient, and other useful details. In addition, it parses daemon banners. All this information lets you reconstruct the structure of the network where the capture was taken, which is especially useful on wireless networks whose internals are unfamiliar to you.

The tool has one more gorgeous feature: it can extract files from traffic carried over FTP, TFTP, HTTP, HTTP/2, SMB, SMB2, SMTP, POP3 and IMAP. That is, it can recover a file sent by e-mail, over FTP, across the LAN or simply downloaded in the user's browser. NetworkMiner can also extract X.509 certificates from TLS handshakes (up to TLS 1.2 the server certificate is sent in the clear before the session is encrypted). Beauty, and more! In general, what we have is quite a powerful sniffer, capable of doing magic in skilful hands, and fingerprinting and OS detection is just one of its many possibilities.

p0f v3
Site: []
Platform: GNU/Linux,Windows,macOS
[Image: P0f.png]
This is not just a fairly well-known sniffer but a program that combines a whole set of mechanisms for analysing intercepted packets and fingerprinting them. Determining the type of OS on a remote host, even in cases where Nmap failed at the task, for example because of a firewall on the network, is declared by the developers as one of its main functions. In addition, p0f can tell whether there is NAT, a traffic shaper or a firewall in the path, estimate the distance to a given node in hops from the TTL, and calculate its uptime from TCP timestamps. At the same time the tool generates no requests or other suspicious traffic of its own, which in itself is an indisputable advantage if the researcher wants to remain unnoticed on the network. It can run against a live interface or an existing pcap file, and it fingerprints not only the client's SYN but also the server's SYN+ACK and HTTP request headers.

p0f v3 was rewritten by the developers from scratch, so its fingerprint database is not the most complete. According to the official site, the program lacks signatures for older operating systems like Windows 9x, IRIX and the like, but users can help the project by contributing the results of their own experiments with the program to the database.

NetScanTools
Website: []
Platform: Windows
The free utility NetScanTools Basic appeared in 2009 and has undergone only minor changes since. It cannot do a great deal: with its help you can get Whois data (and without it, probably, nothing), run traceroute (for those who are not comfortable with the command line), send DNS queries and ping remote hosts every which way, that is, with control over the ping parameters. Not much.

But the commercial Pro version boasts more features. It can work with various protocols, including ARP and SNMP, capture and analyse packets, obtain DNS records for specified IP addresses, search for open TCP and UDP ports on a remote host, determine the SMB versions it supports, and find devices on the network, including SMTP servers with open relays. In an Active Directory network NetScanTools can find all shared folders, even hidden ones. The software includes a TCP, UDP, ICMP, CDP and raw packet generator in which you can change various parameters, thanks to which NetScanTools easily and naturally turns into a flooder.
[Image: 01-3.png]
NetScanTools is an interesting tool with tons of features. Pity it's paid
Overall, NetScanTools Pro is a fairly interesting project that includes tools for both active and passive network research, but the $249 price tag bites a little, especially considering that the entirely free NetworkMiner and Nmap have almost the same set of basic functions. You can, however, download a 30-day trial version from the developer's site, which will help you decide whether it is worth paying for or whether free software will do.

Xprobe2
Site: []
Platform: GNU/Linux
A Linux utility that uses active fingerprinting. Unlike Nmap, whose OS probes are mostly TCP-based, Xprobe2 builds its tests mainly around ICMP and matches the replies against its signature database with fuzzy logic, so it still produces a ranked list of guesses when a firewall filters some of the probes or no signature matches exactly. One of its most interesting features is the ability to spot honeypots (decoy servers built specially to catch gullible hackers) and suspicious hosts with modified TCP/IP stack settings. In addition to determining the operating system of a remote host, the program can scan TCP and UDP ports. Unfortunately the latest version of the utility is dated 2014 and the project seems to have barely moved since.

Ettercap
Site: []
Platform: GNU/Linux
[Image: use-ettercap-intercept-passwords-with-ar...-w1456.jpg]
Ettercap is a sniffer well known in narrow circles and often used for attacks of the MITM kind. It runs on almost every Linux except OpenSUSE, as well as on UNIX/BSD platforms except Solaris. They say particularly powerful shamans ran Ettercap even on macOS, but there is no documentary confirmation of these rumours, because those who succeeded died bursting with pride.

Like other sniffers, this one can pull credentials out of Telnet, FTP, IMAP, SMB, LDAP and several other protocols, but from a man-in-the-middle position Ettercap can also get at traffic carried over HTTPS (by presenting its own certificate, which the victim's browser will warn about) and the obsolete SSH-1. Although the tool was created with MITM in mind, it can be used to identify remote operating systems by fingerprinting, alongside such routine procedures as determining the IP address, the open ports and services on the node under study, the adapter type and the MAC address of the network interface.

After installation and launch Ettercap begins to sniff traffic on the network and collects the results in host profiles, from which they can be pulled out for analysis. This analysis establishes, in particular, the IP address, host name and type, the estimated version of the OS running there, open ports and running services. An ample starter kit for any explorer.

Amap
The GitHub account at [] holds a rich archive of utilities and exploits that can be a great help for a pentester. All the software was assembled, long and painstakingly, by a team of like-minded malefactors called [], founded in 1995, which, judging by the activity on Twitter, is doing well to this day. The dudes offer many interesting projects, but we are mainly interested in the tools from the section []. Here, in particular, you can find the Amap scanner, which identifies services running on non-standard ports.

Some naive sysadmins sincerely hope to protect themselves from attack by moving, say, an FTP server, SSH or Telnet to some non-standard port instead of the usual one. It is with such cunning admins that Amap was designed to deal. Conventional scanners knock on the standard ports, analyse the responses they get, and give up if they do not match what is expected. Amap instead sends its protocol-specific triggers to every port in the range and checks the responses against its signature database. Thus a service on a port is identified by the characteristic features of its response, not by the port number.
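The idea Amap works on, identifying a service by what it says rather than by which port it listens on, is simple enough to show in a few dozen lines. The following is an added example (not code from the article and not Amap's own) with a small regex signature table, an identify function that ignores the port entirely, and a live banner-grabbing helper that waits for a greeting and then falls back to sending a trigger. The signature and trigger tables are illustrative assumptions; the responses in SAMPLE_RESPONSES are constructed, not captured.

```python
"""Amap-style service identification by response content rather than port number.
Added example, not from the article or from Amap itself. The signature and
trigger tables are small illustrative subsets (assumption); the sample
responses are constructed, not captured from a real host."""
import re
import socket
from typing import Dict, Optional, Tuple

# Triggers sent when a port does not speak first, in the order tried.
# Real Amap carries a much larger trigger/response database (assumption: this subset).
TRIGGERS = [b"", b"GET / HTTP/1.0\r\n\r\n"]

# (service, pattern); the first capture group, if any, is taken as the version string.
# Order matters: SMTP must be tested before the generic "220" FTP greeting.
SIGNATURES = [
    ("ssh",    re.compile(rb"^SSH-[\d.]+-(\S+)")),
    ("http",   re.compile(rb"^HTTP/[\d.]+ \d{3}(?:.*?\r\nServer: ([^\r\n]+))?", re.S)),
    ("smtp",   re.compile(rb"^220[ -]\S+ (E?SMTP[^\r\n]*)")),
    ("ftp",    re.compile(rb"^220[ -]([^\r\n]*)")),
    ("telnet", re.compile(rb"^\xff[\xfb-\xfe]")),   # IAC WILL/WONT/DO/DONT negotiation
]

def identify(response: bytes) -> Tuple[str, Optional[str]]:
    """Match a raw response against the signature table, ignoring which port it came from."""
    for service, pattern in SIGNATURES:
        m = pattern.match(response)
        if m:
            version = m.group(1).decode("latin-1").strip() if m.groups() and m.group(1) else None
            return service, version
    return "unknown", None

def classify_responses(responses: Dict[int, bytes]) -> Dict[int, Tuple[str, Optional[str]]]:
    """Identify every port from the bytes it answered with."""
    return {port: identify(data) for port, data in responses.items()}

def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Live helper: connect, wait for a greeting, then fall back to sending triggers."""
    for trigger in TRIGGERS:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                if trigger:
                    s.sendall(trigger)
                data = s.recv(1024)
        except OSError:
            continue
        if data:
            return data
    return b""

# Constructed responses (assumption) from a host whose admin moved everything off the default ports.
SAMPLE_RESPONSES = {
    2222: b"SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5\r\n",
    8021: b"220 ProFTPD 1.3.6 Server (Debian) [::ffff:10.0.0.9]\r\n",
    2525: b"220 mail.example.test ESMTP Postfix\r\n",
    8888: b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n",
    2323: b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27",
    4444: b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for port, (service, version) in sorted(classify_responses(SAMPLE_RESPONSES).items()):
        print(f"{port:>5}/tcp  {service:<8} {version or ''}")
```

For live use, call grab_banner for each open port from a port scan and pass the results to classify_responses. The same port-agnostic matching also exposes the opposite trick, a decoy that answers with a fake banner, which is why banner and TCP/IP-stack evidence should be compared rather than trusted separately.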

