Finding OS type

Ruckas

Senior member
Oct 29, 2002
I'm just curious if you can tell someone's OS once you have their IP address? I always assumed you would be able to do it using DOS. But until recently I had no need to find out the OS using an IP address... How would you go about it?


Thanks, Ruckas-
 

drag

Elite Member
Jul 4, 2002
Well normally you can't. You can run a port scan. This will reveal the services that are running on that computer. Lots of services are OS specific. Like if you have port 13 (used for daytime service) open then they are probably running a Unix or Linux OS. If they have NetBIOS stuff running then they are probably running Windows.

Also nicer port scanners run what's called "TCP fingerprinting" (I think that's what they are called). Different OSes run different TCP/IP stacks and these leave a variety of indicators in how the packets they produce are structured. As long as they stick to standards there is no problem with compatibility, but there still is room for creativity.

So using these differences you can figure out, to a sort-of level, what OS they are running. For instance one scan may say that it is using Linux 2.2.4-2.4.12 or maybe Win95/98/NT 4.0. So you can get a so-so indication.

Also if they are running an ftp server, a web server, an e-mail server or anything you can access using a telnet client, it will often just go and straight out tell you the OS and a bunch of other information.

Like this: http://forums.anandtech.com/adffasdfasdf

From that link to a default 404 page you can see that AnandTech is using a Microsoft server to run these forums. Of course, if I was running an Apache webserver I could take a copy of the MS 404 webpage and use that to hide the identity of my server. Lots of times people will replace these pages and ftp-style headers to hide information or simply to make it more pleasant or informational.

A good free software port scanner is nmap.

Be careful when using it. It is considered very rude to port scan people, as it is sometimes a prelude to a cracker attack. People keep track of logs and look for that sort of activity. If you make yourself a nuisance then they will probably e-mail your ISP. Lots of times this sort of thing would violate your user agreements and get you kicked off your ISP.

Also it can be considered "hacker" behavior and is legally frowned upon. Which is silly because every time you connect to a server you are doing a port scan. Of course the difference is that you're only accessing 1 port instead of a few hundred key ports at a time.

So use common sense. It's like sneaking a peek through someone's living room window.
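The post above points out that a server's default error page and headers often announce the product behind it, and that administrators replace them to hide that. The script below is an added example (not code from the thread or from nmap) for checking what a web server you administer discloses: it parses a raw HTTP response, pulls out the headers that typically carry product names, and flags whether a version number is present. The two sample responses are constructed, not captured from any real host, and the `grab_banner` helper is an assumed convenience for pointing the check at your own server.

```python
import re
import socket

# Constructed sample responses (not captured from any real server): one whose
# default 404 page names product and version, one with those headers removed.
DISCLOSING_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
MINIMAL_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Response headers that commonly carry a product or platform name.
REVEALING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_banner(raw: bytes) -> dict:
    """Split a raw HTTP response into status line and headers, then report
    which revealing headers are present and whether any of them carries a
    version string (digits following a slash)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    disclosed = {h: headers[h] for h in REVEALING_HEADERS if h in headers}
    version_present = any(re.search(r"/\d", v) for v in disclosed.values())
    return {"status": status, "disclosed": disclosed, "version_present": version_present}


def grab_banner(host: str, port: int = 80, path: str = "/does-not-exist",
                timeout: float = 5.0) -> bytes:
    """Request a non-existent path on a host you administer and return the raw
    response, so its default 404 page and headers can be fed to parse_banner.
    (Assumed helper; it is not executed by the sample run below.)"""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, raw in (("disclosing", DISCLOSING_RESPONSE), ("minimal", MINIMAL_RESPONSE)):
        print(label, parse_banner(raw))
```

Run against your own server, an empty `disclosed` dictionary is the goal; a populated one tells you which headers the server software still emits by default and therefore which settings to change.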
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag
Well normally you can't. You can run a port scan. This will reveal the services that are running on that computer. Lots of services are OS specific. Like if you have port 13 (used for daytime service) open then they are probably running a Unix or Linux OS. If they have NetBIOS stuff running then they are probably running Windows.

Also nicer port scanners run what's called "TCP fingerprinting" (I think that's what they are called). Different OSes run different TCP/IP stacks and these leave a variety of indicators in how the packets they produce are structured. As long as they stick to standards there is no problem with compatibility, but there still is room for creativity.

So using these differences you can figure out, to a sort-of level, what OS they are running. For instance one scan may say that it is using Linux 2.2.4-2.4.12 or maybe Win95/98/NT 4.0. So you can get a so-so indication.

Also if they are running an ftp server, a web server, an e-mail server or anything you can access using a telnet client, it will often just go and straight out tell you the OS and a bunch of other information.

Like this: http://forums.anandtech.com/adffasdfasdf

From that link to a default 404 page you can see that AnandTech is using a Microsoft server to run these forums. Of course, if I was running an Apache webserver I could take a copy of the MS 404 webpage and use that to hide the identity of my server. Lots of times people will replace these pages and ftp-style headers to hide information or simply to make it more pleasant or informational.

A good free software port scanner is nmap.

Be careful when using it. It is considered very rude to port scan people, as it is sometimes a prelude to a cracker attack. People keep track of logs and look for that sort of activity. If you make yourself a nuisance then they will probably e-mail your ISP. Lots of times this sort of thing would violate your user agreements and get you kicked off your ISP.

Also it can be considered "hacker" behavior and is legally frowned upon. Which is silly because every time you connect to a server you are doing a port scan. Of course the difference is that you're only accessing 1 port instead of a few hundred key ports at a time.

So use common sense. It's like sneaking a peek through someone's living room window.

People pay attention to port scans?
 

drag

Elite Member
Jul 4, 2002
Originally posted by: n0cmonkey

People pay attention to port scans?

Sure. Firewalls can be set up to detect port scans. Repeated scans over and over again can cause them to alert.

Most firewalls can detect normal scans, most can't detect stuff like nmap's stealth scanning, but some can. I doubt there are many people that sit there and detect things normally, but plenty of firewalls can be configured to record alerts about stuff like that.

Annoy them enough and they'd probably fire off an e-mail to the originating ISP.

Also it is sometimes a nice thing to do, if you can trace the originator of the port scan and figure out if it is a zombie machine or not. I've done that a couple times when I got bored. Looked through my firewall logs and scanned some of the people that scanned me. If it looks like there was a trojan installed on it, then I'd send out an e-mail to the abuse/admin type person as indicated in the whois look-ups. If I was an admin for a network I'd probably be a bit more pro-active about it, but right now it is just more of an occasional amusement. If one of my computers was hacked and was annoying people, I'd like to know about it.

I figure 95% of admins would be too lazy to double check things, but they should. Repeated port scanning can indicate that someone is purposely probing your network for vulnerabilities, so it would probably be a good idea to block them. Of course they could just be curious to find out what services you're offering to the internet; it is entertaining to visit places that aren't advertised on the web.
 

BlackOmen

Senior member
Aug 23, 2001
nmap does very good OS detection. Unfortunately, as drag points out, it is rude to port scan someone. That said, I've port scanned my dad's XP box running Zone Alarm and I've never seen anything logged later on.

Also pointed out by drag, it will most likely be against your ISP's terms of service if you port scan someone, so it would be best if you asked permission first. While you're at it, you can ask them what OS they're running.............
 

Ruckas

Senior member
Oct 29, 2002
Yeah, I'm not trying to be l33t. I just want to impress someone that might give me a job.. Heh...

So when you say "port scan," does that mean ping 'IP' in DOS? I'm using a Windows ME box and a Windows 2000 box.. Could you elaborate on port scanning? Thanks...

 

Haden

Senior member
Nov 21, 2001
First, you are mixing up DOS and the Windows CLI; there is no legacy DOS in Win2k at all. In fact DOS never was supposed to be a network OS, and doesn't come with net support by default.
Port scan generally means you try to initiate a connection to various ports; if there is "something" listening on some port, one can try to investigate it further.

 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Ruckas
Yeah, I'm not trying to be l33t. I just want to impress someone that might give me a job.. Heh...

So when you say "port scan," does that mean ping 'IP' in DOS? I'm using a Windows ME box and a Windows 2000 box.. Could you elaborate on port scanning? Thanks...

Look for the NT/2k port of nmap. Read the docs. Try it against your other machine. Post specific questions then. :)

nmap is located at insecure.org/nmap. I think.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag
Originally posted by: n0cmonkey

People pay attention to port scans?

Sure. Firewalls can be set up to detect port scans. Repeated scans over and over again can cause them to alert.

Most firewalls can detect normal scans, most can't detect stuff like nmap's stealth scanning, but some can. I doubt there are many people that sit there and detect things normally, but plenty of firewalls can be configured to record alerts about stuff like that.

Annoy them enough and they'd probably fire off an e-mail to the originating ISP.

Also it is sometimes a nice thing to do, if you can trace the originator of the port scan and figure out if it is a zombie machine or not. I've done that a couple times when I got bored. Looked through my firewall logs and scanned some of the people that scanned me. If it looks like there was a trojan installed on it, then I'd send out an e-mail to the abuse/admin type person as indicated in the whois look-ups. If I was an admin for a network I'd probably be a bit more pro-active about it, but right now it is just more of an occasional amusement. If one of my computers was hacked and was annoying people, I'd like to know about it.

I figure 95% of admins would be too lazy to double check things, but they should. Repeated port scanning can indicate that someone is purposely probing your network for vulnerabilities, so it would probably be a good idea to block them. Of course they could just be curious to find out what services you're offering to the internet; it is entertaining to visit places that aren't advertised on the web.

I think this borders on a religious war. I definitely see your points, but (you knew this word would appear here, didn't you? ;)) there is too much scanning on the internet to warrant paying attention to it. By scanning, I mean nmap style scanning, not vulnerability scanning (I don't know about you, but I consider them very separate things). Having watched IDS and firewall systems for major networks out there, I came to the conclusion that port scanning alarms are too tricky to bother with. If you set the threshold too high, you miss everything. If you set it too low, you receive false alarms by the truck load.

Yes, port scans are the typical first wave of an attack, but not always. I admit, I've been overly curious of systems I don't own in the past (my recent firewall policy should make nmap useless from the inside :D). That does not mean I am going to attack anyone. One of my favorite things to do when I am really bored is to nmap for http or ftp servers in my, or adjacent, netblocks. I've stumbled onto some worthwhile porn using this technique. But responding to every port scan would consume more time than it is worth.

And what is the point of reporting some but not others? I think this is basically an all or nothing type of situation. And most security analysts don't have the time to pick through every port scan.

I guess if you archived port scans for a short period of time (a month at most?), but did not show them on any real time (heh) IDS/Firewall display, they could be helpful for forensics type work. Over all, I think port scans can be ignored, but I definitely look forward to reading other opinions on the issue.

*Do my recent posts seem slightly out of character to anyone else? :p
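The threshold trade-off described in the post above (too high misses everything, too low drowns you in false alarms) is easy to see on a small log. The following is an added example, not code from the thread or from any firewall product: it parses constructed firewall drop records, counts the distinct destination ports each source touched within a sliding time window, and flags sources that exceed a threshold. The log format, the addresses and the timestamps are all made up for the example; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (not from any real system). 10.0.0.5 sweeps twelve
# ports in four seconds, 10.0.0.9 touches three ports over ten minutes, and
# 10.0.0.7 is a single dropped connection attempt.
SAMPLE_LOG = """\
2003-12-08 14:39:01 DROP 10.0.0.5 -> 192.168.1.10:21 TCP
2003-12-08 14:39:01 DROP 10.0.0.5 -> 192.168.1.10:22 TCP
2003-12-08 14:39:01 DROP 10.0.0.5 -> 192.168.1.10:23 TCP
2003-12-08 14:39:02 DROP 10.0.0.5 -> 192.168.1.10:25 TCP
2003-12-08 14:39:02 DROP 10.0.0.5 -> 192.168.1.10:80 TCP
2003-12-08 14:39:02 DROP 10.0.0.5 -> 192.168.1.10:110 TCP
2003-12-08 14:39:03 DROP 10.0.0.5 -> 192.168.1.10:135 TCP
2003-12-08 14:39:03 DROP 10.0.0.5 -> 192.168.1.10:139 TCP
2003-12-08 14:39:03 DROP 10.0.0.5 -> 192.168.1.10:443 TCP
2003-12-08 14:39:04 DROP 10.0.0.5 -> 192.168.1.10:445 TCP
2003-12-08 14:39:04 DROP 10.0.0.5 -> 192.168.1.10:1241 TCP
2003-12-08 14:39:04 DROP 10.0.0.5 -> 192.168.1.10:6000 TCP
2003-12-08 14:40:10 DROP 10.0.0.9 -> 192.168.1.10:445 TCP
2003-12-08 14:41:15 DROP 10.0.0.9 -> 192.168.1.10:135 TCP
2003-12-08 14:50:00 DROP 10.0.0.9 -> 192.168.1.10:139 TCP
2003-12-08 15:20:00 DROP 10.0.0.7 -> 192.168.1.10:22 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DROP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) TCP$"
)


def parse_log(text):
    """Return (timestamp, source, destination port) for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], int(m["port"])))
    return events


def detect_scans(events, min_ports, window_seconds):
    """Flag sources that hit at least min_ports distinct destination ports
    within some window of window_seconds. Returns {source: distinct ports
    seen in that source's densest window}."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({p for _, p in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= min_ports:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("strict  (10 ports / 60 s):", detect_scans(events, 10, 60))
    print("loose   (3 ports / 15 min):", detect_scans(events, 3, 900))
    print("too high (20 ports / 60 s):", detect_scans(events, 20, 60))
```

With 10 ports in 60 seconds only the fast sweep from 10.0.0.5 is reported; loosening to 3 ports in 15 minutes also catches the slow probe from 10.0.0.9, but in real traffic that setting would also flag any client that legitimately talks to a few services on one host; and 20 ports in 60 seconds reports nothing at all, which is the "set it too high and miss everything" case.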
 

drag

Elite Member
Jul 4, 2002
Oh sure, you're exactly right. Nobody will care about a couple port scans, but after 20-30 scans from the same person it might start to annoy some people. :p
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag
Oh sure, you're exactly right. Nobody will care about a couple port scans, but after 20-30 scans from the same person it might start to annoy some people. :p

To me that means automated scans, and nothing I can legally do will stop them :p
 

Ruckas

Senior member
Oct 29, 2002
I get the sense you guys are avoiding the question. Or simply don't know... On the other hand, I could be totally wrong and I just made a complete ass of myself...

Using DOS, can I 'port scan' my other computer that's on my network, and be able to figure out what OS it's using?!

Perhaps by a read out in DOS or something? I guess when you say "have more specific questions" you assume I know more than I do. :(

Thanks, anyways...

Ruckas-
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Ruckas
I get the sense you guys are avoiding the question. Or simply don't know... On the other hand, I could be totally wrong and I just made a complete ass of myself...

Using DOS, can I 'port scan' my other computer that's on my network, and be able to figure out what OS it's using?!

Perhaps by a read out in DOS or something? I guess when you say "have more specific questions" you assume I know more than I do. :(

Thanks, anyways...

Ruckas-

I am not aware of any native DOS programs that can determine the OS of a system. Using some Windows programs on the other hand (they may exist in later versions of DOS, I don't know, I stopped using DOS when Win2k came out) you may be able to. Look at the net command. It may be able to determine the OS (or maybe some of the netbios programs, nbname? Or something).
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: Ruckas
I get the sense you guys are avoiding the question. Or simply don't know... On the other hand, I could be totally wrong and I just made a complete ass of myself...

Using DOS, can I 'port scan' my other computer that's on my network, and be able to figure out what OS it's using?!

Perhaps by a read out in DOS or something? I guess when you say "have more specific questions" you assume I know more than I do. :(

Thanks, anyways...

Ruckas-

The answer is already in this thread.

Use nmap; you can scan an entire netblock (say every address on 192.168.0.x) with it, and determine, with pretty good accuracy, what OS they're running.

Scanning my own box gives me this:
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-08 14:39 CET
Host litovel (x.x.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against litovel (x.x.x.x) at 14:39
Adding open port 6000/tcp
Adding open port 21/tcp
Adding open port 22/tcp
Adding open port 1241/tcp
The SYN Stealth Scan took 1 second to scan 1657 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on litovel (x.x.x.x):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
1241/tcp open nessus
6000/tcp open X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20, Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=2CCAD1%IPID=Z)
T1(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=random positive increments
Difficulty=2935505 (Good luck!)
TCP ISN Seq. Numbers: 14972658 14BF8D59 148F182F 150B884A 1497535C 14A131F7
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 5.865 seconds

And in DOS (which is not the same as the WinXP/2K command prompt) you can't do this natively, except by making some assumptions about banners and such that various servers respond with.
Download nmap and be a happy camper.
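When you scan your own machines the way the post above does, the useful output is the list of listening services and the OS guess, and the guess is only as good as the open/closed port pair nmap says it assumed. The script below is an added example, not part of the thread and not nmap's own code: it parses the text output format shown above into a per-host record (open ports, device type, "Running" and "OS details" lines, and the OSScan basis line), and reports whether the guess narrowed to a single alternative. The embedded output is constructed after the listing in the post, with the address masked the same way; the function names are this example's own.

```python
import re

# Constructed nmap 3.45-style output, modelled on the listing in the thread
# (not a real capture; the address is masked as the poster masked it).
SAMPLE_OUTPUT = """\
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2003-12-08 14:39 CET
Host litovel (x.x.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against litovel (x.x.x.x) at 14:39
The SYN Stealth Scan took 1 second to scan 1657 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on litovel (x.x.x.x):
(The 1653 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
1241/tcp open nessus
6000/tcp open X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20, Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
Nmap run completed -- 1 IP address (1 host up) scanned in 5.865 seconds
"""

HOST_RE = re.compile(r"^Interesting ports on (?P<name>\S+) \((?P<addr>[^)]+)\):")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
FIELD_RE = re.compile(r"^(Device type|Running|OS details): (.*)$")
OSSCAN_RE = re.compile(r"^For OSScan assuming that port (\d+) is open and port (\d+) is closed")


def parse_nmap_text(text):
    """Turn nmap's human-readable output into a list of host dictionaries."""
    hosts = []
    current = None
    pending_basis = None  # the OSScan line is printed before the host block
    for line in text.splitlines():
        m = OSSCAN_RE.match(line)
        if m:
            pending_basis = (int(m.group(1)), int(m.group(2)))
            continue
        m = HOST_RE.match(line)
        if m:
            current = {"name": m["name"], "addr": m["addr"], "ports": [],
                       "os": {}, "osscan_basis": pending_basis}
            pending_basis = None
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({"port": int(m["port"]), "proto": m["proto"],
                                     "state": m["state"], "service": m["service"]})
            continue
        m = FIELD_RE.match(line)
        if m:
            current["os"][m.group(1)] = m.group(2)
    return hosts


def open_ports(host):
    """Sorted list of port numbers reported as open."""
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open")


def os_guess_is_specific(host):
    """nmap separates alternative matches with '|'; treat the guess as
    specific only when a single alternative is listed."""
    running = host["os"].get("Running", "")
    return bool(running) and "|" not in running


def basis_consistent(host):
    """True when the open port nmap used for the fingerprint really is in the
    open list; if it is not, the OS guess rests on a shaky assumption."""
    basis = host["osscan_basis"]
    return basis is not None and basis[0] in open_ports(host)


if __name__ == "__main__":
    for h in parse_nmap_text(SAMPLE_OUTPUT):
        print(h["name"], h["addr"], "open:", open_ports(h))
        print("  running:", h["os"].get("Running"), "specific:", os_guess_is_specific(h),
              "basis ok:", basis_consistent(h))
```

For the sample, the inventory is ports 21, 22, 1241 and 6000, the guess is two kernel families rather than one, and the fingerprint basis (port 21 open, port 1 closed) agrees with the port table, which is what you want to see before trusting the guess.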