
Detecting Other OS Fingerprinting Tools

Chapter 3: Countermeasures

3.1 OS Fingerprinting Tools Detection

3.1.2 Detecting Other OS Fingerprinting Tools

further packets received from that system.

[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.0.0.6. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.0.0.6. Module test failed
[-] No distance calculation. 10.0.0.6 appears to be dead or no ports known
[+] Host: 10.0.0.6 is up (Guess probability: 50%)
[+] Target: 10.0.0.6 is alive. Round-Trip Time: 0.00024 sec
[+] Selected safe Round-Trip Time value is: 0.00049 sec
[-] icmp_port_unreach::build_DNS_reply(): gethostbyname() failed! Using static ip for www.securityfocus.com in UDP probe
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 10.0.0.6 Running OS: "Foundry Networks IronWare Version 03.0.01eTc1" (Guess probability: 100%)
[+] Other guesses:
[+] Host 10.0.0.6 Running OS: "Linux Kernel 2.4.21" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Linux Kernel 2.4.22" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Foundry Networks IronWare Version 07.5.04T53" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Foundry Networks IronWare Version 07.5.05KT53" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Foundry Networks IronWare 07.6.01BT51" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Foundry Networks IronWare 07.6.04aT51" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Foundry Networks IronWare 07.7.01eT53" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Linux Kernel 2.4.23" (Guess probability: 91%)
[+] Host 10.0.0.6 Running OS: "Linux Kernel 2.4.24" (Guess probability: 91%)

From the above results it is seen that Xprobe2 was not affected by the installation of the OSF module on the target system. This was expected, as Xprobe2 derives its results mainly from the ICMP messages the target returns.

QueSo was tested and it gave the following output:

linux:/# queso 10.0.0.6:22

10.0.0.6:22 * Standard Solaris 2.x, Linux 2.2.??? 2.4.???, MacOS

This output appeared even when OSF was not loaded. QueSo was not able to determine the exact OS running on the target system.

It was then decided that SAINT (Security Administrator's Integrated Network Tool, found at www.wwdsi.com/saint) should be used to determine how secure the target is. The following output was seen when OSF was not loaded:

linux:/# saint 10.0.0.6

> bin/udp_scan: are we talking to a dead host or network?

>

10.0.0.6:

Services:

auth SSH

The OSF module was then loaded, and the following output was observed from SAINT:

linux:/# saint 10.0.0.6

> > bin/udp_scan: are we talking to a dead host or network?

As seen above, when OSF was loaded, SAINT was not able to detect even open ports from the target.

Strobe (http://linux.maruhn.com/sec/strobe.html) was also tested. Strobe was not able to detect any open ports on the target system when a general port scanning test was performed. The target system's /var/log/messages file gave the following:

Jul 13 11:53:02 linux-g5ii sshd[12819]: Did not receive identification string from 10.0.0.5

The following output was given when Strobe scanned port 22 (SSH) specifically.

linux:/# strobe 10.0.0.6:22

strobe 1.05 © 1995 – 1999 Julian Assange <[email protected]>

attempting port=22 host=10.0.0.6

10.0.0.6 22 ssh #SSH Remote Login Protocol -> SSH-1.99-OpenSSH-4.2\n

The file /var/log/messages showed the following:

Jul 13 11:48:07 linux-g5ii sshd[11989]: Did not receive identification string from 10.0.0.5

This shows that Strobe is not as good as Nmap at general port scanning when the open ports are not known in advance. Strobe was, however, able to identify that port 22 was open and the service that was running on it.
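The sshd log line quoted above is itself a usable detection signal: a client that opens a TCP connection to port 22 and drops it without sending an SSH identification banner is behaving like a port scanner or banner grabber rather than an SSH client. The following Python script is an added example, not part of the original text or of any of the tools discussed; it parses constructed /var/log/messages lines modelled on the ones shown and counts such events per source address.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the /var/log/messages entries quoted above.
SAMPLE_LOG = """\
Jul 13 11:48:07 linux-g5ii sshd[11989]: Did not receive identification string from 10.0.0.5
Jul 13 11:48:09 linux-g5ii sshd[11990]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2
Jul 13 11:53:02 linux-g5ii sshd[12819]: Did not receive identification string from 10.0.0.5
Jul 13 11:53:03 linux-g5ii sshd[12820]: Did not receive identification string from 10.0.0.5
Jul 13 11:55:10 linux-g5ii kernel: eth0: link up
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w\-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH logs this when the peer closes the socket before sending its banner.
NO_IDENT_RE = re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)")


def parse_syslog_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def no_ident_events(text):
    """Yield (timestamp, source_ip) for every sshd 'no identification string' event."""
    for line in text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None or rec["prog"] != "sshd":
            continue
        m = NO_IDENT_RE.search(rec["msg"])
        if m:
            yield rec["ts"], m.group("ip")


def suspected_scanners(text, threshold=2):
    """Return {ip: count} for sources that connected to sshd without ever sending
    an SSH banner at least `threshold` times; repeated bannerless connects are
    typical of port scanners and service probes."""
    counts = Counter(ip for _, ip in no_ident_events(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspected_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} bannerless connections to sshd")
```

The same line is also produced by TCP health checks from load balancers and uptime monitors, so in production the known monitoring addresses should be excluded before the threshold is applied, and the count should be taken over a sliding time window rather than the whole file.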

McClure et al. highly recommend NetworkActiv Port Scanner, a Microsoft Windows based port scanner and OS fingerprinter. This OS fingerprinting tool uses the same principle as Xprobe2, in that ICMP packets are sent to the target. With the target allowing ICMP messages, NetworkActiv Port Scanner reported the following OS running on the target:

Primary guess(es) with 100% Match:

MacOSX
Linux kernel 2.0.29
Linux kernel 2.2.10
Linux kernel 2.2.14-20000612
Linux kernel 2.2.16C32III
Linux kernel 2.2.19-3cl
Linux kernel 2.2.20
Linux kernel 2.4.2-2
Linux kernel 2.4.7-10
Linux kernel 2.4.9-6
Linux kernel 2.4.18
Linux kernel 2.4.18-3
GNU/Linux 2.1
GNU/Linux 3.0
SunOS 5.6
SunOS 5.8
Solaris 8
pSOSystem
AIX
FreeBSD
FreeBSD/i386
HP JetDirect

Secondary guess(es) with 0% Match:

Unknown

All ICMP messages were then rejected, and NetworkActiv Port Scanner reported the following OS on the target:

Primary guess(es) with 100% Match:

MacOSX
Linux kernel 2.0.29
Linux kernel 2.2.10
Linux kernel 2.2.14-20000612
Linux kernel 2.2.16C32III
Linux kernel 2.2.19-3cl
Linux kernel 2.2.20
Linux kernel 2.4.7-10
Linux kernel 2.4.9-6
Linux kernel 2.4.18
Linux kernel 2.4.18-3
GNU/Linux 2.1
GNU/Linux 3.0
Solaris 8
FreeBSD
FreeBSD/i386
HP JetDirect

Secondary guess(es) with 66% Match:

Windows ME - on Ethernet
Windows 2000 Professional - Stock/SP1/SP2
Windows 2000 Professional - Stock/SP1/SP2 on Ethernet
Windows 2000 Professional - SP3 on Ethernet
Windows 2000 Professional - SP3
Windows XP Home Edition - on Ethernet
Windows XP Professional - on Ethernet
Windows XP Professional
Linux kernel 2.4.2-2
Solaris
pSOSystem
Netopia R5200-K v4.3.8
Cisco 3620 WAN Router
Cisco 6509/7200 Router
Cisco GSR 12016

The above output indicates that NetworkActiv Port Scanner is not as specific as Nmap and was not able to pinpoint the OS running on the target.

This again indicates that Nmap is a better OS fingerprinting tool. The tests above show that OSF blocks packets from Nmap but not from the other OS scanning tools. OSF also has the advantage that, should a new OS fingerprinting tool become available, its fingerprint can be added to OSF's database.

The attacker might realise that he is being countered when a port scan of the system with Nmap reports that all ports are closed, especially when, for example, he is able to connect to a web server at the same IP address with a web browser. This is a disadvantage of the current version of the OSF module, and it will result in a cycle of improvements by the developers of the OSF module and of Nmap.

The only way Nmap can still OS-fingerprint the system is when the data length of its packets is changed. This is a weakness of the OSF module. To counteract this vulnerability, the OSF module should analyse more TCP/IP header fields than the few it currently inspects.
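To illustrate the point about analysing more header fields, the following Python program is an added example; it is not OSF's code, and the signature values and probes in it are constructed for illustration rather than taken from Nmap or from the OSF database. It compares a matcher that keys a scanner-probe signature on only two fields, one of them the data length, with a matcher that keys the same probe on its TCP flags, window, DF bit, option layout and initial-TTL class. The same probe with only its data length changed is missed by the narrow matcher but still recognised by the wide one, while an ordinary client SYN matches neither, which is the false-positive check a defender wants before blocking on a signature.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Probe:
    """Header fields pulled from one inbound TCP segment. All values used below
    are constructed for illustration, not captured from Nmap or any other tool."""
    ttl: int
    window: int
    df: bool
    flags: str                  # TCP flag letters in tcpdump style, e.g. "S"
    options: Tuple[str, ...]    # option kinds in wire order
    mss: int
    payload_len: int            # bytes of data carried by the segment

    @property
    def initial_ttl(self) -> int:
        """Round the observed TTL up to the nearest common initial value so a
        signature does not depend on how many hops away the sender is."""
        for base in (32, 64, 128, 255):
            if self.ttl <= base:
                return base
        return 255


@dataclass
class Signature:
    name: str
    fields: Dict[str, object]   # Probe attribute -> value it must have


def matches(sig: Signature, probe: Probe) -> bool:
    """A signature matches when every field it names has the required value."""
    return all(getattr(probe, name) == value for name, value in sig.fields.items())


def classify(probe: Probe, db: List[Signature]) -> List[str]:
    """Names of every signature in `db` that the probe satisfies."""
    return [sig.name for sig in db if matches(sig, probe)]


# Hypothetical scanner probe: tiny window and an option layout no normal stack uses.
SCAN_OPTS = ("MSS", "NOP", "WS", "NOP", "NOP", "TS", "SACK")
BASELINE_PROBE = Probe(ttl=61, window=1, df=False, flags="S",
                       options=SCAN_OPTS, mss=1460, payload_len=0)
# The same probe with nothing but its data length changed.
LENGTH_VARIANT = replace(BASELINE_PROBE, payload_len=4)
# An ordinary client SYN, which must not match either database.
CLIENT_SYN = Probe(ttl=61, window=65535, df=True, flags="S",
                   options=("MSS", "SACK", "TS", "NOP", "WS"), mss=1460, payload_len=0)

# Narrow signature: two fields, one of them the data length.
NARROW_DB = [Signature("scan-probe (narrow: window + data length)",
                       {"window": 1, "payload_len": 0})]
# Wide signature: same probe keyed on fields the sender cannot vary
# without changing how the probe elicits its responses.
WIDE_DB = [Signature("scan-probe (wide: flags, window, DF, options, TTL class)",
                     {"flags": "S", "window": 1, "df": False,
                      "options": SCAN_OPTS, "initial_ttl": 64})]


def evaluate(db: List[Signature]) -> Dict[str, List[str]]:
    """Run the three constructed segments through one signature database."""
    return {"baseline": classify(BASELINE_PROBE, db),
            "length_variant": classify(LENGTH_VARIANT, db),
            "client": classify(CLIENT_SYN, db)}


if __name__ == "__main__":
    for label, db in (("narrow", NARROW_DB), ("wide", WIDE_DB)):
        print(label, evaluate(db))
```

The wide signature deliberately leaves the data length out: a match built from the option layout, window and flags identifies the probe by properties that determine what the target's stack will answer, so it keeps matching when only the payload size differs, and the client SYN still fails on its window and option order.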