Identifying a remote operating system through its TCP/IP stack

xiaoxiao, 2021-03-06

Correctly identifying the operating system running on a remote host matters in network security, for defenders and attackers alike, and the host's TCP/IP stack offers a way to do it that is hard to disguise.

Traditional techniques

The traditional way of determining the operating system is simply to log in to the host and read what it announces. For example:

MyHost ~> telnet hpux.server1.net
Trying 123.123.123.123 ...
Connected to hpux.server1.net.
Escape character is '^]'.

HP-UX hpux B.10.01 A 9000/715 (ttyp2)

login:

From this telnet login attempt we can easily determine that this is an HP 9000 series server running HP-UX 10.01. Once an attacker knows that, finding published vulnerabilities for that server model and operating system version on the Internet is not difficult. Many experienced administrators have recognized how serious this is and have changed the login banner by editing /etc/issue and /etc/issue.net. This at least confuses most attackers: even the well-known ISS Internet Scanner cannot easily tell what the operating system is from a modified banner.

Even so, it still cannot prevent others from learning the operating system type by other means. Other services that run normally on the server, such as an FTP server or a web server, will expose the system's identity.

Let's look at the examples below:

1. Using the FTP server to get the system type

MyHost ~> telnet ftp.target.com 21
Trying 123.123.123.123 ...
Connected to ftp.target.com.
Escape character is '^]'.
220 ftp1 FTP server (UNIX(r) System V Release 4.0) ready.
syst
215 UNIX Type: L8 Version: SUNOS

So although we got nothing from the telnet port of this system, the FTP port was generous. The FTP server's greeting first tells the visitor that the system is UNIX, and then its reply to the syst command (a completely legal FTP command) gives even more detail. We do not intend to discuss attacks here, but this much information is enough for an experienced attacker to plan a successful intrusion.

2. Using the web server to get information

MyHost ~> echo 'GET / HTTP/1.0\n' | nc target.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
MyHost ~>

Yes, the web server once again frankly announces who it is!

There are also some less reliable ways of using host information: querying DNS records and domain registration data, social engineering, or querying SNMP on hosts that still answer the default public community.
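The FTP and web banner grabs above, done with plain sockets instead of telnet and nc, as an added example that is not part of the original article. The fake FTP and HTTP responders and the banner text they return are constructed so the demo runs offline against 127.0.0.1; against a real target you would call ftp_fingerprint and http_server_header with its host name and port.

```python
"""Banner grabbing over plain TCP sockets, as in the telnet and nc sessions above.

Added example, not code from the original article.  The fake FTP and HTTP
responders are constructed so the demo runs offline; the banner text they
return mimics the sessions shown in the article.
"""
import re
import socket
import threading

# Constructed replies, modelled on the article's sessions.
FTP_GREETING = b"220 ftp1 FTP server (UNIX(r) System V Release 4.0) ready.\r\n"
FTP_SYST_REPLY = b"215 UNIX Type: L8 Version: SUNOS\r\n"
HTTP_REPLY = (b"HTTP/1.0 200 OK\r\n"
              b"Server: Microsoft-IIS/4.0\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b"<html></html>")


def start_fake_service(handler):
    """Listen on an ephemeral loopback port, answer one connection with handler, return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def serve_once():
        conn, _ = listener.accept()
        with conn:
            handler(conn)
        listener.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return listener.getsockname()[1]


def fake_ftp(conn):
    """Minimal FTP responder: greeting, then answer SYST like the article's server."""
    conn.sendall(FTP_GREETING)
    if conn.recv(64).upper().startswith(b"SYST"):
        conn.sendall(FTP_SYST_REPLY)


def fake_http(conn):
    """Minimal HTTP responder that advertises a Server header."""
    conn.recv(1024)
    conn.sendall(HTTP_REPLY)


def ftp_fingerprint(host, port, timeout=3.0):
    """Read the 220 greeting, send the (legal) SYST command, return both reply lines."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        greeting = f.readline().decode("latin-1").rstrip("\r\n")
        s.sendall(b"SYST\r\n")
        syst = f.readline().decode("latin-1").rstrip("\r\n")
    return greeting, syst


def http_server_header(host, port, timeout=3.0):
    """Send a bare HTTP/1.0 request and return the value of the Server header, or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    m = re.search(r"^Server:[ \t]*(.+?)[ \t]*\r?$", head, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def demo():
    """Run both grabs against the constructed local services."""
    ftp_port = start_fake_service(fake_ftp)
    greeting, syst = ftp_fingerprint("127.0.0.1", ftp_port)
    http_port = start_fake_service(fake_http)
    server = http_server_header("127.0.0.1", http_port)
    return {"ftp_greeting": greeting, "ftp_syst": syst, "http_server": server}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the SYST step is that it is a normal, protocol-conformant command, so nothing in the server's logs distinguishes it from a legitimate client; the only defence is not to put the OS name in the reply.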

Current technique: TCP/IP stack fingerprinting

We have seen that what a host reveals when we try to log in can be useful, but its authenticity and correctness cannot be guaranteed, because banners are easy to change. So some people turned to the behaviour of the operating system's own TCP/IP stack as a kind of "fingerprint" to determine the system's real identity. The accuracy is quite high, because even a sophisticated administrator is unlikely to modify the parameters of the network stack at the bottom of the system. There are now many tools that use this technique; the best known are nmap, checkos and queso. With it one can tell Solaris 2.6, Solaris 2.5-2.51 and Solaris 2.4 apart, or distinguish between minor versions of the Linux kernel. The main tests are the following:

The FIN probe: send a FIN packet (or any packet without the ACK or SYN flag set) to an open port on the target and wait for a response. Many systems, including MS Windows, BSDI, Cisco, HP-UX, MVS and IRIX, reply with a RST.

The BOGUS flag probe: send a SYN packet whose TCP header has an undefined flag bit set. Linux systems keep the undefined bit set in their reply, while some other systems reset the connection when they receive the SYN+BOGUS packet. These differences separate some operating systems.

TCP ISN sampling: look for a pattern in how the operating system chooses initial sequence numbers. Many systems can be classified this way; earlier UNIX systems use 64K increments, while some newer UNIX systems (Solaris, IRIX, FreeBSD, Digital UNIX, Cray and others) use random increments.

The Don't Fragment bit: many operating systems set this bit in the packets they send, and whether they do helps determine the operating system type.

The TCP initial window: simply check the window size carried in the reply packet. This test relies only on the different initial window sizes each operating system uses.
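The five tests above as a worked example, added here and not code from nmap, queso or checkos. It builds constructed IPv4/TCP response packets, extracts the features each test inspects (RST on a FIN, echo of the undefined flag, ISN increment pattern, DF bit, window size), and matches them against a small illustrative fingerprint table that contains only the behaviours the article states. The packet builder, the ISN class names and the table are assumptions for illustration; a real tool sends the probes on the wire and carries a far larger database.

```python
"""Classifying TCP/IP stack responses in the style of the five tests above.

Added example, not code from nmap, queso or checkos.  The packets are
constructed IPv4/TCP headers (no payload, zero checksums), and the
fingerprint table is illustrative, built only from what the article says.
"""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
BOGUS_FLAG = 0x40   # bit 6 of the TCP flags byte: undefined when these probes were designed
IP_DF = 0x4000      # Don't Fragment bit in the IPv4 flags/fragment-offset field


def build_packet(seq, flags, window, df=False):
    """Constructed 20-byte IPv4 header + 20-byte TCP header; only the tested fields matter."""
    frag = IP_DF if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 80, 40000, seq, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


def parse_packet(pkt):
    """Extract DF bit, TCP flags byte, sequence number and window from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    frag = struct.unpack("!H", pkt[6:8])[0]
    _, _, seq, _, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"df": bool(frag & IP_DF), "flags": off_flags & 0xFF, "seq": seq, "window": window}


def fin_test(resp):
    """FIN to an open port: a conforming stack stays silent; a RST betrays a non-conforming one."""
    if resp is None:
        return "silent"
    return "rst" if parse_packet(resp)["flags"] & TCP_RST else "other"


def bogus_flag_test(resp):
    """SYN with an undefined flag bit: does the reply echo the bit, clear it, or reset?"""
    if resp is None:
        return "silent"
    flags = parse_packet(resp)["flags"]
    if flags & TCP_RST:
        return "rst"
    return "echoed" if flags & BOGUS_FLAG else "cleared"


def isn_class(isns):
    """Classify initial sequence numbers from consecutive SYN/ACKs by their increments."""
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]
    if not deltas:
        raise ValueError("need at least two ISN samples")
    if len(set(deltas)) == 1:
        return "64K" if deltas[0] in (64000, 65536) else "constant-increment"
    # A fuller implementation would examine the spread and GCD of the increments;
    # here any non-fixed step is simply reported as random.
    return "random"


def fingerprint(fin_resp, bogus_resp, synack_resps):
    """Run the five tests over captured responses and return the feature set."""
    first = parse_packet(synack_resps[0])
    return {
        "fin": fin_test(fin_resp),
        "bogus": bogus_flag_test(bogus_resp),
        "isn": isn_class([parse_packet(p)["seq"] for p in synack_resps]),
        "df": first["df"],
        "window": first["window"],
    }


# Illustrative table using only behaviours the article states; None means "don't care".
# This is NOT any real tool's database.
FINGERPRINTS = [
    {"name": "Linux (echoes undefined flag)", "fin": None, "bogus": "echoed",
     "isn": None, "df": None, "window": None},
    {"name": "IRIX (RST on FIN, random ISN)", "fin": "rst", "bogus": None,
     "isn": "random", "df": None, "window": None},
    {"name": "Older UNIX (64K ISN increments)", "fin": None, "bogus": None,
     "isn": "64K", "df": None, "window": None},
]


def match(features):
    """Return the names of every table entry whose specified fields all agree with features."""
    return [fp["name"] for fp in FINGERPRINTS
            if all(v is None or features[k] == v for k, v in fp.items() if k != "name")]


def demo():
    """Constructed responses from a hypothetical target behaving like the article's IRIX."""
    fin_resp = build_packet(0, TCP_RST | TCP_ACK, 0)          # RST answers the FIN probe
    bogus_resp = build_packet(0, TCP_RST, 0)                  # SYN+BOGUS is reset
    isns = [0x1A2B3C4D, 0x7F00E1C2, 0x0C4A9931]               # no fixed increment
    synacks = [build_packet(s, TCP_SYN | TCP_ACK, 8760, df=True) for s in isns]
    features = fingerprint(fin_resp, bogus_resp, synacks)
    return features, match(features)


if __name__ == "__main__":
    feats, hits = demo()
    print(feats)
    print("matches:", hits)
```

Because the table entries only constrain the fields the article mentions, one target can match several entries; a real fingerprint database resolves that by recording far more fields per system.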

Please cite the original address when reposting: https://www.9cbs.com/read-75270.html
