Lab 3: Perform OS Discovery

 

Module 03: Scanning Networks

Task 1: Identify the Target System’s OS with Time-to-Live (TTL) and TCP Window Sizes using Wireshark



Open Wireshark.

Select Ethernet2.

Open cmd.

ping 10.10.10.16 (in this case the Windows Server).

Stop the capture in Wireshark.

Choose any packet of the ICMP reply.

The Info column should say "Echo (ping) reply".

The TTL value is recorded as 128, which means that the ICMP reply possibly came from a Windows-based machine.

Start capturing packets.

Go to cmd.

ping 10.10.10.9

Stop capturing packets.

The TTL value is recorded as 64, which means the ICMP reply possibly came from a Linux-based machine.

end



Lab Scenario

As a professional ethical hacker or a pen tester, the next step after discovering the open ports and services running on the target range of IP addresses is to perform OS discovery. Identifying the OS used on the target system allows you to assess the system’s vulnerabilities and the exploits that might work on the system to perform additional attacks.

Lab Objectives

  • Identify the target system’s OS with Time-to-Live (TTL) and TCP window sizes using Wireshark
  • Perform OS discovery using Nmap Script Engine (NSE)
  • Perform OS discovery using Unicornscan

Overview of OS Discovery / Banner Grabbing

Banner grabbing, or OS fingerprinting, is a method used to determine the OS that is running on a remote target system.

There are two types of OS discovery or banner grabbing techniques:

  • Active Banner Grabbing: Specially crafted packets are sent to the remote OS, and the responses are noted and then compared with a database to determine the OS. Responses from different OSes vary because of differences in their TCP/IP stack implementations.

  • Passive Banner Grabbing: This depends on the differential implementation of the stack and the various ways an OS responds to packets. Passive banner grabbing includes banner grabbing from error messages, sniffing the network traffic, and banner grabbing from page extensions.

Parameters such as the TTL and the TCP window size, found in the IP and TCP headers of the first packet in a TCP session, play an important role in identifying the OS running on the target machine. The TTL field determines the maximum time (counted in router hops) a packet can remain in a network, and the TCP window size is the amount of data the host advertises it can accept. Each OS uses its own default values, so you can refer to the following table to learn the initial TTL values and TCP window sizes associated with various OSes.

Operating System (OS)                    Time To Live   TCP Window Size
Linux (Kernel 2.4 and 2.6)               64             5840
Google Linux                             64             5720
FreeBSD                                  64             65535
OpenBSD                                  64             16384
Windows 95                               32             8192
Windows 2000                             128            16384
Windows XP                               128            65535
Windows 98, Vista and 7 (Server 2008)    128            8192
IOS 12.4 (Cisco Routers)                 255            4128
Solaris 7                                255            8760
AIX 4.3                                  64             16384


Wireshark is a network protocol analyzer that allows capturing and interactively browsing the traffic running on a computer network. It is used to identify the target OS by sniffing/capturing the response that the target machine sends back to the machine that originated the request. You can then observe the TTL and TCP window size fields in the captured packet and use these values to determine the target OS.
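
The following script is an added example, not part of the original lab, showing the same inference Wireshark lets you do by eye: it parses the IPv4 header for the TTL, parses the TCP header for the window size, rounds the observed TTL up to the nearest common initial value to account for hop decrements, and looks the pair up in the table above. The sample packets (an ICMP echo reply from 10.10.10.16 and a TCP SYN/ACK from 10.10.10.9) are constructed inline with zeroed checksums; the function names and the assumption that only 32/64/128/255 are used as initial TTLs are mine.

```python
import socket
import struct

# Reference table from the lab text: (OS name, initial TTL, TCP window size).
OS_SIGNATURES = [
    ("Linux (Kernel 2.4 and 2.6)", 64, 5840),
    ("Google Linux", 64, 5720),
    ("FreeBSD", 64, 65535),
    ("OpenBSD", 64, 16384),
    ("Windows 95", 32, 8192),
    ("Windows 2000", 128, 16384),
    ("Windows XP", 128, 65535),
    ("Windows 98, Vista and 7 (Server 2008)", 128, 8192),
    ("IOS 12.4 (Cisco Routers)", 255, 4128),
    ("Solaris 7", 255, 8760),
    ("AIX 4.3", 64, 16384),
]

# Assumption: every sender starts from one of these initial TTLs.
INITIAL_TTLS = (32, 64, 128, 255)
PROTO_ICMP, PROTO_TCP = 1, 6


def parse_ipv4(packet: bytes):
    """Return (ttl, protocol, payload, src, dst) from a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes (options included)
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return ttl, proto, packet[ihl:], socket.inet_ntoa(src), socket.inet_ntoa(dst)


def tcp_window(segment: bytes) -> int:
    """The 16-bit window field sits at bytes 14..15 of the TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", segment[14:16])[0]


def guess_initial_ttl(observed_ttl: int) -> int:
    """Each router decrements TTL by one, so round up to the nearest initial value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL out of range")


def fingerprint(packet: bytes) -> dict:
    """Guess the sender's OS family from TTL (and, for TCP, window size)."""
    ttl, proto, payload, src, _dst = parse_ipv4(packet)
    initial = guess_initial_ttl(ttl)
    window = tcp_window(payload) if proto == PROTO_TCP else None
    if window is None:
        # ICMP carries no window, so only the TTL family can be narrowed down.
        matches = sorted({name for name, t, _w in OS_SIGNATURES if t == initial})
    else:
        matches = [name for name, t, w in OS_SIGNATURES if t == initial and w == window]
    return {"src": src, "ttl": ttl, "initial_ttl": initial,
            "hops": initial - ttl, "window": window, "matches": matches}


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Constructed test packet; checksum left at zero since the parser ignores it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


# Constructed samples mirroring the lab: echo reply from the Windows Server (TTL 128)
# and a SYN/ACK from the Ubuntu host one hop away (TTL 63, window 5840).
ICMP_ECHO_REPLY = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
WINDOWS_ICMP_REPLY = build_ipv4("10.10.10.16", "10.10.10.10", 128, PROTO_ICMP, ICMP_ECHO_REPLY)
TCP_SYNACK = struct.pack("!HHIIBBHHH", 80, 50000, 1000, 1, 0x50, 0x12, 5840, 0, 0)
LINUX_TCP_SYNACK = build_ipv4("10.10.10.9", "10.10.10.10", 63, PROTO_TCP, TCP_SYNACK)

if __name__ == "__main__":
    for pkt in (WINDOWS_ICMP_REPLY, LINUX_TCP_SYNACK):
        print(fingerprint(pkt))
```

Note that a ping only yields the TTL, so the ICMP reply narrows the result to a family of three Windows entries; the TCP SYN/ACK, which also carries the window size, pins the guess to a single row. An observed TTL below the initial value is the sign that the reply crossed one or more routers, which is why the script rounds up rather than matching the raw value.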

Here, we will use the Wireshark tool to perform OS discovery on the target host(s).

  1. Click Windows 10 to switch to the Windows 10 machine.

  2. On the Desktop, double-click the Wireshark shortcut.

  3. The Wireshark Network Analyzer main window appears; double-click the available Ethernet interface (here, Ethernet2) to start the packet capture.

    If a Software Update window appears, click Remind me later.

  4. Open the Command Prompt, type ping 10.10.10.16 and press Enter.

    10.10.10.16 is the IP address of the Windows Server 2016 machine.

  5. Observe the packets captured by Wireshark.

  6. Choose any packet of the ICMP reply from the Windows Server 2016 (10.10.10.16) to the Windows 10 (10.10.10.10) machine and expand the Internet Protocol Version 4 node in the Packet Details pane.

  7. The TTL value is recorded as 128, which means that the ICMP reply possibly came from a Windows-based machine.

  8. Now, stop the capture in the Wireshark window by clicking on the Stop button from the toolbar.

  9. Now, click the Start capturing packets button from the toolbar. If an Unsaved packets… pop-up appears, click Continue without Saving.

  10. Wireshark will start capturing the new packets.

  11. In the Command Prompt window, type ping 10.10.10.9 and press Enter.

    10.10.10.9 is the IP address of the Ubuntu machine.

  12. Observe the packets captured by Wireshark.

  13. Choose any packet of the ICMP reply from the Ubuntu (10.10.10.9) to the Windows 10 (10.10.10.10) machine and expand the Internet Protocol Version 4 node in the Packet Details pane.

  14. The TTL value is recorded as 64, which means the ICMP reply possibly came from a Linux-based machine.

  15. Stop the capture in the Wireshark window by clicking on the Stop button.

  16. This concludes the demonstration of identifying the OS of the target system using Wireshark.

  17. Close all open windows and document all the acquired information.
