Active Information Gathering: OS Identification
1. OS identification
OS identification techniques
- Many different techniques exist
- Good products combine several of them
Initial TTL value
- Based on OS defaults, so not reliable: the initial TTL can be changed by the administrator (and therefore spoofed), and every router on the path decrements it by one, so the value you observe is the initial TTL minus the hop count
- Windows: 128 (observed values 65-128)
- Linux/Unix: 64 (observed values 1-64)
- Some Unix systems (and much network equipment): 255
Passive identification
- IDS
- Packet capture and analysis
2. Identification methods
1) Python script
ttl_os.py
```python
#!/usr/bin/python
import logging
# Silence scapy's runtime warnings (e.g. "No route found for IPv6 destination")
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
import sys

if len(sys.argv) != 2:
    print("Usage - ./ttl_os.py [IP Address]")
    print("Example - ./ttl_os.py 10.10.10.1")
    print("Example will perform ttl analysis to attempt to determine whether the system is windows or Linux/Unix")
    sys.exit()

ip = sys.argv[1]
# Send a single ICMP echo request and wait at most 1 s for the reply
an = sr1(IP(dst=str(ip))/ICMP(), timeout=1, verbose=0)
if an is None:
    print("No response was returned!")
else:
    # Crude rule: a TTL of 64 or less is taken as the 64 class (Linux/Unix),
    # anything higher as the 128 class (Windows); 255-class hosts are misreported
    if int(an[IP].ttl) <= 64:
        print("Host is Linux/Unix!")
    else:
        print("Host is windows!")
```
Test:
```
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# python3 ./ttl_os.py 10.10.10.131
Host is windows!

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# python3 ./ttl_os.py 10.10.10.129
Host is Linux/Unix!
```
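The following is an added example, not code from the original post: it makes the TTL rule behind the script explicit and extends it to the 255 class and to hop distance. The script calls everything above 64 "Windows", which misreports 255-class Unix hosts and network devices; this version also rejects absurd distances and, when a hop count is known from traceroute, recovers the exact initial TTL so that a non-default (customised or spoofed) value stands out. The sample TTL values at the bottom are constructed, not captured replies.

```python
# Added example, not part of the original post. Every router on the path
# decrements the IP TTL by one, so the value seen in a reply is
# (initial TTL - hop count). Common defaults: 64 (Linux/Unix),
# 128 (Windows), 255 (some Unix systems, most network gear).

# (initial TTL, OS family), ordered from smallest to largest
INITIAL_TTLS = (
    (64, "Linux/Unix"),
    (128, "Windows"),
    (255, "Unix/network device"),
)


def guess_os_from_ttl(observed_ttl, max_hops=30):
    """Guess (family, initial_ttl, hops) from the TTL seen in a reply.

    The smallest default initial TTL that is >= observed_ttl wins, and the
    difference is the estimated hop distance. max_hops rejects absurd
    distances: a TTL of 10 is reported as unknown rather than as a Linux
    host 54 hops away (the script above would label it Linux/Unix).
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("observed TTL must be in 1..255")
    for initial, family in INITIAL_TTLS:
        hops = initial - observed_ttl
        if 0 <= hops <= max_hops:
            return family, initial, hops
    return "unknown", None, None


def guess_os_with_distance(observed_ttl, hops):
    """Combine the observed TTL with a hop count measured separately
    (e.g. with traceroute) to recover the exact initial TTL.

    A result that is not one of the known defaults points at a customised
    or spoofed TTL, which is the caveat given in section 1.
    """
    initial = observed_ttl + hops
    for default, family in INITIAL_TTLS:
        if initial == default:
            return family, initial
    return "unknown (non-default initial TTL)", initial


if __name__ == "__main__":
    # Constructed sample values, not captured replies
    for ttl in (64, 128, 118, 245, 10):
        print(ttl, guess_os_from_ttl(ttl))
    print(guess_os_with_distance(118, 10))  # ('Windows', 128)
    print(guess_os_with_distance(100, 3))   # non-default initial TTL 103
```

In the script above, `int(an[IP].ttl)` is the value to feed to `guess_os_from_ttl`; the hop count for `guess_os_with_distance` can be read off traceroute or from nmap's "Network Distance" line.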
2) nmap
Uses several techniques in combination, together with service characteristics. For a reliable fingerprint nmap's `-O` needs at least one open and one closed TCP port on the target; the "Network Distance" line is the hop count it derived from the replies.
Example:
```
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap 10.10.10.129 -O
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-04 03:32 EST
Nmap scan report for 10.10.10.129
Host is up (0.0013s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
143/tcp  open  imap
445/tcp  open  microsoft-ds
5001/tcp open  commplex-link
8080/tcp open  http-proxy
MAC Address: 00:0C:29:DE:5D:BA (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# nmap 10.10.10.131 -O
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-04 03:32 EST
Nmap scan report for 10.10.10.131
Host is up (0.00071s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
777/tcp   open  multiling-http
1027/tcp  open  IIS
6002/tcp  open  X11:2
7001/tcp  open  afs3-callback
7002/tcp  open  afs3-prserver
31337/tcp open  Elite
MAC Address: 00:0C:29:76:04:88 (VMware)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp::sp2 cpe:/o:microsoft:windows_xp::sp3
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.85 seconds
```
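As an added example (not from the original post), the same OS-detection results read from nmap's XML output instead of the text report: run `nmap -O -oX scan.xml <targets>` and parse the `<osmatch>` elements, which carry an accuracy percentage and CPE strings. When the fingerprint is ambiguous nmap lists several matches, and the accuracy is what tells you how much to trust each. The XML below is a hand-built fragment in nmap's schema that mirrors the two hosts above; it is constructed sample data, not real scanner output.

```python
# Added example, not part of the original post: parse OS matches out of
# nmap -oX output. Each <host> has an <os> element with one or more
# <osmatch name=".." accuracy=".."> children; each osmatch has <osclass>
# children that may contain <cpe> strings.
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML schema (hand-written, not a real scan)
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -O -oX scan.xml 10.10.10.129 10.10.10.131">
  <host>
    <status state="up"/>
    <address addr="10.10.10.129" addrtype="ipv4"/>
    <address addr="00:0C:29:DE:5D:BA" addrtype="mac" vendor="VMware"/>
    <os>
      <osmatch name="Linux 2.6.17 - 2.6.36" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
          <cpe>cpe:/o:linux:linux_kernel:2.6</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.10.10.131" addrtype="ipv4"/>
    <os>
      <osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="100">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="100">
          <cpe>cpe:/o:microsoft:windows_xp::sp2</cpe>
          <cpe>cpe:/o:microsoft:windows_xp::sp3</cpe>
        </osclass>
      </osmatch>
      <osmatch name="Microsoft Windows Server 2003 SP1 or SP2" accuracy="92">
        <osclass type="general purpose" vendor="Microsoft" osfamily="Windows" osgen="2003" accuracy="92"/>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""


def parse_os_matches(xml_text, min_accuracy=90):
    """Return {ipv4: [(name, accuracy, [cpe, ...]), ...]}, best match first.

    Matches below min_accuracy are dropped so that low-confidence guesses
    do not end up in a report as if they were facts.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
        if ip is None:
            continue
        matches = []
        for m in host.findall("./os/osmatch"):
            accuracy = int(m.get("accuracy", "0"))
            if accuracy < min_accuracy:
                continue
            cpes = [c.text for c in m.findall("./osclass/cpe") if c.text]
            matches.append((m.get("name"), accuracy, cpes))
        matches.sort(key=lambda t: t[1], reverse=True)
        result[ip] = matches
    return result


def best_guess(xml_text):
    """Map each host to its single highest-accuracy OS name (None if no match)."""
    return {ip: (m[0][0] if m else None) for ip, m in parse_os_matches(xml_text).items()}


if __name__ == "__main__":
    for ip, matches in parse_os_matches(SAMPLE_XML).items():
        for name, accuracy, cpes in matches:
            print("%s  %3d%%  %s  %s" % (ip, accuracy, name, " ".join(cpes)))
```

Replace `SAMPLE_XML` with the contents of the file written by `-oX` to use this on a real scan; `best_guess` is the value to carry into an inventory, `parse_os_matches` keeps the alternatives for the report.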
3) xprobe2
A more specialised tool, but its results still contain errors. In the run below it was also given no known ports, so the TCP ping, distance calculation, TCP handshake, SMB and SNMP modules were all skipped and the OS names it printed are unreadable garbage. Tell it which ports are open or closed with `-p` (for example `-p tcp:445:open`) or let it scan them with `-T` (for example `-T 139,445`), as listed in its usage text, before trusting any guess.
Example:
```
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# xprobe2

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

usage: xprobe2 [options] target
Options:
  -v                       Be verbose
  -r                       Show route to target(traceroute)
  -p <proto:portnum:state> Specify portnumber, protocol and state.
                           Example: tcp:23:open, UDP:53:CLOSED
  -c <configfile>          Specify config file to use.
  -h                       Print this help.
  -o <fname>               Use logfile to log everything.
  -t <time_sec>            Set initial receive timeout or roundtrip time.
  -s <send_delay>          Set packsending delay (milseconds).
  -d <debuglv>             Specify debugging level.
  -D <modnum>              Disable module number <modnum>.
  -M <modnum>              Enable module number <modnum>.
  -L                       Display modules.
  -m <numofmatches>        Specify number of matches to print.
  -T <portspec>            Enable TCP portscan for specified port(s).
                           Example: -T21-23,53,110
  -U <portspec>            Enable UDP portscan for specified port(s).
  -f                       force fixed round-trip time (-t opt).
  -F                       Generate signature (use -o to save to a file).
  -X                       Generate XML output and save it to logfile specified with -o.
  -B                       Options forces TCP handshake module to try to guess open TCP port
  -A                       Perform analysis of sample packets gathered during portscan in order to detect
                           suspicious traffic (i.e. transparent proxies, firewalls/NIDSs resetting connections).
                           Use with -T.

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# xprobe2 10.10.10.131

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 10.10.10.131
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.10.10.131. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.10.10.131. Module test failed
[-] No distance calculation. 10.10.10.131 appears to be dead or no ports known
[+] Host: 10.10.10.131 is up (Guess probability: 50%)
[+] Target: 10.10.10.131 is alive. Round-Trip Time: 0.46900 sec
[+] Selected safe Round-Trip Time value is: 0.93800 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 10.10.10.131 Running OS: ����TV (Guess probability: 100%)
[+] Other guesses:
[+] Host 10.10.10.131 Running OS: � ��TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: � ��TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: ����TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: � ��TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: � ��TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: ����TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: � ��TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: � ��TV (Guess probability: 100%)
[+] Host 10.10.10.131 Running OS: � ��TV (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
```
4) p0f (passive)
p0f sends nothing; it fingerprints only the traffic that crosses the interface it listens on, from the SYN/SYN+ACK headers and, for HTTP, the request and response headers. On a switched network, combine it with ARP spoofing so that the target's traffic passes through the sniffing host; because the target is fingerprinted from its ordinary connections rather than from replies to crafted probes, the result is considered more authoritative than an active scan.
Example:
```
┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# p0f -h
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

p0f: invalid option -- 'h'
Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:

  -i iface  - listen on the specified network interface
  -r file   - read offline pcap data from a given file
  -p        - put the listening interface in promiscuous mode
  -L        - list all available interfaces

Operating mode and output settings:

  -f file   - read fingerprint database from 'file' (/etc/p0f/p0f.fp)
  -o file   - write information to the specified log file
  -s name   - answer to API queries at a named unix socket
  -u user   - switch to the specified unprivileged account and chroot
  -d        - fork into background (requires -o or -s)

Performance-related options:

  -S limit  - limit number of parallel API connections (20)
  -t c,h    - set connection / host cache age limits (30s,120m)
  -m c,h    - cap the number of active connections / hosts (1000,10000)

Optional filter expressions (man tcpdump) can be specified in the command line to prevent p0f from looking at incidental network traffic.

Problems? You can reach the author at <lcamtuf@coredump.cx>.

┌──(root💀kali)-[/home/kali/Desktop/Tools]
└─# p0f -i eth0
--- p0f 3.09b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 322 signatures from '/etc/p0f/p0f.fp'.
[+] Intercepting traffic on interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

# Traffic triggered deliberately for the test: a Firefox request from 10.10.10.135 to 10.10.10.129:80
.-[ 10.10.10.135/51404 -> 10.10.10.129/80 (syn) ]-
|
| client   = 10.10.10.135/51404
| os       = Linux 2.2.x-3.x
| dist     = 0
| params   = generic
| raw_sig  = 4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ 10.10.10.135/51404 -> 10.10.10.129/80 (mtu) ]-
|
| client   = 10.10.10.135/51404
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.10.10.135/51404 -> 10.10.10.129/80 (syn+ack) ]-
|
| server   = 10.10.10.129/80
| os       = Linux 2.6.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*4,5:mss,sok,ts,nop,ws:df:0
|
`----

.-[ 10.10.10.135/51404 -> 10.10.10.129/80 (mtu) ]-
|
| server   = 10.10.10.129/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.10.10.135/51404 -> 10.10.10.129/80 (http request) ]-
|
| client   = 10.10.10.135/51404
| app      = Firefox 10.x or newer
| lang     = English
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],Connection=[keep-alive],Upgrade-Insecure-Requests=[1],?If-Modified-Since,?If-None-Match,?Cache-Control:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
`----

.-[ 10.10.10.135/51404 -> 10.10.10.129/80 (http response) ]-
|
| server   = 10.10.10.129/80
| app      = Apache 2.x
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,Connection=[Keep-Alive],Keep-Alive=[timeout=15, max=100],?ETag,?Vary:Content-Type,Accept-Ranges:Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (syn) ]-
|
| client   = 10.10.10.135/51406
| os       = Linux 2.2.x-3.x
| dist     = 0
| params   = generic
| raw_sig  = 4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (mtu) ]-
|
| client   = 10.10.10.135/51406
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (uptime) ]-
|
| client   = 10.10.10.135/51406
| uptime   = 8 days 12 hrs 56 min (modulo 49 days)
| raw_freq = 1000.00 Hz
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (syn+ack) ]-
|
| server   = 10.10.10.129/80
| os       = Linux 2.6.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*4,5:mss,sok,ts,nop,ws:df:0
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (mtu) ]-
|
| server   = 10.10.10.129/80
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (uptime) ]-
|
| server   = 10.10.10.129/80
| uptime   = 0 days 0 hrs 35 min (modulo 198 days)
| raw_freq = 240.00 Hz
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (http request) ]-
|
| client   = 10.10.10.135/51406
| app      = ???
| lang     = English
| params   = none
| raw_sig  = 1:Host,User-Agent,Accept=[*/*],Accept-Language=[en-US,en;q=0.5],Accept-Encoding=[gzip, deflate],Connection=[keep-alive],?Referer,?If-Modified-Since,?If-None-Match,?Cache-Control:Accept-Charset,Keep-Alive:Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
|
`----

.-[ 10.10.10.135/51406 -> 10.10.10.129/80 (http response) ]-
|
| server   = 10.10.10.129/80
| app      = Apache 2.x
| lang     = none
| params   = none
| raw_sig  = 1:Date,Server,Connection=[Keep-Alive],Keep-Alive=[timeout=15, max=100],?ETag,?Vary:Content-Type,Accept-Ranges:Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch mod_python/3.3.1 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1
|
`----
```
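The `raw_sig` lines above are the whole input p0f uses for the OS guess, so it is worth being able to read them. The following is an added example, not code from the original post and not part of p0f itself: it decodes a TCP `raw_sig` into named fields using the layout documented in the p0f v3 README (`ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass`, with the `ittl` field printed as `observed_ttl+distance`), computes the window size in bytes from the `mss*N` notation, and shows which fields separate the client SYN from the server SYN+ACK captured above. The mapping from initial TTL to OS family is the one assumed in section 1; the extra Windows-style signature used for the check at the end is constructed, not captured.

```python
# Added example, not part of the original post or of p0f. Parses the
# raw_sig strings p0f prints for SYN / SYN+ACK packets.
# Layout (p0f v3 README, TCP signatures):
#   ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
# In raw_sig output ittl is written as observed_ttl+distance.

# Default initial TTLs from section 1 (assumed mapping, see the caveat there)
TTL_FAMILY = {64: "Linux/Unix", 128: "Windows", 255: "Unix/network device"}


def decode_window(wsize, mss):
    """Turn p0f's window notation into a byte count where that is possible."""
    if wsize == "*":
        return None                       # wildcard, no fixed value
    if wsize.startswith("mss*"):
        return None if mss is None else mss * int(wsize[4:])
    if wsize.startswith("mtu*") or wsize.startswith("%"):
        return None                       # needs the link MTU, or is only a modulus
    return int(wsize)


def parse_p0f_tcp_sig(raw_sig):
    """Parse one raw_sig string into a dict of named fields."""
    fields = raw_sig.split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields, got %d" % len(fields))
    ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = fields
    ttl_str, _, dist_str = ittl.partition("+")
    observed_ttl = int(ttl_str)
    distance = int(dist_str) if dist_str else 0
    wsize, _, scale = wsize_scale.partition(",")
    mss_val = None if mss == "*" else int(mss)
    initial_ttl = observed_ttl + distance
    return {
        "ip_version": ver,
        "observed_ttl": observed_ttl,
        "distance": distance,
        "initial_ttl": initial_ttl,
        "ttl_family": TTL_FAMILY.get(initial_ttl, "non-default"),
        "ip_opt_len": int(olen),
        "mss": mss_val,
        "window_raw": wsize,
        "window": decode_window(wsize, mss_val),
        "window_scale": None if scale in ("", "*") else int(scale),
        "options": olayout.split(",") if olayout else [],
        "quirks": quirks.split(",") if quirks else [],
        "payload": {"0": "none", "+": "present"}.get(pclass, "any"),
    }


def diff_sigs(a, b):
    """Names of the fields two parsed signatures disagree on."""
    return sorted(k for k in a if a[k] != b[k])


# The two signatures captured in the p0f output above
CLIENT_SYN_SIG = "4:64+0:0:1460:mss*44,7:mss,sok,ts,nop,ws:df,id+:0"
SERVER_SYNACK_SIG = "4:64+0:0:1460:mss*4,5:mss,sok,ts,nop,ws:df:0"

if __name__ == "__main__":
    client = parse_p0f_tcp_sig(CLIENT_SYN_SIG)
    server = parse_p0f_tcp_sig(SERVER_SYNACK_SIG)
    print("client: window %d bytes, scale %d, quirks %s"
          % (client["window"], client["window_scale"], client["quirks"]))
    print("server: window %d bytes, scale %d, quirks %s"
          % (server["window"], server["window_scale"], server["quirks"]))
    print("fields that separate the two:", diff_sigs(client, server))
```

Both hosts use the same option layout and the same initial TTL of 64, so the TTL alone could not tell them apart; what p0f keys on is the window (44 × MSS = 64240 bytes with scale 7 on the client, 4 × MSS = 5840 bytes with scale 5 on the server) and the `id+` quirk, which is why the client is labelled the generic "Linux 2.2.x-3.x" and the server "Linux 2.6.x".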
Category: Kali penetration testing study notes