TechExams.net IT Certification Forums > General > Off-Topic
OS profiling for noobs like Pash

Post #1, 07-28-2010, 04:27 PM, by Pash (Senior Member; Join Date: Nov 2006; Location: United Kingdom; Posts: 1,442; Certifications: MCSA 2003, JNCIA-FWV, Security+ Expired: CCNA)

Hi Security nuts!,

Ok so, you guys can earn your salt with me today if you have suggestions. The homies from IBM security division are giving me shit again this week. They have completed a PEN test this week again for my customer. They seem to think that we haven't actually fixed an underlying issue with the good ole Windows NULL sessions security entailments that have been going on for years.

They claim, that SMB can leak operating system information over port TCP 445 (or I am guessing over 139 as well if NETBT is on right?).

First of all, they suggest the Fix is the good old "RestrictAnonymous" registry change. This is fine, but this still does not stop anonymous connections to the server.

They then go on to mention changing the "TransportBindName" reg info to block access to port 445 on the server.

My question is (because they don't reveal it), how are IBM doing their OS profiling using SMB/NBTSTAT or whatever they are using when they have an anonymous connection with their servers?

If you can help me out, it's rep, e-cookies and a beer if ever in Central London

Cheers,

Pash



__________________
Cobra's! Let's bounce!

2010-2011 Goals: Get MCITP:EA done. Maybe VCP and CEH.

Next up: 11th October 70-648 MCSA transition Exam - 80% revision done.


Post #2, 07-28-2010, 04:33 PM, by down77 (Senior Member; Join Date: Apr 2008; Posts: 205; Certifications: Way too many...)

It sounds like they are using simple reconnaissance and enumeration techniques that even most entry-level ethical hackers would use. One of the most common ways to detect which operating system may be at a certain IP address is to probe various ports/protocols such as TCP, UDP, ICMP, etc. to see what is open and how they respond. Almost every operating system handles its response differently, and by examining the details within the response one can intelligently guess and detect the operating system as well as find any potential open ports for exploitation.

Take a look at the Remote OS Detection chapter from NMAP:

Chapter 8. Remote OS Detection

There are a number of tools that allow you to do both active and passive reconnaissance, and you may want to play around in a lab environment to see the types of responses you may get. For a previous company, we would actually manipulate the packet through our F5 to mask detection from external sources... and various other methods to assist with internal security.

Edit: Here is an example using NMap in my lab with simple arguments -sT -A (simple Connect scan with OS fingerprinting)

Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?


Last edited by down77; 07-28-2010 at 04:46 PM.
Post #3, 07-28-2010, 04:45 PM, by tiersten (Join Date: Apr 2008; Posts: 3,639)

What down77 said. Send a server specially crafted packets and see how it responds.

Depending on what other services are running on this server, you may be revealing information via error pages or special commands. You know a site is running PHP if it responds to any of the special PHP GUIDs etc...

Post #4, 07-28-2010, 05:06 PM, by Devilsbane (Senior Member; Join Date: Apr 2010; Posts: 2,128; Certifications: MCSA:2003, A+, Network+, Security+, MOS 2007 (MCAS) AAS Computer Forensics)

Also, can't you use ping to differentiate between Unix and Windows? If I am remembering right, Windows uses a default TTL of 128 while Unix systems have a default of 64.

Post #5, 07-28-2010, 05:43 PM, by down77 (Senior Member; Join Date: Apr 2008; Posts: 205; Certifications: Way too many...)

Quote:
Originally Posted by Devilsbane View Post
Also can't you use ping to differentiate between unix and windows? If I am remembering right, windows uses a default TTL of 128 while Unix systems have a default of 64.
One problem you could run into with this is what if the device you are trying to ping is an appliance/printer/router/etc? Basing it on ping alone leaves too many type 1 errors (false positive).

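The TTL rule Devilsbane describes, and down77's objection to it, as an added Python example (not code from either poster or from the forum). It parses both the Windows ("TTL=128") and Unix ("ttl=52") forms of a ping reply, rounds the observed TTL up to the nearest common initial value (64, 128 or 255), estimates the hop count from the difference, and returns a list of candidate device classes rather than one answer. The 255 class and the printer/appliance entries are this example's assumptions beyond the thread's 128/64 rule; the sample ping lines are constructed.

```python
import re

# Common initial TTL values and the device classes that ship with them.
# The 128 (Windows) / 64 (Unix) rule is the thread's; the 255 class and the
# appliance/printer entries are this example's additions, and they are the
# reason the result is a list of candidates rather than a single answer.
INITIAL_TTLS = {
    64: ["Linux/Unix", "macOS", "many printers and appliances"],
    128: ["Windows"],
    255: ["Cisco IOS and other routers", "Solaris", "some network appliances"],
}

# Matches both Windows ("TTL=128") and Unix ("ttl=52") ping output.
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Constructed sample lines, not captured from any real host.
SAMPLE_PING_LINES = [
    "Reply from 10.0.0.5: bytes=32 time=1ms TTL=128",
    "64 bytes from 10.0.0.7: icmp_seq=1 ttl=52 time=12.3 ms",
    "64 bytes from 10.0.0.1: icmp_seq=1 ttl=250 time=0.4 ms",
]


def infer_initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    if not 0 < observed <= 255:
        raise ValueError(f"TTL {observed} is outside the IPv4 range 1..255")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    raise AssertionError("unreachable: 255 is the top of the table")


def guess_from_ttl(observed: int) -> dict:
    """Return the inferred initial TTL, hop estimate and candidate OS classes.

    The hop count is what makes this fragile: a Windows host 64 or more hops
    away arrives with a TTL of 64 or less and is filed under the Unix class,
    and every appliance in the 64 or 255 class looks like a general-purpose OS.
    """
    initial = infer_initial_ttl(observed)
    candidates = INITIAL_TTLS[initial]
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": initial - observed,
        "candidates": candidates,
        "ambiguous": len(candidates) > 1,
    }


def guess_from_ping_output(lines) -> list:
    """Apply guess_from_ttl to every ping reply line that carries a TTL."""
    results = []
    for line in lines:
        match = TTL_RE.search(line)
        if match:
            results.append(guess_from_ttl(int(match.group(1))))
    return results


if __name__ == "__main__":
    for r in guess_from_ping_output(SAMPLE_PING_LINES):
        flag = " (ambiguous)" if r["ambiguous"] else ""
        print(f"ttl={r['observed_ttl']:3d} -> initial {r['initial_ttl']}, "
              f"~{r['hops']} hops, {', '.join(r['candidates'])}{flag}")
```

Run it and the third sample line (ttl=250) comes back flagged ambiguous with a router among the candidates, which is exactly the false positive down77 warns about: on its own the TTL says "not Windows", nothing more.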
Post #6, 07-28-2010, 06:10 PM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

How do you have RestrictAnonymous configured? 1 doesn't cut it.

SecurityFriday ["RestrictAnonymous=1" has no meaning !]



__________________
''=~('(?{'.('[-@.^~'^'+_)@*^').'"'.('@.&@-@@<@~$@^~.@^_'^')@@/^)%[%^@/*^@%*}').',$/})')

Post #7, 07-28-2010, 10:37 PM, by Pash (Senior Member; Join Date: Nov 2006; Location: United Kingdom; Posts: 1,442; Certifications: MCSA 2003, JNCIA-FWV, Security+ Expired: CCNA)

Quote:
Originally Posted by down77
Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?

Honestly, no.

It could still be a desktop running those services? Nothing says that has to be a server to me. Even NBTSTAT gives me more of a hunch with NetBIOS names coming back at me. You don't call a server CWS001, do you? You call it SVR001 or something. But there again, I guess that's why I don't work in security; you will probably tell me it's all down to the way the listening ports are ordered or something.

But, your points are all taken on board; in reality this is a perfect opportunity for me to learn some stuff about hacking techniques. But in the real real world, I'm on annual leave next week and I need to get a solution to them by Friday. So I guess I have some more work to be doing tomorrow.

Ohh and Andy, it's set to 2. But still, it's been working in production for months without issue. Also, update your blog you lazy bozo, I'm interested in reading yours and Paul's ramblings.





Last edited by Pash; 07-28-2010 at 10:39 PM.
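The registry values behind this exchange, as an added Python audit that is not from the page, from dynamik's link or from Microsoft: RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the TransportBindName value under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters that Pash's testers mention. The thresholds encode the point of the linked SecurityFriday paper: 1 still leaves enumeration paths open, while 2 (or, on XP/2003 and later, RestrictAnonymousSAM=1 with EveryoneIncludesAnonymous=0) is what closes them. The last finding is the caveat that answers Pash's original question: these values control what an anonymous session may enumerate once it exists; the SMB negotiate and session-setup exchange on 445 (or 139) still answers a client that has no credentials, and the native OS and LAN Manager strings in that reply are what SMB-based fingerprinters read, which is why the report keeps flagging the host with RestrictAnonymous already at 2. The sample dictionaries are constructed; read_windows_settings() touches winreg only when run on Windows.

```python
"""Audit the Windows settings that govern anonymous (null-session) SMB access.

Real value names and paths (present on Windows 2000 and later):
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa
      RestrictAnonymous          DWORD 0/1/2
      RestrictAnonymousSAM       DWORD 0/1  (XP/2003 and later)
      EveryoneIncludesAnonymous  DWORD 0/1  (XP/2003 and later)
  HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters
      TransportBindName          REG_SZ, default "\\Device\\"; empty = 445 not bound
"""
import sys

LSA_PATH = r"SYSTEM\CurrentControlSet\Control\Lsa"
NETBT_PATH = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
LSA_VALUES = ("RestrictAnonymous", "RestrictAnonymousSAM", "EveryoneIncludesAnonymous")
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


def read_windows_settings() -> dict:
    """Read the live values on a Windows host; return {} on any other platform."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg  # only importable on Windows
    settings = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_PATH) as key:
        for name in LSA_VALUES:
            try:
                settings[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # absent value: the audit applies the OS default
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_PATH) as key:
        try:
            settings["TransportBindName"] = winreg.QueryValueEx(key, "TransportBindName")[0]
        except FileNotFoundError:
            pass
    return settings


def audit_anonymous_access(settings: dict) -> list:
    """Return (severity, message) findings for a dict of the values above.

    Missing keys are taken as the Windows defaults: RestrictAnonymous=0,
    RestrictAnonymousSAM=1, EveryoneIncludesAnonymous=0, TransportBindName set.
    """
    findings = []
    ra = int(settings.get("RestrictAnonymous", 0))
    ra_sam = int(settings.get("RestrictAnonymousSAM", 1))
    everyone = int(settings.get("EveryoneIncludesAnonymous", 0))
    bind = settings.get("TransportBindName", "\\Device\\")

    if ra == 0:
        findings.append(("high", "RestrictAnonymous=0: null sessions may enumerate shares "
                                 "and, with RestrictAnonymousSAM=0, accounts"))
    elif ra == 1:
        findings.append(("medium", "RestrictAnonymous=1: account information can still be "
                                   "obtained through other RPC interfaces (the SecurityFriday "
                                   "point); pair it with RestrictAnonymousSAM=1 and "
                                   "EveryoneIncludesAnonymous=0, or set 2"))
    elif ra == 2:
        findings.append(("info", "RestrictAnonymous=2: anonymous users get no Everyone-group "
                                 "access; confirm domain trusts and browsing still work"))
    else:
        findings.append(("medium", f"RestrictAnonymous={ra}: unexpected value, treat as misconfiguration"))
    if ra_sam == 0:
        findings.append(("high", "RestrictAnonymousSAM=0: anonymous enumeration of SAM accounts is allowed"))
    if everyone == 1:
        findings.append(("high", "EveryoneIncludesAnonymous=1: anonymous logons receive Everyone-group permissions"))
    if bind == "":
        findings.append(("info", "TransportBindName is empty: SMB direct hosting on 445/tcp is not bound"))
    else:
        findings.append(("info", "445/tcp is bound: the SMB negotiate/session-setup exchange "
                                 "still answers without credentials, so OS fingerprinting over "
                                 "SMB is unaffected by the Lsa values above"))
    return findings


def worst_severity(findings) -> str:
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="info")


# Constructed samples: Pash's described state (set to 2) and a weakly configured host.
SAMPLE_HARDENED = {"RestrictAnonymous": 2, "RestrictAnonymousSAM": 1,
                   "EveryoneIncludesAnonymous": 0, "TransportBindName": "\\Device\\"}
SAMPLE_WEAK = {"RestrictAnonymous": 1, "RestrictAnonymousSAM": 0, "EveryoneIncludesAnonymous": 1}

if __name__ == "__main__":
    live = read_windows_settings() or SAMPLE_HARDENED
    for sev, msg in audit_anonymous_access(live):
        print(f"[{sev}] {msg}")
```

On a Windows host run it as an administrator and it audits the live registry; anywhere else it falls back to the constructed hardened sample so the report format can be seen.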
Post #8, 07-28-2010, 11:25 PM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

Sorry dude, school's killing me. I just need to survive another two months, and then I'm going to hit the blog hard.

Actually, that'll provide tools with a ton of information. Get Nmap and run nmap -O <ip>

Run p0f and just connect to shares, remote desktop, etc.

The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

Edit: Metasploit has some SMB scanning utilities that do OS fingerprinting as well: http://www.metasploit.com/modules/au.../smb/smb_login

It sounds like they might just be wanting you to disable NetBIOS altogether.

Also, it's really weak to not disclose your methods. Every report I write includes screen shots of the tools I use, commands I run, etc. I want the person reading the report to be able to recreate whatever condition and see it for themselves. I think that adds value...





Last edited by dynamik; 07-28-2010 at 11:30 PM.
Post #9, 07-28-2010, 11:42 PM, by moss12 (Senior Member; Join Date: Oct 2004; Location: New Zealand; Posts: 216; Certifications: Diploma Network Engineering (CCNA, CCNP Academy) Pursuing Degree in BEngTech(Networking))

Hey Pash,

You have come a long way from retail assistant to successful IT personnel.
What position are you doing now? Very inspiring indeed.

Post #10, 07-29-2010, 12:30 AM, by knwminus (Senbonzakura Kageyoshi; Join Date: Apr 2009; Location: Ohio; Posts: 2,836; Certifications: A+ Net+ CCNA CCNA:Security CNSS 4011)

Quote:
Originally Posted by down77 View Post

Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?
What is Windows Server (2003?)?



__________________
Facebook: http://www.facebook.com/kevinnwminus
Twitter: twitter.com/knwminus
Blog: knwminus.blogspot.com
Next Certs: 2010: Security+ LPIC-1, MCP

Best song ever : http://www.youtube.com/watch?v=hMtZfW2z9dw

Post #11, 07-29-2010, 12:53 AM, by tiersten (Join Date: Apr 2008; Posts: 3,639)

Quote:
Originally Posted by Pash View Post
Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening

Based on that, can you guess the OS?

Honestly, no.

It could still be a desktop running those services? Nothing says that has to be a server to me.
25 = SMTP
80 = Web
110 = POP
135 = DCOM
139 = NetBIOS
445 = SMB over TCP so Win2K+
1025 = Most likely Windows RPC
3389 = RDP

These are just based on what are the well known port allocations. There isn't anything stopping you from running your webserver on port 4953 and your SMTP server on port 80 except for making it difficult for others to use.

Assuming that no ports are blocked, then we're probably looking at a W2K+ machine. It's got SMTP and POP running but none of the other Exchange ports. The webserver doesn't have SSL enabled as it's only listening on port 80. It is unlikely to be a *NIX server running Samba due to the combination of services that are running, but it is possible that it could be.

Considering it does have SMTP, POP and a web server running then I'd hazard a guess that it is one of the server editions of Windows and not a regular workstation.

So yes. It is possible to do some reasonable guesses just based on what ports have something listening on them.

If you run some of the tools that Dynamik listed then you'll find out even more. You don't even need user accounts to gather this information.

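down77's scan output and tiersten's port-by-port reading of it, combined into one added Python example (not code from either poster or from Nmap): parse the "Discovered open port" lines that nmap prints in verbose mode, map each port to its well-known service, and apply the thread's reasoning: 135 and 3389 are Microsoft-specific, 445 narrows it to Windows 2000 or later (or Samba), and SMTP/POP/HTTP beside them suggest a server edition. It is a triage hint, not a fingerprint; as tiersten notes, nothing stops a web server on port 4953, so the result carries its reasons with it. The sample text is the thread's own lines with their annotations left in, to show the parser ignores them; the SSH entry is this example's addition.

```python
import re

# Constructed sample: the "Discovered open port" lines quoted in the thread,
# annotations included so the parser is seen to ignore trailing text.
SAMPLE_NMAP_OUTPUT = """\
Discovered open port 25/tcp on 10.x.x.x
Discovered open port 110/tcp on 10.x.x.x
Discovered open port 445/tcp on 10.x.x.x <--- Notice SMB
Discovered open port 135/tcp on 10.x.x.x <--- Notice MS RPC
Discovered open port 1025/tcp on 10.x.x.x
Discovered open port 3389/tcp on 10.x.x.x <---- RDP
Discovered open port 139/tcp on 10.x.x.x <--- Notice NetBios
Discovered open port 80/tcp on 10.x.x.x <--- Another fun opening
"""

DISCOVERED_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)", re.MULTILINE)

# Well-known assignments, as tiersten reads them (22 added for the Unix case).
SERVICE_NAMES = {
    22: "ssh", 25: "smtp", 80: "http", 110: "pop3",
    135: "msrpc (DCOM endpoint mapper)", 139: "netbios-ssn", 443: "https",
    445: "microsoft-ds (SMB over TCP)", 1025: "msrpc dynamic endpoint (likely)",
    3389: "ms-wbt-server (RDP)",
}


def parse_discovered_ports(text: str) -> dict:
    """Return {host: {"tcp": set(ports), "udp": set(ports)}} from nmap -v output."""
    hosts = {}
    for port, proto, host in DISCOVERED_RE.findall(text):
        hosts.setdefault(host, {"tcp": set(), "udp": set()})[proto].add(int(port))
    return hosts


def os_hint(tcp_ports: set) -> dict:
    """Turn an open-TCP-port set into a hint about OS family and host role."""
    reasons = []
    windows_points = 0
    unix_points = 0
    if 135 in tcp_ports:
        windows_points += 2
        reasons.append("135/tcp: MS RPC endpoint mapper, rarely seen outside Windows")
    if 3389 in tcp_ports:
        windows_points += 2
        reasons.append("3389/tcp: RDP")
    if 445 in tcp_ports:
        windows_points += 1
        reasons.append("445/tcp: SMB over TCP, so Windows 2000 or later, or Samba")
    if 139 in tcp_ports and 445 not in tcp_ports:
        reasons.append("139/tcp without 445: NetBIOS session only, older Windows or Samba")
    if 22 in tcp_ports:
        unix_points += 1
        reasons.append("22/tcp: SSH, usually Unix-like (Windows can run it too)")

    if windows_points >= 3:
        family = "Windows (2000 or later)"
    elif windows_points > unix_points:
        family = "Windows or Samba on a Unix-like host"
    elif unix_points > windows_points:
        family = "Unix-like"
    else:
        family = "unknown"

    # SMTP/POP/HTTP(S) alongside the above suggest a server edition, not a workstation.
    server_ports = sorted(p for p in (25, 80, 110, 443) if p in tcp_ports)
    if server_ports:
        role = "server role (" + ", ".join(SERVICE_NAMES[p] for p in server_ports) + ")"
    else:
        role = "no obvious server services"
    return {
        "family": family,
        "role": role,
        "reasons": reasons,
        "services": {p: SERVICE_NAMES.get(p, "unknown") for p in sorted(tcp_ports)},
    }


if __name__ == "__main__":
    for host, ports in parse_discovered_ports(SAMPLE_NMAP_OUTPUT).items():
        hint = os_hint(ports["tcp"])
        print(f"{host}: {hint['family']}; {hint['role']}")
        for reason in hint["reasons"]:
            print("  -", reason)
```

Feed it real `nmap -v` output and it gives one line per host plus the reasons, which is the part worth keeping: a hint with no stated reasons is the kind of unexplained finding the thread complains about.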
Post #12, 07-29-2010, 01:05 AM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

Quote:
Originally Posted by knwminus View Post
What is Windows Sever (2003?)?
Code:
for p in 25 80 110 135 139 445 1025 3389 ; do { ncat -lk $p & }; done
Ghetto Honeypot...




Post #13, 07-29-2010, 01:10 AM, by knwminus (Senbonzakura Kageyoshi; Join Date: Apr 2009; Location: Ohio; Posts: 2,836; Certifications: A+ Net+ CCNA CCNA:Security CNSS 4011)

Quote:
Originally Posted by dynamik View Post
Code:
for p in 25 80 110 135 139 445 1025 3389 ; do { ncat -lk $p & }; done
Ghetto Honeypot...

I am assuming the first part sets monitoring on those ports coming inbound. What does the part "Do { ncat..." do?





Last edited by knwminus; 07-29-2010 at 01:15 AM.
Post #14, 07-29-2010, 01:15 AM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

I'm not your wife; run it and find out. Then do a netstat -antp.

(That is using the Nmap version of netcat; you might have to adjust it slightly based on what you have installed.)




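For knwminus's question: in dynamik's one-liner the `for p in ...; do ...; done` part walks the port list, and `{ ncat -lk $p & }` starts one ncat per port in the background, with `-l` meaning listen and `-k` meaning keep listening after each client disconnects. Nothing monitors anything until something connects; the point is that whatever connects gets logged by ncat, which is why it is a "ghetto honeypot". The same idea as an added Python example, not dynamik's code or the page's: one listener thread per port that records the peer address, the local port and the first bytes the client sends, so a scan against the box shows up as a burst of events across the fake services. The default port list is the thread's; since those ports need root and would collide with real services, demo() and the tests bind kernel-assigned ports on loopback instead (an assumption of this example).

```python
import socket
import threading
import time

# The port list from dynamik's one-liner; binding these needs root and free
# ports, so demo() uses port 0 (kernel-assigned) on loopback instead.
DEFAULT_PORTS = [25, 80, 110, 135, 139, 445, 1025, 3389]


class Honeypot:
    """Listen on each port, accept whatever connects, and record it.

    One listener thread per port, the Python counterpart of `ncat -lk $p &`:
    -l listens, -k keeps listening after each client leaves, & backgrounds it.
    """

    def __init__(self, ports=DEFAULT_PORTS, host="127.0.0.1", read_timeout=0.5):
        self.host = host
        self.ports = list(ports)
        self.read_timeout = read_timeout
        self.events = []        # dicts: when, port, peer, data (first bytes sent)
        self.bound = []         # actual local ports, in the order of self.ports
        self._lock = threading.Lock()
        self._socks = []
        self._threads = []
        self._running = False

    def start(self) -> list:
        self._running = True
        for port in self.ports:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((self.host, port))
            sock.listen(16)
            sock.settimeout(0.2)   # lets accept() wake up and notice stop()
            self.bound.append(sock.getsockname()[1])
            self._socks.append(sock)
            thread = threading.Thread(target=self._serve, args=(sock,), daemon=True)
            thread.start()
            self._threads.append(thread)
        return list(self.bound)

    def _serve(self, listener):
        local_port = listener.getsockname()[1]
        while self._running:
            try:
                conn, peer = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break              # listener closed by stop()
            with conn:
                conn.settimeout(self.read_timeout)
                try:
                    data = conn.recv(64)   # a banner or probe, if the client sends one
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.events.append({"when": time.time(), "port": local_port,
                                    "peer": peer, "data": data})

    def wait_for_events(self, count, timeout=3.0) -> bool:
        """Block until at least `count` connections have been recorded."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return True
            time.sleep(0.02)
        return False

    def connections_by_port(self) -> dict:
        counts = {}
        with self._lock:
            for event in self.events:
                counts[event["port"]] = counts.get(event["port"], 0) + 1
        return counts

    def stop(self):
        self._running = False
        for sock in self._socks:
            sock.close()
        for thread in self._threads:
            thread.join(timeout=1.0)


def probe(host, port, payload=b""):
    """Connect once, optionally send a payload, disconnect (a stand-in for a scanner)."""
    with socket.create_connection((host, port), timeout=1.0) as conn:
        if payload:
            conn.sendall(payload)


def demo() -> dict:
    """Two loopback listeners, one connection each; returns per-port counts."""
    hp = Honeypot(ports=[0, 0])
    ports = hp.start()
    try:
        probe("127.0.0.1", ports[0], b"GET / HTTP/1.0\r\n\r\n")
        probe("127.0.0.1", ports[1])
        hp.wait_for_events(2)
        return hp.connections_by_port()
    finally:
        hp.stop()


if __name__ == "__main__":
    print(demo())
```

Then, as dynamik says, `netstat -antp` on the box shows the listeners; a port scan from another host produces one event per probed port, with the scanner's address as the peer.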
Post #15, 07-29-2010, 01:17 AM, by knwminus (Senbonzakura Kageyoshi; Join Date: Apr 2009; Location: Ohio; Posts: 2,836; Certifications: A+ Net+ CCNA CCNA:Security CNSS 4011)

Quote:
Originally Posted by dynamik View Post
I'm not your wife; run it and find out. Then do a netstat -antp.

(That is using the Nmap version of netcat; you might have to adjust it slightly based on what you have installed.)
Meh. I guess I have no choice. Will you at least tell me if it is the same for vanilla nmap on, say, an Ubuntu or Fedora laptop? Or do I have to look that up too? lol




Post #16, 07-29-2010, 01:19 AM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

Quote:
Originally Posted by knwminus View Post
Meh. I guess I have no choice. Will you at least tell me if it is the same for vanilla nmap on, say, an Ubuntu or Fedora laptop? Or do I have to look that up too? lol
Sorry dude, you're past the hand-holding stage. Worst-case scenario is you get an error. Then you have something to Google...

Read up on Bash for-loops while you're at it.




Post #17, 07-29-2010, 01:26 AM, by knwminus (Senbonzakura Kageyoshi; Join Date: Apr 2009; Location: Ohio; Posts: 2,836; Certifications: A+ Net+ CCNA CCNA:Security CNSS 4011)

Quote:
Originally Posted by dynamik View Post
Sorry dude, you're past the hand-holding stage. Worst-case scenario is you get an error. Then you have something to Google...

Read up on Bash for-loops while you're at it.
Ouch. When did that happen? I don't even have my security plus yet. Fair enough. Guess that adds one more thing I have to do tonight.




Post #18, 07-29-2010, 01:41 AM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

Quote:
Originally Posted by knwminus View Post
I don't even have my security plus yet.
I've noticed; I've seen CCIE logs shorter than the one you have going for your Security+.

Seriously though, CCNA: Security trumps that by far. No whining allowed.




Post #19, 07-29-2010, 05:33 AM, by Pash (Senior Member; Join Date: Nov 2006; Location: United Kingdom; Posts: 1,442; Certifications: MCSA 2003, JNCIA-FWV, Security+ Expired: CCNA)

Quote:
Originally Posted by dynamik View Post
Sorry dude, school's killing me. I just need to survive another two months, and then I'm going to hit the blog hard.

Actually, that'll provide tools with a ton of information. Get Nmap and run nmap -O <ip>

Run p0f and just connect to shares, remote desktop, etc.

The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.

Edit: Metasploit has some SMB scanning utilities that do OS fingerprinting as well: Metasploit Penetration Testing Framework - Module Browser

It sounds like they might just be wanting you to disable NetBIOS altogether.

Also, it's really weak to not disclose your methods. Every report I write includes screen shots of the tools I use, commands I run, etc. I want the person reading the report to be able to recreate whatever condition and see it for themselves. I think that adds value...
Haha mate, no need to apologise, I am just interested in reading more of the same and I think you have a good combo with you two writing stuff.

Thanks very much for the advice mate, as with the others!

And yeh I agree, I think IBM just think it's ok to put their headed logo everywhere and think they can call themselves decent pen testers. I have seen pen tests from other vendors for other customers and they have included their methods.

Quote:
Originally Posted by moss12 View Post
Hey Pash,

You have come a long way from retail assistant to successful IT personal.
What position are you doing now? very inspiring indeed.
I do such a broad IT job that it's a nightmare to move away from. That said, I've been to interviews, second interviews for the last 6 months. Only one instance was a step forwards rather than a side step, and I lost out to a single other candidate. For now, I am still searching, but happy doing 1st/2nd/3rd line all in one.

Cheers to the rest of ya, points taken!




Post #20, 07-29-2010, 12:24 PM, by down77 (Senior Member; Join Date: Apr 2008; Posts: 205; Certifications: Way too many...)

Quote:
Originally Posted by dynamik View Post
Run p0f and just connect to shares, remote desktop, etc.

The amount of information you get just from basic network communications will vary quite a bit between OS, even between service packs of the same OS in some cases.
What... no tcpdump or wireshark as well?

Yes the example I posted was from a Win2k3 Server running as a honeypot in a lab environment.

I also agree that IBM *should* have posted their methods but many times large organizations consider them as "internal" or "proprietary."

Post #21, 07-29-2010, 12:47 PM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

Quote:
Originally Posted by down77 View Post
What... no tcpdump or wireshark as well?
You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.

Quote:
Originally Posted by down77 View Post
I also agree that IBM *should* have posted their methods but many times large organizations consider them as "internal" or "proprietary."
Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.




Post #22, 07-29-2010, 01:10 PM, by Pash (Senior Member; Join Date: Nov 2006; Location: United Kingdom; Posts: 1,442; Certifications: MCSA 2003, JNCIA-FWV, Security+ Expired: CCNA)

Quote:
Originally Posted by dynamik View Post
You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.



Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.
I so wish we could get you guys to do these pen tests. Unfortunately the call comes from HO which for our customers means Tokyo.

I am using zenmap atm (does this mean I am a gui noob? ), it's very handy. Just trying different ideas.




Post #23, 07-29-2010, 01:10 PM, by down77 (Senior Member; Join Date: Apr 2008; Posts: 205; Certifications: Way too many...)

Quote:
Originally Posted by dynamik View Post
You can fingerprint an OS by looking at a pcap? You're more l33t than me! I'm going to focus on intrusion analysis in 2011, so maybe I'll get more accustomed to what different OSes look like at the packet level.



Yea, but they could still give an overview of what the tool was doing (i.e. NetBIOS queries). Some vague recommendation just leaves the customer with a mystery. I also provide direction for remediation in my reports.

Even worse, the person performing the test might not understand how the tool works and is genuinely unable to explain it. It happens.
I am still but a padawan, oh Jedi Master... but what self-respecting Cyber-Jedi doesn't keep a sniffer/packet analyzer going when getting down and dirty!

Seriously though, I do have some coworkers that can look at the raw packet dump and tell you way too much about the target. Maybe not every intimate detail, but a surprising amount of information can be detected. I also hope to get to this level in the next few years, but in the meantime I'm still learning.

Oh, and another fun link for you guys on the topic:

OS Fingerprinting through RTOs

Post #24, 07-29-2010, 01:13 PM, by down77 (Senior Member; Join Date: Apr 2008; Posts: 205; Certifications: Way too many...)

Quote:
Originally Posted by Pash View Post
I so wish we could get you guys to do these pen tests. Unfortunately the call comes from HO which for our customers means Tokyo.

I am using zenmap atm (does this mean I am a gui noob? ), it's very handy. Just trying different ideas.
Zenmap is a great tool and, to be honest, I use it as well on my main OS partition (work requires Windows as primary OS). There is nothing wrong with using a GUI as long as you understand what is going on behind the scenes.

Post #25, 07-29-2010, 02:04 PM, by dynamik (Senior Member; Join Date: Mar 2007; Posts: 12,182)

Quote:
Originally Posted by Pash View Post
I am using zenmap atm (does this mean I am a gui noob? ), it's very handy. Just trying different ideas.
Yep, we can still be friends though.
Quote:
Originally Posted by down77 View Post
I am still but a padawan oh Jedi Master... but what self respecting Cyber-Jedi doesn't keep a sniffer/packet analyzer going when getting down and dirty!
I always do. I actually use windump since my host OS is Win7, and I have various attack VMs bridged through that. It's necessary because sometimes you have people freak the eff out when something goes wrong on their network. No matter what it is, they always blame you. You have to cover yourself.

If you want to have some fun with pcaps, check out: NetworkMiner Network Forensic Analysis Tool (NFAT) and Packet Sniffer

We always review ours once we get back at the hotel. We've found places that are seriously misconfigured and blasting out passwords in clear-text, etc. You can often find some interesting things.



