
finger.htm

Passive Fingerprinting is a method to learn more about the enemy, without them knowing it. Specifically, you can determine the operating system and other characteristics of the remote host using nothing more than sniffer traces. Though not 100% accurate, you can get surprisingly good results by looking at the TTL, TOS, Window Size, and DF bit. Includes information on changing your machine's fingerprint on Linux and Solaris.

<!-- X-URL: http://www.enteract.com/~lspitz/finger.html -->
<!-- Date: Thu, 27 Apr 2000 18:48:06 GMT -->
<BASE HREF="http://www.enteract.com/~lspitz/finger.html">

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta name="description" content="Tools and methods used by most common black hat threat on the Internet, the Script Kiddie">
<meta name="keywords" content="hacking,security,script kiddie,exploits,scans,black hat,root,tools,methods">
<meta name="GENERATOR" content="Mozilla/4.72 [en] (Win98; U) [Netscape]">
<title>Passive Fingerprinting</title>
</head>
<body link="#0000FF">
<i><font ><font size=+1>IDing remote hosts, without them knowing</font></font></i> <br>
<b><font face="Palatino,Book Antiqua"><font size=+4>Passive Fingerprinting</font></font></b>
<p>
<font face="Palatino,Book Antiqua"><font size=-1><a href="mailto:lance@spitzner.net?Subject=Passive Fingerprinting">Lance
Spitzner</a></font></font>
<br>Last Modified: 27 April, 2000
<p><b><font>One of the challenges of network
security is learning about the bad guys.&nbsp; To understand your threats
and better protect against them, you have to <a href="http://www.enteract.com/~lspitz/enemy.html">Know
Your Enemy</a>.&nbsp; Passive Fingerprinting is a method to learn more
about the enemy, without them knowing it.&nbsp; Specifically, you can determine
the operating system and other characteristics of the remote host using
nothing more than sniffer traces.&nbsp; Though not 100% accurate, you can
get surprisingly good results.</font></b>
<p><b><font face="Palatino,Book Antiqua"><font size=+2>Fingerprinting</font></font></b>
<br><font >Traditionally, Operating System
fingerprinting has been done using active tools, such as queso or nmap.&nbsp;
These tools operate on the principle that every operating system's IP stack
has its own idiosyncrasies.&nbsp; Specifically, each operating system responds
differently to a variety of malformed packets.&nbsp; All one has to do
is build a database on how different operating systems respond to different
packets.&nbsp; Then, to determine the operating system of a remote host,
send it a variety of malformed packets, determine how it responds, then
compare these responses to a database.&nbsp; Fyodor's <a href="http://www.insecure.org/nmap">nmap</a>
is the tool of choice when using this methodology.&nbsp; He has also written
a <a href="http://www.insecure.org/nmap/nmap-fingerprinting-article.txt">
detailed paper</a></font> on this.
<p>
<font >Passive fingerprinting follows the
same concept, but is implemented differently.&nbsp; Passive fingerprinting
is based on sniffer traces from the remote system.&nbsp; Instead of actively
querying the remote system, all you need to do is capture packets sent
from the remote system.&nbsp; Based on the sniffer traces of these packets,
you can determine the operating system of the remote host.&nbsp; Just like
in active fingerprinting, passive fingerprinting is based on the principle
that every operating system's IP stack has its own idiosyncrasies.&nbsp;
By analyzing sniffer traces and identifying these differences,&nbsp; you
may be able to determine the operating system of the remote host.</font>
<br>&nbsp;
<p><b><font face="Palatino,Book Antiqua"><font size=+2>The Differences</font></font></b>
<br><font >There are four areas that we will look at to determine the operating system (however
there are other signatures that can be used). These four differences are:</font>
<ul>
<li>
<font >TTL - What the operating system sets
the Time To Live on the outbound packet</font></li>

<li>
<font >Window Size - What the operating system
sets the Window Size at.</font></li>

<li>
<font >DF - Does the operating system set the
Don't Fragment bit.</font></li>

<li>
<font >TOS - Does the operating system set
the Type of Service, and if so, at what</font></li>
</ul>
<font >By analyzing these factors of a packet, you
may be able to determine the remote operating system.&nbsp; This system
is not 100% accurate, and works better for some operating systems than
others.&nbsp; However, it is a great place to start.&nbsp; Before we go
any further, an example would be the easiest thing to do.&nbsp; Below is
the sniffer trace of a system sending a packet.&nbsp;
This system launched a mountd exploit against me, so I want to learn more
about it.&nbsp; I do not want to finger or nmap the box, that could give
me away.&nbsp; Rather, I want to study the information passively.&nbsp;&nbsp;
This signature was captured using <a href="http://www.clark.net/~roesch/security.html">snort</a>,
my sniffer of choice.</font>
<p><font face="Courier New,Courier">04/20-21:41:48.129662 129.142.224.3:659
-> 172.16.1.107:604</font>
<br><font face="Courier New,Courier">TCP TTL:45 TOS:0x0 ID:56257</font>
<br><font face="Courier New,Courier">***F**A* Seq: 0x9DD90553&nbsp;&nbsp;
Ack: 0xE3C65D7&nbsp;&nbsp; Win: 0x7D78</font><font face="Courier New,Courier"></font>
<p><font >Based on our 4 criteria, we identify
the following:</font>
<ul>
<li>
<font >TTL: 45</font></li>

<li>
<font >Window Size: 0x7D78&nbsp; (or 32120
in decimal)</font></li>

<li>
<font >DF: The Don't Fragment bit is set</font></li>

<li>
<font >TOS: 0x0</font></li>
</ul>
<font >We then compare this information to
a <a href="traces.txt">database of signatures</a>.&nbsp; Based on the database,
it appears this packet was sent from a Linux box, potentially Red Hat 6.0
kernel 2.2.5.&nbsp; Based on initial testing, I have found the TTL to be
one of the better tools to determine source operating system.&nbsp; From our sniffer
trace above, you can see it is set at 45.&nbsp; This most likely means
it went through 19 hops to get to us, meaning the original TTL was set
at 64.&nbsp; This is confirmed after doing a traceroute to the remote host.
If you are concerned about the remote host detecting your traceroute,
you can set your traceroute time-to-live (default 30 hops) to be one
or two hops less than the remote host (-m option). For example, in this
case we would do a traceroute to the remote host, but using only 18
hops (traceroute -m 18). This gives you the path information
(including their upstream provider) without actually touching the remote host.
<p>
I have found the Window Size to be another effective tool, specifically
what size is used and how often the size changes.&nbsp;
Here we see it set at 0x7D78, a default Window Size commonly used by
Linux.&nbsp; Linux, FreeBSD, and Solaris also tend to maintain the same
Window Size throughout a session. Cisco routers (at least my 2514)
and Windows/NT Window Sizes are constantly changing. Also, I have found
that Window Size is more accurate if measured after the initial three-way handshake
(due to TCP slow start). For more information on Window Size, see Stevens,
"TCP/IP Illustrated, Volume 1" Chapter 20.
<p>
Most systems use the DF bit set, so this is of limited value.&nbsp; After
further testing, I feel that TOS is also of limited value. This seems
to be more session-based than operating system based. In other words, it's not
so much the operating system that determines the TOS, but the protocol
used. TOS definitely requires some more testing.&nbsp; So,
based on the information above, specifically TTL and Window Size,
you can compare the results to the <a href="traces.txt"> database of
signatures</a> and with a degree of confidence determine the OS (in
our case, Linux kernel 2.2.x). </font>
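<p><font >The procedure described above (recover the starting TTL from the observed one to count hops, then look the window size up in a signature table), as an added Python example that is not part of Spitzner's article or his traces.txt database. It parses the snort record shown earlier; the one-entry signature table is constructed from the Linux value this page gives, and the set of common starting TTLs is an assumption.</font>

```python
import re

# Constructed input: the snort (-v) TCP record quoted in the article, not a live capture.
SNORT_TRACE = """04/20-21:41:48.129662 129.142.224.3:659 -> 172.16.1.107:604
TCP TTL:45 TOS:0x0 ID:56257
***F**A* Seq: 0x9DD90553   Ack: 0xE3C65D7   Win: 0x7D78"""

# Assumed set of starting TTLs used by common IP stacks; the observed TTL is
# rounded up to the nearest one to recover the value the sender started with.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed signature table keyed on (initial TTL, window size). Only the
# Linux 2.2.x entry the article documents is filled in; extend it as you
# collect traces from systems you control.
SIGNATURES = {
    (64, 0x7D78): "Linux 2.2.x",
}


def parse_snort(trace):
    """Extract source port, TTL, TOS, IP ID, TCP flags and window size from
    a three-line snort TCP record."""
    src = re.search(r"(\d+\.\d+\.\d+\.\d+):(\d+) -> ", trace)
    ttl = int(re.search(r"TTL:(\d+)", trace).group(1))
    tos = int(re.search(r"TOS:(0x[0-9A-Fa-f]+)", trace).group(1), 16)
    ipid = int(re.search(r"ID:(\d+)", trace).group(1))
    win = int(re.search(r"Win:\s*(0x[0-9A-Fa-f]+)", trace).group(1), 16)
    # snort prints the flag field as eight positions: 1 2 U A P R S F, '*' when clear.
    flags = re.search(r"^([*12UAPRSF]{8})", trace, re.M).group(1)
    return {"src_port": int(src.group(2)), "ttl": ttl, "tos": tos,
            "ipid": ipid, "win": win, "flags": flags}


def guess_initial_ttl(ttl):
    """Smallest common starting TTL >= the observed TTL, plus the implied hop count."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def fingerprint(trace):
    """Run the article's passive checks over one record and return the findings."""
    f = parse_snort(trace)
    f["initial_ttl"], f["hops"] = guess_initial_ttl(f["ttl"])
    f["os_guess"] = SIGNATURES.get((f["initial_ttl"], f["win"]), "unknown")
    # A source port below 1024 means the sending process was privileged (root or suid).
    f["privileged_source"] = f["src_port"] < 1024
    return f
```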
<p>
There are several other areas that can be tracked, such as initial sequence
numbers or initial IP Identification numbers. For example, Cisco routers
tend to start IP Identification numbers at 0, instead of
randomly assigning them. These and other signatures can be combined with
the four listed above to help identify remote operating systems. As a bit
of additional information, we can also determine the remote user was root
when sending the packets (or running an suid program). The source port
is below 1024.
<p>
One thing to consider is Passive Fingerprinting can be defeated.&nbsp;
It is relatively simple for a remote host to adjust the TTL,
Window Size, DF, or TOS setting on packets.&nbsp; For example,
to change the default TTL value:<BR>
<b>Solaris:</b> ndd -set /dev/ip ip_def_ttl 'number'<br>
<b>Linux:</b> echo 'number' > /proc/sys/net/ipv4/ip_default_ttl<br>
<b>NT:</b> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
<p>
However, by combining a variety of different signatures, such as TTL, Window Size,
and the IP Identification number, you can make an approximation of the remote system.</font>
<p>
<font>Passive fingerprinting can be used for several other purposes. It can be used
by the bad guys as 'stealthy' fingerprinting.&nbsp; For example, to determine
the Operating System of a 'potential victim', such as a webserver, one only
needs to request a webpage from the server, then analyze the sniffer traces.&nbsp;
This bypasses the need for using an active tool that can be detected by various
IDS systems.&nbsp; Also, Passive fingerprinting may be used to identify remote
proxy firewalls. Since proxy firewalls rebuild connections for clients, it may
be possible to ID the proxy firewalls based on the signatures we have discussed.
<p>
<b><font face="Palatino,Book Antiqua"><font size=+2>Building the Database</font></font></b>
<br><font ><a href="http://www.enteract.com/~lspitz/traces.txt"> The database</a>
was built by testing a variety of systems with the Telnet, FTP, HTTP, and SSH protocol.
More testing needs to be conducted using various other protocols,
sessions, and systems. Also, another signature that may be valuable
are <a href="http://dev.whitehats.com/papers/passive/index.html">ICMP payloads.</a>
If you have any signatures to add to the database, please
send them to <a href="mailto:lance@spitzner.net?Subject=Passive Fingerprinting">
lance@spitzner.net</a>.</font>
<p>
<b><font face="Palatino,Book Antiqua"><font size=+2>Conclusion</font></font></b>
<br><font >Passive fingerprinting gives you the ability to learn about the enemy,
without them knowing it.&nbsp; Though no single piece of information can positively
identify an operating system, by combining several signatures, you can make an
approximation of the remote system.</font>
<p>
Thanks to the following people for their help and ideas:<br>
Marty Roesch<br>
Edward Skoudis<br>
Dragos Ruiu<br>
<p>
<b><i><font face="Helvetica-Narrow,Arial Narrow">Author's bio</font></i></b>
<br><i><font face="Palatino,Book Antiqua">Lance Spitzner enjoys learning
by blowing up his Unix systems at home. Before this, he was an <a href="http://www.enteract.com/~lspitz/officer.html">Officer
in the Rapid Deployment Force,</a> where he blew up things of a different
nature. You can reach him at <a href="mailto:lance@spitzner.net">lance@spitzner.net</a>
.</font></i>

</body>
</html>
