Thursday, February 21, 2008

Active Stack Fingerprinting

OS fingerprinting refers to any method used to determine which operating system is running on a remote computer. OS fingerprinting is an essential part of network reconnaissance, because an attacker has a much greater chance of succeeding if the attack strategy can be built around vulnerabilities specific to that operating system.
Remote OS fingerprinting is carried out by noting the way the remote system responds to specially crafted TCP packets. The checks range from examining the default TCP window size in a packet, to measuring the amount of data in ICMP packets, to gauging TCP initial sequence numbers. As with port scanning, there are several methods for fingerprinting an OS. Querying the services running on a target machine is often the simplest way to fingerprint it.
Active stack fingerprinting is based on the principle that an operating system's IP stack has its own unique way of responding to specially crafted TCP packets, because vendors interpret the specifications differently when implementing the TCP/IP stack for a particular OS. In active fingerprinting, a variety of malformed packets are sent to the remote host, and the responses are compared against a database of known signatures.
In Nmap, active stack fingerprinting is done through eight tests:
  1. A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP port.
  2. A TCP packet with no flags enabled is sent to an open TCP port.
  3. A TCP packet with the URG, PSH, SYN and FIN flags enabled is sent to an open TCP port.
  4. A TCP packet with the ACK flag enabled is sent to an open TCP port.
  5. A TCP packet with the SYN flag enabled is sent to a closed TCP port.
  6. A TCP packet with the ACK flag enabled is sent to a closed TCP port.
  7. A TCP packet with the URG, PSH and FIN flags enabled is sent to a closed TCP port.
  8. A UDP packet is sent to a closed UDP port. The objective is to elicit an ICMP port unreachable message from the target machine.
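Seen from the target's side, tests 1, 2, 3 and 7 use flag combinations that never appear in a normal TCP connection, so they are easy to pick out of a packet log. The following Python is an added example, not code from the original post or from Nmap: it parses a constructed log format (the field layout and the sample lines are this example's own assumptions) and reports source/destination pairs that have sent two or more of those probe types, which is the pattern of a fingerprint run rather than a lone malformed segment.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not the output of any real tool):
#   <timestamp> <src> > <dst>:<dport> <TCP|UDP> flags=<tcpdump-style letters, or - for none>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) > (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>TCP|UDP) flags=(?P<flags>[SAFRPUEC]*|-)$"
)
FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
              "P": "PSH", "U": "URG", "E": "ECE", "C": "CWR"}


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    letters = "" if m["flags"] == "-" else m["flags"]
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "proto": m["proto"], "flags": frozenset(FLAG_NAMES[c] for c in letters)}


# Flag sets of tests 1, 2, 3 and 7. None of them occurs in a normal connection:
# a segment with no flags, SYN together with FIN, or FIN/PSH/URG without ACK is
# never sent by a conforming stack, and an ECN-capable SYN carries CWR as well
# as ECE. Bare SYN and bare ACK (tests 4, 5, 6) look like ordinary traffic and
# are therefore not used as evidence here.
PROBE_SIGNATURES = {
    frozenset({"SYN", "ECE"}): "T1 SYN+ECE",
    frozenset(): "T2 NULL",
    frozenset({"URG", "PSH", "SYN", "FIN"}): "T3 URG+PSH+SYN+FIN",
    frozenset({"URG", "PSH", "FIN"}): "T7 URG+PSH+FIN",
}


def classify_probe(flags):
    """Label an anomalous TCP flag set, or return None for normal-looking traffic."""
    return PROBE_SIGNATURES.get(frozenset(flags))


def fingerprint_candidates(lines, min_distinct=2):
    """Group anomalous probes by (src, dst) and keep the pairs that show at least
    min_distinct different probe types. One malformed segment may be noise; several
    different ones aimed at the same host is the fingerprint sequence."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        label = classify_probe(rec["flags"])
        if label:
            seen[(rec["src"], rec["dst"])].add(label)
    return {pair: labels for pair, labels in seen.items() if len(labels) >= min_distinct}


# Constructed sample: 10.0.0.5 runs the probe sequence against 10.0.0.20,
# 10.0.0.9 is an ordinary client, 10.0.0.7 sends a single stray NULL segment.
SAMPLE_LOG = """
2008-02-21T10:00:01 10.0.0.5 > 10.0.0.20:80 TCP flags=SE
2008-02-21T10:00:01 10.0.0.5 > 10.0.0.20:80 TCP flags=-
2008-02-21T10:00:01 10.0.0.5 > 10.0.0.20:80 TCP flags=UPSF
2008-02-21T10:00:01 10.0.0.5 > 10.0.0.20:80 TCP flags=A
2008-02-21T10:00:02 10.0.0.5 > 10.0.0.20:31337 TCP flags=S
2008-02-21T10:00:02 10.0.0.5 > 10.0.0.20:31337 TCP flags=A
2008-02-21T10:00:02 10.0.0.5 > 10.0.0.20:31337 TCP flags=UPF
2008-02-21T10:00:02 10.0.0.5 > 10.0.0.20:31338 UDP flags=-
2008-02-21T10:00:03 10.0.0.9 > 10.0.0.20:80 TCP flags=S
2008-02-21T10:00:03 10.0.0.9 > 10.0.0.20:80 TCP flags=A
2008-02-21T10:00:03 10.0.0.9 > 10.0.0.20:80 TCP flags=PA
2008-02-21T10:00:03 10.0.0.9 > 10.0.0.20:80 TCP flags=FA
2008-02-21T10:00:04 10.0.0.7 > 10.0.0.20:80 TCP flags=-
""".strip().splitlines()

if __name__ == "__main__":
    for (src, dst), labels in fingerprint_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {', '.join(sorted(labels))}")
```

Only 10.0.0.5 is reported: the single NULL segment from 10.0.0.7 stays below the threshold, and the bare SYN/ACK probes of tests 4 to 6 are indistinguishable from normal traffic on their own. Test 8 shows up on the wire as an ICMP port unreachable sent by the target, which this snippet does not model.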
One more test that Nmap performs is named TSeq, the TCP sequenceability test. It tries to determine the generation pattern of the TCP initial sequence number (TCP ISN sampling), of the IP identification number (IPID sampling) and of the TCP timestamp. The test is performed by sending six TCP packets with the SYN flag enabled to an open TCP port. The objective is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. These can be categorized into groups such as the traditional 64K rule (many old UNIX systems), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital Unix, Cray, etc.) and true "random" (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time dependent" model where the ISN is incremented by a fixed amount each time period.
Most operating systems increment a system-wide IPID value for each packet they send. Others, such as OpenBSD, use a random IPID, and some systems (like Linux) use an IPID of 0 in many cases where the "Don't Fragment" bit is not set. Windows does not put the IPID in network byte order, so it appears to increment by 256 for each packet. Another number that can be sequenced for OS detection purposes is the TCP timestamp option value. Some systems do not support the feature; others increment the value at frequencies of 2 Hz, 100 Hz or 1000 Hz, and still others return 0.
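The classes described above are easy to see once the six sampled values are turned into consecutive differences. The Python below is an added example, not code from the original post or from Nmap: it classifies constructed ISN, IPID and timestamp samples with simple heuristics (the class names, the thresholds and all sample values are this example's own assumptions, not Nmap's exact rules). The same arithmetic shows why a "constant" or "64K" ISN class is worth knowing about as a defender: a peer whose next ISN can be predicted from the last one is exposed to blind spoofed connections.

```python
def deltas(samples, bits):
    """Differences between consecutive samples, modulo the counter width (wrap-around safe)."""
    mod = 1 << bits
    return [(b - a) % mod for a, b in zip(samples, samples[1:])]


def classify_isn(isns):
    """Heuristic ISN classes in the spirit of the TSeq test (thresholds are this example's)."""
    d = deltas(isns, 32)
    if all(x == 0 for x in d):
        return "constant"
    if all(x == 64000 for x in d):
        return "64K rule"
    if all(x == d[0] for x in d):
        return "fixed increment (time dependent)"
    if all(0 < x < (1 << 31) for x in d):           # always grows, but by varying amounts
        return "random positive increments"
    return "truly random"                            # differences spread over the whole space


def classify_ipid(ipids):
    """Heuristic IPID classes: the 16-bit counter, its byte-swapped form, zero, or random."""
    if all(v == 0 for v in ipids):
        return "all zeros"
    d = deltas(ipids, 16)
    if all(x == 1 for x in d):
        return "incremental"
    if all(x == 256 for x in d):
        return "incremental by 256 (byte-swapped counter)"
    return "random"


def timestamp_rate_hz(tsvals, interval_s):
    """Estimate the TCP timestamp tick rate from samples taken interval_s apart.
    Returns None when the option is unsupported or the peer always answers 0."""
    if not tsvals or all(v == 0 for v in tsvals):
        return None
    d = deltas(tsvals, 32)
    return round(sum(d) / len(d) / interval_s)


# Constructed samples (six values each, as if taken from six SYN|ACK replies).
SAMPLE_ISN_64K = [0x00010000 + 64000 * i for i in range(6)]
SAMPLE_ISN_TD = [0x00050000 + 1000 * i for i in range(6)]
SAMPLE_ISN_RI = [0x10000000, 0x10003039, 0x1001A2F4, 0x1001B0B0, 0x10040001, 0x10062222]
SAMPLE_ISN_RANDOM = [0x9A3F1C22, 0x1B77E0D4, 0xE3020A11, 0x4C9D5F08, 0xB1E7A93C, 0x2F6A0D55]
SAMPLE_IPID_WINDOWS = [0x1000, 0x1100, 0x1200, 0x1300, 0x1400, 0x1500]
SAMPLE_IPID_ZERO = [0, 0, 0, 0, 0, 0]
SAMPLE_IPID_INCR = [65533, 65534, 65535, 0, 1, 2]      # wraps at 16 bits
SAMPLE_TS_100HZ = [100000 + 10 * i for i in range(6)]  # sampled 0.1 s apart

if __name__ == "__main__":
    for name, s in [("64K", SAMPLE_ISN_64K), ("TD", SAMPLE_ISN_TD),
                    ("RI", SAMPLE_ISN_RI), ("random", SAMPLE_ISN_RANDOM)]:
        print(f"ISN {name}: {classify_isn(s)}")
    print("IPID Windows-style:", classify_ipid(SAMPLE_IPID_WINDOWS))
    print("timestamp rate:", timestamp_rate_hz(SAMPLE_TS_100HZ, 0.1), "Hz")
```

The "random positive increments" versus "truly random" split is only a heuristic: five differences drawn uniformly from the 32-bit space will all land below 2^31 about one time in thirty-two, so a real classifier samples more than once before trusting the answer.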

Tuesday, February 19, 2008

Port Scanning Tools (4) : Nmap

Nmap, or Network Mapper, written by Fyodor, is considered the best port scanning tool currently available. Nmap is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in innovative ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL. It can be downloaded from http://nmap.org/
Nmap's remote OS detection is covered in detail under Active Stack Fingerprinting.
Nmap supports several ways of spoofing a scan. One way is to give a different source IP. If you are on a broadcast Ethernet segment, it is possible to specify a non-existent IP address and to sniff the network for the packets sent in reply to that address.
Another way of keeping the identity obscure is to use the decoy option. Scans are spoofed so that they appear to originate from decoy machines, with the real scan from the user's machine interspersed in between. This is a slow scan, and the obscurity improves with the number of decoys. The idea is to confuse the target host's administrator about which scan is the real one. The hosts used as decoys should be up, or the scan might accidentally SYN flood the target.
The ident scan option can be used only if the target has port 113/auth open. It works only with the TCP connect scan. It reveals the owner of the daemon listening on the port if the site is running identd. This scan requires the complete TCP three-way handshake and will be logged on the target.
The fragmentation option lets the user split the probe into small IP fragments. This makes it harder for packet filters to detect the scan unless they queue up all IP fragments (which is rare). However, this can sometimes cause unexpected behavior on the target system.

Monday, February 18, 2008

Port Scanning Tools (3) : SuperScan

SuperScan is a powerful connect-based TCP port scanner, pinger and hostname resolver released by Foundstone. SuperScan 4 can be downloaded from http://www.foundstone.com/us/resources/proddesc/superscan4.htm
The visual interface allows the attacker to view the responses from connected hosts. The built-in editor allows manipulation of the port list and port descriptions. The advantage is that certain ports can be skipped, since the ping results can be analyzed beforehand to make the scan faster. The tool can be used to connect to any discovered open port using user-specified "helper" applications, and a custom helper application can be assigned to any port. The attacker can also save the scan list to a text file for future reference. The scan can be slowed down by controlling the transmission speed.
On the Windows platform, SuperScan does a very good job of swiftly looking for open ports. However, it does not give additional information such as whether a port is closed, open, or filtered. Nmap is the better scanner for more detailed information, or when the attacker wants to use more advanced scanning techniques.

Port Scanning Tools (2) : NetScanTools

NetScanTools consists of many network functions. Most of the functions are designed to run in separate threads, so several tabs can be used simultaneously. Communication is based primarily on the TCP/IP protocol at the Winsock level. NetScanTools does not rely on remote agents to gather information; instead, it uses active probing and passive listening.
Active probing means that NetScanTools initiates packets of information called datagrams and listens for the responses to those packets. The responses are normally formatted into specific replies at a level above the transport layer, such as TCP or UDP. An example would be a name server response containing the IP address of a host.
NetScanTools Pro has a scanner tab called Port Prober. Port Prober is an essential tool for determining the services or daemons running on a target machine. The prober is multithreaded and configurable, and it allows running four different types of probing patterns. The user can build lists of target IP addresses and lists of ports to probe, specifying the timeout and the protocol to connect with. In addition, any data received from the target port upon connection is saved for viewing. The results are presented in a tree view and are color-coded with different types of images so that information can be located at a glance.
The types of port connection supported are:
  • TCP Full Connection. This mode makes a full connection to the target. It is the most accurate way to determine TCP services, but it is also easily detected by an IDS.
  • UDP ICMP Port Unreachable Connect. This mode sends a short UDP packet to the target's UDP ports and looks for an ICMP Port Unreachable message in return. The absence of the message implies either that the port is in use or that the target does not return the ICMP message, which can lead to false positives. This mode is easily recognized by an IDS.
  • TCP Full/UDP ICMP Combined. This mode combines the previous two modes into one operation.
  • TCP SYN Half Open. For Windows XP/2000 only. This mode sends a SYN packet to the target port and listens for the appropriate response. Open ports respond with SYN|ACK and closed ports respond with ACK|RST or RST. This mode is less likely to be noticed by an IDS, but since the connection is never completed, it cannot gather data or banner information. However, the attacker has full control over the TTL, source port, MTU, sequence number and window parameters in the SYN packet.
  • TCP Other. Windows XP/2000 only. This mode sends a TCP packet with any combination of the SYN, FIN, ACK, RST, PSH and URG flags set to the target port and listens for the response. The attacker has full control over the TTL, source port, MTU, sequence number and window parameters in the custom TCP packet. Each operating system responds differently to these special combinations. The tool includes presets for the XMAS, NULL, FIN and ACK flag settings.
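The difference between the full-connection and the SYN half-open modes is visible in a packet capture: a full connection completes the three-way handshake, so the server's application sees it (and logs it), while a half-open probe answers the SYN|ACK with a RST and never reaches the application. The Python below is an added example, not code from the original post or from NetScanTools: it follows each client SYN in a constructed capture (the record layout and all sample packets are this example's own assumptions), records how the handshake ended, and reports sources that touched several ports on one host, labelled by the handshake style they used.

```python
from collections import defaultdict

# Constructed capture: (time, src, sport, dst, dport, tcpdump-style flags).
# Not the output of any real tool.
SAMPLE_CAPTURE = [
    # 10.0.0.5: SYN half-open probes. Every SYN|ACK is answered with RST, never ACK.
    (1.00, "10.0.0.5", 40001, "10.0.0.20", 22, "S"),
    (1.01, "10.0.0.20", 22, "10.0.0.5", 40001, "SA"),
    (1.02, "10.0.0.5", 40001, "10.0.0.20", 22, "R"),
    (1.03, "10.0.0.5", 40002, "10.0.0.20", 23, "S"),
    (1.04, "10.0.0.20", 23, "10.0.0.5", 40002, "RA"),   # closed port
    (1.05, "10.0.0.5", 40003, "10.0.0.20", 80, "S"),
    (1.06, "10.0.0.20", 80, "10.0.0.5", 40003, "SA"),
    (1.07, "10.0.0.5", 40003, "10.0.0.20", 80, "R"),
    (1.08, "10.0.0.5", 40004, "10.0.0.20", 443, "S"),
    (1.09, "10.0.0.20", 443, "10.0.0.5", 40004, "SA"),
    (1.10, "10.0.0.5", 40004, "10.0.0.20", 443, "R"),
    # 10.0.0.9: full-connection probes. The handshake completes, then the client closes.
    (2.00, "10.0.0.9", 50001, "10.0.0.20", 22, "S"),
    (2.01, "10.0.0.20", 22, "10.0.0.9", 50001, "SA"),
    (2.02, "10.0.0.9", 50001, "10.0.0.20", 22, "A"),
    (2.03, "10.0.0.9", 50001, "10.0.0.20", 22, "FA"),
    (2.10, "10.0.0.9", 50002, "10.0.0.20", 80, "S"),
    (2.11, "10.0.0.20", 80, "10.0.0.9", 50002, "SA"),
    (2.12, "10.0.0.9", 50002, "10.0.0.20", 80, "A"),
    (2.13, "10.0.0.9", 50002, "10.0.0.20", 80, "FA"),
    (2.20, "10.0.0.9", 50003, "10.0.0.20", 443, "S"),
    (2.21, "10.0.0.20", 443, "10.0.0.9", 50003, "SA"),
    (2.22, "10.0.0.9", 50003, "10.0.0.20", 443, "A"),
    (2.23, "10.0.0.9", 50003, "10.0.0.20", 443, "FA"),
    # 10.0.0.11: an ordinary client talking to one port.
    (3.00, "10.0.0.11", 51000, "10.0.0.20", 80, "S"),
    (3.01, "10.0.0.20", 80, "10.0.0.11", 51000, "SA"),
    (3.02, "10.0.0.11", 51000, "10.0.0.20", 80, "A"),
    (3.03, "10.0.0.11", 51000, "10.0.0.20", 80, "PA"),
]


def track_handshakes(capture):
    """Follow every client SYN and record how its handshake ended.
    States: syn_sent -> syn_ack -> established | half_open, or syn_sent -> closed."""
    flows = {}
    for _t, src, sport, dst, dport, flags in sorted(capture):
        fwd = (src, sport, dst, dport)     # client -> server direction
        rev = (dst, dport, src, sport)     # key of the flow this packet answers
        if flags == "S" and fwd not in flows:
            flows[fwd] = "syn_sent"
        elif rev in flows:                  # packet from the server side
            if flags == "SA" and flows[rev] == "syn_sent":
                flows[rev] = "syn_ack"
            elif "R" in flags and flows[rev] == "syn_sent":
                flows[rev] = "closed"       # RST to a SYN: port closed
        elif flows.get(fwd) == "syn_ack":   # client's reply to the SYN|ACK
            if "R" in flags:
                flows[fwd] = "half_open"    # torn down before the application saw it
            elif "A" in flags:
                flows[fwd] = "established"  # third leg of the handshake sent
    return flows


def scan_report(capture, min_ports=3):
    """Per (src, dst): the distinct ports touched and the handshake style used,
    for sources that touched at least min_ports ports on the same host."""
    per_pair = defaultdict(lambda: {"ports": set(), "half_open": 0, "established": 0, "closed": 0})
    for (src, _sport, dst, dport), state in track_handshakes(capture).items():
        entry = per_pair[(src, dst)]
        entry["ports"].add(dport)
        if state in entry:
            entry[state] += 1
    report = {}
    for pair, e in per_pair.items():
        if len(e["ports"]) < min_ports:
            continue
        kind = "SYN half-open scan" if e["half_open"] > e["established"] else "TCP connect scan"
        report[pair] = (kind, sorted(e["ports"]))
    return report


if __name__ == "__main__":
    for (src, dst), (kind, ports) in scan_report(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {kind} on ports {ports}")
```

Because the half-open flows never reach accept() on the server, neither application logs nor an ident lookup will ever record them; only a capture or a firewall's connection tracking sees them, which is the reason the text calls this mode the harder one for an IDS to notice.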
The types of probe pattern are:
  • Sequential Probe. This method scans a linear set of ports, as defined by the start/end port numbers, over a linear set of IP addresses, as defined by the IP address range settings.
  • Probe Port List. This mode probes only the ports listed in the Port List. It probes either a single host or a range of IP addresses, depending on the selection made in the Probe Single Host/Probe IP Range radio button group. It probes each host sequentially (the first, then the second, and so on) using the list of port numbers shown in the Port List.
  • Sequential Port Probe Using the Target List. This mode probes every port in the starting-through-ending port range on every computer in the target list.
  • Probe a List of Ports on a List of Targets. This is the most stealthy mode and uses the least CPU time and bandwidth, because scanning is restricted to only the target ports on the target machines.

Sunday, February 17, 2008

Port Scanning Tools (1) : ipEye, IPSecScan

ipEye
ipEye is a command-line driven port scanner written by Arne Vidstrom. It is a lightweight, powerful tool, but Windows-based only. It can be downloaded from http://www.ntsecurity.nu/toolbox/ipeye/

Usage for ipEye is:

ipEye -p [optional parameters]

where scantype can take one of the values: -syn = SYN scan, -fin = FIN scan, -null = NULL scan, -xmas = Xmas scan


IPSecScan
IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled. It can be downloaded from http://www.ntsecurity.nu/toolbox/ipsecscan/
IPSec is short for IP Security. It is a set of protocols developed by the IETF to support the secure exchange of packets at the IP layer.
IPSec = AH + ESP + IPcomp + IKE
  • Authentication Header (AH) provides an authenticity guarantee for packets by attaching a strong cryptographic checksum to each packet. If a packet is received with AH and the checksum verifies, it indicates that the packet originated from the expected peer (it was not generated by an impersonator) and that it was not modified in transit. Unlike other protocols, AH covers the whole packet, from the IP header to the end of the packet.
  • Encapsulating Security Payload (ESP) provides a confidentiality guarantee for packets by encrypting them with encryption algorithms. If a packet is received with ESP and successfully decrypted, it indicates that its contents were not known to any third party other than the sender and receiver.
  • ESP provides an encryption service for packets. However, encryption tends to have a negative impact on compression on the wire (such as PPP compression). IP Compression (IPcomp) provides a way to compress packets before they are encrypted by ESP.
  • AH and ESP need a secret key shared between the peers. Internet Key Exchange (IKE) makes it possible to negotiate those keys in secrecy.
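The AH property above, a keyed checksum that covers the IP header as well as the payload, is easy to see in miniature. The Python below is an added example, not code from the original post or from any IPSec implementation, and it does not use the real AH wire format: it models a packet as a dict, computes an HMAC-SHA256 integrity check value over every field except the TTL (which routers change in transit and which real AH therefore treats as mutable and zeroes before hashing), and shows that a hop's TTL decrement still verifies while a rewritten payload or source address does not. The key, the field layout and all packet values are this example's own constructed assumptions; in real IPSec the key would come from IKE.

```python
import hmac
import hashlib

# Toy packet layout for this example (not the IPv4/AH wire format).
# ttl is the one mutable field: routers decrement it, so it is zeroed for the ICV.

def canonical_bytes(pkt):
    """Serialize the packet with the mutable field replaced by zero, as AH does before hashing."""
    return b"|".join([
        pkt["src"].encode(), pkt["dst"].encode(),
        b"ttl=0",                      # mutable in transit: excluded from the check
        str(pkt["proto"]).encode(),
        pkt["payload"],
    ])


def ah_icv(key, pkt):
    """Integrity Check Value over header and payload (HMAC-SHA256 chosen for this example)."""
    return hmac.new(key, canonical_bytes(pkt), hashlib.sha256).digest()


def ah_verify(key, pkt, icv):
    """True only if the packet was produced by a holder of key and unchanged apart from ttl."""
    return hmac.compare_digest(ah_icv(key, pkt), icv)


def demo(key=b"constructed-shared-secret"):
    sent = {"src": "10.0.0.1", "dst": "10.0.0.2", "ttl": 64, "proto": 6,
            "payload": b"GET / HTTP/1.0\r\n"}
    icv = ah_icv(key, sent)
    after_hop = dict(sent, ttl=63)                              # a router decremented TTL
    tampered = dict(after_hop, payload=b"GET /admin HTTP/1.0\r\n")  # payload rewritten in transit
    spoofed = dict(after_hop, src="10.0.0.99")                  # header field rewritten in transit
    return {
        "after_hop": ah_verify(key, after_hop, icv),    # True: TTL is not covered
        "tampered": ah_verify(key, tampered, icv),      # False: payload is covered
        "spoofed": ah_verify(key, spoofed, icv),        # False: the IP header is covered too
        "wrong_key": ah_verify(b"other-key", after_hop, icv),  # False: not from the expected peer
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'verifies' if ok else 'rejected'}")
```

The last line of the table is the point of the "originated by the expected peer" guarantee: without the shared key, a forger cannot produce an ICV that the receiver accepts, which is also why the security of the whole scheme comes down to keeping that key secret.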
IPSec has been deployed widely in VPNs. IPSec supports two encryption modes: Transport and Tunnel.
Transport mode encrypts only the data portion (payload) of each packet but leaves the header unchanged. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet.
For IPSec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates.
The security of the IPSec protocols relies on the secrecy of the secret keys. If the secret keys are compromised, the IPSec protocols are no longer secure.
Reference for readers: old IPSec suite - RFC 1825; new IPSec suite - RFC 2401.