Operating System Detection and Fingerprinting Part 1 - NM
7 hours 1 minute
Welcome to the end map lesson on operating system detection and fingerprinting.
Always detection and fingerprinting is one of the most powerful features of end map. And just like application and service version detection, there's a lot to cover in this lesson. So let's get right to it.
Here are the learning objectives for this lesson.
First, we'll talk about what operating system detection and fingerprinting is an end map.
Second will discuss why it is both relevant and important.
Third, we'll talk about when and how to use it, including the most important command line option. You need to know
they don't provide a couple other command line options that are really helpful,
and we'll finish up this lesson with a lab on operating system detection and fingerprinting. Let's get started.
Os detection is exactly as it sounds, and map sends up to 16 DCP,
UDP and ICMP probes against the target, then evaluates responses in order to determine the operating system that the target is running.
There are several ways to perform OS detection and map, which will go over later, but fundamentally it can be performed with a single command line switch, and that is dash capital o
the combination of all responses received by N map. Make up the devices fingerprint.
So OS detection tells us what operating system the target is running.
But fingerprinting provides us with details about that system that make up a more unique identification.
In General OS detection and fingerprinting is much more accurate and informative on a local network than on a remote network,
but it provides extremely valuable information. In both cases,
the Last bullet point is a reference to a great entry point into discovering all of end maps. Capabilities regarding OS detection in fingerprinting,
OS detection and fingerprinting offers many of the same benefits is application and service version detection and provides answers to key questions that interest both network admin, DS and information security professionals.
It's include I T Asset Management,
Licensing and Compliance, among others.
For network admin, DS and security operations teams. It is vital to know
what operating systems were running on your network,
and map can either be your primary source for learning this information quickly, or it could be a secondary source to compare against your IittIe asset management software.
One obvious benefit to having multiple sources of this information is that any differences in the 2 may indicate unknown or rogue devices.
In this case, OS detection and figure bringing in N map may lead to further investigation of a potential breach
for penetration testers. Learning the operating system of your target is Justus important as learning app in service versions.
The vulnerabilities that exist in older and unpatched operating systems provide low hanging fruit for exploitation.
Once a machine on the inside of the network perimeter has been breached, pivoting to other machines is much easier.
So OS detection is a great way to quickly find Target Machine's.
So far, we've discussed a lot about how N map discovers devices on a network thin skins for open ports than attempts to determine what service is an application versions Air running on Target hosts.
In the last lesson, I suggested that this is the normal flow of N map scanning, and I truly believe that is a great way to structure approach to scanning.
I've placed OS detection in fingerprinting on the end of this module for one reason alone, and that is because of the complexity of what end map is performing during an OS detection scan
With that said. I'd suggest one possible alteration to your scanning of a network.
Consider performing device Discovery first, then OS detection and fingerprinting, followed by port scanning and service. An application version detection
have placed a graphic at the top of this slide to represent the flow.
Obviously, how you structure your scanning is completely up to you and depending on your objective, this flow may not always be appropriate
for your use of time. But I think you'll agree that this flow makes sense because your skin results in each phase will become more and more granular,
and the end result will be an extreme amount of detail of your target network and its hosts.
The basic command for performing OS detection and fingerprinting is simple.
It is an map space dash capital O.
In my experience, and especially on a network with a lot of Windows hosts, an enhancement to this scan is in map space. Dash Capital O Space dash Dash script equals SMB Dash O s Dash Discovery
Space Dash V, then the target host.
We've discovered we've covered NSC in several past lessons and we'll go over it more detail of the next one, but
the use of SMB Dash O s Dash Discovery script will be very helpful and informative when performing os detection. So I simply couldn't justify leaving it out of this lesson.
I'll demonstrate it in the lab.
Additionally, I suggest that you use the dash V to increase the verbosity of your scan results.
Not only will you get instant gratification of each scanning phase, but will also get some detail that you wouldn't normally obtain.
The last bullet point on this slide simply shows you the command as it is typed out in its entirety against the host 1 92.1 68 that 1.10
Here are some other command line options that you can add to your OS detection scan along with the dash Capital O,
with the exception of the last one, which is dash Capital A.
I've shown you Aah! Dash Capital A in the past and I've told you how powerful it is.
The difference between the 1st 3 options and the dash capital A is that the 1st 3 will complement dash capital O, whereas the dash capital A can be used as a replacement for dash capital O
Dash os can dish limit is said toe limit OS detection, too. Promising targets. In other words, if you're trying to perform OS detection against an entire sub net and wanted to be accurate yet go quickly at the dash Dash O s scan dash limit option
as you'll see when you run OS detection scans. And Matt will tell you that OS detection is most effective if at least one open and one closed TCP ports are found.
Dash dash O s scan dash limit causes the dash o
dash capital O or dash capital A toe on lee be performed when these conditions are met.
Dash dash O s scan dash guests or dash dash fuzzy for short are the same thing. And well, guess Os detection results
when you run a normal dash capital. Oh, and map will only provide you with a guest of the target OS. It is very confident in its results
when you use this option
and map will give you its best guess. And we'll add a confidence level for each guests
again. You'll see this in the lab
Dash dash max, Dash O s dash tries
followed by a space and a number will set the maximum number of OS detection tries against the target.
When an unmapped dash, capital O or Dash Capital A has performed and fails to find a perfect match, it will repeat the attempt five times until it provides you with the result.
The Dash Dash Max OS tries allows you to find, tune and map in such a way that you can essentially increase the speed or increase the possibility of accuracy of the OS detection scan.
Finally, dash capital A.
I considered Platt placing Dash A in the lesson on service inversion detection, but decided not to. It's simply to reduce redundancy and save you time
Dash capital A Stands for advanced and aggressive. Well, at least that's what I decided. The creators of N map haven't decided what which it stands for, so I decided to make it stand for both.
If you walk away from this course remembering little about the command line switches I provided, I urge you to remember Dash Capital A.
It is somewhat slow and noisy, but it provides a lot of bang for the buck.
Essentially, it performs detailed port scanning, OS detection and application inversion detection, all in one.
Additionally, it runs NSC script scans against the target hosts.
I think that the unmapped creators decided not to make it stand for aggressive because of their timing option. Dash Capital T four
Capital T four. Adjust the timing oven End maps can too aggressive
the dash Capital A does not do that by default.
However, From an idea standpoint, all of the things that the dash capital a option performs will certainly look aggressive and even somewhat hostile.
So use it carefully.
In some cases, it may even appear to be a denial of service attack
now into the lab, and this lab will run through the steps mentioned in earlier slide.
First, we'll do a host Discovery scan. Then we'll do simple OS detection and finger burning scan.
Then we'll add some additional options and finally will perform an advanced and aggressive scan using the dash capital A Let's do it