操作系统识别
2016-06-10 本文已影响187人
曼路x_x
title: 操作系统识别
date: 2016-06-04 12:16
tags: kali渗透测试 主动信息收集
OS的识别技术多种多样,有简单的也有复杂的,最简单的就是用TTL值去识别。不同类型的OS默认的起始TTL值是不同的,比如,windows的默认是128,然后每经过一个路由,TTL值减一。Linux/Unix的值是64,但有些特殊的Unix会是255。
0x00 Python识别TTL值
#!/usr/bin/python
from scapy.all import *
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
import sys
if len(sys.argv) != 2:
print("Usage --/ttl_os.py [IP Address]")
print("Example --/ttl_os.py 192.168.0.1")
print("Example will preform ttl analysis to attempt to determine whether the system is windows or linux/unix")
sys.exit()
ip = sys.argv[1]
ans = sr1(IP(dst=str(ip))/ICMP(), timeout=1, verbose=0)
if ans == None:
print("NO response was returned")
elif int(ans[IP].ttl)<=64:
print("Host is Linux/Unix")
else:
print("Host is Windows")
0x01 NMAP识别OS
由于自身脚本的局限性,Python扫描的结果过于简单。
NMAP的-O参数同样可以进行OS的识别
➜ Python nmap -O 192.168.0.1
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-04 16:06 CST
Nmap scan report for 192.168.0.1
Host is up (0.00077s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: C8:3A:35:4E:4B:B0 (Tenda Technology)
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds
使用__namp -O __对所在的网关进行OS识别扫描。
0x02 被动识别OS
基于网络监听的工作原理,Windows和Linux发送出来的包是有很大区别的。被动式的扫描可以部署在网络进出口的地方,目的是让所经过的流量通过我的流量分析器。
同样在Kali中也存在这般的工具p0f,他会监听凡是通过本地网卡的流量。
➜ ~ p0f
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---
[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.
.-[ 192.168.0.109/52188 -> 106.2.189.18/80 (syn) ]-
|
| client = 192.168.0.109/52188
| os = Linux 3.11 and newer
| dist = 0
| params = none
| raw_sig = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
p0f不但会探测OS类型,同时也会对目标上面所运行的应用程序进行探测。