Operating system identification

2016-06-10  曼路x_x

title: Operating system identification
date: 2016-06-04 12:16
tags: Kali penetration testing, active information gathering


There are many OS identification techniques, some simple and some elaborate; the simplest relies on the TTL value. Different OS families start from different default TTL values: Windows defaults to 128, and every router the packet passes through decrements the TTL by one. Linux/Unix uses 64, although some particular Unix variants use 255.

0x00 Identifying the OS from the TTL value with Python

#!/usr/bin/python
import logging
import sys

# Silence scapy's runtime warnings (e.g. "No route found for IPv6") before importing it,
# so that only this script's own output is shown.
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

if len(sys.argv) != 2:
    print("Usage --/ttl_os.py [IP Address]")
    print("Example --/ttl_os.py 192.168.0.1")
    print("Example will perform ttl analysis to attempt to determine whether the system is windows or linux/unix")
    sys.exit()

ip = sys.argv[1]

# Send a single ICMP echo request and wait at most one second for the reply (raw sockets need root).
ans = sr1(IP(dst=str(ip))/ICMP(), timeout=1, verbose=0)
if ans is None:
    print("NO response was returned")
elif int(ans[IP].ttl) <= 64:
    # A reply TTL at or below 64 fits the Linux/Unix default of 64 minus one per hop.
    print("Host is Linux/Unix")
else:
    # Anything above 64 is taken as a Windows start value of 128.
    print("Host is Windows")

0x01 Identifying the OS with Nmap

Because the script itself is so limited, the result of the Python scan is too coarse.
Nmap's -O option can also perform OS identification:

➜  Python nmap -O 192.168.0.1  

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-04 16:06 CST
Nmap scan report for 192.168.0.1
Host is up (0.00077s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
MAC Address: C8:3A:35:4E:4B:B0 (Tenda Technology)
Device type: general purpose
Running: Wind River VxWorks
OS CPE: cpe:/o:windriver:vxworks
OS details: VxWorks
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.07 seconds

The command above uses nmap -O to run an OS detection scan against the local gateway.


0x02 Passive OS identification

Given how network sniffing works, the packets that Windows and Linux send out differ considerably. A passive scanner can be deployed at the network's ingress/egress point so that all traffic passing through it goes via my traffic analyser.

Kali also ships a tool of this kind, p0f, which listens to all traffic passing through the local network interface:

➜  ~ p0f
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from 'p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Entered main event loop.

.-[ 192.168.0.109/52188 -> 106.2.189.18/80 (syn) ]-
|
| client   = 192.168.0.109/52188
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

p0f not only identifies the OS type; it also fingerprints the applications running on the target.
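The two heuristics this post relies on, as an added example that is not code from the original post, p0f or Nmap: inferring the initial TTL and hop count from an observed TTL (the rule from the introduction, with the 64/128/255 buckets the Python script collapses into two), and pulling the observed TTL and distance out of the raw_sig line in the p0f output above. The signature layout (ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass) and the 'observed_ttl+distance' form of the ittl field follow the p0f v3 README; the second signature below is constructed, not captured.

```python
# Added example (not from the original post, p0f or Nmap): apply the TTL rule
# above (one less per router hop) and parse p0f's raw_sig line.
from dataclasses import dataclass
from typing import List, Tuple

# Common default initial TTLs and the OS family each usually indicates.
INITIAL_TTLS = {64: "Linux/Unix", 128: "Windows", 255: "Unix/network device"}

# PAGE_SIG is copied from the p0f output above; CONSTRUCTED_SIG is a made-up
# Windows-like signature seen 12 hops away (not captured data).
PAGE_SIG = "4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0"
CONSTRUCTED_SIG = "4:116+12:0:1460:8192,8:mss,nop,ws,nop,nop,sok:df,id+:0"

def infer_initial_ttl(observed_ttl: int) -> Tuple[int, int, str]:
    """(initial_ttl, hops, os_hint): the initial TTL is the smallest common
    default >= the observed value; the gap is the hop count. Heuristic only."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl, INITIAL_TTLS[initial]
    raise AssertionError("unreachable: 255 covers every valid TTL")

@dataclass
class P0fSig:
    ip_version: str
    observed_ttl: int
    distance: int
    mss: int
    window: str          # 'wsize,scale' kept verbatim, e.g. 'mss*20,7'
    options: List[str]   # TCP option layout, in order
    quirks: List[str]
    payload_class: str

def parse_raw_sig(raw_sig: str) -> P0fSig:
    """Parse a p0f v3 TCP signature: ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass."""
    fields = raw_sig.strip().split(":")
    if len(fields) != 8:
        raise ValueError("expected 8 colon-separated fields, got %d" % len(fields))
    ver, ittl, _olen, mss, wsize, olayout, quirks, pclass = fields
    ttl_part, _, dist_part = ittl.partition("+")  # tolerate a bare '64' with no '+dist'
    return P0fSig(ver, int(ttl_part), int(dist_part or 0), int(mss), wsize,
                  olayout.split(","), quirks.split(",") if quirks else [], pclass)

def os_hint_from_sig(raw_sig: str) -> Tuple[str, int, int]:
    """Combine p0f's distance estimate with the TTL table: (os_hint, initial_ttl, hops)."""
    sig = parse_raw_sig(raw_sig)
    initial = sig.observed_ttl + sig.distance
    return INITIAL_TTLS.get(initial, "unknown"), initial, sig.distance
```

For the page's own signature this yields ("Linux/Unix", 64, 0), matching the os and dist lines p0f printed; the full os name still comes from p0f's option-layout and quirk matching, which this TTL-only table does not attempt.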
