[REVS] Host Fingerprinting and Firewalking With hping



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Host Fingerprinting and Firewalking With hping
------------------------------------------------------------------------


SUMMARY

This paper discusses techniques that can be used effectively for remote
host fingerprinting, with particular attention to hosts that sit behind
firewalls.

DETAILS

Introduction:
Remote host fingerprinting is the process of identifying the open service
ports and the operating system of a machine over the network. It is usually
achieved by active or passive scanning: sending a variety of packets to
the remote machine and examining the responses. Generally available tools,
nmap included, do a fairly good job of scanning and guessing the remote
operating system. Where a host is firewalled, however, these tools help
much less, producing ambiguous or incorrect results. This is especially
true of heavily firewalled machines that allow only a very small number of
packets to be forwarded and answered. In those cases other methods are
needed to determine the state of a remote machine correctly. We will
examine some alternatives, including RING scans and ICMP scans. The first
section describes various port scanning techniques; the next throws some
light on OS fingerprinting.

Note: Several tools are used to explain the techniques, but the majority of
the work is based on a simple and powerful utility named hping. This paper
assumes that the reader has a basic understanding of remote host
fingerprinting and of Transmission Control Protocol/Internet Protocol
(TCP/IP). We will review both service port fingerprinting and OS
fingerprinting in certain firewalled environments, and will analyze the
methods in enough detail to bring out the advantages and disadvantages of
each technique. Familiarity with hping and nmap will be useful for
understanding the methods.

Port Scanning:
We start with general port scanning techniques using tools including nmap
and hping. We first discuss the common SYN and SYN/ACK scans and how
various hosts behave on receiving these TCP packets. Then we see how the
results differ between firewalled and non-firewalled machines. Afterwards
some more advanced techniques are discussed, including FIN scans and UDP
scans against firewalled hosts.

Hping:
Hping is a tool that can be used effectively for scanning, fingerprinting
and firewall testing. Among its features are the ability to craft custom
packets for several protocols (TCP, UDP, ICMP and raw IP) and to perform
remote port scans, which makes it well suited to examining how a host
responds to unusual packets.

Nmap:
Network Mapper (nmap) is a well-known network auditing tool for advanced
port scanning and OS detection. It has a powerful feature set, including
idle (zombie) scanning, but it cannot send arbitrarily crafted packets the
way hping can.

Testing with a half-open scan (SYN):
The idea of half-open scanning (also called SYN scanning) is simple.
Without completing the TCP three-way handshake, send an initial SYN packet
and wait for the response. If a SYN/ACK comes back, the remote port is
open; if a packet with the RST flag set comes back, the port is closed. On
a firewalled host there is a third outcome: no reply at all, or an ICMP
unreachable message, which means the probe was filtered and says nothing
about whether the port is open. Because the handshake is never completed
(the scanning host's kernel answers the SYN/ACK with a RST, since no socket
is waiting for it), no connection is established and the target
application never sees the probe.
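The following is an added example, not code from the paper or from hping itself. It shows the hping3 invocation for a SYN probe (a hypothetical target address 192.0.2.10 is assumed) and a small classifier that maps an hping3 reply line to open, closed or filtered, covering the "no reply / ICMP unreachable" case that a firewalled host produces. Sending probes needs root and a live target, so the classifier is exercised on constructed sample lines that approximate hping3's output format rather than on captured traffic.

```shell
#!/bin/sh
# Added example: interpret hping3 replies from a SYN (half-open) scan.
#
# Sending the probes requires root and a reachable target, so the commands
# are shown as comments; the classifier below runs on constructed samples.
#
# A single SYN probe to one port (hypothetical target 192.0.2.10):
#   hping3 -S -p 80 -c 1 192.0.2.10
# A range of ports in one run:
#   hping3 -S --scan 1-1024 192.0.2.10

# classify_reply: map one hping3 reply line to open / closed / filtered.
# SA = SYN+ACK (open), RA or R = RST (closed), an ICMP unreachable message
# or no reply at all = filtered somewhere between the scanner and the port.
classify_reply() {
  reply="$1"
  case "$reply" in
    "") echo filtered ;;                          # timeout, nothing came back
    *"flags=SA "*) echo open ;;
    *"flags=RA "*|*"flags=R "*) echo closed ;;
    *"ICMP "*"Unreachable"*) echo filtered ;;
    *) echo unknown ;;
  esac
}

# Constructed sample replies approximating hping3's output format.
# Assumption: these were not captured from a real host.
SAMPLE_OPEN='len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=0.4 ms'
SAMPLE_CLOSED='len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms'
SAMPLE_ICMP='ICMP Port Unreachable from ip=192.0.2.1 name=UNKNOWN'
SAMPLE_NONE=''

# scan_summary: print one "port state" line per sample, the way a
# per-port report of a --scan run would read.
scan_summary() {
  printf '80 %s\n'   "$(classify_reply "$SAMPLE_OPEN")"
  printf '81 %s\n'   "$(classify_reply "$SAMPLE_CLOSED")"
  printf '443 %s\n'  "$(classify_reply "$SAMPLE_ICMP")"
  printf '8080 %s\n' "$(classify_reply "$SAMPLE_NONE")"
}

scan_summary
```

Note that a "filtered" verdict is not evidence that the port is closed: a firewall that silently drops the SYN hides an open port just as well as a closed one, which is exactly why the later sections turn to FIN, UDP and ICMP probes for firewalled hosts.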

The full document can be found at:
http://bsdpakistan.org/downloads/HostFingerprinting.pdf


ADDITIONAL INFORMATION

The information has been provided by naveed <mailto:naveedafzal@xxxxxxxxx>.
The original article can be found at:
http://bsdpakistan.org/downloads/HostFingerprinting.pdf




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


