ETHICAL HACKING - Fingerprinting
Fingerprinting in Ethical Hacking means a method used for determining the current running operating system on a remote computer.
Fingerprinting can be Active or Passive.
- Active Fingerprinting – By Active fingerprinting, special crafted packets are being sent to a target computer and the responses are noted and the information is analyzed to determine the OS.
- Passive Fingerprinting – Based on the sniffer traces (such as Wireshark) of the packets, the operating system of the remote host can be determined by Passive Fingerprinting.
Important elements to determine the operating system
- TTL − What the operating system sets the Time-To-Live on the outbound packet.
- Window Size − What the operating system sets the Window Size at.
- DF − Does the operating system set the Don't Fragment bit.
- TOS − Does the operating system set the Type of Service, and if so, at what.
The remote operating system can be determined by analyzing these four factors of a packet. This is not cent percent accurate and may be better for some operating systems and not to others.
Initially get the information about the details of the operating system hosted by a website. Then determine the vulnerabilities present to exploit the target system.
Below is a simple nmap command which is used to identify the operating system of a website and the ports opened which are associated with domain name i.e., the IP address.
$nmap -O -v wisdomjobs.com
The following sensitive information about the given domain name or IP address appears−
Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-04 09:57 CDT Initiating Parallel DNS resolution of 1 host. at 09:57 Completed Parallel DNS resolution of 1 host. at 09:57, 0.00s elapsed Initiating SYN Stealth Scan at 09:57 Scanning wisdomjobs.com (18.104.22.168) [1000 ports] Discovered open port 22/tcp on 22.214.171.124 Discovered open port 3306/tcp on 126.96.36.199 Discovered open port 80/tcp on 188.8.131.52 Discovered open port 443/tcp on 184.108.40.206 Completed SYN Stealth Scan at 09:57, 0.04s elapsed (1000 total ports) Initiating OS detection (try #1) against wisdomjobs.com (220.127.116.11) Retrying OS detection (try #2) against wisdomjobs..com (18.104.22.168) Retrying OS detection (try #3) against wisdomjobs.com (22.214.171.124) Retrying OS detection (try #4) against wisdomjobs..com (126.96.36.199) Retrying OS detection (try #5) against wisdomjobs.com (188.8.131.52) Nmap scan report for wisdomjobs.com (184.108.40.206) Host is up (0.000038s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 3306/tcp open mysql TCP/IP fingerprint: OS:SCAN(V=5.51%D=10/4%OT=22%CT=1%CU=40379%PV=N%DS=0%DC=L%G=Y%TM=56113E6D%P= OS:x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS OS:(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFF OS:D7ST11NW7%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0% OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S= OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R= OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N% OS:T=40%CD=S)
nmap command can be installed in the Linux system using yum command by:
$yum install nmap
The main system can be made hidden behind VPN or Secure proxy server so that the identity and the main system are safe.
nmap command provides information about the list of ports opened on a given server.
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
The following command can also be used to check if a particular port is opened:
$nmap -sT -p 443 wisdomjobs.com
The output result appears as:
Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-04 10:19 CDT
Nmap scan report forwisdomjobs.com (220.127.116.11)
Host is up (0.000067s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Information about the open ports makes the hacker plan for different techniques to attack through the ports which are open.
- Quick Fix - To protect the system from malicious attacks, check and close all the ports which are unwanted.
To determine IP address from a range of IP addresses which maps the live hosts, a network scanning technique is used, known as Ping Sweep, also known as ICMP sweep.
fping command is used for ping sweep. To determine whether a host is up, Internet Control Message Protocol (ICMP) echo request is used by fping.
fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the lists of hosts to ping. If a host does not respond within a certain time limit and/or retry limit, it will be considered unreachable.
- Quick Fix - By blocking the ICMP ECHO requests from outside sources, ping sweeps can be disabled on a network. This is done by the following code, which will create a firewall rule in iptable.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
Domain Name Server (DNS) is like a map or an address book. To translate an IP address 18.104.22.168 to a name www.example.com and vice versa, DNS Enumeration is used.
All the DNS servers and the corresponding records of an organization are located by the process of DNS enumeration. By this process, much more information is gathered about the target before hacking.
nslookup command is used to get DNS and other host-related information
Quick Fix - DNS Enumeration prevention is a big challenge as it does not have a quick fix.
Sensitive information about the network and organization can go outside, if DNS is not configured in a secure way. There are possibilities of untrusted internet user performing a DNS zone transfer.