FINGERPRINTING
OS Fingerprinting - is the term used in ethical hacking for any method used to determine what operating system is running on a remote computer. This could be-
- Active Fingerprinting - is accomplished by sending specially crafted packets to a target machine, noting down its responses and analysing the gathered information to determine the target OS. We can use the NMAP tool to detect the OS of a target domain.
- Passive Fingerprinting - is based on sniffer traces from the remote system. Based on the sniffer traces (such as Wireshark captures) of the packets, you can determine the OS of the remote host.
We have the following four important elements that we will look at to determine the operating system-
- TTL - What the operating system sets the Time-To-Live on the outbound packet.
- WINDOW SIZE - What the operating system sets the window size at.
- DF - Does the operating system set the Don't Fragment bit.
- TOS - Does the operating system set the Type of Service, and if so, at what
By analysing these factors of a packet, we may be able to determine the remote operating system. This system is not 100% accurate, and works better for some operating systems than others.
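The four elements above can be read directly out of a captured IPv4/TCP packet, which is how a defender can build an OS inventory from existing traffic. The following Python example is added here and is not from the original article; the signature table holds a few commonly cited default values chosen for illustration, and the function names and the sample packet are constructed.

```python
import struct

# Illustrative signatures (assumed, commonly cited defaults; not a complete database).
# Fields: initial TTL, TCP window size, DF bit (None = not scored).
SIGNATURES = {
    "Linux (2.4/2.6 kernel)": (64, 5840, True),
    "FreeBSD": (64, 65535, True),
    "Windows XP": (128, 65535, True),
    "Windows 7 / Server 2008": (128, 8192, True),
    "Cisco IOS router": (255, 4128, None),
}

def extract_fields(packet: bytes) -> dict:
    """Pull TTL, window size, DF and TOS out of a raw IPv4 + TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4           # IP header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return {"ttl": packet[8], "window": window,
            "df": bool(flags_frag & 0x4000), "tos": packet[1]}

def initial_ttl(observed: int) -> int:
    """TTL drops by one per hop, so round up to the nearest common start value."""
    return next(t for t in (32, 64, 128, 255) if observed <= t)

def guess_os(fields: dict) -> list:
    """Rank signatures by how many observed fields they match (best first)."""
    start = initial_ttl(fields["ttl"])
    ranked = []
    for name, (ttl, window, df) in SIGNATURES.items():
        score = (ttl == start) + (window == fields["window"])
        score += df is not None and df == fields["df"]
        ranked.append((score, name))
    ranked.sort(key=lambda pair: -pair[0])
    return ranked

def build_sample(ttl, window, df, tos=0) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP SYN headers, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHLLBBHHH", 44321, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # A packet seen with TTL 117 most likely started at 128, 11 hops away.
    print(guess_os(extract_fields(build_sample(117, 8192, True)))[:2])
```

Several systems share the same initial TTL, so the ranking often has close runners-up; that ambiguity is the reason the method is not 100% accurate.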
BASIC STEPS
Before attacking a system, you need to know which operating system is hosting the website. Once the target OS is known, it becomes easy to determine which vulnerabilities might be present to exploit the target system.
Let's look at some basic commands of the NMAP tool.
If nmap is not installed on your Linux system, install it with the command
$ sudo apt-get install nmap
The following command resolves the domain name to its IP address and lists all the open ports associated with it. The -v option only makes the output more verbose; nmap attempts OS detection itself when the -O option is added.
$ nmap -v nptel.ac.in
It gives the following result
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 18:36 IST
Initiating Ping Scan at 18:36
Scanning nptel.ac.in (14.139.160.71) [4 ports]
Completed Ping Scan at 18:36, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:36
Completed Parallel DNS resolution of 1 host. at 18:36, 0.17s elapsed
Initiating SYN Stealth Scan at 18:36
Scanning nptel.ac.in (14.139.160.71) [1000 ports]
Discovered open port 443/tcp on 14.139.160.71
Discovered open port 8080/tcp on 14.139.160.71
Discovered open port 80/tcp on 14.139.160.71
Completed SYN Stealth Scan at 18:36, 5.56s elapsed (1000 total ports)
Nmap scan report for nptel.ac.in (14.139.160.71)
Host is up (0.016s latency).
Other addresses for nptel.ac.in (not scanned): 64:ff9b::e8b:a047
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
443/tcp open https
8080/tcp open http-proxy
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.00 seconds
Raw packets sent: 2004 (88.136KB) | Rcvd: 9 (372B)
PORT SCAN
In the output of the nmap command above we see a table with these columns
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
443/tcp open https
8080/tcp open http-proxy
You can also check whether a particular port is open by the command below
$ nmap -sT -p 443 nptel.ac.in
It will produce the following output
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 18:44 IST
Nmap scan report for nptel.ac.in (14.139.160.71)
Host is up (0.033s latency).
Other addresses for nptel.ac.in (not scanned): 64:ff9b::e8b:a047
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
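For the host's owner, the value of this port table is in comparing it with what is supposed to be exposed. The following Python example is added here and is not from the original article: it parses the PORT/STATE/SERVICE rows from the output shown above and reports open ports missing from an approved baseline. The baseline and the function names are hypothetical.

```python
import re

# Output copied from the scan shown on this page (port table section only).
NMAP_OUTPUT = """\
Nmap scan report for nptel.ac.in (14.139.160.71)
Host is up (0.016s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
80/tcp open http
113/tcp closed ident
443/tcp open https
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 6.00 seconds
"""

PORT_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_ports(report: str) -> list:
    """Return one dict per row of the PORT/STATE/SERVICE table."""
    rows, in_table = [], False
    for line in report.splitlines():
        if line.split() == ["PORT", "STATE", "SERVICE"]:
            in_table = True
            continue
        match = PORT_LINE.match(line) if in_table else None
        if match:
            port, proto, state, service = match.groups()
            rows.append({"port": int(port), "proto": proto,
                         "state": state, "service": service})
        elif in_table:
            in_table = False      # first non-matching line ends the table
    return rows

def unexpected_open(rows: list, approved: set) -> list:
    """Open ports that are not in the approved (port, proto) baseline."""
    return [r for r in rows
            if r["state"] == "open" and (r["port"], r["proto"]) not in approved]

if __name__ == "__main__":
    # Hypothetical baseline: only HTTP and HTTPS are meant to be reachable.
    approved = {(80, "tcp"), (443, "tcp")}
    for row in unexpected_open(parse_ports(NMAP_OUTPUT), approved):
        print(f"unexpected open port: {row['port']}/{row['proto']} ({row['service']})")
```

For regular automated checks, nmap's XML output (-oX) is a more stable format to parse than the human-readable table.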
PING SWEEP
A ping sweep is a network scanning technique that you can use to determine which IP addresses from a range of IP addresses map to live hosts. It is also known as an ICMP sweep.
We can use the fping command for a ping sweep. It is a ping-like program which uses Internet Control Message Protocol (ICMP) echo requests to determine if a host is up.
The normal ping command sends ICMP echo requests to a single IP or host at a time. fping, however, can send ICMP echo requests to a large number of hosts. It does not work like ping, because it sends an echo request to one host and moves on to the next without waiting for the echo reply. This is done in a round-robin fashion.
Command to perform a ping sweep with nmap
$ nmap -sP 192.168.0.1-245
It will produce the following output
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-12 18:54 IST
Nmap scan report for 192.168.0.1
Host is up (0.0026s latency).
Nmap scan report for 192.168.0.2
Host is up (0.0031s latency).
Nmap scan report for 192.168.0.3
Host is up (0.011s latency).
Nmap scan report for 192.168.0.4
Host is up (0.0029s latency).
Nmap scan report for 192.168.0.5
Host is up (0.0022s latency).
.
Nmap done: 245 IP addresses (245 hosts up) scanned in 50.02 seconds
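Because a sweep sends echo requests to many hosts in quick succession without waiting for replies, it leaves a recognisable pattern in network logs. The following Python example is added here and is not from the original article: it flags any source that sends ICMP echo requests to many distinct destinations inside a short time window. The log format, thresholds and sample traffic are constructed for illustration.

```python
from collections import defaultdict, deque

def detect_sweeps(events, window=5.0, min_targets=10):
    """events: iterable of (timestamp, src, dst, icmp_type), ordered by time.
    Returns {src: max distinct destinations echo-requested within `window` s}
    for every source that reaches `min_targets`."""
    recent = defaultdict(deque)     # src -> deque of (timestamp, dst)
    peak = defaultdict(int)
    for ts, src, dst, icmp_type in events:
        if icmp_type != 8:          # only ICMP echo requests count
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()             # drop requests older than the window
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_targets}

def parse_log(text):
    """Parse 'timestamp src dst icmp_type' lines; skip blank or malformed rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def constructed_log():
    """Constructed sample traffic, not captured data."""
    lines = []
    # 192.168.0.50 sweeps .1 to .20 in 0.2 s, without waiting for replies
    for i in range(1, 21):
        lines.append(f"{100 + i * 0.01:.2f} 192.168.0.50 192.168.0.{i} 8")
    # 192.168.0.7 pings its gateway once a second (normal behaviour)
    for i in range(5):
        lines.append(f"{100 + i:.2f} 192.168.0.7 192.168.0.1 8")
    # echo replies (type 0) must not be counted
    lines.append("100.30 192.168.0.1 192.168.0.50 0")
    return "\n".join(sorted(lines, key=lambda l: float(l.split()[0])))

if __name__ == "__main__":
    print(detect_sweeps(parse_log(constructed_log())))
```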
DNS ENUMERATION
DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. The idea is to gather as many interesting details as possible about your target before initiating an attack.
Domain Name System (DNS) is like a map or an address book. In fact, it is a distributed database used to translate an IP address such as 192.168.xxx.xxx to a name such as www.xxxxx.com and vice versa.
Tools -
- We can use the nslookup command available on Linux to get DNS and host-related information.
- We can use the DNSenum script to get detailed information about a domain.
nslookup - It can be run in two modes, interactive and non-interactive.
- Interactive - It allows you to print the list of hosts in a domain.
- Non-interactive - It allows you to print just the name and requested information for a host or domain.
$ nslookup
It shows a > prompt. Enter the website address there.
> nptel.ac.in
Server: 192.168.55.1
Address: 192.168.55.1#53
Non-authoritative answer:
Name: nptel.ac.in
Address: 14.139.160.71
Name: nptel.ac.in
Address: 64:ff9b::e8b:a047
Keep following for more articles on Ethical Hacking.
Thank you