What xprobe is like to use
A tool that guesses a target host's OS from how it answers ICMP: which requests it replies to at all, and the IP/ICMP header fields in the replies it does send.
This is a memo on what it's like to use, or rather, what the results look like.
"Xprobe": identifying a target site's OS using ICMP | 日経 xTECH (Nikkei xTECH)
According to the article, "Xprobe sends five kinds of packets and identifies the OS based on the IP header of the ICMP packets that come back." φ(・_・
・A UDP packet to a port that is presumably closed
・ICMP Echo Request (Type 8)
・ICMP Timestamp Request (Type 13)
・ICMP Information Request (Type 15)
・ICMP Netmask Request (Type 17)
Hmm. What's the "presumably closed port" in the first one, anyway? (It is a UDP datagram aimed at a high port that nothing is likely to be listening on: a host that isn't filtering answers with ICMP Destination Unreachable, Port Unreachable (Type 3, Code 3), and the way each stack builds that error, including the TTL, IP ID and TOS of the reply and how much of the original datagram it quotes back, is what gets compared against the signatures.)
Well, whatever. Let's try it.
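To make the five probes and the "IP header of the reply" concrete, here is an added example (my own code, not from the original post and not from Xprobe itself) that builds the five probes as raw IPv4 packets and decodes the header fields an ICMP-based fingerprinter compares, including how much of the offending datagram a Port Unreachable quotes back and whether the quoted IP header was left intact. The addresses, the UDP probe's port and payload, the sample replies and the feature names are all assumptions; the replies are constructed in memory so the whole thing runs offline without raw sockets.

```python
"""
Added example: not code from the original post or from Xprobe itself.
Builds the five probes the article lists and decodes the header fields of
the ICMP replies that Xprobe's ICMP modules compare with their signatures.
Addresses, the UDP probe's port/payload and the feature names are assumptions;
everything is constructed in memory, so it runs offline without raw sockets.
"""
import struct
from dataclasses import dataclass
from typing import Optional


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data whose checksum is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, tos=0, ident=0, df=False):
    """20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type, code, body=b"", ident=0, seq=0):
    """ICMP header (type, code, checksum, id/seq or 'unused') followed by body."""
    msg = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq) + body
    return msg[:2] + struct.pack("!H", ip_checksum(msg)) + msg[4:]


def build_probes(src="192.168.104.10", dst="192.168.104.230"):
    """The five Xprobe probes as raw IPv4 packets, keyed by name."""
    probes = {}
    for name, icmp_type, body in (("echo", 8, b""), ("timestamp", 13, b"\x00" * 12),
                                  ("info", 15, b""), ("netmask", 17, b"\x00" * 4)):
        icmp = icmp_message(icmp_type, 0, body, ident=0x1234, seq=1)
        probes[name] = ipv4_header(src, dst, 1, len(icmp)) + icmp
    # UDP to a high port assumed closed (port and 32-byte payload are my choice); an
    # unfiltered host answers with ICMP Destination Unreachable / Port Unreachable (3/3).
    udp = struct.pack("!HHHH", 40000, 32132, 8 + 32, 0) + b"\x00" * 32
    probes["udp_closed"] = ipv4_header(src, dst, 17, len(udp)) + udp
    return probes


@dataclass
class IcmpFeatures:
    icmp_type: int
    icmp_code: int
    ttl: int
    initial_ttl: int                       # observed TTL rounded up to a common default
    ip_id_zero: bool
    tos: int
    df: bool
    quoted_bytes: Optional[int]            # type 3 only: how much of our datagram came back
    quoted_ip_checksum_ok: Optional[bool]  # type 3 only: was the quoted IP header left intact?


def initial_ttl_class(ttl: int) -> int:
    """Round an observed TTL up to 32/64/128/255, the usual stack defaults."""
    return next((init for init in (32, 64, 128, 255) if ttl <= init), 255)


def decode_icmp_reply(pkt: bytes) -> IcmpFeatures:
    """Extract the fields an ICMP fingerprinter looks at from a raw IPv4/ICMP packet."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if proto != 1:
        raise ValueError("not an ICMP packet")
    icmp = pkt[(ver_ihl & 0x0F) * 4:total_len]
    quoted_len = quoted_ok = None
    if icmp[0] == 3:  # Destination Unreachable: the offending datagram follows the 8-byte header
        quoted = icmp[8:]
        quoted_len = len(quoted)
        quoted_ok = ip_checksum(quoted[:(quoted[0] & 0x0F) * 4]) == 0
    return IcmpFeatures(icmp[0], icmp[1], ttl, initial_ttl_class(ttl), ident == 0,
                        tos, bool(flags_frag & 0x4000), quoted_len, quoted_ok)


def sample_port_unreachable(quote_full=True, mangle=False, ttl=64, tos=0xC0, ident=0):
    """Constructed type 3 / code 3 reply quoting our UDP probe. quote_full=False quotes only
    the RFC 792 minimum (IP header + 8 bytes); mangle=True corrupts the quoted header's checksum."""
    probe = build_probes()["udp_closed"]
    quoted = bytearray(probe if quote_full else probe[:28])
    if mangle:
        quoted[10] ^= 0xFF
    icmp = icmp_message(3, 3, bytes(quoted))
    return ipv4_header("192.168.104.230", "192.168.104.10", 1, len(icmp), ttl=ttl, tos=tos, ident=ident) + icmp


def sample_echo_reply(ttl=128, ident=0x4321, df=True):
    """Constructed ICMP Echo Reply to the echo probe, id/seq echoed back."""
    icmp = icmp_message(0, 0, ident=0x1234, seq=1)
    return ipv4_header("192.168.104.230", "192.168.104.10", 1, len(icmp), ttl=ttl, ident=ident, df=df) + icmp
```

Calling decode_icmp_reply(sample_port_unreachable()) gives quoted_bytes 60 with an intact quoted header, while sample_port_unreachable(quote_full=False, mangle=True) gives the 28-byte RFC 792 minimum with a corrupted header; in a real run those differences, together with TTL class, IP ID and TOS, are what a signature match turns into an OS guess. A host that silently drops the probes (the firewall case further down) produces no reply at all, so nothing here ever gets called.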
Tried it
●Result with no packet filtering in place
[+] Target is 192.168.104.230
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.104.230. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.104.230. Module test failed
[-] No distance calculation. 192.168.104.230 appears to be dead or no ports known
[+] Host: 192.168.104.230 is up (Guess probability: 50%)
[+] Target: 192.168.104.230 is alive. Round-Trip Time: 0.50847 sec
[+] Selected safe Round-Trip Time value is: 1.01693 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Host 192.168.104.230 Running OS: LOV (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
So it pins the server's OS down at 100%, though I don't really get it...
Worth noticing in that output, though: tcp_ping, udp_ping, ttl_calc, tcp_hshake, smb and snmp all bailed out because no TCP/UDP ports were supplied, so the verdict rests on the four ICMP modules alone, and the primary guess and all nine "other guesses" are the same entry at the same 100%. Telling xprobe2 about a known port with -p (for example -p tcp:80:open) lets the TCP modules contribute and usually spreads the guesses out.
●Result with packet filtering in place
[+] Target is 192.168.104.230
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.104.230. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.104.230. Module test failed
[-] No distance calculation. 192.168.104.230 appears to be dead or no ports known
[+] Host: 192.168.104.230 is down (Guess probability: 0%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
It couldn't identify the server's OS. Awesome! Firewalls matter!! Yes, that's a grade-schooler's takeaway, I know, lol
Keep in mind what "is down (Guess probability: 0%)" really says, though: the ICMP echo probe got no reply and, with no ports given, the TCP/UDP pings had nothing to try, so xprobe2 gave up before running a single fingerprint module. Hand it an open port with -p and the TCP handshake / RST modules still get their chance against a host that drops all ICMP, so dropping ICMP alone is not the same as hiding the OS.
What I actually wanted at the time was to DROP ICMP Timestamp requests and confirm there was no reply, and for that this tool was a bit clumsy (I ended up using hping3), but if I ever become a cracker I'll use it. Though come to think of it, that's about the only time I'd ever have a use for it, right?? lol
For that kind of single-probe check, hping3 -1 -C 13 <target> sends ICMP Timestamp requests (Type 13) directly, so you can watch whether the DROP rule swallows them.