TechAmor
For the Love of Technology
A Multi Technology Portal for Tech Enthusiasts
When exploring a network for security purposes, you usually want to know more than the bare IP addresses. Sometimes you may find a printer, a router, a telephone PBX, a Windows desktop or a Linux server. If you know the OS version or other details, that may be useful for determining vulnerabilities with respect to that OS and then finding exploits for those vulnerabilities.
While some benefits of discovering the underlying OS and device types on a network are obvious, others are more obscure.
It is sometimes very difficult to determine remotely whether an available service is susceptible or patched for a certain vulnerability. Even obtaining the application version number doesn't always help, since OS distributors often back-port security fixes without changing the version number. The surest way to verify that a vulnerability is real is to exploit it, but that risks crashing the service and can lead to wasted hours or even days of frustrating exploitation efforts if the service turns out to be patched. OS detection can help reduce these false positives.
Even after you discover a vulnerability in a target system, OS detection can be helpful in exploiting it. Buffer overflows, format-string exploits, and many other vulnerabilities often require custom-tailored shellcode with offsets and assembly payloads generated to match the target OS and hardware architecture. In some cases, you only get one try because the service crashes if you get the shellcode wrong. Use OS detection first or you may end up sending Linux shellcode to a FreeBSD server.
With the ubiquity of mobile devices and cheap commodity networking equipment, companies are increasingly finding that employees are extending their networks in undesirable ways. They may install a $20 wireless access point (WAP) in their cubicle without realizing (or caring) that they just opened up the protected corporate network to potential attackers in the parking lot or nearby buildings. WAPs can be so dangerous that Nmap has a special category for detecting them. Users may also cause sysadmins grief by connecting insecure and/or worm-infected laptops to the corporate network. Regular scanning can detect unauthorized devices for investigation and containment.
Another possible use is social engineering. Let's say that you are scanning a target company and Nmap reports a “Win XP Machine”. You could call up the target pretending to be from Microsoft WinXP support and discuss some issues with their administrator. Tell them you are about to announce a big security hole, but are first providing the patch to valued customers. Some naive administrators might assume that only an authorized engineer from Microsoft would know so much about their system. Of course the patch you send them is a Trojan horse that gives you remote access to sniff and traipse through their network.
Top OS FingerPrinting Tools
1. Nmap - Nmap is one of the top hacking and security tools. One of its features is OS fingerprinting.
# nmap -v -O www.yoursite.com
(-O enables OS detection and -v enables verbose output)
Starting Nmap ( http://nmap.org )
Interesting ports on yoursite.com (64.13.134.52):
Not shown: 994 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp closed smtp
53/tcp open domain
70/tcp closed gopher
80/tcp open http
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Uptime guess: 11.433 days (since Thu Sep 18 13:13:01 2008)
TCP Sequence Prediction: Difficulty=204 (Good luck!)
IP ID Sequence Generation: All zeros
Nmap done: 1 IP address (1 host up) scanned in 6.21 seconds
Raw packets sent: 2021 (90.526KB) | Rcvd: 23 (1326B)
2. P0f - A passive OS fingerprinting tool. P0f is able to identify the operating system of a target host simply by examining captured packets, even when the device in question is behind an overzealous packet firewall. P0f can detect firewall presence, NAT use, existence of load balancers, and more!
3. XProbe - A tool for determining the operating system of a remote host. It does this using some of the same techniques as Nmap as well as some of its own ideas. Xprobe has always emphasized the ICMP protocol in its fingerprinting approach.
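The Nmap output shown above is the raw material for the "regular scanning to detect unauthorized devices" use case described earlier. The following added example (not code from this page or from the Nmap project) parses that normal-format output into one record per host and flags hosts whose detected device type is not on an approved list; the second host in the sample, a WAP at 192.0.2.77, is constructed for illustration.

```python
import re

# Constructed sample in the style of the `nmap -v -O` output shown on this
# page; the second host (192.0.2.77, a WAP) is invented for illustration.
SAMPLE_OUTPUT = """\
Interesting ports on yoursite.com (64.13.134.52):
PORT STATE SERVICE
22/tcp open ssh
25/tcp closed smtp
80/tcp open http
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.20-1 (Fedora Core 5)
Interesting ports on 192.0.2.77:
PORT STATE SERVICE
80/tcp open http
Device type: WAP
OS details: Linksys WRT54G WAP
Nmap done: 2 IP addresses (2 hosts up) scanned in 9.02 seconds
"""

# Accept both the older "Interesting ports on" and newer "Nmap scan report for" headers.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (\S+?)(?: \((\S+)\))?:?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+\S+")
FIELD_RE = re.compile(r"^(Device type|Running|OS details): (.+)$")

def parse_nmap_output(text):
    """Turn normal-format nmap -O output into one record per host."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:  # a new host section starts
            cur = {"host": m.group(1), "ip": m.group(2) or m.group(1),
                   "open_ports": [], "device_type": None,
                   "running": None, "os_details": None}
            hosts.append(cur)
        elif cur is None:
            pass  # preamble before the first host section
        elif (m := PORT_RE.match(line)):
            if m.group(3) == "open":
                cur["open_ports"].append(f"{m.group(1)}/{m.group(2)}")
        elif (m := FIELD_RE.match(line)):
            cur[m.group(1).lower().replace(" ", "_")] = m.group(2)
    return hosts

def flag_unexpected(hosts, allowed_device_types=("general purpose",)):
    """Hosts whose device type is off the approved list, or that Nmap could
    not classify at all, are returned for investigation."""
    return [h for h in hosts if h["device_type"] not in allowed_device_types]
```

Feed it the saved output of a scan of your own address space to get a list of hosts worth a closer look; unclassified hosts are flagged on purpose, since Nmap's failure to match a fingerprint is itself a signal.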