"Deep
in the sea are riches beyond compare.
But if you seek safety, it is on the shore."
Remote OS Detection
Detecting the OS (operating system) of a target is one of the most important early steps in attacking a system. After finding the target's IP address it is the first thing to do, because without knowing which OS the target runs you cannot choose the right commands or exploits for it, and your mission will not be accomplished.
In this article I cover the basics of detecting the OS remotely, without physical access to the system. There are various ways to do it: tracerouting the target's IP, pinging it, banner-grabbing with telnet, or working from a terminal session. From my research I have concluded that detecting the OS through ping or traceroute is the simplest, yet still effective, way of determining the operating system of a remote computer without physical access to it. Since my aim in writing articles is to make things clear for beginners and intermediates, I will explain remote OS detection through the ping method, which is easy to understand even for people totally new to computers.. yeah yeah.. I know you call them newbies.. right? :)
REMOTE OS DETECTION USING PING METHOD
What is PING and what is its utility?
Ping is a command-line utility shipped with Windows (where it runs in the DOS box, i.e. the command prompt) and with Unix and the operating systems built on a Unix-like kernel (where it runs directly in the shell). In this manual I will concentrate on the MS-DOS/Windows version of ping.
Ping sends ICMP echo request packets to a target system, identified by its IP address, and reports the echo replies that come back. From this output you can learn a number of things about the target.
For remote OS detection we are mainly interested in the TTL value of the received reply packets.
Note: When you send a file over the Internet it is not sent at once. It is broken down at the source system into pieces, known as packets, which travel through the Internet independently and are put back together in the right order by the target system, using the sequence information the source attached to each piece.
For example, if I send a picture of 400 KB to my girlfriend (hey girls out there, remember I don't yet have a gf in reality), what actually happens is that my system breaks the data into many packets (an IP packet can never be larger than 64 KB, and on most links it is around 1.5 KB), each carrying enough header information to be reassembled at the other end. Every one of these outgoing packets also gets a Time To Live (TTL) value in its IP header, set by my operating system; each router the packet passes through lowers it by 1, and a packet whose TTL reaches 0 is discarded. At the target system the packets are gathered and the original file is formed from them.
Example:
C:\windows>ping /?
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] target_name
Options:
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break;
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
There are various switches available for ping; above is the list of all the switches in the DOS version. With the -t switch you keep pinging the target until you stop it yourself (Control-C). You may have read that this will crash the remote system; it will not. A single host pinging continuously adds only a few small packets per second, which the target's network stack answers and immediately discards, so nothing piles up in its RAM. The -l switch sets the size of the data payload carried in each echo request (the default is 32 bytes).
In this article I am not concerned with crashing a remote system anyway, because it is not as easy as it seems; there are other tricks for it, and a system of present technology cannot be crashed just by simple ping. I am concerned with the TTL values in the output you get after pinging a system. You can use the -n switch to specify the number of echo requests (i.e. packets) to send to the target system. The default number is 4.
Example:
C:\windows>ping -n 10 127.0.0.1
This command will ping 127.0.0.1 with 10 packets and then print the statistics.
Now I think it is time for a real example, which I have executed on my own system.
C:\windows>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Here I have pinged 127.0.0.1, the loopback address, which always refers to the machine you are sitting at, so these replies come from my own Windows system without touching the network. The TTL value is 128. This is the thing we need for remote OS detection.
What is the TTL value?
TTL (Time To Live) is a field in the IP header of every outgoing packet. Its starting value is assigned by the operating system of the sending computer, and each operating system uses its own fixed default (an administrator can change it, but almost nobody does). So when you ping a system, the TTL in its replies tells you which default that system's OS uses. For example, if you ping a system running Windows 98, Windows NT 4 (with or without service packs), Windows 2000 or Windows XP, you will get a TTL value of 128, since all of them use that default (Windows 95 is the exception and used 32). From a TTL of 128 you can therefore say with good confidence that the target system is running Microsoft Windows.
TTL values of commonly used Operating Systems
OS              VERSION    PLATFORM       TTL
Windows         95         Intel          32
Windows         98 / NT    Intel          128
Windows         2000       Intel          128
Digital Unix    4.0        Alpha          60
Unisys          x          Mainframe      64
Linux           2.2.x      Intel          64
FTX (UNIX)      3.3        Stratus        64
SCO             R5         Compaq         64
NetWare         4.11       Intel          128
AIX             4.3.x      IBM RS/6000    60
AIX             4.2.x      IBM RS/6000    60
Cisco IOS       11.2       7507           60
Cisco IOS       12.0       2514           255
IRIX            6.x        SGI            60
FreeBSD         3.x        Intel          64
OpenBSD         2.x        Intel          64
Solaris         8          Intel/SPARC    64
Solaris         2.x        Intel/SPARC    255
These are not all of them; many other operating systems have their own defaults. But most systems fall within this list, and in practice you will almost always meet 32, 64, 128 or 255, with 60 on some older commercial Unixes and routers.
Now let's try this manual practically and find out the operating system run by the IP 202.178.64.19.
C:\windows>ping 202.178.64.19
Pinging 202.178.64.19 with 32 bytes of data:
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Ping statistics for 202.178.64.19:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
From the output you can gather several pieces of information. First, 4 packets of 32 bytes each were sent to 202.178.64.19. The target answered every one of them, and its replies carry a TTL value of 128. Since 128 is the default TTL used by Windows, and the value arrived undecremented (which fits the sub-millisecond round-trip time: no router sat between the two machines), we can say that the system 202.178.64.19 is running Windows.
ERROR CORRECTION IN SOME CASES
The TTL values you receive will usually not match the chart exactly. Even though the target's OS put a TTL of 128 on its reply, you may receive it as 120. Nothing to worry about: this is because every router a packet passes through reduces its TTL by 1 (and discards the packet if it reaches 0).
Don't worry, I'll explain and make things much clearer for you.
It is a fact that each router on the path lowers the TTL assigned by the source OS by exactly 1. So the value you see is the original TTL minus the number of routers on the path from the target back to you.
In that case you have to find out how many routers there are between the target system and your system, and then simply add the number of routers to the received TTL value to get the original TTL.
To find out how many routers there are in between, just perform a normal and simple tracert to that IP; each numbered line of its output is one router (hop) on the way.
For more information about tracing an IP read my article 'TRACING IP' at http://hackersclub.focusindia.com
Suppose tracert shows 10 routers between you and the target and the replies you received carried TTL 118: add 10 to 118 and you get the original value, 128.
Two caveats. First, tracert measures the path from you to the target, while the TTL you are correcting was decremented on the way back, and the two paths are not always the same length; if the sum does not land on a value in the chart, the return path is probably a hop or two longer or shorter. Second, the default TTL is only a default, so the result is a strong hint rather than proof. In practice you rarely need an exact hop count: because the common defaults are 32, 64, 128 and 255, rounding the received TTL up to the nearest of them is usually right (a received 120 can only sensibly be 128 minus 8 hops), and the tracert count is what settles the ambiguous cases, such as a received 58, which could be an AIX box 2 hops away or a Linux box 6 hops away.
And once you have the original TTL value, finding the operating system of the remote computer is as simple as changing girlfriends: just match the TTL value against the chart above and you have the operating system info.
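The whole procedure, from the "Reply from" lines of ping output to the corrected TTL and the matching OS family, as an added Python example (my code, not the article's; it uses constructed sample output on documentation-range addresses, and the 30-hop ceiling and OS-family labels are assumptions drawn from the chart above). It also includes the forward model of what routers do to the TTL, so you can check the correction rule against it, and it reports when a received value fits more than one row of the chart unless a tracert hop count is supplied.

```python
import re

# Default initial TTL per OS family, taken from the article's table. The value
# is set by the replying host's OS on every packet it sends, and it is only a
# default: an administrator can change it, so treat the result as a hint.
INITIAL_TTLS = {
    32: "Windows 95",
    60: "AIX 4.x / IRIX 6.x / Digital Unix 4.0 / Cisco IOS 11.2",
    64: "Linux 2.2 / FreeBSD 3.x / OpenBSD 2.x / SCO / Solaris 8",
    128: "Windows 98 / NT / 2000 / XP, NetWare 4.11",
    255: "Solaris 2.x / Cisco IOS 12.0",
}
MAX_HOPS = 30  # assumption: Internet paths longer than this are very rare

# One 'Reply from' line of Windows ping output; 'time<1ms' and 'time=41ms' both match.
REPLY_RE = re.compile(r"Reply from (\S+): bytes=(\d+) time[<=](\d+)ms TTL=(\d+)")


def parse_ping_ttls(output):
    """Return the TTL of every 'Reply from' line in Windows-style ping output."""
    return [int(m.group(4)) for m in REPLY_RE.finditer(output)]


def simulate_path(initial_ttl, router_count):
    """Forward model of what the network does: each router decrements TTL by 1
    and discards the packet once it hits 0 (that is the 'TTL expired in
    transit' message, and the trick tracert relies on). Returns the TTL the
    far end sees, or None if the packet never arrives."""
    ttl = initial_ttl
    for _ in range(router_count):
        ttl -= 1
        if ttl <= 0:
            return None
    return ttl


def candidates(observed_ttl):
    """Every (initial_ttl, hops, os_family) consistent with an observed reply
    TTL: the reply left the target with some default and lost 1 per router."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    found = []
    for initial, os_family in sorted(INITIAL_TTLS.items()):
        hops = initial - observed_ttl
        if 0 <= hops <= MAX_HOPS:
            found.append((initial, hops, os_family))
    return found


def guess_os(ping_output, traced_hops=None):
    """Apply the article's rule. With a tracert hop count the correction is
    exact (observed + hops == initial). Without it, prefer the candidate that
    needs the fewest routers and flag the guess as ambiguous if others fit:
    a TTL of 58 is AIX two hops away or Linux six hops away."""
    ttls = parse_ping_ttls(ping_output)
    if not ttls:
        return None
    observed = max(ttls)  # if the route flapped, the largest value is closest to the default
    cands = candidates(observed)
    if traced_hops is not None:
        exact = [c for c in cands if c[1] == traced_hops]
        if exact:  # hop counts can differ per direction, so fall back if none match
            cands = exact
    if not cands:
        return None
    initial, hops, os_family = min(cands, key=lambda c: c[1])
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": hops,
        "os_family": os_family,
        "ambiguous": len(cands) > 1,
    }


# Constructed sample output (documentation-range addresses, not real hosts).
SAMPLE_WINDOWS = """\
Pinging 192.0.2.10 with 32 bytes of data:

Reply from 192.0.2.10: bytes=32 time=41ms TTL=120
Reply from 192.0.2.10: bytes=32 time=39ms TTL=120
Reply from 192.0.2.10: bytes=32 time=40ms TTL=120
Reply from 192.0.2.10: bytes=32 time=43ms TTL=120
"""
SAMPLE_UNIX = """\
Reply from 198.51.100.7: bytes=32 time=12ms TTL=58
Reply from 198.51.100.7: bytes=32 time=13ms TTL=58
"""

if __name__ == "__main__":
    print(guess_os(SAMPLE_WINDOWS))              # initial 128, 8 hops, Windows
    print(guess_os(SAMPLE_UNIX))                 # ambiguous: 60 (2 hops) or 64 (6 hops)
    print(guess_os(SAMPLE_UNIX, traced_hops=6))  # tracert settles it: 64, Linux/BSD
```

Run it as is, or paste real ping output into guess_os; the hop count you pass as traced_hops is simply the number of numbered lines tracert printed for the same address.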
Well dear readers, that's it for now. But I'll BE BACK with many more exciting and important articles.
Please mail me at abhisek@programmer.net and let me know your comments about this article, because that's the only thing I am getting, and the only thing I want, for my hard work.
- Abhisek Datta