Detecting OS (operating system) is another most important step towards hacking into a system. We can even say that after tracing the IP of the
system it is the most prior thing that should be done to get the root
on a system cause without having knowledge about the OS running by the
target system you cannot execute any system commands on the target system
and thus your mission wont be accomplished. In here I have figure out
the basics of detecting OS remotely without having physical access to
the system. There are various method of detecting OS like by trace routing
the victim's IP , by pinging the IP , by using telnet and also by using
a terminal. But from my research I have concluded that detecting OS through
ping or tracerout is the most simplest but effective way of determining
the operating system running in the remote computer without having physical
access to the system. Since my aim of writing articles is to make things
clear for beginners and intermediate so I will explain remote os detecting
through ping method which is very easy to understand even for peoples
totally new to computers.. yeah yeah.. I know you call them newbies..right
?? J J J
REMOTE OS DETECTION USING PING METHOD
What is PING and what is its utility ?
Ping is an MSDOS utility provided for windows version of DOS and for
Unix and operating systems having UNIX as the core kernel. It runs in
dos box in windows and directly in UNIX platform. In this manual I will
give more stress on the MSDOS version of ping.
Ping is an utility used for sending and receiving packets of data to
a target system using its IP and thus from the outputs you can figure
out many information about the target system.
In remote os detection we are mainly concerned with the TTL values of
the received data packets.
Note: When you send or receive a file over the internet it is not send
at once. Instead it is broken down at the source system and these broken
fragments of data know as data packets are send through the internet and
these data packets are gathered together by the target system according
to an algorithm constructed by the source system.
For example if I send a picture of size 400 KB to my girl friend (hey
girls out there remember I don't yet have a gf in reality) then what actually
happens is that my system breaks the data into data packets, say the file
of 400 KB has been broken down into 4 data packets each having a size
of 100 KB and having a name. These data packets are assigned a code known
as the TTL value of the data packets by my operating system. Then these
data packets are gathered and the original file is formed from these data
packets at the target system.
Example:
C:\windows>ping/?
Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
[-r count] [-s count] [[-j host-list] | [-k host-list]]
[-w timeout] target_name
Options:
-t Ping the specified host until stopped.
To see statistics and continue - type Control-Break;
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
there are various switches available for ping. Above I have given a list
of all the switches available in the DOS version of ping. Using the -t
switch you can continuously ping a target until it is crashed down. I
am sure you are probably wondering how will it crash down the remote system.
The answer is quite simple. If you ping the remote system continuously
then what happens is that slowly the RAM of the target system is overloaded
with these stack data and compels the system to restart or crashes it.
You can also use the -l switch to specify the amount of data packet to
be send at a time.
But in this article I am not concerned with crashing down a remote system
cause its not that easy as it seems to be, there are many other tricks
for it and its not possible to crash down a system of present technology
just by simple ping. I am concerned with the TTL values of the output
that you will get after pinging a system. You can use -n switch with ping
to specify the number of echo (ie data packets) to be send to the target
system. The default number is 4.
Example:
C:\windows> ping -n 10 127.0.0.1
This command will ping 127.0.0.1 with 10 packets of data and after that
will give you an output.
Now I think its time for a real example which I have executed on my system.
C:\windows>ping 127.0.0.1
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Here I have pinged the IP 127.0.0.1 (offline ip of any system) with default
ping. Here I am getting TTL value as 128. This is the thing what we need
for remote os detection.
What is TTL value ?
TTL value is nothing but a simple code assigned to the out going data
packets by the operating system of a computer. The TTL value assigned
to the out going data packets depends on the operating system and it is
the same for a particular operating system. As for example if you ping
a system running windows 98 or earlier versions of windows NT with service
packs (I don't know exactly about the TTL values of recent versions of
Windows NT but from my research I think it's the same as previous versions
cause the TTL value even in Windows XP is 128) you will get the TTL value
as 128, thus from this TTL value you can easily say that the target system
is running Microsoft Windows.
TTL values of commonly used Operating Systems
OS VERSION PLATFORM TTL
Windows 9x/NT Intel 32
Windows 9x/NT Intel 128
Windows 2000 Intel 128
DigitalUnix 4.0 Alpha 60
Unisys x Mainframe 64
Linux 2.2.x Intel 64
FTX(UNIX) 3.3 STRATUS 64
SCO R5 Compaq 64
Netware 4.11 Intel 128
AIX 4.3.x IBM/RS6000 60
AIX 4.2.x IBM/RS6000 60
Cisco 11.2 7507 60
Cisco 12.0 2514 255
IRIX 6.x SGI 60
FreeBSD 3.x Intel 64
OpenBSD 2.x Intel 64
Solaris 8 Intel/Sparc 64
Solaris 2.x Intel/Sparc 255
Well these are not all. There are many more TTL values of many other operating
systems. But generally most systems lies within this list.
Now lets try this manual practically and find out the operating system
running by the IP 202.178.64.19.
C:\windows>ping 202.178.64.19
Pinging 202.178.64.19 with 32 bytes of data:
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Reply from 202.178.64.19: bytes=32 time<1ms TTL=128
Ping statistics for 202.178.64.19:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Well from the output you can figure out many informations. First 4 packets
of data each of 32 bytes has been send to 202.178.64.19. In response the
target system has responded with data packets of TTL value as 128.
Now we can easily say that the system 202.178.64.19 is running windows.
ERROR CORRECTION IN SOME CASES
There is a possibility of error in TTL values that you receive. Even
though the source system send a TTL value of 128 you may receive the TTL
value as 120. Well nothing to worry cause its due to the fact that routers
reduce the TTL value by 1.
Don't worry I'll explain and made things much clearer for you.
It's a fact that some times routers may reduce the TTL value assigned
to the data packets by the source OS by 1.
In that case you have to find out how many routers are there in between
your system and the target system and then simply add the number of routers
to the received TTL values and you will get the original TTL value.
To find out how many routers there are in between your system and the
target system just perform a normal and simple tracert to that IP.
For more information about tracing an IP read my article 'TRACING IP"
in http://hackersclub.focusindia.com
After tracing the IP using tracert tool of dos suppose you find that there
are 10 routers between you and the target system then just simply add
10 to the TTL value that you have received and you will get the original
TTL value.
And once you get the original TTL value then its as simple as changing
girl friend to find out the operating system running by the remote computer.
Just match the TTL value with the above chart and you will find out the
operating system info.
Well dear readers, that's it for now. But I'll BE BACK with many more
exciting and important articles.
Please mail me at abhisek@programmer.net and let me know about your comments
about this article cause that's the only thing I am getting and I want
for my hard work.
Abhisek Datta
abhisek@programmer.net
http://hackersclub.focusindia.com
http://abhisek.8m.net
************** HACKERS MANIFESTO *****************
By ABHISEK DATTA
"ANOTHER ONE GOT CAUGHT TODAY" , "TEENAGERS ARRESTED IN
COMPUTER CRIME", "STATE BANK SUPER COMPUTER HACKED BY A 14 YEAR
OLD KID".
Well ever seen this kind of headline in your newspaper. Probably not in
India. But I guess the techno revolution has not left India and it won't
take long for this kind of headlines.
First of all let me explain to you what is the need of hacking. In the
hacking world Hackers are of two types. Ethical Hacker and Criminal Hacker.
But probably in our existing world there is no differentiation and all
the hackers fall in the class of Criminal Hackers. But let me explain
you the difference between the two classes of hackers. Ethical hackers
hack for knowledge and those who consider themselves to lie in this class
never destroy any system. They never keep anything secret. They are always
eager to tell their methods to everybody so that others can desist the
criminal ones from accomplishing their mission. But criminal hackers do
it for money and also in some cases they become psychic.
They hack to get essential information of say a particular company and
sell it to the other.
Before you prepare yourself to be a hacker you must first decide in which
class you lie. Let me tell you something.Criminal hackers may be brilliant,they
may be genius,they may be 100 times better than peoples like me.But their
knowledge is limited.An ethical hacker have unlimited knowledge cause
their knowledge is as a result of curiosity,their knowledge is as a result
of trial and error,their knowledge is as a result of constructive attitude
rather than aims of destruction.
Well I don't wanna make you bore by all these sentimental stuffs cause
even I don't like sentiments much cause I am a very practical minded boy.
All I wanna say is that This is our world now... the world of the electron
and the switch, the beauty of the baud. We make use of a service already
existing without paying for what could be dirt-cheap if it wasn't run
by profiteering gluttons, and you call us criminals.
We explore... and you call us criminals. We seek after knowledge... and
you call us criminals. We exist without skin color, without nationality,
without religious bias...and you call us criminals. You build atomic bombs,
you wage wars, you murder, cheat, and lie to us and try to make us believe
it's for our own good, yet we're the criminals. Yes, I am a criminal.
My crime is that of curiosity. My crime is that of judging people by what
they say and think, not what they look like. My crime is that of outsmarting
you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual,
but you can't stop
us all. After all, we're all alike and we will never STOP !!
by Abhisek Datta
http://hackersclub.focusindia.com
abhisek@programmer.net
|