How OS Fingerprinting Works // NMAP Tutorial

Captions
All right guys, so in this video we're going to talk about something that's super cool about Nmap if you haven't used it before, and that's the operating system fingerprinting, or OS detection. Absolutely, for studying for a cyber security certification you've got to know how this works. Now it almost seems like magic: we can just run a scan and find out what kind of operating system is on the target. Now why is that useful? Well, if we're going to find a vulnerability that we can use to compromise that device or machine, then we've got to know what kind of operating system is running. So in this video we're going to talk about how this type of scan works and how we can interpret it with Nmap, so stick around.

All right, so Nmap operating system fingerprinting. I get super nerdy about this; I think it's the coolest feature, something that's super fun to look at and learn how it works. So on my Kali Linux tool what I'm going to do is run two different operating system tests: one is going to be toward a Linux server and the other is going to be toward a Windows machine. Now I know these operating systems, but I want to see: is Nmap able to accurately fingerprint them? So let's find out here. If we take a look at our command line, so we're going to come over there. Now if we're going to run the operating system fingerprint, this is a privileged thing, so we do have to do sudo first. Okay, now before I run my test I'm first going to come over to my command line, and this time I'm going to capture this trace file and make sure that I share this with you guys. So let's go ahead and write this out: just going to say dumpcap, going to give it the interface, and there I'm going to give it the name of the capture file, and I added -S so I know that this is the server that I'm fingerprinting. So I'm going to go ahead and get that running in the background, and you're going to start to see packets come in as the Nmap test begins to run.

So let's go ahead and go over to our other command line and let's go ahead and hit enter. So this test can take a few seconds to run. Under the hood we're not just running a TCP scan, but we're also doing some extra stuff with UDP, also ICMP probes, so we're going to go ahead and see how that looks on the wire. Now here we can see with the results right here we were able to identify this operating system. Here we've got a Linux and we got a version there, so that gives us some of those OS details. Now before I do anything else I'm going to come over here and just stop that pcap. All right, so we were able to scan the server; now let's go ahead and scan Windows. All right, so I'm going to come over here and I'm just going to run another pcap, and this time I'm going to do -client, or, this time I'm going to do -w, so that's for Windows. Okay, so just going to get that to run, and I come back over to my command line prompt, I'm going to go ahead and hit that Windows box. All right, so now that that test is finished I'm going to stop that capture. Now if we come back over here we can see that the test was successful: we were able to identify that this is Microsoft Windows 10.

Okay, so we have those two pcaps. I went ahead and included those in the description down below so you can download them and follow right along if you'd prefer. I'm going to go ahead and start with the Windows 10 pcap, so let's go ahead and open that up in Wireshark. Okay, so in OS fingerprinting basically what Nmap is doing is looking at these little values that come back from an operating system stack to try to determine what OS it is. All right, so all OSes have slightly different behaviors in the way that they respond, so things like IP TTL, starting sequence number in TCP, or even the way that they respond to a null or a Xmas scan or other strange flags that we throw at it, that can help us to determine the type of operating system. So to help us learn that, let's go ahead and go to our display filter up here. Let's set a filter for port 135. Everybody remember how to do that? TCP port 135, so let's do tcp.port and we're going to do == 135. Okay, so we're going to focus on this port because that's one of the ports that was open. Once the OS fingerprinting scan finds an open port it starts to poke at it a little bit more to try to further determine what type of operating system it is. Okay, so here we can see that there's several different SYNs that went toward this OS. Now the first one, let's just take a look at this. In fact let's just focus on only the SYNs; let's see what was different about each one of these probes that we sent to this operating system. All right, so what I want to do is I only want to focus on TCP SYNs. There's a handful of ways that we can filter on only SYNs; here's one of them. If we come over here we're just going to do && and we're going to do tcp.flags == 0x002, so hexadecimal 0 0 2. Okay, and that will filter on only the flags that go out. And you might be thinking, Chris, how did you remember 0x002? Well, basically if you select a SYN and you come down to TCP, open that up, go down to Flags, you see the flags 0x002. So I don't want just all packets with SYN; I want the ones with SYN and not ACK. If I said tcp.flags.syn == 1, well, that would show me the SYNs and the SYN/ACKs. I don't want that; I just want these SYNs. So here I can see I've got seven packets that were sent to this open port, and notice that most of them were 100 milliseconds apart. That's also a part of the test, but more on that maybe in another video.

Okay, so let's take a look at this first SYN. You notice up here in the information, I'm just going to blow this up a little bit for you guys. All right, just re-orient myself here. All right, so let's go ahead and see what was different about all these SYNs. Now the first one, this was basically just the stealth scan probe; it was just us knocking on the door and just finding out, is anybody home? Okay, so here we found that there was a response to the SYN. If I filtered on this I'd see a SYN/ACK. But after that, what happens? About a second and a half later I start to probe with a bit more detail here. So if I come to the second packet, you can join me on packet 2107, let's see what was different about this packet. See, that first one I just have an MSS of 1460, window size of 1024. But check this out: packet 2107, here already I start to see some interesting things. All right, my time to live is 43. That's kind of random, right? So I'm sending this out; right in the normal system my outgoing TTL is going to be a full count TTL, and it certainly won't be different like it was in the first packet. Okay, that was 37 in the first packet. If I come to the TCP stuff, let's go ahead and open up that part of the header. If I come down here, let's see what we find here. So first of all I'm sending in the SYN, I'm sending an acknowledgement number. Okay, so my sequence number is here; my acknowledgement number is this, 345959256.

Okay, that's super weird. First of all I don't have an ACK flag at all, so I'm not even indicating that I'm using this ACK number, but really this is strange that I even have it here. In fact even Wireshark's kind of weirded out by it; it's like, hey, wait a second, this acknowledgement number field is non-zero, so what's this all about? That's kind of weird. Well, really what I'm interested in is how does this device respond when I throw it a weird ACK number. Also window size, check that out: one. Okay, if I come down here to options, I'm sending 20 bytes of options, sending a pretty large window scale, my maximum segment size 1460, I'm sending timestamps, I'm sending SACK permitted. Okay, so my goal here is to see how does this device respond. Now each SYN is going to be slightly different in its behavior. In fact, check this out, just look at the different window sizes that I'm sending: 63, 4, 4, 16, 512. If I come over here to my options, I send different MSS sizes, a SACK permitted. Okay, so the question is, how does the device respond to all these? Well, let's go ahead and add our SYN/ACKs. Now for this I'm just going to say tcp.flags, now I want to see what those responses are, so, oops, let's go to .syn and we're going to do == 1. All right. Okay, now in these responses every little value that that operating system comes back with matters to me, from top to bottom, because this is how I can fingerprint that operating system. All right, so let me go up and start with our IP. I'm going to go ahead and go to packet 2108, you can join me there. All right, so first of all he's coming back, he's saying don't fragment, his TTL is 128.

If I come down to TCP, how does he respond? Well, he's starting with this level of, or this range of, sequence number. You see that raw number there? That's something that I'm going to note. The acknowledgement number, he should do plus one on the sequence number that I sent him. But really the window size, so the starting window size, is going to be interesting to me. Okay, then I come down here to the options. Okay, so the MSS size is going to be something interesting to me, the window scale that he uses, the SACK permitted (do we have selective acknowledgement or not), and also notice what's not here. See, when I sent the SYN over there I asked, hey, do you want to do timestamps? And in 2108 we see that come back and there was not a timestamp option. Okay, so all of these things are things I'm going to note: how did he respond to that value, how did he respond to this or that, or what were these little things that he comes back with, all these little values. And then those values are compared against an operating system database that Nmap has. Now I'm going to show you this. Now this is not light reading; in fact I went ahead and linked it down below in the description, you can go down there and hit it if you'd like to. I'm going to show you what that looks like. So let me bring in this operating system database. So right here I went down to the Microsoft Windows area of this very, very large file, and you can see all the different types of operating systems that Nmap is able to enumerate, or to identify. So again, what it does is it takes those responses that it gets from all of those different types of probes, and not just TCP 135, but it's also doing probes with UDP, with ICMP echoes, we're checking out a lot of things and determining how this operating system is responding. Now it takes those responses and it compares them against all these results. Now I told you that this wasn't light reading; this is very detailed, complex stuff that Nmap is looking at here, very subtle things that it's watching for in order to identify an operating system.

Now if you want the gory details, I went ahead and linked in the description down below. Here we can see the TCP/IP fingerprinting methods; this is out on Nmap and it shows all the messy details of the different values that it goes to to try to figure out what an operating system is. So if you ever have insomnia and you can't sleep, definitely recommend you read that. But let's go ahead and go back to our pcap and take a look at a few other things. Okay, so another thing that Nmap's going to do, let's go ahead and take a look at ICMP. All right, so it also sends a few different ICMP requests. Now if you take a look at that first one, check this out. Now if we expand, or if we minimize IP here, we can see IP, it's saying don't fragment. Okay, it's throwing that at it, but here this is yellow. Let's go and see why it's yellow. Well, it says no response seen. That's interesting, because the packet below, in packet 2126, isn't a ping reply. But let's take a look at why. You notice that this is ICMP type 8 code 9. Okay, CCNA, what is ICMP type 8 code 9? Now I don't know if you remember that one on your test, or if you haven't had that test in a while, but basically the network is administratively prohibited, we can't get there. But an unusual one that we would see. So part of this probe is to see how does this device respond to it: do we get a normal ping reply, or do we see a different type of code that we should see coming back? But our point here is we want to see how does that operating system reply. If we keep going, take a look at the next request here. This is just a typical ping; this is an ICMP echo request with a code zero. If I come up here to our IP header values, this time we're not setting any flags, our time to live 54.

So again we start adjusting some of these values, and we are interested in every single bit and byte that comes back from that operating system to try to fingerprint it. Now we're not going to get these kind of results in every single case. Sometimes we're going to get an inconclusive response from Nmap; despite all these tests and probes it's going to do its best to try to fingerprint, but it won't be able to definitively determine which operating system it was. And this is because operating systems change, stacks get adjusted, or maybe it just wasn't able to get enough feedback on these different open ports to make that determination. But we can see how much is actually going on under the hood when it does have an open port: lots of different probes and different protocols to try to determine that operating system. All right, so I hope that this video helped you understand a little further how Nmap does OS fingerprinting. Now there's a whole lot more that we can say about this; definitely invite you to check out that Nmap link that I have in the description down below with all the gory details, go ahead and download that fingerprinting database from Nmap, and of course stay tuned on the channel as we go deeper and deeper into how these Nmap scans work. So thanks for stopping by and I'll see you guys in another video.
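Worked example (added here; this is not code from the video or from the Nmap project). The video reads a SYN/ACK's DF bit, TTL, window size and TCP options off the Wireshark decode and says Nmap compares those against its OS database. The script below does that comparison mechanically: it reduces a SYN/ACK to the T1/OPS/WIN attributes nmap-os-db uses, encodes the option list the way Nmap's O test does (M5B4 for MSS 1460, N for NOP, W8 for window scale 8, S for SACK permitted, T11 for a timestamp with non-zero TSval and TSecr), and scores it against fingerprints written in nmap-os-db syntax. The two fingerprints, the SYN/ACK values and the equal-weight scoring are assumptions for illustration: the real database has many more tests per entry and Nmap weights attributes with its MatchPoints table; the received TTL is used as-is on the assumption that the target is on the same segment, whereas Nmap adds the measured hop distance back before the T test.

```python
"""Added example (not from the video or the Nmap project): reduce a SYN/ACK to
nmap-os-db style attributes and score it against fingerprints.  The fingerprint
values below are constructed for illustration, not copied from nmap-os-db."""
import re

# Constructed fingerprints in nmap-os-db syntax: a "Fingerprint" name line, a
# "Class" line, then test lines like T1(attr=expr%attr=expr).  Hex values in an
# expression may be ranges (7B-85), bounds (>3F) or alternatives (FFFF|FF70).
SAMPLE_OS_DB = """\
Fingerprint Constructed Windows-like host
Class Microsoft | Windows | 10 | general purpose
OPS(O1=M5B4NW8NNS)
WIN(W1=FFFF)
T1(R=Y%DF=Y%T=7B-85%TG=80%S=O%A=S+%F=AS%RD=0%Q=)

Fingerprint Constructed Linux-like host
Class Linux | Linux | 5.X | general purpose
OPS(O1=M5B4ST11NW7)
WIN(W1=FE88)
T1(R=Y%DF=Y%T=3B-45%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
"""


def parse_os_db(text):
    """Parse fingerprint blocks into {'name', 'class', 'tests': {T1: {attr: expr}}}."""
    fps, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('Fingerprint '):
            cur = {'name': line[len('Fingerprint '):], 'class': None, 'tests': {}}
            fps.append(cur)
        elif line.startswith('Class ') and cur is not None:
            cur['class'] = line[len('Class '):]
        elif cur is not None:
            m = re.fullmatch(r'(\w+)\((.*)\)', line)
            if m:  # "R=Y%DF=Y%..." -> {'R': 'Y', 'DF': 'Y', ...}
                cur['tests'][m.group(1)] = dict(
                    item.partition('=')[::2] for item in m.group(2).split('%') if item)
    return fps


def expr_matches(expr, observed):
    """Does one fingerprint expression accept one observed value?"""
    for alt in expr.split('|'):
        if alt == observed:
            return True
        try:
            val = int(observed, 16)
        except ValueError:
            continue  # non-numeric values (Y/N, AS, S+) only match exactly
        rng = re.fullmatch(r'([0-9A-F]+)-([0-9A-F]+)', alt)
        if rng and int(rng.group(1), 16) <= val <= int(rng.group(2), 16):
            return True
        if alt.startswith('>') and val > int(alt[1:], 16):
            return True
        if alt.startswith('<') and val < int(alt[1:], 16):
            return True
    return False


def encode_options(options):
    """Encode a TCP option list as Nmap's O string: M<mss> N W<scale> S T<val><ecr> L."""
    codes = []
    for kind, val in options:
        if kind == 'MSS':
            codes.append('M%X' % val)
        elif kind == 'NOP':
            codes.append('N')
        elif kind == 'WScale':
            codes.append('W%X' % val)
        elif kind == 'SAckOK':
            codes.append('S')
        elif kind == 'Timestamp':  # two digits: TSval non-zero?, TSecr non-zero?
            codes.append('T%d%d' % (val[0] != 0, val[1] != 0))
        elif kind == 'EOL':
            codes.append('L')
    return ''.join(codes)


def observe_synack(ttl, df, window, flags, options):
    """Reduce one SYN/ACK to the subset of T1/OPS/WIN attributes derived here.
    Assumption: target on the local segment, so the received TTL is used as-is;
    Nmap adds the measured hop distance back before the T test."""
    return {
        'T1': {'R': 'Y', 'DF': 'Y' if df else 'N', 'T': '%X' % ttl, 'F': flags},
        'OPS': {'O1': encode_options(options)},
        'WIN': {'W1': '%X' % window},
    }


def score(fp, observed):
    """Fraction of observed attributes the fingerprint accepts (equal weights here;
    Nmap weights each attribute through its MatchPoints table)."""
    hits = total = 0
    for test, attrs in observed.items():
        for attr, val in attrs.items():
            expr = fp['tests'].get(test, {}).get(attr)
            if expr is not None:
                total += 1
                hits += expr_matches(expr, val)
    return hits / total if total else 0.0


def rank_matches(db_text, observed):
    """Return [(score, fingerprint name)] best first."""
    return sorted(((score(fp, observed), fp['name']) for fp in parse_os_db(db_text)),
                  reverse=True)


if __name__ == '__main__':
    # Constructed SYN/ACK shaped like the Windows reply the video walks through:
    # DF set, TTL 128, no timestamp option echoed back.
    win = observe_synack(128, True, 0xFFFF, 'AS',
                         [('MSS', 1460), ('NOP', None), ('WScale', 8),
                          ('NOP', None), ('NOP', None), ('SAckOK', None)])
    for s, name in rank_matches(SAMPLE_OS_DB, win):
        print('%.2f  %s' % (s, name))
```

Run as-is it ranks the constructed Windows-like fingerprint first with a full score and the Linux-like one at 0.5, because only the three attributes that do not depend on the stack (R, DF, F) agree. The mismatches are exactly the fields the video singles out: TTL range, initial window and the option layout, including the missing timestamp option.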
Info
Channel: Chris Greer
Views: 15,408
Keywords: intro to wireshark, wireshark, chris greer, free wireshark training, wireshark for beginners, wireshark tutorial, packet analysis, TCP/IP, ccna, comptia network+, CEH certification, penetration testing, pentest+, nmap tutorial, nmap tutorial for beginners, nmap kali linux, nmap TCP connect scan, nmap stealth scan, security+, CEH, stealth scan, nmap, nmap scan, network vulnerabilities, ocsp, nmap -O, nmap OS Fingerprinting, OS Fingerprinting, ethical hacking, kali linux
Id: dSgHEL-MO3I
Length: 13min 16sec (796 seconds)
Published: Wed Feb 16 2022