Vulnerability Scanner - OS Identification - TTL and Nmap methods

1. Nmap recognizes the OS

The most common way to identify the operating system is TCP/IP protocol stack fingerprinting, which uses the characteristics of a system's TCP/IP stack implementation to identify the operating system.

This method finds the differences in how operating systems process network packets and combines these differences into a fingerprint that identifies the target device's operating system version. The fields involved include the TTL, the DF flag, the window size, the ACK value, the sequence number, the ICMP address mask request, the response to a FIN packet, the response to a SYN packet with invalid flags, the ISN (Initial Sequence Number), etc.

The following figure is a partial screenshot of the Nmap fingerprint identification library:
Nmap Fingerprinting Library
Fingerprinting based on the TCP/IP protocol stack is relatively complicated to implement: the scanner constructs and sends eight different probe packets to the target host, computes specific fields from the returned messages, and matches the results against the fingerprint library. The detection result of this method is more accurate and yields more detailed operating system information.

This part is implemented by calling Nmap, and the implementation code is as follows:

# _*_  coding:utf-8 _*_
import nmap   # python-nmap, a wrapper around the nmap binary
import time

def os_scan_nmap(ip):

    # Instantiate the python-nmap scanner class
    nm = nmap.PortScanner()

    try:
        # Call nmap with -O to fingerprint the operating system
        # (-O needs raw-socket privileges, so run as root/administrator)
        result = nm.scan(hosts=ip, arguments='-O')
        # nmap keys its results by the resolved address, so look the host up
        # that way rather than by the name or address we were given
        host = nm.all_hosts()[0]
        # Extract the best OS match and its accuracy from the result dict
        match = result['scan'][host]['osmatch'][0]
        os_name = match['name'] + " (accuracy: " + match['accuracy'] + "%)"
        time.sleep(0.1)
        return os_name

    except (nmap.PortScannerError, KeyError, IndexError):
        # No osmatch entry: nmap needs at least one open and one closed port
        # to produce a fingerprint, and a host that is down yields no entry
        print(ip)
        return "Warning: test conditions non-ideal. we could not find at least 1 open and 1 closed port"

def os_scan_nmap_list(iplist):
    for ip in iplist:
        print(os_scan_nmap(ip))

if __name__ == '__main__':
    ip = "36.152.147.7"
    print(os_scan_nmap(ip))

    # iplist = ["192.168.1.108", "www.baidu.com"]
    # os_scan_nmap_list(iplist)

The running result is shown in the figure:

2. The TTL field identifies the OS

Compared with the Nmap detection method, the TTL detection method is simpler and faster.

TTL (Time To Live) is the "time to live" of a packet: it indicates how many hops a packet may pass through before it is discarded.

The default TTL values of different operating systems are often different. The TTL values of common operating systems are shown in the following table:

Operating system      Default TTL
Windows 2000          108
Windows NT            107
Windows 9x            127/128
Windows 7             64
Windows 95/98         32
Linux                 64
Solaris               252
IRIX                  240
Cisco 12.0 2514       255
AIX                   247

The implementation code of this part is as follows:

# _*_  coding:utf-8 _*_

import logging
from scapy.all import IP, ICMP, sr1, RandShort

# Silence scapy's runtime warnings so only our own output is printed
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

'''
Operating system detection using the TTL value

win2000---->108
winNT------>107
win9x------>128 or 127
WIN7------->64
WINDOWS 95/98 --> 32
solaris---->252
IRIX------->240
AIX------->247
Linux----->64
'''

def os_scan_ttl(ip):

    # Send one ICMP echo request and wait up to 1 s for the reply, retrying twice.
    # sr1 needs raw-socket privileges, so run this as root.
    ans = sr1(IP(dst=ip)/ICMP(id=RandShort()), timeout=1, retry=2, verbose=0)

    print(ip)

    # Note: the reply's TTL has already been decremented once per router on the
    # path, so the exact-value branches below only match when the path length
    # happens to fit the table; the <= 64 branch absorbs that for Linux/Unix.
    if not ans:
        ip_for_os = "OS type: " + "None"
    elif ans[IP].ttl <= 64:
        ip_for_os = "OS type: " + "Linux or Unix"
    elif ans[IP].ttl == 108:
        ip_for_os = "OS type: " + "Windows 2000"
    elif ans[IP].ttl == 107:
        ip_for_os = "OS type: " + "Windows NT"
    elif ans[IP].ttl == 127:
        ip_for_os = "OS type: " + "Windows 9x"
    elif ans[IP].ttl == 252:
        ip_for_os = "OS type: " + "Solaris"
    elif ans[IP].ttl == 128:
        ip_for_os = "OS type: " + "Windows XP"
    else:
        ip_for_os = "OS type: " + "Unix"

    return ip_for_os

def os_scan_ttl_list(iplist):
    for ip in iplist:
        print(os_scan_ttl(ip))

if __name__ == '__main__':
    print(os_scan_ttl("www.baidu.com"))

    # iplist = ["192.168.1.108", "www.aliyun.com"]
    # os_scan_ttl_list(iplist)
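
Because a reply's TTL is decremented at every router, exact comparisons such as "== 108" stop matching once the target sits more than a few hops away. The following added example (not code from the original post) instead infers the sender's default TTL by rounding the observed value up to the nearest common default (64, 128 or 255) and reports the implied hop count; it runs offline on constructed sample replies rather than live traffic, and the three-default table and the 30-hop plausibility limit are assumptions.

```python
# Added example: TTL classification that compensates for per-hop decrement.
# Sample values below are constructed, not captured from a real network.

# Assumption: only the three most common default initial TTLs are considered.
DEFAULT_TTLS = {
    64: "Linux/Unix",
    128: "Windows",
    255: "Network device / Solaris / legacy Unix",
}

def infer_initial_ttl(observed_ttl):
    """Return the smallest common default TTL >= observed_ttl, or None."""
    if not 1 <= observed_ttl <= 255:
        return None
    for default in sorted(DEFAULT_TTLS):
        if observed_ttl <= default:
            return default
    return None

def classify_ttl(observed_ttl, max_hops=30):
    """Map an observed reply TTL to (os_family, initial_ttl, hops).

    If the inferred default would imply more than max_hops hops, the guess
    is implausible and the reply is reported as unknown.
    """
    initial = infer_initial_ttl(observed_ttl)
    if initial is None:
        return ("unknown", None, None)
    hops = initial - observed_ttl
    if hops > max_hops:
        return ("unknown", initial, hops)
    return (DEFAULT_TTLS[initial], initial, hops)

# Constructed sample of (source, reply TTL) pairs as a passive sensor might log.
SAMPLE_REPLIES = [
    ("10.0.0.5", 64),    # Linux host on the local segment, 0 hops
    ("10.0.3.20", 61),   # Linux host three hops away
    ("10.0.5.9", 117),   # Windows host eleven hops away
    ("10.0.0.1", 255),   # router on the local segment, 0 hops
    ("10.0.9.77", 200),  # would need 55 hops from 255: implausible
]

def classify_sample(replies=SAMPLE_REPLIES):
    """Classify every sample reply; returns {source: (family, initial, hops)}."""
    return {src: classify_ttl(ttl) for src, ttl in replies}

if __name__ == "__main__":
    for (src, ttl), (family, initial, hops) in zip(SAMPLE_REPLIES, classify_sample().values()):
        print(f"{src:10} ttl={ttl:3}  -> {family} (default {initial}, {hops} hops)")
```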

The running result is shown in the figure below:

Origin blog.csdn.net/qq_43619058/article/details/125123146