Mark Minasi's Tech Forum
JohnP, post #1

SUMMARY:
This is just a quick little script that I pieced together. The goal is to use pure PowerShell to run through a list of computers and try to determine what OS they have.

To do this I am using Test-Connection and pulling back the ResponseTimeToLive. Most of the time the TTL is a default value set by the OS; it can vary by a few digits from time to time depending on network connectivity.

To compensate for the network, in the switch in the code we are using less than or equal and then ordering them ascending, which creates an acceptable range criterion: 0-60 = AIX, 61-64 = Linux, 65-128 = Windows, etc.

Obviously my range does not account for everything; this is crafted for my environment and specifically what I know we have. For instance, TTL 32 is used for very old versions of Windows (95, 98, etc.). I don't care about these, so I'm assuming 0-60 is AIX because it's the lowest value that's applicable to our environment.

The only thing I know of that could make this more accurate would be if we had a way to get the TCP/IP window size. This is usually an OS-dependent default value which we could combine with the TTL to be much more accurate.

REFERENCES:

http://subinsb.com/default-device-ttl-values

https://www.howtogeek.com/104337/hacker-geek-os-fingerprinting-with-ttl-and-tcp-window-sizes/

OS                                   Time To Live   TCP Window Size
Linux (Kernel 2.4 and 2.6)           64             5840
Google Linux                         64             5720
FreeBSD                              64             65535
Windows XP                           128            65535
Windows Vista and 7 (Server 2008)    128            8192
iOS 12.4 (Cisco Routers)             255            4128



Code:

$NAMES  = Get-Content "$ENV:USERPROFILE\desktop\servers.txt"
$REPORT = @()

foreach ($NAME in $NAMES) {
    # One echo request per host; an unreachable host returns nothing, so $T2L is $null
    $T2L = Test-Connection $NAME -Count 1 -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty ResponseTimeToLive

    if ($null -eq $T2L) {
        # Do not let a missing reply fall into the lowest bucket
        $HTTL = "No response"
    } else {
        # "Less than or equal" tests evaluated in ascending order give the ranges
        # 0-60 AIX, 61-64 Linux, 65-128 Windows, 129-255 UNIX
        $HTTL = Switch ($T2L) {
            {$_ -le 60}  {"AIX";     break}
            {$_ -le 64}  {"Linux";   break}
            {$_ -le 128} {"Windows"; break}
            {$_ -le 255} {"UNIX";    break}
        }
    }

    $REPORT += New-Object psobject -Property @{OS=$HTTL; TTL=$T2L; SERVER=$NAME}
}

$REPORT | Export-CSV "$ENV:USERPROFILE\desktop\TTL_RESULTS.csv" -NoTypeInformation -Append

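As an added example (not the OP's script or anything else posted in this thread): the same TTL bucketing written as a function that handles a host that never answers, and that goes one step beyond the post by snapping the observed TTL to the nearest common initial value (64, 128 or 255) to estimate hop distance. Each router on the path decrements the TTL by one, so a reply of 62 is most likely a 64-default host two hops away, and a reply of 60 is either the OP's "AIX" or a Linux box four hops out; the classifier says so rather than hiding it. The "AIX below 60" bucket is the OP's site-specific assumption and is kept as one. The sweep wrapper assumes Windows PowerShell 5.1's ResponseTimeToLive and falls back to the PowerShell 7 shape of the Test-Connection output; the sample TTL values at the bottom are constructed, not captured from any network.

```powershell
# Added example, not the thread's code. Requires Windows PowerShell 3.0+ or PowerShell 7.

function Get-OsGuessFromTtl {
    param([Nullable[int]]$Ttl)

    # No reply (timeout, ICMP filtered, bad name) must not land in a bucket
    if ($null -eq $Ttl) {
        return [pscustomobject]@{ OS = 'No response'; DefaultTtl = $null; Hops = $null }
    }

    # Common initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows), 255 (routers, Solaris/AIX-style UNIX).
    # The observed value sits at or just below the sender's default, so take the
    # smallest default that is >= the observed TTL; the difference is the hop count.
    $default = 64, 128, 255 | Where-Object { $_ -ge $Ttl } | Select-Object -First 1
    $hops    = $default - $Ttl

    $os = switch ($default) {
        64  { 'Linux/BSD' }
        128 { 'Windows' }
        255 { 'UNIX / network device' }
    }

    # The OP's site-specific rule: TTL <= 60 is AIX in that environment.
    # Flag the ambiguity, since it is indistinguishable from a 64-default host 4+ hops away.
    if ($Ttl -le 60 -and $default -eq 64) { $os = 'AIX (or a 64-default host 4+ hops away)' }

    [pscustomobject]@{ OS = $os; DefaultTtl = $default; Hops = $hops }
}

function Invoke-TtlSweep {
    param([string[]]$ComputerName)
    foreach ($name in $ComputerName) {
        # One ICMP echo per host, the same probe the OP uses
        $reply = Test-Connection -ComputerName $name -Count 1 -ErrorAction SilentlyContinue
        $ttl   = $null
        if ($reply -and $reply.PSObject.Properties['ResponseTimeToLive']) {
            $ttl = $reply.ResponseTimeToLive            # Windows PowerShell 5.1 (Win32_PingStatus)
        } elseif ($reply -and $reply.Reply -and $reply.Reply.Options) {
            $ttl = $reply.Reply.Options.Ttl             # PowerShell 7 (System.Net PingReply)
        }
        $guess = Get-OsGuessFromTtl -Ttl $ttl
        [pscustomobject]@{ Server = $name; TTL = $ttl; OS = $guess.OS; Hops = $guess.Hops }
    }
}

# Constructed sample TTLs (assumed, not captured) so the classifier can be exercised offline.
# Live use: Invoke-TtlSweep -ComputerName (Get-Content "$ENV:USERPROFILE\desktop\servers.txt")
$samples = 64, 62, 128, 125, 255, 60, 30, $null
$samples | ForEach-Object {
    $g     = Get-OsGuessFromTtl -Ttl $_
    $label = if ($null -eq $_) { 'none' } else { $_ }
    '{0,-5} {1,-42} default={2,-4} hops={3}' -f $label, $g.OS, $g.DefaultTtl, $g.Hops
}
```

The hop estimate is only as good as the assumption that the target uses one of the three common defaults; a device with a non-standard initial TTL, or a middlebox that rewrites TTLs, will skew both the OS guess and the distance.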
donoli, post #2
Don't forget nmap.  The -A or -O enables OS fingerprinting.
Read the man page for more info 
man nmap
jsclmedave (Administrator), post #3
Quote:
Originally Posted by donoli
Don't forget nmap.  The -A or -O enables OS fingerprinting.
Read the man page for more info 
man nmap


NMAP..???   We're not even supposed to say that out loud...   <If you say NMAP three times into a mirror you will see the F()#&$ disaster your network is>    : )

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

New to the forum? Please Read this
donoli, post #4
I know that you guys don't like to step outside of the world of MS & you don't like to mention anything that might even have a hint of hacking but sometimes it's good to think outside the box.  For example, I finally switched to a non-stick frying pan.  I was a stainless steel die hard.  Now that I'm going to save money on olive oil, I feel better.


Salute,
Donoli
wobble_wobble, post #5
Quote:
Originally Posted by donoli
I know that you guys don't like to step outside of the world of MS & you don't like to mention anything that might even have a hint of hacking ...



Unfortunately, while we accept that Nmap is a tool and only does what we ask, the paranoid non-security "security people" will sack you for saying it.

I thought it was interesting that at the European PowerShell conference most of the white hats and MS people all spoke about being hacked along the lines of
"You've been hacked. It's a matter of when you find out."





__________________
Have you tried turning it off and walking away? The next person can fix it!

New to the forum? Read this
wobble_wobble, post #6
John

Interesting project. And I was curious as to what it would look like...
So I have a device on .200, so I tried a simple Test-Connection.

[screenshot: PS-TestConnectionNoise.JPG]
Quite noisy and would kick off an IDPS or variant.

Your option (was it intentional?) is less noisy.
[screenshot: PS-TestConnectionLessNoise.JPG]
So then I wondered about Nmap.
-Pn scan, assume host is up, no ping... notice the size of the scroll bar.

[screenshot: NMap- -PN scan - Nosiy.JPG]
Stealth scan, no better.
[screenshot: Nmap- -sS Scan - noisy.JPG]
And a bog standard Nmap scan is just as noisy.


I suppose the next version has the ability to look for ports (21, 22, 25, 80, 135, 389, 443, 1433, 3389, 4443, 5985 and 8080).
Which, if you can make it as noiseless as the TTL probe, will greatly reduce the footprint.
[screenshot: PS-TestConnection and Port.JPG]



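An added example, not code from anyone in this thread, for the port check floated in the post above: a pure-PowerShell TCP connect probe built on System.Net.Sockets.TcpClient with a timeout, one connection attempt per port, over the port list from the post. It runs against loopback so it works offline; the target, the timeout and the service labels are assumptions. Whether it counts as "noiseless" depends on what is watching: each port still receives one SYN, a closed port answers with a RST, a filtered port answers nothing and the wait times out, and an open port completes the full three-way handshake before the socket is closed.

```powershell
# Added example, not the thread's code. Works on Windows PowerShell 3.0+ and PowerShell 7.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 500      # assumed default; raise it for WAN targets
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'Error'
        try {
            # One SYN per port; the async form lets us bound the wait ourselves
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                try {
                    $client.EndConnect($async)          # handshake completed
                    $state = 'Open'
                } catch {
                    $state = 'Closed'                   # RST came back (connection refused)
                }
            } else {
                $state = 'Filtered/Timeout'             # no SYN-ACK and no RST within the timeout
            }
        } catch {
            $state = "Error: $($_.Exception.Message)"   # e.g. name did not resolve
        } finally {
            $client.Close()                             # tears down an open connection or abandons the pending one
        }
        [pscustomobject]@{ Server = $ComputerName; Port = $p; State = $state }
    }
}

# The port list from the post above
$PortList = 21, 22, 25, 80, 135, 389, 443, 1433, 3389, 4443, 5985, 8080

# Loopback keeps the example offline; for real use feed the same servers.txt list as the TTL script:
#   Get-Content "$ENV:USERPROFILE\desktop\servers.txt" | ForEach-Object { Test-TcpPort -ComputerName $_ -Port $PortList }
Test-TcpPort -ComputerName '127.0.0.1' -Port $PortList -TimeoutMs 300 | Format-Table -AutoSize
```

Test-NetConnection -Port does the same TCP connect on Windows 8 / Server 2012 and later, but it also sends an ICMP echo first and checks one port per call, which is more traffic and slower per host than the function above.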
donoli, post #7
The OP was about OS fingerprinting, not about being noisy or causing an alert.   None of your nmap tests used the OS fingerprinting switches.  A stealth scan just runs the queries more slowly.  The size of the scroll bar will stay the same.  All your tests used a SYN scan.  We didn't even talk about an ACK scan.  Either way, all that digresses from the OP.
wobble_wobble, post #8
donoli

Still don't know your name...

While yes, the original was about fingerprinting the OS, I was curious... hence why I did the looking.
I don't think, and I did pose the question, that the original project was expected to be so damn quiet.
2 packets.
From that we have an alive client and its OS type.
That's impressive.

I did pose another question
Quote:


I suppose next version has ability to look for ports (21, 22, 25, 80, 135, 389, 443, 1433, 3389, 4443, 5985 and 8080)


Which I'm also looking at myself.


Now donoli a question for you, what nmap scan should I use?


donoli, post #9
Quote:
what nmap scan should I use?


I don't know why you are asking since I doubt that you intend to use it, but the answer is that it really depends on your goal.  Nmap is very versatile.   To scan for the ports that you mentioned the command could be
nmap -PS21,22,25,80,135,389,443,1433,3389,4443,5985,8080 target_IP -oN output_file

or

nmap -p21,22,25,80,135,389,443,1433,3389,4443,5985,8080 target_IP -oN output_file


To scan all ports: nmap -p- target_IP -oN output_file.  A scan like that would take hours since it would scan all 65535 ports.

wobble_wobble, post #10
Quote:
Originally Posted by donoli


I don't know why you are asking .....



What I'm asking is what Nmap scan I can run that will
confirm it's a live host
and give the live host's OS flavour

with a single packet sent.

As per the OP's project.

Needed a few minutes to do the scan...

[screenshot: ps scan.JPG]

Technical term - "noisy as a white house press secretary"


donoli, post #11
I understand what you are saying now.  Nmap can't fingerprint an OS with a single packet. I found a .pdf that discusses that concept.  However, I haven't read it.  I'll read it sooner or later but not right now.

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.499.3411&rep=rep1&type=pdf

That's it if you want to take the time to read it.
jsclmedave (Administrator), post #12
Quote:
Originally Posted by donoli
I know that you guys don't like to step outside of the world of MS & you don't like to mention anything that might even have a hint of hacking but sometimes it's good to think outside the box.  For example, I finally switched to a non-stick frying pan.  I was a stainless steel die hard.  Now that I'm going to save money on olive oil, I feel better.


Salute, Donoli


Not sure that we have ever met.  I am positive you have not met John and this IS the PowerShell forum so your assumptions are a bit off as well as the rest of your comments.

You've literally left us scratching our heads asking "what is he talking about...?"



jsclmedave (Administrator), post #13
Quote:
Originally Posted by donoli
The OP was about OS fingerprinting not about being noisy or causing an alert.   None of your nmap tests used the used OS fingerprinting switches.  A stealth scan just runs the queries more slowly.  The size of the scroll bar will stay the same.  All your tests used a syn scan.  We didn't even talk about a ack scan.  Either way, all that digresses from the OP.


The OP was literally a proof of concept to see if TTL OS discovery was plausible using pure PowerShell (no modules or 3rd party tools), and honestly this was just an experiment.

We have several lists that we are testing against and this was just an additional sanity check.

We were not even aware of the subtlety of the scan we were using.  That was a pure accidental plus!  : )





donoli, post #14
I never said that the OP was wrong.  I just mentioned another option.  That's all.
wobble_wobble, post #15
Quote:
Originally Posted by jsclmedave


The OP was literally a proof of concept to see if TTL OS discovery was plausible using pure PowerShell (no modules or 3rd party tools), and honestly this was just an experiment.

We have several lists that we are testing against and this was just an additional sanity check.

We were not even aware of the subtlety of the scan we were using.  That was a pure accidental plus!  : )



Then I claim it as mine! Ahaaaarrrr said the pirate
