Today I was tasked with doing some passive OS detection on a network where I actually had to be somewhat stealthy. I had gotten into the gateway, but I actually needed one of the other boxes on the network in order to get to the file server due to firewalling/routing. I knew they were running IDS on a few different boxes on this subnet and I didn’t want to trip them, so I had to ponder for a bit and came up with this…

Because I was on the gateway, I could see the traffic crossing it. By running p0f there I could sit and watch and, eventually, learn the OS of each box from its normal traffic. That would have taken far too long, though, so I needed to speed things up.

I wrote a quick and dirty script to execute p0f and sanitize the output:

#!/usr/bin/perl
use strict;
use warnings;

# Run p0f in RST+ mode (-R) on eth1, quiet (-q) and without the
# distance/link-media details (-N), and read its output as it appears.
open(my $p0f, '-|', 'p0f', '-i', 'eth1', '-q', '-N', '-R')
    or die "cannot run p0f: $!";

my %seen;   # report each source host only once
while (<$p0f>) {
    # p0f prints "<ip>:<port> - <OS guess> ..."; keep the IP and the guess
    next unless /^(.*?):\d+.*?\-\s+(.*)/;
    next if $seen{$1}++;
    print "$1 - $2\n";
}
close($p0f);

(Like I said, quick and dirty.. :-P )

What this does is watch for RST+ACK packets (p0f’s -R mode; this is p0f 2.x syntax, which p0f 3 dropped) and fingerprint the TCP/IP stack that sent each one from the packet’s header details, printing each source host once. What I needed to do next was generate those RST+ACK packets without giving myself away.

I had a few choices. A host answers a SYN sent to a closed port with a RST+ACK, so I could easily write something to fire one SYN at every box…

#!/usr/bin/perl
use strict;
use warnings;
use Net::RawIP;

# Pick a random dotted-quad to use as the spoofed source address.
# (Quick and dirty: this can hand back reserved or multicast addresses.)
sub randip {
    return join('.', map { int rand 256 } 1 .. 4);
}

die "Usage: $0 network port source_port\nExample: $0 10.0.0 123 80\n"
    unless @ARGV == 3;

my ($net, $dport, $sport) = @ARGV;
my $syn = Net::RawIP->new;

print "Firing packets...\n";

# One SYN per host in the /24 (.1 to .254, the broadcast address left out).
# Closed ports answer with RST+ACK, which p0f on the gateway fingerprints.
for my $i (1 .. 254) {
    my $dest = "$net.$i";
    print "$dest\n";
    $syn->set({
        ip  => { daddr => $dest,  saddr  => randip() },
        tcp => { dest  => $dport, source => $sport, syn => 1 },
    });
    $syn->send;
}

But it would (probably) require installing the Net::RawIP module, plus I’d have to actually write and test it, yadda yadda.. so I went with nmap, my trusty old friend that is installed, or one package away, on pretty much every Linux distro these days.
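The packet both of those tools put on the wire is simple enough to build by hand. Here is an added example (mine, not code from the post or from either tool) in Python that assembles the spoofed IPv4+TCP SYN with correct checksums, parses it back to check them, and builds the same one-SYN-per-host sweep. The addresses and ports are the ones from the nmap line below; nothing here comes from the original Perl script. Sending needs root and a raw socket (send_raw), which the example defines but does not call:

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(saddr, daddr, sport, dport, seq=0, ttl=64, ident=0):
    """IPv4 header + 20-byte TCP header with only SYN set, no payload.
    saddr can be anything: nothing stops us writing 128.8.5.2 there."""
    src, dst = socket.inet_aton(saddr), socket.inet_aton(daddr)
    # sport, dport, seq, ack, data offset (5 words << 4), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)
    # the TCP checksum also covers a pseudo-header of addresses, protocol, length
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # version 4 / IHL 5, TOS, total length, id, flags+frag, TTL, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ident, 0, ttl,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def verify(packet: bytes) -> dict:
    """Parse a packet from build_syn back into its fields and re-check both
    checksums (a header with a valid checksum re-sums to zero)."""
    ip, tcp = packet[:20], packet[20:40]
    src, dst = ip[12:16], ip[16:20]
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return {
        "saddr": socket.inet_ntoa(src),
        "daddr": socket.inet_ntoa(dst),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "flags": tcp[13],            # 0x02 == SYN only
        "ip_csum_ok": checksum(ip) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def sweep(network, dport, spoofed_src, sport):
    """One SYN per host of a /24, what the Perl loop and the nmap line do.
    Closed ports answer RST+ACK toward spoofed_src, past the gateway."""
    return [build_syn(spoofed_src, "%s.%d" % (network, i), sport, dport, ident=i)
            for i in range(1, 255)]


def send_raw(packets):
    """Put the packets on the wire as built. Needs root; IP_HDRINCL tells the
    kernel to keep our IP header instead of writing its own."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        for pkt in packets:
            s.sendto(pkt, (socket.inet_ntoa(pkt[16:20]), 0))


if __name__ == "__main__":
    pkts = sweep("10.0.0", 123, "128.8.5.2", 53)   # values from the nmap line
    print(len(pkts), "packets; first one:", verify(pkts[0]))
    # send_raw(pkts)   # only on a network where you are allowed to do this
```

The spoofed address is just four bytes we choose; the only thing that makes the packet acceptable to the target is the checksum, which is why verify() recomputes it rather than trusting the builder.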

$ ./0day nmap -sS -S 128.8.5.2 -p123 -g 53 -e eth1 -PN 10.0.0.* -T2

This tells nmap to do a SYN scan with the source address spoofed as 128.8.5.2 (a root nameserver), to port 123 (ntp) from source port 53 (dns), over interface eth1, skipping host discovery (-PN), against the 10.0.0.* subnet at polite timing (-T2, roughly 0.4 seconds between probes). Because of the timing, because each box gets a single packet, and because the ports used look like ordinary infrastructure chatter, I expected the probes to go unnoticed. I had to spoof the source because it would have been obvious that something was up if the gateway suddenly started firing SYNs at the whole subnet. Two things to keep in mind with this setup: the RST+ACKs are routed back toward 128.8.5.2, which is exactly why the sniffer on the gateway sees them, while nmap itself never gets a reply and will report every port as filtered; and since nmap treats those unanswered probes as lost it will retransmit them unless you add --max-retries 0, which keeps it to one SYN per host.
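Whether those 254 SYNs really go unnoticed depends on what the IDS counts, not on how each packet looks on its own. One source address hitting one port on many hosts is a textbook horizontal sweep, and a plain sliding-window counter flags it. The following is an added example (mine, not from the post) in Python: it parses tcpdump-style one-line summaries, keeps, per (source, destination port), a window of the distinct destination hosts seen, and alerts once a threshold is crossed. The traces are constructed by make_trace, not captured; 0.4 s between probes stands in for -T2, 5 s for adding --scan-delay 5s, and the window and threshold values are assumptions, not any product’s defaults:

```python
import re
from collections import defaultdict, deque

# tcpdump -n summary line: "HH:MM:SS.ffffff IP src.sport > dst.dport: Flags [S], ..."
LINE = re.compile(
    r"^(\d+):(\d+):(\d+)\.(\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def parse(line):
    """Return the fields of one summary line, or None if it is not a TCP line."""
    m = LINE.match(line)
    if not m:
        return None
    h, mi, s, frac = (int(x) for x in m.group(1, 2, 3, 4))
    return {
        "t": h * 3600 + mi * 60 + s + frac / 10 ** len(m.group(4)),
        "src": m.group(5), "sport": int(m.group(6)),
        "dst": m.group(7), "dport": int(m.group(8)),
        "flags": m.group(9),
    }


def find_sweeps(lines, window=60.0, threshold=20):
    """Horizontal-sweep detector: alert once per (src, dport) when bare SYNs
    from that source have reached `threshold` distinct hosts within `window`
    seconds. Returns [(key, distinct_hosts, time_of_alert), ...]."""
    recent = defaultdict(deque)          # (src, dport) -> deque[(t, dst)]
    alerted, alerts = set(), []
    for line in lines:
        p = parse(line)
        if p is None or p["flags"] != "S":   # only bare SYNs, not SYN+ACK or RST
            continue
        key = (p["src"], p["dport"])
        q = recent[key]
        q.append((p["t"], p["dst"]))
        while q and p["t"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key, len(hosts), p["t"]))
    return alerts


def make_trace(delay, n=254, src="128.8.5.2", sport=53, net="10.0.0", dport=123):
    """Constructed (not captured) tcpdump-style lines: one SYN per host of the
    /24 from the spoofed source, `delay` seconds apart, as the nmap line sends."""
    lines = []
    for i in range(1, n + 1):
        t = (i - 1) * delay
        h, rem = divmod(t, 3600)
        m, s = divmod(rem, 60)
        lines.append("%02d:%02d:%09.6f IP %s.%d > %s.%d.%d: Flags [S], seq 0, win 8192, length 0"
                     % (h, m, s, src, sport, net, i, dport))
    return lines


if __name__ == "__main__":
    print("-T2 (0.4 s apart):   ", find_sweeps(make_trace(0.4)))
    print("5 s apart, 60 s win: ", find_sweeps(make_trace(5.0)))
    print("5 s apart, 600 s win:", find_sweeps(make_trace(5.0), window=600, threshold=100))
```

At -T2 the twentieth host is reached after about eight seconds, so a one-minute window catches the sweep almost immediately; stretching the probes to five seconds apart stays under a 20-host-per-minute threshold but is still caught by a ten-minute window. Stealth here is a question of the scan delay against the detector’s window, and you do not get to see the window.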

My little script shows me this:

$ ./0day ./sniff.pl
10.0.0.x - Linux recent 2.4 (dropped)
10.0.0.x - Windows XP/2000 (refused)
10.0.0.x - FreeBSD 4.8 (refused) (firewall!)
10.0.0.x - Windows XP/2000 (refused)
10.0.0.x - Windows XP/2000 (refused)
10.0.0.x - Windows XP/2000 (refused)
10.0.0.x - FreeBSD 4.8 (refused)
10.0.0.x - FreeBSD 4.8 (refused) (firewall!)
10.0.0.x - FreeBSD 4.8 (refused) (firewall!)
10.0.0.x - FreeBSD 4.8 (refused) (firewall!)
10.0.0.x - Linux recent 2.4 (refused)
10.0.0.x - Windows XP/2000 (refused)
10.0.0.x - Windows XP/2000 (refused)
10.0.0.x - Windows XP/2000 (refused)

I know that the workstations are running XP, so those are the ones that I want to target. Once I’m able to gain access to a workstation, I will have access to the subnet that the file server resides on. Additionally, I could look for any SQL databases running and attempt to access the subnet through that, or a web server, or, or, or, but workstations are generally the easiest to compromise, so I always start with them when possible.

  1. Erik says:

    Hey Matt, great stuff. I always get giddy when you start scripting :) Just started watching some videos on ngrep. Have you used it for anything before?

  2. Matt says:

    @Erik: Haha.. giddy, eh? I hope I have that effect on others as well.. ;-)

    I’ve used ngrep a few times and I should probably use it more.. but generally I use tcpdump + perl.. lol

    Maybe I’ll spend some time playing with ngrep today

  3. Erik says:

    i figured you would (in reference to the perl/tcpdump). and yea, giddy like a kid in a candy shop loving all the programming goodness.
