Xprobe2


Description

Xprobe2 is a remote active operating system fingerprinting tool: it sends crafted ICMP, TCP and UDP probes to a target and matches the responses against a signature database, reporting the best-scoring operating systems. Its announced successor is Xprobe-ng (aka Xprobe2++).

Xprobe ----> Xprobe2 ----> Xprobe-ng (aka Xprobe2++)
(2001)       (2005)         (2009)

Installation

Prerequisites

You will need libpcap:

$ sudo apt-get install libpcap0.8-dev

You will also need g++-4.1, since Xprobe2 0.3 does not build with newer GCC releases:

$ sudo apt-get install g++-4.1

Installation of Xprobe2

$ cd /data/src/
$ wget http://downloads.sourceforge.net/project/xprobe/xprobe2/Xprobe2%200.3/xprobe2-0.3.tar.gz
$ tar xzvf xprobe2-0.3.tar.gz
$ cd xprobe2-0.3/
$ ./configure CC=gcc-4.1 CXX=g++-4.1
$ make
$ sudo make install

Usage

Basic syntax

$ xprobe2 [options] target

Options

-v
Be verbose
-r
Show route to target (traceroute-like output)
-p <proto:portnum:state>
Specify portnumber (1-65535), protocol (tcp|udp) and state (closed|open).
Example: tcp:23:open, UDP:53:CLOSED
-c <configfile>
Specify config file to use.
-h
Print this help.
-o <fname>
Use logfile to log everything.
-t <time_sec>
Set receive timeout in seconds (default: 10 seconds)
-s <send_delay>
Set packet sending delay (milliseconds).
-d <debuglv>
Specify debugging level.
-D <modnum>
Disable module number <modnum>.
-M <modnum>
Enable module number <modnum>.
-L
Display modules.
-m <numofmatches>
Specify number of matches to print.
-T <portspec>
Enable TCP portscan for specified port(s).
Example: -T21-23,53,110
-U <portspec>
Enable UDP portscan for specified port(s).
-f
Force fixed round-trip time (-t opt).
-F
Generate signature (use -o to save to a file).
-X
Generate XML output and save it to logfile specified with -o.
-B
Force the TCP handshake module to blindly guess an open TCP port by probing commonly used ports.
-A
Perform analysis of sample packets gathered during portscan in order to detect suspicious traffic (i.e. transparent proxies, firewalls/NIDSs resetting connections).
Use with -T.

Examples

Fingerprinting of a Linux machine

$ sudo xprobe2 -v 192.168.100.1
sudo: cannot get working directory

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]

[+] Target is 192.168.100.1
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 192.168.100.1. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 192.168.100.1. Module test failed
[-] No distance calculation. 192.168.100.1 appears to be dead or no ports known
[+] Host: 192.168.100.1 is up (Guess probability: 50%)
[+] Target: 192.168.100.1 is alive. Round-Trip Time: 0.00224 sec
[+] Selected safe Round-Trip Time value is: 0.00448 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.22" (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.23" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.21" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.20" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.19" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.24" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.25" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.26" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.27" (Guess probability: 100%)
[+] Host 192.168.100.1 Running OS: "Linux Kernel 2.4.28" (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

On the target (192.168.100.1), uname shows a kernel that differs from every guess Xprobe2 reported with 100% probability. That figure is a match score against the signature database, not a confidence estimate: with no TCP or UDP ports known, only the ICMP modules contributed, and the ten 2.4.x signatures score identically because they are indistinguishable on those probes, a behaviour this 2.6 kernel evidently shares:

$ uname -a
Linux aldeid 2.6.26-2-686 #1 SMP Thu Nov 25 01:53:57 UTC 2010 i686 GNU/Linux

Fingerprinting of a Windows machine

The following scan is run against a Windows XP SP3 box. Again no ports are known, so only the ICMP modules contribute, and the primary guess (Windows 2003 Server) is wrong:

$ sudo xprobe2 -v 10.1.1.2
sudo: cannot get working directory

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]

[+] Target is 10.1.1.2
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.1.1.2. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.1.1.2. Module test failed
[-] No distance calculation. 10.1.1.2 appears to be dead or no ports known
[+] Host: 10.1.1.2 is up (Guess probability: 50%)
[+] Target: 10.1.1.2 is alive. Round-Trip Time: 0.00039 sec
[+] Selected safe Round-Trip Time value is: 0.00079 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 100%)
[+] Other guesses:
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Workstation SP1" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Workstation SP3" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Workstation SP4" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

Port scan

Passing a TCP port list with -T lets the portscan module find open ports, which in turn lets the TCP handshake and SMB fingerprinting modules run instead of aborting. Same Windows XP SP3 target as above:

$ sudo xprobe2 -T 21-25,137,139,445,80,3128,8080 10.1.1.2
sudo: cannot get working directory

Xprobe2 v.0.3 Copyright (c) 2002-2005 [email protected], [email protected], [email protected]

[+] Target is 10.1.1.2
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping  -  ICMP echo discovery module
[x] [2] ping:tcp_ping  -  TCP-based ping discovery module
[x] [3] ping:udp_ping  -  UDP-based ping discovery module
[x] [4] infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan  -  TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x] [12] fingerprint:smb  -  SMB fingerprinting module
[x] [13] fingerprint:snmp  -  SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.1.1.2. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.1.1.2. Module test failed
[-] No distance calculation. 10.1.1.2 appears to be dead or no ports known
[+] Host: 10.1.1.2 is up (Guess probability: 50%)
[+] Target: 10.1.1.2 is alive. Round-Trip Time: 0.00081 sec
[+] Selected safe Round-Trip Time value is: 0.00161 sec

[+] Portscan results for 10.1.1.2:
[+]  Stats:
[+]   TCP: 3 - open, 2 - closed, 6 - filtered
[+]   UDP: 0 - open, 0 - closed, 0 - filtered
[+]   Portscan took 78.76 seconds.
[+]  Details:
[+]   Proto     Port Num.       State           Serv. Name
[+]   TCP       80              open            www
[+]   TCP       139             open            netbios-ssn
[+]   TCP       445             open            microsoft-ds
[+]   TCP       3128            closed          N/A
[+]   TCP       8080            closed          http-alt
[+]  Other TCP ports are in filtered state.
[+] SMB [Native OS: Windows 5.1] [Native Lanman: Windows 2000 LAN Manager] [Domain: WORKGROUP]
[+] SMB [Called name: OOPS-4604F61946] [MAC: 08:00:27:79:76:40]
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 10.1.1.2 Running OS: "Microsoft Windows XP SP2" (Guess probability: 97%)
[+] Other guesses:
[+] Host 10.1.1.2 Running OS: "Microsoft Windows XP SP1" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows XP" (Guess probability: 100%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Server Service Pack 4" (Guess probability: 97%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Server Service Pack 3" (Guess probability: 97%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 95%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 95%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Server Service Pack 2" (Guess probability: 95%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 95%)
[+] Host 10.1.1.2 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 95%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

With open ports known, the SMB module supplies the strongest evidence: "Native OS: Windows 5.1" is the NT kernel version of Windows XP, which is the correct answer, and the MAC prefix 08:00:27 is the VirtualBox OUI, so the target is a virtual machine. The fingerprint still says XP SP2 rather than SP3 because the 0.3 signature database cannot contain an XP SP3 entry: SP3 (2008) postdates the last Xprobe2 release (2005). The lesson for practice is to always hand Xprobe2 some ports (-T, or -p if you already know one), and to read the SMB banner alongside the guess rather than trusting the percentage.
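
As an added example (not code from the page or from the Xprobe2 project), the following POSIX shell script wraps the runs shown above: it invokes xprobe2 with a -T port list and an -o log by default, then reduces the log to the fields worth keeping (primary guess and its score, open TCP ports, the SMB Native OS banner, and the number of failed modules). The default port list, the log file name, and the assumption that the -o log mirrors the console output are mine; the embedded sample log is a constructed excerpt of the port-scan run above so the summariser can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original page or of the Xprobe2 project):
# a wrapper that runs xprobe2 0.3 with the options that make its guesses
# useful, plus an awk summariser for the text output it produces.
# Assumptions: xprobe2 is on PATH, raw sockets need root (hence sudo), and
# the -o logfile mirrors the console output shown on the page.

# Run xprobe2 against one target. The TCP port list given to -T lets the
# portscan, tcp_hshake and smb modules run instead of aborting for lack of
# known ports, which is what turned "Windows 2003 Server" into "Windows XP"
# in the page's examples. The default port list is an assumption, not xprobe2's.
xprobe2_scan() {
    target=$1
    log=${2:-"xprobe2-$target.log"}
    ports=${3:-"21-25,80,135,139,443,445,3128,8080"}
    sudo xprobe2 -v -T "$ports" -o "$log" "$target"
}

# Reduce an xprobe2 log (file arguments or stdin) to key=value lines:
# the primary OS guess and its score, open TCP ports, the SMB "Native OS"
# banner (the most reliable field when port 139/445 is open) and the number
# of "[-]" lines, i.e. how many modules gave no evidence at all.
xprobe2_summarize() {
    awk '
        /^\[-\]/ { failed++ }
        /Primary guess:/ { want_primary = 1; next }
        want_primary && /Running OS:/ {
            match($0, "\"[^\"]*\"")
            primary = substr($0, RSTART + 1, RLENGTH - 2)
            match($0, /probability: [0-9]+%/)
            prob = substr($0, RSTART + 13, RLENGTH - 13)
            want_primary = 0
        }
        /^\[[+]\] +TCP +[0-9]+ +open/ { open_tcp = open_tcp (open_tcp ? "," : "") $3 }
        /SMB \[Native OS:/ { sub(/.*Native OS: /, ""); sub(/\].*/, ""); smb = $0 }
        END {
            printf "primary=%s\n", primary
            printf "probability=%s\n", prob
            printf "open_tcp=%s\n", open_tcp
            printf "smb_native_os=%s\n", smb
            printf "failed_modules=%d\n", failed
        }
    ' "$@"
}

# Constructed sample: an excerpt of the page's own port-scan run against
# 10.1.1.2, embedded so the summariser can be exercised without a network.
xprobe2_sample_log() {
    cat <<'EOF'
[+] Target is 10.1.1.2
[-] ping:tcp_ping module: no closed/open TCP ports known on 10.1.1.2. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 10.1.1.2. Module test failed
[-] No distance calculation. 10.1.1.2 appears to be dead or no ports known
[+] Host: 10.1.1.2 is up (Guess probability: 50%)
[+] Portscan results for 10.1.1.2:
[+]   Proto     Port Num.       State           Serv. Name
[+]   TCP       80              open            www
[+]   TCP       139             open            netbios-ssn
[+]   TCP       445             open            microsoft-ds
[+]   TCP       3128            closed          N/A
[+]   TCP       8080            closed          http-alt
[+] SMB [Native OS: Windows 5.1] [Native Lanman: Windows 2000 LAN Manager] [Domain: WORKGROUP]
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 10.1.1.2 Running OS: "Microsoft Windows XP SP2" (Guess probability: 97%)
[+] Other guesses:
[+] Host 10.1.1.2 Running OS: "Microsoft Windows XP SP1" (Guess probability: 100%)
[+] Execution completed.
EOF
}

# Summarise the embedded sample (no network access or root needed).
xprobe2_demo() {
    xprobe2_sample_log | xprobe2_summarize
}

# With a target argument: scan, then summarise the log. Without: run the demo.
if [ "$#" -gt 0 ]; then
    xprobe2_scan "$@" && xprobe2_summarize "${2:-xprobe2-$1.log}"
else
    xprobe2_demo
fi
```

`sh xprobe2_wrap.sh 10.1.1.2` runs the scan (root is needed for the raw sockets) and prints the summary of the log; with no arguments it only summarises the embedded sample and prints primary=Microsoft Windows XP SP2, probability=97%, open_tcp=80,139,445, smb_native_os=Windows 5.1 and failed_modules=4. Reading smb_native_os next to primary is the quick sanity check: Windows 5.1 is XP, so here the fingerprint and the banner agree, whereas the port-less runs above had nothing but ICMP to go on and reported 100% for wrong answers.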
