- "Do I Know This Already?" Quiz
- Foundation Topics: Overview of the Seven-Step Information-Gathering Process
- Information Gathering
- Determining the Network Range
- Identifying Active Machines
- Finding Open Ports and Access Points
- OS Fingerprinting
- Fingerprinting Services
- Mapping the Network Attack Surface
- Summary
- Exam Preparation Tasks
- Review All Key Topics
- Define Key Terms
- Exercises
- Review Questions
- Suggested Reading and Resources
Fingerprinting Services
If there is any doubt left as to what a particular system is running, this next step of information gathering should serve to answer those questions. Knowing what services are running on specific ports allows the hacker to formulate and launch application-specific attacks. Knowing the common default ports and services and using tools such as Telnet and Netcat is one way to ensure success at this pre-attack stage.
Default Ports and Services
A certain amount of default information and behavior can be gleaned from any system. For example, if a hacker discovers a Windows 2012 server with port 80 open, he can assume that the system is running IIS 8.0, just as a Linux system with port 25 open is likely to be running Sendmail. Although it is possible that the Windows 2012 machine is running another version or type of web server, that is not a common occurrence.
Keep in mind that at this point, the attacker is making assumptions. Just because a particular port is active or a known banner is returned, you cannot be certain that information is correct. Ports and banners can be changed, and assumptions by themselves can be dangerous. Additional work will need to be done to verify what services are truly being served up by any open ports.
Finding Open Services
The scanning performed earlier in the chapter might have uncovered other ports that were open. Most scanning programs, such as Nmap and SuperScan, report what common services are associated with those open ports. The easiest way to determine what services are actually associated with the open ports that were discovered is banner grabbing.
Banner grabbing takes nothing more than the Telnet and FTP clients built into the Windows and Linux platforms. Banner grabbing provides important information about what type and version of software is running. Many servers can be exploited with just a few simple steps if the web server is not properly patched. Telnet is an easy way to perform banner grabbing for FTP, SMTP, HTTP, and other services. The command used to banner grab with Telnet has the following syntax: telnet IP_Address port. An example is shown here. This banner-grabbing attempt was targeted against a web server:
C:\>telnet 192.168.1.102 80
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/7.5
Date: Fri, 07 Oct 2012 22:22:04 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body> </html>
Connection to host lost.
After the command telnet 192.168.1.102 80 was entered, the Return key was pressed a couple of times to generate a response. As shown in the Telnet response, the banner indicates that the web server is IIS 7.5.
The Microsoft IIS web server’s default behavior is to return a banner after two carriage returns. This can be used to pinpoint the existence of an IIS server.
Telnet isn’t your only option for grabbing banners; HTTPrint is another choice. It is available for both Windows and Linux distributions. It is not a typical banner-grabbing application, in that it can probe services to determine the version of services running. Its main fingerprinting technique has to do with the semantic differences in how web servers/applications respond to various types of probes. Here is an example of a scan:
./httprint -h 192.168.1.175 -s signatures.txt
httprint - web server fingerprinting tool
Finger Printing on http://192.168.1.175:80/
Finger Printing Completed on http://192.168.1.175:80/
--------------------------------------------------
Host: 192.168.1.175
Derived Signature:
Apache/2.2.0 (Fedora RedHat)
9E431BC86ED3C295811C9DC5811C9DC5050C5D32505FCFE84276E4BB811C9DC5
0D7645B5811C9DC5811C9DC5CD37187C11DDC7D7811C9DC5811C9DC58A91CF57FCCC5
35B6ED3C295FCCC535B811C9DC5E2CE6927050C5D336ED3C2959E431BC86ED3C295
E2CE69262A200B4C6ED3C2956ED3C2956ED3C2956ED3C295E2CE6923E2CE69236ED
3C295811C9DC5E2CE6927E2CE6923
Banner Reported: Apache/2.2.0 (Fedora RedHat)
Banner Deduced: Apache/2.0.x
Score: 140
Confidence: 84.31
------------------------
Netcat can also be used for banner grabbing. Netcat is shown here to introduce you to its versatility. Netcat is called the “Swiss-army knife of hacking tools” because of its many uses. To banner grab with Netcat, you issue the following command from the command line:
nc -v -n IP_Address Port
This command gives you the banner of the port you asked to check. Netcat is available for Windows and Linux. If you haven’t downloaded Netcat, don’t feel totally left behind; FTP is another choice for banner grabbing. Just FTP to the target server and review the returned banner.
Almost all port scanners, including those discussed in this chapter, also perform banner grabbing. However, there are many other tools the security professional can use to analyze open ports and banners. Some of the more notable ones you may want to review include the following:
ID Serve: https://www.grc.com/id/idserve.htm
NetworkMiner: http://www.netresec.com/?page=NetworkMiner
Satori: http://chatteronthewire.org/
Netcraft: http://toolbar.netcraft.com/site_report
Although changing banner information is not an adequate defense by itself, it might help to slow a hacker. In the Linux environment, you can change the ServerSignature line in the httpd.conf file to ServerSignature Off. In the Windows environment, you can install the UrlScan security tool. UrlScan contains the RemoveServerHeader feature, which removes or alters the identity of the server in the "Server" response header returned to the client's request.
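Added here as a worked example (it is not code from the book): a small Python banner grabber that sends the two carriage returns the Telnet example above relies on, together with a parser and a check a defender can run after applying the ServerSignature or UrlScan change to confirm that the Server header no longer discloses a product version. The sample replies are constructed; the first reproduces the IIS 7.5 response shown earlier and the second assumes the header has been removed entirely.

```python
import re
import socket

# Constructed sample: the IIS reply shown in the telnet banner-grab example.
SAMPLE_IIS_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Date: Fri, 07 Oct 2012 22:22:04 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 87\r\n"
    b"\r\n"
    b"<html><head><title>Error</title></head><body>The parameter is incorrect.</body></html>"
)

# Constructed sample: an assumed reply from the same server once the Server
# header has been removed (for example by UrlScan's RemoveServerHeader).
SAMPLE_HARDENED_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def grab_http_banner(host, port=80, timeout=3.0):
    """Connect, send two CRLFs (like pressing Return twice in telnet), return the raw reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"\r\n\r\n")
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the connection open; use what was received
    return b"".join(chunks)


def parse_server_header(raw):
    """Return the value of the Server response header, or None if it is absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def banner_leaks_version(server):
    """True when the Server header names a product together with a version number."""
    return bool(server and re.search(r"/\d+(\.\d+)*", server))
```

Run grab_http_banner against one of your own hosts and feed the result to the two check functions; a header such as "Apache" with no version, or no header at all, is what the hardening described above should produce.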
