Fingerprinting in Ethical Hacking means a method used for determining the current running operating system on a remote computer.
The remote operating system can be determined by analyzing these four factors of a packet. This is not cent percent accurate and may be better for some operating systems and not to others.
Initially get the information about the details of the operating system hosted by a website. Then determine the vulnerabilities present to exploit the target system.
Below is a simple nmap command which is used to identify the operating system of a website and the ports opened which are associated with domain name i.e., the IP address.
$nmap -O -v wisdomjobs.com
The following sensitive information about the given domain name or IP address appears−
Starting Nmap 5.51 ( https://nmap.org ) at 2015-10-04 09:57 CDT Initiating Parallel DNS resolution of 1 host. at 09:57 Completed Parallel DNS resolution of 1 host. at 09:57, 0.00s elapsed Initiating SYN Stealth Scan at 09:57 Scanning wisdomjobs.com (22.214.171.124) [1000 ports] Discovered open port 22/tcp on 126.96.36.199 Discovered open port 3306/tcp on 188.8.131.52 Discovered open port 80/tcp on 184.108.40.206 Discovered open port 443/tcp on 220.127.116.11 Completed SYN Stealth Scan at 09:57, 0.04s elapsed (1000 total ports) Initiating OS detection (try #1) against wisdomjobs.com (18.104.22.168) Retrying OS detection (try #2) against wisdomjobs..com (22.214.171.124) Retrying OS detection (try #3) against wisdomjobs.com (126.96.36.199) Retrying OS detection (try #4) against wisdomjobs..com (188.8.131.52) Retrying OS detection (try #5) against wisdomjobs.com (184.108.40.206) Nmap scan report for wisdomjobs.com (220.127.116.11) Host is up (0.000038s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 3306/tcp open mysql TCP/IP fingerprint: OS:SCAN(V=5.51%D=10/4%OT=22%CT=1%CU=40379%PV=N%DS=0%DC=L%G=Y%TM=56113E6D%P= OS:x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS OS:(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFF OS:D7ST11NW7%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0% OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S= OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R= OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N% OS:T=40%CD=S)
nmap command can be installed in the Linux system using yum command by:
$yum install nmap
The main system can be made hidden behind VPN or Secure proxy server so that the identity and the main system are safe.
nmap command provides information about the list of ports opened on a given server.
The following command can also be used to check if a particular port is opened:
$nmap -sT -p 443 wisdomjobs.com
The output result appears as:
Starting Nmap 5.51 ( https://nmap.org ) at 2015-10-04 10:19 CDT Nmap scan report forwisdomjobs.com (18.104.22.168) Host is up (0.000067s latency). PORT STATE SERVICE 443/tcp open https Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds
Information about the open ports makes the hacker plan for different techniques to attack through the ports which are open.
To determine IP address from a range of IP addresses which maps the live hosts, a network scanning technique is used, known as Ping Sweep, also known as ICMP sweep.
fping command is used for ping sweep. To determine whether a host is up, Internet Control Message Protocol (ICMP) echo request is used by fping.
fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the lists of hosts to ping. If a host does not respond within a certain time limit and/or retry limit, it will be considered unreachable.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
Domain Name Server (DNS) is like a map or an address book. To translate an IP address 22.214.171.124 to a name www.example.com and vice versa, DNS Enumeration is used.
All the DNS servers and the corresponding records of an organization are located by the process of DNS enumeration. By this process, much more information is gathered about the target before hacking.
nslookup command is used to get DNS and other host-related information
NOTE : Sensitive information about the network and organization can go outside, if DNS is not configured in a secure way. There are possibilities of untrusted internet user performing a DNS zone transfer.