ChopperCharles Posted December 6, 2012

So far the only reliable way I've found to detect iOS operating systems (on iPod/iPhone) is to run a "Comprehensive" scan in Armitage. The Metasploit command for that is:

db_nmap --min-hostgroup 06 -sS -n -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 192.168.1.113

That works, but it takes forever and a day to complete. Is there a faster way to detect iOS? Note that the above scan does not work to detect my Android devices on my network, so I need something else entirely for that. An ARP scan shows me my Nook Color (Android tablet) as "192.168.1.103 appears to be up (BARNES&NOBLE.COM)", which is more information than an nmap scan of that IP address gives. Any ideas how to accomplish faster iOS detection, and any kind of Android OS detection at all?

Thanks!
Charles.
digip Posted December 6, 2012

Pings and ARP scans work since they give away the MAC address, which can be matched to the OEM, but if you have control of the network, simple JavaScript detection via injecting into web pages and pulling user agents works too, unless they use an app to fake their device. For me, I use things like

nmap -sC -sV -PN --open --reason -A

for service fingerprinting.

Thing to note though: most devices will ARP roughly every 15 minutes, so eventually monitoring the network will yield discovery with enough ping traffic going around. If they don't forcibly reply to a ping, they will usually spit an ARP when pinged even if the ping times out; afterwards an arp -a will show their IP and MAC address, unless the router has Wi-Fi AP isolation on, which is where waiting the 15 minutes or longer usually gives up the ghost at some point.

There is also nmap -sO --send-eth for an IP protocol scan. That usually shows ports open that aren't, and false positives, but ends up making a device reply. Last resort, an Xmas tree scan or firewalk, which sends a ton of packet types at the target, usually yielding results. With iPhones and Androids though, try the -PN switch with just about every scan, since they tend to not reply to pings at all.

nmap -PN --traceroute --script firewalk --script-args firewalk.max-probed-ports=-1
ChopperCharles (Author) Posted December 7, 2012

Unfortunately, that didn't work at all for my Android (Nook Color) device.

Charles.
murder_face Posted December 7, 2012

As always, digip is like that guy you spend 300 days climbing mountains in the Himalayas to ask the meaning of life. I have just started getting familiar with actual "nmap" options, as I have always used Zenmap. Before, everything was like a three-pronged attack: scan the network, MAC vendor lookup, then how many devices does that vendor make.
digip Posted December 7, 2012

Just keep trying different scans. At some point the device is going to ARP, no matter what, if it wants to be on the network. It can't talk to the router if it doesn't respond to ARP. It's the basic underlying protocol for layer 2, and all devices have to be able to speak it to communicate with whatever they are connected to, so "try harder" is all I can tell you.

I tried MITM'ing my HP Touchpad, and for the life of me it wouldn't show up under Cain. Eventually it showed up on the network and was able to be seen by Cain, but it took a good 20 minutes of sweeping for it to see it. It also helps when the Wi-Fi device is actively surfing the net and generating traffic. I even knew the IP of my Touchpad and was pinging it directly and getting no response, but under arp -a it would show and then disappear after a while, since it wasn't a static entry.

Try sending a continuous ping to the device from the console (or cmd if on Windows) and, in another window, keep checking for ARP replies; you should see it eventually. You HAVE to be on the same subnet to see the ARP reply though, since this is all layer 2 stuff to get the MAC address. Not something you can get across the internet and over NAT, but assuming it's your Android tablet, then I'm going to assume you're on the same network.
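Added example, not from the thread or any of its posters: a Python helper that does what digip describes in his two posts above. It parses `arp -a` output in the Linux, macOS/BSD and Windows formats, normalizes the MAC, tags it with a vendor by OUI prefix, and keeps a record across repeated polls so a host whose cache entry expires between snapshots (the Touchpad behaviour described above) is not lost. The `arp -a` snapshots and device MACs are constructed for the demo; the OUI table holds three Apple prefixes and is an assumption to be checked against the IEEE OUI registry, which is what a real run would load in its place.

```python
"""Poll the ARP cache, tag hosts by MAC OUI, and remember hosts whose entries
expire between polls. Added example; the OUI table is a constructed sample
(assumption: verify prefixes against the IEEE OUI registry before relying on them).
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample of OUI -> vendor; real use loads the full IEEE registry.
OUI_VENDORS = {
    "00:1E:C2": "Apple",
    "00:23:12": "Apple",
    "00:26:BB": "Apple",
}

# IPv4 anywhere on the line; MAC as six hex groups joined by ':' or '-'
# (macOS prints un-padded groups such as 0:23:12:11:22:33).
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str      # normalized AA:BB:CC:DD:EE:FF
    vendor: str   # vendor name from OUI_VENDORS, or "unknown"


def normalize_mac(raw: str) -> str:
    """Zero-pad each octet, upper-case, and use ':' regardless of platform."""
    return ":".join(p.zfill(2).upper() for p in re.split(r"[:-]", raw))


def vendor_for(mac: str) -> str:
    return OUI_VENDORS.get(mac[:8], "unknown")


def is_host_mac(mac: str) -> bool:
    """Drop broadcast and multicast (I/G bit set in the first octet)."""
    return mac != "FF:FF:FF:FF:FF:FF" and int(mac[:2], 16) & 0x01 == 0


def parse_arp_table(text: str) -> list[ArpEntry]:
    """Parse `arp -a` output from Linux, macOS/BSD or Windows. Lines without a
    complete MAC (Linux prints '<incomplete>') and non-host MACs are skipped."""
    entries = []
    for line in text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if not ip_m or not mac_m:
            continue
        mac = normalize_mac(mac_m.group(1))
        if is_host_mac(mac):
            entries.append(ArpEntry(ip_m.group(1), mac, vendor_for(mac)))
    return entries


class HostTracker:
    """Accumulate snapshots so hosts that only appear briefly are kept."""

    def __init__(self) -> None:
        self.polls = 0
        self.hosts: dict[str, dict] = {}   # mac -> ip, vendor, first, last, hits

    def observe(self, entries: list[ArpEntry]) -> None:
        self.polls += 1
        for e in entries:
            rec = self.hosts.setdefault(
                e.mac, {"ip": e.ip, "vendor": e.vendor, "first": self.polls, "last": 0, "hits": 0})
            rec.update(ip=e.ip, last=self.polls, hits=rec["hits"] + 1)

    def gone_since_last_poll(self) -> list[str]:
        """MACs seen earlier but absent from the latest snapshot (cache expired)."""
        return sorted(m for m, r in self.hosts.items() if r["last"] != self.polls)

    def by_vendor(self, vendor: str) -> list[str]:
        return sorted(m for m, r in self.hosts.items() if r["vendor"] == vendor)


def read_system_arp() -> list[ArpEntry]:
    """Live use: run the platform's `arp -a` (you must be on the same subnet)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout
    return parse_arp_table(out)


# Constructed sample snapshots in the three common `arp -a` output formats.
SNAPSHOTS = [
    # poll 1, Linux: router, a tablet with an unlisted OUI, one incomplete entry
    "? (192.168.1.1) at 00:1e:c2:aa:bb:cc [ether] on wlan0\n"
    "? (192.168.1.103) at de:ad:be:ef:00:01 [ether] on wlan0\n"
    "? (192.168.1.113) at <incomplete> on wlan0\n",
    # poll 2, Windows: tablet entry has aged out, a phone has answered
    "Interface: 192.168.1.10 --- 0xb\n"
    "  Internet Address      Physical Address      Type\n"
    "  192.168.1.1           00-1e-c2-aa-bb-cc     dynamic\n"
    "  192.168.1.113         00-23-12-11-22-33     dynamic\n"
    "  192.168.1.255         ff-ff-ff-ff-ff-ff     static\n"
    "  224.0.0.22            01-00-5e-00-00-16     static\n",
    # poll 3, macOS: un-padded octets, only the phone still cached
    "? (192.168.1.113) at 0:23:12:11:22:33 on en0 ifscope [ethernet]\n",
]


def run_demo() -> HostTracker:
    tracker = HostTracker()
    for snap in SNAPSHOTS:
        tracker.observe(parse_arp_table(snap))
    return tracker


if __name__ == "__main__":
    t = run_demo()
    for mac, rec in sorted(t.hosts.items()):
        print(f"{rec['ip']:<15} {mac} {rec['vendor']:<8} polls {rec['first']}-{rec['last']}")
    print("expired since last poll:", t.gone_since_last_poll())
```

For a live run, loop `read_system_arp()` into one `HostTracker` every few seconds while a continuous ping runs in another window; the tracker's `first`/`last`/`hits` fields show which hosts only surface briefly, and `by_vendor("Apple")` picks out the OUIs you care about without waiting on a full nmap OS-detection pass.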