
Difficulties recovering the target operating system



Posted

Hello,

I am having difficulty recovering the target operating system.

Basically, I thought an nmap scan might be all I need, but no.

Here is my offline network topology:

I run this nmap scan:

root@osboxes:~# nmap -T4 -A -v 192.168.0.2

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-26 08:08 EDT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:08
Completed NSE at 08:08, 0.00s elapsed
Initiating NSE at 08:08
Completed NSE at 08:08, 0.00s elapsed
Initiating ARP Ping Scan at 08:08
Scanning 192.168.0.2 [1 port]
Completed ARP Ping Scan at 08:08, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:08
Completed Parallel DNS resolution of 1 host. at 08:08, 13.00s elapsed
Initiating SYN Stealth Scan at 08:08
Scanning 192.168.0.2 [1000 ports]
Completed SYN Stealth Scan at 08:08, 21.21s elapsed (1000 total ports)
Initiating Service scan at 08:08
Initiating OS detection (try #1) against 192.168.0.2
Retrying OS detection (try #2) against 192.168.0.2
NSE: Script scanning 192.168.0.2.
Initiating NSE at 08:08
Completed NSE at 08:08, 0.00s elapsed
Initiating NSE at 08:08
Completed NSE at 08:08, 0.00s elapsed
Nmap scan report for 192.168.0.2
Host is up (0.0015s latency).
All 1000 scanned ports on 192.168.0.2 are filtered
MAC Address: 08:00:27:3B:98:9D (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT      ADDRESS
1   1.52 ms  192.168.0.2

NSE: Script Post-scanning.
Initiating NSE at 08:08
Completed NSE at 08:08, 0.00s elapsed
Initiating NSE at 08:08
Completed NSE at 08:08, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.16 seconds
Raw packets sent: 2049 (94.700KB) | Rcvd: 1 (28B)

Nothing conclusive... If I turn off the Windows firewall and run the same scan:

root@osboxes:~# nmap -T4 -A -v 192.168.0.2

Starting Nmap 7.01 ( https://nmap.org ) at 2016-04-26 08:10 EDT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:10
Completed NSE at 08:10, 0.00s elapsed
Initiating NSE at 08:10
Completed NSE at 08:10, 0.00s elapsed
Initiating ARP Ping Scan at 08:10
Scanning 192.168.0.2 [1 port]
Completed ARP Ping Scan at 08:10, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:10
Completed Parallel DNS resolution of 1 host. at 08:10, 13.00s elapsed
Initiating SYN Stealth Scan at 08:10
Scanning 192.168.0.2 [1000 ports]
Discovered open port 139/tcp on 192.168.0.2
Discovered open port 135/tcp on 192.168.0.2
Discovered open port 3389/tcp on 192.168.0.2
Discovered open port 49157/tcp on 192.168.0.2
Discovered open port 49155/tcp on 192.168.0.2
Discovered open port 49153/tcp on 192.168.0.2
Discovered open port 445/tcp on 192.168.0.2
Discovered open port 49156/tcp on 192.168.0.2
Discovered open port 49152/tcp on 192.168.0.2
Discovered open port 49154/tcp on 192.168.0.2
Completed SYN Stealth Scan at 08:10, 1.34s elapsed (1000 total ports)
Initiating Service scan at 08:10
Scanning 10 services on 192.168.0.2
Service scan Timing: About 50.00% done; ETC: 08:12 (0:00:53 remaining)
Completed Service scan at 08:11, 58.59s elapsed (10 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.2
NSE: Script scanning 192.168.0.2.
Initiating NSE at 08:11
Completed NSE at 08:11, 6.71s elapsed
Initiating NSE at 08:11
Completed NSE at 08:11, 0.01s elapsed
Nmap scan report for 192.168.0.2
Host is up (0.00072s latency).
Not shown: 990 closed ports
PORT      STATE SERVICE            VERSION
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows 98 netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 10 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=IE10Win7
| Issuer: commonName=IE10Win7
| Public Key type: rsa
|_SHA-1: 005b cc4b 4154 6ddc 6b7e 22f2 05d5 fcb8 c7a4 27d2
|_ssl-date: 2016-04-26T12:11:36+00:00; 0s from scanner time.
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49157/tcp open  msrpc              Microsoft Windows RPC
MAC Address: 08:00:27:3B:98:9D (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Microsoft Windows 7|2008|8.1
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
Uptime guess: 0.005 days (since Tue Apr 26 08:04:02 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows 98, Windows 10; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_10

Host script results:
| nbstat: NetBIOS name: IE10WIN7, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:3b:98:9d (Oracle VirtualBox virtual NIC)
| Names:
|   IE10WIN7<00>                 Flags: <unique><active>
|   WORKGROUP<00>                Flags: <group><active>
|   IE10WIN7<20>                 Flags: <unique><active>
|   WORKGROUP<1e>                Flags: <group><active>
|   WORKGROUP<1d>                Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: IE10Win7
|   NetBIOS computer name: IE10WIN7
|   Workgroup: WORKGROUP
|_  System time: 2016-04-26T05:11:36-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT      ADDRESS
1   0.72 ms  192.168.0.2

NSE: Script Post-scanning.
Initiating NSE at 08:11
Completed NSE at 08:11, 0.00s elapsed
Initiating NSE at 08:11
Completed NSE at 08:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.07 seconds
Raw packets sent: 1055 (47.118KB) | Rcvd: 1018 (41.450KB)

That gives much more. So how can I at least recover the OS without having to turn off the firewall?

Thanks

Posted

The point of the firewall is to restrict access, so it is doing its job and limiting what you can see. As no ports are open when it is enabled, you are not likely to be able to work out what OS is running.

nmap usually prefers to have at least one open and one closed port to do proper OS detection.
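
As an added example (not code from the thread or from nmap), here is a small Python triage of nmap normal output that makes the two points above checkable: it counts port states, including the ones nmap collapses into the "Not shown:" / "All ... scanned ports ... are" lines, reports whether the stack fingerprint (-O) has the one-open-plus-one-closed pair it needs, and lists every OS claim in the report tagged by how much weight it deserves. The sample reports are shortened excerpts of the two scans posted above. The ranking is an editorial assumption: the host naming itself over SMB (smb-os-discovery) is direct evidence, the -O fingerprint is a family guess, and the OS names attached to service banners ("Windows 98 netbios-ssn", "Windows 10 microsoft-ds") come from nmap's version-probe match strings rather than from anything the host says about itself, so they rank last.

```python
"""Triage nmap normal output: can -O work, and which OS claim should you trust?
Added example for this thread, not nmap's own code."""
import re
from collections import Counter

# Constructed excerpt of the second scan above (Windows firewall off).
SCAN_FIREWALL_OFF = """\
Nmap scan report for 192.168.0.2
Host is up (0.00072s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 10 microsoft-ds
3389/tcp open ssl/ms-wbt-server?
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
Service Info: OSs: Windows, Windows 98, Windows 10; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
|   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
"""

# Constructed excerpt of the first scan above (Windows firewall on).
SCAN_FIREWALL_ON = """\
Nmap scan report for 192.168.0.2
Host is up (0.0015s latency).
All 1000 scanned ports on 192.168.0.2 are filtered
MAC Address: 08:00:27:3B:98:9D (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
"""

PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)(?:\s+(.*))?$", re.M)
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (open|closed|filtered) ports", re.M)
ALL_STATE = re.compile(r"^All (\d+) scanned ports on \S+ are (open|closed|filtered)", re.M)


def port_states(report):
    """Count ports per state, including those nmap summarised instead of listing."""
    counts = Counter()
    for _port, _proto, state, _svc, _ver in PORT_LINE.findall(report):
        counts[state] += 1
    for n, state in NOT_SHOWN.findall(report) + ALL_STATE.findall(report):
        counts[state] += int(n)
    return counts


def os_detection_feasible(report):
    """nmap's stack fingerprint wants a SYN/ACK from an open port and a RST from a
    closed one.  An all-filtered host answers neither, hence 'Too many fingerprints'."""
    counts = port_states(report)
    return counts["open"] >= 1 and counts["closed"] >= 1


def os_claims(report):
    """Collect every OS statement in the report, most trustworthy first."""
    claims = []
    m = re.search(r"^\|\s+OS: (.+)$", report, re.M)        # smb-os-discovery: host names itself
    if m:
        claims.append(("host-reported (smb-os-discovery)", m.group(1).strip()))
    m = re.search(r"^OS details: (.+)$", report, re.M)     # -O: TCP/IP stack family guess
    if m:
        claims.append(("stack fingerprint (-O)", m.group(1).strip()))
    m = re.search(r"^Service Info: OSs: ([^;]+)", report, re.M)  # -sV banners: weakest
    if m:
        claims.append(("service banners (-sV)", m.group(1).strip()))
    if "Too many fingerprints match" in report:
        claims.append(("stack fingerprint (-O)", "inconclusive: too many fingerprints match"))
    return claims


if __name__ == "__main__":
    for label, report in (("firewall on", SCAN_FIREWALL_ON), ("firewall off", SCAN_FIREWALL_OFF)):
        print(label, dict(port_states(report)), "-O feasible:", os_detection_feasible(report))
        for source, claim in os_claims(report):
            print("   ", source, "->", claim)
```

Run it against a full report saved with `-oN` and the firewall-on case comes back with 1000 filtered ports and no usable claim, while the firewall-off case yields 4 open, 990 closed and three claims of which only the SMB one names the exact build.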

Posted

Consider using an ARP packet fingerprinting tool?

# apt-get install arp-scan

# arp-fingerprint 192.168.0.2

It is more limited because it's just using ARP packets, but as long as you're on the same subnet you should be able to read something. And no port information :(

Posted

> The point of the firewall is to restrict access, so it is doing its job and limiting what you can see. As no ports are open when it is enabled, you are not likely to be able to work out what OS is running.
>
> nmap usually prefers to have at least one open and one closed port to do proper OS detection.

Yes, and because it is a virtual machine, MAC resolution isn't effective.

> Consider using an ARP packet fingerprinting tool?
>
> # apt-get install arp-scan
> # arp-fingerprint 192.168.0.2
>
> It is more limited because it's just using ARP packets, but as long as you're on the same subnet you should be able to read something. And no port information :(

Yes, it is like the netdiscover command, but thanks anyway :)

Posted

From what I understand of Windows Firewall, it does a great job of ingress filtering the packets coming in, but you might be able to get some data about the OS from the packets leaving the VM. p0f will fingerprint the OS if you can look at the TCP SYN packets leaving the computer. There are probably several ways you can get some traffic from it to start sniffing for a SYN packet. arpspoof is what first comes to mind. You could do DNS spoofing, and because you're on the same subnet, DHCP spoofing would be really easy. I'm sure there are other ways too; those were just off the top of my head.

Posted

I agree with fugu, p0f is the tool that comes to mind: passive OS fingerprint sniffing.

p0f -i eth0

Start up arpspoof to get some traffic passing through eth0 or wlan0.

Lots of tutorials online.
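
To show what the two replies above are relying on, here is an added Python example (not p0f's code, and not from the thread) of the core of passive SYN fingerprinting: parse the IPv4 and TCP headers of a SYN the target emits, pull out the fields a host firewall does not touch on outbound traffic (initial TTL, DF bit, SYN window, window scale, TCP option order) and compare them against a signature table. The two signatures are the commonly cited default values of a Windows 7 stack and a Linux 3.x stack and are marked as assumptions; a real deployment would use p0f's own database. The `build_syn` helper only exists to fabricate test packets offline; on a live segment you would feed `parse_syn` frames from a capture instead. Since the attacker is on the same L2 segment as the VM, any connection the target opens toward the attacker host delivers a SYN without any spoofing; arpspoof only becomes necessary when the target talks to somebody else.

```python
"""p0f-style passive OS fingerprinting of a single TCP SYN.
Added example for this thread, not p0f's own code."""
import struct

# (initial TTL, SYN window, window scale, TCP option layout, DF bit set)
# Assumed default values; p0f ships a far larger and more precise database.
SIGNATURES = {
    "Windows 7 (assumed defaults)": (128, 8192, 8, "mss,nop,ws,nop,nop,sok", True),
    "Linux 3.x (assumed defaults)": (64, 29200, 7, "mss,sok,ts,nop,ws", True),
}
OPTION_NAMES = {2: "mss", 3: "ws", 4: "sok", 8: "ts"}


def parse_syn(pkt):
    """Extract fingerprint fields from a raw IPv4+TCP SYN (no Ethernet header)."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(pkt[6] & 0x40)                    # IP flags byte: 0x40 = Don't Fragment
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:                # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    layout, mss, scale = [], None, None
    opts, i = tcp[20:doff], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # end of option list
            break
        if kind == 1:                           # NOP carries no length byte
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            scale = opts[i + 2]
        layout.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        i += length
    return {"ttl": ttl, "df": df, "window": window, "mss": mss,
            "scale": scale, "layout": ",".join(layout)}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    return next((t for t in (32, 64, 128, 255) if observed <= t), 255)


def match_os(fields):
    """Return the signature name matching the parsed SYN, or 'unknown'."""
    observed = (initial_ttl(fields["ttl"]), fields["window"], fields["scale"],
                fields["layout"], fields["df"])
    for name, signature in SIGNATURES.items():
        if observed == signature:
            return name
    return "unknown"


def build_syn(ttl, window, mss, scale, layout, df=True):
    """Construct a minimal IPv4+TCP SYN with the given stack parameters.
    Test-input helper only: checksums are left at zero."""
    opts = b""
    for opt in layout.split(","):
        if opt == "mss":
            opts += struct.pack("!BBH", 2, 4, mss)
        elif opt == "nop":
            opts += b"\x01"
        elif opt == "ws":
            opts += struct.pack("!BBB", 3, 3, scale)
        elif opt == "sok":
            opts += b"\x04\x02"
        elif opt == "ts":
            opts += struct.pack("!BBII", 8, 10, 0, 0)
    opts += b"\x00" * (-len(opts) % 4)          # pad to a 32-bit boundary
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, doff << 4, 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1]))
    return ip + tcp


# Constructed sample: the SYN a default Windows 7 host one hop away would send.
WIN7_SYN = build_syn(128, 8192, 1460, 8, "mss,nop,ws,nop,nop,sok")

if __name__ == "__main__":
    fields = parse_syn(WIN7_SYN)
    print(fields, "->", match_os(fields))
```

The TTL rounding is what lets the same signature match a host several hops away; the option order is usually the most discriminating field, which is why p0f records it as a layout string rather than a set.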
