SoFunction
Updated on 2025-04-13

Essential hacker skills: probing techniques before an attack

Understanding the operating system matters for everyone who works in computing. To become a hacker you must understand operating systems deeply and thoroughly. Let us discuss this topic below.
Let us first look at the basic course of a hacker intrusion: 1. Determine the target's operating system -> 2. Scan its ports to determine which services are open (these two steps may be carried out at the same time) -> 3. Choose the intrusion method according to the operating system and the open services; there are usually two kinds, "overflow" and "weak password guessing" -> 4. Obtain the highest privileges on the system -> 5. Plant a back door, clear the logs and leave (some may not leave at all).

From the above we can see that judging and identifying the operating system type is a basic and very important step in the whole process. Imagine that if you do not even know what the other side's operating system is, there is no point even talking about intruding into it.

Perhaps few people have asked themselves why we should understand the other side's operating system first. In fact, we study the operating system because we need to understand how the system uses memory, how it controls that memory, and how it processes input and output data. Nothing in the world is perfect (of course, this is also what drives us humans to keep striving), and this is even more true of something as complex as a computer system. It can always make mistakes while controlling memory and processing data (especially after other applications are installed), and the system itself will have its own weaknesses and shortcomings. Hackers are able to intrude precisely by exploiting these weaknesses and mistakes. The various intrusion tools that circulate on the Internet are written by hackers after analysing the weaknesses of a system and the mistakes it already contains (of course, "buffer overflow" is the most common).

As ordinary hackers, as long as we are good at using ready-made intrusion tools we can achieve our purpose. However, because different systems work differently, an intrusion tool can only target the operating system it was written for. Identifying the operating system is therefore essential, and that requires a considerable understanding of operating systems together with some basic networking knowledge (being a hacker is not so easy). There are piles of articles on the Internet; you can look them up yourself.

Here are some simple methods of identifying an operating system, which I hope will be useful to everyone.

1. Use ping to identify the operating system

C:\>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128

Ping statistics for 10.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\>
C:\>ping 10.1.1.6

Pinging 10.1.1.6 with 32 bytes of data:

Request timed out.
Reply from 10.1.1.6: bytes=32 time=250ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237

Ping statistics for 10.1.1.6:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 234ms, Maximum = 250ms, Average = 179ms
 

We can roughly tell the type of host from the TTL value of the ICMP reply. For example, a host replying with TTL=125 should be a Windows-series machine, and a host replying with TTL=235 should be a UNIX-series machine. In the two examples above, 10.1.1.2 is a Windows 2000 machine while 10.1.1.6 is a UNIX (SunOS 5.8) machine. This is because different operating systems set different initial TTL values when they process and answer ICMP messages, and every router on the path decrements the TTL by 1; together these produce the differences in the TTL of the reply. Learning which TTL values correspond to which operating systems depends on your own careful observation and accumulated experience.
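As an added example (not part of the original article), the following Python script parses the ping replies shown above and applies the reasoning of the paragraph: it rounds the observed TTL up to the nearest common initial TTL, derives the hop count, and labels the OS family. The family labels (Linux/BSD 64, Windows 128, Solaris and many network devices 255) are the usual stack defaults and remain a heuristic.

```python
import re

# Default initial TTLs used by common TCP/IP stacks. A reply's TTL is this
# value minus one per router hop, which is the reasoning the article uses.
# The family labels are a heuristic: a proxy, NAT box or load balancer that
# answers on the target's behalf shows its own stack's TTL, not the target's.
INITIAL_TTLS = {
    64: "Linux/BSD family",
    128: "Windows NT family",
    255: "UNIX family (e.g. Solaris) or network device",
}

REPLY_RE = re.compile(r"Reply from (\S+): bytes=\d+ time[<=]\d+ms TTL=(\d+)")

def infer_initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed value.
    TTL only decreases in transit, so the sender's start value is at least observed."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial
    raise ValueError(f"TTL {observed} is outside the valid range 0-255")

def classify_ping_output(text):
    """Parse Windows ping output into {host: (observed_ttl, initial_ttl, hops, family)}."""
    results = {}
    for host, ttl in REPLY_RE.findall(text):
        if host in results:
            continue  # all replies from one host carry the same TTL
        observed = int(ttl)
        initial = infer_initial_ttl(observed)
        results[host] = (observed, initial, initial - observed, INITIAL_TTLS[initial])
    return results

# Constructed sample built from the two ping sessions shown in the article.
SAMPLE = """\
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Reply from 10.1.1.2: bytes=32 time<10ms TTL=128
Request timed out.
Reply from 10.1.1.6: bytes=32 time=250ms TTL=237
Reply from 10.1.1.6: bytes=32 time=234ms TTL=237
"""

if __name__ == "__main__":
    for host, (ttl, initial, hops, family) in classify_ping_output(SAMPLE).items():
        print(f"{host}: TTL={ttl} -> initial {initial}, {hops} hop(s) away, {family}")
```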

2. Connect to a port and look at the information returned

This is probably the most commonly used method. Let us look at a few examples.

1. If the machine has port 80 open, we can telnet to port 80 (of course, if you have nc it is best to use nc, because then you do not have to type blind).


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1998 Microsoft Corp.

C:\>telnet 10.1.1.2 80
Type get and press Enter (note that you are typing blind; nothing is echoed).
If the response is:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 11 Jul 2003 02:31:55 GMT
Content-Type: text/html
Content-Length: 87

The parameter is incorrect.

Lost connection to the host.
C:\>
then this is definitely a Windows machine.
If the response is:

Method Not Implemented
get to / not
supported.
Invalid method in request get

Apache/1.3.27 Server at Port 80

Lost connection to the host.
C:\>
then it is most likely a UNIX machine.
 

2. If the machine has port 21 open, we can simply FTP to it

C:\>ftp 10.1.1.2
If the response is:
Connected to 10.1.1.2.
220 sgyyq-c43s950 Microsoft FTP Service (Version 5.0).
User (10.1.1.2:(none)):
then this is definitely a Windows 2000 machine. We also learn the host name, sgyyq-c43s950. This FTP server is the one built into Windows IIS.
If the response is:
Connected to 10.1.1.3.
220 Serv-U FTP Server v4.0 for WinSock ready...
User (10.1.1.3:(none)):
This too is certainly a Windows machine, because Serv-U FTP is an FTP server developed specifically for the Windows platform.
If the response is:
Connected to 10.1.1.3.
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
User (10.1.1.3:(none)):
then this is a UNIX machine.


3. If port 23 is open, it is simple: just telnet to it.

If the response is:
Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service
Telnet Server Build 5.00.99201.1
login: 

then this must be a Windows machine.

If the response is:
SunOS 5.8
login: 

Needless to say, this is a UNIX machine, and the version is SunOS 5.8.

3. Use special software to identify the operating system

Most software with an operating-system identification function uses protocol-stack fingerprinting. Although the TCP/IP protocol itself is standardised, there is no uniform rule for how a TCP/IP protocol stack must be implemented, so each vendor writes its stack according to its own requirements and the stacks of different operating systems differ. We can therefore distinguish operating systems by analysing the differences between their protocol stacks. Once we build a database that maps protocol-stack behaviour to operating systems, we can identify an operating system accurately. At present this is the most accurate and scientific way of identifying operating systems, which is why it is also called operating-system "fingerprinting". Of course, the identification ability and accuracy of each tool depend on how well its database has been built.

Below is a brief introduction to two tools with this identification function.

1. The famous nmap uses active probing. During probing it actively sends probe packets to the target system and infers the target's operating system from the packets the target sends back. Usage is as follows:

F:\nmap>nmap -vv -sS -O 10.1.1.5
Starting nmap V. 3.00
Host IS~123456ADCD (10.1.1.5) appears to be up ... good.
Initiating SYN Stealth Scan against IS~123456ADCD (10.1.1.5)
Adding open port 139/tcp
Adding open port 7070/tcp
Adding open port 554/tcp
Adding open port 23/tcp
Adding open port 1025/tcp
Adding open port 8080/tcp
Adding open port 21/tcp
Adding open port 5050/tcp
Adding open port 9090/tcp
Adding open port 443/tcp
Adding open port 135/tcp
Adding open port 1031/tcp
Adding open port 3372/tcp
Adding open port 25/tcp
Adding open port 1433/tcp
Adding open port 3389/tcp
Adding open port 445/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 1 second to scan 1601 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on IS~123456ADCD (10.1.1.5):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
554/tcp open rtsp
1025/tcp open NFS-or-IIS
1031/tcp open iad2
1433/tcp open ms-sql-s
3372/tcp open msdtc
3389/tcp open ms-term-serv
5050/tcp open mmcc
7070/tcp open realserver
8080/tcp open http-proxy
9090/tcp open zeus-admin
Remote operating system guess: Windows 2000/XP/ME
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=21F8%IPID=I%TS=0)
T1(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)

TCP Sequence Prediction: Class=random positive increments
Difficulty=8696 (Worthy challenge)
TCP ISN Seq. Numbers: 5B9022E2 5B914E12 5B92A495 5B93915A 5B94A9B5 5B95CC64
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
 

The line "Remote operating system guess: Windows 2000/XP/ME" is nmap's judgement of the operating system type. A great deal of information has been returned; nmap deserves its reputation as the king of scanners.
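As an added example (not part of the original article or of nmap), the Python below parses the "OS Fingerprint:" block printed by nmap 3.x above into a structure and scores it against a small reference database, which is the "database mapping protocol stacks to operating systems" idea from the previous section. The two database entries are constructed for illustration and are not taken from nmap's real nmap-os-fingerprints file.

```python
import re

TEST_RE = re.compile(r"^(\w+)\((.*)\)$")  # e.g. T1(Resp=Y%DF=Y%W=FAF0%...)

def parse_fingerprint(text):
    """Parse an nmap 3.x 'OS Fingerprint:' block into {test: {attr: value}}."""
    fp = {}
    for line in text.splitlines():
        m = TEST_RE.match(line.strip())
        if not m:
            continue  # header line or blank line
        name, body = m.groups()
        # An empty value such as 'Ops=' is kept as '' (no TCP options seen).
        fp[name] = dict(item.split("=", 1) for item in body.split("%") if item)
    return fp

def match_score(observed, reference):
    """Fraction of reference attributes matched; '|' separates alternatives."""
    total = hits = 0
    for test, attrs in reference.items():
        for key, allowed in attrs.items():
            total += 1
            hits += observed.get(test, {}).get(key) in allowed.split("|")
    return hits / total if total else 0.0

def best_guess(observed, database):
    """Return (os_name, score) of the best-matching database entry."""
    return max(((n, match_score(observed, r)) for n, r in database.items()), key=lambda x: x[1])

# Fingerprint block copied from the nmap run shown in the article.
OBSERVED = """OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=21F8%IPID=I%TS=0)
T1(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=38%RIPTL=148%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

# Constructed, simplified reference entries; NOT nmap's real nmap-os-fingerprints file.
DATABASE = {
    "Windows 2000/XP (constructed)": {"TSeq": {"Class": "RI", "IPID": "I", "TS": "0"},
                                      "T1": {"DF": "Y", "W": "FAF0|402E", "Ops": "MNWNNT"}},
    "Linux 2.4 (constructed)": {"TSeq": {"Class": "RI", "IPID": "Z", "TS": "100HZ"},
                                "T1": {"DF": "Y", "W": "16A0|7FFF", "Ops": "MNNTNW"}},
}
```

Calling `best_guess(parse_fingerprint(OBSERVED), DATABASE)` returns the Windows entry with a full score, matching nmap's own guess above.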

2. Sky Eye uses passive detection. It does not send packets to the target system; instead it passively captures traffic on the network and judges the operating system type by analysing that data. It works very well together with SuperScan.

The specific usage will not be introduced here. Friends who are interested can search online for articles on how to use Sky Eye; there are many.

The above explains some basic methods of identifying operating systems. Because my level is limited, if anything is inappropriate I ask the experts to correct me!