
Backtrack 5: Information Gathering: Network Analysis: OS Fingerprinting: xprobe2

The xprobe2 application was built specifically for OS fingerprinting, that is, accurately guessing a server's operating system. The unfortunate part about xprobe2 is that it is extremely outdated and doesn't even include Windows 7 in the list of operating systems it can identify. Even though nmap is pretty much the staple tool for this, xprobe2 is still worth discussing because it does a great job on the systems it can guess. It is also possible that you are assessing a network with some really old servers whose operating systems the current tools no longer include, so you may get lucky and identify the old operating system using xprobe2.

Basic xprobe2 Functionality:

    root@bt:~/xprobe# xprobe2 -v 192.168.1.248

    Xprobe-ng v.2.1 Copyright (c) 2002-2009 fyodor at o0o dot nu, ofir at sys-security dot com, meder at o0o dot nu

    [+] Target is 192.168.1.248
    [+] Loading modules.
    [+] Following modules are loaded:
    [x]  ping:icmp_ping  -  ICMP echo discovery module
    [x]  ping:tcp_ping  -  TCP-based ping discovery module
    [x]  ping:udp_ping  -  UDP-based ping discovery module
    [x]  infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
    [x]  infogather:portscan  -  TCP and UDP PortScanner
    [x]  fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
    [x]  fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
    [x]  fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
    [x]  fingerprint:icmp_info  -  ICMP Information request fingerprinting module
    [x]  fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
    [x]  fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
    [x]  fingerprint:tcp_rst  -  TCP RST fingerprinting module
    [x]  app:smb  -  SMB fingerprinting module
    [x]  app:snmp  -  SNMPv2c fingerprinting module
    [x]  app:ftp  -  FTP fingerprinting tests
    [x]  app:http  -  HTTP fingerprinting tests
    [+] 16 modules registered
    [+] Initializing scan engine
    [+] Running scan engine
    fingerprint:icmp_tstamp has not enough data
    Executing ping:icmp_ping
    Executing fingerprint:icmp_port_unreach
    fingerprint:tcp_hshake has not enough data
    Executing fingerprint:tcp_rst
    Executing fingerprint:icmp_echo
    Executing fingerprint:icmp_amask
    Executing fingerprint:icmp_info
    Executing fingerprint:icmp_tstamp
    app:smb has not enough data
    Executing app:snmp
    Recv() error: Connection refused
    ping:tcp_ping has not enough data
    Executing ping:udp_ping
    Executing infogather:ttl_calc
    Executing infogather:portscan
    Executing app:ftp
    Executing app:http
    [+] Primary Network guess:
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
    [+] Other guesses:
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP4" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP3" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP1" (Guess probability: 100%)
    [+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 100%)
    [+] Cleaning up scan engine
    [+] Modules deinitialized
    [+] Execution completed.
    root@bt:~/xprobe#

Using the -v switch you get verbose output, so you can see what xprobe2 is actually doing. The first guess of Microsoft Windows XP SP2 is actually correct for the server that was queried on my home network. On another example query below I thought it was pretty cool that xprobe2 properly guessed the correct Foundry load balancer, which definitely could come in handy as some of these devices in the wild are not updated on a regular basis. The firmware revision is pretty far off, but xprobe2 is accurate on the device type.

xprobe2 Fingerprinting Foundry Networks Load Balancer:

    root@bt:~/xprobe# xprobe2 -v 192.168.1.93

    Xprobe-ng v.2.1 Copyright (c) 2002-2009 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

    [+] Target is 192.168.1.93
    [+] Loading modules.
    [+] Following modules are loaded:
    [x]  ping:icmp_ping  -  ICMP echo discovery module
    [x]  ping:tcp_ping  -  TCP-based ping discovery module
    [x]  ping:udp_ping  -  UDP-based ping discovery module
    [x]  infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
    [x]  infogather:portscan  -  TCP and UDP PortScanner
    [x]  fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
    [x]  fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
    [x]  fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
    [x]  fingerprint:icmp_info  -  ICMP Information request fingerprinting module
    [x]  fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
    [x]  fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
    [x]  fingerprint:tcp_rst  -  TCP RST fingerprinting module
    [x]  app:smb  -  SMB fingerprinting module
    [x]  app:snmp  -  SNMPv2c fingerprinting module
    [x]  app:ftp  -  FTP fingerprinting tests
    [x]  app:http  -  HTTP fingerprinting tests
    [+] 16 modules registered
    [+] Initializing scan engine
    [+] Running scan engine
    fingerprint:icmp_tstamp has not enough data
    Executing ping:icmp_ping
    Executing fingerprint:icmp_port_unreach
    fingerprint:tcp_hshake has not enough data
    Executing fingerprint:tcp_rst
    Executing fingerprint:icmp_echo
    Executing fingerprint:icmp_amask
    Executing fingerprint:icmp_info
    Executing fingerprint:icmp_tstamp
    app:smb has not enough data
    Executing app:snmp
    ping:tcp_ping has not enough data
    ping:udp_ping has not enough data
    infogather:ttl_calc has not enough data
    Executing infogather:portscan
    Executing app:ftp
    Executing app:http
    [+] Primary Network guess:
    [+] Host 192.168.1.93 Running OS: "Foundry Networks IronWare Version 03.0.01eTc1" (Guess probability: 100%)
    [+] Other guesses:
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.19 EEPROM G.08.03" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.08.04" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM F.08.08 EEPROM F.08.05" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.07.17" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.06.00 EEPROM G.06.00" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM F.08.08 EEPROM F.08.20" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.07.20" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM F.08.01 EEPROM F.08.05" (Guess probability: 96%)
    [+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.19 EEPROM G.07.20" (Guess probability: 96%)
    [+] Cleaning up scan engine
    [+] Modules deinitialized
    [+] Execution completed.
    root@bt:~/xprobe#
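The two runs above show why the printed probability needs interpreting: the Windows host gets ten guesses all at 100%, so xprobe2 has matched a family rather than a single version, whereas the Foundry device has one 100% guess clearly ahead of the 96% JetDirect entries. The following added example (not code from the original post or from the xprobe2 project) parses xprobe2 -v output into the guess list and the modules that reported "has not enough data", then counts how many other guesses tie with the primary one; the sample output is constructed in the shape of the runs above.

```python
import re
from typing import NamedTuple

# Constructed sample in the shape of xprobe2 -v output (not a capture from the post).
SAMPLE_OUTPUT = """\
[+] Target is 192.168.1.248
fingerprint:tcp_hshake has not enough data
app:smb has not enough data
Executing app:http
[+] Primary Network guess:
[+] Host 192.168.1.248 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "HP JetDirect ROM G.07.19 EEPROM G.08.03" (Guess probability: 96%)
[+] Execution completed.
"""

GUESS_RE = re.compile(r'Running OS: "([^"]+)" \(Guess probability: (\d+)%\)')
NODATA_RE = re.compile(r"^(\S+) has not enough data$")

class Guess(NamedTuple):
    os_name: str
    probability: int

def parse_xprobe2(text):
    """Return (guesses, skipped) from xprobe2 -v output: guesses in printed
    order (primary first) and the modules that reported 'not enough data'."""
    guesses, skipped = [], []
    for line in text.splitlines():
        m = GUESS_RE.search(line)
        if m:
            guesses.append(Guess(m.group(1), int(m.group(2))))
            continue
        m = NODATA_RE.match(line.strip())
        if m:
            skipped.append(m.group(1))
    return guesses, skipped

def assess(guesses):
    """Count how many other guesses tie with the primary one at its probability.
    xprobe2 prints the same probability for every signature its probes matched
    equally well, so a 100% primary guess with many 100% rivals identifies an
    OS family rather than a specific version."""
    if not guesses:
        return {"primary": None, "ties": 0, "unambiguous": False}
    top = guesses[0].probability
    ties = sum(1 for g in guesses[1:] if g.probability == top)
    return {"primary": guesses[0].os_name, "ties": ties, "unambiguous": ties == 0}
```

The skipped-module list is worth reporting alongside the guess: when tcp_hshake or smb had no data, the fingerprint rests on ICMP probes alone and the version guess deserves less weight.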

There are a bunch of other switches available with xprobe2, as shown in the help output below from xprobe2 -h.

xprobe2 Help Output:

    root@bt:~/xprobe# xprobe2 -v

    Xprobe-ng v.2.1 Copyright (c) 2002-2009 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

    usage: xprobe2 [options] target
    Options:
              -v                       Be verbose
              -r                       Show route to target(traceroute)
              -p  Specify portnumber, protocol and state.
                                       Example: tcp:23:open, UDP:53:CLOSED
              -c           Specify config file to use.
              -h                       Print this help.
              -o                Use logfile to log everything.
              -t             Set initial receive timeout or roundtrip time.
              -s           Set packsending delay (milseconds).
              -d              Specify debugging level.
              -D               Disable module number .
              -M               Enable module number .
              -L                       Display modules.
              -m         Specify number of matches to print.
              -T             Enable TCP portscan for specified port(s).
                                       Example: -T21-23,53,110
              -U             Enable UDP portscan for specified port(s).
              -f                       force fixed round-trip time (-t opt).
              -F                       Generate signature (use -o to save to a file).
              -X                       Generate XML output and save it to logfile specified with -o.
              -B                       Options forces TCP handshake module to try to guess open TCP port
              -A                       Perform analysis of sample packets gathered during portscan in
                                       order to detect suspicious traffic (i.e. transparent proxies,
                                       firewalls/NIDSs resetting connections). Use with -T.
    root@bt:~/xprobe#

Again, though, since it is outdated it's not useful in many areas, except for maybe old OS's that other OS fingerprinting tools might not locate, or might not locate accurately. The most beneficial detail I figured could be put in this article is the list of operating systems that are supported, giving you a list to check against to see if the old systems you are attempting to fingerprint are in it.

List Of xprobe2 Supported Operating Systems:

  • AIX 5.1
  • AIX 4.3.3
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X 10.2.1
  • Apple Mac OS X 10.2.2
  • Apple Mac OS X 10.2.3
  • Apple Mac OS X 10.2.4
  • Apple Mac OS X 10.2.5
  • Apple Mac OS X 10.2.6
  • Apple Mac OS X 10.2.7
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.0
  • Apple Mac OS X 10.3.1
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X 10.3.3
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X 10.3.7
  • Apple Mac OS X 10.3.8
  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.0
  • Apple Mac OS X 10.4.1
  • Apple Mac OS X 10.5
  • Cisco IOS 12.3
  • Cisco IOS 12.2
  • Cisco IOS 12.0
  • Cisco IOS 11.3
  • Cisco IOS 11.2
  • Cisco IOS 11.1
  • Foundry Networks IronWare Version 03.0.01eTc1
  • Foundry Networks IronWare Version 07.5.04T53
  • Foundry Networks IronWare Version 07.5.05KT53
  • Foundry Networks IronWare 07.6.01BT51
  • Foundry Networks IronWare 07.6.04aT51
  • Foundry Networks IronWare 07.7.01eT53
  • FreeBSD 5.4
  • FreeBSD 5.3
  • FreeBSD 5.2.1
  • FreeBSD 5.2
  • FreeBSD 5.1
  • FreeBSD 5.0
  • FreeBSD 4.11
  • FreeBSD 4.10
  • FreeBSD 4.9
  • FreeBSD 4.8
  • FreeBSD 4.7
  • FreeBSD 4.6.2
  • FreeBSD 4.6
  • FreeBSD 4.5
  • FreeBSD 4.4
  • FreeBSD 4.3
  • FreeBSD 4.2
  • FreeBSD 4.1.1
  • FreeBSD 4.0
  • FreeBSD 3.5.1
  • FreeBSD 3.4
  • FreeBSD 3.3
  • FreeBSD 3.2
  • FreeBSD 3.1
  • FreeBSD 2.2.8
  • FreeBSD 2.2.7
  • HP UX 11.0x
  • HP UX 11.0
  • HP JetDirect ROM A.03.17 EEPROM A.04.09
  • HP JetDirect ROM A.05.03 EEPROM A.05.05
  • HP JetDirect ROM F.08.01 EEPROM F.08.05
  • HP JetDirect ROM F.08.08 EEPROM F.08.05
  • HP JetDirect ROM F.08.08 EEPROM F.08.20
  • HP JetDirect ROM G.05.34 EEPROM G.05.35
  • HP JetDirect ROM G.06.00 EEPROM G.06.00
  • HP JetDirect ROM G.07.02 EEPROM G.07.17
  • HP JetDirect ROM G.07.02 EEPROM G.07.20
  • HP JetDirect ROM G.07.02 EEPROM G.08.04
  • HP JetDirect ROM G.07.19 EEPROM G.07.20
  • HP JetDirect ROM G.07.19 EEPROM G.08.03
  • HP JetDirect ROM G.07.19 EEPROM G.08.04
  • HP JetDirect ROM G.08.08 EEPROM G.08.04
  • HP JetDirect ROM G.08.21 EEPROM G.08.21
  • HP JetDirect ROM H.07.15 EEPROM H.08.20
  • HP JetDirect ROM L.20.07 EEPROM L.20.24
  • HP JetDirect ROM R.22.01 EEPROM L.24.08
  • Linux Kernel 2.6.11
  • Linux Kernel 2.6.10
  • Linux Kernel 2.6.9
  • Linux Kernel 2.6.8
  • Linux Kernel 2.6.7
  • Linux Kernel 2.6.6
  • Linux Kernel 2.6.5
  • Linux Kernel 2.6.4
  • Linux Kernel 2.6.3
  • Linux Kernel 2.6.2
  • Linux Kernel 2.6.1
  • Linux Kernel 2.6.0
  • Linux Kernel 2.4.30
  • Linux Kernel 2.4.29
  • Linux Kernel 2.4.28
  • Linux Kernel 2.4.27
  • Linux Kernel 2.4.26
  • Linux Kernel 2.4.25
  • Linux Kernel 2.4.24
  • Linux Kernel 2.4.23
  • Linux Kernel 2.4.22
  • Linux Kernel 2.4.21
  • Linux Kernel 2.4.20
  • Linux Kernel 2.4.19
  • Linux Kernel 2.4.18
  • Linux Kernel 2.4.17
  • Linux Kernel 2.4.16
  • Linux Kernel 2.4.15
  • Linux Kernel 2.4.14
  • Linux Kernel 2.4.13
  • Linux Kernel 2.4.12
  • Linux Kernel 2.4.11
  • Linux Kernel 2.4.10
  • Linux Kernel 2.4.9
  • Linux Kernel 2.4.8
  • Linux Kernel 2.4.7
  • Linux Kernel 2.4.6
  • Linux Kernel 2.4.5
  • Linux Kernel 2.4.4 (I)
  • Linux Kernel 2.4.4
  • Linux Kernel 2.4.3
  • Linux Kernel 2.4.2
  • Linux Kernel 2.4.1
  • Linux Kernel 2.4.0
  • Linux Kernel 2.2.26
  • Linux Kernel 2.2.25
  • Linux Kernel 2.2.24
  • Linux Kernel 2.2.23
  • Linux Kernel 2.2.22
  • Linux Kernel 2.2.21
  • Linux Kernel 2.2.20
  • Linux Kernel 2.2.19
  • Linux Kernel 2.2.18
  • Linux Kernel 2.2.17
  • Linux Kernel 2.2.16
  • Linux Kernel 2.2.15
  • Linux Kernel 2.2.14
  • Linux Kernel 2.2.13
  • Linux Kernel 2.2.12
  • Linux Kernel 2.2.11
  • Linux Kernel 2.2.10
  • Linux Kernel 2.2.9
  • Linux Kernel 2.2.8
  • Linux Kernel 2.2.7
  • Linux Kernel 2.2.6
  • Linux Kernel 2.2.5
  • Linux Kernel 2.2.4
  • Linux Kernel 2.2.3
  • Linux Kernel 2.2.2
  • Linux Kernel 2.2.1
  • Linux Kernel 2.2.0
  • Linux Kernel 2.0.36
  • Linux Kernel 2.0.34
  • Linux Kernel 2.0.30
  • Microsoft Windows 2003 Server Enterprise Edition
  • Microsoft Windows 2003 Server Standard Edition
  • Microsoft Windows XP SP2
  • Microsoft Windows XP SP1
  • Microsoft Windows XP
  • Microsoft Windows 2000 Server Service Pack 4
  • Microsoft Windows 2000 Server Service Pack 3
  • Microsoft Windows 2000 Server Service Pack 2
  • Microsoft Windows 2000 Server Service Pack 1
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Workstation SP4
  • Microsoft Windows 2000 Workstation SP3
  • Microsoft Windows 2000 Workstation SP2
  • Microsoft Windows 2000 Workstation SP1
  • Microsoft Windows 2000 Workstation
  • Microsoft Windows Millennium Edition (ME)
  • Microsoft Windows NT 4 Server Service Pack 6a
  • Microsoft Windows NT 4 Server Service Pack 5
  • Microsoft Windows NT 4 Server Service Pack 4
  • Microsoft Windows NT 4 Server Service Pack 3
  • Microsoft Windows NT 4 Server Service Pack 2
  • Microsoft Windows NT 4 Server Service Pack 1
  • Microsoft Windows NT 4 Server
  • Microsoft Windows NT 4 Workstation Service Pack 6a
  • Microsoft Windows NT 4 Workstation Service Pack 5
  • Microsoft Windows NT 4 Workstation Service Pack 4
  • Microsoft Windows NT 4 Workstation Service Pack 3
  • Microsoft Windows NT 4 Workstation Service Pack 2
  • Microsoft Windows NT 4 Workstation Service Pack 1
  • Microsoft Windows NT 4 Workstation
  • Microsoft Windows 98 Second Edition (SE)
  • Microsoft Windows 98
  • Microsoft Windows 95
  • NetBSD 2.0
  • NetBSD 1.6.2
  • NetBSD 1.6.1
  • NetBSD 1.6
  • NetBSD 1.5.3
  • NetBSD 1.5.2
  • NetBSD 1.5.1
  • NetBSD 1.5
  • NetBSD 1.4.3
  • NetBSD 1.4.2
  • NetBSD 1.4.1
  • NetBSD 1.4
  • NetBSD 1.3.3
  • NetBSD 1.3.2
  • NetBSD 1.3.1
  • NetBSD 1.3
  • OpenBSD 3.7
  • OpenBSD 3.6
  • OpenBSD 3.5
  • OpenBSD 3.4
  • OpenBSD 3.3
  • OpenBSD 3.2
  • OpenBSD 3.1
  • OpenBSD 3.0
  • OpenBSD 2.9
  • OpenBSD 2.8
  • OpenBSD 2.7
  • OpenBSD 2.6
  • OpenBSD 2.5
  • OpenBSD 2.4
  • Sun Solaris 10 (SunOS 5.10)
  • Sun Solaris 9 (SunOS 5.9)
  • Sun Solaris 8 (SunOS 2.8)
  • Sun Solaris 7 (SunOS 2.7)
  • Sun Solaris 6 (SunOS 2.6)
  • Sun Solaris 2.5.1
  • Linux 2.6.*

If you happen to need to fingerprint an older OS, hopefully you can find it in the list above.
