
Backtrack 5: Information Gathering: Network Analysis: OS Fingerprinting: xprobe2

The xprobe2 application was built specifically for OS fingerprinting, that is, accurately guessing a server's operating system. The unfortunate part about xprobe2 is that it is extremely outdated and doesn't even include Windows 7 in the list of operating systems it can identify. Even though nmap is pretty much the staple tool for this, xprobe2 is still worth discussing because it does a great job on the systems it does know about. It is also possible that you are assessing a network with some really old servers whose operating systems newer tools no longer include, so you may get lucky and identify them with xprobe2.

Basic xprobe2 Functionality:

root@bt:~/xprobe# xprobe2 -v 192.168.1.248

Xprobe-ng v.2.1 Copyright (c) 2002-2009 fyodor at o0o dot nu, ofir at sys-security dot com, meder at o0o dot nu

[+] Target is 192.168.1.248
[+] Loading modules.
[+] Following modules are loaded:
[x]  ping:icmp_ping  -  ICMP echo discovery module
[x]  ping:tcp_ping  -  TCP-based ping discovery module
[x]  ping:udp_ping  -  UDP-based ping discovery module
[x]  infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x]  infogather:portscan  -  TCP and UDP PortScanner
[x]  fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x]  fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x]  fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x]  fingerprint:icmp_info  -  ICMP Information request fingerprinting module
[x]  fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x]  fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x]  fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x]  app:smb  -  SMB fingerprinting module
[x]  app:snmp  -  SNMPv2c fingerprinting module
[x]  app:ftp  -  FTP fingerprinting tests
[x]  app:http  -  HTTP fingerprinting tests
[+] 16 modules registered
[+] Initializing scan engine
[+] Running scan engine
fingerprint:icmp_tstamp has not enough data
Executing ping:icmp_ping
Executing fingerprint:icmp_port_unreach
fingerprint:tcp_hshake has not enough data
Executing fingerprint:tcp_rst
Executing fingerprint:icmp_echo
Executing fingerprint:icmp_amask
Executing fingerprint:icmp_info
Executing fingerprint:icmp_tstamp
app:smb has not enough data
Executing app:snmp
Recv() error: Connection refused
ping:tcp_ping has not enough data
Executing ping:udp_ping
Executing infogather:ttl_calc
Executing infogather:portscan
Executing app:ftp
Executing app:http
[+] Primary Network guess:
[+] Host 192.168.1.248 Running OS: "Microsoft Windows XP SP2" (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2003 Server Enterprise Edition" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2003 Server Standard Edition" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Server Service Pack 1" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Server" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP4" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP3" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP2" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation SP1" (Guess probability: 100%)
[+] Host 192.168.1.248 Running OS: "Microsoft Windows 2000 Workstation" (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
root@bt:~/xprobe#

Using the -v switch you get verbose output so you can see what xprobe2 is actually doing. The first guess of Microsoft Windows XP SP2 is correct for the host that was queried on my home network. Note that the other guesses are also reported at 100%, so the probes that returned data could not tell XP SP2 apart from the Windows 2000 and 2003 signatures; the primary guess is the first in the ranking, not a certainty. In the second example below I thought it was pretty cool that xprobe2 correctly identified a Foundry load balancer, which could definitely come in handy since some of these devices in the wild are not updated on a regular basis. The firmware revision it reports is pretty far off, but xprobe2 is accurate on the device type.
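From the defender's side, the module list in the verbose output above is also a detection signature: the icmp_tstamp, icmp_info and icmp_amask modules send ICMP timestamp (type 13), information (type 15) and address mask (type 17) requests, which ordinary hosts almost never emit. The following script is an added example written for this article, not part of xprobe2; it runs a simple rule over constructed iptables-style firewall log lines and flags any source that sends two or more of those rare request types to the same destination within a short window. The log format, the 60-second window and the year assumed for the syslog timestamps are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# ICMP request types behind xprobe2's icmp_tstamp, icmp_info and icmp_amask
# modules (see the module list in the verbose output). Ordinary hosts send
# echo requests (type 8); these three are rare on a healthy network.
RARE_ICMP_TYPES = {13: "timestamp request", 15: "information request", 17: "address mask request"}

# iptables-style firewall log lines, constructed for this example (not from the page).
# 192.168.1.50 runs the probe pattern; 192.168.1.77 only pings plus one stray timestamp request.
SAMPLE_LOG = """\
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.248 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.248 PROTO=ICMP TYPE=13 CODE=0
Mar  3 10:15:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.248 PROTO=ICMP TYPE=17 CODE=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.248 PROTO=ICMP TYPE=15 CODE=0
Mar  3 10:15:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.248 PROTO=UDP SPT=40123 DPT=65534
Mar  3 10:16:40 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.248 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:16:41 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.248 PROTO=ICMP TYPE=13 CODE=0
Mar  3 10:30:00 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.248 PROTO=ICMP TYPE=8 CODE=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: TYPE=(?P<type>\d+))?"
)


def parse_syslog_ts(ts: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; the year is an assumption of this example
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def detect_icmp_fingerprinting(log_text: str, window_s: int = 60, min_types: int = 2):
    """Return (src, dst, [type names]) for every source/destination pair where the
    source sent at least `min_types` distinct rare ICMP request types within `window_s`."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, icmp_type)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("proto") != "ICMP" or m.group("type") is None:
            continue
        icmp_type = int(m.group("type"))
        if icmp_type in RARE_ICMP_TYPES:
            key = (m.group("src"), m.group("dst"))
            events[key].append((parse_syslog_ts(m.group("ts")), icmp_type))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()
        # slide a window starting at each event; alert once per pair at the first hit
        for i, (start, _) in enumerate(evs):
            in_window = {t for when, t in evs[i:] if (when - start).total_seconds() <= window_s}
            if len(in_window) >= min_types:
                alerts.append((src, dst, sorted(RARE_ICMP_TYPES[t] for t in in_window)))
                break
    return alerts


if __name__ == "__main__":
    for src, dst, kinds in detect_icmp_fingerprinting(SAMPLE_LOG):
        print(f"possible OS fingerprinting: {src} -> {dst} sent {', '.join(kinds)}")
```

Requiring two distinct rare types keeps a single stray timestamp request (some monitoring tools send them) from raising an alert, while the full xprobe2 run, which fires all three within a second, is caught. The UDP datagram to a closed high port in the sample is what the icmp_port_unreach module relies on to elicit a port-unreachable reply; it is left out of the rule here, but pairing it with the ICMP types would tighten the match further.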

xprobe2 Fingerprinting Foundry Networks Load Balancer:

root@bt:~/xprobe# xprobe2 -v 192.168.1.93

Xprobe-ng v.2.1 Copyright (c) 2002-2009 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is 192.168.1.93
[+] Loading modules.
[+] Following modules are loaded:
[x]  ping:icmp_ping  -  ICMP echo discovery module
[x]  ping:tcp_ping  -  TCP-based ping discovery module
[x]  ping:udp_ping  -  UDP-based ping discovery module
[x]  infogather:ttl_calc  -  TCP and UDP based TTL distance calculation
[x]  infogather:portscan  -  TCP and UDP PortScanner
[x]  fingerprint:icmp_echo  -  ICMP Echo request fingerprinting module
[x]  fingerprint:icmp_tstamp  -  ICMP Timestamp request fingerprinting module
[x]  fingerprint:icmp_amask  -  ICMP Address mask request fingerprinting module
[x]  fingerprint:icmp_info  -  ICMP Information request fingerprinting module
[x]  fingerprint:icmp_port_unreach  -  ICMP port unreachable fingerprinting module
[x]  fingerprint:tcp_hshake  -  TCP Handshake fingerprinting module
[x]  fingerprint:tcp_rst  -  TCP RST fingerprinting module
[x]  app:smb  -  SMB fingerprinting module
[x]  app:snmp  -  SNMPv2c fingerprinting module
[x]  app:ftp  -  FTP fingerprinting tests
[x]  app:http  -  HTTP fingerprinting tests
[+] 16 modules registered
[+] Initializing scan engine
[+] Running scan engine
fingerprint:icmp_tstamp has not enough data
Executing ping:icmp_ping
Executing fingerprint:icmp_port_unreach
fingerprint:tcp_hshake has not enough data
Executing fingerprint:tcp_rst
Executing fingerprint:icmp_echo
Executing fingerprint:icmp_amask
Executing fingerprint:icmp_info
Executing fingerprint:icmp_tstamp
app:smb has not enough data
Executing app:snmp
ping:tcp_ping has not enough data
ping:udp_ping has not enough data
infogather:ttl_calc has not enough data
Executing infogather:portscan
Executing app:ftp
Executing app:http
[+] Primary Network guess:
[+] Host 192.168.1.93 Running OS: "Foundry Networks IronWare Version 03.0.01eTc1" (Guess probability: 100%)
[+] Other guesses:
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.19 EEPROM G.08.03" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.08.04" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM F.08.08 EEPROM F.08.05" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.07.17" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.06.00 EEPROM G.06.00" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM F.08.08 EEPROM F.08.20" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.02 EEPROM G.07.20" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM F.08.01 EEPROM F.08.05" (Guess probability: 96%)
[+] Host 192.168.1.93 Running OS: "HP JetDirect ROM G.07.19 EEPROM G.07.20" (Guess probability: 96%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.
root@bt:~/xprobe#

There are a bunch of other switches available with xprobe2, as shown in the help output from xprobe2 -h below.

xprobe2 Help Output:

root@bt:~/xprobe# xprobe2 -v

Xprobe-ng v.2.1 Copyright (c) 2002-2009 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

usage: xprobe2 [options] target
Options:
          -v                       Be verbose
          -r                       Show route to target(traceroute)
          -p  Specify portnumber, protocol and state.
                                   Example: tcp:23:open, UDP:53:CLOSED
          -c           Specify config file to use.
          -h                       Print this help.
          -o                Use logfile to log everything.
          -t             Set initial receive timeout or roundtrip time.
          -s           Set packsending delay (milseconds).
          -d              Specify debugging level.
          -D               Disable module number .
          -M               Enable module number .
          -L                       Display modules.
          -m         Specify number of matches to print.
          -T             Enable TCP portscan for specified port(s).
                                   Example: -T21-23,53,110
          -U             Enable UDP portscan for specified port(s).
          -f                       force fixed round-trip time (-t opt).
          -F                       Generate signature (use -o to save to a file).
          -X                       Generate XML output and save it to logfile specified with -o.
          -B                       Options forces TCP handshake module to try to guess open TCP port
          -A                       Perform analysis of sample packets gathered during portscan in
                                   order to detect suspicious traffic (i.e. transparent proxies,
                                   firewalls/NIDSs resetting connections). Use with -T.
root@bt:~/xprobe#

Again though, since it is outdated, it is not useful in many areas except perhaps for old operating systems that other OS fingerprinting tools might not identify, or might not identify accurately. The most beneficial detail I figured could be put in this article is the list of supported operating systems, giving you something to check against to see whether the old systems you are attempting to fingerprint are in the list.

List Of xprobe2 Supported Operating Systems:

  • AIX 5.1
  • AIX 4.3.3
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X 10.2.1
  • Apple Mac OS X 10.2.2
  • Apple Mac OS X 10.2.3
  • Apple Mac OS X 10.2.4
  • Apple Mac OS X 10.2.5
  • Apple Mac OS X 10.2.6
  • Apple Mac OS X 10.2.7
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.0
  • Apple Mac OS X 10.3.1
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X 10.3.3
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X 10.3.7
  • Apple Mac OS X 10.3.8
  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.0
  • Apple Mac OS X 10.4.1
  • Apple Mac OS X 10.5
  • Cisco IOS 12.3
  • Cisco IOS 12.2
  • Cisco IOS 12.0
  • Cisco IOS 11.3
  • Cisco IOS 11.2
  • Cisco IOS 11.1
  • Foundry Networks IronWare Version 03.0.01eTc1
  • Foundry Networks IronWare Version 07.5.04T53
  • Foundry Networks IronWare Version 07.5.05KT53
  • Foundry Networks IronWare 07.6.01BT51
  • Foundry Networks IronWare 07.6.04aT51
  • Foundry Networks IronWare 07.7.01eT53
  • FreeBSD 5.4
  • FreeBSD 5.3
  • FreeBSD 5.2.1
  • FreeBSD 5.2
  • FreeBSD 5.1
  • FreeBSD 5.0
  • FreeBSD 4.11
  • FreeBSD 4.10
  • FreeBSD 4.9
  • FreeBSD 4.8
  • FreeBSD 4.7
  • FreeBSD 4.6.2
  • FreeBSD 4.6
  • FreeBSD 4.5
  • FreeBSD 4.4
  • FreeBSD 4.3
  • FreeBSD 4.2
  • FreeBSD 4.1.1
  • FreeBSD 4.0
  • FreeBSD 3.5.1
  • FreeBSD 3.4
  • FreeBSD 3.3
  • FreeBSD 3.2
  • FreeBSD 3.1
  • FreeBSD 2.2.8
  • FreeBSD 2.2.7
  • HP UX 11.0x
  • HP UX 11.0
  • HP JetDirect ROM A.03.17 EEPROM A.04.09
  • HP JetDirect ROM A.05.03 EEPROM A.05.05
  • HP JetDirect ROM F.08.01 EEPROM F.08.05
  • HP JetDirect ROM F.08.08 EEPROM F.08.05
  • HP JetDirect ROM F.08.08 EEPROM F.08.20
  • HP JetDirect ROM G.05.34 EEPROM G.05.35
  • HP JetDirect ROM G.06.00 EEPROM G.06.00
  • HP JetDirect ROM G.07.02 EEPROM G.07.17
  • HP JetDirect ROM G.07.02 EEPROM G.07.20
  • HP JetDirect ROM G.07.02 EEPROM G.08.04
  • HP JetDirect ROM G.07.19 EEPROM G.07.20
  • HP JetDirect ROM G.07.19 EEPROM G.08.03
  • HP JetDirect ROM G.07.19 EEPROM G.08.04
  • HP JetDirect ROM G.08.08 EEPROM G.08.04
  • HP JetDirect ROM G.08.21 EEPROM G.08.21
  • HP JetDirect ROM H.07.15 EEPROM H.08.20
  • HP JetDirect ROM L.20.07 EEPROM L.20.24
  • HP JetDirect ROM R.22.01 EEPROM L.24.08
  • Linux Kernel 2.6.11
  • Linux Kernel 2.6.10
  • Linux Kernel 2.6.9
  • Linux Kernel 2.6.8
  • Linux Kernel 2.6.7
  • Linux Kernel 2.6.6
  • Linux Kernel 2.6.5
  • Linux Kernel 2.6.4
  • Linux Kernel 2.6.3
  • Linux Kernel 2.6.2
  • Linux Kernel 2.6.1
  • Linux Kernel 2.6.0
  • Linux Kernel 2.4.30
  • Linux Kernel 2.4.29
  • Linux Kernel 2.4.28
  • Linux Kernel 2.4.27
  • Linux Kernel 2.4.26
  • Linux Kernel 2.4.25
  • Linux Kernel 2.4.24
  • Linux Kernel 2.4.23
  • Linux Kernel 2.4.22
  • Linux Kernel 2.4.21
  • Linux Kernel 2.4.20
  • Linux Kernel 2.4.19
  • Linux Kernel 2.4.18
  • Linux Kernel 2.4.17
  • Linux Kernel 2.4.16
  • Linux Kernel 2.4.15
  • Linux Kernel 2.4.14
  • Linux Kernel 2.4.13
  • Linux Kernel 2.4.12
  • Linux Kernel 2.4.11
  • Linux Kernel 2.4.10
  • Linux Kernel 2.4.9
  • Linux Kernel 2.4.8
  • Linux Kernel 2.4.7
  • Linux Kernel 2.4.6
  • Linux Kernel 2.4.5
  • Linux Kernel 2.4.4 (I)
  • Linux Kernel 2.4.4
  • Linux Kernel 2.4.3
  • Linux Kernel 2.4.2
  • Linux Kernel 2.4.1
  • Linux Kernel 2.4.0
  • Linux Kernel 2.2.26
  • Linux Kernel 2.2.25
  • Linux Kernel 2.2.24
  • Linux Kernel 2.2.23
  • Linux Kernel 2.2.22
  • Linux Kernel 2.2.21
  • Linux Kernel 2.2.20
  • Linux Kernel 2.2.19
  • Linux Kernel 2.2.18
  • Linux Kernel 2.2.17
  • Linux Kernel 2.2.16
  • Linux Kernel 2.2.15
  • Linux Kernel 2.2.14
  • Linux Kernel 2.2.13
  • Linux Kernel 2.2.12
  • Linux Kernel 2.2.11
  • Linux Kernel 2.2.10
  • Linux Kernel 2.2.9
  • Linux Kernel 2.2.8
  • Linux Kernel 2.2.7
  • Linux Kernel 2.2.6
  • Linux Kernel 2.2.5
  • Linux Kernel 2.2.4
  • Linux Kernel 2.2.3
  • Linux Kernel 2.2.2
  • Linux Kernel 2.2.1
  • Linux Kernel 2.2.0
  • Linux Kernel 2.0.36
  • Linux Kernel 2.0.34
  • Linux Kernel 2.0.30
  • Microsoft Windows 2003 Server Enterprise Edition
  • Microsoft Windows 2003 Server Standard Edition
  • Microsoft Windows XP SP2
  • Microsoft Windows XP SP1
  • Microsoft Windows XP
  • Microsoft Windows 2000 Server Service Pack 4
  • Microsoft Windows 2000 Server Service Pack 3
  • Microsoft Windows 2000 Server Service Pack 2
  • Microsoft Windows 2000 Server Service Pack 1
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Workstation SP4
  • Microsoft Windows 2000 Workstation SP3
  • Microsoft Windows 2000 Workstation SP2
  • Microsoft Windows 2000 Workstation SP1
  • Microsoft Windows 2000 Workstation
  • Microsoft Windows Millennium Edition (ME)
  • Microsoft Windows NT 4 Server Service Pack 6a
  • Microsoft Windows NT 4 Server Service Pack 5
  • Microsoft Windows NT 4 Server Service Pack 4
  • Microsoft Windows NT 4 Server Service Pack 3
  • Microsoft Windows NT 4 Server Service Pack 2
  • Microsoft Windows NT 4 Server Service Pack 1
  • Microsoft Windows NT 4 Server
  • Microsoft Windows NT 4 Workstation Service Pack 6a
  • Microsoft Windows NT 4 Workstation Service Pack 5
  • Microsoft Windows NT 4 Workstation Service Pack 4
  • Microsoft Windows NT 4 Workstation Service Pack 3
  • Microsoft Windows NT 4 Workstation Service Pack 2
  • Microsoft Windows NT 4 Workstation Service Pack 1
  • Microsoft Windows NT 4 Workstation
  • Microsoft Windows 98 Second Edition (SE)
  • Microsoft Windows 98
  • Microsoft Windows 95
  • NetBSD 2.0
  • NetBSD 1.6.2
  • NetBSD 1.6.1
  • NetBSD 1.6
  • NetBSD 1.5.3
  • NetBSD 1.5.2
  • NetBSD 1.5.1
  • NetBSD 1.5
  • NetBSD 1.4.3
  • NetBSD 1.4.2
  • NetBSD 1.4.1
  • NetBSD 1.4
  • NetBSD 1.3.3
  • NetBSD 1.3.2
  • NetBSD 1.3.1
  • NetBSD 1.3
  • OpenBSD 3.7
  • OpenBSD 3.6
  • OpenBSD 3.5
  • OpenBSD 3.4
  • OpenBSD 3.3
  • OpenBSD 3.2
  • OpenBSD 3.1
  • OpenBSD 3.0
  • OpenBSD 2.9
  • OpenBSD 2.8
  • OpenBSD 2.7
  • OpenBSD 2.6
  • OpenBSD 2.5
  • OpenBSD 2.4
  • Sun Solaris 10 (SunOS 5.10)
  • Sun Solaris 9 (SunOS 5.9)
  • Sun Solaris 8 (SunOS 2.8)
  • Sun Solaris 7 (SunOS 2.7)
  • Sun Solaris 6 (SunOS 2.6)
  • Sun Solaris 2.5.1
  • Linux 2.6.*

If you happen to need to fingerprint an older OS, hopefully you can find it in the list above.

