Ethical Hacking – Fingerprinting

Last updated on Nov 22 2021
Deepali Gupta


The term OS fingerprinting in Ethical Hacking refers to any method used to determine what operating system is running on a remote computer. It can be either of the following −

  • Active Fingerprinting − Active fingerprinting is accomplished by sending specially crafted packets to a target machine, noting down its responses, and analysing the gathered information to work out the target OS. In the following section we give an example of how you can use the nmap tool to detect the OS of a target domain.
  • Passive Fingerprinting − Passive fingerprinting is based on sniffer traces from the remote system. From the sniffer traces of the packets (captured with a tool such as Wireshark), you can determine the OS of the remote host.

There are four important elements of a packet that we will look at to work out the OS −

  • TTL − What the OS sets the Time-To-Live to on the outbound packet.
  • Window Size − What the OS sets the TCP Window Size to.
  • DF − Whether the OS sets the Don't Fragment bit.
  • TOS − Whether the OS sets the Type of Service, and if so, to what value.

By analysing these factors of a packet, you may be able to determine the remote OS. This technique isn't 100% accurate, and works better for some operating systems than others.
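The four elements above are exactly what a passive fingerprinter reads out of a captured SYN. The following Python example is added here and is not part of the original post: it parses constructed raw IPv4/TCP packets (built inline, so no capture is needed), extracts TTL, TOS, DF and window size, rounds the observed TTL up to the nearest common default to estimate the hop distance, and matches the result against a small constructed signature table. The table rows, the `build_syn` packet builder and the "all three must agree" rule are illustrative assumptions, not values or logic taken from nmap or p0f.

```python
import struct

# Constructed, illustrative signature table (assumption for this example): initial TTL,
# TCP window and DF bit. Real tools such as nmap and p0f use far larger databases.
SIGNATURES = [
    {"name": "Linux-like (sample)",   "initial_ttl": 64,  "window": 29200, "df": True},
    {"name": "Windows-like (sample)", "initial_ttl": 128, "window": 8192,  "df": True},
    {"name": "Router-like (sample)",  "initial_ttl": 255, "window": 4128,  "df": False},
]

# Common default initial TTLs; an observed TTL is rounded up to the next one of these.
INITIAL_TTLS = (32, 64, 128, 255)


def build_syn(ttl: int, tos: int, df: bool, window: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN (no options, checksums left zero) for offline use."""
    flags_frag = 0x4000 if df else 0          # DF is bit 14 of the flags/fragment field
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 40, 0x1234, flags_frag, ttl, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp_hdr = struct.pack("!HHIIHHHH",
                          40000, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)  # data offset 5, SYN
    return ip_hdr + tcp_hdr


def parse_packet(raw: bytes) -> dict:
    """Pull TTL, TOS, DF and the TCP window out of a raw IPv4/TCP packet."""
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                # IP header length in bytes
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    return {"ttl": ttl, "tos": tos, "df": bool(flags_frag & 0x4000),
            "window": window, "syn": bool(off_flags & 0x02)}


def guess_initial_ttl(observed: int) -> int:
    """Each router hop decrements TTL, so the original is the next common default at or above it."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255


def fingerprint(raw: bytes) -> dict:
    """Score the packet against the sample table; name an OS only when all three elements agree."""
    fields = parse_packet(raw)
    initial = guess_initial_ttl(fields["ttl"])
    best_name, best_score = "unknown", 0
    for sig in SIGNATURES:
        score = ((sig["initial_ttl"] == initial)
                 + (sig["window"] == fields["window"])
                 + (sig["df"] == fields["df"]))
        if score > best_score:
            best_name, best_score = sig["name"], score
    return {"os": best_name if best_score == 3 else "unknown",
            "initial_ttl": initial, "hops": initial - fields["ttl"],
            "score": best_score, **fields}


if __name__ == "__main__":
    # Constructed samples: a SYN seven hops from a Linux-like host, one eight hops from a
    # Windows-like host, and one whose window matches nothing in the table.
    for pkt in (build_syn(57, 0, True, 29200), build_syn(120, 0, True, 8192),
                build_syn(57, 0, False, 65535)):
        print(fingerprint(pkt))
```

The hop estimate is only as good as the assumption that the sender used one of the listed defaults, and the window size changes with kernel version and socket options, which is why the example refuses to name an OS on a partial match; that conservatism is the same reason the text above calls the technique less than 100% accurate.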

Basic Steps

Before attacking a system, you need to know what OS is hosting the website. Once the target OS is known, it becomes easier to work out which vulnerabilities might be present to exploit on the target system.

Below is a simple nmap command which can be used to identify the OS serving a website and all the open ports associated with the domain name, i.e., the IP address.

$nmap -O -v tecklearn.com

It will show you the following sensitive information about the given domain name or IP address −

Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-04 09:57 CDT
Initiating Parallel DNS resolution of 1 host. at 09:57
Completed Parallel DNS resolution of 1 host. at 09:57, 0.00s elapsed
Initiating SYN Stealth Scan at 09:57
Scanning tecklearn.com (66.135.33.172) [1000 ports]
Discovered open port 22/tcp on 66.135.33.172
Discovered open port 3306/tcp on 66.135.33.172
Discovered open port 80/tcp on 66.135.33.172
Discovered open port 443/tcp on 66.135.33.172
Completed SYN Stealth Scan at 09:57, 0.04s elapsed (1000 total ports)
Initiating OS detection (try #1) against tecklearn.com (66.135.33.172)
Retrying OS detection (try #2) against tecklearn.com (66.135.33.172)
Retrying OS detection (try #3) against tecklearn.com (66.135.33.172)
Retrying OS detection (try #4) against tecklearn.com (66.135.33.172)
Retrying OS detection (try #5) against tecklearn.com (66.135.33.172)
Nmap scan report for tecklearn.com (66.135.33.172)
Host is up (0.000038s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

TCP/IP fingerprint:

OS:SCAN(V=5.51%D=10/4%OT=22%CT=1%CU=40379%PV=N%DS=0%DC=L%G=Y%TM=56113E6D%P=
OS:x86_64-redhat-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=MFF
OS:D7ST11NW7%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF
OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

If you do not have the nmap command installed on your Linux system, you can install it using the following yum command −

$yum install nmap

You can go through the nmap command in detail to check and understand the various features associated with a system and secure it against malicious attacks.

Quick Fix

You can hide your main system behind a secure proxy server or a VPN so that your complete identity is safe and ultimately your main system remains safe.

Port Scanning

We have just seen the information given by the nmap command. This command lists all the open ports on a given server.

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql

You can also check whether a specific port is open or not using the following command −

$nmap -sT -p 443 tecklearn.com

It will produce the following result −

Starting Nmap 5.51 ( http://nmap.org ) at 2015-10-04 10:19 CDT
Nmap scan report for tecklearn.com (66.135.33.172)
Host is up (0.000067s latency).
PORT STATE SERVICE
443/tcp open https

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Once a hacker knows about the open ports, he can plan different attack techniques through them.

Quick Fix

It is always recommended to check and close all unwanted ports to safeguard the system from malicious attacks.
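The defender's version of the port scan above is to compare the scan against what the host is supposed to expose. The following Python example is added here and is not code from the original post: it parses nmap's `PORT STATE SERVICE` lines, using the scan output shown above as the sample input, and reports open ports that are absent from a baseline allowlist as well as baseline services that did not show up as open. The baseline set is a constructed assumption for the example; in practice it comes from the host's build documentation or change records.

```python
import re

# Sample input: the "PORT STATE SERVICE" section exactly as nmap printed it in the scan above.
SAMPLE_SCAN = """\
Nmap scan report for tecklearn.com (66.135.33.172)
Host is up (0.000038s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
3306/tcp open mysql
"""

# Constructed baseline (assumption for this example): the only ports this host should expose.
BASELINE = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

# nmap port lines look like "3306/tcp open mysql" or "53/udp open|filtered domain".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(scan_text: str) -> list:
    """Return every port nmap reported as open (or open|filtered) as a list of dicts."""
    ports = []
    for line in scan_text.splitlines():
        match = PORT_LINE.match(line.strip())
        if match and match.group(3).startswith("open"):
            ports.append({"port": int(match.group(1)), "proto": match.group(2),
                          "state": match.group(3), "service": match.group(4)})
    return ports


def unexpected_ports(scan_text: str, baseline=BASELINE) -> list:
    """Open ports that are not in the baseline: candidates to close or to justify."""
    return [p for p in parse_open_ports(scan_text)
            if (p["proto"], p["port"]) not in baseline]


def missing_ports(scan_text: str, baseline=BASELINE) -> list:
    """Baseline services that did not appear open: the service is down or filtered."""
    seen = {(p["proto"], p["port"]) for p in parse_open_ports(scan_text)}
    return sorted(baseline - seen)


if __name__ == "__main__":
    # Expected with the sample above: 3306/tcp (mysql) is open but not in the baseline.
    for p in unexpected_ports(SAMPLE_SCAN):
        print(f"unexpected: {p['port']}/{p['proto']} {p['state']} {p['service']}")
    for proto, port in missing_ports(SAMPLE_SCAN):
        print(f"missing from scan: {port}/{proto}")
```

Running this against the sample flags 3306/tcp, which is the kind of port the Quick Fix above is talking about: a database listener that has no business being reachable from the scanning host. Feeding it `nmap -oN` output from a scheduled scan turns the one-off check into a drift detector.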

Ping Sweep

A ping sweep is a network scanning technique that you can use to determine which IP addresses from a range of IP addresses map to live hosts. A ping sweep is also referred to as an ICMP sweep.

You can use the fping command for a ping sweep. This command is a ping-like program which uses the Internet Control Message Protocol (ICMP) echo request to determine whether a host is up.

fping is different from ping in that you can specify any number of hosts on the command line, or specify a file containing the list of hosts to ping. If a host doesn't respond within a certain time limit and/or retry limit, it will be considered unreachable.

Quick Fix

To disable ping sweeps on a network, you can block ICMP ECHO requests from outside sources. This can be done using the following command, which creates an iptables firewall rule. The rule belongs in the INPUT chain, since it is the inbound echo requests that a sweep sends that must be dropped.

$iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
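Dropping echo requests is one option; the other is to keep answering them but notice when one source pings many hosts in a short time, which is the signature of a sweep. The following Python example is added here and is not part of the original post. It parses constructed kernel log lines in the format the iptables LOG target writes for ICMP (a `--log-prefix "PING: "` is assumed), keeps only echo requests (TYPE=8), and raises an alert for any source that reaches a threshold of distinct destinations inside a sliding time window. The log lines, the window and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt (not captured from a real system) in iptables LOG target format:
# one source sweeps 192.0.2.1-6 in six seconds, another host pings a single address once,
# one line is an echo reply (TYPE=0) that must be ignored, and one late request falls
# outside the sweep's time window.
SAMPLE_LOG = """\
Oct 14 09:57:01 gw kernel: PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Oct 14 09:57:02 gw kernel: PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.2 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Oct 14 09:57:02 gw kernel: PING: IN=eth0 OUT= SRC=192.0.2.1 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=1
Oct 14 09:57:03 gw kernel: PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.3 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=3
Oct 14 09:57:03 gw kernel: PING: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=120 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Oct 14 09:57:04 gw kernel: PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.4 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=4
Oct 14 09:57:05 gw kernel: PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=5
Oct 14 09:57:06 gw kernel: PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.6 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=6
Oct 14 10:30:00 gw kernel: PING: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.7 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=7
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
                  r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=ICMP TYPE=(?P<type>\d+)")


def parse_echo_requests(log_text: str) -> list:
    """Return (timestamp, src, dst) for each ICMP echo request (TYPE=8) in the log."""
    events = []
    for line in log_text.splitlines():
        match = LINE.search(line)
        if match and match.group("type") == "8":
            # syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas
            ts = datetime.strptime(match.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, match.group("src"), match.group("dst")))
    return events


def detect_sweeps(events: list, window_seconds: int = 60, min_targets: int = 5) -> dict:
    """Map each source that hit >= min_targets distinct hosts within window_seconds
    to the largest number of distinct hosts seen in any single window."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans at most window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


if __name__ == "__main__":
    for src, count in detect_sweeps(parse_echo_requests(SAMPLE_LOG)).items():
        print(f"possible ping sweep from {src}: {count} distinct hosts within 60s")
```

Counting distinct destinations rather than raw packets is what separates a sweep from a monitoring host that pings one address every second; the threshold should be set above the largest legitimate fan-out on the network (monitoring systems, load balancers), otherwise those become the noisiest alerts.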

DNS Enumeration

The Domain Name System (DNS) is like a map or an address book. In fact, it is like a distributed database which is used to translate an IP address such as 192.111.1.120 to a name such as www.example.com and vice versa.

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. The idea is to gather as many interesting details as possible about your target before initiating an attack.

You can use the nslookup command available on Linux to get DNS and host-related information. Additionally, you can use the following DNSenum script to get detailed information about a domain −

DNSenum.pl

The DNSenum script can perform the following important operations −

  • Get the host’s addresses
  • Get the nameservers
  • Get the MX record
  • Perform axfr queries on nameservers
  • Get extra names and subdomains via Google scraping
  • Brute force subdomains from a file; it can also recurse into subdomains that have NS records
  • Calculate class C network ranges for the domain and perform whois queries on them
  • Perform reverse lookups on netranges

Quick Fix

DNS enumeration doesn't have a quick fix and it's really beyond the scope of this tutorial. Preventing DNS enumeration is a big challenge.

If your DNS isn't configured in a secure way, it's possible that a lot of sensitive information about the network and organization can leak outside, and an untrusted Internet user can perform a DNS zone transfer.
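What "configured in a secure way" means for the zone-transfer case above is an `allow-transfer` ACL that lists only your own secondary servers. The following Python example is added here and is not part of the original post: it audits a constructed `named.conf` excerpt (BIND syntax) and reports every zone whose effective `allow-transfer` is `any` or missing. It assumes a zone without its own `allow-transfer` inherits the `options`-level setting, and it conservatively treats a zone with neither as open rather than relying on the server's default. The configuration text and the brace-matching parser are both constructed for this example.

```python
import re

# Constructed named.conf excerpt (not from any real server). The options block opens
# transfers to everyone; example.com inherits that, internal.example overrides it correctly.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
};

zone "internal.example" IN {
    type master;
    file "internal.zone";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
"""

TRANSFER = re.compile(r"allow-transfer\s*\{([^}]*)\}")
ZONE_HEADER = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{')
OPTIONS_HEADER = re.compile(r"\boptions\s*\{")


def _block_body(text: str, start: int) -> str:
    """Return the text between the '{' at index start and its matching '}' (handles nesting)."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _transfer_acl(body: str):
    """Parse 'allow-transfer { a; b; };' inside a block into ['a', 'b'], or None if absent."""
    match = TRANSFER.search(body)
    if not match:
        return None
    return [entry.strip() for entry in match.group(1).split(";") if entry.strip()]


def audit_zone_transfers(conf: str) -> dict:
    """Map each zone name to a description of its effective allow-transfer policy."""
    global_acl = None
    options = OPTIONS_HEADER.search(conf)
    if options:
        global_acl = _transfer_acl(_block_body(conf, options.end() - 1))
    findings = {}
    for header in ZONE_HEADER.finditer(conf):
        name = header.group(1)
        zone_acl = _transfer_acl(_block_body(conf, header.end() - 1))
        effective = zone_acl if zone_acl is not None else global_acl
        if effective is None:
            # Assumption for this audit: no ACL anywhere is reported as open, not silently trusted.
            findings[name] = "unrestricted (no allow-transfer at zone or options level; assumed open)"
        elif any(entry.lower() == "any" for entry in effective):
            findings[name] = "unrestricted (allow-transfer { any; })"
        else:
            findings[name] = "restricted to " + ", ".join(effective)
    return findings


def open_to_transfer(conf: str) -> list:
    """Zones an anonymous Internet client could AXFR according to this configuration."""
    return sorted(zone for zone, verdict in audit_zone_transfers(conf).items()
                  if verdict.startswith("unrestricted"))


if __name__ == "__main__":
    for zone, verdict in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {verdict}")
```

The fix the audit points at is the `internal.example` form: an explicit `allow-transfer` listing only the secondaries' addresses (or a TSIG-keyed ACL) on every zone, and `allow-transfer { none; };` in `options` so that a zone which forgets its own ACL fails closed instead of open.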

So, this brings us to the end of the blog. This Tecklearn ‘Fingerprinting in Ethical Hacking’ blog helps you with commonly asked questions if you are looking for a job in Cyber Security. If you wish to learn Ethical Hacking and build a career in the Cyber Security domain, then check out our interactive Certified Ethical Hacker Training, which comes with 24*7 support to guide you throughout your learning period. Please find the link for course details:

https://www.tecklearn.com/course/certified-ethical-hacker-training/

Certified Ethical Hacker Training

About the Course

Tecklearn’s CEH certification training course provides you the hands-on training required to master the techniques hackers use to penetrate network systems and to fortify your systems against them. In this training, you will master how to identify security vulnerabilities by inspecting network infrastructures and defend against malicious hackers with essential tools and techniques, advanced network packet analysis and system penetration testing techniques, to build your network security skill-set and keep attackers out. We will train you on the advanced step-by-step methodologies that hackers actually use, such as writing virus code and reverse engineering, so you can better protect corporate infrastructure from data breaches.

Why Should you take Certified Ethical Hacker Training?

  • The average salary for a Cybersecurity Specialist is $110,881 per year in the United States and INR 900,000 per year in India – Indeed.com
  • Global Cybersecurity industry is estimated to cross US$ 220 billion by 2021.
  • Today cyber security is one of the most important aspects for any organization. In today’s digitally-driven world every organization needs professionals who can keep the hackers at bay. Hence the salaries for certified ethical hackers are among the best in the industry.

What you will Learn in this Course?

Introduction to Ethical hacking

  • Scope of ethical hacking
  • Enterprise information security architecture
  • Introduction and PCI Data Security Standard Overview
  • Role of Security and Penetration Testers
  • Vulnerability assessment
  • Various cyber security laws
  • Penetration testing

Various aspects of Information Security

  • Information security attacks
  • OS attacks
  • Application-level attacks
  • Phases and Concepts of Hacking
  • Information Security Law and Standards

System Hacking

  • What is System Hacking
  • Goals of System Hacking
  • Understanding the certified ethical hacker methodology
  • About Kali Linux
  • Hands On

Technology Standards

  • Introduction to F5 Technology and Terms
  • POS (Point of Sale) , mPoS
  • What is GLBA Compliance
  • OWASP
  • Site monitoring Tools
  • Introduction to PCI DSS Standard

Semantics and Introduction to Footprinting

  • What is Semantics
  • Fuzzy Logic
  • Footprinting

Threats

  • Types of Threats
  • Threats against the Application
  • Threat modelling
  • Hands on

Threat modelling

  • Threat modelling with STRIDE model
  • Ways to Find Security Issues
  • Penetration Testing Tools
  • Modelling Models – Whiteboard Diagrams, Brainstorming, Structured Diagrams etc.
  • Trust Boundaries
  • Threat Trees
  • DREAD Model

Example of Attack

Vulnerability Scanning Tools

  • OpenVAS
  • Wapiti
  • Burp Suite Community
  • Metasploit

Threat Modelling with Different models

  • Various Threat Models
  • PASTA Model in Depth

Advanced concepts like network packet analysis

  • Network scanning
  • How to scan the network, overview of scanning
  • WireShark
  • Sniffing attacks
  • File Signature

Got a question for us? Please mention it in the comments section and we will get back to you.
