RE: Determining Operating System or Hardware via the Internet -- MIDRANGE-L

HA!  You know what? I didn't even think about the fact that people would try
to hide their OS to prevent hacking.  DUH! I was just curious in a more
academic way about what OS's different sites were running.

As always Scott, you provided an answer that contained not only the answer
to the question, but so much more that we wouldn't even have ever
considered, but which is really good information regardless and gets a
person to thinking about things in a different way. 

Thanks! 


Shannon O'Donnell

 


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Scott Klement
Sent: Sunday, May 09, 2004 2:24 PM
To: Midrange Systems Technical Discussion
Subject: RE: Determining Operating System or Hardware via the Internet


Hi Shannon,

> Thanks for the responses.  I wasn't clear in what I was trying to do.  
> I would like to know if there is some way that I can tell what OS or 
> hardware a website is running on if all I know is the URL or the IP 
> address.  Maybe a command like TRACERT or PING or something?  Or a port
scanner possibly?

Most of the time people try to make sure you CAN'T find out what OS or
platform they're running!!  Almost all published security holes rely on you
running a particular operating system-- therefore the very first thing a
hacker will do is try to detect what operating system and platform you're
running.  Once they've determined that, they can see what the known security
holes are for that operating system and look for one that is exploitable on
your system.

You might try something like Nmap or Queso (if Queso is still around??
it's homepage appears to be gone...)
More about Nmap is here: http://www.insecure.org/nmap/

They use a technique known as "TCP/IP fingerprinting" which relies on quirks
in the OS to determine which OS it's running.  For example, you might send
an invalid sequence of IP packets that make no sense. (such as SYN, SYN+ACK,
FIN, FIN+ACK, SYN+FIN, PSH, SYN+XXX+YYY where XXX and YYY
are unused flags)   Since the standards don't define what should be done
in response, different OSes do different things.   By using a table of
which OSes give which types of responses, they try to detect what the OS
must be.

If you click on the "OS Detection" link on the Nmap web site (above) you'll
get more details on why OS detection is important for security, and how it
works, etc.

Naturally, a well designed firewall will prevent this sort of thing.  And
NAT may very well change the behavior, so it's not completely reliable.


> I'm just trying to guess what some websites are using as a web server.  
> It's not that important, really.  It just occurred to me to wonder 
> what places like Ebay and YAHOO were using for OS software and computing
hardware.

I can tell you that Yahoo! runs FreeBSD.  Here's an article about it:
http://www.ictp.trieste.it/~cfonda/sudan/OSs/references/freeBSD/Yahoo_and_Fr
eeBSD.html

Ebay runs Windows -- which was well known a few years ago when they had a
lot of problems with the systems going down and having to be restored from
backups :)  Nowadays they've enlisted IBM's help in making it stay up.
http://pages.ebay.com/ebay_IBM.html

Also, the server-string reported by the HTTP servers on the large sites may
give away what operating system they're running.  Netcraft.com allows you to
look this sort of thing up.  Especially for the large sites.
http://www.netcraft.com/whats

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.