WEBVTT

00:00.730 --> 00:05.110
Chapter 14: Remote identification of the operating system

00:08.280 --> 00:14.790
The unauthorized reproduction in whole or in part of this publication in any form is prohibited.

00:25.320 --> 00:29.880
This lesson describes the ways to remotely identify the operating system version.

00:29.880 --> 00:32.700
We will begin the demonstration with the simplest solutions

00:35.580 --> 00:37.230
using the telnet program.

00:37.230 --> 00:40.770
It is possible to check the version of the service working on the server.

00:40.920 --> 00:43.440
The first parameter is the hostname.

00:43.440 --> 00:52.460
The second is the port.

00:52.560 --> 01:00.110
We will not always manage to guess the version of the remote operating system with this method.

01:00.140 --> 01:03.080
In this case it is necessary to use additional tools.

01:03.080 --> 01:19.340
Let's copy them.

01:19.570 --> 01:25.480
After equipping ourselves with the right tools, it is time to unpack them, compile them and install them in

01:25.480 --> 01:27.350
the system.

01:27.510 --> 01:36.790
The compiling process can take some time depending on the hardware resources available to us.

01:36.800 --> 01:41.390
Let's focus on the compilation and installation of the popular nmap scanner.

03:46.380 --> 03:48.040
After the installation of nmap.

03:48.060 --> 03:52.910
It's time for the Xprobe2 application. The set of installation commands is identical.

06:23.030 --> 06:25.760
Finally we compile the program.

06:46.430 --> 06:51.090
Having a complete environment, we can start the test using the nmap program.

06:51.110 --> 06:52.820
We perform an example of scanning

07:00.160 --> 07:02.020
using the -O option.

07:02.080 --> 07:04.540
We can obtain the version of the operating system.

07:19.720 --> 07:24.140
As we can see in the answer, there are discrepancies in regard to the real version.

07:29.670 --> 07:35.610
The application that determines the system version performs a series of tests which it compares with the signatures

07:35.640 --> 07:36.590
it possesses.

07:36.690 --> 07:38.500
Let's take a closer look at them.

07:50.880 --> 08:05.300
As we can see, the signature in the example at first glance seems slightly illegible.

08:05.390 --> 08:56.470
The reader can find detailed descriptions on each field of the signature database in the handbook.

08:56.500 --> 09:00.130
Let's now test the function of the next program, Xprobe2.

09:04.770 --> 09:09.470
As we can see, the standard setup of the program didn't return 100 percent of the information.

09:12.590 --> 09:18.470
We can improve the results slightly by defining the open and closed ports of the server under investigation.

09:57.770 --> 10:00.760
This time the basic result is close to perfect.

10:00.770 --> 10:08.480
We obtained 97 percent probability. Each of the programs presented so far belongs to the active scanners.

10:08.480 --> 10:12.430
This means that to obtain the result it generates the data itself.

10:15.290 --> 10:20.890
Next we will have a closer look at the p0f program. In contrast to the previous programs,

10:20.900 --> 10:22.080
it is a passive scanner.

10:28.230 --> 10:32.910
For the program to bring results on the network, an exchange of packets has to take place.

10:33.030 --> 10:36.300
In our case it will generate traffic on an additional console.

10:40.570 --> 10:46.330
As we can see, the attempt to analyze the SYN packets didn't produce any results.

10:46.330 --> 11:45.080
Let's try to use the ACK and RST packets for our test.

11:45.130 --> 11:50.350
Finally, scanning with the use of the RST packets only brought near perfect results.

12:12.490 --> 12:18.680
All the program signatures are located in the files p0f.fp, p0fa.fp,

12:18.860 --> 12:24.510
p0fo.fp and p0fr.fp.

12:24.520 --> 12:26.310
Let's take a look at one of them.

12:46.200 --> 12:50.970
As we can see, the program database also contains records regarding nmap.

12:50.970 --> 13:20.000
In this way it is possible to intercept the scanning which we can demonstrate immediately.

13:20.160 --> 13:23.210
The p0f application is a universal tool.

13:23.250 --> 13:28.620
It can help us to identify the version of the operating system as well as to intercept a potential attack.
