Passive (and not only) fingerprinting
In this article I present the second part of port scanning. Today I will write about passive fingerprinting, and not only that. Nmap does not allow for a closer examination of a remote application. Of course, you can get information about running services, their versions and the operating system; generally the greatest level of detail is achieved with the "-sV" option. Naturally, we forbid our own Apache from giving such a comprehensive "presentation" of itself on the network; how to do that is described on the Apache website (link).

However, besides Nmap there are more specialized applications, used for example to scan Web servers. One of them is httprint, though this tool is not available in the Debian repository. Httprint has its own database of fingerprints (signatures), thanks to which it is able to identify the type of Web server from a very careful analysis of the HTTP protocol itself. It cannot be fooled simply by substituting, faking or removing the banner. Httprint is run as follows: ./httprint -h host:80 -s singn.txt -P0.
The "-P0" option tells httprint not to ping the host. Please also note that httprint requires an IP address, not a domain name! The "-s" option points to the file with the collection of signatures (fingerprints); by default it is in the directory from which the program is started.

Another interesting application for fingerprinting a Web server is nikto. This program is available in the Debian repository. Once started it performs several types of tests, which can find errors in CGI and PHP scripts. It is a very interesting and useful tool. Additionally, nikto offers "bypassing" of intrusion detection systems: it encodes URLs or splits a request into parts across sessions. Basically, nikto is run as: nikto -h localhost. If you would like to encode URLs randomly, use the "-e 1" option. If the program is to fragment the session and change the case of the URL (to confuse an IDS, even one such as Snort), add the "-e 789" argument. It is also possible to state the port explicitly (if the server listens on something other than the default) and to give the paths to directories of interest.

All these applications generate heavy traffic and work quite invasively. If we scan our own server with nmap, we will notice in the logs a large number of additional connections on various ports. However, there are also methods of passive fingerprinting. Using these techniques we do not send the remote system any packets at all; we only analyze what comes to us, what we can overhear without sending anything beyond the router. Of course, you can also "provoke" the remote machine into sending some innocent TCP/IP packets. When the scanner analyzes the content and structure of these packets, it can learn a lot about their source. One of the best applications for passive fingerprinting is p0f. This application has such an extensive database of signatures that it can even identify network-connected video game consoles. As you can see, the possibilities for "recognizing" a remote system and its applications are many.
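To make the passive approach concrete, here is an added example (not from this article and not p0f's code) of what such a tool does with a single TCP SYN it has overheard: it reads the TTL, the "don't fragment" bit, the advertised window and the TCP option layout straight from the raw IPv4/TCP headers and compares them against a signature table. The signature table, the sample packets and the assumed hop counts are constructed for illustration and are not p0f's real database.

```python
"""p0f-style passive fingerprinting of a TCP SYN (added example, not p0f's code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IP_PROTO_TCP = 6
IP_DF = 0x4000                       # "don't fragment" bit in the IP flags/fragment field
TCP_SYN, TCP_ACK = 0x02, 0x10
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}

# Constructed signature table: assumed values for illustration, not p0f's real database.
SIGNATURES = [
    {"label": "Linux-like (assumed)", "ittl": 64, "df": True, "win": 29200,
     "opts": ("mss", "sackOK", "ts", "nop", "wscale")},
    {"label": "Windows-like (assumed)", "ittl": 128, "df": True, "win": 8192,
     "opts": ("mss", "nop", "wscale", "nop", "nop", "sackOK")},
]


@dataclass
class SynFingerprint:
    ttl: int                  # TTL as seen on the wire (already decremented by routers)
    initial_ttl: int          # nearest common starting TTL: 32, 64, 128 or 255
    df: bool                  # IP "don't fragment" bit set?
    window: int               # advertised TCP receive window
    mss: Optional[int]
    wscale: Optional[int]
    options: Tuple[str, ...]  # TCP option layout in wire order


def guess_initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for start in (32, 64, 128, 255):
        if ttl <= start:
            return start
    return 255


def parse_tcp_options(raw: bytes):
    """Walk the TCP option list; return (layout, mss, wscale)."""
    names, mss, wscale, i = [], None, None, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            names.append("eol")
            break
        if kind == 1:                       # NOP padding
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        data = raw[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            wscale = data[0]
        names.append(OPTION_NAMES.get(kind, "opt%d" % kind))
        i += length
    return tuple(names), mss, wscale


def fingerprint_syn(packet: bytes) -> Optional[SynFingerprint]:
    """Extract fingerprint fields from a raw IPv4/TCP packet (no link layer).
    Returns None for anything that is not a pure SYN, the packet p0f keys on."""
    if len(packet) < 20:
        raise ValueError("short IP header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != IP_PROTO_TCP:
        return None
    tcp = packet[(ver_ihl & 0x0F) * 4:total_len]
    if len(tcp) < 20:
        raise ValueError("short TCP header")
    _sport, _dport, _seq, _ack, off_flags, window, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", tcp[:20])
    if (off_flags & (TCP_SYN | TCP_ACK)) != TCP_SYN:
        return None
    layout, mss, wscale = parse_tcp_options(tcp[20:(off_flags >> 12) * 4])
    return SynFingerprint(ttl, guess_initial_ttl(ttl), bool(flags_frag & IP_DF),
                          window, mss, wscale, layout)


def match_signature(fp: SynFingerprint, signatures=SIGNATURES):
    """Labels of every signature whose fields equal the observed fingerprint."""
    return [s["label"] for s in signatures
            if (s["ittl"], s["df"], s["win"], s["opts"])
            == (fp.initial_ttl, fp.df, fp.window, fp.options)]


def build_syn(ttl, df, window, options, src="10.0.0.5", dst="10.0.0.1"):
    """Constructed IPv4/TCP SYN for offline testing; checksums stay zero, nothing is sent."""
    options += b"\x00" * (-len(options) % 4)       # pad option list to a 32-bit boundary
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      ((tcp_len // 4) << 12) | TCP_SYN, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, IP_DF if df else 0,
                     ttl, IP_PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed samples, as if overheard after 12 and 5 router hops respectively (assumed).
LINUX_SYN = build_syn(52, True, 29200, b"\x02\x04\x05\xb4" + b"\x04\x02"
                      + b"\x08\x0a" + b"\x00" * 8 + b"\x01" + b"\x03\x03\x07")
WINDOWS_SYN = build_syn(123, True, 8192, b"\x02\x04\x05\xb4" + b"\x01"
                        + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02")
UNKNOWN_SYN = build_syn(240, False, 16384, b"\x02\x04\x05\xb4")  # matches nothing

if __name__ == "__main__":
    for name, pkt in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("unknown", UNKNOWN_SYN)):
        fp = fingerprint_syn(pkt)
        print(name, fp, "->", match_signature(fp) or ["no match"])
```

Run as-is it classifies the three constructed samples; the third one deliberately matches nothing, which is the normal case for a host the table does not know. In real use the packets would come from a capture on the defender's own network and the table would be a maintained signature set, which is why a current signature database matters as much as the tool itself.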
It should also be kept firmly in mind that up-to-date signature databases and the fingerprinting tools themselves are the key to success.