There are a couple of ways to read a packet capture .cap file from the command line. I’ll show you how!

tcpdump

The tack r filename option for tcpdump will display a capture file onto the . . . → Read More: How to Read a Packet Capture .cap File from Command Line]]>

There are a couple of ways to read a packet capture .cap file from the command line. I’ll show you how!

tcpdump

The tack r filename option for tcpdump will display a capture file onto the screen. Pipe it to less to get something to scroll.

$ tcpdump -r mycapturefile.cap | less

$ tcpdump -r mycapturefile.cap | less
10:24:23.046221 IP 172.16.1.39.15256 > 172.16.1.41.http: Flags [S], seq 1183851371, win 8192, options [mss 1460], length 0
10:24:23.046720 IP 172.16.1.41.http > 172.16.1.39.15256: Flags [S.], seq 3014147598, ack 1183851372, win 5840, options [mss 1460], length 0
10:24:23.046758 IP 172.16.1.39.15256 > 172.16.1.41.http: Flags [R], seq 1183851372, win 0, length 0
10:24:23.062584 IP 172.16.1.39 > 172.16.1.41: ICMP echo request, id 45243, seq 45243, length 16
10:24:23.063028 IP 172.16.1.41 > 172.16.1.39: ICMP echo reply, id 45243, seq 45243, length 16
10:24:23.077375 IP 10.9.122.232.43482 > 192.168.1.16.domain: 58196+ PTR? 41.111.10.10.in-addr.arpa. (43)
10:24:23.078203 IP 192.168.1.16.domain > 10.9.122.232.43482: 58196* 1/9/9 PTR example.com. (491)
10:24:23.341400 IP 172.16.1.39.43482 > 172.16.1.41.solid-mux: UDP, length 1
10:24:23.341977 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port solid-mux unreachable, length 37
10:24:23.363537 IP 172.16.1.39.43482 > 172.16.1.41.1024: UDP, length 1
10:24:23.533573 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port 1024 unreachable, length 37
10:24:23.533591 IP 172.16.1.39.43482 > 172.16.1.41.12346: UDP, length 1
10:24:23.533600 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port 12346 unreachable, length 37
10:24:23.533610 IP 172.16.1.39.43482 > 172.16.1.41.sapv1: UDP, length 1
10:24:23.533619 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port sapv1 unreachable, length 37
10:24:23.533628 IP 172.16.1.39.43482 > 172.16.1.41.sitaradir: UDP, length 1
10:24:23.533637 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port sitaradir unreachable, length 37
10:24:23.534566 IP 172.16.1.39.43482 > 172.16.1.41.tcp-id-port: UDP, length 1
10:24:23.535087 IP 172.16.1.41 > 172.16.1.39: ICMP 172.16.1.41 udp port tcp-id-port unreachable, length 37
10:24:23.560403 IP 172.16.1.39.43482 > 172.16.1.41.net-assistant: UDP, length 2
10:24:23.689303 IP 172.16.1.39.35243 > 172.16.1.41.https: Flags [.], ack 469674834, win 4096, length 0
10:24:23.689940 IP 172.16.1.41.https > 172.16.1.39.35243: Flags [R], seq 469674834, win 0, length 0
10:24:23.698834 IP 172.16.1.39.7710 > 172.16.1.41.tcpmux: UDP, length 0
10:24:23.698911 IP 172.16.1.39.7710 > 172.16.1.41.20096: UDP, length 0
10:24:23.698958 IP 172.16.1.39.7710 > 172.16.1.41.http: Flags [S], seq 505290270, win 1400, length 0
10:24:23.699016 IP 172.16.1.39 > 172.16.1.41: ICMP echo request, id 7710, seq 7710, length 20
10:24:23.699451 IP 172.16.1.41.http > 172.16.1.39.7710: Flags [S.], seq 3029656434, ack 505290271, win 5840, options [mss 1460], length 0
10:24:23.699484 IP 172.16.1.39.7710 > 172.16.1.41.http: Flags [R], seq 505290271, win 0, length 0
:

tshark, the command line utility that comes with Wireshark also uses tack r filename to open a .cap file.

$ tshark -r mycapturefile.cap | less

$ tshark -r mycapturefile.cap | less
  1   0.000000 172.16.1.39 -> 172.16.1.41 TCP 58 15256 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1460
  2   0.000499 172.16.1.41 -> 172.16.1.39 TCP 60 http > 15256 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
  3   0.000537 172.16.1.39 -> 172.16.1.41 TCP 54 15256 > http [RST] Seq=1 Win=0 Len=0
  4   0.016363 172.16.1.39 -> 172.16.1.41 ICMP 50 Echo (ping) request  id=0xb0bb, seq=45243/48048, ttl=64
  5   0.016807 172.16.1.41 -> 172.16.1.39 ICMP 60 Echo (ping) reply    id=0xb0bb, seq=45243/48048, ttl=61
  6   0.031154 10.9.122.232 -> 192.168.1.16 DNS 85 Standard query PTR 41.111.10.10.in-addr.arpa
  7   0.031982 192.168.1.16 -> 10.9.122.232 DNS 533 Standard query response PTR example.com
  8   0.295179 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: solid-mux
  9   0.295756 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 10   0.317316 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: 1024
 11   0.487352 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 12   0.487370 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: 12346
 13   0.487379 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 14   0.487389 172.16.1.39 -> 172.16.1.41 SAP/SDP 43 Announcement (v0), with session description
 15   0.487398 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 16   0.487407 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: sitaradir
 17   0.487416 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 18   0.488345 172.16.1.39 -> 172.16.1.41 UDP 43 Source port: 43482  Destination port: tcp-id-port
 19   0.488866 172.16.1.41 -> 172.16.1.39 ICMP 71 Destination unreachable (Port unreachable)
 20   0.514182 172.16.1.39 -> 172.16.1.41 UDP 44 Source port: 43482  Destination port: net-assistant
 21   0.643082 172.16.1.39 -> 172.16.1.41 TCP 54 35243 > https [ACK] Seq=1 Ack=1 Win=4096 Len=0
 22   0.643719 172.16.1.41 -> 172.16.1.39 TCP 60 https > 35243 [RST] Seq=1 Win=0 Len=0
 23   0.652613 172.16.1.39 -> 172.16.1.41 UDP 42 Source port: 7710  Destination port: tcpmux
 24   0.652690 172.16.1.39 -> 172.16.1.41 UDP 42 Source port: 7710  Destination port: 20096
 25   0.652737 172.16.1.39 -> 172.16.1.41 TCP 54 7710 > http [SYN] Seq=0 Win=1400 Len=0
 26   0.652795 172.16.1.39 -> 172.16.1.41 ICMP 54 Echo (ping) request  id=0x1e1e, seq=7710/7710, ttl=30
 27   0.653230 172.16.1.41 -> 172.16.1.39 TCP 60 http > 7710 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
 28   0.653263 172.16.1.39 -> 172.16.1.41 TCP 54 7710 > http [RST] Seq=1 Win=0 Len=0
 29   0.653272 172.16.1.41 -> 172.16.1.39 ICMP 60 Echo (ping) reply    id=0x1e1e, seq=7710/7710, ttl=61
 30   0.654492 172.16.1.39 -> 172.16.1.41 TCP 58 4564 > ftp-data [SYN] Seq=0 Win=4096 Len=0 MSS=1460
:

Cool!

To ignore any ssl certificate warnings with curl, use the tack k option.

If you get this message attempting to ssh in or su’ing as another user, there is no valid shell set for this user.

You can quickly inspect this by looking at . . . → Read More: This account is currently not available]]>

This account is currently not available

If you get this message attempting to ssh in or su’ing as another user, there is no valid shell set for this user.

You can quickly inspect this by looking at the /etc/passwd file.

Check for an entry that has something like ‘/bin/false’ or ‘/bin/nologin’ for the shell:

userdude:x:111:113::/home/userdude:/bin/false

or

userdude:x:111:113::/home/userdude:/bin/nologin

or

userdude:x:111:113::/home/userdude:/usr/sbin/nologin

How to fix

To fix this, give the user a valid shell like bash (/bin/bash)

The command chsh can be used to change a shell for a user. This changes the shell to bash:

$ sudo chsh -s /bin/bash username

To see a list of available shells on your machine, check out the file /etc/shells:

$ cat /etc/shells
# /etc/shells: valid login shells
/bin/csh
/bin/sh
/usr/bin/es
/usr/bin/ksh
/bin/ksh
/usr/bin/rc
/usr/bin/tcsh
/bin/tcsh
/usr/bin/esh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/screen
/bin/zsh
/usr/bin/zsh

Cool!

Q. How can I access my computer or family’s computer remotely without having to open up ports in the firewall? A. Using a [free] third party app is the solution

Here are a few free* solutions to . . . → Read More: Remote Access Without Opening Ports]]>

Q. How can I access my computer or family’s computer remotely without having to open up ports in the firewall?


A. Using a [free] third party app is the solution

Here are a few free* solutions to connect remotely and keep your home ip ‘stealth’. (*Free for non-commercial use.)

These work with Mac OS X, Windows, or Linux and likewise can remotely access any of those platforms. These work by having a ‘middle man’ central third-party server that the two clients talk to as an intermediary. No port forwarding is required from either connecting party.

TeamViewer

TeamViewer is more widely known as a technical support remote access app, though it can be used to access your own home or family’s PC as well. TeamViewer has great iOS and Android versions as well. I recommend TeamViewer for something easy to just install, run, and connect. You can create an account to easily manage multiple remote computers as well.

http://www.teamviewer.com/en/download/index.aspx

Hamachi

Hamachi is a long time favorite in the Linux world, and in fact many interfaces have been written to take further advantage of Hamachi in Linux. Hamachi has an arm Linux version as well. If you are primarily a Linux user, or want something like ssh through a VPN, you should use Hamachi.

https://secure.logmein.com/products/hamachi/download.aspx

https://secure.logmein.com/labs/

Here is Hamachi after a default install. You must first create your own mini-’network’.

Remobo

Remobo is another easy to use remote access app, though the free version is more limited that other above choices. Remobo offers a ‘pro’ version with more features that a geek may need.

http://www.remobo.com/download

Sweet!

A common question I hear is ‘Why are there so many different versions of Linux?‘ Especially when there is simply ‘Windows’, or ‘OS X’, it seems logical that there could be a single ‘Linux’, but for various . . . → Read More: Which Linux to Use]]>

A common question I hear is ‘Why are there so many different versions of Linux?‘ Especially when there is simply ‘Windows’, or ‘OS X’, it seems logical that there could be a single ‘Linux’, but for various reasons that is not the case.

Linux is a multi-purpose operating system used for everything from powering Android phones, Linksys routers, Amazon Kindles, to running large corporation server infrastructures, to simply a nice desktop operating system.

Because of these varied purposes, there are many, many different versions of Linux. There are also many different versions because Linux is free to use and modify by anyone. Different versions of Linux packaged together for use are called distributions, or distros for short.

Major differences in Linux distributions to note are:

- Release cycle / Support cycle (When are new versions released? How long is a release supported with security updates?)

- Packages available (How many software choices and also what kinds of software is available?)

- Corporate Support ($$$) or Community Support (aka on-your-own) models (Linux is free, but companies offer paid support if needed.)

Corporations / Academic / Research / Mission Critical

If you are looking for Linux to run for your company’s mission critical servers, these are versions you should consider.

The following versions have tested, stable versions of software which is typically behind the bleeding edge so to be more stable and reliable. These versions of Linux are generally tested and developed for two years or more before being released. Linux server versions are generally run ‘headless’ with no graphical interface, though it is possible to install and use a graphical environment with these versions as well. Support cycles are often 5-10 years. Note that ‘enterprise’ is only a buzz word and does not have any official meaning in the Linux world other than a marketing term.

If your boss or C-level exec asked for recommendations on ‘Linux’ for your company servers, these are versions you should consider. Or if you are looking to deploy Linux desktops for a company, these versions are a good choice due to the long support cycle and stability of software.

If you “need” Red Hat, your company must use Red Hat. If you want Red Hat without the subscription or support, use CentOS which is Red Hat without the subscription or logos (free).

I recommend Ubuntu Server LTS because of the ease of administration, large number of packages, and long support cycle. Ubuntu offers paid support if that makes the boss or decision makers happy as well.

Desktop Linux / Non-Mission Critical / General Use

There are a ton of varied Linux distributions for desktop use. These versions generally have more bleeding edge and current software but also a shorter support cycles of security updates. It is common to have a ~6 month release cycle for desktop releases. If you want to try out Linux on your desktop, use one of these versions though keep in mind you will be frequently updating to the newer release.

Below are the more common distros for desktop use:

If you are new to Linux and want to try Linux on your desktop for the first time, use Linux Mint. If you are old to Linux, I also suggest Linux Mint!

More advanced versions which are popular:

Gentoo

Arch Linux

Slackware

Linux Mint Debian Edition

Cool!

Killing zombie processes in Linux or Unix cannot be done, as they are already dead. :) Often the only solution is to restart your machine. However, it is sometimes possible to kill or restart the parent process . . . → Read More: How to Kill Zombie Processes]]>

Killing zombie processes in Linux or Unix cannot be done, as they are already dead. :) Often the only solution is to restart your machine. However, it is sometimes possible to kill or restart the parent process which will then often clear out zombie child processes.

To show parent/child process hierarchy, use the following command:

$ ps auxwwf

You will see output similar to the following. If any child process show up as zombies, you can either kill or restart the parent process. ($ sudo kill -9 PID) Otherwise, your only option may be a reboot.

Cool!

Ubuntu Server 12.04 will be released on 26 April 2012. Ubuntu 12.04 is supported with security updates until 2017 which makes Ubuntu LTS an attractive choice for use as a server. At the time of this blog . . . → Read More: What’s New in Ubuntu Server 12.04 LTS]]>

Ubuntu Server 12.04 will be released on 26 April 2012. Ubuntu 12.04 is supported with security updates until 2017 which makes Ubuntu LTS an attractive choice for use as a server.


At the time of this blog post, 12.04 is still in Alpha 1 so many changes are still occurring. However, I will give you the scottlinux quick peek to see what you can expect with this upcoming release!

http://cdimage.ubuntu.com/ubuntu-server/daily/current/

Packages

With the exception being the Linux kernel, Ubuntu pulls packages from Debian unstable.

Package version highlights for 12.04 server:

Linux kernel 3.2.0.7.7 (i386 server install defaults to PAE kernel)

apache2 (2.2.21-3ubuntu2)

mysql-server (5.5.17-4ubuntu6) MySQL database server

mysql-server-5.1 (5.1.58-1ubuntu3)

postgresql (9.1+128)

php5 (5.3.8.0-1ubuntu3)

postfix (2.8.5-2~build3)

exim4 (4.76-3ubuntu3)

clamav (0.97.3+dfsg-2ubuntu1)

roundcube (0.6+dfsg-1)

samba4 (4.0.0~alpha17.dfsg2-1)

samba (2:3.6.1-3ubuntu2)

bind9 (1:9.7.3.dfsg-1ubuntu5)

drupal6 (6.22-1ubuntu1)

drupal7 (7.9-1)

wordpress (3.3+dfsg-1)

tomcat6 (6.0.35-1)

tomcat7 (7.0.23-1)

openvpn (2.2.1-3ubuntu1)

gcc (4:4.6.2-2ubuntu1)

perl (5.14.2-6ubuntu1)

python (2.7.2-9ubuntu2) default

python3.2 (3.2.2-2ubuntu3)

ruby (4.8) Transitional package for ruby1.8 (why so old)

openssl (1.0.0e-2ubuntu4)

openssh-server (1:5.9p1-2ubuntu1)

iptables (1.4.12-1ubuntu4)

mod-security-common (2.5.12-1)

zsh (4.3.11-4ubuntu2.is.3ubuntu2)

vim (2:7.3.346-1ubuntu1)

Default Open Port Configuration

Ubuntu (both server and desktop) has a no open ports policy by default.

Optionally, during the server install you can manually choose which services you want installed. Note that installing these will then enable those services running by default.

Ex. if you choose to install OpenSSH during the install, port 22 will be open for ssh on the first reboot:

$ nc 10.112.12.40 22
SSH-2.0-OpenSSH_5.9p1 Debian-2ubuntu1

Networking

Significant networking changes are in Ubuntu 12.04, especially for more complex situations.

The best resource is this blog post which outlines some of the features:

http://www.stgraber.org/2012/01/04/networking-in-ubuntu-12-04-lts/

Also good to note is that IPv6 is enabled by default in a large part to be forward-thinking for the next five years of this release.

File system

The default file system for Ubuntu 12.04 is Ext4.

(Read about file system changes in Linux 3.2 here.)

Available file systems from the partitioner include:

Ext4
Ext3
ReiserFS
btrfs
JFS
XFS
FAT16
FAT32

So Yay or meh?


Ubuntu Server 12.04 is definitely a yay. The updated 3.2 Linux kernel with improved file system and virtualization support as well as a substantial jump in package versions for the server make this one a go. MySQL 5.5 has some welcomed new features as well the fancy new Samba4 if you use Ubuntu as a file server.

Ubuntu 12.04 is of course still alpha at this point so it is not for production. Also there is no rush to get off of existing 10.04 deployments as 10.04 is supported until April 2015. However if you are looking to upgrade to the newer packages or looking to make new Ubuntu server deployments in the near future, it is well worth it to test ahead with 12.04 which looks to be a solid release.

ssh has a built in debug mode from the client side to provide information in troubleshooting a connection. This will provide information such as mismatch in client/server configuration options, key conflicts, permission problems, and various other useful . . . → Read More: Troubleshoot ssh Authentication Failure]]>

ssh has a built in debug mode from the client side to provide information in troubleshooting a connection. This will provide information such as mismatch in client/server configuration options, key conflicts, permission problems, and various other useful tidbits.

To connect in debug mode, simply add -vvv to the end. You can use up to three tack v’s for the most debugging.

$ ssh user@host -vvv

Key based auth looks like this:

$ ssh stmiller@10.112.12.34 -vvv
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.112.12.34 [10.112.12.34] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /Users/smiller/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/smiller/.ssh/id_rsa type 1
debug1: identity file /Users/smiller/.ssh/id_rsa-cert type -1
debug1: identity file /Users/smiller/.ssh/id_dsa type -1
debug1: identity file /Users/smiller/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 503/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host 10.112.12.34 filename /Users/smiller/.ssh/known_hosts
debug3: check_host_in_hostfile: host 10.112.12.34 filename /Users/smiller/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 10
debug1: Host '10.112.12.34' is known and matches the RSA host key.
debug1: Found key in /Users/smiller/.ssh/known_hosts:10
debug2: bits set: 516/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/smiller/.ssh/id_rsa (0xxxxxxxxxxxxxxx)
debug2: key: /Users/smiller/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/smiller/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug3: sign_and_send_pubkey: RSA xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 10.112.12.34 ([10.112.12.34]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_MONETARY = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env TERM_PROGRAM
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env TMPDIR
debug3: Ignored env Apple_PubSub_Socket_Render
debug1: Sending env LC_NUMERIC = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env USER
debug3: Ignored env COMMAND_MODE
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug3: Ignored env PATH
debug1: Sending env LC_MESSAGES = en_US.utf-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_COLLATE = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug1: Sending env LC_CTYPE = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env DISPLAY
debug1: Sending env LC_TIME = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Wed Jan  4 06:14:35 2012 from 10.112.12.42
[stmiller@centos ~]$

Password based auth looks like this:

$ ssh stmiller@10.112.12.34 -vvv
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.112.12.34 [10.112.12.34] port 22.
debug1: Connection established.
debug3: Not a RSA1 key file /Users/smiller/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /Users/smiller/.ssh/id_rsa type 1
debug1: identity file /Users/smiller/.ssh/id_rsa-cert type -1
debug1: identity file /Users/smiller/.ssh/id_dsa type -1
debug1: identity file /Users/smiller/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 498/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: host 10.112.12.34 filename /Users/smiller/.ssh/known_hosts
debug3: check_host_in_hostfile: host 10.112.12.34 filename /Users/smiller/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 10
debug1: Host '10.112.12.34' is known and matches the RSA host key.
debug1: Found key in /Users/smiller/.ssh/known_hosts:10
debug2: bits set: 518/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/smiller/.ssh/id_rsa (0xxxxxxxxxxxxxx)
debug2: key: /Users/smiller/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/smiller/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/smiller/.ssh/id_dsa
debug3: no such identity: /Users/smiller/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
stmiller@10.112.12.34's password:
debug3: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to 10.112.12.34 ([10.112.12.34]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LC_MONETARY = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env TERM_PROGRAM
debug3: Ignored env GPG_AGENT_INFO
debug3: Ignored env TERM
debug3: Ignored env SHELL
debug3: Ignored env TMPDIR
debug3: Ignored env Apple_PubSub_Socket_Render
debug1: Sending env LC_NUMERIC = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env USER
debug3: Ignored env COMMAND_MODE
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug3: Ignored env PATH
debug1: Sending env LC_MESSAGES = en_US.utf-8
debug2: channel 0: request env confirm 0
debug1: Sending env LC_COLLATE = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env SHLVL
debug3: Ignored env COLORFGBG
debug3: Ignored env HOME
debug3: Ignored env LOGNAME
debug1: Sending env LC_CTYPE = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env DISPLAY
debug1: Sending env LC_TIME = en_US.utf-8
debug2: channel 0: request env confirm 0
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Wed Jan  4 06:12:07 2012
[stmiller@centos ~]$

The following URL can be used to check a site for malware:

The diagnostic url works to check any site, replacing the domain at the end with the site you wish to check.

BlindElephant is a nifty python app that fingerprints web applications such as wordpress, drupal, mediawiki, phpbb, joomla, and many others to determine the version of the web application.

BlindElephant works via a new trendy technique of fetching . . . → Read More: BlindElephant – Web Application Fingerprinting]]>

BlindElephant is a nifty python app that fingerprints web applications such as wordpress, drupal, mediawiki, phpbb, joomla, and many others to determine the version of the web application.

BlindElephant works via a new trendy technique of fetching static elements of the web app such as .js, .css, and other core files then running a checksum to compare sizes of those files from released versions.

BlindElephant is available via SVN here:

http://blindelephant.sourceforge.net/

$ BlindElephant.py http://example.com drupal
Loaded /Library/Python/2.7/site-packages/blindelephant/dbs/drupal.pkl with 127 versions, 469 differentiating paths, and 376 version groups.
Starting BlindElephant fingerprint for version of drupal at http://example.com 

Hit http://example.com/CHANGELOG.txt
Possible versions based on result: 6.20

Hit http://example.com/INSTALL.txt
Possible versions based on result: 6.20

Hit http://example.com/misc/drupal.js
Possible versions based on result: 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Hit http://example.com/themes/garland/style.css
Possible versions based on result: 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Hit http://example.com/database/updates.inc
File produced no match. Error: Error code: 404 (Not Found) 

Hit http://example.com/MAINTAINERS.txt
Possible versions based on result: 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Hit http://example.com/database/database.pgsql
File produced no match. Error: Error code: 404 (Not Found) 

Hit http://example.com/misc/drupal.css
File produced no match. Error: Error code: 404 (Not Found) 

Hit http://example.com/misc/autocomplete.js
Possible versions based on result: 6.0, 6.0-rc2, 6.0-rc3, 6.0-rc4, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Hit http://example.com/themes/pushbutton/style.css
Possible versions based on result: 6.0, 6.0-rc2, 6.0-rc3, 6.0-rc4, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Hit http://example.com/UPGRADE.txt
Possible versions based on result: 6.17, 6.18, 6.19, 6.20

Hit http://example.com/database/database.mysql
File produced no match. Error: Error code: 404 (Not Found) 

Hit http://example.com/misc/textarea.js
Possible versions based on result: 6.0, 6.0-rc3, 6.0-rc4, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Hit http://example.com/misc/collapse.js
Possible versions based on result: 6.0, 6.0-rc3, 6.0-rc4, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Hit http://example.com/themes/bluemarine/style.css
Possible versions based on result: 6.0, 6.0-rc1, 6.0-rc2, 6.0-rc3, 6.0-rc4, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 6.10, 6.11, 6.12, 6.13, 6.14, 6.15, 6.16, 6.17, 6.18, 6.19, 6.20, 6.x-dev

Fingerprinting resulted in:
6.20

Best Guess: 6.20
$

Cool!

To empty / clear / delete the Postfix mail queue, simply issue this command:

The output will look similar to this:

netcat can be used to quickly grab a service banner, as well as trusty nmap. I’ll show you some tips!

Add tack v to get more verbosity.

The particular way an operating system or device sends and receives TCP packets provides a unique fingerprint. TCP header information such as the window size, TTL, overall SYN packet size, MSS, MTU and so forth can help . . . → Read More: TCP/OS Fingerprinting Tools – p0f and nmap]]>

The particular way an operating system or device sends and receives TCP packets provides a unique fingerprint. TCP header information such as the window size, TTL, overall SYN packet size, MSS, MTU and so forth can help identify the OS. This is known as OS fingerprinting. The best known passive TCP fingerprint tool is p0f, while an example of an active fingerprinter is nmap.

I’ll show you some quick tips on using p0f and also nmap!

Fingerprinting with p0f

Note: p0f has unfortunately been abandoned. So it can be used to passively collect fingerprinting information, but it does not have a current database of operating systems or devices to resolve and identify.

Edit! ( p0f is back. The new version is a complete re-write. Updated blog post to come shortly.)

For p0f to work, you must either contact the outside host with a normal action such as web browsing, or have the outside host contact you. Alternatively, p0f can read from a pcap file as well.


Because of the use of inspecting and capturing packets, p0f needs to be run with sudo.



Step 1: In one terminal, issue the following command to start p0f listening, and leave that command running:

$ sudo p0f -A
[sudo] password for user:
p0f - passive os fingerprinting utility, version 2.0.8
(C) M. Zalewski , W. Stearns 
p0f: listening (SYN+ACK) on 'eth0', 61 sigs (1 generic, cksum B253FA88), rule: 'all'.

Step 2: In another window, browse to a website as an example target.

Output looks like the following. Notice the ‘UNKNOWN’ results as this project has been unfortunately abandoned. You can however use the data provided as information gathered for TCP fingerprinting.

173.230.156.66:80 - UNKNOWN [S10:64:1:48:M1460,N,N,S:ZA:?:?]
  -> 98.126.63.202:3037 (link: ethernet/modem)
206.12.19.7:80 - UNKNOWN [5792:55:1:60:M1460,S,T,N,W7:ZAT:?:?] (up: 4395 hrs)
  -> 173.230.156.66:32928 (link: ethernet/modem)
128.31.0.51:80 - UNKNOWN [5792:52:1:60:M1460,S,T,N,W6:ZAT:?:?] (up: 1559 hrs)
  -> 173.230.156.66:58958 (link: ethernet/modem)
173.230.156.66:80 - UNKNOWN [14480:64:1:60:M1460,S,T,N,W4:ZAT:?:?] (up: 5906 hrs)
  -> 151.63.225.212:34013 (link: ethernet/modem)
173.230.156.66:80 - UNKNOWN [14480:64:1:60:M1460,S,T,N,W4:ZAT:?:?] (up: 5906 hrs)
  -> 151.63.225.212:34014 (link: ethernet/modem)
173.230.156.66:80 - UNKNOWN [14480:64:1:60:M1460,S,T,N,W4:ZAT:?:?] (up: 5906 hrs)
  -> 151.63.225.212:34015 (link: ethernet/modem)
173.230.156.66:80 - UNKNOWN [14480:64:1:60:M1460,S,T,N,W4:ZAT:?:?] (up: 5906 hrs)
  -> 151.63.225.212:34016 (link: ethernet/modem)
173.230.156.66:80 - UNKNOWN [14480:64:1:60:M1460,S,T,N,W4:ZAT:?:?] (up: 5906 hrs)
  -> 151.63.225.212:34017 (link: ethernet/modem)
173.230.156.66:80 - UNKNOWN [14480:64:1:60:M1460,S,T,N,W4:ZAT:?:?] (up: 5906 hrs)
  -> 151.63.225.212:34018 (link: ethernet/modem)

Fingerprinting with nmap

nmap has fingerprinting capabilities but note this is an active tool which can potentially be detected by the target host or IDS/IPS. While this can get more accurate results, packet-altering devices such as firewalls or other devices can be problematic for active fingerprinting with nmap. Often results will say ‘OS: Cisco IOS’ or similar, where the firewall or network device is responding on behalf of the host you are trying to target.

As such, using nmap for fingerprinting is perhaps best for internal network troubleshooting and auditing with no firewalls in between you and the target host.

To detect the operating system with nmap, use tack capital O. (Note: nmap likewise requires sudo to run properly.)

$ sudo nmap -O targethost

Here is an example for scottlinux.com which is running Ubuntu Linux (unfortunately a poor example it appears):

$ sudo nmap -O 173.230.156.66
Password:

Starting Nmap 5.51 ( http://nmap.org ) at 2011-12-22 08:03 EST
Nmap scan report for li166-66.members.linode.com (173.230.156.66)
Host is up (0.033s latency).
Not shown: 996 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: IBM OS/400 V5R2M0 (93%), Linux 2.6.18 (92%), Raritan Dominion KX II KVM switch (92%), Bay Networks BayStack 450 switch (software version 3.1.0.22) (90%), Bay Networks BayStack 450 switch (software version 4.2.0.16) (90%), Apple iPhone 4 mobile phone (iOS 4.1) (90%), ASUS RT-N11 EZ or D-Link DI-524 WAP (89%), Dell Remote Access Controller (DRAC 5) (89%), Yamaha RX-V3900 audio receiver (89%), Canon PIXMA MP620, MX860, or MX870 printer (88%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.45 seconds

If desired, use tack v3 to increase verbosity:

$ sudo nmap -O -v3 173.230.156.66

Starting Nmap 5.51 ( http://nmap.org ) at 2011-12-22 08:16 EST
Initiating Ping Scan at 08:16
Scanning 173.230.156.66 [4 ports]
Completed Ping Scan at 08:16, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:16
Completed Parallel DNS resolution of 1 host. at 08:16, 0.09s elapsed
DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 08:16
Scanning li166-66.members.linode.com (173.230.156.66) [1000 ports]
Discovered open port 80/tcp on 173.230.156.66
Discovered open port 22/tcp on 173.230.156.66
Discovered open port 25/tcp on 173.230.156.66
Discovered open port 443/tcp on 173.230.156.66
Completed SYN Stealth Scan at 08:16, 13.52s elapsed (1000 total ports)
Initiating OS detection (try #1) against li166-66.members.linode.com (173.230.156.66)
Retrying OS detection (try #2) against li166-66.members.linode.com (173.230.156.66)
Nmap scan report for li166-66.members.linode.com (173.230.156.66)
Host is up (0.042s latency).
Scanned at 2011-12-22 08:16:12 EST for 22s
Not shown: 996 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
443/tcp open  https
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: IBM OS/400 V5R2M0 (94%), Linux 2.6.18 (93%), Raritan Dominion KX II KVM switch (93%), Bay Networks BayStack 450 switch (software version 3.1.0.22) (92%), Bay Networks BayStack 450 switch (software version 4.2.0.16) (92%), Apple iPhone 4 mobile phone (iOS 4.1) (91%), ASUS RT-N11 EZ or D-Link DI-524 WAP (91%), Sagem My du@l radio 700 Internet radio (91%), Dell Remote Access Controller (DRAC 5) (91%), Yamaha RX-V3900 audio receiver (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=5.51%D=12/22%OT=22%CT=%CU=%PV=N%G=N%TM=4EF32DB2%P=x86_64-apple-darwin11.2.0)
SEQ(CI=RI)
ECN(R=N)
T1(R=N)
T1(R=Y%DF=N%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%TG=40%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=N%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T4(R=Y%DF=N%TG=40%W=0%S=A%A=S%F=R%O=%RD=0%Q=)
T6(R=Y%DF=N%TG=40%W=0%S=A%A=S%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=N)
IE(R=N)
IE(R=Y%DFI=N%TG=40%CD=S)

Read data files from: /opt/local/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.66 seconds
           Raw packets sent: 3118 (142.366KB) | Rcvd: 50 (2.862KB)

Or I like to use the following options [sudo nmap -O -sV -T4 -d target] which provides the exact TCP/IP Fingerprint output at the bottom:

$ sudo nmap -O -sV -T4 -d 173.230.156.66
[sudo] password for user: 

Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-22 05:38 PST
PORTS: Using top 1000 ports found open (TCP:1000, UDP:0, SCTP:0)
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 500, min 100, max 1250
  max-scan-delay: TCP 10, UDP 1000, SCTP 10
  parallelism: min 0, max 0
  max-retries: 6, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
NSE: Loaded 3 scripts for scanning.
mass_rdns: Using DNS server 74.207.242.5
mass_rdns: Using DNS server 74.207.241.5
Initiating SYN Stealth Scan at 05:38
Scanning li166-66.members.linode.com (173.230.156.66) [1000 ports]
Packet capture filter (device lo): dst host 173.230.156.66 and (icmp or ((tcp or udp or sctp) and (src host 173.230.156.66)))
Discovered open port 25/tcp on 173.230.156.66
Discovered open port 443/tcp on 173.230.156.66
Discovered open port 80/tcp on 173.230.156.66
Discovered open port 587/tcp on 173.230.156.66
Discovered open port 22/tcp on 173.230.156.66
Discovered open port 465/tcp on 173.230.156.66
Discovered open port 4242/tcp on 173.230.156.66
Completed SYN Stealth Scan at 05:38, 0.06s elapsed (1000 total ports)
Overall sending rates: 16963.24 packets / s, 746382.59 bytes / s.
Initiating Service scan at 05:38
Scanning 7 services on li166-66.members.linode.com (173.230.156.66)
Completed Service scan at 05:39, 44.57s elapsed (7 services on 1 host)
Packet capture filter (device lo): dst host 173.230.156.66 and (icmp or (tcp and (src host 173.230.156.66)))
Initiating OS detection (try #1) against li166-66.members.linode.com (173.230.156.66)
OS detection timingRatio() == (1324561142.611 - 1324561142.111) * 1000 / 500 == 1.000
Retrying OS detection (try #2) against li166-66.members.linode.com (173.230.156.66)
OS detection timingRatio() == (1324561144.862 - 1324561144.362) * 1000 / 500 == 1.000
Retrying OS detection (try #3) against li166-66.members.linode.com (173.230.156.66)
OS detection timingRatio() == (1324561147.119 - 1324561146.619) * 1000 / 500 == 1.002
Retrying OS detection (try #4) against li166-66.members.linode.com (173.230.156.66)
OS detection timingRatio() == (1324561150.851 - 1324561150.350) * 1000 / 500 == 1.000
Retrying OS detection (try #5) against li166-66.members.linode.com (173.230.156.66)
OS detection timingRatio() == (1324561153.087 - 1324561152.587) * 1000 / 500 == 1.002
Starting RPC scan against li166-66.members.linode.com (173.230.156.66)
NSE: Script scanning 173.230.156.66.
NSE: Starting runlevel 1 scan
Initiating NSE at 05:39
NSE: NSE Script Threads (1) running:
NSE: Starting skypev2-version against 173.230.156.66:4242.
NSE: Finished skypev2-version against 173.230.156.66:4242.
Completed NSE at 05:39, 0.01s elapsed
NSE: Script Scanning completed.
Host li166-66.members.linode.com (173.230.156.66) is up, received localhost-response (0.000048s latency).
Scanned at 2011-12-22 05:38:17 PST for 57s
Interesting ports on li166-66.members.linode.com (173.230.156.66):
Not shown: 993 closed ports
Reason: 993 resets
PORT     STATE SERVICE  REASON  VERSION
22/tcp   open  ssh      syn-ack OpenSSH 5.3p1 (protocol 2.0)
25/tcp   open  smtp     syn-ack Postfix smtpd
80/tcp   open  http     syn-ack Apache httpd
443/tcp  open  ssl/http syn-ack Apache httpd
465/tcp  open  ssl/smtp syn-ack Postfix smtpd
587/tcp  open  smtp     syn-ack Postfix smtpd
4242/tcp open  unknown  syn-ack
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port4242-TCP:V=5.00%I=7%D=12/22%Time=4EF332CF%P=i686-pc-linux-gnu%r(NUL
SF:L,124,"\x80c\0\0\x00622996\|com\.code42\.messaging\.security\.DHPublicK
SF:eyMessageY\xd4\0\0\0\xe20\x81\xdf0\x81\x97\x06\t\*\x86H\x86\xf7\r\x01\x
SF:03\x010\x81\x89\x02A\0\x91\xe9FAA\xd8G\xb6\xb5\x1fw#hmX\x12%\x90x\xda4\
SF:x9a5\x14EYk_KQ\xf5\x11s\\\xc8\x0b\xd5\xa6\x9e9EC\xc7\xeb\rM\x81\x12\xf8
SF:Th\x1c:\t\xba\xc1\xbe=\xaa\xec\xc0G\x17!\x02@Sf\xd0\x88\x91\"s\xafdY\x7
SF:f\xd5\^\x81\r%nB\x1e&_\x93\x82\xfc\xe3\xd9\x9fZ\x96<\xd0'T\x04\x13\xe5\
SF:$\xf5>\x7f\xbeud\xc2p\xae\x89U\xaa\xcf\x06ERm\xfa\xf6S\xd2\xf9\xaf\xe5\
SF:x02n\(\x02\x02\x01\xff\x03C\0\x02@\"\xc8\x81\x9c\x94&\x05i\xdf\x20\x89#
SF:w\xcd\xd0\[\xd7\xf0\xea\x1f`S\xd9B\xc6\x1d\r\xea\xad\)}\x02S\xd6ne\xa2\
SF:xd9\xe3\x88c\?aDk\xf3\xde\x17\x91\x11\xb7\\\x82'uvnA\xfa\xe5\xc2\xe2\xd
SF:8\xfe")%r(GenericLines,124,"\x80c\0\0\x00622996\|com\.code42\.messaging
SF:\.security\.DHPublicKeyMessageY\xd4\0\0\0\xe20\x81\xdf0\x81\x97\x06\t\*
SF:\x86H\x86\xf7\r\x01\x03\x010\x81\x89\x02A\0\x91\xe9FAA\xd8G\xb6\xb5\x1f
SF:w#hmX\x12%\x90x\xda4\x9a5\x14EYk_KQ\xf5\x11s\\\xc8\x0b\xd5\xa6\x9e9EC\x
SF:c7\xeb\rM\x81\x12\xf8Th\x1c:\t\xba\xc1\xbe=\xaa\xec\xc0G\x17!\x02@Sf\xd
SF:0\x88\x91\"s\xafdY\x7f\xd5\^\x81\r%nB\x1e&_\x93\x82\xfc\xe3\xd9\x9fZ\x9
SF:6<\xd0'T\x04\x13\xe5\$\xf5>\x7f\xbeud\xc2p\xae\x89U\xaa\xcf\x06ERm\xfa\
SF:xf6S\xd2\xf9\xaf\xe5\x02n\(\x02\x02\x01\xff\x03C\0\x02@\"\xc8\x81\x9c\x
SF:94&\x05i\xdf\x20\x89#w\xcd\xd0\[\xd7\xf0\xea\x1f`S\xd9B\xc6\x1d\r\xea\x
SF:ad\)}\x02S\xd6ne\xa2\xd9\xe3\x88c\?aDk\xf3\xde\x17\x91\x11\xb7\\\x82'uv
SF:nA\xfa\xe5\xc2\xe2\xd8\xfe")%r(GetRequest,125,"\x80c\0\0\x00622996\|com
SF:\.code42\.messaging\.security\.DHPublicKeyMessageY\xd4\0\0\0\xe30\x81\x
SF:e00\x81\x97\x06\t\*\x86H\x86\xf7\r\x01\x03\x010\x81\x89\x02A\0\x91\xe9F
SF:AA\xd8G\xb6\xb5\x1fw#hmX\x12%\x90x\xda4\x9a5\x14EYk_KQ\xf5\x11s\\\xc8\x
SF:0b\xd5\xa6\x9e9EC\xc7\xeb\rM\x81\x12\xf8Th\x1c:\t\xba\xc1\xbe=\xaa\xec\
SF:xc0G\x17!\x02@Sf\xd0\x88\x91\"s\xafdY\x7f\xd5\^\x81\r%nB\x1e&_\x93\x82\
SF:xfc\xe3\xd9\x9fZ\x96<\xd0'T\x04\x13\xe5\$\xf5>\x7f\xbeud\xc2p\xae\x89U\
SF:xaa\xcf\x06ERm\xfa\xf6S\xd2\xf9\xaf\xe5\x02n\(\x02\x02\x01\xff\x03D\0\x
SF:02A\0\x8d\|\xe6\x81\x9c`\xe7\x82\x86r\xf7\xb8\xa7\xb4\xc2L\xe1\xdc\xf0\
SF:xb5\xb4\t\x063B\xf7\xacG\xf5\xbe\xa1\$\xaa\xa7NRlh-\x02\x94\xdd\xb2<\xa
SF:a\xb26d\x0fO\xbey\xca\xbb\x96\xfc\xbd\xeb\x06E\xeb\xd1U`")%r(Help,124,"
SF:\x80c\0\0\x00622996\|com\.code42\.messaging\.security\.DHPublicKeyMessa
SF:geY\xd4\0\0\0\xe20\x81\xdf0\x81\x97\x06\t\*\x86H\x86\xf7\r\x01\x03\x010
SF:\x81\x89\x02A\0\x91\xe9FAA\xd8G\xb6\xb5\x1fw#hmX\x12%\x90x\xda4\x9a5\x1
SF:4EYk_KQ\xf5\x11s\\\xc8\x0b\xd5\xa6\x9e9EC\xc7\xeb\rM\x81\x12\xf8Th\x1c:
SF:\t\xba\xc1\xbe=\xaa\xec\xc0G\x17!\x02@Sf\xd0\x88\x91\"s\xafdY\x7f\xd5\^
SF:\x81\r%nB\x1e&_\x93\x82\xfc\xe3\xd9\x9fZ\x96<\xd0'T\x04\x13\xe5\$\xf5>\
SF:x7f\xbeud\xc2p\xae\x89U\xaa\xcf\x06ERm\xfa\xf6S\xd2\xf9\xaf\xe5\x02n\(\
SF:x02\x02\x01\xff\x03C\0\x02@WMP\?`\x12\x0bG;\xbc\xa3\xda\xfe5\xbcJVa\+N\
SF:x87UQ\xd9\*\x1b3}\x90\xb3ku\xa2\x94}\xa2\xda\xae\x960\r\x97\x83\x9d!1Ut
SF:\xbdZ\x85\x1cS\xf9\x8f\xe4\xa5\.\xde\xfe\xe2\xa1\xe4\xc3");
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=12/22%OT=22%CT=1%CU=39769%PV=N%DS=0%G=Y%TM=4EF33302%P=i686
OS:-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M400CS
OS:T11NW4%O2=M400CST11NW4%O3=M400CNNT11NW4%O4=M400CST11NW4%O5=M400CST11NW4%
OS:O6=M400CST11)WIN(W1=8000%W2=8000%W3=8000%W4=8000%W5=8000%W6=8000)ECN(R=Y
OS:%DF=Y%T=40%W=8018%O=M400CNNSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%R
OS:D=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=8000%S=O%A=S+%F=AS%O=M400CST11NW4%RD=0%
OS:Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%
OS:DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIP
OS:L=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 25.542 days (since Sat Nov 26 16:38:31 2011)
Network Distance: 0 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Final times for host: srtt: 48 rttvar: 3  to: 100000

Read from /usr/share/nmap: nmap-os-db nmap-rpc nmap-service-probes nmap-services.
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.09 seconds
           Raw packets sent: 1095 (51.990KB) | Rcvd: 2212 (98.808KB)

Note: You can submit OS fingerprints to the nmap database to contribute.



Also check out the nmap doc on OS detection which has more information. It’s always good to RTFM.

OS Detection with ping

And a good trick to know: a simple ping command can often help determine a target OS. Though if a firewall is responding on behalf of the host, results may vary and be skewed.

The TTL for Linux is typically 64 or 255.

The TTL for Windows is 128.

Linux host, see the ttl=64 results:

$ ping 192.168.1.215
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.041 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.029 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.049 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.040 ms
^C
--- localhost ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.029/0.043/0.056/0.009 ms

Windows host, see the ttl=128 results:

$ ping 10.112.12.30
PING 10.112.12.30 (10.112.12.30): 56 data bytes
64 bytes from 10.112.12.30: icmp_seq=0 ttl=128 time=0.622 ms
64 bytes from 10.112.12.30: icmp_seq=1 ttl=128 time=0.786 ms
64 bytes from 10.112.12.30: icmp_seq=2 ttl=128 time=0.704 ms
64 bytes from 10.112.12.30: icmp_seq=3 ttl=128 time=0.510 ms
64 bytes from 10.112.12.30: icmp_seq=4 ttl=128 time=0.913 ms
^C
--- 10.112.12.30 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.510/0.707/0.913/0.138 ms

Cool!