OS Discovery and Countermeasures


Banner Grabbing or OS fingerprinting is a method to determine the OS running on a remote target system. An attacker uses banner grabbing to identify the OS used on the target host and thus determine the system vulnerabilities and exploits that might work on that system to carry out further attacks. 


Active Banner Grabbing

The idea behind Active Banner Grabbing is that each operating system's IP stack responds differently to TCP packets that are specifically designed for it. This occurs as a result of the different interpretations used by vendors when putting the TCP/IP stack into practice on a certain operating system. 


Active banner grabbing involves the attacker sending the remote host a range of altered packets, and then comparing the responses with a database. Different Os respond differently due to variations in how the TCP/IP stack is implemented.

 

Passive Banner Grabbing

Passive banner grabbing is dependent on the OS's response to the packet, just like active banner grabbing. Instead of scanning to look for obvious signs that can reveal an OS, passive fingerprinting uses sniffing to collect packets from the target host. Passive banner grabbing includes Error Messages that provide information, such as the type of server, type of OS, and SSL tools used or looking for an Extension in the URL may help in determining the application version. For example, .aspx means IIS server and Windows Platform. 

The four areas that typically determine the OS are:
  • TTL (time to live): What does the OS set the TTL on the outbound packet?
  • Window Size: What is the Window size set by the OS?
  • Whether the DF (Don't Fragment) bit is set: Does the OS set the DF bit?
  • TOS (type of service): Does the OS set the TOS, and if so, what settings is it?

Using the information obtained from the packet, specifically the TTL and the window size, one can compare the results with the database of signatures and determine the OS with some degree of confidence. 

Countermeasures

Disabling or Changing the Banner

  • Deploy fake banners to trick or mislead adversaries.
  • You can modify or disable banner information using the ServerMask tools.
  • Turn off unnecessary services on the network host to limit the disclosure of information.
  • Apache 2.x with mod_headers module - use a directive in httpd.conf file to change banner information Header set Server "New Server Name".
  • Alternatively, change the ServerSignature line to ServerSignature Off in httpd.conf file.

Hiding File Extensions from Web Pages

  • File extensions reveal information about the underlying server technology that an attacker can utilize to launch attacks. 
  • You can hide web technologies by hiding file extensions.
  • IIS users manage the file extensions with programs like PageXchanger.
  • Change application mappings such as .asp with .htm or .foo, etc. to disguise the identity of servers.
  • Apache users can use mod_negotiation directives. 
  • It is better if the file extensions are not used at all. 

You might be interested in, 

We hope this helps. If you have any suggestions or doubts you can add a comment and we will reply as soon as possible.

No comments:

Post a Comment