Ofir Arkin’s Xprobe2 utility performs OS fingerprinting primarily by analyzing responses to ICMP probes. See the Sys-Security Group web site (http://www.sys-security.com) for further details, including white papers and presentations that describe the Xprobe2 fingerprinting technology and approach. Example 4-4 shows Xprobe2 being used to fingerprint a remote host.
Example 4-4. Operating system fingerprinting using Xprobe 2
Accessible TCP ports can be identified by port scanning target IP addresses. The following nine different types of TCP port scanning are used in the wild by both attackers and security consultants:
Standard scanning methods
    Vanilla connect() scanning
    Half-open SYN flag scanning

Stealth TCP scanning methods
    Inverse TCP flag scanning
    ACK flag probe scanning
    TCP fragmentation scanning

Third-party and spoofed TCP scanning methods
    FTP bounce scanning
    Proxy bounce scanning
    Sniffer-based spoofed scanning
    IP ID header scanning
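The scanning types above differ mainly in which TCP flags the scanner sends and whether it completes the three-way handshake, which is also what lets a defender tell them apart in traffic. The following script is an added example (not from the book, and not an Xprobe2 or Nmap component): it takes a list of constructed packet summaries, keeps per-source state on which ports were probed with bare SYN, bare ACK, or inverse-flag (FIN/NULL/Xmas) packets, and labels each scanner/target pair as a vanilla connect() scan, a half-open SYN scan, an ACK flag probe scan, or an inverse TCP flag scan. The `Packet` record, the sample addresses and the port threshold are all assumptions made for the example; fragmentation and the third-party methods are not covered, since they are not distinguishable from flag usage alone.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical packet summary used only by this example. `flags` is a string of
# TCP flag letters (S, A, F, R, P, U); the empty string represents a NULL packet.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

PORT_THRESHOLD = 8  # distinct ports one source must touch before we call it a scan (assumed)

def probe_kind(flags: str) -> str:
    """Map a TCP flag combination to the probe class it belongs to."""
    f = set(flags)
    if f == {"S"}:
        return "syn"            # connect() or half-open SYN scanning
    if f == {"A"}:
        return "ack"            # handshake completion or ACK flag probe
    if f <= {"F", "P", "U"}:
        return "inverse"        # NULL, FIN and Xmas (FIN+PSH+URG) probes
    if {"S", "A"} <= f:
        return "synack"         # target's reply on an open port
    if "R" in f:
        return "rst"
    return "other"

def detect_scans(packets, threshold=PORT_THRESHOLD):
    """Return {(scanner, target): label} for each pair that probed >= threshold ports."""
    syn_sent = defaultdict(set)       # ports that received a bare SYN from the scanner
    synack_seen = defaultdict(set)    # ports on which the target answered SYN/ACK
    ack_after_syn = defaultdict(set)  # ports where the scanner completed the handshake
    bare_ack = defaultdict(set)       # ports probed with ACK and no preceding SYN
    inverse = defaultdict(set)        # ports probed with FIN/NULL/Xmas packets
    for p in packets:
        kind = probe_kind(p.flags)
        key = (p.src, p.dst)
        if kind == "syn":
            syn_sent[key].add(p.dport)
        elif kind == "inverse":
            inverse[key].add(p.dport)
        elif kind == "ack":
            if p.dport in syn_sent[key]:
                ack_after_syn[key].add(p.dport)   # third step of a real handshake
            else:
                bare_ack[key].add(p.dport)        # ACK with no session: a probe
        elif kind == "synack":
            rkey = (p.dst, p.src)                 # reply: index by the scanner's view
            if p.sport in syn_sent[rkey]:
                synack_seen[rkey].add(p.sport)
    findings = {}
    for key in set(syn_sent) | set(inverse) | set(bare_ack):
        if len(inverse[key]) >= threshold:
            findings[key] = "inverse TCP flag scan (FIN/NULL/Xmas)"
        elif len(bare_ack[key]) >= threshold:
            findings[key] = "ACK flag probe scan"
        elif len(syn_sent[key]) >= threshold:
            opened = synack_seen[key]
            if not opened:
                findings[key] = "SYN scan, all ports closed (connect() vs half-open undetermined)"
            elif opened <= ack_after_syn[key]:
                findings[key] = "vanilla connect() scan"   # every open port was fully connected
            else:
                findings[key] = "half-open SYN scan"       # SYN/ACK received, never ACKed
    return findings

def build_sample():
    """Constructed traffic (not a real capture): four scanners and one normal client hitting 10.0.0.5."""
    target, open_ports, pkts = "10.0.0.5", (22, 25), []
    for port in range(20, 40):                      # half-open SYN scan from 10.0.0.1
        pkts.append(Packet("10.0.0.1", 40000 + port, target, port, "S"))
    for port in open_ports:
        pkts.append(Packet(target, port, "10.0.0.1", 40000 + port, "SA"))
        pkts.append(Packet("10.0.0.1", 40000 + port, target, port, "R"))
    for port in range(20, 40):                      # vanilla connect() scan from 10.0.0.2
        pkts.append(Packet("10.0.0.2", 41000 + port, target, port, "S"))
    for port in open_ports:
        pkts.append(Packet(target, port, "10.0.0.2", 41000 + port, "SA"))
        pkts.append(Packet("10.0.0.2", 41000 + port, target, port, "A"))
        pkts.append(Packet("10.0.0.2", 41000 + port, target, port, "RA"))
    for port in range(20, 40):                      # Xmas and NULL probes from 10.0.0.3
        pkts.append(Packet("10.0.0.3", 42000 + port, target, port, "FPU" if port % 2 else ""))
    for port in range(20, 40):                      # ACK flag probes from 10.0.0.4
        pkts.append(Packet("10.0.0.4", 43000 + port, target, port, "A"))
    pkts.append(Packet("10.0.0.9", 50000, target, 22, "S"))   # ordinary SSH client
    pkts.append(Packet(target, 22, "10.0.0.9", 50000, "SA"))
    pkts.append(Packet("10.0.0.9", 50000, target, 22, "A"))
    return pkts

if __name__ == "__main__":
    for (scanner, tgt), label in sorted(detect_scans(build_sample()).items()):
        print(f"{scanner} -> {tgt}: {label}")
```

The connect()/half-open distinction relies on seeing the target's SYN/ACK replies, so the detector needs both directions of traffic; on a capture of only inbound packets it can still count SYN probes but will report the scan type as undetermined.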
What follows is a technical breakdown for each TCP port scanning type, along with details of Windows- and Unix-based tools that can perform scanning.