Hey Guys,
I’m a complete newbie, so sorry in advance if the answers seem too obvious, but I could use a hint in the right direction. Currently I am working on the NETWORK ENUMERATION WITH NMAP module, and I’m stuck literally on the first module.
The Question is: “Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.”
I tried several commands, for example:

```
sudo nmap 10.129.2.80 -p 10001 -O -D RND:5 --disable-arp-ping -Pn -e tun0
```

As the answer I got Linux, but if I type it into the answer field, I just get an error (I tried every port and also the -S option, but this also does not get me very far).
Thanks in advance to everyone taking the time to read and answer this.
My answer is Ubuntu.

```
sudo nmap ip -S -A
```

Under:

```
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
```
Most operating systems have a different time to live. Based on the previous result the TTL is 128:

```
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
```

ttl=128 is in most cases Windows.
Hi. My solution involved looking at the open ports of my target system. Then look at the --help info to see what you can add to the nmap command to scan for the OS.
Hi. I suggest you see the section Common Protocols of the Introduction to Networking module (which I think is Tier 0/free). I don’t know the rules exactly, but if you don’t have boxes to spare (even though it is a great module that you can even read from your phone), reply again and I will reply with the common TTL for the OS. Probably if you searched on Google you have seen the wrong OS for the TTL.
As the comment before me said, the past comment section has the method and answer, but I will still try to simplify.
But first, you could literally spam each commonly known OS and still get the answer right, without help.
The intended approach, though, I think, is using this hint:
We have already mentioned in the “Learning Process,” and at the beginning of this module, it is essential to pay attention to details. An ICMP echo request can help us determine if our target is alive and identify its system. More strategies about host discovery can be found at: Putting It All Together: Host Discovery Strategies | Nmap Network Scanning
You could reach the conclusion that something lies inside those requests. The SENT one is from your device, which we don’t need, because why would we care or look for the OS of our device; the other request, the RCVD one, comes from the target OS which we want to discover, therefore something in that request is the clue, and the TTL comes to mind for many reasons: one is that it is brought up in the link above; second, the networking module in the Information Security Fundamentals brought it up; thirdly, 128 is a super clean number, 2^7, not a random one, which begs the question whether it is some sort of default configuration or something, which it is indeed.
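To show how the TTL clue from the packet trace is read off mechanically, here is an added Python example (not from the module or from any poster in this thread): it parses the RCVD lines of an nmap --packet-trace, rounds the observed TTL up to the nearest common initial value, and reports the OS family that rule of thumb suggests together with the estimated hop count. The sample trace reuses the RCVD line quoted above plus constructed lines using documentation addresses (192.0.2.x, 198.51.100.5); the initial-TTL table is a heuristic, since NAT, tunnels and hardened hosts can change it.

```python
import re

# Constructed sample of nmap --packet-trace output. The first RCVD line is the
# one quoted in this thread; the others are made up with documentation addresses.
SAMPLE_TRACE = """\
SENT (0.0081s) ICMP [198.51.100.5 > 192.0.2.10 Echo request (type=8/code=0) id=1 seq=0] IP [ttl=64 id=1 iplen=28 ]
RCVD (0.0152s) ICMP [10.129.2.18 > 10.10.14.2 Echo reply (type=0/code=0) id=13607 seq=0] IP [ttl=128 id=40622 iplen=28 ]
RCVD (0.0201s) ICMP [192.0.2.10 > 198.51.100.5 Echo reply (type=0/code=0) id=1 seq=0] IP [ttl=61 id=0 iplen=28 ]
RCVD (0.0310s) ICMP [192.0.2.20 > 198.51.100.5 Echo reply (type=0/code=0) id=2 seq=0] IP [ttl=254 id=7 iplen=28 ]
"""

# Typical default initial TTLs per OS family. This is a heuristic used for
# asset inventory and passive fingerprinting, not a definitive identification.
INITIAL_TTLS = {
    64: "Linux/Unix (incl. BSD, macOS)",
    128: "Windows",
    255: "Network device / Solaris",
}

# Only RCVD lines carry the target's TTL; SENT lines carry our own stack's TTL.
RCVD_RE = re.compile(
    r"^RCVD .*?\[(?P<src>[\d.]+) > (?P<dst>[\d.]+) .*?ttl=(?P<ttl>\d+)"
)


def guess_initial_ttl(observed):
    """Round the observed TTL up to the nearest common initial TTL.

    Each router hop decrements the TTL by one, so the difference between the
    guessed initial value and the observed value estimates the hop count.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    return None, None  # TTL above 255 cannot occur in a valid IPv4 header


def fingerprint_replies(trace):
    """Map each replying source address to its TTL-based OS family guess."""
    results = {}
    for line in trace.splitlines():
        m = RCVD_RE.match(line)
        if not m:
            continue
        ttl = int(m.group("ttl"))
        initial, hops = guess_initial_ttl(ttl)
        results[m.group("src")] = {
            "ttl": ttl,
            "initial_ttl": initial,
            "hops": hops,
            "os_family": INITIAL_TTLS.get(initial, "unknown"),
        }
    return results


if __name__ == "__main__":
    for host, info in fingerprint_replies(SAMPLE_TRACE).items():
        print(f"{host}: ttl={info['ttl']} -> {info['os_family']} (~{info['hops']} hops)")
```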