Lab 3 - OS Discovery

Module 03 - Scanning Networks
Perform OS Discovery
Banner grabbing, or OS fingerprinting, is used to determine the OS running on a remote target
system.
Lab Scenario
As a professional ethical hacker or a pen tester, the next step after discovering the open ports
and services running on the target range of IP addresses is to perform OS discovery. Identifying
the OS used on the target system allows you to assess the system’s vulnerabilities and the
exploits that might work on the system to perform additional attacks.
Lab Objectives
= Identify the target system’s OS with Time-to-Live (TTL) and TCP window sizes using
Wireshark
= Perform OS discovery using Nmap Script Engine (NSE)
= Perform OS discovery using Unicornscan
Lab Environment
To carry out this lab, you need:
= Windows 11 virtual machine

= Windows Server 2022 virtual machine
= Parrot Security virtual machine
= Ubuntu virtual machine
= Web browsers with an Internet connection
= Administrator privileges to run the tools
Lab Duration
Time: 15 Minutes
CEH Lab Manual Page 268 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Overview of OS Discovery/ Banner Grabbing

Banner grabbing, or OS fingerprinting, is a method used to determine the OS that is running on
a remote target system.
There are two types of OS discovery or banner grabbing techniques:
= Active Banner Grabbing: Specially crafted packets are sent to the remote OS, and the
responses are noted, which are then compared with a database to determine the OS.
Responses from different OSes vary, because of differences in the TCP/IP stack
implementation.
= Passive Banner Grabbing: This depends on the differential implementation of the stack
and the various ways an OS responds to packets. Passive banner grabbing includes
banner grabbing from error messages, sniffing the network traffic, and banner grabbing
from page extensions.
Parameters such as TTL and TCP window size in the IP header of the first packet in a TCP session
plays an important role in identifying the OS running on the target machine. The TTL field
determines the maximum time a packet can remain in a network, and the TCP window size
determines the length of the packet reported. These values differ for different OSes: you can
refer to the following table to learn the TTL values and TCP window size associated with various
OSes.
Operating System Time To Live TCP Window Size
Linux 64 5840
FreeBSD 64 65535
OpenBSD 255 16384
Windows 128 65,535 bytes to 1 Gigabyte
Cisco Routers 255 4128
Solaris 255 8760
AIX 255 16384
Lab Tasks
Task 1: Identify the Target System’s OS with Time-to-Live (TTL) and
TCP Window Sizes using Wireshark
Wireshark is a network protocol analyzer that allows capturing and interactively browsing the
traffic running on a computer network. It is used to identify the target OS through
sniffing/capturing the response generated from the target machine to the request-originated
machine. Further, you can observe the TTL and TCP window size fields in the captured TCP
packet. Using these values, the target OS can be determined.
Here, we will use the Wireshark tool to perform OS discovery on the target host(s).
1. Turn on the Windows 11, Windows Server 2022 and Ubuntu virtual machines.
2. Switch to the Windows 11 virtual machine. By default, Admin user profile is selected,
type Pa$$wOrd in the Password field and press Enter to login.
Note: If Welcome to Windows wizard appears, click Continue and in Sign in with
Microsoft wizard, click Cancel.
Note: Networks screen appears, click Yes to allow your PC to be discoverable by other
PCs and devices on the network.
3. Click Search icon [2], on the Desktop. Type wireshark in the search field, the
Wireshark appears in the results, click Open to launch it.
2D wireshark
All Apps Documents Web More
Best match
la Wireshark
y |
Apps Wireshark
App
A Wireshark-win6
4-3.6.3.exe
Search the web loge
Fe) Wireshark - See web results Run as administrator
Open fle location
p Wireshark
Pin to Start
OD wireshark download Pin to taskbar
Fe) wireshark oui Uninstall
Fe) wireshark tutorial
p wireshark filters
chat
EEE eee
mOr@oses
CEH Lab Manual Page 270 Ethical Hacking and Countermeasures Copyright © by EC-Council
4. The Wireshark Network Analyzer main window appears; double-click the available
ethernet or interface (here, Ethernet) to start the packet capture, as shown in the
screenshot.
Note: If Software Update window appears, click Remind me later.
[Wi Whe Wereshard Network Analyzer o a |
File Edit View Go Capture Analyze Statistics Telephony Wir
4 ou x a =
f i -)+
Welcome
to Wireshark
pes Gk =] Alinterfaes shown ™

l Ethemet
Adapter for loopback traffic capture A
User's Guide ~ Wiki ~ Questions and Answers Maing Lists

You are ring Wireshark 3.6.3 (/3:6.30-964348e4611e2, You recive automatic undoes
Ready toledo captre NoPadets Profle: Def
L gon m@ouwegaa Si % sass @ |
5. Open the Command Prompt, type ping 10.10.1.22 and press Enter.
Note: 10.10.1.22 is the IP address of the Windows Server 2022 machine.
All Rights Reserved. Reproduction is Strictly Prohibited
Module
03 - Scanning Networks
6. Observe the packets captured by Wireshark.

Capturing fom Ethemet
File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Help
REQCeeSBFHsebaaanw
Source Destination Protea! Length Info

475 97.537233fe8ass15:Sdff:fers:..£¥02::4 MONS 371 Standard query response @x0000 TXT, cache Flush PTR ad. tep.u f
476 88.107472_Nicrosof01: Broadcast ane 42 lho has 10.20.1.22? Tell 20,10.1.21
477 88.108065_‘Microsof_01 Nicrosof_o1:80:00 ARP 42 10,10.1.22 is at
478 88.108101 _10,10.1.11 E 1p 74 Echo (ping) request id=ox0001,
479 68.10855510,10.1.22 i Io! 74 Echo (ping) reply id=oxo001,
48 89.120177 10.10.1.11 10. TCHP 74 Echo (ping) request id=exe001,
481 69.120710 19.10.1.22 e 10P 74 Echo (ping) reply id=0x0001, S12, ttl-128 (request in
402 09.539860 10.10.1. 0.0. MONS 417 Standard query response ex0000 TxT, ca he flush PTR _adb._tep..-
493 29.539864 MONS 437 Standard query response ex00e0 TXT, cache flush PTR ~adb. tcp.
494 69.529905 : MONS 371 Standard query response @x0000 TXT, cache flush PTR adb
485 90.13591510.10.1.11, 10.10.1.22 74 Echo (ping) request id=0x0001, seq=3/768, ttl=128 (reply in 4.
486 .90.136418 _10.10.1.22 10.10,1.11 10P 74 Echo (ping) reply id=0x0001, 768, tt1=128 (request ins
Frame 478: 74 bytes on wire (582 bits), 74 bytes captured ($82 bits) on interface \Device\NPF_{5A983588-F693-4023-B9B6-DCCZSADB1I14}, id @
Ethernet IZ, Src: Microsof_61:80:2 (@0:15:5d:@1:80:02), Dst: Microsof_@1:80:00 (00:15:5d:01:60:00)
Internet Protocol Version 4, Src: 10.10.1.22, Dst: 10.10.1.12
Internet Control Message Protocol
0 15 Sd 01 60 00 0015 sdols0e2es004500 =] 4] ©
00 3c 45 17 00 00 80 01 df 75 a da C1 16 daa -<E u
@1 Gb 00 8 55 Sa 00 21 00 01 61 62 63 64 65 66 Uz-» --abedef
67 68 69 Ga Gb Gc Gd Ge GF 70 71 72 73 74 75 76 ghijklan opqrstuv
77 61 62 63 68 65 56 67 63 69 wabcdefg hi
@ 7 in progress>
Ethemet: <ive capture Packets: 12289 « Displayed: 12289 (100.0%) Profile: Default
B@OouG@owe@ada ewe)
7. Choose any packet of the ICMP reply from the Windows Server 2022 (10.10.1.22) to
Windows 11 (10.10.1.11) machines and expand the Internet Protocol Version 4 node in
the Packet Details pane.
8. The TTL value is recorded as 128, which means that the ICMP reply possibly came from a
Windows-based machine.
CEH Lab Manual Page 272 Ethical Hacking and Countermeasures Copyright © by EC-Cot
fe
Edt View Go Capture Analyze Statistics Telephony Wireless Tools Help
“BAO UDRECeoSTssBaaan
[soir diay ter <cui> eiJ+
Te Source Destnaten Protocol Length Info
475 87.537233 Fe00::15:5dFF:Fe19:_. #F02::fb ONS «371 Standard query response 0x0000 TXT, cache flush PTR _adb._tep..
476 8.107472 _Microsof @1:80:00 Broadcast ARP 42 iho has 10.10.1.22? Tell 10.10.1.11
477 8.108065 Microsof_@1:80:62 _Microsof_01:80:00 42 10.10.1.22 is at 00:15:5d:01:80:02
478 38.108101 _10.10.1.11 30.10.1.22 ‘74 Echo (ping) request ide@x0001, seqn1/256, tt1=128 (reply in 4.
479 88.108655 1010.12, 10.10.1.12 ‘TA Echo (ping) reply id-0x0001, seqr1/256, tt1=128 (request i
439 89.120177 10.1. 10.10.1.22 74 Echo (ping) request id-dx00@i, seq=2/512, ttl=128 (reply in 4.
431 89.120710 He 10.10.1.11 74 Echo (ping) reply id-@xo0ai, seqe2/512, tt1=128 (request in
482 89.539860 : 224.0.0.251 427 Standard query cesponse @x0000 TXT, cache flush PTR _adb. tcp.
483 99.539864 :18b38:ed47:262.. #F02::fb 437 Standard query response 0x0000 TXT, cache flush PTR ~adb. tcp.
488 89.539905 371 Standard query response @x0000 TXT, cache flush PTR _adb. tcp.m
435 90.135915 10,10.1.13 10.10.1.22 74 Echo (ping) request id-0xo0ei, seqe3/768, ttl=128 (reply in 4.
10,10.1.22 30.10.1.31 74 Echo (ping) reply id-Oxo0ei, seq~3/768, ttl=128 (request in.
Frame 479: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{SA983568-F693-4023-B9B6-DCC29ADB1114), id ©
Ethernet II, Src: Microsof_@1:80:02 (00:15:5d:01:80:02), Dst: Microsof_01:80:00 (| '5d:01:80:00)
Internet Protocol Version 4, Src: 1.10.1.22, Dst: 1@.10.1.21
0100 .... = Version: 4
sees @1@1 = Header Length: 20 bytes (5)
Differentiated Services Field: @xe@ (DSCP: CS®, ECN: Not-ECT)
Total Length: 60
Identification: @x4517 (17687)
Flags: 6x00
++-8 088 0000 0000 = Fragnent Offset: 0
‘Time to Live: 128
Protocol: ICMP (1)
Header Checksum: @xdf75 [validation disabled]
[Header checksum status: Unverified]
0 15 5d @1 80 00 00 15 Sd e1 80 O2 08 00 48 yo J
08 3c 45 17 00 00 GE 01 df 75 Ga Ga 01 16 03 EB ou
@1 @b 00 00 55 Sa 08 1 00 G1 61 62 63 64 65. Uz". --abedef
67 68 69 6a 6b Gc 6d Ge GF 70 71 72 73 74 75 ghijklmn opqrstuv
77 61 62 63 64 65 66 67 68 69 wabedefg hi
@ 7 Tmetoive (o.tt), rbyte | Packets: 12365 Displayed: 12365 (100.0%) | Profle:Def
B®OuGowe@ada kes)
toolbar.
Capture Analyze Statistics Telephony Wireless Tools Help

BRE QCesSeFas QQaan
S-j+
Destination Protocol Length nfo
475 67.537233 sdf: fer8:. #F023:%0 MONS 371 Standard query response @x0000 TXT, cache flush PTR _adb._ tcp.
476 8.107872 Nicrosof 61:80:08 Broadcast 42 iho has 10.10.1.22? Tell 10.10.1.11
477 8.108065 icrosof_@1:80:02 _Microsof_01:80:00 42 10.10.1.22 is at 00:15:5d:01:80:02
478 88.108101 _10.10.1.11 10.10.1.22 74 Echo (ping) request id-x00@1, seq=1/256, ttl=128 (reply in 4.
479 8.108655 10.10.1.22 10.10.1.11 ‘74 Echo (ping) reply — id-@x0001, seq=1/256, ttl=128 (request in.
490 89.1207 10.10.1.11 10.10.1.22 74 Echo (ping) request id=@x0001, seq=2/512, ttl-126 (reply in 4
481 89.120710—10,10.1.22 10.10.1.11 74 Echo (ping) ceply id-0x0002, s0q-2/512, tt1e128 (request in.
432 89.539860 10.10.1.3 224,0.0.252 437 Standard query response @x0000 TAT, cache flush PTR _adb._tcp.m
433 39.539864 _e80::8638:ed47:281. #02: 437 Standard query response @x®@00 TAT, cache flush PTA _adb._tcp.m
484 89.539905 fe80::15:54FF:Fe18:. Ff02:: 371 Standard query response @x000@ TXT, cache flush PTR _adb. tcp.
485 90.135915 10.10.1.11 i 74 Echo (ping) request id-xo0ai, seq-3/768, ttl=128 (reply in 4.
436 90.136818 _10.10.1.22 0.10.1. 74 Echo (ping) reply _id-exe0at, seqr3/768, tt1+128 (request ine
> Frame 479: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{5A903588-F693-4073-6986-DCCZ9ADBI114), id @
> Ethernet II, Src: Microsof_@1:80:@2 (0@:15:5d:01:80:02), Ost: Microsof_@1:80:00 (@0:: 101:80:00)
Internet Protocol Version 4, Src: 10.10.1.22, Dst: 10.20,1.11
e100 . = Version: 4
= @101 = Header Length: 20 bytes (5)
Differentiated Services Field: @x0@ (DSCP: CSO, ECM: Not-ECT)
Total Length: 69
Identification: Ox4517 (17687)
Flags: 0x00
0 0000 0000 0000 = Fragnent Offset: @
Tine to Live: 128
Protocol: CHP (2)
Header Checksum: Oxdf75 [validation disabled]
didcns : 10-10-21
00 15 5d 01 80 00 00 15 B
00 3c 45 17 09 00 Hel Bo
01 0 00 00 55 5a 00 61 00 61 61 62 63 64 6 uz --abedet
67 68 69 Ga 6b Gc 64 Ge GF 70 71 72 73 74 75 76 ghijklan opqrstuv
77 61 62 63 64 65 66 67 68 69 wabedefg hi
10. Now, click the Start capturing packets button from the toolbar. Ifan Unsaved packets
pop-up appears, click Continue without Saving.
Wii a. |
File Edit View Go Capture Analyze Statistics Telephony Wireless Tools. Help
‘ @uBRE XSF S2aaan
he. Destination Protocol Length Info |:

#F02::4 ONS 371 Standard quer} @ TXT, cache flush PTR _adb._ I
476 88.107472 Broadcast ARP 42 Who has 10.10.1.22? Tell 1@.10.2.11
477 38.108065 Microsof_01:80:00 ARP 42 10,10.1.22
@.10.1.22
10.1.4
Standard qui
8b38:0d47:21 Standard query
séff:feis:. # Standard qu:
aaa 10.10.1.22 ng)
on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_(SA9BISG8-F693-4023-B986-DCC29ADBI116), id @
crosef_01:80:@2 (0@:15:5d:01:80:02), 0: 2:00)
Y Internet Protocol Version 4, Src: 10.10.1.22, Dst: 10.10.1.11
e100 .... = Version
e101 = Header Li 5)
Differentiated Servic : @x@ (DSCP: CSB, ECN: Not-ECT)
Total Length: 60
Identification: 0x4527 (37687)
Flags
© 0008 2000 0000 = Fragnent Offset: 0
Time to Live: 128
Protocol: ICMP (1)
Header Checksum: Oxdf75 [validation disabled]
[Header checksum unverified]
Li Souecm dines ia 10122 . =|
11. Wireshark will start capturing the new packets.
12. In the Command Prompt window, type ping 10.10.1.9 and press Enter.
Note: 10.10.1.9 is the IP address of the Ubuntu machine.
[Bi Command Prompe
from 10.
from 10.
Maximum
10.10.
from 1
om 10.
from 10.
Module
03 - Scanning Networks
13. Observe the packets captured by Wireshark.

14. Choose any packet of ICMP reply from the Ubuntu (10.10.1.9) to Windows 11
(10.10.1.11) machine and expand the Internet Protocol Version 4 node in the Packet
Details pane.
15. The TTL value is recorded as 64, which means the ICMP reply possibly came from a
Linux-based machine.
Capturing from Ethemet
File Edit View Go Capture Analyze Statistics Telephony Wireless Tools Help
a+
Protea! Length Info
61 15.757689 feb: Wons 371 Standard query response ex0000 Txt, cache flush PTR _adb._tep.
62 17.759212 0d47:263.- 497 Standard query response @x0000 TAT, cache flush PTR
63 17.759261 _10.10.1.. . 417 Standard query response 0000 TX, cache flush PTR
64 17.759279 fel: 371 Standard query response @0000 TXT, cache flush PTR
65 21.764189 . 4417 Standard query response @x0000 TXT, cache flush PTR
66 21.764190 feb: 371 Standard query response @x0000 TXT, cache flush PTR
67 21.764189 261 2 cache flush PTR
69 21.985381 _Microzof_01:90:00 Broadcast
69 21.985935 nicrorof 15d:182
70 21.985957 10.10.11 seq-5/1280, tt1-128 (reply in =
nn n.sese2 fi 19.10.1.11 cH 74 Echo (ping) reply id=0x0001, seqe5/1280, tel=64 (request in
72 22.993079__10.10.1.11 10.10.1.9 IOP _ 74 Echo (ping) request _ide0x0001, seqe6/1536, tt1=126 (reply in.
Frane 71: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{5A9#3588-F693-4023-B986-DCC29ADB1114}, id @
> Ethernet IZ, Sre: MS-NLB-PhysServer-21_54:18:27:eb (02:15:5d:18:27:eb), Ost: Microsof_01:80:00 (@0:15:5d:01:80:00)
I internet Protocol Version 4, Src: 10.10.1.9, Dst: 10.10,1.12
0100 .... = Version: 4
1+ @101 = Header Length: 20 bytes (5)
> Differentiated Services Field: @x00 (OSCP: CSO, EC: Not-ECT)
Total Length: 60
Identification: Oxabo (17593)
Flags: &x0
+8 0900 0000 0000 = Fragnent Offset: @
Tine to Live: 64
Protocol: ICMP (2)
Header Checksum: @x1fel [validation disabled]
Source Addeacs: 10 101-9.
00 15 5d 01 80 00 02 15 5d 18 27 eb
00 3c 44 69 09 00 Mol if el on os 0: feDeBe T veces
01 @ 00 00 55 56 00 e1 a abedet
67 68 69 6a 6b 6c 6d Ge ghijklan opgrstuv
77 61 62 63 64 65 66 67 wabedefg hi
16. Stop the capture in the Wireshark window by clicking on the Stop button.
17. This concludes the demonstration of identifying the OS of the target system using
Wireshark.
18. Close all open windows and document all the acquired information.
19. Turn off the Windows 11 and Ubuntu virtual machines.
Task 2: Perform OS Discovery using Nmap Script Engine (NSE)
Nmap, along with Nmap Script Engine (NSE), can extract considerable valuable information
from the target system. In addition to Nmap commands, NSE provides scripts that reveal all
sorts of useful information from the target system. Using NSE, you may obtain information such
as OS, computer name, domain name, forest name, NetBIOS computer name, NetBIOS domain
name, workgroup, system time of a target system, etc.
Here, we will use Nmap to perform OS discovery using -A parameter, -O parameter, and NSE.
Note: Ensure that the Windows Server 2022 virtual machine is running.
1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as
toor in the Password field and press Enter to log in to the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
Note: If a Question pop-up window appears asking you to update the machine, click No
to close the window.
3. Click the MATE Terminal icon at the top of the Desktop to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
5. Inthe [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
6. In the terminal window, type the command nmap -A [Target IP Address] (here, the
target machine is Windows Server 2022 [10.10.1.22]) and press Enter.
Note: -A: to perform an aggressive scan.

Note: The scan takes approximately 10 minutes to complete.
7. The scan results appear, displaying the open ports and running services along with their
versions and target details such as OS, computer name, NetBIOS computer name, etc.
under the Host script results section.
NetBIOS MAC
tandard 6.3
0749s, median: 6h
RACEROUTE
OP RTT ADDRESS
s 10.10,.1.2
8. In the terminal window, type the command nmap -O [Target IP Address] (here, the
target machine is Windows Server 2022 [10.10.1.22]) and press Enter.
Note: -O: performs the OS discovery.
9. The scan results appear, displaying information about open ports, respective services
running on the open ports, and the name of the OS running on the target system.
an r
up
Not shown
ORT T
3/tep op
@/tcp
8/tcp
msmq-mgnt
globalcatl
globalcatL
f bt-server
NAC Addre 12:D9:10:BD (Unknown)
xact ns es for host (If you know what
IP fingerprin
AN(V=7 . 92%E=44D=6/6
629ECA27%P=x86_64-pc-Lir
TS=A) OPS (01=MSB4NW8
=P.
10. In the terminal window, type the command nmap --script smb-os-discovery.nse [Target
IP Address] (here, the target machine is Windows Server 2022 [10.10.1.22]) and press
Enter.
Note: --script: specifies the customized script and smb-os-discovery.nse: attempts to
determine the OS, computer name, domain, workgroup, and current time over the SMB
protocol (ports 445 or 139).
11. The scan results appear, displaying the target OS, computer name, NetBIOS computer
name, etc. details under the Host script results section.
12. This concludes the demonstration of discovering the OS running on the target system
using Nmap.
Task 3: Perform OS Discovery using Unicornscan
Unicornscan is a Linux-based command line-oriented network information-gathering and

reconnaissance tool. It is an asynchronous TCP and UDP port scanner and banner grabber that
enab| les you to discover open ports, services, TTL values, etc. running on the target machine. In
Unicornscan, the OS of the target machine can be identified by observing the TTL values in the
acquired scan result.
Here, we will use the Unicornscan tool to perform OS discovery on the target system.
Note : Ensure that the Windows Server 2022 virtual machine is running.
1. Turn on the Ubuntu virtual machine.

2. Switch to the Parrot Security virtual machine and click the MATE Terminal icon at the
top of the Desktop to open a Terminal window.
A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
In the [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
Now, type cd and press Enter to jump to the root directory.
In the terminal window, type unicornscan [Target IP Address] -Iv (here, the target
machine is Windows Server 2022 [10.10.1.22]) and press Enter.
Note: In this command, -I specifies an immediate mode and v specifies a verbose mode.
The scan results appear, displaying the open TCP ports along with the obtained TTL
value of 128. As shown in the screenshot, the ttl values acquired after the scan are 128;
hence, the OS is possibly Microsoft Windows (Windows 8/8.1/10/11 or Windows Server
16/19/22).
Note: Here, the target machine is Windows Server 2022 (10.10.1.22).
2 42 0
38, 100,185 139,143 150, 161-164, 174, 177-179, 191 102
206,209,210 422,443 445, 487 ,500,512-514,517,518,520,525,533
8, 548,554 52,765,779, 808, 873,901 923,941
992-995, 1¢
1646, 164
78, 7000-7609,
10081, 1016
3178
54321,5 11, 60008 , 60006 , 6100
06 , 65:
aning 1.00e+00 t ittle longer than 8 Second

P open 10.10.1
P open 10.10.1
P 9.10.1
P 10.1
us 10.1
P 10.1.2
cP 18 1
p 10.10
Pp 18.10 1
P 10.16 1
ender statisti 8 packets sent tota
istener s 676 packet eved © packets droped and @ interface drops
doma m 10.10.1 2. ttl 128
8. In the Parrot Terminal window, type unicornscan [Target IP Address] -Iv (here, the
target machine is Ubuntu [10.10.1.9]) and press Enter.
9. The scan results appear, displaying the open TCP ports along with a TTL value of 64. As
shown in the screenshot, the ttl value acquired after the scan is 64; hence, the OS is
possibly a Linux-based machine (Google Linux, Ubuntu, Parrot, or Kali). Using this
information, attackers can formulate an attack strategy based on the OS of the target
system.
ing 10.10.1.9/32 mode ‘TCPscan’ p.

8,100, 105-107, 109-111, 113,118,119, 1
10 0,345
4,563, 587 , 610-6
3-1030
/1719,1
5556, 56 6907, 63 5 909, 7028, 7100,

787 , 8879, 9090 , 9101-9103, 9325 ] 26,1 7, 19080, 10081, 10167, 19498
303, 18753, 20011, 20012, 21554, 27 74, 274 4 , 27573, 31335-31338, 1
0, 47262, 493 2 6
aning 1.00e+00 tot ts w ts, s take a Little Longer than

P open 10.10.1.9:22
P open 10.10.1.9
nder statistics
tener statistic ed © packets droped and @ interface drops
from 10.10.1.9 ttl 64
m 10.10.1.9 ttl 64
10. This concludes the demonstration of discovering the OS of the target machine using
Unicornscan.
12. Turn off the Parrot Security, Windows Server 2022 and Ubuntu virtual machines.
Lab Analysis
Analyze and document the results of this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
O Yes MINo
Platform Supported
1 Classroom CyberQ

Lab 3 - OS Discovery

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lab 3 - OS Discovery

Uploaded by

Copyright:

Available Formats

Module 03 - Scanning Networks

= Windows 11 virtual machine

Overview of OS Discovery/ Banner Grabbing

Operating System Time To Live TCP Window Size

OpenBSD 255 16384

Windows 128 65,535 bytes to 1 Gigabyte

Cisco Routers 255 4128

Solaris 255 8760

AIX 255 16384

All Apps Documents Web More

pes Gk =] Alinterfaes shown ™

User's Guide ~ Wiki ~ Questions and Answers Maing Lists

Note: 10.10.1.22 is the IP address of the Windows Server 2022 machine.

6. Observe the packets captured by Wireshark.

Source Destination Protea! Length Info

@ 7 Tmetoive (o.tt), rbyte | Packets: 12365 Displayed: 12365 (100.0%) | Profle:Def

Capture Analyze Statistics Telephony Wireless Tools Help

he. Destination Protocol Length Info |:

11. Wireshark will start capturing the new packets.

13. Observe the packets captured by Wireshark.

Task 2: Perform OS Discovery using Nmap Script Engine (NSE)

Note: -A: to perform an aggressive scan.

Note: -O: performs the OS discovery.

Task 3: Perform OS Discovery using Unicornscan

Unicornscan is a Linux-based command line-oriented network information-gathering and

1. Turn on the Ubuntu virtual machine.

aning 1.00e+00 t ittle longer than 8 Second

ing 10.10.1.9/32 mode ‘TCPscan’ p.

5556, 56 6907, 63 5 909, 7028, 7100,

aning 1.00e+00 tot ts w ts, s take a Little Longer than

You might also like