Professional Documents
Culture Documents
Lab 3 - OS Discovery
Lab 3 - OS Discovery
Perform OS Discovery
Banner grabbing, or OS fingerprinting, is used to determine the OS running on a remote target
system.
Lab Scenario
As a professional ethical hacker or a pen tester, the next step after discovering the open ports
and services running on the target range of IP addresses is to perform OS discovery. Identifying
the OS used on the target system allows you to assess the system’s vulnerabilities and the
exploits that might work on the system to perform additional attacks.
Lab Objectives
= Identify the target system’s OS with Time-to-Live (TTL) and TCP window sizes using
Wireshark
= Perform OS discovery using Nmap Script Engine (NSE)
= Perform OS discovery using Unicornscan
Lab Environment
To carry out this lab, you need:
Lab Duration
Time: 15 Minutes
CEH Lab Manual Page 268 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
Linux 64 5840
FreeBSD 64 65535
Lab Tasks
Task 1: Identify the Target System’s OS with Time-to-Live (TTL) and
TCP Window Sizes using Wireshark
Wireshark is a network protocol analyzer that allows capturing and interactively browsing the
traffic running on a computer network. It is used to identify the target OS through
sniffing/capturing the response generated from the target machine to the request-originated
machine. Further, you can observe the TTL and TCP window size fields in the captured TCP
packet. Using these values, the target OS can be determined.
Here, we will use the Wireshark tool to perform OS discovery on the target host(s).
CEH Lab Manual Page 269 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
1. Turn on the Windows 11, Windows Server 2022 and Ubuntu virtual machines.
2. Switch to the Windows 11 virtual machine. By default, Admin user profile is selected,
type Pa$$wOrd in the Password field and press Enter to login.
Note: If Welcome to Windows wizard appears, click Continue and in Sign in with
Microsoft wizard, click Cancel.
Note: Networks screen appears, click Yes to allow your PC to be discoverable by other
PCs and devices on the network.
3. Click Search icon [2], on the Desktop. Type wireshark in the search field, the
Wireshark appears in the results, click Open to launch it.
2D wireshark
Best match
la Wireshark
y |
Apps Wireshark
App
A Wireshark-win6
4-3.6.3.exe
Search the web loge
Fe) Wireshark - See web results Run as administrator
Open fle location
p Wireshark
Pin to Start
OD wireshark download Pin to taskbar
Fe) wireshark oui Uninstall
Fe) wireshark tutorial
p wireshark filters
chat
EEE eee
mOr@oses
CEH Lab Manual Page 270 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
4. The Wireshark Network Analyzer main window appears; double-click the available
ethernet or interface (here, Ethernet) to start the packet capture, as shown in the
screenshot.
Note: If Software Update window appears, click Remind me later.
[Wi Whe Wereshard Network Analyzer o a |
File Edit View Go Capture Analyze Statistics Telephony Wir
4 ou x a =
f i -)+
Welcome
to Wireshark
CEH Lab Manual Page 271 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module
03 - Scanning Networks
0 15 Sd 01 60 00 0015 sdols0e2es004500 =] 4] ©
00 3c 45 17 00 00 80 01 df 75 a da C1 16 daa -<E u
@1 Gb 00 8 55 Sa 00 21 00 01 61 62 63 64 65 66 Uz-» --abedef
67 68 69 Ga Gb Gc Gd Ge GF 70 71 72 73 74 75 76 ghijklan opqrstuv
77 61 62 63 68 65 56 67 63 69 wabcdefg hi
@ 7 in progress>
Ethemet: <ive capture Packets: 12289 « Displayed: 12289 (100.0%) Profile: Default
B@OouG@owe@ada ewe)
7. Choose any packet of the ICMP reply from the Windows Server 2022 (10.10.1.22) to
Windows 11 (10.10.1.11) machines and expand the Internet Protocol Version 4 node in
the Packet Details pane.
8. The TTL value is recorded as 128, which means that the ICMP reply possibly came from a
Windows-based machine.
CEH Lab Manual Page 272 Ethical Hacking and Countermeasures Copyright © by EC-Cot
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
fe
Edt View Go Capture Analyze Statistics Telephony Wireless Tools Help
“BAO UDRECeoSTssBaaan
[soir diay ter <cui> eiJ+
Te Source Destnaten Protocol Length Info
475 87.537233 Fe00::15:5dFF:Fe19:_. #F02::fb ONS «371 Standard query response 0x0000 TXT, cache flush PTR _adb._tep..
476 8.107472 _Microsof @1:80:00 Broadcast ARP 42 iho has 10.10.1.22? Tell 10.10.1.11
477 8.108065 Microsof_@1:80:62 _Microsof_01:80:00 42 10.10.1.22 is at 00:15:5d:01:80:02
478 38.108101 _10.10.1.11 30.10.1.22 ‘74 Echo (ping) request ide@x0001, seqn1/256, tt1=128 (reply in 4.
479 88.108655 1010.12, 10.10.1.12 ‘TA Echo (ping) reply id-0x0001, seqr1/256, tt1=128 (request i
439 89.120177 10.1. 10.10.1.22 74 Echo (ping) request id-dx00@i, seq=2/512, ttl=128 (reply in 4.
431 89.120710 He 10.10.1.11 74 Echo (ping) reply id-@xo0ai, seqe2/512, tt1=128 (request in
482 89.539860 : 224.0.0.251 427 Standard query cesponse @x0000 TXT, cache flush PTR _adb. tcp.
483 99.539864 :18b38:ed47:262.. #F02::fb 437 Standard query response 0x0000 TXT, cache flush PTR ~adb. tcp.
488 89.539905 371 Standard query response @x0000 TXT, cache flush PTR _adb. tcp.m
435 90.135915 10,10.1.13 10.10.1.22 74 Echo (ping) request id-0xo0ei, seqe3/768, ttl=128 (reply in 4.
10,10.1.22 30.10.1.31 74 Echo (ping) reply id-Oxo0ei, seq~3/768, ttl=128 (request in.
Frame 479: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{SA983568-F693-4023-B9B6-DCC29ADB1114), id ©
Ethernet II, Src: Microsof_@1:80:02 (00:15:5d:01:80:02), Dst: Microsof_01:80:00 (| '5d:01:80:00)
Internet Protocol Version 4, Src: 1.10.1.22, Dst: 1@.10.1.21
0100 .... = Version: 4
sees @1@1 = Header Length: 20 bytes (5)
Differentiated Services Field: @xe@ (DSCP: CS®, ECN: Not-ECT)
Total Length: 60
Identification: @x4517 (17687)
Flags: 6x00
++-8 088 0000 0000 = Fragnent Offset: 0
‘Time to Live: 128
Protocol: ICMP (1)
Header Checksum: @xdf75 [validation disabled]
[Header checksum status: Unverified]
0 15 5d @1 80 00 00 15 Sd e1 80 O2 08 00 48 yo J
08 3c 45 17 00 00 GE 01 df 75 Ga Ga 01 16 03 EB ou
@1 @b 00 00 55 Sa 08 1 00 G1 61 62 63 64 65. Uz". --abedef
67 68 69 6a 6b Gc 6d Ge GF 70 71 72 73 74 75 ghijklmn opqrstuv
77 61 62 63 64 65 66 67 68 69 wabedefg hi
B®OuGowe@ada kes)
toolbar.
CEH Lab Manual Page 273 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
10. Now, click the Start capturing packets button from the toolbar. Ifan Unsaved packets
pop-up appears, click Continue without Saving.
Wii a. |
File Edit View Go Capture Analyze Statistics Telephony Wireless Tools. Help
‘ @uBRE XSF S2aaan
Standard qui
8b38:0d47:21 Standard query
séff:feis:. # Standard qu:
aaa 10.10.1.22 ng)
on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_(SA9BISG8-F693-4023-B986-DCC29ADBI116), id @
crosef_01:80:@2 (0@:15:5d:01:80:02), 0: 2:00)
Y Internet Protocol Version 4, Src: 10.10.1.22, Dst: 10.10.1.11
e100 .... = Version
e101 = Header Li 5)
Differentiated Servic : @x@ (DSCP: CSB, ECN: Not-ECT)
Total Length: 60
Identification: 0x4527 (37687)
Flags
© 0008 2000 0000 = Fragnent Offset: 0
Time to Live: 128
Protocol: ICMP (1)
Header Checksum: Oxdf75 [validation disabled]
[Header checksum unverified]
Li Souecm dines ia 10122 . =|
12. In the Command Prompt window, type ping 10.10.1.9 and press Enter.
Note: 10.10.1.9 is the IP address of the Ubuntu machine.
[Bi Command Prompe
from 10.
from 10.
Maximum
10.10.
from 1
om 10.
from 10.
CEH Lab Manual Page 274 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module
03 - Scanning Networks
a+
Protea! Length Info
61 15.757689 feb: Wons 371 Standard query response ex0000 Txt, cache flush PTR _adb._tep.
62 17.759212 0d47:263.- 497 Standard query response @x0000 TAT, cache flush PTR
63 17.759261 _10.10.1.. . 417 Standard query response 0000 TX, cache flush PTR
64 17.759279 fel: 371 Standard query response @0000 TXT, cache flush PTR
65 21.764189 . 4417 Standard query response @x0000 TXT, cache flush PTR
66 21.764190 feb: 371 Standard query response @x0000 TXT, cache flush PTR
67 21.764189 261 2 cache flush PTR
69 21.985381 _Microzof_01:90:00 Broadcast
69 21.985935 nicrorof 15d:182
70 21.985957 10.10.11 seq-5/1280, tt1-128 (reply in =
nn n.sese2 fi 19.10.1.11 cH 74 Echo (ping) reply id=0x0001, seqe5/1280, tel=64 (request in
72 22.993079__10.10.1.11 10.10.1.9 IOP _ 74 Echo (ping) request _ide0x0001, seqe6/1536, tt1=126 (reply in.
Frane 71: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{5A9#3588-F693-4023-B986-DCC29ADB1114}, id @
> Ethernet IZ, Sre: MS-NLB-PhysServer-21_54:18:27:eb (02:15:5d:18:27:eb), Ost: Microsof_01:80:00 (@0:15:5d:01:80:00)
I internet Protocol Version 4, Src: 10.10.1.9, Dst: 10.10,1.12
0100 .... = Version: 4
1+ @101 = Header Length: 20 bytes (5)
> Differentiated Services Field: @x00 (OSCP: CSO, EC: Not-ECT)
Total Length: 60
Identification: Oxabo (17593)
Flags: &x0
+8 0900 0000 0000 = Fragnent Offset: @
Tine to Live: 64
Protocol: ICMP (2)
Header Checksum: @x1fel [validation disabled]
[Header checksum status: Unverified]
Source Addeacs: 10 101-9.
00 15 5d 01 80 00 02 15 5d 18 27 eb
00 3c 44 69 09 00 Mol if el on os 0: feDeBe T veces
01 @ 00 00 55 56 00 e1 a abedet
67 68 69 6a 6b 6c 6d Ge ghijklan opgrstuv
77 61 62 63 64 65 66 67 wabedefg hi
16. Stop the capture in the Wireshark window by clicking on the Stop button.
17. This concludes the demonstration of identifying the OS of the target system using
Wireshark.
18. Close all open windows and document all the acquired information.
19. Turn off the Windows 11 and Ubuntu virtual machines.
Nmap, along with Nmap Script Engine (NSE), can extract considerable valuable information
from the target system. In addition to Nmap commands, NSE provides scripts that reveal all
sorts of useful information from the target system. Using NSE, you may obtain information such
as OS, computer name, domain name, forest name, NetBIOS computer name, NetBIOS domain
name, workgroup, system time of a target system, etc.
Here, we will use Nmap to perform OS discovery using -A parameter, -O parameter, and NSE.
CEH Lab Manual Page 275 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
Note: Ensure that the Windows Server 2022 virtual machine is running.
1. Turn on the Parrot Security virtual machine.
2. In the login page, the attacker username will be selected by default. Enter password as
toor in the Password field and press Enter to log in to the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and
close it.
Note: If a Question pop-up window appears asking you to update the machine, click No
to close the window.
3. Click the MATE Terminal icon at the top of the Desktop to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press
Enter to run the programs as a root user.
5. Inthe [sudo] password for attacker field, type toor as a password and press Enter.
Note: The password that you type will not be visible.
6. In the terminal window, type the command nmap -A [Target IP Address] (here, the
target machine is Windows Server 2022 [10.10.1.22]) and press Enter.
7. The scan results appear, displaying the open ports and running services along with their
versions and target details such as OS, computer name, NetBIOS computer name, etc.
under the Host script results section.
NetBIOS MAC
tandard 6.3
0749s, median: 6h
RACEROUTE
OP RTT ADDRESS
s 10.10,.1.2
CEH Lab Manual Page 276 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
8. In the terminal window, type the command nmap -O [Target IP Address] (here, the
target machine is Windows Server 2022 [10.10.1.22]) and press Enter.
9. The scan results appear, displaying information about open ports, respective services
running on the open ports, and the name of the OS running on the target system.
an r
up
Not shown
ORT T
3/tep op
@/tcp
8/tcp
msmq-mgnt
globalcatl
globalcatL
f bt-server
NAC Addre 12:D9:10:BD (Unknown)
xact ns es for host (If you know what
IP fingerprin
AN(V=7 . 92%E=44D=6/6
629ECA27%P=x86_64-pc-Lir
TS=A) OPS (01=MSB4NW8
=P.
10. In the terminal window, type the command nmap --script smb-os-discovery.nse [Target
IP Address] (here, the target machine is Windows Server 2022 [10.10.1.22]) and press
Enter.
Note: --script: specifies the customized script and smb-os-discovery.nse: attempts to
determine the OS, computer name, domain, workgroup, and current time over the SMB
protocol (ports 445 or 139).
11. The scan results appear, displaying the target OS, computer name, NetBIOS computer
name, etc. details under the Host script results section.
CEH Lab Manual Page 277 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
12. This concludes the demonstration of discovering the OS running on the target system
using Nmap.
13. Close all open windows and document all the acquired information.
CEH Lab Manual Page 278 Ethical Hacking and Countermeasures Copyright © by E6-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 03 - Scanning Networks
In the terminal window, type unicornscan [Target IP Address] -Iv (here, the target
machine is Windows Server 2022 [10.10.1.22]) and press Enter.
Note: In this command, -I specifies an immediate mode and v specifies a verbose mode.
The scan results appear, displaying the open TCP ports along with the obtained TTL
value of 128. As shown in the screenshot, the ttl values acquired after the scan are 128;
hence, the OS is possibly Microsoft Windows (Windows 8/8.1/10/11 or Windows Server
16/19/22).
Note: Here, the target machine is Windows Server 2022 (10.10.1.22).
CEH Lab Manual Page 279 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
2 42 0
38, 100,185 139,143 150, 161-164, 174, 177-179, 191 102
206,209,210 422,443 445, 487 ,500,512-514,517,518,520,525,533
8, 548,554 52,765,779, 808, 873,901 923,941
992-995, 1¢
1646, 164
78, 7000-7609,
10081, 1016
3178
54321,5 11, 60008 , 60006 , 6100
06 , 65:
8. In the Parrot Terminal window, type unicornscan [Target IP Address] -Iv (here, the
target machine is Ubuntu [10.10.1.9]) and press Enter.
9. The scan results appear, displaying the open TCP ports along with a TTL value of 64. As
shown in the screenshot, the ttl value acquired after the scan is 64; hence, the OS is
possibly a Linux-based machine (Google Linux, Ubuntu, Parrot, or Kali). Using this
information, attackers can formulate an attack strategy based on the OS of the target
system.
CEH Lab Manual Page 280 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Module 03 - Scanning Networks
10. This concludes the demonstration of discovering the OS of the target machine using
Unicornscan.
11. Close all open windows and document all the acquired information.
12. Turn off the Parrot Security, Windows Server 2022 and Ubuntu virtual machines.
Lab Analysis
Analyze and document the results of this lab exercise.
PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.
O Yes MINo
Platform Supported
1 Classroom CyberQ
CEH Lab Manual Page 281 Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited