XPROBE2($Id: xprobe2.1,v 1.18 2005/07/26 12:48:59 mederchik Exp $)

NAME

       xprobe2 - a remote active operating system fingerprinting tool


SYNOPSIS

       xprobe2 [ -v ] [ -r ] [ -p proto:portnum:state ] [ -c configfile ] [ -o
       logfile ] [ -t receive_timeout ] [ -m numberofmatches ] [ -D modnum ]
       [ -M modnum ] [ -F ] [ -X ] [ -B ] [ -A ] [ -T portspec ] [ -U portspec ]
       host


DESCRIPTION

       xprobe2 is an active operating system fingerprinting tool with a
       different approach to operating system fingerprinting. xprobe2 relies
       on fuzzy signature matching, probabilistic guesses, multiple
       simultaneous matches, and a signature database.

       The operation of xprobe2 is described in a paper titled "xprobe2 - A
       'Fuzzy' Approach to Remote Active Operating System Fingerprinting",
       which is available from
       http://www.sys-security.com/html/projects/X.html.

       As xprobe2 uses raw sockets to send its probes, you must have root
       privileges for xprobe2 to be able to open them.


OPTIONS

       -v     be verbose.

       -r     display the route to the target (traceroute-like output).

       -c     read the configuration file (xprobe2.conf) from configfile
              instead of the default location.

       -D     disable module number modnum.

       -M     enable module number modnum; when -M is given, only the enabled
              modules run (see EXAMPLES).

       -m     set the number of results to display to numberofmatches.

       -o     use logfile to log everything (default output is stderr).

       -p     specify a port number (portnum), protocol (proto) and its state
              for xprobe2 to use during the reachability and fingerprinting
              tests of the remote host. proto is tcp or udp, portnum is a
              value from 1 to 65535, and state is either closed or open. For
              tcp, closed means the remote host replies with a RST packet and
              open means it replies with a SYN|ACK packet. For udp, closed
              means the remote host replies with an ICMP Port Unreachable
              packet and open means it sends no packet back. Note that a UDP
              port whose probes are silently dropped by a filter is
              indistinguishable from an open one by this definition.

       -t     set the receive timeout to receive_timeout seconds (the default
              is 10 seconds).

       -F     generate a signature for the specified target (use -o to save
              the fingerprint into a file).

       -X     write XML output to the logfile specified with -o.

       -B     causes xprobe2 to be a bit more noisy: -B makes the TCP
              handshake module try to blindly guess an open TCP port on the
              target by sending sequential probes to the following well-known
              ports: 80, 443, 23, 21, 25, 22, 139, 445 and 6000, hoping to
              get a SYN|ACK reply. If xprobe2 receives a RST|ACK or SYN|ACK
              packet for a port in the list above, the port is saved in the
              target port database to be used later by other modules (e.g.
              the RST module).

       -T, -U enable the built-in portscanning module, which will scan the
              TCP (-T) and/or UDP (-U) ports specified in portspec.

       -A     enable experimental detection of transparent proxies and
              firewalls/NIDSs that spoof RST packets, in the portscanning
              module. Use this option together with -T. All responses from
              the target gathered during the portscan are divided into two
              classes (SYN|ACK and RST) and saved for analysis. During
              analysis the module searches, within each class, for packets
              that differ in some of the fields of their TCP and IP headers;
              if such packets are found, a message is displayed showing the
              differing packets within the same class.

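       The -A check described above is a consistency test over the replies a
       port scan collects. The following Python script is an added example,
       not xprobe2's own code, that applies the same idea to a constructed
       set of replies: it splits them into the SYN|ACK and RST classes,
       derives each class's majority header profile, and reports any packet
       in the class that deviates from it. The man page only says "some of
       the fields" of the TCP and IP headers are compared; the three fields
       used here (IP TTL, IP DF flag, TCP window) and the sample replies are
       assumptions made for the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Header fields compared within a class (an assumption for this example;
# the man page does not list which fields xprobe2 -A actually uses).
FIELDS = ("ttl", "df", "window")

# Constructed replies from one scan: the target's own stack answers with
# TTL 64, DF set and a 5840-byte window on SYN|ACK and TTL 64, DF set on
# RST; an inline device that spoofs RSTs for port 445 answers with TTL 255
# and DF clear.  The unanswered probe to 8080 is there to show it is ignored.
SAMPLE_REPLIES = [
    {"port": 22,   "flags": "SYN|ACK", "ttl": 64,   "df": True,  "window": 5840},
    {"port": 80,   "flags": "SYN|ACK", "ttl": 64,   "df": True,  "window": 5840},
    {"port": 23,   "flags": "RST",     "ttl": 64,   "df": True,  "window": 0},
    {"port": 25,   "flags": "RST",     "ttl": 64,   "df": True,  "window": 0},
    {"port": 445,  "flags": "RST",     "ttl": 255,  "df": False, "window": 0},
    {"port": 8080, "flags": None,      "ttl": None, "df": None,  "window": None},
]


def classify(replies: List[dict]) -> Dict[str, List[dict]]:
    """Split replies into the two classes -A keeps; unanswered probes are dropped."""
    classes: Dict[str, List[dict]] = defaultdict(list)
    for r in replies:
        if r["flags"] in ("SYN|ACK", "RST"):
            classes[r["flags"]].append(r)
    return classes


def find_inconsistent(replies: List[dict]) -> Dict[str, List[Tuple[int, dict]]]:
    """Return {class: [(port, {field: (seen, expected)}), ...]} for packets
    whose compared fields differ from the majority profile of their class.

    A different profile within one class means a different stack answered,
    which is what a RST-spoofing firewall/NIDS or a transparent proxy
    produces.
    """
    report: Dict[str, List[Tuple[int, dict]]] = {}
    for cls, pkts in classify(replies).items():
        # the most common (ttl, df, window) tuple is taken as the class baseline
        profiles = Counter(tuple(p[f] for f in FIELDS) for p in pkts)
        baseline = profiles.most_common(1)[0][0]
        odd = []
        for p in pkts:
            diff = {f: (p[f], b) for f, b in zip(FIELDS, baseline) if p[f] != b}
            if diff:
                odd.append((p["port"], diff))
        if odd:
            report[cls] = odd
    return report


if __name__ == "__main__":
    for cls, hits in find_inconsistent(SAMPLE_REPLIES).items():
        for port, diff in hits:
            print(f"{cls} class: port {port} differs from the majority in {diff}")
```

       The majority profile is the baseline, so the check needs several
       genuine replies per class; with a single genuine RST and a single
       spoofed one, whichever was seen first becomes the baseline. A
       mismatch says that a different stack answered for that port, not
       which stack is the target, so treat the flagged port's state with
       suspicion before passing it to -p.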

EXAMPLES

              xprobe2 -v -D 1 -D 2 192.168.1.10

              Will launch an OS fingerprinting attempt targeting 192.168.1.10.
              Modules 1 and 2, which are reachability tests, will be disabled,
              so probes will be sent even if the target is down. Output will
              be verbose.

              xprobe2 -v -p udp:53:closed 192.168.1.20

              Will launch an OS fingerprinting attempt targeting 192.168.1.20.
              UDP port 53 is declared closed (the target is expected to answer
              probes to it with ICMP Port Unreachable), and the output will be
              verbose.

              xprobe2 -M 11 -p tcp:80:open 192.168.1.1

              Will enable only the TCP handshake module (number 11) to probe
              the target, which is very useful when all ICMP traffic is
              filtered.

              xprobe2 -B 192.168.1.1

              Will cause the TCP handshake module to try to blindly guess an
              open port on the target by sequentially sending TCP packets to
              the most likely open ports (80, 443, 23, 21, 25, 22, 139, 445
              and 6000).

              xprobe2 -T 1-1024 127.0.0.1

              Will enable the portscanning module, which will scan TCP ports
              1 to 1024 on 127.0.0.1.

              xprobe2 -p tcp:139:open 192.168.1.2

              If the remote target has TCP port 139 open, the command line
              above will enable the application-level SMB module (if the
              remote target has TCP port 445 open instead, substitute 445 for
              139 in the command line).

              xprobe2 -p udp:161:open 192.168.1.10

              Will enable the SNMPv2c application-level module, which will try
              to retrieve the sysDescr.0 OID using community strings taken
              from the xprobe2.conf file.


NOTES

       xprobe2 fingerprints the remote operating system by analyzing the
       replies from the target, so to get the most out of xprobe2 you need to
       supply it with as much information as possible; in particular it is
       important to supply at least one open TCP port and one closed UDP
       port. An open TCP port can be provided on the command line (-p),
       obtained through the built-in portscanner (-T), or guessed blindly
       with -B. A UDP port can be supplied via the command line (-p) or
       through the built-in portscanner (-U).

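       The -p option defines a port's state by the reply it draws, and the
       NOTES above explain why xprobe2 wants at least one open TCP and one
       closed UDP port. The following Python script is an added example, not
       part of xprobe2, that validates proto:portnum:state arguments the way
       -p accepts them and turns constructed scan observations into an
       xprobe2 command line using exactly the -p definitions (TCP: RST is
       closed, SYN|ACK is open; UDP: ICMP Port Unreachable is closed, silence
       is open). The reply labels and the sample observations are constructed
       for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# proto:portnum:state exactly as the -p option accepts it
PORTSPEC_RE = re.compile(r"^(tcp|udp):(\d{1,5}):(open|closed)$")


def parse_portspec(spec: str) -> Tuple[str, int, str]:
    """Validate a -p argument, returning (proto, port, state) or raising."""
    m = PORTSPEC_RE.match(spec)
    if not m:
        raise ValueError(f"malformed port spec: {spec!r}")
    proto, port, state = m.group(1), int(m.group(2)), m.group(3)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range 1-65535 in {spec!r}")
    return proto, port, state


def infer_state(proto: str, reply: Optional[str]) -> Optional[str]:
    """Map what a probe drew back to the state xprobe2 expects.

    'reply' is a constructed label: 'SYN|ACK', 'RST', 'ICMP-unreach' or None
    (no packet at all).  Returns None when the observation fits neither
    -p definition, so the caller never passes a guessed state to -p.
    """
    if proto == "tcp":
        # -p: RST means closed, SYN|ACK means open; anything else is unknown
        return {"SYN|ACK": "open", "RST": "closed"}.get(reply)
    if proto == "udp":
        if reply == "ICMP-unreach":
            return "closed"
        if reply is None:
            return "open"    # caveat: a filtered UDP port is silent as well
        return None
    raise ValueError(f"unknown protocol {proto!r}")


def build_cmdline(host: str,
                  observations: Iterable[Tuple[str, int, Optional[str]]]) -> List[str]:
    """Turn (proto, port, reply) observations into an xprobe2 argv, keeping
    only the ports whose state is unambiguous under the -p definitions."""
    argv = ["xprobe2", "-v"]
    for proto, port, reply in observations:
        state = infer_state(proto, reply)
        if state is None:
            continue
        spec = f"{proto}:{port}:{state}"
        parse_portspec(spec)          # round-trip check before handing it to -p
        argv += ["-p", spec]
    argv.append(host)
    return argv


if __name__ == "__main__":
    # constructed observations, as a port scanner might have recorded them
    seen = [("tcp", 80, "SYN|ACK"), ("tcp", 23, "RST"), ("tcp", 445, None),
            ("udp", 53, "ICMP-unreach"), ("udp", 161, None)]
    print(" ".join(build_cmdline("192.168.1.10", seen)))
```

       Observations that match neither definition (a silent TCP port, an
       ICMP-unreachable TCP port, an unexpected UDP reply) are dropped rather
       than guessed, because a wrong state feeds the fingerprinting modules
       bad data. The UDP "open" rule cannot tell an open port from a filtered
       one; when that matters, confirm the port at the application level
       first, as the SNMP example with udp:161 does by retrieving sysDescr.0.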

HISTORY

       xprobe was developed in 2001 based on research performed by Ofir Arkin
       <ofir@sys-security.com>. The code was officially released at the
       BlackHat Briefings in Las Vegas in 2001. xprobe2 is a logical evolution
       of the xprobe code, with signature-based fuzzy fingerprinting logic
       embedded.


SEE ALSO

       nmap(1) queso(1) pcap(3)


AUTHORS

       Fyodor Yarochkin <fyodor@o0o.nu>, Ofir Arkin <ofir@sys-security.com>,
       Meder Kydyraliev <meder@o0o.nu>

       (see also CREDITS in the distribution tarball).


AVAILABILITY

       The current version and relevant documentation are available from the
       following URLs:
       http://www.sys-security.com/html/projects/X.html
       http://xprobe.sourceforge.net
       http://www.notlsd.net/xprobe/


BUGS

       None known (please report).

           XPROBE2($Id: xprobe2.1,v 1.18 2005/07/26 12:48:59 mederchik Exp $)