topic Re: scan in Operating System - HP-UX

scan

Nobody's Hero — Thu, 21 Dec 2006 08:12:53 GMT

When scanning for rogue devices on the network its easy to identify a windows machine because they all use a specific port.

Is there anyway to easily identify a UNIX system on the network while scanning?

Thanks.

Re: scan

Simon Hargrave — Thu, 21 Dec 2006 08:16:53 GMT

The thing is because of the way unix is, each individual service may be turned on or off, so it's perfectly possible in extreme cases to have a box running no telnet, ssh or ftp, and only running a "custom app" e.g. oracle - tcpwrappers etc can further stop and checks. The best you can do is telnet to lots of ports and look for clues, e.g. telnet banners, ftp banners etc. Or work in reverse. e.g. deduce it's NOT a windows machine by checking that you can't eg run "nbtstat -A" on it, so it's "more than likely" a UNIX/Linux device.

But ultimately if someone is being "rogue" on your network and wants to be undetectable, they can just lock down their incoming traffic and you'll pick up no clues.

Re: scan

Nobody's Hero — Thu, 21 Dec 2006 08:19:30 GMT

Yes, the gov't locks down ftp, telnet and all other non-secure methods of transmission. very tight.

still trying to figure how I can identify without using conventional connection commands. thanks for the reply, it helps.

Re: scan

Steven E. Protter — Thu, 21 Dec 2006 08:22:40 GMT

Shalom,

When scanning for rogue devices on the network its easy to identify a windows machine because they all use a specific port.

Not true. Windows boxes are almost as flexible and an use any port or service the network permits.

In a high scurity environment you may wish to limit what ports your routers permit traffic on.

Note that the linux port scanner nmap will identify machines on any port on the network if the service is open. In combination with tcpdump, you can spot any mac address that does not belong.

Linux is pretty handy for security, though nmap is available for HP-UX.

SEP

Re: scan

Simon Hargrave — Thu, 21 Dec 2006 08:31:30 GMT

Good point about MAC addresses. One thing you can do, if you have the mac address of a "suspect" device (eg in your arp cache), then you can run it through a MAC-address decoder such as this: -

http://www.techzoom.net/nettools-macdecode.asp

This will show you the manufacturer of the card (the first few digits of a mac address are specific to manufacturers). From this you may be able to determine the machine, for example if it's Sun it's pretty certain to be UNIX, if it's Compaq it's likely to be either Windows or Linux (which you can determine by elimination). If it's eg Cisco, Belkin etc you'll see it's a network device.

Not conclusive, but another piece of information - you need to use many such pieces of information to build a picture of what you're dealing with.

Re: scan

Bill Hassell — Thu, 21 Dec 2006 08:35:53 GMT

Not reliably. A good system administrator will shutoff all network ports except those required for system operation -- which might be a single ssh port, and even then, that same sysadmin will use a non-standard port for ssh.

On the other hand, out of the box, most Unix systems have dozens of ports activated. Those unique to Unix systems would be (archaic) ports for:

echo 7/tcp
echo 7/udp
discard 9/tcp
discard 9/udp
daytime 13/tcp
daytime 13/udp
chargen 19/tcp
chargen 19/udp
time 37/tcp
finger 79/tcp
who 513/udp
talk 517/udp
ntalk 518/udp

Depending on whether the rogue machine is just an experiment or a possible stealth attack on your network, these services may or may not be running. Looking for telnet (port 23) is also a possibility -- PCs usually don't listen on that port.

Re: scan

George Liu_4 — Thu, 21 Dec 2006 08:59:09 GMT

At this time, almost every OS has firewall enabled in default and shouldn't allow the remote scan as old days. Even can't scan XP to get the OS information.

Of cause you can still try nmap -O option to activate remote host identification via tcp/tp fingerprinting.

Re: scan

Fred K. Abell Jr._1 — Thu, 23 Aug 2007 09:31:20 GMT

Instead of looking at ports, look at the packets the machines send.

If you are scanning, nmap should have an active finger print detection.

If you are quietly monitoring the network, check out p0f, passive finger printing. Most operating systems have signatures on how they craft ip packets. SAN.org has a paper on this at http://www.sans.org/resources/idfaq/p0f.php.