
Re: scan

 
SOLVED
Go to solution
Nobody's Hero
Valued Contributor

scan

When scanning for rogue devices on the network it's easy to identify a Windows machine because they all use a specific port.

Is there any way to easily identify a UNIX system on the network while scanning?

Thanks.
UNIX IS GOOD
Simon Hargrave
Honored Contributor

Re: scan

The thing is, because of the way UNIX is, each individual service may be turned on or off, so it's perfectly possible in extreme cases to have a box running no telnet, ssh or ftp, and only running a "custom app", e.g. Oracle; tcpwrappers etc. can further stop any checks. The best you can do is telnet to lots of ports and look for clues, e.g. telnet banners, ftp banners etc. Or work in reverse, e.g. deduce it's NOT a Windows machine by checking that you can't, e.g., run "nbtstat -A" on it, so it's "more than likely" a UNIX/Linux device.

But ultimately if someone is being "rogue" on your network and wants to be undetectable, they can just lock down their incoming traffic and you'll pick up no clues.
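The banner-grabbing approach described above, as an added example (this is not code from the original thread or from any poster): connect to a few common ports, read whatever the service says first, and classify the host from keywords in the banner. The sample banners, the keyword lists and the `fingerprint_host` name are assumptions made for this illustration; the `grab` parameter exists so the classifier can be exercised offline against constructed banners instead of a live host.

```python
import re
import socket

# Constructed sample banners (not captured from any real host). The HP-UX
# FTP string is illustrative, not verbatim product output.
SAMPLE_BANNERS = {
    "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1": "unix",
    "220 hpux01 HP-UX FTP server ready.": "unix",
    "SSH-2.0-dropbear_2020.81": "unix",
    "SSH-2.0-OpenSSH_for_Windows_8.1": "windows",
    "220 Microsoft FTP Service": "windows",
    "220 ready": "unknown",
}

# Keyword lists are an assumption; extend them from banners seen on your network.
WINDOWS_RE = re.compile(r"windows|microsoft", re.I)
UNIX_RE = re.compile(
    r"hp-ux|sunos|solaris|linux|ubuntu|debian|red ?hat|freebsd|openbsd|"
    r"netbsd|aix|dropbear|openssh|wu-ftpd|vsftpd", re.I)


def classify_banner(banner):
    """Return 'windows', 'unix' or 'unknown' for one service banner.
    Windows is tested first so 'OpenSSH_for_Windows' is not counted as Unix."""
    if WINDOWS_RE.search(banner):
        return "windows"
    if UNIX_RE.search(banner):
        return "unix"
    return "unknown"


def grab_banner(host, port, timeout=3.0):
    """Connect and wait for the server to speak first.
    Returns the first line, '' if the port is open but silent,
    and None if the connection was refused or timed out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                return ""
    except OSError:
        return None
    if not data:
        return ""
    return data.decode("ascii", "replace").splitlines()[0].strip()


def fingerprint_host(host, ports=(21, 22, 23), grab=grab_banner):
    """Collect banners from several ports and take a majority vote.
    A host that yields no banner at all is reported as undetermined, which
    is exactly what a locked-down rogue box looks like."""
    evidence = []
    for port in ports:
        banner = grab(host, port)
        if banner:
            evidence.append((port, banner, classify_banner(banner)))
    votes = [verdict for _, _, verdict in evidence if verdict != "unknown"]
    guess = max(set(votes), key=votes.count) if votes else "undetermined"
    return {"host": host, "evidence": evidence, "guess": guess}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(fingerprint_host(target))
```

Because the vote only counts banners that matched a keyword, a host answering on port 22 with a bare "SSH-2.0-" string and nothing else stays undetermined rather than being forced into either camp.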
Nobody's Hero
Valued Contributor

Re: scan

Yes, the gov't locks down ftp, telnet and all other non-secure methods of transmission. Very tight.

Still trying to figure out how I can identify without using conventional connection commands. Thanks for the reply; it helps.
UNIX IS GOOD
Steven E. Protter
Exalted Contributor

Re: scan

Shalom,

When scanning for rogue devices on the network it's easy to identify a Windows machine because they all use a specific port.

Not true. Windows boxes are almost as flexible and can use any port or service the network permits.

In a high security environment you may wish to limit what ports your routers permit traffic on.

Note that the Linux port scanner nmap will identify machines on any port on the network if the service is open. In combination with tcpdump, you can spot any MAC address that does not belong.

Linux is pretty handy for security, though nmap is available for HP-UX.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Simon Hargrave
Honored Contributor

Re: scan

Good point about MAC addresses. One thing you can do, if you have the MAC address of a "suspect" device (e.g. in your arp cache), is run it through a MAC address decoder such as this:

http://www.techzoom.net/nettools-macdecode.asp

This will show you the manufacturer of the card (the first few digits of a MAC address are specific to manufacturers). From this you may be able to determine the machine; for example, if it's Sun it's pretty certain to be UNIX, if it's Compaq it's likely to be either Windows or Linux (which you can determine by elimination). If it's e.g. Cisco, Belkin etc. you'll see it's a network device.

Not conclusive, but another piece of information - you need to use many such pieces of information to build a picture of what you're dealing with.
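The OUI lookup described above, done locally on the output of `arp -a`, as an added example that is not part of the original thread. The OUI table is a tiny constructed subset of the IEEE registry (a real tool loads the current `oui.txt` from IEEE); the sample arp lines are constructed to mimic Linux, Windows and HP-UX output formats (HP-UX prints octets without leading zeros), and the function names are assumptions. The one check the web decoder will not do for you is also included: if the locally administered bit of the first octet is set, the address was assigned by software (randomized, cloned or VM-generated) and any vendor lookup on it is meaningless.

```python
import re

# Constructed subset of the IEEE OUI registry; verify and extend from the
# official oui.txt before relying on it.
OUI_TABLE = {
    "08:00:20": "Sun Microsystems",
    "00:00:0C": "Cisco Systems",
    "00:50:56": "VMware",
    "00:0C:29": "VMware",
}

# Octets may be 1 or 2 hex digits (HP-UX style 8:0:20:1:2:3) and use ':' or '-'.
MAC_RE = re.compile(r"((?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2})")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed arp -a lines in Linux, Windows, HP-UX and Linux formats.
ARP_SAMPLE = """\
? (192.168.1.10) at 08:00:20:aa:bb:cc [ether] on eth0
  192.168.1.20          00-0c-29-11-22-33     dynamic
sw1 (192.168.1.1) at 0:0:c:1:2:3 ether
? (192.168.1.77) at de:ad:be:ef:00:01 [ether] on eth0
"""


def normalize_mac(raw):
    """Canonical AA:BB:CC:DD:EE:FF form regardless of separator or padding."""
    octets = re.split(r"[:-]", raw)
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(o.zfill(2).upper() for o in octets)


def describe_mac(raw):
    """Vendor lookup plus the two address-type bits of the first octet:
    bit 0 = multicast, bit 1 = locally administered (LAA)."""
    mac = normalize_mac(raw)
    first = int(mac[:2], 16)
    info = {
        "mac": mac,
        "vendor": None,
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }
    if info["locally_administered"]:
        info["note"] = "LAA bit set (randomized/cloned/VM MAC): OUI lookup is meaningless"
    else:
        info["vendor"] = OUI_TABLE.get(mac[:8])
    return info


def parse_arp(text):
    """Extract (ip, raw_mac) pairs from arp -a output of the three formats above."""
    entries = []
    for line in text.splitlines():
        m_mac, m_ip = MAC_RE.search(line), IP_RE.search(line)
        if m_mac and m_ip:
            entries.append((m_ip.group(1), m_mac.group(1)))
    return entries


def classify_arp(text):
    """Annotate every arp entry with vendor and address-type flags."""
    return [dict(ip=ip, **describe_mac(mac)) for ip, mac in parse_arp(text)]


if __name__ == "__main__":
    for entry in classify_arp(ARP_SAMPLE):
        print(entry)
```

Run it against real data with `arp -an | python3 oui_check.py` after replacing `ARP_SAMPLE` with `sys.stdin.read()`; entries with `vendor` set to `None` and the LAA bit clear are simply prefixes missing from the small table, not unknown hardware.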
Bill Hassell
Honored Contributor

Re: scan

Not reliably. A good system administrator will shut off all network ports except those required for system operation -- which might be a single ssh port, and even then, that same sysadmin will use a non-standard port for ssh.

On the other hand, out of the box, most Unix systems have dozens of ports activated. Those unique to Unix systems would be (archaic) ports for:

echo 7/tcp
echo 7/udp
discard 9/tcp
discard 9/udp
daytime 13/tcp
daytime 13/udp
chargen 19/tcp
chargen 19/udp
time 37/tcp
finger 79/tcp
who 513/udp
talk 517/udp
ntalk 518/udp

Depending on whether the rogue machine is just an experiment or a possible stealth attack on your network, these services may or may not be running. Looking for telnet (port 23) is also a possibility -- PCs usually don't listen on that port.


Bill Hassell, sysadmin
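A probe for the archaic inetd ports listed above, as an added example that is not code from the thread or its posters. It does TCP connects only: the UDP entries (who 513, talk 517, ntalk 518) are listed but not probed, because a UDP service that simply does not answer is indistinguishable from a filtered port. The scoring thresholds, the `survey` and `sweep` names, and the `probe` parameter (which lets the logic be tested with a fake prober instead of live sockets) are assumptions for this illustration. One caveat a practitioner should keep in mind: a Windows host with the optional "Simple TCP/IP Services" installed also listens on 7, 9, 13 and 19, so treat these as evidence, not proof, as the post says.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# The TCP services from the post's list that are rarely open on a PC.
UNIX_TCP_INDICATORS = {
    7: "echo", 9: "discard", 13: "daytime", 19: "chargen",
    23: "telnet", 37: "time", 79: "finger",
}
# UDP-only entries from the same list; recorded for completeness, not probed.
UNIX_UDP_INDICATORS = {513: "who", 517: "talk", 518: "ntalk"}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake completes. The socket is closed at once, so
    chargen (19) is never read and cannot flood us with output."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def survey(host, probe=tcp_open):
    """Probe the indicator ports on one host and score the result."""
    open_ports = {p: name for p, name in UNIX_TCP_INDICATORS.items() if probe(host, p)}
    score = len(open_ports)
    if score == 0:
        verdict = "no archaic services answered: hardened, firewalled, or not Unix"
    elif score >= 3:
        verdict = "likely a stock Unix install (several inetd services open)"
    else:
        verdict = "weak Unix indication (one or two inetd services open)"
    return {"host": host, "open": open_ports, "score": score, "verdict": verdict}


def sweep(hosts, probe=tcp_open, workers=16):
    """Survey many hosts in parallel and return those with any evidence,
    highest score first. Silent hosts are dropped from the list, which is
    the limitation the post describes: a locked-down box leaves no trace here."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: survey(h, probe), hosts))
    return sorted((r for r in results if r["score"] > 0),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    import sys
    for result in sweep(sys.argv[1:] or ["127.0.0.1"]):
        print(result["host"], result["score"], sorted(result["open"].values()))
```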
George Liu_4
Trusted Contributor

Re: scan

At this time, almost every OS has a firewall enabled by default and shouldn't allow remote scans as in the old days. You can't even scan XP to get the OS information.

Of course you can still try the nmap -O option to activate remote host identification via TCP/IP fingerprinting.
Fred K. Abell Jr._1
Regular Advisor
Solution

Re: scan

Instead of looking at ports, look at the packets the machines send.

If you are scanning, nmap should have active fingerprint detection.

If you are quietly monitoring the network, check out p0f, passive fingerprinting. Most operating systems have signatures in how they craft IP packets. SANS.org has a paper on this at http://www.sans.org/resources/idfaq/p0f.php.
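A minimal version of the passive technique described in this answer, added here as an example (it is not p0f's code and not from the thread). It builds a constructed IPv4/TCP SYN with `struct` (checksums left at zero, since the packet is parsed, never sent), pulls out the fields p0f-style tools key on (TTL, don't-fragment bit, window size, MSS and the option order) and guesses the OS family from the initial TTL: Linux, the BSDs, macOS, HP-UX and AIX start near 64, Windows at 128, Solaris and Cisco IOS at 255. The family labels are a coarse approximation and an assumption of this example; real p0f matches complete signatures including window size and option order. The `build_syn`, `parse_syn` and `guess_os` names are likewise assumptions.

```python
import struct


def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_syn(src, dst, sport, dport, ttl, window, df=True, mss=1460):
    """Constructed IPv4 header + TCP SYN with an MSS option.
    Checksums are zero: this is test input, not a packet to transmit."""
    opts = struct.pack("!BBH", 2, 4, mss)            # kind 2, len 4, MSS
    tcp_len = 20 + len(opts)
    flags_frag = 0x4000 if df else 0                 # DF is bit 14
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     flags_frag, ttl, 6, 0, _ip4(src), _ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                      (tcp_len // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + opts


def parse_syn(pkt):
    """Extract the fingerprint-relevant fields from a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, = struct.unpack("!H", pkt[6:8])
    ttl, proto = pkt[8], pkt[9]
    if proto != 6:
        raise ValueError("not a TCP packet")
    tcp = pkt[ihl:]
    sport, dport, _seq, _ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    doff = (off >> 4) * 4
    opts, kinds, mss, i = tcp[20:doff], [], None, 0
    names = {2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                # end of options
            break
        if kind == 1:                                # NOP has no length byte
            kinds.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss, = struct.unpack("!H", opts[i + 2:i + 4])
        kinds.append(names.get(kind, str(kind)))
        i += length
    return {"sport": sport, "dport": dport, "syn": bool(flags & 0x02),
            "ttl": ttl, "df": bool(flags_frag & 0x4000),
            "window": window, "mss": mss, "options": kinds}


def guess_os(fp):
    """Round the observed TTL up to the nearest common initial value; the
    difference is the hop count. Families are a coarse assumption."""
    initial = next(t for t in (64, 128, 255) if t >= fp["ttl"])
    family = {
        64: "Linux/BSD/macOS/HP-UX/AIX (Unix-like)",
        128: "Windows",
        255: "Solaris/Cisco IOS or another 255-TTL stack",
    }[initial]
    return {"initial_ttl": initial, "hops": initial - fp["ttl"], "family": family}


if __name__ == "__main__":
    pkt = build_syn("192.0.2.10", "192.0.2.20", 40000, 22, ttl=52, window=64240)
    fp = parse_syn(pkt)
    print(fp)
    print(guess_os(fp))
```

To apply this to live traffic, feed `parse_syn` the bytes of each SYN captured by tcpdump or a raw socket; only SYNs (`fp["syn"]` true) carry the full option set a client advertises, which is why p0f keys on them rather than on arbitrary packets.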