Enhanced Operating System Identification with Nessus
(Note: This Blog was originally released in 2007 and was updated in March of 2009 to reflect an additional form of OS detection based on HTTP banners.)
Tenable's Research group recently introduced a highly accurate form of operating system identification. This new method combines input from various other plugins that perform separate techniques to guess or identify a remote operating system. This blog entry describes this new process and shows some example results .
Why a new process?
First, although we feel that TCP/IP fingerprinting to guess a remote network stack is useful, there are too many variables and limitations involved to be considered 100% reliable. TCP/IP fingerprinting techniques send specially crafted packets which trigger a different reaction from one OS to another. These different reactions are used to identify if the host is Windows, Linux, Cisco IOS and so on. Many variables on the network and on the host can influence how a stack behaves and cause unmatched or inaccurate guesses as to what exactly the remote OS actually is. And even when TCP/IP stack fingerprinting works 100%, it often can only guess the remote kernel, but not the specific Linux, Windows or other types of distributions.
Second, many Nessus users perform full credentialed scans and in-depth analysis of various applications. While logged into a UNIX or Windows system, or performing certain types of application queries, it is trivial to accurately determine the remote operating system. This information was previously reported, but contained in the results of many separate plugins. This type of information is extremely accurate compared to TCP/IP fingerprinting techniques. For example, Mac OS X systems can be accurately identified through their network time protocol (ntp) daemon without credentials. Running commands like "uname" on UNIX or looking up certain registry settings for Windows can yield highly accurate results.
This new process elegantly combines the best of each of these approaches, plus adds many new techniques which contribute to Nessus's guess of what a remote operating system really is.
How the new process works
Plugin #11936 (OS Identification) is still the main ID Nessus users should use to perform OS enumeration of their scanned systems. Prior to the recent change, this NASL script performed TCP/IP fingerprinting of OS stacks and also targeted a few Windows and Mac OS X protocols to increase the accuracy of the reported OS. The new process now takes input from the following other NASL scripts, which each reports their own OS guessing:
- os_fingerprint_ftp.nasl Uses the remote FTP banner to attempt to identify the underlying operating system. (Note, this functionality was added in Feb 2009)
- os_fingerprint_html.nasl Uses the HTML content returned by certain HTTP requests to fingerprint the remote OS. (note, this functionality was add in Feb 2009)
- os_fingerprint_http.nasl Uses the remote web server signature to infer the version of Windows or the Linux distribution running on the remote host.
- os_fingerprint_mdns.nasl If an mDNS server is present, will perform a highly accurate identification of Apple OS X systems.
- os_fingerprint_msrprc.nasl Identifies the remote version and service pack of Windows by making certain MSRPC requests against the remote Windows box.
- os_fingerprint_ntp.nasl Queries the Network Time Protocol daemon to perform a highly accurate OS guess.
- os_fingerprint_sinfp.nasl Implements the SinFP TCP/IP fingerprinting algorithm. Only requires one open port to fingerprint an OS. (Note this script does not work on Nessus 2.)
- os_fingerprint_smb.nasl Identifies the remote Windows OS based on a query to SMB.
- os_fingerprint_snmp.nasl If credentials are available to perform an SNMP query, data from the 'sysDesc' parameter is reported.
- os_fingerprint_ssh.nasl Attempts to identify the remote OS by the SSH banner.
- os_fingerprint_telnet.nasl Attempts to identify the remote OS by the Telnet banner.
- os_fingerprint_uname.nasl If SSH credentials of the remote UNIX hosts is provided, the results of 'uname -a' are obtained.
- os_fingerprint_linux_distro.nasl If SSH credentials of the remote Linux host is provided, the specific release will be obtained.
- os_fingerprint_xprobe.nasl This script attempts to identify the OS type and version by sending more or less incorrect ICMP requests using the techniques outlined in Ofir Arkin's paper 'ICMP Usage In Scanning'.
More OS fingerprinting modules will be added in the future.
Each of these plugins will report a confidence level for their scan results. For example, "real" OS detects through direct interaction with the operating system such as SNMP probes, running the 'uname' command or performing certain types of Windows registry queries all have a 100% confidence level. Other types of queries such as performing TCP or ICMP fingerprints, or trying to fingerprint an application, have been labeled with a value less than 100%. The result with the highest confidence level is used to guess the remote operating system.
Nessus users should either enable dependencies while scanning (which is the default value) or manually select which of these new plugins (available in the "General" plugin family) they wish to be launched.
Several of the plugins will report 'unknown' fingerprints for devices that do not have an existing match. Please email these signatures to firstname.lastname@example.org to be incorporated into future plugin updates.
All Nessus users benefit from these plugin submissions. The more fingerprints that are submitted, the more accurate future Nessus scans will be.
No discussion of accurate remote OS identification is complete without understanding how this process can be evaded.
Several years ago, it was considered that TCP/IP stack fingerprinting was the most reliable method of OS identification because application banners could be easily modified. It is fairly trivial to make an Apache web server look like it is an IIS web server or place an Exchange email banner on your Postfix mail server.
Today though, with the presence of technologies like /proc on Linux, sysctl on FreeBSD or the registry on Windows, modifying how your network stack behaves is also very easy.
The bottom line is that if someone wants to be fingerprinted like a different type of operating system, they can configure their system like this. By using many different application and fingerprint methods, and then weighting the results, Nessus will always be able to report something that can be used for auditing.
Example Scan Output
Here is some example text OS IDs from a Nessus 3 scan that included credentials for some systems:
The remote host is running Linux Kernel 2.4
Confidence Level : 70
Method : SinFP
The remote host is running Linux Kernel 2.6.9-5.EL
Confidence Level : 100
Method : uname
The remote host is running Microsoft Windows Server 2003, Enterprise Edition (English)
Confidence Level : 100
Method : SMB
The remote host is running Microsoft Windows XP Service Pack 2
Confidence Level : 99
Method : MSRPC
The remote host is running Linux Kernel 2.6
Confidence Level : 60
Method : ICMP
The remote host is running Mac OS X 10.4.9 (intel)
Confidence Level : 100
Method : NTP
Notice that many of these "confidence levels are 100%. This is because the UNIX check used the 'uname' command and the Windows host had port 445 open. Both of these checks are 100% accurate and there is no room for interpretation.
Plugin Availability and Updates
This new type of detection is available to all Nessus users who have updated their plugins recently with either the Professional or Home Feeds. Security Center users also benefit from the accuracy of these updated methods. The ability to accurately classify an OS is vital for automatic asset discovery and classification.