File: xprobe2.1

package: xprobe 0.3-4 (Debian; in suites bullseye, buster, sid)
.\" $Id: xprobe2.1,v 1.18 2005/07/26 12:48:59 mederchik Exp $ */
.\"
.\" Copyright (C) 2001-2002 Fyodor Yarochkin <fygrave@tigerteam.net>,
.\"                    	    Ofir Arkin       <ofir@sys-security.com>
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
.\"

.\" Generate man page: groff -man -Tascii xprobe.1 

.TH XPROBE2 1
.SH NAME
xprobe2 \- a remote active operating system fingerprinting tool
.SH SYNOPSIS
.na
.B xprobe2
[
.B \-v
] [
.B \-r
] [
.B \-p
.I proto:portnum:state
] [
.B \-c
.I configfile
] [
.B \-o
.I logfile
] [
.B \-t
.I receive\_timeout
] [
.B \-m
.I numberofmatches
] [
.B \-D
.I modnum
] [
.B \-F
] [
.B \-X
] [
.B \-B
] [
.B \-A
] [
.B \-T
.I port spec
] [
.B \-U
.I port spec
]
.I host
.br
.ad
.SH DESCRIPTION
.LP
\fIxprobe2\fP is an active operating system fingerprinting tool with a 
different approach to operating system fingerprinting. xprobe2 relies on
fuzzy signature matching, probabilistic guesses, multiple matches
simultaneously, and a signature database.
.LP
The operation of \fIxprobe2\fP is described in a paper titled "xprobe2 - A 
\'Fuzzy\' Approach to Remote Active Operating System Fingerprinting", which is
available from http://www.sys-security.com/html/projects/X.html. 
.LP
As \fIxprobe2\fP uses raw sockets to send probes, you must have
.B root
privileges in order for \fIxprobe2\fP to be able to use them.
.SH OPTIONS
.TP
.B \-v
be verbose.
.TP
.B \-r
display route to target (traceroute-like output).
.TP
.B \-c
use \fIconfigfile\fP as the configuration file (xprobe2.conf) instead of the one in the default location.
.TP
.B \-D
disable module number \fImodnum\fP.
.TP
.B \-m
set the number of results to display to \fInumberofmatches\fP.
.TP
.B \-o
use \fIlogfile\fP to log everything (the default output is stderr).
.TP
.B \-p
specify a port number (\fIportnum\fP), protocol (\fIproto\fP) and its \fIstate\fP for \fIxprobe2\fP to use during reachability and fingerprinting tests of the remote host. Possible values for \fIproto\fP are \fBtcp\fP or \fBudp\fP; \fIportnum\fP can only take values from \fB1\fP to \fB65535\fP; \fIstate\fP can be either \fBclosed\fP (for \fBtcp\fP this means the remote host replies with an RST packet, for \fBudp\fP that it replies with an ICMP Port Unreachable packet) or \fBopen\fP (for \fBtcp\fP this means the remote host replies with a SYN ACK packet, for \fBudp\fP that it does not send any packet back).
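.LP
The following Python is an added illustration of the \fIproto:portnum:state\fP argument and of the reply-to-state mapping described above; it is not code from \fIxprobe2\fP or its authors. The function names, the reply labels and the sample observations are assumptions made for this example. Note that silence from a UDP port is also what a filtered port produces, so an "open" UDP port declared on the command line cannot be confirmed from the reply alone; the NOTES section below asks for at least one known closed UDP port for that reason.

```python
from dataclasses import dataclass

# Reply kinds named in the description of -p (labels constructed for this example).
TCP_RST = "tcp-rst"
TCP_SYNACK = "tcp-synack"
ICMP_PORT_UNREACH = "icmp-port-unreachable"
NO_REPLY = "no-reply"

# Reply -> state, exactly as the -p option defines it.
REPLY_STATE = {
    ("tcp", TCP_SYNACK): "open",
    ("tcp", TCP_RST): "closed",
    ("udp", ICMP_PORT_UNREACH): "closed",
    ("udp", NO_REPLY): "open",
}


@dataclass(frozen=True)
class PortSpec:
    proto: str   # "tcp" or "udp"
    port: int    # 1..65535
    state: str   # "open" or "closed"


def parse_port_spec(spec: str) -> PortSpec:
    """Parse a -p argument of the form proto:portnum:state.

    Every field is checked against the ranges the manual lists, so a typo
    such as tcp:0:open or icmp:1:open is rejected before any probe is built.
    """
    parts = spec.strip().split(":")
    if len(parts) != 3:
        raise ValueError(f"expected proto:portnum:state, got {spec!r}")
    proto, portnum, state = (p.strip().lower() for p in parts)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"proto must be tcp or udp, got {proto!r}")
    if not portnum.isdecimal() or not 1 <= int(portnum) <= 65535:
        raise ValueError(f"portnum must be 1..65535, got {portnum!r}")
    if state not in ("open", "closed"):
        raise ValueError(f"state must be open or closed, got {state!r}")
    return PortSpec(proto, int(portnum), state)


def state_from_reply(proto: str, reply: str) -> str:
    """Return the port state implied by an observed reply, per the -p semantics."""
    try:
        return REPLY_STATE[(proto, reply)]
    except KeyError:
        raise ValueError(f"no defined state for {proto} reply {reply!r}") from None


def check_spec_against_reply(spec: PortSpec, reply: str) -> bool:
    """True when the state the user declared matches what the host actually did.

    A mismatch (e.g. tcp:139:open but the host answered with RST) means the
    supplied information is wrong and fingerprinting built on it is suspect.
    """
    return state_from_reply(spec.proto, reply) == spec.state


if __name__ == "__main__":
    # Constructed observations for the port specs used in this manual page.
    observed = {
        "udp:53:closed": ICMP_PORT_UNREACH,
        "tcp:80:open": TCP_SYNACK,
        "tcp:139:open": TCP_RST,  # declared open, but the host sent RST
    }
    for text, reply in observed.items():
        spec = parse_port_spec(text)
        verdict = "consistent" if check_spec_against_reply(spec, reply) else "MISMATCH"
        print(f"{text:16} reply={reply:22} -> {verdict}")
```

Running the block prints one line per constructed observation; the third shows the mismatch case, which is the situation a user should catch before trusting a fingerprint built on a wrongly declared port.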
.TP
.B \-t
set the receive timeout to \fIreceive\_timeout\fP seconds (the default is 10 seconds).
.TP
.B \-F
generate a signature for the specified target (use \fB\-o\fP to save the fingerprint to a file).
.TP
.B \-X
write XML output to the logfile specified with \fB\-o\fP.
.TP
.B \-B
causes \fIxprobe2\fP to be a bit more noisy: \fB\-B\fP makes the TCP handshake module try to blindly guess an open TCP port on the target by sending sequential probes to the following well-known ports: 80, 443, 23, 21, 25, 22, 139, 445 and 6000, hoping to get a SYN ACK reply. If \fIxprobe2\fP receives RST|ACK or SYN|ACK packets for a port in the list above, the port is saved in the target port database for later use by other modules (e.g. the RST module).
.TP
.B \-T, \-U
enable the built-in portscanning module, which will attempt to scan the TCP and/or UDP ports, respectively, specified in \fIport spec\fP.
.TP
.B \-A
enable experimental support, in the portscanning module, for detecting transparent proxies and firewalls/NIDSs that spoof RST packets. This option should be used in conjunction with \fB\-T\fP. All responses gathered from the target during the portscanning process are divided into two classes (SYN|ACK and RST) and saved for analysis. During analysis the module searches, within each class, for packets that differ in some of the fields of the TCP and IP headers; if such packets are found, a message is displayed showing the differing packets within the same class.
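.LP
The class comparison the \fB\-A\fP option describes, as an added Python illustration that is not part of \fIxprobe2\fP: replies are grouped into the SYN|ACK and RST classes and, within each class, compared on a few TCP/IP header fields, and any class that contains more than one distinct variant is reported. The particular fields compared (TTL, window, DF bit, TCP options), the record layout, the function names and the sample replies are assumptions made for this example; the manual only says that some header fields are compared.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TcpReply:
    """One reply seen during the portscan (field subset chosen for this example)."""
    port: int
    flags: str        # TCP flags as letters, e.g. "SA" for SYN|ACK, "RA" for RST|ACK
    ttl: int          # IP TTL as received
    ip_id: int        # IP identification; recorded but not compared (varies per packet)
    window: int       # TCP window size
    df: bool          # IP Don't-Fragment bit
    tcp_options: str  # TCP option list in order, "" when none


# Header fields one real host is expected to keep constant within a class.
# Assumed for this example; the manual does not list the exact fields.
COMPARED_FIELDS = ("ttl", "window", "df", "tcp_options")

Variant = Tuple[int, int, bool, str]


def classify(reply: TcpReply) -> str:
    """The two classes -A works with: SYN|ACK replies and RST replies."""
    return "SYN|ACK" if "S" in reply.flags else "RST"


def find_inconsistent_classes(
    replies: Iterable[TcpReply],
) -> Dict[str, Dict[Variant, List[int]]]:
    """For each class holding more than one distinct header variant, return
    the variants found and the ports each one was seen on.

    An empty dict means every class was internally consistent.
    """
    by_class: Dict[str, List[TcpReply]] = defaultdict(list)
    for r in replies:
        by_class[classify(r)].append(r)
    findings: Dict[str, Dict[Variant, List[int]]] = {}
    for cls, group in by_class.items():
        variants: Dict[Variant, List[int]] = defaultdict(list)
        for r in group:
            key = tuple(getattr(r, f) for f in COMPARED_FIELDS)
            variants[key].append(r.port)
        if len(variants) > 1:
            findings[cls] = {v: sorted(ports) for v, ports in variants.items()}
    return findings


def report(findings: Dict[str, Dict[Variant, List[int]]]) -> List[str]:
    """Render the findings as the kind of message -A is documented to display."""
    lines: List[str] = []
    for cls, variants in findings.items():
        lines.append(f"{cls}: {len(variants)} different packet variants in the same class")
        for v, ports in variants.items():
            fields = ", ".join(f"{f}={val!r}" for f, val in zip(COMPARED_FIELDS, v))
            lines.append(f"  ports {ports}: {fields}")
    return lines


# Constructed sample: a host answering SYN|ACK on 22 and 80 and RST on 23 and
# 25, plus an RST for 139 whose TTL and DF bit differ from the host's other
# RSTs, as a device in the path that spoofs RSTs on the host's behalf might produce.
SAMPLE_REPLIES = [
    TcpReply(22, "SA", 64, 1001, 5840, True, "MSS,SACK,TS,NOP,WS"),
    TcpReply(80, "SA", 64, 1002, 5840, True, "MSS,SACK,TS,NOP,WS"),
    TcpReply(23, "RA", 64, 1003, 0, True, ""),
    TcpReply(25, "RA", 64, 1004, 0, True, ""),
    TcpReply(139, "RA", 255, 7, 0, False, ""),
]

if __name__ == "__main__":
    for line in report(find_inconsistent_classes(SAMPLE_REPLIES)):
        print(line)
```

On the constructed sample the SYN|ACK class is consistent and the RST class is reported with two variants, the second of which is the reply for port 139; in a real capture the analyst would then decide whether that port is really closed on the host or whether an in-path device answered for it.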
.SH EXAMPLES
.LP
.RS
.nf
\fBxprobe2 -v -D 1 -D 2 192.168.1.10\fP
.fi

Will launch an OS fingerprinting attempt targeting 192.168.1.10. Modules 1 and 2, which are reachability tests, will be disabled, so probes will be sent even if the target appears to be down. Output will be verbose.

.RE
.RS
.nf
\fBxprobe2 -v -p udp:53:closed 192.168.1.20\fP
.fi

Will launch an OS fingerprinting attempt targeting 192.168.1.20. UDP port 53 is declared closed and used as the UDP destination port, and the output will be verbose.

.RE
.RS
.nf 
\fBxprobe2 -M 11 -p tcp:80:open 192.168.1.1\fP
.fi

Will enable only the TCP handshake module (number 11) to probe the target; very useful when all ICMP traffic is filtered.
.RE
.RS

.nf
\fBxprobe2 -B 192.168.1.1\fP
.fi

Will cause the TCP handshake module to try to blindly guess an open port on the target by sequentially sending TCP packets to the most likely open ports (80, 443, 23, 21, 25, 22, 139, 445 and 6000).
.RE

.RS
.nf
\fBxprobe2 -T 1-1024 127.0.0.1\fP
.fi

Will enable the portscanning module, which will scan TCP ports 1 to 1024 on 127.0.0.1.
.RE

.RS
.nf
\fBxprobe2 -p tcp:139:open 192.168.1.2\fP
.fi

If the remote target has TCP port 139 open, the command line above will enable the application-level SMB module (if the remote target has TCP port 445 open instead, substitute 445 for 139 in the command line).
.RE

.RS
.nf
\fBxprobe2 -p udp:161:open 192.168.1.10\fP
.fi

Will enable the SNMPv2c application-level module, which will try to retrieve the sysDescr.0 OID using community strings taken from the xprobe2.conf file.
.RE


.SH NOTES
\fIxprobe2\fP fingerprints the remote operating system by analyzing the replies from the target, so to get the most out of \fIxprobe2\fP you need to supply it with as much information as possible; in particular it is important to supply at least one open TCP port and one closed UDP port. An open TCP port can be provided on the command line (\fB\-p\fP), obtained through the built-in portscanner (\fB\-T\fP), or guessed blindly by \fIxprobe2\fP with the \fB\-B\fP option. A UDP port can be supplied on the command line (\fB\-p\fP) or through the built-in portscanner (\fB\-U\fP).

.SH HISTORY
xprobe was developed in 2001 based on research performed by Ofir
Arkin <ofir@sys-security.com>. The code was officially released at the
BlackHat Briefings in Las Vegas in 2001. xprobe2 is a logical evolution of the
xprobe code, with signature-based fuzzy fingerprinting logic embedded.
.SH "SEE ALSO"
nmap(1) queso(1) pcap(3)
.SH AUTHORS
Fyodor Yarochkin <fyodor@o0o.nu>, Ofir Arkin <ofir@sys-security.com>, Meder Kydyraliev <meder@o0o.nu>
.PP
(see also CREDITS in distro tarball).
.SH AVAILABILITY
The current version and relevant documentation are available from the following URL:
.br
.I https://sourceforge.net/projects/xprobe/
.SH BUGS
None known (please report).