Writing an Operating System Fingerprinting Module for MSF

Assuming an exploit works, the key factors for successful exploitation are the PAYLOAD and TARGET settings. If the target host is behind a well-configured firewall, a bind socket payload won’t allow you to access the host. Also, if you don’t know the remote operating system, using an OS-specific target is useless; a return address for Windows NT typically won’t work against a Windows XP machine.

Usually the application level can aid in the targeting process. For instance, if an HTTP request returns Apache/1.3.22 (Win32), you probably aren’t using FreeBSD targets. But what if the service yields no obvious clue regarding its underlying operating system? In this case we would use a technique called operating system fingerprinting to narrow the scope of possible targets and increase the likelihood of success. This is vital for so-called “one-shot” exploits in which the service crashes or becomes unexploitable after failed attempts.
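The banner-based narrowing described above, as an added example that is not code from the book or from the Metasploit project: it pulls the Server header from an HTTP response, maps any platform hint to an OS family, and drops the targets that hint rules out; when the banner gives no clue, every target stays in play, which is exactly the case where OS fingerprinting is needed. The target names, the hint patterns and the two responses are constructed for the example.

```ruby
# Banner fragments that betray the platform (constructed list, not exhaustive).
OS_HINTS = [
  [/\(win32\)|\(win64\)|microsoft-iis/i,                        :windows],
  [/freebsd/i,                                                  :freebsd],
  [/\(unix\)|\(linux\)|\(debian\)|\(red ?hat\)|ubuntu|centos/i, :linux],
].freeze

# Constructed target table in the shape an MSF exploit carries: name => OS family.
TARGETS = {
  'Windows NT 4.0 SP6'  => :windows,
  'Windows XP SP1'      => :windows,
  'FreeBSD 4.x'         => :freebsd,
  'Linux 2.4 (generic)' => :linux,
}.freeze

# Pull the Server header value out of a raw HTTP response; nil when absent.
def server_banner(response)
  m = response.match(/^Server:\s*(.+?)\r?$/i)
  m && m[1].strip
end

# Map a banner to an OS family symbol, or nil when it gives no clue.
def os_from_banner(banner)
  return nil if banner.nil?
  hit = OS_HINTS.find { |re, _| banner =~ re }
  hit && hit[1]
end

# Return the target names still plausible for this response. With no hint in
# the banner every target is returned, and the caller should fall back to OS
# fingerprinting instead of guessing (the one-shot case from the text).
def narrow_targets(response, targets = TARGETS)
  os = os_from_banner(server_banner(response))
  return targets.keys if os.nil?
  targets.select { |_, fam| fam == os }.keys
end

# Constructed responses: one that leaks the platform, one that does not.
WIN_RESP  = "HTTP/1.1 200 OK\r\nServer: Apache/1.3.22 (Win32)\r\n\r\n"
BARE_RESP = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
```

Run against your own services, the same parse shows which of them advertise their platform in the Server header.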