In this article the reader will learn how to utilize tools for passive operating system identification, what passive operating system identification is and how it can be accomplished.

 

Give The Server The Finger

 

Finger is an old utility for finding information about users. Unfortunately if remote locations are running the, finger daemon, what can happen is you, too can unearth information in regard to what users are on the remote box.

 

This can be run in one of 3 ways. You can use a dictionary attack type approach. In this approach you can hunt down every name imaginable under the sun, and load it into a program to help generate a shell script. We will create a windows, and Linux utility that will help in this case to sort you out user names. This way, no one can hide if the service / daemon is running, or open. Figure 1.0 demonstrates the information that can be extrapolated from servers utilizing the finger daemon.

These examples cover information that can be contained within a web location source code that an attacker can utilize to his or her advantage.

This document discusses the methods utilized by attackers to map web locations on a windows machine. Please note that while this information is dated (and you can also utilize wget on windows for the same thing) some of these methods have been depreciated. If you are utilizing a windows XP or windows 7 VM for attacking, you may read this article to familiarize yourself with older legacy tools.

 This process as well as all HTTP mapping or source view web sites operate by downloading the web site on a local box and then reviewing the code or how it works off-line. This document helps you understand the process with teleport pro. Although it's an older tool, and may not be used anymore. It's still worth the mention. 

A quick article that covers the usage of wget to map, or download all content from a web site so an attacker can crawl the location off-line. This has a few benefits that can expand on regex to find information that can be utilized for an attack later on.

This article walks you through utilizing some form "key features" to isolate user names, or accounts. It can also extend to e-mail addresses if in the event the administrators or developers included the feature to "check if available." However, this can also extend to the forgotten password link to see if a given e-mail is associated with a domain or page. Please keep in mind that this may not work with all locations.

 

SMTP User Isolation

 

Again, the administrators fall victim to the finger pointing game. However, it shouldn't be only the administrators whom get the majority of the blame. In the security landscape, especially said for the given fact that – if you have an information security division use it! SMTP has it's own issues where it serves up information. As we've seen from banner grabbing, this section deals specifically with the extraction of user names, and verifying who and what is on the target.

 

So how do we do this? Where do we look? Let us show you ;-)