Molet

Xprobe2: an active operating system fingerprinting tool

Molet | Security Protection | 2023-01-10

XProbe is a remote host operating system probing tool. Its developers build on some of the same techniques as Nmap and add innovations of their own. Xprobe obtains its fingerprints through the ICMP protocol. The latest version is Xprobe2 0.3; Xprobe2 applies a fuzzy-matrix statistical analysis to the characteristics of the ICMP datagrams returned in response to its actively sent probe datagrams, and from those infers the type of the remote operating system. Note: in my own testing, identification of older operating systems is very accurate, while identification of systems with newer kernels is less reliable.
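To make the fuzzy-matrix idea concrete, here is a small Python model of the scoring, added for this page; it is not Xprobe2's own code. The test names, signature values and observed responses are all constructed for the demonstration (Xprobe2 keeps its real signatures in xprobe2.conf). It shows two things the transcript further down exhibits: why coarse ICMP features alone leave many candidates tied at 100% (ten 2.6.x kernels in the transcript), and why a module that could not run (no open TCP port, so fingerprint:tcp_hshake aborted) drops out of the denominator instead of lowering every score.

```python
"""Toy fuzzy-matrix OS scoring in the spirit of Xprobe2's engine.

Added illustration, not Xprobe2's own code. Test names, signature values
and the observed responses are constructed for this demo; they are not
real fingerprints (Xprobe2 keeps its real signatures in xprobe2.conf).
"""
from typing import Dict, List, Optional, Tuple

Signature = Dict[str, object]

# Constructed signature matrix: rows are candidate operating systems,
# columns are the per-test values each OS is expected to produce.
LINUX_26: Signature = {
    "icmp_echo_ttl": 64,            # TTL seen on the echo reply
    "icmp_echo_df": True,           # DF bit set on the echo reply
    "icmp_echo_code_echoed": True,  # nonzero ICMP code copied into the reply
    "icmp_tstamp_reply": True,      # answers ICMP timestamp requests
    "icmp_amask_reply": False,      # answers ICMP address-mask requests
    "icmp_unreach_ttl": 64,         # TTL on the port-unreachable message
    "tcp_syn_ack_window": 5840,     # window advertised in the SYN/ACK
}
SIGNATURES: Dict[str, Signature] = {
    "Linux Kernel 2.6.6": dict(LINUX_26),
    "Linux Kernel 2.6.7": dict(LINUX_26),
    "Linux Kernel 2.6.8": dict(LINUX_26),
    "Linux Kernel 2.4.20": {**LINUX_26, "tcp_syn_ack_window": 5792},
    "FreeBSD 5.3": {**LINUX_26, "icmp_echo_df": False,
                    "icmp_echo_code_echoed": False, "tcp_syn_ack_window": 65535},
    "Windows 2000": {"icmp_echo_ttl": 128, "icmp_echo_df": False,
                     "icmp_echo_code_echoed": False, "icmp_tstamp_reply": True,
                     "icmp_amask_reply": True, "icmp_unreach_ttl": 128,
                     "tcp_syn_ack_window": 16384},
}

# Constructed observation: what the probe modules saw. None marks a test
# whose module could not run (here: no open TCP port, as in the page's
# transcript where fingerprint:tcp_hshake aborted).
OBSERVED_ICMP_ONLY: Dict[str, Optional[object]] = {
    "icmp_echo_ttl": 64, "icmp_echo_df": True, "icmp_echo_code_echoed": True,
    "icmp_tstamp_reply": True, "icmp_amask_reply": False, "icmp_unreach_ttl": 64,
    "tcp_syn_ack_window": None,
}
OBSERVED_WITH_TCP = {**OBSERVED_ICMP_ONLY, "tcp_syn_ack_window": 5840}


def score(observed: Dict[str, Optional[object]],
          signatures: Dict[str, Signature] = SIGNATURES) -> List[Tuple[str, int]]:
    """Score every OS by the share of executed tests its signature matches.

    Tests that did not run are left out of the denominator, so a probe with
    fewer usable modules yields coarser, not lower, probabilities.
    """
    ran = {t: v for t, v in observed.items() if v is not None}
    if not ran:
        return []
    results = []
    for os_name, sig in signatures.items():
        matches = sum(1 for t, v in ran.items() if sig.get(t) == v)
        results.append((os_name, round(100 * matches / len(ran))))
    # Python's sort is stable, so signature order is kept among equal scores.
    results.sort(key=lambda r: r[1], reverse=True)
    return results


def top_guesses(results: List[Tuple[str, int]]) -> List[str]:
    """Names tied at the highest probability: the primary guess plus the
    'Other guesses' Xprobe2 prints at the same percentage."""
    if not results:
        return []
    best = results[0][1]
    return [name for name, p in results if p == best]


if __name__ == "__main__":
    for label, obs in (("ICMP modules only", OBSERVED_ICMP_ONLY),
                       ("ICMP + TCP handshake", OBSERVED_WITH_TCP)):
        print(f"== {label} ==")
        for name, p in score(obs):
            print(f'[+] Running OS: "{name}" (Guess probability: {p}%)')
```

With only the ICMP columns available, the three 2.6.x rows and the 2.4.20 row all score 100% because nothing observed separates them; once the SYN/ACK window is observed, 2.4.20 drops to 86% while the 2.6.x rows remain tied, which is exactly the shape of the transcript's "Other guesses" list. Read from the other side, each column a host answers (timestamp requests, echoed ICMP codes) is a column of the matrix it hands out, which is what host firewall policy and ICMP-related sysctl hardening remove.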

Download link: http://down.51cto.com/data/153234


Installation steps:

# tar -zxvf xprobe2-0.3.tar.gz
# ./configure --prefix=/usr/local/
# make
# make install

Usage:

#/usr/local/xprobe/bin/xprobe2 -h

Options:
-v Be verbose
-r Show route to target(traceroute)
-p Specify portnumber, protocol and state. Example: tcp:23:open, UDP:53:CLOSED
-c Specify config file to use.
-h Print this help.
-o Use logfile to log everything.
-t Set initial receive timeout or roundtrip time.
-s Set packsending delay (milseconds).
-d Specify debugging level.
-D Disable module number .
-M Enable module number .
-L Display modules.
-m Specify number of matches to print.
-T Enable TCP portscan for specified port(s). Example: -T21-23,53,110
-U Enable UDP portscan for specified port(s).
-f force fixed round-trip time (-t opt).
-F Generate signature (use -o to save to a file).
-X Generate XML output and save it to logfile specified with -o.
-B Options forces TCP handshake module to try to guess open TCP port
-A Perform analysis of sample packets gathered during portscan in order to detect suspicious traffic (i.e. transparent proxies, firewalls/NIDSs resetting connections). Use with -T.

Readers can try the options above themselves. Here is a simple test of my own, assuming the current directory is /usr/local/xprobe/bin/:

#./xprobe2 www.163.com

Xprobe2 v.0.3 Copyright (c) 2002-2005 fyodor@o0o.nu, ofir@sys-security.com, meder@o0o.nu

[+] Target is www.163.com
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[x] [3] ping:udp_ping - UDP-based ping discovery module
[x] [4] infogather:ttl_calc - TCP and UDP based TTL distance calculation
[x] [5] infogather:portscan - TCP and UDP PortScanner
[x] [6] fingerprint:icmp_echo - ICMP Echo request fingerprinting module
[x] [7] fingerprint:icmp_tstamp - ICMP Timestamp request fingerprinting module
[x] [8] fingerprint:icmp_amask - ICMP Address mask request fingerprinting module
[x] [9] fingerprint:icmp_port_unreach - ICMP port unreachable fingerprinting module
[x] [10] fingerprint:tcp_hshake - TCP Handshake fingerprinting module
[x] [11] fingerprint:tcp_rst - TCP RST fingerprinting module
[x] [12] fingerprint:smb - SMB fingerprinting module
[x] [13] fingerprint:snmp - SNMPv2c fingerprinting module
[+] 13 modules registered
[+] Initializing scan engine
[+] Running scan engine
[-] ping:tcp_ping module: no closed/open TCP ports known on 220.181.28.51. Module test failed
[-] ping:udp_ping module: no closed/open UDP ports known on 220.181.28.51. Module test failed
[-] No distance calculation. 220.181.28.51 appears to be dead or no ports known
[+] Host: 220.181.28.51 is up (Guess probability: 50%)
[+] Target: 220.181.28.51 is alive. Round-Trip Time: 0.02320 sec
[+] Selected safe Round-Trip Time value is: 0.04640 sec
[-] fingerprint:tcp_hshake Module execution aborted (no open TCP ports known)
[-] fingerprint:smb need either TCP port 139 or 445 to run
[-] fingerprint:snmp: need UDP port 161 open
[+] Primary guess:
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.6" (Guess probability: 100%)
[+] Other guesses:
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.7" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.8" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.9" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.10" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.11" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.5" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.4" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.0" (Guess probability: 100%)
[+] Host 220.181.28.51 Running OS: "Linux Kernel 2.6.1" (Guess probability: 100%)
[+] Cleaning up scan engine
[+] Modules deinitialized
[+] Execution completed.

The probe shows that the NetEase host reached from Shanghai (where I ran the test), IP 220.181.28.51, runs Linux with a kernel version somewhere between 2.6.1 and 2.6.11. It may well be a newer kernel: the range of system versions for which xprobe currently carries fingerprints is limited. From my repeated probes of different systems (FreeBSD, Debian, CentOS, Solaris, AIX, Windows XP, 2000 and 2003), the older the system, the more accurate the result. I hope the software's author keeps this work going!
