a hacker to identify the operating system and the services running on the target system.

The ability to run stealth-configured scans that go unreported can be tested using TCP SYN (half-open) scans and FIN, XMAS and NULL scans. A closed port returns an RST packet. However, the Microsoft TCP/IP stack does not follow RFC 793 for FIN, XMAS or NULL probes, which makes these scan types irrelevant against Windows hosts.

UDP is defined by RFC 768. An ICMP port unreachable response means that the port is not active on most operating systems, which effectively eliminates the closed ports from the scan. Different types of response identify different operating systems. This is reliable on local network segments when it is undertaken from compromised hosts. Secret signatures may be required to elicit an open-port response from a port controlled by a Trojan.

OS identification is important to a hacker because it determines which types of buffer overflow attack can be tried in order to compromise a host.

Active OS identification methods (vulnerability testing): the methods used include checking for a logon banner and downloading binary content over FTP, which includes compiler type information. Simple analysis of the ports that are open will identify the OS, i.e. TCP/UDP ports 137, 138 and 139 open indicate Windows NetBIOS, while NT and Windows 2000 are indicated by the small services such as TCP 79 (finger), which does not appear on a Windows 9x box. Identifying and removing these services is paramount to improving the security of these boxes. Linux can be recognised by a handful of ports above 1024 and by linuxconf on TCP 98. Sun may be listening on TCP/UDP 111 (RPC). Other Unix systems are suggested by syslog on UDP 514, although this can also be exposed by add-on utilities on Windows machines. Comparing SYN and FIN scan results can determine RFC compliance: if the SYN and FIN results are similar, the stack is RFC compliant and not a Microsoft stack. Obviously this would not apply to a Windows firewall, especially if it
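The following is an added example, not code from the original page, that turns the points above into something a defender can run: it classifies TCP flag combinations into the scan types named (SYN half-open, FIN, XMAS, NULL), models the reply RFC 793 prescribes for open and closed ports versus the Microsoft deviation the page describes, applies the page's SYN-versus-FIN comparison rule, flags the legacy listening ports the page says should be identified and removed, and runs a simple stealth-scan detector over constructed firewall log lines. The log format, the five-port alert threshold, and the sample addresses are assumptions made for this example.

```python
"""
Added example (not from the original page): scan-type classification,
RFC 793 reply model, SYN/FIN compliance inference, legacy-service findings,
and a stealth-scan detector over constructed firewall log lines.
Log format, thresholds and addresses are assumptions for this example.
"""
import re
from collections import defaultdict

# Flag letters as tcpdump/nmap print them: S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST
SCAN_SIGNATURES = {
    frozenset("S"): "SYN",      # half-open: SYN only, handshake never completed
    frozenset("F"): "FIN",
    frozenset("FPU"): "XMAS",   # FIN+PSH+URG all "lit"
    frozenset(): "NULL",        # no flags set at all
}

def classify_probe(flags: str) -> str:
    """Map a flag string such as 'S', 'FPU' or '' to a scan type, or 'other'."""
    return SCAN_SIGNATURES.get(frozenset(flags.upper()), "other")

def expected_reply(scan: str, port_open: bool, rfc_compliant: bool = True) -> str:
    """Reply a probe elicits under RFC 793, or on a Microsoft stack (rfc_compliant=False)."""
    if scan == "SYN":
        return "SYN/ACK" if port_open else "RST"
    if scan in ("FIN", "XMAS", "NULL"):
        if not port_open:
            return "RST"            # closed port answers RST on every stack
        # RFC 793: an open port silently drops a segment carrying no SYN/RST/ACK.
        # Windows stacks answer RST for open ports too, so FIN/XMAS/NULL cannot
        # separate open from closed there (the page's "irrelevant" case).
        return "none" if rfc_compliant else "RST"
    raise ValueError(f"unknown scan type {scan!r}")

def infer_rfc_compliance(syn_open: set, fin_open: set) -> str:
    """Page's rule: matching SYN and FIN results mean an RFC-compliant stack."""
    return "rfc-compliant" if syn_open == fin_open else "non-rfc (Microsoft-style) stack"

# Ports the page singles out as OS tells and legacy services worth removing.
LEGACY_SERVICES = {
    79: ("finger", "Windows NT/2000 or Unix"),
    98: ("linuxconf", "Linux"),
    111: ("sunrpc portmapper", "Sun/Unix"),
    137: ("NetBIOS name service", "Windows"),
    138: ("NetBIOS datagram", "Windows"),
    139: ("NetBIOS session", "Windows"),
    514: ("syslog (UDP)", "Unix, or a Windows add-on"),
}

def exposed_legacy_services(open_ports) -> list:
    """Flag listeners that both fingerprint the OS and widen the attack surface."""
    return [(p, *LEGACY_SERVICES[p]) for p in sorted(open_ports) if p in LEGACY_SERVICES]

# Constructed firewall log lines (not real captures): one probe per line.
SAMPLE_LOG = """\
src=192.0.2.10 dst=198.51.100.5 dport=21 flags=S
src=192.0.2.10 dst=198.51.100.5 dport=22 flags=S
src=192.0.2.10 dst=198.51.100.5 dport=79 flags=FPU
src=192.0.2.10 dst=198.51.100.5 dport=98 flags=FPU
src=192.0.2.10 dst=198.51.100.5 dport=111 flags=FPU
src=192.0.2.10 dst=198.51.100.5 dport=139 flags=FPU
src=192.0.2.10 dst=198.51.100.5 dport=514 flags=FPU
src=203.0.113.7 dst=198.51.100.5 dport=443 flags=S
src=203.0.113.7 dst=198.51.100.5 dport=443 flags=A
"""

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) flags=(\S*)")

def detect_stealth_scans(log_text: str, min_ports: int = 5) -> dict:
    """Return {(src, dst, scan_type): sorted ports} for sources that probed at
    least `min_ports` distinct ports with one scan flag pattern (assumed threshold)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # ignore lines that do not fit the assumed format
        src, dst, dport, flags = m.groups()
        scan = classify_probe(flags)
        if scan != "other":
            seen[(src, dst, scan)].add(int(dport))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}

if __name__ == "__main__":
    for key, ports in detect_stealth_scans(SAMPLE_LOG).items():
        print("stealth scan:", key, ports)
    print(exposed_legacy_services({22, 79, 139, 443}))
    print(infer_rfc_compliance({22, 80}, set()))
```

Run as a script it reports the XMAS sweep from 192.0.2.10, the finger and NetBIOS listeners in the sample port set, and the compliance verdict for a host whose FIN scan found nothing open. The detector keys on (source, destination, scan type) rather than source alone so that a legitimate client completing a handshake (the SYN then ACK from 203.0.113.7) is never counted as a sweep.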
Network Penetration Methods |