March 19, 2001, 9:34 AM —
One of the things hackers most want to know about a site they're planning to break into is the operating system that's being used on exposed systems. The more a hacker knows about a particular system (e.g., the OS, the hardware architecture, and services that are running), the greater are his or her chances of launching a successful attack. By knowing the operating system and system type, a hacker can do a little research and come up with a list of known vulnerabilities. Add to that a list of services you're running (see last month's column), and he's ready to go.
Let's look at a seasonal analogy. You've just drawn a name from a tub in your company's Secret Santa solution game. You want to give a gift that the recipient will enjoy, but the name isn't familiar. What pieces of information might help you select a gift that's likely to be well received? You might want to know if the recipient is a new employee, a recent college graduate, or a company veteran about to retire and sail around the world. You might like to know if the individual has any obvious interests. You'd probably like to avoid buying chocolates if the recipient is a diabetic or fine wine if he or she is an AA member.
Once you have a few pieces of information about the person for whom you're shopping, your chances of buying a gift that's neither offensive nor wasteful are considerably improved. Similarly, a hacker, once he or she knows the operating system your server is running, can select an attack with a much higher chance of success. He might learn, for example, that he can subvert IIS on your Windows 2000 system by sending malformed HTTP GET requests and retrieving files that should be off limits.
OS identification in the good old days
When I was a mere babe in the ways of Unix, identifying the operating system that a particular system was running wasn't that hard. I would first try to telnet to the system in question, and most systems would offer up some insights.
boson% telnet 220.127.116.11
Trying 18.104.22.168...
Connected to stovepipe.
Escape character is '^]'.
The banner, by itself, might have told me what I wanted to know. The system in question was running SunOS. If the target system didn't respond with a login prompt, I would ping it and determine from the new entry in my ARP cache (provided the system was on the local network) what type of network adaptor it contained. The first three octets of the hardware address identify the card's manufacturer and, in those days of vendor-built hardware, in most cases the type of system as well.
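The ARP-cache step described above is what any network inventory does when it walks a local segment: take each hardware address, look up its organizationally unique identifier (the first three octets) and record the vendor. The following is an added example, not code from the original column, that automates it over a constructed `arp -a` listing; the OUI-to-vendor table is a four-entry excerpt of well-known prefixes rather than the full IEEE registry, and the hostnames and addresses are made up. It also handles two cases a practitioner hits in real caches: older Unix systems print octets without leading zeros, and locally administered addresses (second-least-significant bit of the first octet set) carry no vendor information at all.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the IEEE OUI registry; a real tool loads the full file.
OUI_VENDORS: Dict[str, str] = {
    "08:00:20": "Sun Microsystems",
    "00:00:0c": "Cisco Systems",
    "00:50:56": "VMware",
    "08:00:27": "PCS Systemtechnik (VirtualBox)",
}

# Matches BSD/Linux/SunOS-style "arp -a" lines: "host (ip) at mac ...".
# Octets may have one or two hex digits because SunOS dropped leading zeros.
ARP_LINE = re.compile(
    r"^(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2}|<incomplete>)"
)


def normalize_mac(mac: str) -> str:
    """Zero-pad and lower-case a MAC: '8:0:20:1A:2B:3C' -> '08:00:20:1a:2b:3c'."""
    return ":".join(part.zfill(2).lower() for part in re.split(r"[:-]", mac))


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02) of the first octet is set; no vendor applies."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)


def vendor_for(mac: str) -> Optional[str]:
    """Look up the vendor for a MAC, or None if unknown or locally administered."""
    if is_locally_administered(mac):
        return None
    return OUI_VENDORS.get(normalize_mac(mac)[:8])


def parse_arp_cache(text: str) -> List[dict]:
    """Turn an arp -a listing into records of host, ip, mac, vendor and U/L flag."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # skip headers and lines in unknown formats
        raw_mac = m.group("mac")
        if raw_mac == "<incomplete>":
            # Ping got no answer: the kernel created the slot but has no address.
            entries.append({"host": m.group("host"), "ip": m.group("ip"),
                            "mac": None, "vendor": None,
                            "locally_administered": False})
            continue
        entries.append({"host": m.group("host"), "ip": m.group("ip"),
                        "mac": normalize_mac(raw_mac),
                        "vendor": vendor_for(raw_mac),
                        "locally_administered": is_locally_administered(raw_mac)})
    return entries


def vendor_summary(entries: List[dict]) -> Dict[str, int]:
    """Count hosts per vendor; unknown and locally administered go under 'unknown'."""
    counts: Dict[str, int] = {}
    for e in entries:
        key = e["vendor"] or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample listing (hostnames and addresses are invented).
SAMPLE_ARP = """\
stovepipe (192.0.2.10) at 8:0:20:1a:2b:3c on le0
router.example (192.0.2.1) at 00:00:0c:07:ac:01 [ether] on eth0
vmhost (192.0.2.50) at 00:50:56:9a:00:11 [ether] on eth0
? (192.0.2.99) at <incomplete> on eth0
unknown (192.0.2.77) at 02:42:ac:11:00:02 [ether] on eth0
"""

if __name__ == "__main__":
    for entry in parse_arp_cache(SAMPLE_ARP):
        print(entry)
    print(vendor_summary(parse_arp_cache(SAMPLE_ARP)))
```

Run against a live cache with `arp -a | python3 arp_inventory.py` after swapping `SAMPLE_ARP` for `sys.stdin.read()`; the point of the summary is to see your own segment the way a host that has just been pinged sees it, and to notice adapters whose vendor gives away a system type you would rather not advertise.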