Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   9211 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

XPROBE2(1)							    XPROBE2(1)

NAME
       xprobe2 - A Remote active operating system fingerprinting tool.

SYNOPSIS
       xprobe2 [ -v ] [ -r ] [ -p proto:portnum:state ] [ -c configfile ] [ -o
       logfile ] [ -p port ] [ -t receive_timeout ] [ -m numberofmatches ] [
       -D modnum ] [ -F ] [ -X ] [ -B ] [ -A ] [ -T port spec ] [ -U port spec
       ] host

DESCRIPTION
       xprobe2 is an active operating system fingerprinting tool with  a  dif‐
       ferent  approach	 to operating system fingerprinting. xprobe2 relies on
       fuzzy  signature	 matching,  probabilistic  guesses,  multiple  matches
       simultaneously, and a signature database.

       The  operation  of  xprobe2 is described in a paper titled "xprobe2 - A
       ´Fuzzy´ Approach to Remote  Active  Operating  System  Fingerprinting",
       which	    is	      available	       from	  http://www.sys-secu‐
       rity.com/html/projects/X.html.

       As xprobe2 uses raw sockets to send probes, you must have  root	privi‐
       leges in order for xprobe2 to be able to use them.

OPTIONS
       -v     be verbose.

       -r     display route to target (traceroute-like output).

       -c     use  configfile  to  read	 the configuration file, xprobe2.conf,
	      from a non-default location.

       -D     disable module number modnum.

       -m     set number of results to display to numofmatches.

       -o     use logfile to log everything (default output is stderr).

       -p     specify port number (portnum), protocol (proto) and  it's	 state
	      for  xprobe2  to	use during rechability/fingerprinting tests of
	      remote host. Possible values for proto are  tcp or  udp, portnum
	      can  only	 take  values  from   1	 to 65535, state can be either
	      closed (for  tcp that means that remote host  replies  with  RST
	      packet,  for   udp that means that remote host replies with ICMP
	      Port Unreachable packet) or  open	 (for	tcp  that  means  that
	      remote  host replies with SYN ACK packet and for	udp that means
	      that remote host doesn't send any packet back).

       -t     set receive timeout to receive_timeout in seconds	 (the  default
	      is set to 10 seconds).

       -F     generate	signature for specified target (use -o to save finger‐
	      print into file)

       -X     write XML output to logfile specified with -o

       -B     causes xprobe2 to be a bit more noisy, as -B makes TCP handshake
	      module  to try and blindly guess an open TCP port on the target,
	      by sending sequential probes to the following well-known	ports:
	      80, 443, 23, 21, 25, 22, 139, 445 and 6000 hoping to get SYN ACK
	      reply. If xprobe2 receives RST|ACK or SYN|ACK packets for a port
	      in  the list above, it will be saved in the target port database
	      to be later used by other modules (i.e. RST module).

       -T, -U enable built-in portscanning module, which will attempt to  scan
	      TCP  and/or UDP ports respectively, which were specified in port
	      spec

       -A     enable experimental support for detection of transparent proxies
	      and firewalls/NIDSs spoofing RST packets in portscanning module.
	      Option should be used in conjunction with -T. All responses from
	      target  gathered	during portscanning process are divided in two
	      classes (SYN|ACK and RST) and saved for analysis. During	analy‐
	      sis  module  will search for different packets, based on some of
	      the fields of TCP and IP headers, within the same class  and  if
	      such  packets  are found, message will be displayed showing dif‐
	      ferent packets within the same class.

EXAMPLES
	      xprobe2 -v -D 1 -D 2 192.168.1.10

	      Will launch an OS fingerprinting attempt targeting 192.168.1.10.
	      Modules 1 and 2, which are reachability tests, will be disabled,
	      so probes will be sent even if target is down.  Output  will  be
	      verbose.

	      xprobe2 -v -p udp:53:closed 192.168.1.20

	      Will  launch  an	OS fingerprint attempt targeting 192.168.1.20.
	      The UDP destination port is set to 53, and the  output  will  be
	      verbose.

	      xprobe2 -M 11 -p tcp:80:open 192.168.1.1

	      Will  only  enable TCP handshake module (number 11) to probe the
	      target, very useful when all ICMP traffic is filtered.

	      xprobe2 -B 192.168.1.1

	      Will cause TCP handshake module to try blindly guess  open  port
	      on  the  target  by sequentially sending TCP packets to the most
	      likely open ports (80, 443, 23, 21, 25, 22, 139, 445 and 6000).

	      xprobe2 -T 1-1024 127.0.0.1

	      Will enable portscanning	module,	 which	will  scan  TCP	 ports
	      starting from 1 to 1024 on 127.0.0.1

	      xprobe2 -p tcp:139:open 192.168.1.2

	      If  remote  target has TCP port 139 open, the command line above
	      will enable application level SMB module (if remote  target  has
	      TCP port 445 open, substitue 139 in the command line with 445).

	      xprobe2 -p udp:161:open 192.168.1.10

	      Will  enable SNMPv2c application level module, which will try to
	      retrieve sysDescr.0  OID	using  community  strings  taken  from
	      xprobe2.conf file.

NOTES
       xprobe2	fingerprints  remote operating system by analyzing the replies
       from the target, so to get the most out of xprobe2 you need  to	supply
       xprobe2	with  as  much	information  as	 possible, in particular it is
       important to supply at least one open TCP port and one closed UDP port.
       Open  TCP  port	can  either be provided in command line (-p), obtained
       through built-in portscanner (-T) or -B option can  be  used  to	 cause
       xprobe2 to try to blindly guess open TCP port. UDP port can be supplied
       via command line (-p) or through built-in portscanner (-U).

HISTORY
       xprobe has been developed in 2001 based	on research performed by  Ofir
       Arkin <ofir@sys-security.com>. The code has been officially released at
       the BlackHat Briefings in Las-Vegas in 2001. xprobe2 is a logical  evo‐
       lution  of  xprobe code. Signature based fuzzy fingerprinting logic was
       embedded.

SEE ALSO
       nmap(1) queso(1) pcap(3)

AUTHORS
       Fyodor Yarochkin <fyodor@o0o.nu>, Ofir  Arkin  <ofir@sys-security.com>,
       Meder Kydyraliev <meder@o0o.nu>

       (see also CREDITS in distro tarball).

AVAILABILITY
       The  current  version and relevant documentation is available from fol‐
       lowing url:
       https://sourceforge.net/projects/xprobe/

BUGS
       None known (please report).

								    XPROBE2(1)

Vote for polarhome