Els Apostols - Projects and Programas

QueSO Documentation.txt

INTRODUCTION TO QueSO			 by savage@apostols.org
===============================================================

When it comes down to computer-related information security audits,
having the right tools to detect active IPs, ports or OSes becomes 
an important issue. On this last point (OS identification) is where
free software is clearly scarce, and the presently used methods are
brute-force based (to say the least):

        rpcinfo 
        snmp
        telnet
        SendMail version
        download binaries from the public-ftp (analyzing its format)
        and another slow and suspicious stuff..

Seeing the problem, I started writing a program a year ago (Abr.97) 
with the ability of differentiating between a Linux and a Windows box
sending TCP packets to a listen port. A full featured TCP connection
is never really established, so it's more of a fine-tuned thing than the 
other methods previously exposed. On April '98 I re-took this theme, and
the result is QueSO (wos), which you can get at:

        http://www.apostols.org/projectz/queso/

How we can determine the remote OS using simple tcp packets? Well,
it's easy, they're packets that don't make any sense, so the RFCs
don't clearly state what to answer in these kind of situations.
Facing this ambiguous, each TCP/IP stack takes a different approach
to the problem, and this way, we get a different response. In some
cases (like Linux, to name one) some programming mistakes make the OS
detectable.

What packets does QueSO send?

        0 SYN           * THIS IS VALID, used to verify LISTEN
        1 SYN+ACK       
        2 FIN
        3 FIN+ACK
        4 SYN+FIN
        5 PSH
 	6 SYN+XXX+YYY   * XXX & YYY are unused TCP flags

All packets have a random seq_num and a 0x0 ack_num.

On response to to packet 0 (SYN), any LISTEN port must answer a
SYN+ACK with a nonzero ack_num, seq_num and window, or, in case
of not being LISTEN, it'll send back a RST+ACK with the valid
ack_num. Here finishes the standard, and we get into QueSO-terrain :)

As it would be way too long to explain every test done and its results,
I think the best will be to explain QueSO's configuration file format. 
The file queso.conf is formed by blocks of lines, delimited by the name 
of the OS (starting with a *)  and a trailing (white-spaced) line:  

Start> * Linux 1.x, 2.0 (by savage@Apostols.Org)
        0 1 1 1 SA
        1 0 0 0 R
        2 - - - -       /* pkt#2 == Doesn't give any answer whatsoever */
        3 0 0 0 R
        4 1 1 1 SFA     /* pkt#4 == seqnum, acknum, window, SYN+FIN+ACK */ 
        5 - - - -       
	6 1 1 1 SAXY
End>
        * blah, blah ...

As I've stated previously, it sends 7 packets (0-6), and compares
the responses with the config file, where the different OSes are
described, in a response-based way to each packet (differentiated
by the dst port -my port).

 - First column is, thus, the pakcet number. 
 - Second one is seq_num ( 1/0/- )  
 - Third, ack_num ( 1/0/- )
 - The Fourth is the window ( 1/0/-/hex_value )
 - Fifth  is flags ( S=SYN, F=FIN, R=RST, A=ACK, P=PSH, U=URG, X, Y )

i.e. a Linux:
        2 - - - -       -=> pkt#2 == No response 
        4 1 1 1 SFA     -=> pkt#4 == seqnum, acknum, window, SYN+FIN+ACK
        
If in a block we don't include any of the 7 packets, it means we don't care
 at all about its contents to pin down what OS we're dealing with.

Implementation:
---------------

If we run queso w/o args, it shows off "usage()"

[root@apostols queso]# ./queso
QueSO (c) 1998 savage@apostols.org
Usage: queso [-v] [-d] [-w] [-f srcIP] [-c file] [-t seconds] host.com[:port]
       -v         Version
       -d         Debug mode, print received PKTs.
       -w         Update queso.conf when new OS is found.
       -f srcIP   Select correct In/Out IP.
       -c file    Alternate config file.
       -t seconds Set reception timeout. (default=3)
       -n times   How many times PKTs are sent. (default=1)


I think its self-explaining..

Salut,          < savage@apostols.org >

---- 8< ----------------------------------------------------------
CVS: $Id: Documentation.txt,v 1.3 1998/09/15 21:34:37 savage Exp $
---------------------------------------------------------- >8 ----

Current cmdline and version

queso@apostols.org $ queso -v /www/apostols.org/projectz/queso/index.cgi: /sbin/queso: No such file or directory queso@apostols.org $ queso -h /www/apostols.org/projectz/queso/index.cgi: /sbin/queso: No such file or directory

Current list of OS identified ( 100 )

Dead Host, Firewalled Port or Unassigned IP
Not Listen, try another port
Not Listen, DTC Hewlett Packard LAN Driver
Not Listen, USR/3COM Netserver
Not Listen, Windoze 95/98/NT
Not Listen, Windoze 95/98/NT (sleeped)
Not Listen HP/JETdirect
Not Listen IGEL Etherminal 2C (by wh@hillerzentri.de)
Not Listen Wollongong DOS TCP/IP, 3COM Office/Switch
Not Listen (SCO/Unix)
Not Listen Unknown (may be loss of pkts) ?
Firewall drops SYN pakets.
Firewalled Solaris 2.x
Firewalled host/port or network congestion
Firewalled host/port or network congestion
Linux 2.0.35 to 2.0.9999 :)
Linux 2.0.xx -sendmail??-
Linux 1.2.xx
Linux 1.3.xx, 2.0.0 to 2.0.34
Linux 2.1.xx
Linux 2.1.xx
MacOS-8 (or unusual Solaris)
MacTCP
Solaris 2.x
Solaris 2.x
Solaris 2.x firewalled (like www.apple.com)
NetBSD 1.3.x
Standard: Solaris 2.x, Linux 2.1.???, MacOS
HP/JETdirect Printer
HP/JETdirect Printer (old model)
Berkeley: HP/JETdirect Printer (by jay@gnu.org)
Berkeley: VAX/VMS, OpenVMS AXP
Berkeley: VAX/VMS (by bem@cmc.net)
Berkeley: DECserver (terminal server).
Berkeley: HP-UX B.10.20
Berkeley: usually Digital Unix, OSF/1 V3.0, HP-UX 10.x
Berkeley: DG/UX 5.4R3 (by biafra@pulhas.org)
Berkeley: usually SunOS 4.x, NexT, Annex
Berkeley: usually HP/UX 9.x, OS/2 Warp 4 Merlin (fix#6)
Berkeley: IRIX 5.x
Berkeley: Digital, HPUX, SunOs4, AIX3, OS/2 WARP-4, others...
Windoze NT firewalled (like *.microsoft.com)
Windoze NT firewalled (like www.compaq.com)
Windoze NT firewalled (like www.compaq.com)
Windoze 95/98/NT
Windoze NT with RaptorFirewall (by stuart@ins.com)
Wollongong TCP/IP for MSDOS
IBM AIX 4
IBM AIX 4
Plan9, CISCO-IOS 11.2(8)
CISCO-IOS 11.0
Cisco IOS 11.0 syn.flooded
3COM Office Connect Switch
3COM Netbuilder (by wait_man@linux.apostols.org)
SCO/Unix like www.sco.com
SCO/Unix or SCO/Openserver
Novell Netware TCP/IP
FreeBSD
FreeBSD, NetBSD, OpenBSD
ClamIP Nautica Router by Bay Networks
Reliant Unix from Siemens-Nixdorf
IRIX 6.x?
IRIX 6.x
BSDi 3.0, IBM S/390
BSDi or IRIX
Digital VMS 5x/6x or Ultrix
CISCO-IGS (by joaop@promisc.net)
IBM 8237 Hub model 2 (by pmsac@toxyn.org)
Minix v.??? (by eepr0m@toxyn.org)
NotListen Livingston PortMaster (by eepr0m@toxyn.org)
Livingston PortMaster ComOS 3.5L (by eepr0m@toxyn.org)
HP/3000 DTC (VTLS TCP/IP frontend)
Cisco 11.2(11)P
Cisco 11.2(10a), HP/3000 DTC, BayStack Switch
USR/3COM Netserver.
Livingston Portmaster (by bem@cmc.net)
Windoze with Firewall ?
Chamaleon TCP/IP 4 Windoze (by fermin@eup.udl.es)
Cyclades PathRAS (by Cyril.Chaboisseau@obs.coe.int)
Sinix (by adulau@befree.be)
Novell Netware 5.0 (by rzm@icm.edu.pl)
IBM AS/400
Novell TCP/IP - DOS LanWorkPlace 4.12 (by adulau@befree.be)
IBM XStation 1x0 (by Stefan.Eilemann@dlr.de)
Vircom Major TCP/IP (by leighk@cybercomm.net)
Computone Intelliserver (by leighk@cybercomm.net)
Specialix Jetstream 6000 Terminal Server (by wh@hillerzentri.de)
SEH GmbH Printserver (by wh@hillerzentri.de)
Gandalf router (by aland@striker.ottawa.on.ca)
Gandalf Xpressway/XpressStack (by aland@striker.ottawa.on.ca)
HP-UX B.11.00 (by gqueri@mail.dotcom.fr)
Ascend Pipeline Firmware 4.6 (by c.mock@xsoft.co.at)
Shiva flooded
Shiva (accessport/isdn-router) (by adria@dns1.i-b-s.net)
Shiva (accessport/isdn-router) flooded
Lantronix LPS1 Version V3.5 (by biafra@pulhas.org)
Equinox ELS-8 4.12
HP3000 MPE/iX 5.5 (by rodneybrown@pmsc.com)
UnixWare 2.1.1 (by rodneybrown@pmsc.com)
AS/400 OS/400 V4R2 (by rodneybrown@pmsc.com)

Current snapshot available for download.

Watch the effectiveness of QueSO in The osi++ Counter, a survey of OS usage on the Internet.