Service Banner Fingerprinting in C _ _ | |_ ___ _ _ ___ ___ ___ _| |___ | _| _| | | | _| . | . | -_| |_| |_| |___|_|_|___|___|___|___| * truncode security development * http://www.truncode.org necrose 0x01 INTRODUCTION This paper is written as a supplement to modular's tcpscan series. This paper covers how to write C programs that will perform Banner Fingerprinting. This paper assumes that you have already understood the tcpscan series from modular, and that you possess knowledge of the following protocols: HTTP and FTP. The complete source code in this article consists of stand-alone functions with the intention to allow the reader to implement them easily into his own programs. All functions require the following minimal list of includes: #include #include #include #include #include #include #include #include 0x02 SSH/SMTP FINGERPRINTING Before we start coding, we will have a look at the subject of manual banner fingerprinting. Let uss start this one off with by far the easiest service to fingerprint: SSHD. This is because we actually only have two things to accomplish: connect to the SSH daemon at the target host and retrieve the banner that will be automatically presented to us. The process might be visually presented like so: ********************* *********************** ****************** * CONNECT TO DAEMON * ===> * DAEMON SHOWS BANNER * ===> * GET THE BANNER * ********************* *********************** ****************** Start by connecting with telnet to a SSH daemon and retrieve the banner: snow:~# telnet truncode.org 22 Trying 207.44.194.142... Connected to truncode.org. Escape character is '^]'. SSH-1.99-OpenSSH_3.1p1 ^] telnet> quit Connection closed. snow:~# As you can see after connecting to the target host, the SSH daemon will automatically present the version banner: "SSH-1.99-OpenSSH_3.1p1". This process is relatively easy and can also be applied as well to the SMTP service banner. Now we connect to port 25 on the target host: snow:~# telnet euronet.nl 25 Trying 194.134.0.10... Connected to euronet.nl. Escape character is '^]'. 220 pop1.euronet.nl ESMTP Postfix ^] telnet> quit Connection closed. snow:~# Well there is not much to fingerprinting these two services. Since the process for fingerprinting these services is identical, I will only discuss the code for the SSH daemon fingerprint function. You can specify the port for SMTP. The following is an example of code that will fingerprint the SSH daemon: char *grab_sshb(char *t_addr, int t_port) { struct sockaddr_in rmtaddr; /* remote address structure */ char *buf_s; /* buffer string pointer */ char *bnr_s; /* banner string pointer */ int sockfd; /* socket file descriptor */ buf_s = (char *)malloc(250); sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); rmtaddr.sin_family = AF_INET; rmtaddr.sin_port = htons(t_port); rmtaddr.sin_addr.s_addr = inet_addr(t_addr); if(connect(sockfd, (struct sockaddr *)&rmtaddr, sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; } if(recv(sockfd, buf_s, 250, 0) <= 0) { close(sockfd); return NULL; } bnr_s = (char *)malloc(strlen(buf_s)-1); strncpy(bnr_s, buf_s, strlen(buf_s)-1); close(sockfd); free(buf_s); return bnr_s; } This source code is rather straight forward. We do exactly the same as presented in the former visual process: connect to the target host and receive the banner it sends, then copy the banner in question and close the connection. 0x03 HTTP/FTP FINGERPRINTING This technique is slightly more difficult than SSH and SMTP because we actually need to perform some interaction with the server. An obvious difference is that we need to incite some minor string magic for this technique to work. We begin with HTTP server fingerprinting. The server does not automatically present any banner on connect. A request to the server is needed by sending the: "HEAD / HTTP/1.0\n\n" command, where "\n\n" represents twice. We state this again visually: ********************* **************** *********************** * CONNECT TO SERVER * ===> * REQUEST HEAD * ===> * SERVER SENDS BANNER * ********************* **************** *********************** || \/ *************** ****************** * FILTER DATA * <=== * GET THE BANNER * *************** ****************** Connect with telnet and retreive the banner. The data filtering will only be done with the final code. Pay attention to the following process: snow:~# telnet www.euronet.nl 80 Trying 194.134.0.158... Connected to www.euronet.nl. Escape character is '^]'. HEAD / HTTP/1.0 HTTP/1.1 302 Found Date: Fri, 21 Mar 2003 21:06:55 GMT Server: Apache/1.3.26 (Unix) Location: http://home.euronet.nl/ Connection: close Content-Type: text/html; charset=iso-8859-1 Connection closed by foreign host. snow:~# As you can see the server returns a lot of data after the HEAD / HTTP/1.0 command. Actually the only data we are interested in is the banner behind the "Server:". This is what our filter code will achieve. The code will perform the following: connect to the server at the target host, send the command, receive the server HEAD and filter the data: char *ltnet_httpb(char *t_addr, int t_port) { struct sockaddr_in rmtaddr; /* remote address structure */ char *buf_s; /* buffer string pointer */ char *bnr_s; /* banner string pointer */ char *str_p; /* pointer to Server: part */ int sockfd; /* socket file descriptor */ int itr_s0; /* string iterate integer */ int itr_s1; /* string iterate integer */ buf_s = (char *)malloc(1000); sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); rmtaddr.sin_family = AF_INET; rmtaddr.sin_port = htons(t_port); rmtaddr.sin_addr.s_addr = inet_addr(t_addr); if(connect(sockfd, (struct sockaddr *)&rmtaddr, sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; } if(send(sockfd, "HEAD / HTTP/1.0\n\n", 17, 0) <= 0) { close(sockfd); return NULL; } if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; } if((str_p = strstr(buf_s, "Server:")) == NULL) { close(sockfd); return NULL; } for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) { if(str_p[itr_s0] == '\n') break; } bnr_s = (char *)malloc(itr_s0 - 8); for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) { if(str_p[itr_s1 + 8] == '\n') break; bnr_s[itr_s1] = str_p[itr_s1 + 8]; } close(sockfd); free(buf_s); return bnr_s; } Take a close look at the section that performs the actual filtering. First the code looks at the "Server:" line and returns a pointer to it: if((str_p = strstr(buf_s, "Server:")) == NULL) { close(sockfd); return NULL; } Now "str_p" points to where the "Server:" line starts in the buffer. The next thing we want to do is retrieve the actual banner without the "Server:" line in front of it and put it into "bnr_s". We start this process my allocating memory to "bnr_s" bnr_s = (char *)malloc(itr_s0 - 8); Please take a good look at this line. We allocate the amount of bytes on the "Server:" line, minus 8. The 8 bytes represent: "Server: " which we want to strip off. The next thing we do is iterate through the string and copy it to "bnr_s". Now "bnr_s" contains the stripped "Server: " string. We will move onto the FTP section now. We discuss two ways of fingerprinting the FTP server. The first one is easy, because it's just a mix of the SSH/SMTP and HTTP fingerprinting. Connect to to the target host, get the banner and then filter it. This can be visually presented like so: ********************* *********************** ****************** * CONNECT TO DAEMON * ===> * DAEMON SHOWS BANNER * ===> * GET THE BANNER * ********************* *********************** ****************** || \/ *************** * FILTER DATA * *************** If we emulate this process with telnet, it will look like the following: snow:~# telnet euronet.nl 21 Trying 194.134.0.10... Connected to euronet.nl. Escape character is '^]'. 220 gaia.euronet.nl FTP server (Version wu-2.4.2-academ (3) Fri Jun 23 20:47:26 MET DST 2000) ready. ^] telnet> quit Connection closed. snow:~# As you can see it will directly present the banner (this is not what happens in all cases) after the "220" and then it is possible to strip it down to the version only, just like what was done with the HTTP server. The code is actually just a mix of what we have done before: char *ltnet_ftpb(char *t_addr, int t_port) { struct sockaddr_in rmtaddr; /* remote address structure */ char *buf_s; /* buffer string pointer */ char *bnr_s; /* banner string pointer */ char *str_p; /* pointer to Server: part */ int sockfd; /* socket file descriptor */ int itr_s0; /* string iterate integer */ int itr_s1; /* string iterate integer */ buf_s = (char *)malloc(250); sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); rmtaddr.sin_family = AF_INET; rmtaddr.sin_port = htons(t_port); rmtaddr.sin_addr.s_addr = inet_addr(t_addr); if(connect(sockfd, (struct sockaddr *)&rmtaddr, sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; } if(recv(sockfd, buf_s, 250, 0) <= 0) { close(sockfd); return NULL; } if((str_p = strstr(buf_s, "220")) == NULL) { close(sockfd); return NULL; } for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) { if(str_p[itr_s0] == '\n') break; } bnr_s = (char *)malloc(itr_s0 - 8); for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) { if(str_p[itr_s1 + 4] == '\n') break; bnr_s[itr_s1] = str_p[itr_s1 + 4]; } close(sockfd); free(buf_s); return bnr_s; } Although this way of FTP fingerprinting is fairly straight forward, it may not always be effective. But there is another way of fingerprinting the FTP server, a technique that requires us to login with the anonymous account. This method requires the server to have the anonymous login enabled. If we can succesfully log in as an anonymous user we can give the "SYST" command and the FTP server will send back the system type. The scheme that represents this method is presented visually like so: ********************* ******************* ****************** * CONNECT TO DAEMON * ===> * LOGIN TO SERVER * ===> * GET THE BANNER * ********************* ******************* ****************** || \/ *************** * FILTER DATA * *************** If we emulate this with telnet, it will look like the following: snow:~# telnet ftp.cdrom.com 21 Trying 208.217.74.248... Connected to cdrom.wip.digitalriver.com. Escape character is '^]'. 220 drftp.digitalriver.com NcFTPd Server (licensed copy) ready. USER anonymous 331 Guest login ok, send your complete e-mail address as password. PASS ghost@truncode.org 230-You are user #28 of 300 simultaneous users allowed. 230- 230 Logged in anonymously. SYST 215 UNIX Type: L8 Still this code does not show a lot of difference compared to what we have done before . The only difference is that we send multiple commands to the server ("USER", "PASS" and "SYST". After that process we just filter the data again. This is the code to achieve that: char *ltnet_ftps(char *t_addr, int t_port) { struct sockaddr_in rmtaddr; /* remote address structure */ char *buf_s; /* buffer string pointer */ char *bnr_s; /* banner string pointer */ char *str_p; /* pointer to Server: part */ int sockfd; /* socket file descriptor */ int itr_s0; /* string iterate integer */ int itr_s1; /* string iterate integer */ buf_s = (char *)malloc(1000); sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); rmtaddr.sin_family = AF_INET; rmtaddr.sin_port = htons(t_port); rmtaddr.sin_addr.s_addr = inet_addr(t_addr); if(connect(sockfd, (struct sockaddr *)&rmtaddr, sizeof(struct sockaddr)) != 0) { close(sockfd); return NULL; } if(send(sockfd, "USER anonymous\n", 15, 0) <= 0) { close(sockfd); return NULL; } if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; } if(send(sockfd, "PASS libtrun@truncode.org\n", 26, 0) <= 0) { close(sockfd); return NULL; } if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; } if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; } if(send(sockfd, "SYST\n", 5, 0) <= 0) { close(sockfd); return NULL; } if(recv(sockfd, buf_s, 1000, 0) <= 0) { close(sockfd); return NULL; } if((str_p = strstr(buf_s, "UNIX Type:")) == NULL) { close(sockfd); return NULL; } for(itr_s0 = 0; itr_s0 < strlen(str_p); itr_s0++) { if(str_p[itr_s0] == '\n') break; } bnr_s = (char *)malloc(itr_s0 - 8); for(itr_s1 = 0; itr_s1 < itr_s0; itr_s1++) { if(str_p[itr_s1 + 11] == '\n') break; bnr_s[itr_s1] = str_p[itr_s1 + 11]; } close(sockfd); free(buf_s); return bnr_s; } 0x04 WEAVE MORE CODE Of course there is a lot more you can fingerprint, but I hope this paper has helped to show you how you might begin. If you are going to implement the code in this paper, you might clean it up and add some error checking. copyright(c) 2003 truncode.org