
Sys-Security.com is a web site dedicated to computer security research. It is the home of the "ICMP Usage In Scanning" research project.

X
What is X?

X is a logic that combines various remote active operating system fingerprinting methods based on the ICMP protocol, discovered during the "ICMP Usage in Scanning" research project, into a simple, fast, efficient and powerful way to detect the operating system a targeted host is running.

Xprobe is a tool written and maintained by Fyodor Yarochkin and Ofir Arkin that automates X.


Why X?

X is a very accurate logic.

Xprobe is an alternative to tools that depend heavily on the TCP protocol for remote active operating system fingerprinting. This is especially true when trying to identify some Microsoft based operating systems with a TCP-based fingerprinting process. Since the TCP implementations of Microsoft Windows 2000 and Microsoft Windows ME, and of Microsoft Windows NT 4 and Microsoft Windows 98/98SE, are so close, a remote active operating system fingerprinting process that relies on TCP is usually unable to differentiate between these groups of Microsoft based operating systems. And this is only one example...


Documentation

You can download the X white paper from the papers section. It is available in PDF format [321kb].

The Phrack 57 article is titled "ICMP based remote OS TCP/IP stack fingerprinting techniques". You can view the article here.

You can download Ofir Arkin's presentation [.ppt format] given at the Black Hat Briefings July 2001, from: http://www.sys-security.com/archive/conferences/blackhat/july2001/X-BH_July_01-Rev1.5-OfficeXP-FINAL.zip [~5.64mb]

You can download Ofir Arkin's presentation [.ppt format] given at Defcon 9 July 2001, from: http://www.sys-security.com/archive/conferences/defcon9/X-Defcon9-Rev1.0-OfficeXP.zip [~9.68mb]


License

Copyright (C) 2001 Fyodor Yarochkin, Ofir Arkin.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

All material for nonprofit, educational use only.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.


Download

Latest version is 0.0.1p1.
The new version has several new options, including the ability to scan an IP range, the ability to specify the targeted UDP port, and a manual page.
The current tarball is the fixed one, now resolving correctly.

Xprobe 0.0.1p1 is aimed at identifying operating systems and some networking devices. When version 0.0.2 is released we will be adding vast support for networking devices. If you have questions regarding what X identifies, please consult the documentation section of this page.

Additional requirements: libpcap.



© Sys-Security.com 1999-2001.

For corrections/additions/suggestions for this page, please send email to: ofir@sys-security.com