A pentester's arsenal: collecting utilities for detecting the OS on a remote host

The first stage of a pentest is, as everyone knows, reconnaissance. Only once you have established which system is running on the remote host can you start looking for loopholes in it. From this article you will learn about seven tools that help at this stage, and at the same time you will see how they work out which operating system is in use.

Around the same historical period when the monkey climbed down from a tree and for some reason decided to become human, it learned to use tools. It has been that way ever since: each monkey earns its livelihood with its own tools, which distinguishes it from other representatives of the fauna. And among primates, pentesters and hackers have, of course, one of the richest arsenals of tools.

It is not surprising: studying remote systems and exploiting the vulnerabilities found in them with your bare hands is like trying to scare a hedgehog with a bare backside and irrepressible enthusiasm. In other words, it is both impractical and largely useless. Even hedgehogs understand that the first and most important stage in researching any system is reconnaissance and information gathering. That is where our attention is focused.

If you regularly read “The Hacker”, you have probably already come across mentions of many of these programs. Perhaps you are also familiar with the term TCP/IP stack fingerprinting, which describes the way they work.

Let’s take a bird’s-eye view of the most relevant utilities suitable for this purpose and try to evaluate their features and capabilities.

A couple of smart words

Experienced pentesters, hackers and those who consider themselves as such can safely skip a couple of milkshakes and this section; for everyone else we will hold a small theoretical tour. Obviously, at the initial stage of reconnaissance the remote system is a “black box” for us, and at best we know only its IP address. At a minimum, we need to find out which ports are open on the host under investigation, which operating system it runs, and what software installed there is able to interact with the network. Then, having collected the necessary information, we can look for vulnerabilities and think about how to turn them to the benefit of humanity.

In the case of an ordinary computer or laptop, determining the operating system is as easy as it gets. If looking at the screen leaves you a bit confused, it is Windows; if you feel like building something from source, it is definitely Linux. With a remote host this trick will not work, so we can only assess indirect signs. We can determine which operating system runs on the host by passive and active methods. In the first case, we usually sniff traffic with tools like Wireshark and then analyze it. In the second case, the principle of patterns is used: each operating system has a characteristic set of open ports that you can knock on to evaluate their availability, and then, looking at the resulting picture, draw the appropriate conclusions. In both cases we are examining something like the operating system’s fingerprints, which is why this set of methods is called fingerprinting.

As a rule, all methods of passive traffic analysis come down to studying the TCP/IP stack of the remote machine. Packet headers contain fields whose values are characteristic of specific operating systems. For example, a packet TTL (Time To Live) of 64 is most often found in Linux and FreeBSD. If the header does not contain the DF (Don’t Fragment) flag, this hints that we are dealing with OpenBSD. Other indirect indications are the window size, the maximum segment size (MSS), the window scaling value, and the state of the sackOK flag. By elimination, we can work out which OS is running on the host we are interested in. The utilities we are going to talk about simplify this task.
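The header fields listed above can be pulled out of a raw IPv4/TCP SYN with a few lines of parsing. The following is an added example, not code from the article or from any of the tools it describes: the function names and the two sample packets are constructed for illustration, and rounding the observed TTL up to a common initial value is an assumption.

```python
import struct

def build_syn(ttl, df, window, options):
    """Constructed sample: minimal IPv4 + TCP SYN with the given options."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(options), 1,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0)
    return ip + tcp + options

def parse_syn(pkt):
    """Extract the header fields the article lists as OS indicators."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length
    tcp = pkt[ihl:]
    fp = {"ttl": pkt[8],
          "df": bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000),
          "window": struct.unpack("!H", tcp[14:16])[0],
          "mss": None, "wscale": None, "sack_ok": False}
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0         # TCP options area
    while i < len(opts) and opts[i] != 0:           # kind 0 = end of list
        if opts[i] == 1:                            # kind 1 = NOP, no length
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                                   # truncated or malformed
        kind, body = opts[i], opts[i + 2:i + opts[i + 1]]
        if kind == 2 and len(body) == 2:            # maximum segment size
            fp["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:          # window scale
            fp["wscale"] = body[0]
        elif kind == 4:                             # SACK permitted (sackOK)
            fp["sack_ok"] = True
        i += opts[i + 1]
    return fp

def hints(fp):
    """Apply only the two rules of thumb stated in the text above."""
    out = []
    # Assumption: TTL drops by one per hop, so round up to a common default.
    initial_ttl = next(t for t in (64, 128, 255) if fp["ttl"] <= t)
    if initial_ttl == 64:
        out.append("initial TTL 64: most often Linux or FreeBSD")
    if not fp["df"]:
        out.append("DF not set: hints at OpenBSD")
    return out

# Constructed samples (not captured traffic).
SAMPLE_A = build_syn(57, True, 29200, bytes.fromhex("020405b40402080a" + "00" * 8 + "01030307"))
SAMPLE_B = build_syn(64, False, 16384, bytes.fromhex("020405b4"))
```

The same fields are what a defender changes or normalizes at the network edge when the goal is to make passive identification of internal hosts less reliable.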


Nmap

  • Site: nmap.org
  • Platform: GNU/Linux, macOS, Windows (x86)

It is a very popular cross-platform tool with a rich history and a wide range of functionality. It can do a lot more than just fingerprinting, but we are primarily interested in its “intelligence capabilities”.

The current version, Nmap 7.80, has an intuitive graphical interface, but for old-timers there is a command-line mode. In that case you can use the command nmap -O -PN [URL], where URL is the address of the site under investigation. The truly stubborn can compile the program from the sources kindly published on the developers’ site.


The diagnosis of the operating system installed on the host is very approximate, but the probability of one variant or another can reach 90% or even more. In principle, that is quite enough to understand in which direction to dig further.

In addition, the program kindly shows the version of the server running there, the open ports, information obtained from processing DNS requests, IPv4 and IPv6 addresses, and Classless Inter-Domain Routing (CIDR) data. The software can perform a reverse DNS lookup and also outputs a large amount of other useful information. Nmap provides several scanning scenarios, the choice of which depends on the researcher’s objectives.

The program’s working principles are described in detail in the documentation on the official site. The utility is really very powerful: it even allows you to bypass firewalls and carry out DoS and other types of attacks. In short, it is a useful tool if you know how to handle it.


NetworkMiner

NetworkMiner is a traffic analyzer that its developers themselves categorize as a Network Forensic Analysis Tool (NFAT). The tool uses a passive method of remote system analysis, which means that it leaves no traces and allows the researcher to act invisibly.

The utility can be downloaded from http://sourceforge.net/projects/networkminer, and the source code is available on the developer’s page.

NetworkMiner allows you to track established connections and analyze packets transmitted over the network, extracting from them useful information about the hosts your computer is communicating with. The source data for the analysis are the TTL (packet lifetime), the frame size, and the flags set in the packet headers.

With NetworkMiner, you can examine individual frames as well. The Frames tab is used for this purpose: here you can see the frame size, the sender and destination IP addresses and ports, and other useful information. In addition, it is possible to analyze daemon banners. All this information allows you to recreate the structure of the network where the packets are intercepted, which is especially useful for wireless networks whose inner workings you are unfamiliar with.

This toolkit has another great feature: it knows how to extract files from FTP, TFTP, HTTP, HTTP/2, SMB, SMB2, SMTP, POP3 and IMAP traffic. That is, you can use it to intercept files transmitted by e-mail, over FTP, across the local network, or simply in the user’s browser. NetworkMiner can also pull X.509 certificates out of encrypted traffic. A thing of beauty!

In general, what we have in front of us is quite a powerful sniffer, capable of working magic in skilled hands. Fingerprinting and OS detection are just one of its many capabilities.

p0f v3

This is not just a fairly well-known sniffer, but a program that combines a whole set of mechanisms for analyzing intercepted packets and fingerprinting. The developers declare determining the OS type on the remote host (even in cases where Nmap failed, for example because of a firewall in the network) to be one of its main functions.

The program has several modes, which can be used depending on the configuration of the network and the task facing the researcher:

  • SYN mode – investigation of incoming connections;
  • SYN+ACK mode – investigation of outbound connections;
  • RST+ mode – investigation of traffic for a node behind a firewall that denies connections;
  • MiTM mode – investigation of connections between nodes whose traffic you can sniff without any interference on your part.

In addition, p0f can detect whether a NAT, shaper, or firewall is operating in the network, track a packet’s route to a given host, and calculate the host’s uptime. At the same time, the tool generates no requests or other suspicious traffic of its own, which in itself is an undeniable advantage if the researcher wants to remain unnoticed on the network.

The p0f v3 version was rewritten by the developers from scratch, so its “fingerprint database” is not the most complete. According to the official website, the program lacks data on old versions of operating systems such as Windows 9x, IRIX and the like. But users can help the project by contributing the results of their own experiments with the program to the databases.



NetScanTools

The free utility NetScanTools Basic appeared in 2009 and has undergone only minor changes since then. It cannot do much: with its help you can get Whois data (you can hardly do without it), run traceroute (for those who do not know how to use the command line), send DNS queries, and ping remote hosts this way, that way and every other way, that is, with control over the ping parameters. Not much, in short.

The commercial Pro version, however, boasts a wider range of features. It can work with various protocols, including ARP and SNMP, intercept and analyze packets, retrieve DNS records for given IP addresses, search for open TCP and UDP ports on the remote host, determine the supported versions of SMB, and search for devices on the network, including SMTP servers with open relays. On an Active Directory network, NetScanTools can find all shared folders, even hidden ones. The software includes a TCP, UDP, ICMP, CDP and RAW packet generator in which you can change various parameters, so NetScanTools easily and effortlessly turns into a flooder.

In general, we can say that NetScanTools Pro is quite an interesting project that includes tools for active and passive network research. The only catch is that the price of $249 is a bit steep, especially when you consider that the completely free NetworkMiner and Nmap have almost the same set of basic functions. However, you can download a 30-day trial version from the developers’ site, which will help you decide whether to go looking for a crack or a wad of bucks, or whether it is better to use free software.

X probe

This is a Linux utility that uses active fingerprinting methods based on the same techniques and scripts as Nmap. One of the most interesting features of X probe is its ability to detect honeypots (bait servers specifically designed to catch gullible hackers) and suspicious nodes with modified TCP/IP stack settings.

Using the fuzzy-logic algorithms built into the software, X probe can detect services hidden by a firewall. In addition to detecting the OS on the remote host using ICMP requests, the program’s capabilities include scanning TCP and UDP ports. Unfortunately, the latest version of the utility dates from 2014, and it seems that the project has hardly been developed since then.


Ettercap

Ettercap is a sniffer widely known in narrow circles and often used for MiTM-type attacks. It works on almost all Linux distributions except OpenSuSe, and on UNIX/BSD platforms except Solaris. It is said that especially mighty shamans have run Ettercap even on macOS, but there is no documented evidence to support these rumors, for those who succeeded died bursting with pride.

Like other sniffers, this one can work with the Telnet, FTP, IMAP, SMB and LDAP protocols and a few others, but Ettercap can also pick apart encrypted traffic transmitted over HTTPS and SSH. Although the toolkit was created with MiTM in mind, it can be used to identify remote operating systems by fingerprinting, along with routine tasks such as determining the IP address, the open ports, the services running on the node under study, the type of adapter, and the MAC address of the network interface.

Once installed and started, Ettercap begins sniffing traffic on the network and collects the results in profiles created by the program, from which they can be extracted for analysis. This analysis makes it possible to determine, in particular, the IP address, the host name and type, the presumed version of the operating system running there, the open ports, and the running services. As a starter kit for any researcher, that is quite sufficient.


THC-Archive

At https://github.com/vanhauser-thc/THC-Archive/ there is a rich archive of utilities and cohesives that can be a great help to a pentester. All of this software was long and painstakingly assembled by a team of like-minded malefactors called The Hacker’s Choice, which was founded in 1995 and, judging by its Twitter activity, is still doing well to this day.

The guys offer a lot of interesting projects, but we are mostly interested in the tools from the section https://github.com/vanhauser-thc/THC-Archive/tree/master/Tools. Here, in particular, you can find the Amap scanner, which allows you to track down services running on non-standard ports.

Some naive sysadmins sincerely hope they can protect themselves from attack if they bring up an FTP server, SSH or Telnet on some non-standard port instead of the usual one. Amap is designed precisely to counter such cunning admins.

Ordinary scanners knock on standard ports, analyze the responses they receive and, if these do not meet expectations, give up. Amap instead polls the entire port range and checks the responses against its database for matches. In this way, a service running on a port is identified by the characteristics of its response.
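The reason relocating a service does not hide it can be shown with a small response matcher used as an inventory check. This is an added example, not Amap’s code or its database: the signature set, the function names and the sample responses are all constructed for illustration.

```python
import re

# Hypothetical, minimal signature set: (service, usual port, response pattern).
SIGNATURES = [
    ("ssh", 22, re.compile(rb"^SSH-\d\.\d+-")),
    ("ftp", 21, re.compile(rb"^220[ -].*FTP", re.I)),
    ("smtp", 25, re.compile(rb"^220[ -].*SMTP", re.I)),
    ("http", 80, re.compile(rb"^HTTP/\d\.\d \d{3} ")),
]

def identify(response):
    """Match the first bytes a service sent against the signature set."""
    for service, usual_port, pattern in SIGNATURES:
        if pattern.search(response):
            return service, usual_port
    return None, None

def audit(observations):
    """For each (port, response) pair return (port, service, relocated).

    'relocated' is True when a recognised service answers on a port other
    than its usual one, i.e. the port number alone would have misled us.
    """
    report = []
    for port, response in observations:
        service, usual_port = identify(response)
        relocated = service is not None and port != usual_port
        report.append((port, service or "unknown", relocated))
    return report

# Constructed responses (not captured from any real host).
OBSERVED = [
    (22, b"SSH-2.0-ExampleSSH_1.0\r\n"),
    (2222, b"SSH-2.0-ExampleSSH_1.0\r\n"),
    (8021, b"220 Example FTP server ready\r\n"),
    (2525, b"220 mail.example.test ESMTP ready\r\n"),
    (31337, b"\x00\x01\x02binary-noise"),
]

if __name__ == "__main__":
    for row in audit(OBSERVED):
        print(row)
```

Run against your own hosts’ banners, the same check shows which relocated services still announce themselves and therefore need real access controls rather than an unusual port number.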

To make your life easier, you can use Amap together with any other scanner. The scanner produces a list of open ports on the host of interest, and Amap then probes that range and finds out which services are listening on these ports and what the researcher can learn from them. On The Hacker’s Choice page you can download Amap for both Windows and Linux; all versions of the utility are available, starting with the earliest.


It is customary for articles in “The Hacker” to end with a short final section, so let’s not anger the editor by breaking a good tradition. As you may have guessed, most of the utilities described here can do much more than just determine the OS type on the remote host. It is therefore worth getting to know each of them. It’s up to you to decide what you’re going to use in the end.

