Archive for January 30th, 2012

Find out DNS Server Version With DNS Server Fingerprinting tool

Fingerprinting is a technique for identifying the differences among implementations of the same networking software specification, be it applications, operating systems or TCP/IP stacks. It is well-known that even when the functionality of a piece of software is detailed in a specification or standard, different implementations of that same functionality tend to differ in the interpretation of the specification, by making assumptions or implementing only part of the optional functionality. That automatically explores a set of candidate queries and applies machine learning techniques to identify the set of valid queries.

By hiding your DNS server's version number you can improve server security. fpdns is a program that remotely determines DNS server versions. It does this by sending a series of borderline DNS queries whose responses are compared against a table of known responses and server versions.

"fpdns" are used to identify hosts running a specific operating system. There are also tools that can be used to identify different versions of the same application, such as fpdns, Nmap, and Nessus. These tools help network administrators to find version information leaked by a system, inventory the hosts in a network, and check for the existence of hosts running versions with vulnerabilities, or versions that are not allowed under the security policy of a network.

Install fpdns

Debian / Ubuntu user, enter the following command:
$ sudo apt-get install fpdns

How to remotely determine DNS server version

To determine DNS server version for domain nixcraft.com, enter:
$ fpdns -D nixcraft.com
Output:

fingerprint (nixcraft.com, 64.202.165.116): bboy MyDNS
fingerprint (nixcraft.com, 208.109.80.52): bboy MyDNS

You can easily find out whether recursion is enabled or not:
$ fpdns ns1.vnsl.com.

Testing of Automatic fingerprinting tool “fpdns”

The reality is quite different though. fpdns uses a series of borderline DNS queries to determine the vendor, product and version of a nameserver.

The methodology used to identify individual nameserver implementations is based on "borderline" protocol behaviour. The DNS protocol offers a multitude of message bits, response types, opcodes, classes, query types and label types, some of which are mutually exclusive while others are never used in query messages at all. Not every implementation offers the full set of features the DNS protocol currently has. Some implementations offer features outside the protocol set, and there are implementations that do not conform to standards.

Also, new features added to, or bugs removed from, an implementation allow for differentiation between its versions.
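One of the "borderline" questions fpdns can ask (its -c and -f options) is the CH-class TXT query for version.bind, which many nameservers answer with their version string. As an added example, not code from fpdns or from this post, the following Python script builds that query by hand, parses the TXT answer, and lets an administrator confirm that their own server refuses or hides the version; the server address is a hypothetical placeholder and the sample response used for testing is constructed.

```python
import socket
import struct
import sys

QTYPE_TXT, QCLASS_CH = 16, 3  # TXT record in the CHAOS class


def build_version_query(name="version.bind", qid=0x1234):
    """Build a raw DNS query for <name> TXT CH (12-byte header + question)."""
    qname = b"".join(struct.pack("B", len(label)) + label.encode()
                     for label in name.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # flags 0: no RD
    return header + qname + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_txt_answers(msg):
    """Return the RCODE and every TXT string found in the answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:                  # RDATA is a run of <len><chars>
            i = 0
            while i < len(rdata):
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
    return {"rcode": flags & 0xF, "txt": texts}


def check_server(server, port=53, timeout=5):
    """Send the query over UDP; an empty 'txt' list means no version leaked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, port))
        return parse_txt_answers(s.recv(512))


if __name__ == "__main__":   # placeholder server: your own nameserver's address
    print(check_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A server that has been configured to hide its version typically answers with RCODE 5 (REFUSED) or an empty answer section, so the printed "txt" list is empty.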

Using fpdns

fpdns [-c] [-d] [-f] [-p port] [-Q srcaddr] [-r retry] [-s] [-t timeout] [-v] server

Where: server is an ip address or a resolvable name
or ‘-’ to read list of servers from stdin
-c (where appropriate check CH TXT version) [off]
-d (debug) [off]
-f (force check CH TXT version) [off]
-F (maximum forked processes) [10]
-p port (nameserver is on this port) [53]
-Q srcaddr (source IP address) [0.0.0.0]
-r retry (set number of attempts) [1]
-s (short form) [off]
-t time (set query timeout) [5]
-v (show version)

Example output:

$ fpdns localhost
fingerprint (localhost, 127.0.0.1): TIMEOUT
fingerprint (localhost, 0:0:0:0:0:0:0:1): TIMEOUT

$ fpdns -D google.com
fingerprint (google.com, 216.239.34.10): XBILL jnamed (dnsjava)
fingerprint (google.com, 216.239.32.10): XBILL jnamed (dnsjava)
fingerprint (google.com, 216.239.38.10): XBILL jnamed (dnsjava)
fingerprint (google.com, 216.239.36.10): XBILL jnamed (dnsjava)

How to install nmap on Ubuntu

Nmap is a utility for network exploration or security auditing. It supports ping scanning (determining which hosts are up), many port scanning techniques, version detection (determining the service protocols and application versions listening behind ports), and TCP/IP fingerprinting (remote host OS or device identification). Nmap also offers flexible target and port specification, decoy/stealth scanning, SunRPC scanning, and more. Most Unix and Windows platforms are supported in both GUI and command-line modes. Several popular handheld devices are also supported, including the Sharp Zaurus and the iPAQ.

Open a terminal and enter:

$ sudo apt-get install nmap

How to use nmap:

$ sudo nmap <domain name or IP address>

This is the simplest syntax for scanning the open ports on a remote system. The other switches are used for more selective scans.

Command-line options:

Nmap has lots of options, so we are going to focus on only some of them.

$ sudo nmap -sS -O 127.0.0.1
  -sS   TCP SYN scan
  -O    Enable operating system detection

$ sudo nmap -sU 127.0.0.1
  -sU   UDP port scan

$ sudo nmap -sS -O -p 20-25 127.0.0.1
  -sS      TCP SYN scan
  -p 20-25 Scan ports 20 to 25 only

$ sudo nmap -sS -F 127.0.0.1
  -sS   TCP SYN scan
  -F    Fast (limited port) scan