xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple matches simultaneously, and a signature database.
Because xprobe2 sends its probes through raw sockets, it must be run with root privileges. Some of its logic has since been absorbed into Nmap. It is an active OS fingerprinting tool, meaning it sends actual packets to the machine it is fingerprinting, unlike a passive tool such as p0f, which only listens to existing traffic.
Xprobe2 Active OS Fingerprinting Tool Features
- Port scanning is now available through the -T (TCP) and -U (UDP) command line options
- Added the -B command line option (‘blind port guess’), used to search for an open TCP port among the following ports: 80, 21, 25, 22, 139
- An XSD schema is included with the distribution, and the XML output complies with that XSD
- The loopback interface (lo) is supported
If you want to understand more in depth you can check out the paper: xprobe2 – A ‘Fuzzy’ Approach to Remote Active Operating System Fingerprinting
How to use Xprobe2 For OS Fingerprinting
xprobe2 [ -v ] [ -r ] [ -p proto:portnum:state ] [ -c configfile ] [ -o logfile ] [ -p port ] [ -t receive_timeout ] [ -m numberofmatches ] [ -D modnum ] [ -F ] [ -X ] [ -B ] [ -A ] [ -T port spec ] [ -U port spec ] host
-v be verbose.
-r display route to target (traceroute-like output).
-c use configfile to read the configuration file, xprobe2.conf, from a non-default location.
-D disable module number modnum.
-m set number of results to display to numofmatches.
-o use logfile to log everything (default output is stderr).
-p specify the port number (portnum), protocol (proto) and its state for xprobe2 to use during reachability/fingerprinting tests of the remote host. Possible values for proto are tcp or udp; portnum can only take values from 1 to 65535; state can be either closed (for tcp, meaning the remote host replies with an RST packet; for udp, meaning the remote host replies with an ICMP Port Unreachable packet) or open (for tcp, meaning the remote host replies with a SYN ACK packet; for udp, meaning the remote host does not send any packet back).
-t set receive timeout to receive_timeout in seconds (the default is set to 10 seconds).
-F generate a signature for the specified target (use -o to save the fingerprint to a file).
-X write XML output to the logfile specified with -o.
-B causes xprobe2 to be noisier: it makes the TCP handshake module try to blindly guess an open TCP port on the target by sending sequential probes to the following well-known ports: 80, 443, 23, 21, 25, 22, 139, 445 and 6000, hoping to get a SYN ACK reply. If xprobe2 receives RST|ACK or SYN|ACK packets for a port in the list above, that port is saved in the target port database to be used later by other modules (e.g. the RST module).
-T, -U enable the built-in port scanning module, which attempts to scan the TCP and/or UDP ports respectively given in port spec.
-A enable experimental support in the port scanning module for detecting transparent proxies and firewalls/NIDSs that spoof RST packets. This option should be used in conjunction with -T. All responses from the target gathered during the port scan are divided into two classes (SYN|ACK and RST) and saved for analysis. During analysis the module searches, within each class, for packets that differ in some of the fields of the TCP and IP headers; if such packets are found, a message is displayed showing the differing packets within the same class.
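The -A analysis described above, as an added example written for this page and not xprobe2's own code: it groups constructed port-scan responses into the SYN|ACK and RST classes and reports header fields that take more than one value within a class. The fields compared (TTL, DF bit, TCP window) and the record layout are assumptions; the page does not say which header fields xprobe2 inspects.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpResponse:
    """One parsed reply to a port probe (constructed layout, not xprobe2's)."""
    port: int      # target port that answered
    flags: str     # "SA" for SYN|ACK, "RA"/"R" for RST
    ttl: int       # IP TTL as received
    df: bool       # IP Don't-Fragment bit
    window: int    # TCP window size


# Assumed set of header fields compared within a response class. These are
# chosen by the responding stack, so a middlebox forging RSTs on the host's
# behalf tends to disagree with the host's genuine replies on at least one.
COMPARED_FIELDS = ("ttl", "df", "window")


def classify(responses):
    """Split responses into the two classes the -A analysis uses."""
    classes = defaultdict(list)
    for r in responses:
        if r.flags == "SA":
            classes["SYN|ACK"].append(r)
        elif "R" in r.flags:
            classes["RST"].append(r)
    return classes


def find_inconsistencies(responses):
    """Return {class: [(field, {value: [ports]}), ...]} for fields that
    differ within a class; an empty dict means every class was uniform."""
    report = {}
    for cls, pkts in classify(responses).items():
        findings = []
        for field in COMPARED_FIELDS:
            by_value = defaultdict(list)
            for p in pkts:
                by_value[getattr(p, field)].append(p.port)
            if len(by_value) > 1:          # same class, different header values
                findings.append((field, dict(by_value)))
        if findings:
            report[cls] = findings
    return report


# Constructed sample: the host itself answers with TTL 64 and DF set, while the
# RSTs for ports 23 and 139 arrive with TTL 255 and DF clear, as RSTs injected
# by a firewall rather than by the host's stack might look.
SAMPLE = [
    TcpResponse(22, "SA", 64, True, 5840),
    TcpResponse(80, "SA", 64, True, 5840),
    TcpResponse(21, "RA", 64, True, 0),
    TcpResponse(23, "RA", 255, False, 0),
    TcpResponse(139, "RA", 255, False, 0),
]

if __name__ == "__main__":
    for cls, findings in find_inconsistencies(SAMPLE).items():
        for field, groups in findings:
            print(f"[{cls}] differing {field}: {groups}")
```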