xprobe

What is Xprobe?
Written and maintained by Fyodor Yarochkin, Meder Kydyraliev and Ofir Arkin, Xprobe (I & II) is an active OS fingerprinting tool based on Ofir Arkin’s ICMP Usage In Scanning Research project. Xprobe is an alternative to some tools which are heavily dependent upon the usage of the TCP protocol for remote active operating system fingerprinting.

The first version of Xprobe2 combined various remote active operating system fingerprinting methods using the ICMP protocol, which were discovered during the “ICMP Usage in Scanning” research project, into a simple, fast, efficient and powerful way to detect the underlying operating system a targeted host is using.

Xprobe2 is an active operating system fingerprinting tool with a different approach to operating system fingerprinting. Xprobe2 relies on fuzzy signature matching, probabilistic guesses, multiple simultaneous matches, and a signature database.

Project History

Download
xprobe2-0.3.tar.gz

SHA-1: c28d48823c1b953f73fd1b1fbced5c77a63d2bf0
MD5: 3ebb89ed9380038d368327816e34ec54
First Version Published: August 9, 2002.
Current Version Published: July 29th, 2005.
Ofir Arkin, Fyodor Yarochkin, Meder Kydyraliev

Xprobe (1 & 2) are copyright © Ofir Arkin, Meder Kydyraliev and Fyodor Yarochkin 2001-2008

Papers

The Present and Future of Xprobe2 – The Next Generation of Active Operating System Fingerprinting
Published: July 31, 2003.
Ofir Arkin, Fyodor Yarochkin, Meder Kydyraliev

Although some advancement has been made in the field of active operating system fingerprinting in recent years, there are still many issues to resolve. This paper presents the enhancements made with Xprobe2 v0.2 RC1 and discusses the tool’s future development. Both the present and future versions of Xprobe2 introduce many enhancements and advancements to the field of active operating system fingerprinting, which are discussed throughout the paper.

The paper in PDF format [~492kb]

XProbe2 – A ‘Fuzzy’ Approach to Remote Active Operating System Fingerprinting
Version 1.0
Published: August 2nd, 2002.
Ofir Arkin & Fyodor Yarochkin

The tools used today for remote active operating system fingerprinting use a signature database to perform a match between the results they receive from a targeted machine and known operating system fingerprints. Usually, the process is done by utilizing strict signature matching to identify the type of the remote operating system. The operating system fingerprinting tools that rely on strict signature matching face several problems with their way of operation, which when present lead to false identification of the target operating system(s). With this paper we present a different approach to signature matching with remote active operating system fingerprinting. Our approach is one which aims to solve the problems presently faced by remote active operating system fingerprinting tools, as well as providing more accurate results when used against any network topology.

The paper in PDF format
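The contrast between strict and fuzzy signature matching described in the abstract above, as an added example that is not part of the original page or the Xprobe2 code base. The signature database, the OS names (OS-A to OS-C), the test names and the scoring rule are all constructed for illustration; they are assumptions, not Xprobe2's real signatures or algorithm.

```python
# Constructed signature database: hypothetical OS names and abstract test
# results. These are NOT real Xprobe2 signatures.
SIGNATURES = {
    "OS-A": {"initial_ttl": 64, "timestamp_reply": True,
             "mask_reply": False, "echo_code_zeroed": True},
    "OS-B": {"initial_ttl": 128, "timestamp_reply": True,
             "mask_reply": False, "echo_code_zeroed": True},
    "OS-C": {"initial_ttl": 255, "timestamp_reply": False,
             "mask_reply": True, "echo_code_zeroed": False},
}

# Constructed observation: the host behaves like OS-B, but one probe got no
# answer (None), for example because a filtering device dropped it.
OBSERVED = {"initial_ttl": 128, "timestamp_reply": None,
            "mask_reply": False, "echo_code_zeroed": True}


def strict_match(observed, signatures=SIGNATURES):
    """Return the OS names whose signature equals the observation exactly."""
    return [name for name, sig in signatures.items() if sig == observed]


def fuzzy_match(observed, signatures=SIGNATURES):
    """Score every signature and return (name, probability), best first.

    A test with no observation is skipped instead of counting as a
    mismatch, so one filtered probe does not discard the whole signature.
    """
    scores = {}
    for name, sig in signatures.items():
        answered = [t for t in sig if observed.get(t) is not None]
        hits = sum(1 for t in answered if observed[t] == sig[t])
        scores[name] = hits / len(answered) if answered else 0.0
    total = sum(scores.values())
    ranked = [(n, s / total if total else 0.0) for n, s in scores.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("strict:", strict_match(OBSERVED))
    for name, prob in fuzzy_match(OBSERVED):
        print(f"fuzzy:  {name} {prob:.0%}")
```

Strict matching returns no result for this observation because a single unanswered test breaks equality, while the fuzzy scorer still ranks every signature and reports more than one candidate with a probability.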

A remote active OS fingerprinting tool using ICMP
;login: Magazine, Volume 27, No. 2
Published: April, 2002.
The paper in PDF format

X
Version 1.0
Published: August 14, 2001.
Ofir Arkin & Fyodor Yarochkin

X is a logic which combines various remote active operating system fingerprinting methods using the ICMP protocol, which were discovered during the “ICMP Usage in Scanning” research project, into a simple, fast, efficient and powerful way to detect the underlying operating system a targeted host is using.

Xprobe is a tool written and maintained by Fyodor Yarochkin (fygrave@tigerteam.net) and Ofir Arkin (ofir@sys-security.com) that automates X.

Why X? – X is a very accurate logic.

Xprobe is an alternative to some tools which are heavily dependent upon the usage of the TCP protocol for remote active operating system fingerprinting. This is especially true when trying to identify some Microsoft based operating systems, when TCP is the protocol being used with the fingerprinting process. Since the TCP implementations in Microsoft Windows 2000 and Microsoft Windows ME, and in Microsoft Windows NT 4 and Microsoft Windows 98/98SE, are so close, usually when using the TCP protocol with a remote active operating system fingerprinting process we are unable to differentiate between these Microsoft based operating system groups. And this is only an example…

The paper in PDF format

ICMP based remote OS TCP/IP stack fingerprinting techniques
Phrack Magazine, Volume 11, Issue 57, File 7 of 12
Published: August 11, 2001.
The article in PDF format

Presentations
Please see the Past Conferences page.

Additional Sites
Sourceforge xprobe’s project page
