27 March 2012

xprobe2 -Remote active OS fingerprinting tool Tutorial

In our previous post Active OS fingerprinting tool The XProbe2 we posted an introduction of this tool. Today I am going to post Xprob2 command options, xprobe2-80x108firstly i described each and every option and below the post you will also find some examples which will helpful for you.

xprobe2 fingerprints remote operating system by analyzing the replies from the target, so to get the most out of xprobe2 you need to supply xprobe2 with as much information as possible, in particular it is important to supply at least one open TCP port and one closed UDP port. Open TCP port can either be provided in command line (-p), obtained through built-in portscanner (-T) or -B option can be used to cause xprobe2 to try to blindly guess open TCP port. UDP port can be supplied via command line (-p) or through built-in portscanner (-U).


Xprobe2 command options described below:

xprobe2 [ -v ] [ -r ] [ -p proto:portnum:state ] [ -c configfile ] [ -o logfile ] [ -p port ] [ -t receive_timeout ] [ -mnumberofmatches ] [ -D modnum ] [ -F ] [ -X ] [ -B ] [ -A ] [ -T port spec ] [ -U port spec ] host


be verbose.
display route to target (traceroute-like output).
use configfile to read the configuration file, xprobe2.conf, from a non-default location.
disable module number modnum.
set number of results to display to numofmatches.
use logfile to log everything (default output is stderr).
specify port number (portnum), protocol (proto) and it's state for xprobe2 to use during rechability/fingerprinting tests of remote host. Possible values for proto are tcp or udp, portnum can only take values from 1 to 65535, state can be eitherclosed (for tcp that means that remote host replies with RST packet, for udp that means that remote host replies with ICMP Port Unreachable packet) or open (for tcp that means that remote host replies with SYN ACK packet and for udp that means that remote host doesn't send any packet back).
set receive timeout to receive_timeout in seconds (the default is set to 10 seconds).
generate signature for specified target (use -o to save fingerprint into file)
write XML output to logfile specified with -o
causes xprobe2 to be a bit more noisy, as -B makes TCP handshake module to try and blindly guess an open TCP port on the target, by sending sequential probes to the following well-known ports: 80, 443, 23, 21, 25, 22, 139, 445 and 6000 hoping to get SYN ACK reply. If xprobe2 receives RST|ACK or SYN|ACK packets for a port in the list above, it will be saved in the target port database to be later used by other modules (i.e. RST module).
-T, -U
enable built-in portscanning module, which will attempt to scan TCP and/or UDP ports respectively, which were specified inport spec
enable experimental support for detection of transparent proxies and firewalls/NIDSs spoofing RST packets in portscanning module. Option should be used in conjunction with -T. All responses from target gathered during portscanning process are divided in two classes (SYN|ACK and RST) and saved for analysis. During analysis module will search for different packets, based on some of the fields of TCP and IP headers, withing the same class and if such packets are found, message will be displayed showing different packets withing the same class.


xprobe2 -v -D 1 -D 2

Will launch an OS fingerprinting attempt targeting Modules 1 and 2, which are reachability tests, will be disabled, so probes will be sent even if target is down. Output will be verbose.

xprobe2 -v -p udp:53:closed

Will launch an OS fingerprint attempt targeting The UDP destination port is set to 53, and the output will be verbose.

xprobe2 -M 11 -p tcp:80:open

Will only enable TCP handshake module (number 11) to probe the target, very usefull when all ICMP traffic is filtered.

xprobe2 -B

Will cause TCP handshake module to try blindly guess open port on the target by sequentially sending TCP packets to the most likely open ports (80, 443, 23, 21, 25, 22, 139, 445 and 6000).

xprobe2 -T 1-1024

Will enable portscanning module, which will scan TCP ports starting from 1 to 1024 on

xprobe2 -p tcp:139:open

If remote target has TCP port 139 open, the command line above will enable application level SMB module (if remote target has TCP port 445 open, substitue 139 in the command line with 445).

xprobe2 -p udp:161:open

Will enable SNMPv2c application level module, which will try to retrieve sysDescr.0 OID using community strings taken from xprobe2.conf file.

AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer. Follow 'AbhiShek SinGh' on Facebook , Twitter or Google+ or via Email

Subscribe to stay up to date