OS fingerprinting with xprobe

I was asked to identify Linux servers running on our 10.x global network. Instead of scanning the entire Class A address space (2^24 hosts, or 16,777,216 hosts!), we were content with scanning hosts listed in our internal DNS.

nmap's OS fingerprinting (-O flag) could have been used to determine the remote operating system, but it is not as fast as xprobe.

I used the following procedure to fingerprint all "live" hosts in our DNS namespace. After the process is complete, I searched through the output for hosts running Linux.


1. Perform a zone transfer of the DNS zone to scan.
dig @namesever DNS_zone_to_transfer axfr > axfr.out

2. Scan each host in axfr.out using the following logic:

* Do not include lines in axfr.out beginning with a comment (;)
* Send one ICMP ECHO REQUEST (ping) packet to each host in axfr.out. If an ICMP ECHO REPLY is not returned within one second, do not run xprobe against the host.
* Print the host and OS fingerprint to both STDOUT and fingerprint.out using the tee command.


for i in `grep -v "^;" axfr.out | awk '{print $5}'`
   ping -c 1 -w 1 $i > /dev/null 2>&1
   if [ $? -eq 0 ] ; then
      xprobe -o xprobe.tmp $i > /dev/null 2>&1
      OS=`grep FINAL xprobe.tmp`
      rm xprobe.tmp
      echo "$i $OS" | tee -a fingerprint.out

Back to brandonhutchinson.com.

Last modified: 01/13/2003