Sniffing out a box.

Forum Moderators: bakedjake

Message Too Old, No Replies

Sniffing out a box.

ahem, (*nix webserver that is...)

Brett_Tabke

9:34 pm on Jul 19, 2001 (gmt 0)

What's a good strategy for sniffing out what type of os and box you are on from the command line? Even if things are disabled, obfuscated, or out of your group that you'd normally use:
foo2:~$ uptime
4:23pm up 0 min, 1 user, load average: 0.00, 0.00, 0.00
foo2:~$ ps
bash: /bin/ps: Permission denied
foo2:~$ w
Segmentation fault
foo2:~$

I run into this one an different servers. Where to go from there? ya...I've probably tried it...

theperlyking

9:43 pm on Jul 19, 2001 (gmt 0)

Have you tried:
uname -a

added:
or using the "whats that site running" form at [uptime.netcraft.com...] on one of its hosted sites?

evinrude

10:43 pm on Jul 19, 2001 (gmt 0)

Sneaky ways to determine the OS you are on.

1. perl -v : often tells the environment it was compiled for.
2. on "not so well" designed *nix systems, locate the file dmesg and view it (most likely...errr...hopefully...you'll get a permission denied).
3. <? phpinfo() ?> Assuming PHP Access, anyway.

The netcraft link is probably best bet if all others are locked down. But if they're paranoid enough to lock out every other possible command, they probably have altered what their server reports, as well.

littleman

10:55 pm on Jul 19, 2001 (gmt 0)

gcc -dumpmachine -> the most reliable for me :)
echo $MACHTYPE

could also try:
less /etc/redhat-release
less /etc/debian_version

uname -a will give the OS but doesn't tell much about package configuration.

sugarkane

11:00 pm on Jul 19, 2001 (gmt 0)

telnet 127.0.0.1 80
HEAD / HTTP/1.0
[return]
[return]

...will give info on the server - basically a command line version of the netcraft tool.

Brett_Tabke

11:34 pm on Jul 19, 2001 (gmt 0)

I've tried all but littles' trick with gcc before. (they've covered their bases here). So far, Generic linux is all that can be determined. I'll have to assume its RH. I've not done the core dump yet...hehe. That's a good one.

/etc is off limits.
Although, I'd not tried the perl -V recently and found the box name it was compiled on anyway (dev1.host4u.net) which reveals a touch about the real host.

Some day we are going to find out that all these little hosting companies are really owned by exodus.net. Is there anyone out there who actually OWN's their own box that they sell hosting on anymore...

evinrude

1:02 am on Jul 20, 2001 (gmt 0)

Hmmmm....some others...

4. If you have access to compile your own binaries, you could locate the source to uname...may or may not work.

5. If /var contains a "cobalt" directory you are most likely on a Cobalt RaQ/Qube/whatever, running their version of RedHat.

6. at the prompt - "locate redhat" (or other linux distro)
6a. at the prompt - "find / -name redhat" (or other linux distro) should generate lots o' permission denieds, but could have useful info.

7. FTP in and read the greeting message?

msgraph

2:10 am on Jul 20, 2001 (gmt 0)

There is a program out there called Genius from www.indiesoft.com

It'll do a http request with a detailed output on any URL you want. You can even spoof the UA

cmd > GET / HTTP/1.0
cmd > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
cmd > User-Agent: Blahblah
cmd > Host: www.ajdfkljasldasf.com
cmd > Pragma: no-cache
cmd >
text/html => document.htm
Document = document.htm
RequestDone Error = 0
StatusCode = 200
hdr>HTTP/1.1 200 OK
hdr>Date: Fri, 20 Jul 2001 02:05:29 GMT
hdr>Server: Apache/1.3.12 (Unix) mod_rdbcookie/1.0 mod_backwash/3.36 yasl/2.21 mod_oas/4.65m sw/1.5 rewrite/3.3 include/3.6
hdr>Set-Cookie: LANG=eng; path=/; domain=.agagdsagsdg.com
hdr>Connection: close
hdr>Content-Type: text/html

maybe this can help figure out how to do it off of a prompt. I'm not too well versed in the tech parts of it. I just code other stuff

windsor

6:02 am on Jul 20, 2001 (gmt 0)

"uname -a" is about the best start. Then if you are on a linux box you'll need to poke around as littleman mentioned to determine what your userland is.

POSIX dictates that there should be a "uname", so just about every *NIX includes it with the base binary set (I can't think of one that doesn't have it).

See manpage for details. :>

Rob++