Sunday, March 25, 2012

Free Best OCR

I just needed a cool yet free OCR tool and was trying my hands on the many available ones, but finally found the three below to be the best, in order of accuracy and efficiency:

  1. OnlineOCR (one plus is that it gives me a download option with various output formats)
  2. Free-OCR
  3. NewOCR

Extracting text from an image is now so simple!

Engineering attempts at automated recognition of printed characters started well before World War II, but it was only by the early 1950s that commercial attempts with funded R&D were undertaken in this area.

OCR has since reached new heights. I know of some engineering efforts at IITG where handwritten character recognition has taken on a whole new dimension and is heading for interesting results in this niche area.



Sunday, March 4, 2012

OS Fingerprinting

Yo Dawg! You never told me it's a pure Windows box, and I wasted my time trying SSH rather than RDP! A common fuming statement from most Ops guys!?

OS fingerprinting is normally used by attackers to probe a wide variety of hosts and add them to hit-lists for when the next application/OS exploit is released. The idea is that they should not waste time trying IIS exploits against Linux hosts.

Well, in either case, let us also learn how this can be done.

Network traffic from a computer system can be captured and analyzed to detect which OS the host is running (passive fingerprinting, as opposed to the active probing done by tools such as nmap -O or Xprobe2 below). This is possible because the TCP/IP stack is implemented slightly differently in each operating system, and those differences show up in the first packet of a connection.

The TCP/IP fields and options that typically vary between stacks include the following:

  1. Initial packet size (IP total length, 16 bits)
  2. Initial TTL (8 bits)
  3. Window size (16 bits)
  4. Max segment size (MSS option, 16-bit value)
  5. Window scaling value (window-scale option, 8-bit shift count)
  6. "don't fragment" flag (1 bit in the IP header)
  7. "sackOK" option (SACK permitted, a 2-byte option)
  8. "nop" option (1-byte padding; how many are used, and where, differs per stack)
Some of the most commonly known initial TTL and TCP window values are shown below:

Operating System (OS)               Initial TTL    TCP Window
Linux Kernel (2.4 and 2.6)
Windows XP
Windows 7, Vista and Server 2008
FreeBSD
Cisco Router (IOS 12.4)
The initial TTL value is a little tricky to analyze, since the TTL of a sniffed packet depends on where you sniff it. The sender sets the TTL to the operating system's default, but the value is then decremented by one for every router the packet passes through on its way to the destination IP address. Hence an IP packet with a TTL of 55 can be expected to have had an initial TTL of 64 and to have crossed 9 router hops before it was sniffed. The usual rule of thumb is to pick the smallest common default (32, 64, 128 or 255) that is at or above the observed value: a TTL of 55 is far more likely to be a 64-default host 9 hops away than a 128-default host 73 hops away. Keep in mind that the default is a tunable (net.ipv4.ip_default_ttl on Linux, for example), so a hardened or deliberately disguised host can lie.
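The passive technique described above (read the varying fields off the first SYN, then work back from the observed TTL to a likely initial TTL and hop count) written out as a small Python parser. This is an added example, not code from the original post: the SYN it parses is constructed inline, and the list of common initial TTLs (32/64/128/255) and the coarse class labels attached to them are assumptions about typical stack defaults, not the page's own table.

```python
"""Passive fingerprinting of one raw IPv4+TCP SYN (added illustration)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Assumption: the initial TTLs shipped by mainstream stacks.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
# Assumption: a coarse, illustrative label per default; not a signature database.
TTL_CLASS = {32: "legacy / misc", 64: "Linux / BSD class",
             128: "Windows class", 255: "Cisco IOS / network-device class"}


@dataclass
class SynFingerprint:
    total_length: int            # IP total length of the initial packet
    ttl: int                     # TTL as seen at the sniffer, not the sender's default
    dont_fragment: bool          # IP DF bit
    window: int                  # TCP window size
    mss: Optional[int]           # MSS option value, if present
    window_scale: Optional[int]  # window-scale shift, if present
    sack_ok: bool                # SACK-permitted option present
    nop_count: int               # number of NOP padding bytes in the options


def parse_syn(pkt: bytes) -> SynFingerprint:
    """Extract the fingerprint fields listed above from a bare SYN."""
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    if not (flags & 0x02) or (flags & 0x10):
        raise ValueError("not a bare SYN (first packet of a handshake)")
    opts = tcp[20:data_off]
    mss = wscale = None
    sack_ok, nops, i = False, 0, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP: one byte of padding
            nops += 1
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:      # MSS
            mss = struct.unpack("!H", body)[0]
        elif kind == 3 and length == 3:    # window scale
            wscale = body[0]
        elif kind == 4 and length == 2:    # SACK permitted
            sack_ok = True
        i += length
    return SynFingerprint(total_len, ttl, bool(flags_frag & 0x4000), window, mss, wscale, sack_ok, nops)


def guess_initial_ttl(observed_ttl: int):
    """Smallest common default at or above the observed TTL; returns (initial, hops)."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable: 255 is the maximum TTL")


def build_syn(ttl: int, window: int, mss: int, wscale: int, df: bool = True) -> bytes:
    """Constructed sample SYN, 10.0.0.5 -> 10.0.0.1:22; checksums are left zero."""
    opts = (struct.pack("!BBH", 2, 4, mss)          # MSS
            + b"\x01\x01"                            # NOP, NOP
            + struct.pack("!BB", 4, 2)               # SACK permitted
            + b"\x01"                                # NOP
            + struct.pack("!BBB", 3, 3, wscale))     # window scale
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 22, 1, 0, (data_off << 12) | 0x02, window, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + tcp


def fingerprint(pkt: bytes) -> dict:
    fp = parse_syn(pkt)
    initial, hops = guess_initial_ttl(fp.ttl)
    return {"observed_ttl": fp.ttl, "initial_ttl": initial, "hops": hops,
            "ttl_class": TTL_CLASS[initial], "window": fp.window, "mss": fp.mss,
            "window_scale": fp.window_scale, "sack_ok": fp.sack_ok,
            "df": fp.dont_fragment, "nops": fp.nop_count, "total_length": fp.total_length}


if __name__ == "__main__":
    # Constructed capture: a SYN whose TTL reads 55 at the sniffer (the post's example).
    sample = build_syn(ttl=55, window=5840, mss=1460, wscale=7)
    for key, value in fingerprint(sample).items():
        print(f"{key:>13}: {value}")
```

Run it as-is to see the fields of the constructed packet; against real traffic you would feed it the IP payload of a captured frame (strip the 14-byte Ethernet header first) and would also want to validate the checksums, which this parser deliberately skips. The TTL class is only a hint: the window, MSS and option ordering are what narrow a guess down to a specific stack.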

A very common first step is a plain ICMP ping: the TTL in the echo reply, read against the default values above, gives an initial idea of what OS the host might be running.


I would try multiple nmap combinations before coming to a conclusion (replace <target> with the host or range; -O needs root/raw-socket privileges, and -P0 is the older spelling of -Pn, which skips host discovery so a host that drops ping still gets scanned):

  nmap -sV -P0 -O <target>
  nmap -O -v <target>
  nmap -sV <target>
  nmap -vv -O -P0 <target>

Xprobe2 is a remote, active OS fingerprinting tool. A sample run (target address elided):

[root@DebaTestBox ~]# xprobe2

Xprobe2 v.0.3 Copyright (c) 2002-2005

[+] Target is
[+] Loading modules.
[+] Following modules are loaded:
[x] [1] ping:icmp_ping - ICMP echo discovery module
[x] [2] ping:tcp_ping - TCP-based ping discovery module
[+] Primary guess:
[+] Host 10.X.X.X Running OS: "OpenBSD 2.5" (Guess probability: 90%)

To be contd/-


8c tips for Freshers / NCG's

I have been having a great company with some of the very talented NCG’s ( New College Hires/ Grads ) last ~2yrs.  I work for Intuit I...