Provided by: xprobe_0.3-4_amd64 bug


       xprobe2 - A Remote active operating system fingerprinting tool.


       xprobe2 [ -v ] [ -r ] [ -p proto:portnum:state ] [ -c configfile ] [ -o logfile ] [ -p
       port ] [ -t receive_timeout ] [ -m numberofmatches ] [ -D modnum ] [ -F ] [ -X ] [ -B ] [
       -A ] [ -T port spec ] [ -U port spec ] host


       xprobe2  is  an  active  operating system fingerprinting tool with a different approach to
       operating system fingerprinting. xprobe2 relies on fuzzy signature matching, probabilistic
       guesses, multiple matches simultaneously, and a signature database.

       The  operation  of xprobe2 is described in a paper titled "xprobe2 - A ´Fuzzy´ Approach to
       Remote Active Operating System Fingerprinting", which is  available  from  http://www.sys-

       As  xprobe2  uses  raw  sockets to send probes, you must have root privileges in order for
       xprobe2 to be able to use them.


       -v     be verbose.

       -r     display route to target (traceroute-like output).

       -c     use configfile to read the configuration file,  xprobe2.conf,  from  a  non-default

       -D     disable module number modnum.

       -m     set number of results to display to numofmatches.

       -o     use logfile to log everything (default output is stderr).

       -p     specify  port  number (portnum), protocol (proto) and it's state for xprobe2 to use
              during rechability/fingerprinting tests of remote host. Possible values  for  proto
              are   tcp  or   udp,  portnum  can  only take values from  1 to 65535, state can be
              either closed (for  tcp that means that remote host replies with  RST  packet,  for
              udp  that means that remote host replies with ICMP Port Unreachable packet) or open
              (for  tcp that means that remote host replies with SYN ACK packet and for  udp that
              means that remote host doesn't send any packet back).

       -t     set  receive  timeout  to  receive_timeout  in  seconds  (the  default is set to 10

       -F     generate signature for specified target (use -o to save fingerprint into file)

       -X     write XML output to logfile specified with -o

       -B     causes xprobe2 to be a bit more noisy, as -B makes TCP handshake module to try  and
              blindly  guess  an open TCP port on the target, by sending sequential probes to the
              following well-known ports: 80, 443, 23, 21, 25, 22, 139, 445 and  6000  hoping  to
              get SYN ACK reply. If xprobe2 receives RST|ACK or SYN|ACK packets for a port in the
              list above, it will be saved in the target port database to be later used by  other
              modules (i.e. RST module).

       -T, -U enable  built-in  portscanning  module,  which  will attempt to scan TCP and/or UDP
              ports respectively, which were specified in port spec

       -A     enable  experimental   support   for   detection   of   transparent   proxies   and
              firewalls/NIDSs  spoofing RST packets in portscanning module. Option should be used
              in conjunction with -T. All responses  from  target  gathered  during  portscanning
              process are divided in two classes (SYN|ACK and RST) and saved for analysis. During
              analysis module will search for different packets, based on some of the  fields  of
              TCP  and  IP  headers, within the same class and if such packets are found, message
              will be displayed showing different packets within the same class.


              xprobe2 -v -D 1 -D 2

              Will launch an OS fingerprinting attempt targeting Modules 1  and  2,
              which  are  reachability  tests,  will  be disabled, so probes will be sent even if
              target is down. Output will be verbose.

              xprobe2 -v -p udp:53:closed

              Will launch an OS fingerprint attempt targeting The  UDP  destination
              port is set to 53, and the output will be verbose.

              xprobe2 -M 11 -p tcp:80:open

              Will  only enable TCP handshake module (number 11) to probe the target, very useful
              when all ICMP traffic is filtered.

              xprobe2 -B

              Will cause TCP handshake module to try blindly guess open port  on  the  target  by
              sequentially  sending  TCP  packets to the most likely open ports (80, 443, 23, 21,
              25, 22, 139, 445 and 6000).

              xprobe2 -T 1-1024

              Will enable portscanning module, which will scan TCP ports starting from 1 to  1024

              xprobe2 -p tcp:139:open

              If  remote  target  has  TCP  port  139  open,  the  command line above will enable
              application level SMB module (if remote target has TCP port 445 open, substitue 139
              in the command line with 445).

              xprobe2 -p udp:161:open

              Will enable SNMPv2c application level module, which will try to retrieve sysDescr.0
              OID using community strings taken from xprobe2.conf file.


       xprobe2 fingerprints remote operating system by analyzing the replies from the target,  so
       to  get  the  most  out  of xprobe2 you need to supply xprobe2 with as much information as
       possible, in particular it is important to supply at least  one  open  TCP  port  and  one
       closed  UDP  port.  Open  TCP  port  can either be provided in command line (-p), obtained
       through built-in portscanner (-T) or -B option can be used to  cause  xprobe2  to  try  to
       blindly  guess  open  TCP  port. UDP port can be supplied via command line (-p) or through
       built-in portscanner (-U).


       xprobe has been developed in 2001 based  on research performed by  Ofir  Arkin  <ofir@sys->.  The  code  has  been officially released at the BlackHat Briefings in Las-
       Vegas in 2001. xprobe2 is a logical  evolution  of  xprobe  code.  Signature  based  fuzzy
       fingerprinting logic was embedded.


       nmap(1) queso(1) pcap(3)


       Fyodor  Yarochkin  <>,  Ofir  Arkin <>, Meder Kydyraliev

       (see also CREDITS in distro tarball).


       The current version and relevant documentation is available from following url:


       None known (please report).