Dailydave mailing list archives

Re: how to remotely fingerprint 2k3 SP0 vs SP1 ?


From: Rich Smith <richard.j.smith () hp com>
Date: Fri, 10 Jun 2005 10:59:54 +0100

Cheers for the explanation for the lack of mstask.exe UUIDs in 2k3 SP1 and
the links :)

It was Urity's presentation which set me off down the road of looking
at/implementing RPC fingerprinting in the first place :). After the
presentation I thought more people would investigate the
technique... doesn't seem like many people have; however, I find it
quite a useful technique in many situations.

--Rich--

On Fri, 2005-06-10 at 11:37 +0200, Jean-Baptiste Marchand wrote:
> * Rich Smith <richard.j.smith () hp com> [10/06/05 - 10:16]:
>
> > -- SP1 does not show endpoint UUID data for the mstask.exe whereas SP0
> > has quite a number of entries (typically 20+).
>
> Right, in Windows Server 2003 SP1, the Task Scheduler service
> (mstask.exe process) does not register its RPC services on the
> ncacn_ip_tcp transport but only on the ncacn_np transport (\pipe\atsvc):
>
> http://www.hsc.fr/ressources/articles/win_net_srv/ch04s09s02.html
>
> http://www.hsc.fr/ressources/breves/min_w2k3_net_srv.html.en
>
> Urity gave in 2004 a presentation on the subject of fingerprinting systems
> looking at registered RPC interfaces, you might be interested in looking
> at the RpcScan tool and the related presentation:
>
> http://www.securityfriday.com/tools/RpcScan.html
>
> Jean-Baptiste Marchand
-- 
Rich Smith

Trusted Systems Laboratory
Hewlett Packard Labs

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
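
The transport difference discussed in this thread can be checked from an endpoint-map listing when auditing which RPC interfaces a server exposes over TCP. The following is an added example, not code from the thread or from RpcScan; the one-entry-per-line input format, the host names and addresses are constructed assumptions, and the UUID is the well-known Task Scheduler atsvc interface.

```python
import re
from collections import defaultdict

# Well-known interface UUID of the Task Scheduler "atsvc" RPC interface.
ATSVC = "1ff70682-0a51-30e8-076d-740be8cee98b"

# Constructed sample input: one "<interface uuid> <string binding>" per line.
# The line format, hosts and ports are assumptions, not real tool output.
SP0_LIKE = r"""
1ff70682-0a51-30e8-076d-740be8cee98b ncacn_ip_tcp:192.0.2.10[1025]
1ff70682-0a51-30e8-076d-740be8cee98b ncacn_np:\\HOSTA[\pipe\atsvc]
"""
SP1_LIKE = r"""
1ff70682-0a51-30e8-076d-740be8cee98b ncacn_np:\\HOSTB[\pipe\atsvc]
"""

LINE = re.compile(
    r"^(?P<uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+"
    r"(?P<protseq>[a-z_]+):(?P<addr>[^\[]*)\[(?P<endpoint>[^\]]*)\]$",
    re.IGNORECASE,
)

def transports_by_interface(dump):
    """Map each interface UUID to {protseq: [endpoints]}; skip malformed lines."""
    result = defaultdict(lambda: defaultdict(list))
    for raw in dump.splitlines():
        m = LINE.match(raw.strip())
        if m:
            result[m["uuid"].lower()][m["protseq"].lower()].append(m["endpoint"])
    return result

def exposure(dump, uuid=ATSVC):
    """Classify where one interface is registered in the listing."""
    protos = transports_by_interface(dump).get(uuid, {})
    if not protos:
        return "not registered"
    if "ncacn_ip_tcp" in protos:
        return "tcp"
    if set(protos) == {"ncacn_np"}:
        return "named pipe only"
    return "other"

if __name__ == "__main__":
    for name, dump in (("SP0-like", SP0_LIKE), ("SP1-like", SP1_LIKE)):
        print(name, "atsvc:", exposure(dump))
```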

