Re: how to remotely fingerprint 2k3 SP0 vs SP1 ?

[Dave Aitel <dave () immunitysec com>]

One thing CANVAS does to determine random things is fingerprint COM 
objects present on remote systems. This can often tell you if a certain 
software package is available or not. I haven't seen anyone else do this 
yet, but it's not that hard...

-dave


Rich Smith wrote:

> Cheers for the explanation for the lack mstask.exe UUID's in 2k3 SP1 and
> the links :)
>
> It was Urity's presentation which set me off down the road of looking
> at/implementing RPC fingerprinting in the first place :), after the
> presentation I thought more people would investigate the
> technique.......doesn't seem like many people have, however I find it
> quite a useful technique in many situations.
>
> --Rich--
>
> On Fri, 2005-06-10 at 11:37 +0200, Jean-Baptiste Marchand wrote:
>  
>
> > * Rich Smith <richard.j.smith () hp com> [10/06/05 - 10:16]:
> >
> >    
> >
> > > -- SP1 does not show endpoint UUID data for the mstask.exe whereas SP0
> > > has quite a number of entries (typically 20+).
> > >      
> > Right, in Windows Server 2003 SP1, the Task Scheduler service
> > (mstask.exe process) does not register its RPC services on the
> > ncacn_ip_tcp transport but only on the ncacn_np transport (\pipe\atsvc):
> >
> > http://www.hsc.fr/ressources/articles/win_net_srv/ch04s09s02.html
> >
> > http://www.hsc.fr/ressources/breves/min_w2k3_net_srv.html.en
> >
> >
> > Urity gave in 2004 a presentation on the subject of fingerprinting systems
> > looking at registered RPC interfaces, you might be interested in looking
> > at the RpcScan tool and the related presentation:
> >
> > http://www.securityfriday.com/tools/RpcScan.html
> >
> > Jean-Baptiste Marchand
> >    

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave