Full Disclosure mailing list archives

FYI : Satori - Passive OS fingerprinting, revisited


From: Thierry Zoller <Thierry () Zoller lu>
Date: Sat, 12 Aug 2006 18:45:26 +0200



Dear List,
Just posted a bit of information about a tool that (imho) has not seen
the spotlight it deserves. Its name is Satori.


Excerpt from my post:
---------------------------------------------------------------------
I started using this tool last year and it became immediately
obvious to me that this is a great tool to have. Its name is Satori
[1]; if you have never heard about it, that is not proof the tool is no
good but rather that its author Eric Kollmann does not really seem
to care if you do (or at least doesn't scream it from the top of
every house).

I found out about Satori while reading the paper [2] "Chatter on the Wire"
(from the same author), which goes to great length about passive OS
fingerprinting and its potential for improvement over the way it is done by
several other tools. What is interesting is that the paper was not only
theoretical but rather practical; its outcome was Satori, a
beautiful plug-in based passive enumeration and fingerprinting tool.

Satori uses WinPcap and captures packets passively at the NDIS level;
every packet flying by is scrutinised for information that might
determine its OS. Nothing new here, you might say, but Satori does
the fingerprinting on:

DHCP, BOOTP, ICMP, TCP, CDP, EIGRP, HPSP, HSRP, HTTP, IPX, SMB,
SNMP, STP, UPNP precisely enough to either correlate the results with
nmap or to rely on them. It makes spotting potentially vulnerable
systems a breeze.

--------------------------------------------------------------------
I'd like to encourage you to submit signatures or even plugins to the
author. He is actively developing it and is very interested in
feedback. [3]

[1] Satori : http://myweb.cableone.net/xnih/mortalx.htm
[2] Chatter on the Wire : http://myweb.cableone.net/xnih/download/OS%20FingerPrint.pdf
[3] Eric Kollmann <xnih13 () gmail com>



-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 4813 c403 58f1 1200 7189 a000 7cf1 1200 9f89 a000

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
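The passive TCP SYN fingerprinting the post describes (TTL, window size, DF bit and option layout read off packets as they fly by), as an added example that is not part of the original post and not Satori's code. The Ethernet/IPv4/TCP frames, the option layouts and the three-entry signature table are constructed here for illustration; the labels are assumptions and are not Satori's signature database.

```python
"""Passive TCP SYN fingerprinting: constructed example, not Satori's code."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Signature key: (initial TTL, window size, DF bit set, TCP option layout).
# Illustrative entries only; a real database (Satori's, p0f's) is far larger.
SIGNATURES = {
    (64, 29200, True, "mss,sackok,ts,nop,ws"): "Linux-like stack (illustrative)",
    (128, 8192, True, "mss,nop,ws,nop,nop,sackok"): "Windows-like stack (illustrative)",
    (64, 65535, True, "mss,nop,ws,nop,nop,ts,sackok,eol"): "BSD-like stack (illustrative)",
}

# Constructed option blobs (already padded to a 4-byte boundary).
LINUX_LIKE_OPTIONS = (b"\x02\x04\x05\xb4"          # MSS 1460
                      + b"\x04\x02"                 # SACK permitted
                      + b"\x08\x0a" + b"\x00" * 8   # timestamps
                      + b"\x01"                     # NOP
                      + b"\x03\x03\x07")            # window scale 7
WINDOWS_LIKE_OPTIONS = b"\x02\x04\x05\xb4\x01\x03\x03\x08\x01\x01\x04\x02"


@dataclass
class SynSignature:
    observed_ttl: int
    initial_ttl: int
    window: int
    df: bool
    mss: Optional[int]
    wscale: Optional[int]
    options: str

    def key(self):
        return (self.initial_ttl, self.window, self.df, self.options)


def guess_initial_ttl(ttl: int) -> int:
    """Round the observed TTL up to the nearest common initial value."""
    for base in (32, 64, 128, 255):
        if ttl <= base:
            return base
    return 255


def parse_tcp_options(data: bytes) -> Tuple[str, Optional[int], Optional[int]]:
    """Return (layout string, MSS, window scale); stops at EOL like a real stack."""
    names, mss, wscale, i = [], None, None, 0
    while i < len(data):
        kind = data[i]
        if kind == 0:
            names.append("eol")
            break
        if kind == 1:
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated TCP option")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad TCP option length")
        body = data[i + 2:i + length]
        if kind == 2:
            names.append("mss")
            mss = struct.unpack("!H", body)[0]
        elif kind == 3:
            names.append("ws")
            wscale = body[0]
        elif kind == 4:
            names.append("sackok")
        elif kind == 8:
            names.append("ts")
        else:
            names.append(f"opt{kind}")
        i += length
    return ",".join(names), mss, wscale


def extract_syn_signature(frame: bytes) -> Optional[SynSignature]:
    """Pull the fingerprint fields from an Ethernet/IPv4/TCP frame; None if not a SYN."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl or ip[9] != 6:
        return None
    ttl = ip[8]
    df = bool(struct.unpack("!H", ip[6:8])[0] & 0x4000)
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4
    if tcp[13] & 0x3F != 0x02:          # SYN only; SYN/ACK, ECN bits ignored
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    layout, mss, wscale = parse_tcp_options(tcp[20:data_offset])
    return SynSignature(ttl, guess_initial_ttl(ttl), window, df, mss, wscale, layout)


def fingerprint(frame: bytes):
    """Return (signature, label) for a SYN frame, or None for anything else."""
    sig = extract_syn_signature(frame)
    return None if sig is None else (sig, SIGNATURES.get(sig.key(), "unknown"))


def build_frame(ttl: int, window: int, df: bool, options: bytes, tcp_flags: int = 0x02) -> bytes:
    """Constructed test frame (checksums left zero; the parser does not verify them)."""
    if len(options) % 4:
        raise ValueError("TCP options must pad to a 4-byte boundary")
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"
    tcp_len = 20 + len(options)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                     0x4000 if df else 0, ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4, tcp_flags, window, 0, 0)
    return eth + ip + tcp + options


if __name__ == "__main__":
    sig, label = fingerprint(build_frame(57, 29200, True, LINUX_LIKE_OPTIONS))
    print(sig, label)
```

The observed TTL of 57 is mapped back to an initial TTL of 64 before lookup, which is why a host several hops away still matches; a SYN/ACK (flags 0x12) is ignored so the signature reflects the initiating stack, and a layout that is not in the table comes back as "unknown" rather than a guess.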
