Nmap Development mailing list archives
Some thoughts from Defcon ...
From: "Andrew A. Vladimirov" <andrew () arhont com>
Date: Thu, 14 Aug 2003 18:08:40 +0000
Hi,

we talked at Defcon about stack fingerprinting, mapping firewall port forwarding rules and distinguishing the virtual IPs from the real hosts. As it was happening, our guys back in UK were running a pentest and, while doing the tested network recon, found a very obvious but not mentioned before method (at least to our knowledge base) of distinguishing the real/virtual IPs: looking at the scanned host/s uptime and TCP timestamps. Apparently we were not only able to distinguish that the host's services are in fact running on five different hosts, but also classified the three different groups of operating systems. We think it could be useful and have incorporated it into the report submitted to the tested client, which really impressed their sysadmins since our identification was correct.

In general, adding the functionality of TCP/IP stack comparison and firewall port forwarding rules mapping & virtual/real IP distinguishing to nmap sounds like a good idea. To summarise, the following can be used to perform this function:

- IPIDs
- TCP initial sequence numbers (ISNProber style)
- timestamps / uptime
- OS fingerprint itself / kernel version etc.
- services banners
- TTL per port (Paketto Keiretsu style)
- MAC addresses obtained via ARP requests when on LAN
- supported protocols (-sO, will probably work on LAN only)
- perhaps, average TCP "ping" packet return time for different ports tested (not sure about the reliability of that but was thinking about it after Tony Kapela's presentation on RTT).

There would be a need for a somewhat "fuzzy" engine (a la xprobe) to compare the output of techniques used and give the probabilistic answer.

By the way, ISNProber I've mentioned at Defcon is available for download at ftp://ftp.ubizen.com/tools

Feel free to write us anytime if you find it interesting and need more info.

Luck,
Andrew.

-- 
Dr. Andrew A. Vladimirov
CISSP #34081, CWNA, CCNP/CCDP, TIA Linux+
Security Manager
Arhont Ltd - Information Security.
Web: http://www.arhont.com
Tel: +44 (0)870 44 31337
Fax: +44 (0)1454 201200
GPG: Key ID - 0x1D312310
GPG: Server - gpg.arhont.com
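The timestamp/uptime check from the post above, as an added example that is not code from the post or from nmap: it fits the TCP timestamp clock (TSval against capture time) seen on each forwarded port and groups ports whose clock rate and uptime agree, which is how a defender can audit whether a firewall's port forwards give away how many stacks sit behind one public address. The observation tuples, tick rates and tolerances are constructed assumptions.

```python
"""Group a firewall's forwarded ports by the TCP timestamp clock behind them.

Samples are (port, capture_time_s, tsval) from each port's SYN/ACK TSval option.
Fitting tsval = rate * t + offset per port gives tick rate (an OS class hint)
and uptime; ports whose fitted clocks agree sit on one TCP/IP stack.
"""
from collections import defaultdict

OBSERVATIONS = [  # constructed samples, not a capture from any real network
    (22,   0.0, 1_234_000), (22,   10.0, 1_235_000),   # 100 Hz clock, up 12340 s
    (80,   1.0, 1_234_100), (80,   11.0, 1_235_100),   # same clock as port 22
    (443,  2.0, 5_000_000), (443,  12.0, 5_010_000),   # 1000 Hz clock, up 4998 s
    (25,   3.0,   900_750), (25,   13.0,   903_250),   # 250 Hz clock, up 3600 s
    (8080, 4.0, 5_002_000), (8080, 14.0, 5_012_000),   # same clock as port 443
]

def fit_clock(samples):
    """Least-squares fit of tsval = rate * t + offset for one port's samples."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples per port to fit a clock")
    mean_t = sum(t for t, _ in samples) / n
    mean_v = sum(v for _, v in samples) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in samples)
    sxy = sum((t - mean_t) * (v - mean_v) for t, v in samples)
    rate = sxy / sxx                  # ticks per second (TSval clock frequency)
    offset = mean_v - rate * mean_t   # TSval extrapolated to capture time 0
    return rate, offset

def group_hosts(observations, rate_tol=0.05, uptime_tol_s=2.0):
    """One dict per distinct stack: {'rate': Hz, 'uptime_s': s, 'ports': [...]}.
    Tolerances are assumed values; widen them when RTT jitter is high."""
    by_port = defaultdict(list)
    for port, t, v in observations:
        by_port[port].append((t, v))
    hosts = []
    for port in sorted(by_port):
        rate, offset = fit_clock(by_port[port])
        if rate <= 0:                 # e.g. a stack that sends no TSval / ticks 0
            raise ValueError(f"port {port}: no usable timestamp clock")
        uptime = offset / rate        # seconds the stack had been up at time 0
        for h in hosts:
            if (abs(h["rate"] - rate) / h["rate"] <= rate_tol
                    and abs(h["uptime_s"] - uptime) <= uptime_tol_s):
                h["ports"].append(port)
                break
        else:
            hosts.append({"rate": rate, "uptime_s": uptime, "ports": [port]})
    return hosts
```

With the constructed samples this yields three stacks (ports 22+80, port 25, ports 443+8080) with three different tick rates, matching the five-services/three-OS-groups split the post describes.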