Nmap Development mailing list archives

Some thoughts from Defcon ...


From: "Andrew A. Vladimirov" <andrew () arhont com>
Date: Thu, 14 Aug 2003 18:08:40 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

we talked at Defcon about stack fingerprinting, mapping firewall port
forwarding rules and distinguishing the virtual IPs from the real hosts.
As it was happening, our guys back in the UK were running a pentest and,
while doing the tested network recon, found a very obvious but not
previously mentioned method (at least to our knowledge base) of
distinguishing the real/virtual IPs: looking at the scanned host(s)'
uptime and TCP timestamps. Apparently we were not only able to
determine that the host's services are in fact running on five
different hosts, but also to classify them into three different groups of
operating systems.


We think it could be useful and have incorporated it into the report
submitted to the tested client, which really impressed their sysadmins
since our identification was correct. In general, adding the
functionality of TCP/IP stack comparison, firewall port forwarding
rules mapping and virtual/real IP distinguishing to nmap sounds like a
good idea.

To summarise, the following can be used to perform this function:

- IPIDs
- TCP initial sequence numbers (ISNProber style)
- timestamps / uptime
- OS fingerprint itself / kernel version etc.
- service banners
- TTL per port (Paketto Keiretsu style)
- MAC addresses obtained via ARP requests when on the LAN
- supported protocols (-sO, will probably work on the LAN only)
- perhaps, average TCP "ping" packet return time for the different ports
tested (not sure about the reliability of that, but I was thinking about it
after Tony Kapela's presentation on RTT).

There would be a need for a somewhat "fuzzy" engine (a la xprobe) to
compare the output of techniques used and give the probabilistic answer.

By the way, ISNProber I've mentioned at Defcon is available for download
at ftp://ftp.ubizen.com/tools

Feel free to write us anytime if you find it interesting and need more info.

Luck,

Andrew.

--
Dr. Andrew A. Vladimirov
CISSP #34081, CWNA, CCNP/CCDP, TIA Linux+
Security Manager
Arhont Ltd - Information Security.

Web: http://www.arhont.com
Tel: +44 (0)870 44 31337
Fax: +44 (0)1454 201200
GPG: Key ID - 0x1D312310
GPG: Server - gpg.arhont.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/O9AolOHkKR0xIxARAv0gAJ4jj001Mzz9IYe1oi/DL33LwaJqXwCdEQ2x
lVRh3Nlh698DAkRpbxsiHOo=
=JFlb
-----END PGP SIGNATURE-----
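The timestamps/uptime and TTL-per-port items from the list above, worked through in Python as an added example (this is not code from the original post, from Arhont or from nmap). It assumes the scanner has already collected a few timed SYN/ACK observations per open port (the `Probe` records); the observations below are constructed, not captured, the host parameters (clock rates, boot offsets, TTLs) are invented for illustration, and the tolerances `boot_tol` and `rate_tol` are assumptions a real run would tune. The idea is that each backend host has its own TCP timestamp clock: from two or more responses per port you can estimate the clock rate and the time at which the counter read zero (roughly the boot time), and ports whose estimates agree are very likely served by the same machine.

```python
"""Group a scanned IP's open ports into distinct backend hosts from the
TCP timestamp clock and the IP TTL seen in each port's SYN/ACK.

Added example, not code from the original post or from nmap.  Every
observation below is constructed, not captured: a real run would fill
`Probe` records from the SYN/ACKs of a few timed probes per port.
"""
from dataclasses import dataclass
from itertools import groupby
from typing import Optional


@dataclass
class Probe:
    port: int
    t: float               # capture time on the scanner's clock, seconds
    tsval: Optional[int]   # TCP timestamp option (TSval) in the SYN/ACK, None if absent
    ttl: int               # IP TTL as received


def ts_rate(probes):
    """Peer's timestamp clock in ticks per second, by least squares over (t, tsval)."""
    n = len(probes)
    mt = sum(p.t for p in probes) / n
    mv = sum(p.tsval for p in probes) / n
    num = sum((p.t - mt) * (p.tsval - mv) for p in probes)
    den = sum((p.t - mt) ** 2 for p in probes)
    return num / den


def boot_time(probes, rate):
    """Scanner-clock time at which the peer's TSval counter read zero (roughly its boot)."""
    return sum(p.t - p.tsval / rate for p in probes) / len(probes)


def port_profiles(observations):
    """Return ({port: (rate, boot, ttl)}, [ports whose SYN/ACK carried no timestamp])."""
    profiles, no_ts = {}, []
    by_port = sorted(observations, key=lambda p: p.port)
    for port, group in groupby(by_port, key=lambda p: p.port):
        g = list(group)
        if any(p.tsval is None for p in g):
            no_ts.append(port)          # cannot place this port by uptime
            continue
        if len(g) < 2:
            raise ValueError(f"port {port}: need at least two timed probes")
        rate = ts_rate(g)
        profiles[port] = (rate, boot_time(g, rate), g[0].ttl)
    return profiles, no_ts


def cluster_hosts(profiles, boot_tol=2.0, rate_tol=0.05):
    """Greedily merge ports whose TTL matches and whose clock rate (relative) and
    boot-time estimate (seconds) agree within tolerance; each cluster is one host.
    The tolerances are assumptions, not measured values."""
    hosts = []
    for port, (rate, boot, ttl) in sorted(profiles.items()):
        for h in hosts:
            if (h["ttl"] == ttl
                    and abs(rate - h["rate"]) / h["rate"] <= rate_tol
                    and abs(boot - h["boot"]) <= boot_tol):
                h["ports"].append(port)
                break
        else:
            hosts.append({"rate": rate, "boot": boot, "ttl": ttl, "ports": [port]})
    return hosts


def synth(port, rate, boot, ttl, times):
    """Constructed SYN/ACK observations for a host whose TSval clock started at `boot`."""
    return [Probe(port, t, round((t - boot) * rate), ttl) for t in times]


# Constructed scenario: one public IP, five ports, three real machines behind it.
SAMPLE = (
    synth(22, 100, -86400.0, 57, [0.0, 0.5, 1.0, 1.5])        # host A, up ~1 day, 100 Hz clock
    + synth(80, 100, -86400.0, 57, [0.1, 0.6, 1.1, 1.6])      # same clock and TTL as port 22
    + synth(443, 1000, -3600.25, 57, [0.2, 0.7, 1.2, 1.7])    # host B, same TTL but 1 kHz clock
    + synth(25, 100, -200000.0, 121, [0.3, 0.8, 1.3, 1.8])    # host C, different uptime and TTL
    + [Probe(53, 0.4, None, 121)]                              # no timestamp option: left unclustered
)


def report(observations=SAMPLE):
    """Cluster the observations; returns (hosts, ports_without_timestamps)."""
    profiles, no_ts = port_profiles(observations)
    return cluster_hosts(profiles), no_ts


if __name__ == "__main__":
    hosts, no_ts = report()
    for i, h in enumerate(hosts, 1):
        print(f"host {i}: ports {h['ports']} ttl={h['ttl']} "
              f"clock={h['rate']:.0f} Hz uptime~{-h['boot']:.0f}s")
    print("no TSval, not clustered:", no_ts)
```

Two practical caveats: the clock rate has to be estimated per port rather than assumed, because different stacks tick at different rates and a port with a 1 kHz clock can never share a machine with one ticking at 100 Hz, whatever the boot estimates say; and TTL agreement is only a weak confirmation, since two distinct machines at the same hop distance will show the same TTL, which is why the example treats TTL as a filter and the uptime estimate as the real discriminator.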



---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


