Penetration Testing mailing list archives

RE: Identifying Machines


From: Yonatan Bokovza <Yonatan () xpert com>
Date: Tue, 19 Jun 2001 16:57:41 +0300

Two things jump to my mind:
1. IP_ID changes: if all the (say: UDP) ports are closed
you get a reply saying so (ICMP_UDP_PORT_UNREACHABLE).
You can check two consecutive packets for IP_ID change and
deduce the OS from that. I don't know of any database of
IP_ID -> OS, though.
2. NMAP tests 5, 6, 7 and UDP rely on closed ports. See fyodor's
article at: 
http://www.insecure.org/nmap/nmap-fingerprinting-article.html

Best Regards, 

Yonatan Bokovza
IT Security Consultant
Xpert Systems

-----Original Message-----
From: Rick Who Else? [mailto:myworld () hotmail com]
Sent: Tuesday, June 19, 2001 03:11
To: PEN-TEST () SECURITYFOCUS COM
Subject: Identifying Machines



I'm looking for as many ways as possible to identify machines 
on a network. 
Considering ICMP is disabled, and all ports on the end 
machine are closed.


Ideas? the more the merrier.

This question goes for NT, 2K, and Unix/Unix-like machines.

Thanks,
Rick
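
The IP_ID comparison from point 1 of the reply, as an added example that is not part of the original messages: it labels how a host's IPv4 Identification field changes across consecutive replies that have already been captured. The label names, the 255 step threshold and the sample values are assumptions constructed for illustration, and no label-to-OS mapping is implied.

```python
import struct

def swap16(value):
    """Byte-swap a 16-bit value (for stacks that emit IP_ID in host order)."""
    return struct.unpack("<H", struct.pack(">H", value))[0]

def deltas(ids):
    """Differences between consecutive IDs, modulo 2**16 so wrap-around works."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def classify_ipid(ids, max_step=255):
    """Label the IP_ID behaviour seen in consecutive replies from one host.

    max_step stays below 256 so a byte-swapped counter (wire delta >= 256)
    is never mistaken for a plain one. Labels are this example's own.
    """
    if len(ids) < 2:
        raise ValueError("need at least two consecutive replies")
    if any(not 0 <= v <= 0xFFFF for v in ids):
        raise ValueError("IP_ID is a 16-bit field")
    if all(v == 0 for v in ids):
        return "zero"
    if len(set(ids)) == 1:
        return "constant"
    if all(0 < d <= max_step for d in deltas(ids)):
        return "incremental"
    if all(0 < d <= max_step for d in deltas([swap16(v) for v in ids])):
        return "incremental-byteswapped"
    return "irregular"

# Constructed sample values, not taken from any real capture.
SAMPLES = {
    "wraps past 65535": [65533, 65534, 65535, 0, 2],
    "little-endian counter": [0xFE00, 0xFF00, 0x0001, 0x0101],
    "always zero": [0, 0, 0],
    "no pattern": [0x3A91, 0x0C07, 0xE4B2, 0x5D10],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        print(f"{name}: {classify_ipid(ids)}")
```

With only two replies there is a single delta to judge, so a longer run of replies gives a more trustworthy label.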


