Penetration Testing mailing list archives
RE: Identifying Machines
From: Yonatan Bokovza <Yonatan () xpert com>
Date: Tue, 19 Jun 2001 16:57:41 +0300
Two things jumps to my mind: 1. IP_ID changes: if all the (say: UDP) ports are closed you get a reply saying so (ICMP_UDP_PORT_UNREACHABLE). You can check two consecutive packets for IP_ID change and deduct the OS from that. I don't know of any database of IP_ID -> OS, though. 2. NMAP tests 5, 6, 7 and UDP rely on closed ports. See fyodor's article at: http://www.insecure.org/nmap/nmap-fingerprinting-article.html Best Regards, Yonatan Bokovza IT Security Consultant Xpert Systems
-----Original Message----- From: Rick Who Else? [mailto:myworld () hotmail com] Sent: Tuesday, June 19, 2001 03:11 To: PEN-TEST () SECURITYFOCUS COM Subject: Identifying Machines I'm looking for as many ways as possible to identify machines on a network. Considering ICMP is disabled, and all ports on the end machine are closed. Ideas? the more the merrier. This question goes for NT, 2K, and Unix/Unix-like machines. Thanks, Rick _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com
Current thread:
- Identifying Machines Rick Who Else? (Jun 18)
- Re: Identifying Machines Blake Frantz (Jun 19)
- Re: Identifying Machines Don Tansey (Jun 19)
- Re: Identifying Machines Lance Spitzner (Jun 19)
- <Possible follow-ups>
- Re: Identifying Machines Rick Who Else? (Jun 19)
- Re: Identifying Machines Jose Nazario (Jun 19)
- Re: Identifying Machines Crist Clark (Jun 19)
- Re: Identifying Machines Blake Frantz (Jun 20)
- Re: Identifying Machines Ryan Russell (Jun 19)
- RE: Identifying Machines Yonatan Bokovza (Jun 19)
- Re: Identifying Machines Jeremy Sanders (Jun 19)
- Re: Identifying Machines Victor A. Rodriguez (Jun 19)