Bugtraq mailing list archives
Re: Crimelabs Paper: Passive System Fingerprinting using Network Client Applications
From: Szilveszter Adam <sziszi () PETRA HOS U-SZEGED HU>
Date: Thu, 18 Jan 2001 10:15:44 +0100
Hello everybody,

I would like to make a couple of comments on this paper. Although generally the point stands that network applications often leak more information about themselves and their environment than would be absolutely necessary, the effectiveness of the techniques presented in the paper is dependent on a couple of things.

First: The admin/user must not be able to alter/remove the ident strings that are sent out by the application. This is the case for most Windows apps, and even where it is possible people usually do not take any measures in this department. So we can move on.

Second: The information displayed must actually be correct. This is when the fun begins. To take a really good example, Pine on most Linux systems *always* sends messages with a Message-Id that contains "LNX", although I think most are using shadow passwords. (In fact I have never seen any other variant for Linux... must be because many install ready-made packages from rpm/debs and the string displays the state of affairs on the compiling rather than on the running machine? Just speculating, I do not use Pine:-)

Also, most mail agents are quite good at rewriting headers if I ask them to, MTAs being other hidden champions of this. If you ever happen to receive a mail from me with a From: header that says root, do not even for a second think that it was actually sent from that account:-)

Also, you do not seem to adequately account for the fact that many people are not running mail servers on their systems. So if you eg see Outlook Express, then fine, you know that the sender machine was running this MUA. But it also makes it more than likely that the email address you found is not actually one on the sending machine but rather one on a big mail server, which may be running anything. You have no knowledge of how mail collection at that site works, so you cannot be sure that your exploit will actually work. (eg a person can make an email enquiry with their browser's email client after clicking on a link but use something else for "normal" mail and may not even be aware of the difference:-) and yes, I have seen a setup like this.)

Also, emulation is (or rather can be) a quite big issue with lesser-known OSs for which not enough native applications exist. Eg there is no Netscape binary of the current release available for any BSD operating system (with BSDi support having been dropped after 4.75), so if you want to use Netscape on any BSD, you have to use emulation. But if you go after the presumably old, 2.0.x kernel based Linux system it reports itself as, you will be in for a surprise:-) But the real kicker is using Wine (Windows emulation package for UNIX) and a Windows-based web browser... (yes, I have done things like this. Sometimes you are forced to, eg if there is not even a Linux port of the sw you need to run.)

For proxies: It is known that there exist proxies that hide your real IP address and cannot be detected in any easy way (because they do not insert an X-Forwarded-IP field). See: http://neworder.box.sk/ in the relevant section for tips. Yes, some of them are slow, but it really rocks when they believe you were coming from some far-away place:-) and users can be made to use these without their knowledge if you configure it centrally. Because of this, the proxy may or may not be local, so you do not necessarily have the entrance to the network either.

Also, web search engines can be helpful for finding vulnerabilities in servers, but to compile lists of target hosts from mailing list archives is fragile... there may not be many live hits from those. (Even for server fingerprinting, some surprises are in the game: eg Walmart was suspected of forging their server signature because at least on one occasion they reported themselves as Microsoft-IIS/4.0 (Unix) mod_ssl/2.6.6 OpenSSL/0.9.5... outright funny:-)

So the point is: although the information may be there, it may already be forged intentionally or otherwise incorrect. Also, the fact that you found eg Mutt does not tell you a lot unless you have a specific exploit... because many of these programs run on many UNIX/UNIX-like systems plus on DOS/Windows. So you do not know a lot. And finally: with all this information you have to go out and do some actual scanning to verify/gather more information, and this is where you can already get caught.

But, yes, even with the above points made, considering the average Windows/Mac user and admin, information leakage can be a cause for many an interesting occurrence... why, at this rate I got the idea for a paper titled: "Utilizing information gleaned from Internet-accessible support pages of various big organizations and institutions in network incidents..." It is at least as interesting a topic as this one:-)

Best to y'all!

--
Regards: Szilveszter ADAM
Szeged University
Szeged Hungary
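As an added example (not part of the original post or of the Crimelabs paper), a small Python audit that an admin can run over their own outgoing mail to see which of the hints discussed above it carries (X-Mailer/User-Agent, the Pine "LNX" build tag in the Message-Id, the asserted From:, and the earliest Received hop) and that attaches to each value the reason it is only advisory; the sample message, hosts and ids are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample message (not from the original post); hosts, ids and
# addresses are placeholders.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id abc123; Thu, 18 Jan 2001 10:15:44 +0100
Received: from desktop.example.net (desktop.example.net [192.0.2.55])
\tby relay.example.net with SMTP id def456; Thu, 18 Jan 2001 10:15:40 +0100
From: root@example.net
Message-Id: <Pine.LNX.4.21.0101181015440.1234-100000@desktop.example.net>
X-Mailer: Pine 4.21 (constructed)
Subject: test

body
"""

PINE_TAG = re.compile(r"<Pine\.([A-Z0-9]+)\.")      # e.g. Pine.LNX.4.21...
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def audit_leaks(raw):
    """Return (header, value, trust note) triples for the client/OS hints a
    message carries. Each note says why the value is only advisory: an MUA
    or MTA can rewrite any of these headers before the mail leaves."""
    msg = message_from_string(raw)
    findings = []
    for hdr in ("X-Mailer", "User-Agent"):
        if msg.get(hdr):
            findings.append((hdr, msg[hdr].strip(),
                             "client-supplied; freely editable by the user"))
    m = PINE_TAG.search(msg.get("Message-Id", ""))
    if m:
        findings.append(("Message-Id", m.group(1),
                         "Pine build tag; describes the compile host, not the running one"))
    frm = msg.get("From", "").strip()
    if frm:
        findings.append(("From", frm, "asserted by the sender; not authenticated"))
    received = msg.get_all("Received") or []
    if received:
        # Each hop prepends a Received header, so the last one is the earliest
        # hop visible to us; unfold the header (join continuation lines) first.
        earliest = " ".join(received[-1].split())
        m = RECEIVED_FROM.match(earliest)
        origin = m.group(1) if m else "?"
        findings.append(("Received", origin,
                         "%d hop(s); earliest host may be a relay, not the MUA host" % len(received)))
    return findings


if __name__ == "__main__":
    for header, value, note in audit_leaks(SAMPLE):
        print("%-10s %-40s %s" % (header, value, note))
```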
Current thread:
- Crimelabs Paper: Passive System Fingerprinting using Network Client Applications jose nazario (Jan 17)
- Re: Crimelabs Paper: Passive System Fingerprinting using Network Client Applications Szilveszter Adam (Jan 18)