Dailydave mailing list archives

Re: how to remotely fingerprint 2k3 SP0 vs SP1 ?


From: Rich Smith <richard.j.smith () hp com>
Date: Wed, 08 Jun 2005 17:36:01 +0100

Hi there,
        Another way is differences in the 'RPC fingerprint' of the systems.
I've found that 2K3 SP0 and SP1 differ in a few ways wrt their
advertised RPC interfaces:-

-- SP1 has a UUID that appears in its RPC tower data which does not
appear in SP0 boxen:

<snip>
 Tower: 1
        Floor: 1     UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 ver 1.0
                     Annotation: DHCP Client LRPC Endpoint
        Floor: 4     Transport: ncalrpc (0x10)
                     Data: dhcpcsvc
and
 Tower: 32
        Floor: 1     UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 ver 1.0
                     Annotation: DHCP Client LRPC Endpoint
        Floor: 4     Transport: ncalrpc (0x10)
                     Data: DNSResolver
</snip>
(although now and again the DNSResolver entry does not appear - not sure
why ??)

-- SP1 does not show endpoint UUID data for the mstask.exe whereas SP0
has quite a number of entries (typically 20+).

-- SP0 has tower data entries for UUIDs that appear in both SP0 and
SP1, but in SP0 the same UUIDs have an additional entry with the
transport combinations of ncacn_ip_tcp and ncacn_ip:

<snip>
 Tower: 26
         Floor: 1     UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f ver 1.0
                      Annotation: mstask.exe
         Floor: 4     Transport: ncacn_ip_tcp (0x07)
                      Port 1025
         Floor: 5     Transport: ncacn_ip (0x09)
                      IP addr: 10.0.0.40
</snip>
This same pattern occurs for UUIDs 0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
ver 1.0 and 1ff70682-0a51-30e8-076d-740be8cee98b ver 1.0 in addition to
the UUID shown above.


This is what I have found to be true for all the systems I have been
able to test, however the total number of systems tested is still quite
low. Would be good to hear if the above works for other people testing
their 2K3 systems and if it doesn't work then what did I get wrong :)

Cheers
Rich
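The three observations above can be turned into a repeatable check against an endpoint-mapper dump, so that anyone testing their own 2K3 hosts can see which of the patterns a given box exhibits instead of reading towers by hand. The following is an added example, not code from the post or from any tool it mentions: it parses the tower/floor layout exactly as quoted above, counts the indicators Rich lists (the DHCP Client UUID, the number of mstask.exe towers, and the ncacn_ip_tcp plus ncacn_ip pairing for the three named UUIDs), and reports a verdict. The sample dumps embedded in it are constructed from the snippets in the post, and the decision rule (all three indicators must agree, otherwise "inconclusive") is an assumption chosen to match the post's caveat that the sample size is small.

```python
import re

# Indicator values as quoted in the post.
DHCP_CLIENT_UUID = "3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5"  # seen on SP1, absent on SP0
SP0_TCP_UUIDS = {                                          # SP0 adds an ncacn_ip_tcp + ncacn_ip tower
    "378e52b0-c0a9-11cf-822d-00aa0051e40f",
    "0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53",
    "1ff70682-0a51-30e8-076d-740be8cee98b",
}

TOWER_RE = re.compile(r"^\s*Tower:\s*(\d+)")
UUID_RE = re.compile(r"UUID:\s*([0-9a-fA-F-]{36})")
ANNOT_RE = re.compile(r"Annotation:\s*(.*\S)")
TRANSPORT_RE = re.compile(r"Transport:\s*(\S+)")

# Constructed sample dumps in the layout quoted in the post (not real captures).
SAMPLE_SP0 = """\
 Tower: 26
         Floor: 1     UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f ver 1.0
                      Annotation: mstask.exe
         Floor: 4     Transport: ncacn_ip_tcp (0x07)
                      Port 1025
         Floor: 5     Transport: ncacn_ip (0x09)
                      IP addr: 10.0.0.40
 Tower: 27
         Floor: 1     UUID: 378e52b0-c0a9-11cf-822d-00aa0051e40f ver 1.0
                      Annotation: mstask.exe
         Floor: 4     Transport: ncalrpc (0x10)
                      Data: example_lrpc_endpoint
"""

SAMPLE_SP1 = """\
 Tower: 1
        Floor: 1     UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 ver 1.0
                     Annotation: DHCP Client LRPC Endpoint
        Floor: 4     Transport: ncalrpc (0x10)
                     Data: dhcpcsvc
 Tower: 32
        Floor: 1     UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5 ver 1.0
                     Annotation: DHCP Client LRPC Endpoint
        Floor: 4     Transport: ncalrpc (0x10)
                     Data: DNSResolver
"""


def parse_towers(dump):
    """Split an endpoint-mapper dump into one record per Tower block."""
    towers, cur = [], None
    for line in dump.splitlines():
        m = TOWER_RE.match(line)
        if m:
            cur = {"tower": int(m.group(1)), "uuid": None, "annotation": "", "transports": []}
            towers.append(cur)
            continue
        if cur is None:
            continue  # ignore anything before the first Tower line
        if (m := UUID_RE.search(line)):
            cur["uuid"] = m.group(1).lower()
        elif (m := ANNOT_RE.search(line)):
            cur["annotation"] = m.group(1)
        elif (m := TRANSPORT_RE.search(line)):
            cur["transports"].append(m.group(1))
    return towers


def check_indicators(towers):
    """Evaluate the three SP0/SP1 indicators from the post over parsed towers."""
    has_dhcp = any(t["uuid"] == DHCP_CLIENT_UUID for t in towers)
    mstask = sum(1 for t in towers if t["annotation"].lower() == "mstask.exe")
    # A tower for one of the listed UUIDs carrying both ncacn_ip_tcp and ncacn_ip floors.
    pairs = sorted({t["uuid"] for t in towers
                    if t["uuid"] in SP0_TCP_UUIDS
                    and "ncacn_ip_tcp" in t["transports"]
                    and "ncacn_ip" in t["transports"]})
    if has_dhcp and mstask == 0 and not pairs:
        verdict = "SP1-like"
    elif not has_dhcp and mstask > 0 and pairs:
        verdict = "SP0-like"
    else:
        verdict = "inconclusive"  # indicators disagree; do not guess
    return {"dhcp_client_uuid_present": has_dhcp, "mstask_towers": mstask,
            "tcp_ip_pair_uuids": pairs, "verdict": verdict}


if __name__ == "__main__":
    for name, dump in (("SP0 sample", SAMPLE_SP0), ("SP1 sample", SAMPLE_SP1)):
        print(name, check_indicators(parse_towers(dump)))
```

Feed it the text of a real dump instead of the constructed samples to see how a host lines up against the post's observations; an "inconclusive" result is the expected outcome whenever only some of the indicators are present, which is exactly the case the DNSResolver remark hints at.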


On Mon, 2005-06-06 at 15:54 -0700, Hamid . K wrote:
Thanks for the useful hint.

I did some exercises (using hping and manually comparing results),
but as a first try it was still boring and disappointing to do it
manually.
Later I came across "RING", provided as a PoC, and am still
playing with it. BTW, any new tool based on the RING
methodology?

Aside from the RTT technique, is there any other reliable
technique?
Consider both Daveless and Daved stuff ;p

Hamid

--- Tod Beardsley <todb () planb-security net> wrote:

Hamid . K wrote:
is there anyway to remotely guess SP version of
running host ?

Specific to Dave's stuff, or just in general? In the latter case,
yes. Just use TCP RTT timing.

-tod




_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
-- 
Rich Smith

Hewlett Packard Labs
Trusted Systems Laboratory
