Dailydave mailing list archives
Re: how to remotely fingerprint 2k3 SP0 vs SP1 ?
From: MindsX <mindsx () gmail com>
Date: Sun, 12 Jun 2005 23:28:01 +0100
Hi Hamid,

Not sure if this is going to help.... but it may be quicker than googling 'enumerate COM' or 'fuzz COM'.... [bottom line.. still haven't had the time to play with it properly so on this topic "I'm no expert"]

http://sourceforge.net/projects/axfuzz/

2 programs... enumeration & fuzzing of COM... from the author...

--CUT--
axenum. (C) Shane Hird 2005

This tool will enumerate every CLSID and attempt to query it for IObjectSafety. Each CLSID that is processed is output to stderr. Objects which support IObjectSafety or contain the "safe" keys are output to stdout. You can start the enumeration at a given CLSID in the event that a given component causes axenum to crash (very likely). You can edit the source to get this tool to call a simple method on every component as it is enumerated to test for other crashing behaviour.

axfuzz (C) Shane Hird

Attempts to set and get all properties of a COM object, and call all methods. It will simply use 0 values or a large "AAAA.." BSTR for the values. You should modify the code to do any other advanced fuzzing. A suggestion is to use a valid filename if the type info indicates a BSTR with the name "*file*".
--CUT--

<daveless>MindsX</daveless>

On 6/11/05, Isaac Dawson <isaac.dawson () gmail com> wrote:

Hamid, it's very easy! Go to www.immunitysec.com and click on Products -> Canvas. Then call Dave and buy it. :D

-Isaac

On 6/11/05, Hamid . K <elite_netbios () yahoo com> wrote:

Wow! So much useful information. Thank you all for supporting me, especially Rich and Jean :>

The time I found that some RPC ports are open on systems, the same idea came across my mind but I had no idea what to do/where to begin. I had the SecurityFriday PoC but to be honest never completely reviewed their paper :p and thank you Jean for the scheduling service hint, which will save me time.

And, Dave, can you explain more about fingerprinting based on COM objects? Any hint/paper/reference to review?

regards
-Hamid

--- Dave Aitel <dave () immunitysec com> wrote:

One thing CANVAS does to determine random things is fingerprint COM objects present on remote systems. This can often tell you if a certain software package is available or not. I haven't seen anyone else do this yet, but it's not that hard...

-dave

Rich Smith wrote:

Cheers for the explanation for the lack of mstask.exe UUIDs in 2k3 SP1 and the links :) It was Urity's presentation which set me off down the road of looking at/implementing RPC fingerprinting in the first place :), after the presentation I thought more people would investigate the technique.......doesn't seem like many people have, however I find it quite a useful technique in many situations.

--Rich--

On Fri, 2005-06-10 at 11:37 +0200, Jean-Baptiste Marchand wrote:

* Rich Smith <richard.j.smith () hp com> [10/06/05 - 10:16]:
-- SP1 does not show endpoint UUID data for the mstask.exe whereas SP0 has quite a number of entries (typically 20+).

Right, in Windows Server 2003 SP1, the Task Scheduler service (mstask.exe process) does not register its RPC services on the ncacn_ip_tcp transport but only on the ncacn_np transport (\pipe\atsvc):

http://www.hsc.fr/ressources/articles/win_net_srv/ch04s09s02.html
http://www.hsc.fr/ressources/breves/min_w2k3_net_srv.html.en

Urity gave in 2004 a presentation on the subject of fingerprinting systems looking at registered RPC interfaces; you might be interested in looking at the RpcScan tool and the related presentation:

http://www.securityfriday.com/tools/RpcScan.html

Jean-Baptiste Marchand

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
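As an added example (not code from the thread, from RpcScan or from CANVAS), the check Jean-Baptiste describes above, applied to a constructed endpoint-mapper style listing: is the Task Scheduler interface registered over ncacn_ip_tcp, or only over the named pipe? The listing format is an assumption, and the atsvc interface UUID is quoted from memory of the public MS-TSCH specification rather than from the thread, so verify it before relying on it.

```python
import re

# Interface UUID of the Task Scheduler (atsvc) RPC interface. Quoted from
# memory of the public MS-TSCH specification, not from the thread: verify it.
ATSVC_UUID = "1ff70682-0a51-30e8-076d-740be8cee98b"

# Assumed listing format, one registered endpoint per line:
#   <interface uuid> v<major.minor> <protocol sequence> <endpoint>
LINE_RE = re.compile(r"^([0-9a-f-]{36})\s+v(\d+\.\d+)\s+(\S+)\s+(\S+)$", re.I)

# Constructed samples (not real scan output). SP0-style: atsvc over TCP and
# the pipe; SP1-style: pipe only. The second UUID is filler.
SP0_SAMPLE = r"""
1ff70682-0a51-30e8-076d-740be8cee98b v1.0 ncacn_ip_tcp 1025
1ff70682-0a51-30e8-076d-740be8cee98b v1.0 ncacn_np \pipe\atsvc
00000000-0000-0000-0000-00000000cafe v1.0 ncacn_np \pipe\filler
"""
SP1_SAMPLE = r"""
1ff70682-0a51-30e8-076d-740be8cee98b v1.0 ncacn_np \pipe\atsvc
00000000-0000-0000-0000-00000000cafe v1.0 ncacn_np \pipe\filler
"""

def parse_endpoints(text):
    """Parse listing lines into (uuid, version, protseq, endpoint) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised endpoint line: %r" % line)
        uuid, ver, protseq, endpoint = m.groups()
        entries.append((uuid.lower(), ver, protseq, endpoint))
    return entries

def transports_for(entries, uuid):
    """Sorted protocol sequences on which the given interface is registered."""
    return sorted({e[2] for e in entries if e[0] == uuid.lower()})

def classify_task_scheduler(entries):
    """'tcp' if atsvc is reachable over ncacn_ip_tcp (the SP0 picture above),
    'np-only' if it is registered only on named pipes (the SP1 picture),
    'absent' if not registered at all. Absence is a hint, not proof: the
    service may simply be stopped or the endpoint mapper filtered."""
    protseqs = transports_for(entries, ATSVC_UUID)
    if not protseqs:
        return "absent"
    return "tcp" if "ncacn_ip_tcp" in protseqs else "np-only"
```

The same check is useful from the defending side: running it over your own hosts' endpoint listings shows which of them still expose the scheduler interface over TCP at all.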