Re: how to remotely fingerprint 2k3 SP0 vs SP1 ?

["Hamid . K" <elite_netbios () yahoo com>]

Hi Minds and others ,

thank you all for supporting the topic by great hints.
like the RPC fingerprinting hints which guided me
through mstask.exe UUIS`s to look for ,
is there any alike comment about COM enumeration ? ;p

would be gread if Dave reveal his hints :)


regards

Hamid


--- MindsX <mindsx () gmail com> wrote:

> Hi Hamid,
>
> Not sure if this is going to help.... but it may be
> quicker than
> googling 'enumerate COM' or 'fuzz COM'.... [ bottom
> line.. still
> haven't had the time to play with it properly so on
> this topic "I'm no
> expert"]
>
> http://sourceforge.net/projects/axfuzz/
>
> 2 programs... enumeration & fuzzing of COM... from
> the author...
>
>
> --CUT--
> axenum. (C) Shane Hird 2005
>
> This tool will enumerate every CLSID and attempt to
> query it for IObjectSafety.
> Each CLSID that is processed it output to stderr.
> Objects which suport IObjectSafety or contain the
> "safe" keys are
> output to stdout.
> You can start the enumeration at a given CLSID in
> the event that a
> given component causes axenum to crash (very
> likely).
> You can edit the source to get this tool to call
> simple method on
> every component as it is enumerated to test for
> other crashing
> behaviour.
>
> axfuzz (C) Shane Hird
>
> Attempts to set and get all properties of a COM
> object, and call all methods.
> It will simply use 0 values or a large "AAAA.." BSTR
> for the values.
> You should modify the code to do any other advanced
> fuzzing. A
> suggestion is to use a valid filename if the type
> info indicates a
> BSTR with the name "*file*".
>
> --CUT--
>
> <daveless>MindsX</daveless>
>
> On 6/11/05, Isaac Dawson <isaac.dawson () gmail com>
> wrote:
> > Hamid, it's very easy! go to www.immunitysec.com
> and click on products
> > -> Canvas. Then call dave and buy it. :D
> > -Isaac
> >
> > On 6/11/05, Hamid . K <elite_netbios () yahoo com>
> wrote:
> > > wow !
> > > so much usefull information ,
> > > Thank you all , for supporting me
> > > specially Rich and Jean :>
> > >
> > > The time I found that some RPC ports are open
> > > on systems , the same idea came across my mind
> > > but had no idea what to to/where to begin.
> > > I had the secuityFriday PoC but to be honest
> never
> > > completely reviewd their paper :p
> > > and thank you Jean for scheduling service hint
> > > which will save me time .
> > >
> > > and , Dave
> > > Can you explain more about fingerprinting based
> on
> > > COM ojects ? any hint/paper/refrence to review ?
> > >
> > > regards
> > > -Hamid
> > >
> > >
> > > --- Dave Aitel <dave () immunitysec com> wrote:
> > >
> > > > One thing CANVAS does to determine random
> things is
> > > > fingerprint COM
> > > > objects present on remote systems. This can
> often
> > > > tell you if a certain
> > > > software package is available or not. I
> haven't seen
> > > > anyone else do this
> > > > yet, but it's not that hard...
> > > >
> > > > -dave
> > > >
> > > >
> > > > Rich Smith wrote:
> > > >
> > > > > Cheers for the explanation for the lack
> mstask.exe
> > > > UUID's in 2k3 SP1 and
> > > > > the links :)
> > > > >
> > > > > It was Urity's presentation which set me off
> down
> > > > the road of looking
> > > > > at/implementing RPC fingerprinting in the
> first
> > > > place :), after the
> > > > > presentation I thought more people would
> > > > investigate the
> > > > > technique.......doesn't seem like many people
> have,
> > > > however I find it
> > > > > quite a useful technique in many situations.
> > > > >
> > > > > --Rich--
> > > > >
> > > > > On Fri, 2005-06-10 at 11:37 +0200,
> Jean-Baptiste
> > > > Marchand wrote:
> > > > > > * Rich Smith <richard.j.smith () hp com>
> [10/06/05 -
> > > > 10:16]:
> > > > > > > -- SP1 does not show endpoint UUID data for
> the
> > > > mstask.exe whereas SP0
> > > > > > > has quite a number of entries (typically
> 20+).
> > > > > > >
> > > > > > Right, in Windows Server 2003 SP1, the Task
> > > > Scheduler service
> > > > > > (mstask.exe process) does not register its
> RPC
> > > > services on the
> > > > > > ncacn_ip_tcp transport but only on the
> ncacn_np
> > > > transport (\pipe\atsvc):
> > > > > >
>
> > http://www.hsc.fr/ressources/articles/win_net_srv/ch04s09s02.html
> > > > > >
>
> > http://www.hsc.fr/ressources/breves/min_w2k3_net_srv.html.en
> > > > > > Urity gave in 2004 a presentation on the
> subject
> > > > of fingerprinting systems
> > > > > > looking at registered RPC interfaces, you
> might be
> > > > interested in looking
> > > > > > at the RpcScan tool and the related
> presentation:
> > > > > >
> > > http://www.securityfriday.com/tools/RpcScan.html
> > > > > > Jean-Baptiste Marchand
> _______________________________________________
> > > > Dailydave mailing list
> > > > Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
> > > >
> __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam?  Yahoo! Mail has the best spam
> protection around
> > > http://mail.yahoo.com
> > > _______________________________________________
> > > Dailydave mailing list
> > > Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
> > >
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
> >
=== message truncated ===


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave