Dailydave mailing list archives
Re: how to remotely fingerprint 2k3 SP0 vs SP1 ?
From: "Hamid . K" <elite_netbios () yahoo com>
Date: Sun, 19 Jun 2005 21:15:25 -0700 (PDT)
Hi Minds and others, thank you all for supporting the topic with great hints, like the RPC fingerprinting hints which guided me through the mstask.exe UUIDs to look for. Is there any similar comment about COM enumeration? ;p Would be great if Dave revealed his hints :)

regards
Hamid

--- MindsX <mindsx () gmail com> wrote:

Hi Hamid,
Not sure if this is going to help.... but it may be quicker than googling 'enumerate COM' or 'fuzz COM'.... [bottom line.. still haven't had the time to play with it properly so on this topic "I'm no expert"]

http://sourceforge.net/projects/axfuzz/

2 programs... enumeration & fuzzing of COM... from the author...

--CUT--
axenum. (C) Shane Hird 2005
This tool will enumerate every CLSID and attempt to query it for IObjectSafety. Each CLSID that is processed is output to stderr. Objects which support IObjectSafety or contain the "safe" keys are output to stdout. You can start the enumeration at a given CLSID in the event that a given component causes axenum to crash (very likely). You can edit the source to get this tool to call simple methods on every component as it is enumerated to test for other crashing behaviour.

axfuzz (C) Shane Hird
Attempts to set and get all properties of a COM object, and call all methods. It will simply use 0 values or a large "AAAA.." BSTR for the values. You should modify the code to do any other advanced fuzzing. A suggestion is to use a valid filename if the type info indicates a BSTR with the name "*file*".
--CUT--

<daveless>MindsX</daveless>

On 6/11/05, Isaac Dawson <isaac.dawson () gmail com> wrote:

Hamid, it's very easy! Go to www.immunitysec.com and click on Products -> Canvas. Then call Dave and buy it. :D
-Isaac

On 6/11/05, Hamid . K <elite_netbios () yahoo com> wrote:

wow! so much useful information, thank you all for supporting me, especially Rich and Jean :> The time I found that some RPC ports are open on systems, the same idea came across my mind but I had no idea what to do/where to begin. I had the SecurityFriday PoC but, to be honest, never completely reviewed their paper :p and thank you Jean for the scheduling service hint, which will save me time. And, Dave, can you explain more about fingerprinting based on COM objects? Any hint/paper/reference to review?

regards
-Hamid

--- Dave Aitel <dave () immunitysec com> wrote:

One thing CANVAS does to determine random things is fingerprint COM objects present on remote systems. This can often tell you if a certain software package is available or not. I haven't seen anyone else do this yet, but it's not that hard...
-dave

Rich Smith wrote:

Cheers for the explanation for the lack of mstask.exe UUIDs in 2k3 SP1 and the links :) It was Urity's presentation which set me off down the road of looking at/implementing RPC fingerprinting in the first place :), after the presentation I thought more people would investigate the technique....... doesn't seem like many people have, however I find it quite a useful technique in many situations.
--Rich--

On Fri, 2005-06-10 at 11:37 +0200, Jean-Baptiste Marchand wrote:

* Rich Smith <richard.j.smith () hp com> [10/06/05 - 10:16]:
-- SP1 does not show endpoint UUID data for the mstask.exe whereas SP0 has quite a number of entries (typically 20+).

Right, in Windows Server 2003 SP1, the Task Scheduler service (mstask.exe process) does not register its RPC services on the ncacn_ip_tcp transport but only on the ncacn_np transport (\pipe\atsvc):

http://www.hsc.fr/ressources/articles/win_net_srv/ch04s09s02.html
http://www.hsc.fr/ressources/breves/min_w2k3_net_srv.html.en

Urity gave in 2004 a presentation on the subject of fingerprinting systems looking at registered RPC interfaces, you might be interested in looking at the RpcScan tool and the related presentation:

http://www.securityfriday.com/tools/RpcScan.html

Jean-Baptiste Marchand
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
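The transport difference Jean-Baptiste describes (Task Scheduler registered on ncacn_ip_tcp on 2003 SP0, on \pipe\atsvc only on SP1) can be checked from an endpoint-mapper dump when auditing one's own hosts. This is an added example, not a tool from the thread: the dump format is constructed, and the atsvc interface UUID is assumed from public MS-TSCH documentation rather than taken from the page.

```python
"""Classify a host's Task Scheduler RPC exposure from an endpoint-map dump.
Added example; constructed input format 'uuid version transport endpoint'."""
from collections import defaultdict

# Assumed (not on the page): the Task Scheduler (atsvc) RPC interface UUID.
ATSVC_UUID = "1ff70682-0a51-30e8-076d-740be8cee98b"


def parse_endpoint_dump(text):
    """Map interface UUID -> set of (transport, endpoint) from dump lines."""
    interfaces = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        uuid, _version, transport, endpoint = line.split(None, 3)
        interfaces[uuid.lower()].add((transport, endpoint))
    return interfaces


def task_scheduler_exposure(interfaces):
    """Return (verdict, tcp_endpoints, np_endpoints) for the atsvc interface."""
    binds = interfaces.get(ATSVC_UUID, set())
    tcp = sorted(ep for tr, ep in binds if tr == "ncacn_ip_tcp")
    np_ = sorted(ep for tr, ep in binds if tr == "ncacn_np")
    if tcp:  # reachable over TCP: the SP0 behaviour the thread describes
        verdict = "atsvc reachable over TCP (consistent with 2003 SP0)"
    elif np_:  # named pipe only: the SP1 behaviour
        verdict = "atsvc on named pipe only (consistent with 2003 SP1)"
    else:
        verdict = "atsvc not registered with the endpoint mapper"
    return verdict, tcp, np_


# Constructed sample dumps (not real captures).
SP0_LIKE_DUMP = """
# uuid version transport endpoint
1ff70682-0a51-30e8-076d-740be8cee98b 1.0 ncacn_ip_tcp 1025
1ff70682-0a51-30e8-076d-740be8cee98b 1.0 ncacn_np \\pipe\\atsvc
"""
SP1_LIKE_DUMP = """
1ff70682-0a51-30e8-076d-740be8cee98b 1.0 ncacn_np \\pipe\\atsvc
"""

if __name__ == "__main__":
    for name, dump in (("SP0-like", SP0_LIKE_DUMP), ("SP1-like", SP1_LIKE_DUMP)):
        verdict, tcp, np_ = task_scheduler_exposure(parse_endpoint_dump(dump))
        print(f"{name}: {verdict}; tcp={tcp} np={np_}")
```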