Nmap Development mailing list archives

Re: Uniquely identifying an Nmap install from NSE?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Fri, 7 Aug 2009 22:36:46 +0000


On Fri, 07 Aug 2009 17:31:09 -0500
Ron <ron () skullsecurity net> wrote:

> On 08/07/2009 05:19 PM, Brandon Enright wrote:
>> What about stealing one from the Conficker playbook and using the
>> current week as a source of entropy.
>>
>> Something like svcname = hash(localip + localmac + remoteip + week)
>>
>> Still not much entropy but certainly raising the bar above just MAC.
>>
>> Brandon
>
> I don't think including the week or remoteip would make a
> considerable difference, since they're going to be known to the
> attacker. But hashing the localip and localmac together is a good
> idea, it'd create a significantly more difficult bruteforce.
>
> Ron


It further occurs to me that we don't need a collision-free hash.  In
fact, if we hashed to, say, 32 bits, then we'd almost certainly be
collision free even with 300+ people banging on the same machine while,
at the same time, not providing enough uniqueness in the hash to
actually brute force.

That is,

If you truncate a hash to 32 bits, as long as the domain of input
greatly exceeds the domain of output then you can't be sure that you
cracked to the actual original input of the hash.

The question becomes, how many bits do we want?  I think we should
design for up to 100 people hitting the machine at the same time, with
a less than 1% chance that there will be any collisions in the
resulting hash.

Anybody feel like popping this into the binomial theorem to compute what
we should truncate to?

Brandon

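As an added worked example, not code from the thread and not Nmap's own NSE code, the Python below answers the two questions raised above: what a truncated hash of the proposed fields (localip, localmac, remoteip, week) looks like, and how many bits of truncation keep the collision probability for 100 (or 300) simultaneous users below 1%. The collision probability is the exact birthday bound, 1 - prod(1 - i/2^b), which is what the binomial-style calculation asked for reduces to. The field order, the "|" separator, SHA-1 as the hash and the ISO week number as "week" are assumptions of this example; the expected-preimage helper only illustrates the point that a truncated output cannot be inverted to a unique input.

```python
import hashlib
import math
import datetime


def collision_probability(n, bits):
    """Exact probability that at least two of n uniformly distributed
    values in a space of 2**bits collide (the birthday bound).
    Computed in log space as 1 - prod_{i<n} (1 - i/2**bits)."""
    space = 2 ** bits
    if n > space:
        return 1.0  # pigeonhole: a collision is certain
    log_no_collision = 0.0
    for i in range(n):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def min_bits_for(n, max_probability):
    """Smallest truncation width (bits) such that n simultaneous users
    collide with probability strictly below max_probability."""
    bits = 1
    while collision_probability(n, bits) >= max_probability:
        bits += 1
    return bits


def expected_preimages(unknown_input_bits, output_bits):
    """How many candidate inputs map to each truncated tag, on average,
    when an attacker already knows everything but `unknown_input_bits`
    of the input. Above 1, a brute force cannot tell which candidate
    produced the tag (the point made about truncation in the thread)."""
    return 2 ** max(unknown_input_bits - output_bits, 0)


def iso_week(year, month, day):
    """ISO-8601 week number; assumed here as the 'week' field."""
    return datetime.date(year, month, day).isocalendar()[1]


def truncated_tag(local_ip, local_mac, remote_ip, week, bits):
    """SHA-1 over the concatenated fields, truncated to the top `bits`
    bits and returned as an int. Layout and separator are assumptions,
    not a format proposed in the thread."""
    msg = "|".join([local_ip, local_mac.lower(), remote_ip, str(week)])
    digest = hashlib.sha1(msg.encode("ascii")).digest()
    full = int.from_bytes(digest, "big")  # 160-bit integer
    return full >> (160 - bits)


if __name__ == "__main__":
    # Constructed sample input; addresses are documentation ranges.
    week = iso_week(2009, 8, 7)
    tag32 = truncated_tag("192.0.2.10", "00:11:22:33:44:55",
                          "198.51.100.7", week, 32)
    print("32-bit tag: %08x" % tag32)
    print("100 users, 32 bits: p(collision) = %.2e"
          % collision_probability(100, 32))
    print("300 users, 32 bits: p(collision) = %.2e"
          % collision_probability(300, 32))
    print("min bits for 100 users at <1%%: %d" % min_bits_for(100, 0.01))
    print("min bits for 300 users at <1%%: %d" % min_bits_for(300, 0.01))
    # e.g. 24 unknown MAC bits (OUI known) + 16 unknown bits of a /16
    print("candidates per 19-bit tag with 40 unknown input bits: %d"
          % expected_preimages(40, 19))
```

For 100 users the 1% target is met at 19 bits (18 bits gives roughly 1.9%), and 300 users need 23 bits; 32 bits leaves the 100-user collision probability around 1e-6, in line with the estimate above. The preimage helper shows the trade-off from the other side: with 40 bits of input the attacker does not already know, a 19-bit tag has on the order of 2^21 candidate inputs per value, so recovering the tag does not recover the MAC.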

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
