Re: Uniquely identifying an Nmap install from NSE?

[Ben Rosenberg <suicidalbob () gmail com>]

On Fri, Aug 7, 2009 at 3:31 PM, Ron<ron () skullsecurity net> wrote:
> On 08/07/2009 05:19 PM, Brandon Enright wrote:
> > What about stealing one from the conficker playbook and use the current
> > week as a source of entropy.
> >
> > Something like svcname = hash(localip + localmac + remoteip + week)
> >
> > Still not much entropy but certainly raising the bar above just MAC.
> >
> > Brandon
>
> I don't think including the week or remoteip would make a considerable
> difference, since they're going to be known to the attacker. But hashing the
> localip and localmac together is a good idea, it'd create a significantly
> more difficult bruteforce.
>
> Ron
>
> --
> Ron Bowes
> http://www.skullsecurity.org/

Something like the current Unix timestamp plus the 3rd and 6th octets
of the source's MAC would give a decent sized number and would not
contain enough information to necessarily give away the identity of
whoever is initiating the connection. Though I guess the collision
rate for that might be less than optimal.

Ben

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org