Penetration Testing mailing list archives

Re: Identifying Machines


From: "Victor A. Rodriguez" <victor () bit-man com ar>
Date: Tue, 19 Jun 2001 20:46:55 -0200

Rick and all,

one thing you can do is to capture the traffic and make an analysis
of, mainly, flag and window usage (a.k.a. stack fingerprinting).
The difference from the article at
http://www.insecure.com/nmap/nmap-fingerprinting-article.html
is that instead of asking the stack (you are blocked), you look
at the traffic that may get out of these machines (the credit is due to
the Honeynet project).

<RANT>
If you are patient enough, there's nothing more to do than wait for those
machines' traffic to pass through your network. Otherwise you can
force them to transmit and obtain more data. You can mix this with
some social engineering, of course.

One source of tracing is SMTP, so if there's some SMTP relay on
those machines that can't be reached from outside (it is the equivalent
of closed ports), they will leave a trace in the e-mails. You could
send an e-mail to anyone in the organization and wait for an answer ...
and pray that the SMTP relay doesn't strip the headers. In this way
you can make use of banners.

If there's some proxy server, you can obtain more data by installing
some web site in your network and analyzing not only the IP traffic but
all the standard info that the machine offers to the server through
the environment variables (remember that it is the proxy that makes
the connection to the web site).

Now, if there are no open ports at all on those machines, we can suppose
that these are a kind of firewall or IDS, so you can learn more about
them by sending packets to them and waiting (praying ??) for
some answer (I know, no ICMP is allowed to leave the network).

The less common way is to call the sysadmin and ask her/him for that net
configuration =p
</RANT>

Another place you can ask about this is http://lists.insecure.org/ or,
perhaps, the Honeynet project at:

http://project.honeynet.org/papers/finger/

BTW, there's a very good article on this in the last CRYPTO-GRAM 
newsletter at http://www.counterpane.com/crypto-gram-0106.html

Hope this helps
--
Victor A. Rodriguez (http://www.bit-man.com.ar)
El bit Fantasma (Bit-Man)
"aMail: a lot of fun in a bunch of Perl scripts"

