Re: RE: RE: PIX and ttl

["Fernando Cardoso" <fernando.cardoso () whatevernet com>]

[...]
> > The work around is break in and NMAP from the internal network ;)
>
>        Another option is to do some research on the possibility of
> doing fingerprinting on the other TCP states (ESTABILISHED, FIN_WAIT,
> ...).
>        A method I use to discover windows machines behind a statefull
> aware firewall with syndefender is to create ESTABILISHED connections
> and analyze the ip.id increments. This analysis can be expanded to 
> otherfields of the packets and other states by doing some research.

That's my approach too. DF field and window sizes (if stuff like 
Packeteer is not messing with it) can be also used. If pinging is 
enabled Ofir Arkin's papers would be valuable too (the last version of 
sing implements some nice fingerprinting based on them).

>        Perhaps a fingerprinting system that uses traces from a 
> tcpdumpsession? anyone?

That would be a nice tool. Anyway, siphon already does some part of the 
job,  maybe with some code grabbed from idlescan (ever heard of it? ;-) 
and sing something could be done. 

Um abraco

Fernando


_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------