Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Xprobe 0.0.2 Released

From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Thu, 25 Oct 2001 14:44:35 +0100
Hi

Just did a little hack on logic_tree.c in order to identify IBM OS/400.

Without this, xprobe would identify OS/400 boxes as "Novell (FreeBSD
4.3-current(?)". Main differences between Novell and OS/400:

- TTL is 128 for Novell and 64 for OS/400
- OS/400, as opposite to Novell, replies to ICMP Timestamp queries
- Every reply from OS/400 (echo or tstamp) is marked with TOS=32

I used the latter approach, since TTL can be deceptive with boxes many hops
away and Timestamp would require a new packet to be issued.

Use at your own risk :)

[root@brutus xprobe-0.0.2]# diff logic_tree.c
../xprobe-0.0.2patched/logic_tree.c
226a227,233

                              if (icmpecho_res->ip->ip_tos == 0x20) {
                                 tree_message("TOS 32");
                                   fin_message("IBM OS/400");
                                   free_res(&icmpecho_res);
                                   free_res(&udp_res);
                                   return 38;
                              } else {

230a238

                                }


--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/



_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: