Penetration Testing mailing list archives
Re: xprobe 0.2
From: "Ryan Permeh" <ryan () eEye com>
Date: Sun, 28 Oct 2001 10:30:58 -0800
The codebases are exactly the same (or should be). Kernels between workstation and server should be the same. The main difference is in tuning, a few registry checks, and sometimes more software is installed. If you can use these techniques to id the different systems, you may have a chance. Try looking at things like # of SYNs before dropping, perhaps distribution of ISNs, or something along those lines.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer
http://www.eEye.com/SecureIIS - Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "nobody" <pentester () yahoo com>
To: <pen-test () securityfocus com>
Sent: Friday, October 26, 2001 6:25 AM
Subject: xprobe 0.2

All,

the new xprobe 0.2 works well - as far as it goes. But - does anyone know if there is sufficient difference between the tcp/ip signature of an NT WORKSTATION and an NT SERVER OS?

Problem: I need to (without making a windows connection via SMB using pgms like gettype, winmsd, winfingerprint etc.) determine which Windows machines are running NTSERVER OS. Does anyone know or think the tcp/udp packet response from the NT SERVER will be different enough from the NT WORKSTATION - so that I can tell them apart?

again - I cannot use the normal windows connections to do this (no port 139 connections). If there are any differences in the packet response - then I could add an NT SERVER (does not matter if it is NT or W2K) to the signature file for xprobe 0.3 ??

any help ?

thanks

--
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/