Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: xprobe 0.2

From: "Ryan Permeh" <ryan () eEye com>
Date: Sun, 28 Oct 2001 10:30:58 -0800
the codebases are exactly the same(or should be).  kernels between
workstation and server should be the same.  The main difference is in
tuning, a few registry checks, and sometimes more software is installed.  If
you can use theese techniques to id the different systems, you may have a
chance.  try looking at things like #of syns before dropping, perhaps
distribution of ISN's, or something along those lines.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "nobody" <pentester () yahoo com>
To: <pen-test () securityfocus com>
Sent: Friday, October 26, 2001 6:25 AM
Subject: xprobe 0.2



All,

the new xprobe 0.2 works well - as far as it goes.
But - does anyone know if there is sufficient
difference between the tcp/ip signature of an NT
WORKSTATION and an NT SERVER OS.

Problem:

I need to (without making a windows connection via SMB
using pgms like gettype, winmsd, winffingerprint
etc..)
determine which Windows machines are running NTSERVER
OS.

Does anyone know or think the the tcp/udp packet
response from the NT SERVER will be different enough
from the NT WORKSTATION - so that I can tell them
apart.  again - i cannot use the normal windows
connections to do this (no port 139 connections).

If there are any difference in the packet response -
then I could add an NT SERVER (does not matter if it
is NT or W2K) to the signature file for xprobe 0.3 ??

any help ?

thanks


__________________________________________________
Do You Yahoo!?
Make a great connection at Yahoo! Personals.
http://personals.yahoo.com

--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus Security Intelligence Alert

(SIA)

Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please

see:

https://alerts.securityfocus.com/





----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Previous By Date Next
Previous By Thread Next

Current thread: