RE: xprobe 0.2

["Ofir Arkin" <ofir () sys-security com>]

> From the ICMP protocol point of view the TCP/IP implementation of both
Windows NT 4 Server and Workstation is exactly the same.

However, what you CAN DO is differentiate between different Service
Packs.

Ofir Arkin [ofir () sys-security com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: Ryan Permeh [mailto:ryan () eEye com] 
Sent: א 28 אוקטובר 2001 20:31
To: nobody; pen-test () securityfocus com
Subject: Re: xprobe 0.2

the codebases are exactly the same(or should be).  kernels between
workstation and server should be the same.  The main difference is in
tuning, a few registry checks, and sometimes more software is installed.
If
you can use theese techniques to id the different systems, you may have
a
chance.  try looking at things like #of syns before dropping, perhaps
distribution of ISN's, or something along those lines.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS
Vulnerabilities

----- Original Message -----
From: "nobody" <pentester () yahoo com>
To: <pen-test () securityfocus com>
Sent: Friday, October 26, 2001 6:25 AM
Subject: xprobe 0.2


> All,
>
> the new xprobe 0.2 works well - as far as it goes.
> But - does anyone know if there is sufficient
> difference between the tcp/ip signature of an NT
> WORKSTATION and an NT SERVER OS.
>
> Problem:
>
> I need to (without making a windows connection via SMB
> using pgms like gettype, winmsd, winffingerprint
> etc..)
> determine which Windows machines are running NTSERVER
> OS.
>
> Does anyone know or think the the tcp/udp packet
> response from the NT SERVER will be different enough
> from the NT WORKSTATION - so that I can tell them
> apart.  again - i cannot use the normal windows
> connections to do this (no port 139 connections).
>
> If there are any difference in the packet response -
> then I could add an NT SERVER (does not matter if it
> is NT or W2K) to the signature file for xprobe 0.3 ??
>
> any help ?
>
> thanks
>
>
> __________________________________________________
> Do You Yahoo!?
> Make a great connection at Yahoo! Personals.
> http://personals.yahoo.com
------------------------------------------------------------------------
--
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/