Penetration Testing mailing list archives
Re: xprobe 0.2
From: "Ryan Permeh" <ryan () eEye com>
Date: Tue, 30 Oct 2001 10:30:32 -0800
well, only service packs that make changes to network aspects. not all service packs do this (take win2k for example). Signed, Ryan Permeh eEye Digital Security Team http://www.eEye.com/Retina -Network Security Scanner http://www.eEye.com/Iris -Network Traffic Analyzer http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities ----- Original Message ----- From: "Ofir Arkin" <ofir () sys-security com> To: "'Ryan Permeh'" <ryan () eEye com>; "'nobody'" <pentester () yahoo com>; <pen-test () securityfocus com> Sent: Tuesday, October 30, 2001 3:28 AM Subject: RE: xprobe 0.2
From the ICMP protocol point of view the TCP/IP implementation of both
Windows NT 4 Server and Workstation is exactly the same. However, what you CAN DO is differentiate between different Service Packs. Ofir Arkin [ofir () sys-security com] Founder The Sys-Security Group http://www.sys-security.com PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA -----Original Message----- From: Ryan Permeh [mailto:ryan () eEye com] Sent: א 28 אוקטובר 2001 20:31 To: nobody; pen-test () securityfocus com Subject: Re: xprobe 0.2 the codebases are exactly the same(or should be). kernels between workstation and server should be the same. The main difference is in tuning, a few registry checks, and sometimes more software is installed. If you can use theese techniques to id the different systems, you may have a chance. try looking at things like #of syns before dropping, perhaps distribution of ISN's, or something along those lines. Signed, Ryan Permeh eEye Digital Security Team http://www.eEye.com/Retina -Network Security Scanner http://www.eEye.com/Iris -Network Traffic Analyzer http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities ----- Original Message ----- From: "nobody" <pentester () yahoo com> To: <pen-test () securityfocus com> Sent: Friday, October 26, 2001 6:25 AM Subject: xprobe 0.2
All, the new xprobe 0.2 works well - as far as it goes. But - does anyone know if there is sufficient difference between the tcp/ip signature of an NT WORKSTATION and an NT SERVER OS. Problem: I need to (without making a windows connection via SMB using pgms like gettype, winmsd, winffingerprint etc..) determine which Windows machines are running NTSERVER OS. Does anyone know or think the the tcp/udp packet response from the NT SERVER will be different enough from the NT WORKSTATION - so that I can tell them apart. again - i cannot use the normal windows connections to do this (no port 139 connections). If there are any difference in the packet response - then I could add an NT SERVER (does not matter if it is NT or W2K) to the signature file for xprobe 0.3 ?? any help ? thanks __________________________________________________ Do You Yahoo!? Make a great connection at Yahoo! Personals. http://personals.yahoo.com
------------------------------------------------------------------------ -- --
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please
see:
https://alerts.securityfocus.com/
------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- xprobe 0.2 nobody (Oct 26)
- Re: xprobe 0.2 Ryan Permeh (Oct 29)
- RE: xprobe 0.2 Ofir Arkin (Oct 30)
- Re: xprobe 0.2 Ryan Permeh (Oct 30)
- RE: xprobe 0.2 Ofir Arkin (Oct 30)
- Re: xprobe 0.2 Ryan Permeh (Oct 29)