Re: Device fingerprinting

["The Blueberry" <acr872k () hotmail com>]

Hi again all,

Since I get many

> Do you get any headers from
> 21,23,25,80,110,119,443,8080?

I will remind you that that ports on the unknown device are exactly the same 
as on the webserver so I assume that they are forwards. Proper checks of the 
banners on the device have been done and they are the same as the ones of 
the corresponding ports on the webserver. The only remaining port that 
doesn't looks a forward to the webserver is 53. I successfully compromised a 
low account on the webserver and verified the fact that no nameserver is 
running on it. So either it is a forward to another box, either it is a 
daemon on the device itself (eliminates the fact of it being a 
cisco/firewall?) that is handling the requests. But now, how can I 
fingerprint the device since all ports are forwards? even on the internal 
adapter's port 23 I do not see any telltale sign of any way to administer it 
remotely. Could it be (like one person suggested off the list) a Checkpoint? 
A fact that goes in this theory is that an account exists on a NT 
workstation/mailserver (do not remember which) that has a login name of 
Borderware and a password of CheckPoint. Any insights?

--TB

_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: 
http://photos.msn.com/support/worldwide.aspx


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/