Re: Application-based fingerprinting ?

[Javier Fernandez-Sanguino <jfernandez () germinus com>]

Anders Thulin wrote:
> Hi!
>
>   Fingerprinting a TCP stack seems a fairly well understood technique by
> now, and there are several tools, more or less developed, for
> the task: nmap, ring, ICMP-based techniques, etc.
>
>   A recent glance over the output from a dozen different finger
> servers suggests that fingerprinting might be done fairly well on
> application level, too, although possibly not always as exactly as
> for TCP/IP-based techniques: applications are easier to move around
> than TCP stacks are.
>
>   Have there been any attempts to explore this area further?
> I've googled around, but not found anything obvious, except
> for observations of some fingerprints, such as responses to
> DNS SERVER_STATUS_REQUEST (a few respond with something else
> than 'not implemented'), and so on.

	There's also the issue of knowing "what's listening in an open port". 
Sample: web servers in ports 41254 or ldap servers on port 46254.
Amap can do this kind of fingerprinting 
(http://www.thehackerschoice.com/releases.php) and so does Nessus with 
the find_service plugin  #10330 
(http://cvs.nessus.org/cgi-bin/cvsweb.cgi/nessus-plugins/plugins/find_service/).

        You might want to take a look at these too.

        Javi


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/