Vulnerability Development mailing list archives
Re: Blind Remote Buffer Overflow
From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Mon, 1 May 2000 12:01:22 -0700
On Fri, 30 Apr 100, Ralph The Wonder Llama wrote:
> > How does one tell the difference in architecture remotely, when the OS
> > runs on multiple architectures? Other than just taking a stab at it until it
>
> well.. if it is a unix system and you have access to the shell, the
> uname -a command will do the trick:
>
>   $ uname -a
>   Linux intra 2.0.33 #2 Thu Dec 11 14:08:32 MET 1997 i586 unknown
>   $
>
> that's not in any way "blind attacking". If I'm not mistaken some of the
> network scanners like nmap will do os fingerprinting based on responses to
> certain types of network packets. Search the bugtraq lists at
> http://www.securityfocus.com for "os fingerprinting" for more info.
NMAP (www.insecure.org/nmap) and queso will both do remote OS identification based on the characteristics of the TCP/IP stack of the target machine. They do this by sending out various valid or invalid TCP packets and comparing the responses to a database. You will find that different machines use different window sizes, do different things with the TCP sequence number, do different things with TCP options and reorder them in the response packet, etc, etc. Fyodor wrote a good article on how this works in a recent Phrack article (see the NMAP page for links). Of course if you have an F5 or Cisco Localdirector (?) in front of your machines then you will be fingerprinting the VIP rather than either the switch or the machines behind it and results will probably not be what you need to try to exploit the machines behind it.
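As an added illustration of the database matching Lamont describes (this is not code from nmap, queso or anyone in this thread), the following Python parses a constructed SYN/ACK, extracts the traits he lists (initial TTL, DF bit, window size and TCP option order) and scores them against a small constructed signature table; the signature names and values are assumptions, useful for checking what one of your own hosts reveals to such a scanner.

```python
import struct
# Constructed signature table (not nmap's or queso's real database): initial TTL, DF, window, option order.
SIGNATURES = {
    "stack-A": {"ttl": 64, "df": True, "window": 5840, "options": ("MSS", "SACK", "TS", "NOP", "WS")},
    "stack-B": {"ttl": 128, "df": True, "window": 65535, "options": ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")},
    "stack-C": {"ttl": 255, "df": False, "window": 8760, "options": ("MSS",)},
}
OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

def parse_tcp_options(raw):
    """Walk the TCP option list and return the option kinds in wire order."""
    names, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 ends the list
        if raw[i] == 1:                          # NOP carries no length byte
            names.append("NOP"); i += 1; continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2: break                     # malformed option: stop parsing
        names.append(OPTION_NAMES.get(raw[i], "OPT%d" % raw[i]))
        i += length
    return tuple(names)

def extract_traits(packet):
    """Pull initial TTL, DF bit, window size and option order from an IPv4+TCP packet."""
    ihl = (packet[0] & 0x0F) * 4
    df = bool(struct.unpack("!H", packet[6:8])[0] & 0x4000)
    # The observed TTL has been decremented once per hop; round up to a common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= packet[8])
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    return {"ttl": initial_ttl, "df": df, "window": struct.unpack("!H", tcp[14:16])[0],
            "options": parse_tcp_options(tcp[20:data_off])}

def fingerprint(packet):
    """Score every signature by the number of matching traits and return the best one."""
    traits = extract_traits(packet)
    scores = {name: sum(traits[k] == sig[k] for k in sig) for name, sig in SIGNATURES.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

def build_synack(ttl, df, window, options):
    # Constructed IPv4+TCP SYN/ACK for the example; checksums are left at zero.
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, (tcp_len // 4) << 4, 0x12, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000 if df else 0,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp + options

# Constructed response: six hops away (TTL 58), DF set, window 5840, options MSS,SACK,TS,NOP,WS (order matters).
SAMPLE = build_synack(58, True, 5840,
                      b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + bytes(8) + b"\x01\x03\x03\x07")
```

`fingerprint(SAMPLE)` returns `('stack-A', 4)`; a load balancer in front of the host would answer with its own traits, which is exactly the VIP effect Lamont warns about.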