Vulnerability Development mailing list archives

Re: Blind Remote Buffer Overflow


From: lamont () ICOPYRIGHT COM (Granquist, Lamont)
Date: Mon, 1 May 2000 12:01:22 -0700


On Fri, 30 Apr 100, Ralph The Wonder Llama wrote:
> > How does one tell the difference in architecture remotely, when the OS runs
> > on multiple architectures? Other than just taking a stab at it until it
>
> well.. if it is a unix system and you have access to the shell, the uname
> -a command will do the trick:
>
> $ uname -a
> Linux intra 2.0.33 #2 Thu Dec 11 14:08:32 MET 1997 i586 unknown
> $
>
> that's not in any way "blind attacking".
>
> If I'm not mistaken some of the network scanners like nmap will do OS
> fingerprinting based on responses to certain types of network packets.
>
> Search the bugtraq lists at http://www.securityfocus.com for
> "os fingerprinting" for more info.

NMAP (www.insecure.org/nmap) and queso will both do remote OS
identification based on the characteristics of the TCP/IP stack of the
target machine.  They do this by sending out various valid or invalid TCP
packets and comparing the responses to a database.  You will find that
different machines use different window sizes, do different things with
the TCP sequence number, do different things with TCP options and reorder
them in the response packet, etc, etc.  Fyodor wrote a good article on how
this works in a recent issue of Phrack (see the NMAP page for links).

Of course if you have an F5 or Cisco Localdirector (?) in front of your
machines then you will be fingerprinting the VIP rather than either the
switch or the machines behind it, and the results will probably not be what
you need to exploit the machines behind it.
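The matching step described above (window size, option order, ISN behaviour, compared against a database), as an added example that is not code from this post or from nmap or queso. It sends no packets: the SYN/ACK responses, the ISN samples and the three-entry signature database are constructed and hypothetical, and the field names W, O and ISN are chosen here for illustration, not taken from either tool's fingerprint file. Real scanners run many more tests (probes to open and closed ports, ICMP and UDP behaviour, RST handling) and match against thousands of signatures.

```python
"""Toy TCP/IP stack fingerprinter in the style of nmap/queso as described above.

Added illustration, not code from the list post or from nmap/queso: the probe
responses, ISN samples and the signature database below are constructed and
hypothetical, not nmap's real fingerprint data.
"""
import struct

# TCP option kinds (RFC 793, 1323, 2018) and the one-letter codes used in signatures
OPT_NAMES = {0: "E", 1: "N", 2: "M", 3: "W", 4: "S", 8: "T"}
SYN_ACK = 0x012  # SYN and ACK flag bits in the TCP header


def parse_tcp_options(opts: bytes) -> list:
    """Walk the TCP options area and return option codes in wire order.

    The order in which a stack echoes options (and where it puts NOP padding)
    is one of the signals the post mentions.
    """
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # EOL: end of the option list
            out.append("E")
            break
        if kind == 1:                      # NOP: single byte, no length field
            out.append("N")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        out.append(OPT_NAMES.get(kind, "?%d" % kind))
        i += length
    return out


def parse_tcp_header(raw: bytes) -> dict:
    """Parse a bare TCP header (no IP header) into the fields the tests look at."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    _sport, _dport, seq, _ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4       # header length in bytes
    if data_offset < 20 or data_offset > len(raw):
        raise ValueError("bad TCP data offset")
    return {"seq": seq, "flags": off_flags & 0x1FF, "window": window,
            "options": parse_tcp_options(raw[20:data_offset])}


def build_tcp_header(seq: int, flags: int, window: int, options: bytes = b"") -> bytes:
    """Build a TCP header; used here only to fabricate sample responses offline."""
    options += b"\x00" * ((-len(options)) % 4)  # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    if data_offset > 15:
        raise ValueError("too many TCP options")
    return struct.pack("!HHIIHHHH", 80, 40000, seq, 0,
                       (data_offset << 12) | flags, window, 0, 0) + options


def classify_isn(isns: list) -> str:
    """Classify how the stack picks initial sequence numbers across several SYN/ACKs."""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d == deltas[0] for d in deltas):
        return "fixed increment"   # e.g. the old 64000-per-connection rule
    return "random"


def fingerprint(synack_raw: bytes, isns: list) -> dict:
    """Reduce a SYN/ACK probe response plus ISN samples to a comparable signature."""
    h = parse_tcp_header(synack_raw)
    return {"W": "%x" % h["window"], "O": "".join(h["options"]),
            "ISN": classify_isn(isns)}


# Constructed, hypothetical signature database (NOT nmap's real fingerprints).
DB = {
    "Hypothetical OS A": {"W": "7d78", "O": "MNNSNWNNT", "ISN": "random"},
    "Hypothetical OS B": {"W": "2000", "O": "M", "ISN": "fixed increment"},
    "Hypothetical OS C": {"W": "ffff", "O": "MNWNNT", "ISN": "random"},
}


def best_match(fp: dict, db: dict = DB) -> tuple:
    """Return (name, fields matched, fields compared) for the closest database entry."""
    scored = sorted(((sum(fp[k] == sig.get(k) for k in fp), name)
                     for name, sig in db.items()), reverse=True)
    score, name = scored[0]
    return name, score, len(fp)


# Constructed sample: three SYN/ACKs from one host (window 0x7d78, options
# MSS,NOP,NOP,SACKOK,NOP,WScale,NOP,NOP,Timestamp) with random-looking ISNs.
SAMPLE_OPTS = (b"\x02\x04\x05\xb4" + b"\x01\x01" + b"\x04\x02" + b"\x01"
               + b"\x03\x03\x07" + b"\x01\x01" + b"\x08\x0a" + b"\x00" * 8)
SAMPLE_ISNS = [0x1A2B3C4D, 0x9F1E2D3C, 0x4455AA11]
SAMPLE_SYNACK = build_tcp_header(SAMPLE_ISNS[0], SYN_ACK, 0x7D78, SAMPLE_OPTS)

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_SYNACK, SAMPLE_ISNS)
    print(fp, best_match(fp))
```

The caveat in the post applies unchanged to this toy: if a load balancer terminates the TCP handshake, every one of these fields describes the balancer's stack, so a confident match says nothing about the hosts behind the VIP.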
