> [ snip - note that it is often exactly bugs in the
> is-this-an-existing-connection lookup that os detection code exploits. ]

You'd be surprised at how untrue this is (the "often" part). While much of what's publicly available may do this, there are many other variables in a stack unrelated to TCP state that can be used to identify an OS - and are also virtually impossible for someone to fix. Virtually every commercial and free OS supports different IP options, and will handle them in different ways. It would be virtually impossible to get every vendor to synchronize what they support. TCP options give you even more variety.

CyberCop Scanner 5.5 uses a variety of these methods to identify the target OS.. Anthony Osbourne can probably comment more on this.. I don't believe any of this is proprietary, since you can see it with a sniffer anyways - and the arachNIDS database at whitehats.com detects this.

- Oliver
securityfocus.com
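The TCP-option variety mentioned in the message above is visible to any sniffer or IDS sensor as the order of options in a SYN. The parser below is an added example, not part of the original post or of any tool it names; the sample headers, `build_syn` and `tcp_option_layout` are constructed for illustration and map to no particular OS.

```python
import struct

# Option kinds from RFC 9293, RFC 7323 and RFC 2018 (names only, no OS mapping implied).
KINDS = {2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}

def tcp_option_layout(tcp_header: bytes) -> str:
    """Return the ordered option layout of a raw TCP header, e.g. 'MSS,NOP,WS'."""
    if len(tcp_header) < 20:
        raise ValueError("short TCP header")
    data_offset = (tcp_header[12] >> 4) * 4       # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i, layout = tcp_header[20:data_offset], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of option list: the rest is padding
            layout.append("EOL")
            break
        if kind == 1:                 # NOP is a single byte with no length field
            layout.append("NOP")
            i += 1
            continue
        # Every other option carries a length byte that covers kind+length+data.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            layout.append("BAD")      # truncated or lying length: stop parsing
            break
        layout.append(KINDS.get(kind, f"?{kind}"))
        i += opts[i + 1]
    return ",".join(layout)

def build_syn(options: bytes) -> bytes:
    """Constructed sample: a SYN header carrying the given option bytes."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, offset << 4, 0x02, 8192, 0, 0)
    return fixed + options

# Two constructed stacks advertising the same features in a different order.
STACK_A = build_syn(bytes([2, 4, 5, 180, 1, 3, 3, 0, 4, 2]))   # MSS, NOP, WS, SACKOK
STACK_B = build_syn(bytes([2, 4, 5, 180, 4, 2, 1, 3, 3, 0]))   # MSS, SACKOK, NOP, WS
TRUNCATED = build_syn(bytes([2, 4, 5, 180, 3, 9]))             # WS claims 9 bytes

if __name__ == "__main__":
    for name, hdr in (("A", STACK_A), ("B", STACK_B), ("truncated", TRUNCATED)):
        print(name, tcp_option_layout(hdr))
```

Both sample stacks negotiate the same features, yet their layouts differ, which is the kind of per-vendor variation the message describes.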
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:20 PDT