Fernando Cardoso wrote:
[...]
> I don't think so... I've tested all kinds of Windows stuff and I always get
> 128 (local LAN). Maybe the results you're showing are the result of some
> kind of "PIX tweaking".
>
> > -- Windows NT 4.0 x86 SP6a ( ttl = 128 ) in MY LAN
> > 46 bytes from 10.1.3.20: flags=SA seq=0 ttl=128 id=25884 win=8576
> > rtt=0.5 ms

It's the default setting in WinNT's Registry, but you can set it up to
whatever value you want, just by editing your NT Box. I already posted, some
time ago, talking about ICMP Fingerprint.

The registry key you need to modify to confuse the attacker (maybe penetration
tester ;)) is:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DefaultTTL"=dword:000000ff

This means the TTL is now set to 255 or 0x000000ff in hex. So, I could set
this value to 0x00000081 (129 in decimal), so it would be weird when some
attacker tries to "traceroute" this host.

What do you think? ;))

PS: Sorry for my poor English...

That's all
--
# Nelson Brito
# Security Analyst and Penetration Tester
# Security Networks AG - The trust Company!
#
# Usage: cat <file> | perl .signature
foreach(<STDIN>){chop;split;(//,$_);print reverse @_;print "\n";}
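Added example, not part of the original post: a Python sketch of the TTL rounding heuristic that the DefaultTTL change above interferes with, run over the hping line quoted in the thread plus two constructed lines for DefaultTTL=0x81 and 0xff. The list of common initial TTLs and the 30-hop plausibility limit are assumptions of this example, not values from the post.

```python
import re

# Assumption: initial TTLs commonly used by TTL-based OS guessing.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)
# Assumption: paths longer than this are treated as implausible.
MAX_PLAUSIBLE_HOPS = 30

HPING_RE = re.compile(
    r"from (?P<src>[\d.]+): flags=(?P<flags>\w+) .*?ttl=(?P<ttl>\d+)"
)

SAMPLES = [
    # Quoted in the thread (NT 4.0 SP6a on the local LAN, default TTL).
    "46 bytes from 10.1.3.20: flags=SA seq=0 ttl=128 id=25884 win=8576 rtt=0.5 ms",
    # Constructed: same host after DefaultTTL=dword:00000081.
    "46 bytes from 10.1.3.20: flags=SA seq=0 ttl=129 id=25885 win=8576 rtt=0.5 ms",
    # Constructed: same host after DefaultTTL=dword:000000ff.
    "46 bytes from 10.1.3.20: flags=SA seq=0 ttl=255 id=25886 win=8576 rtt=0.5 ms",
]


def parse_hping_line(line):
    """Extract source, TCP flags and TTL from one hping reply line."""
    m = HPING_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "flags": m["flags"], "ttl": int(m["ttl"])}


def infer_initial_ttl(observed):
    """Round the observed TTL up to the next common initial value.

    Returns (guessed_initial, implied_hops, plausible).
    """
    if not 1 <= observed <= 255:
        raise ValueError("TTL out of range: %r" % observed)
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed)
    hops = initial - observed
    return initial, hops, hops <= MAX_PLAUSIBLE_HOPS


def analyse(lines):
    """Return (observed, guessed_initial, hops, plausible) per parsed line."""
    out = []
    for line in lines:
        rec = parse_hping_line(line)
        if rec is not None:
            out.append((rec["ttl"],) + infer_initial_ttl(rec["ttl"]))
    return out


if __name__ == "__main__":
    for ttl, initial, hops, ok in analyse(SAMPLES):
        print("ttl=%d -> initial %d, %d hops, plausible=%s" % (ttl, initial, hops, ok))
```

With 129 the heuristic rounds up to 255 and implies 126 hops to a host on the local LAN, so the guess is visibly inconsistent; with 255 the host simply lands in a different TTL class.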
This archive was generated by hypermail 2b30 : Sat May 26 2001 - 23:50:00 PDT