Re: RE: RE: PIX and ttl

From: Fernando Cardoso (fernando.cardosoat_private)
Date: Mon May 28 2001 - 12:28:59 PDT


    [...]
    > > The work around is break in and NMAP from the internal network ;)
    > 
    >        Another option is to do some research on the possibility of
    > doing fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT,
    > ...).
    >        A method I use to discover Windows machines behind a stateful
    > aware firewall with SYNDefender is to create ESTABLISHED connections
    > and analyze the ip.id increments. This analysis can be expanded to 
    > other fields of the packets and other states by doing some research.
    
    That's my approach too. The DF field and window sizes (if stuff like 
    Packeteer is not used) can also be used. If pinging is enabled, Ofir 
    Arkin's papers would be valuable too.
    
    >        Perhaps a fingerprinting system that uses traces from a 
    > tcpdump session? anyone?
    
    That would be a nice tool. I wonder if siphon already does part of the 
    job? I don't have the code right now to check...
    
    Regards
    
    Fernando
    
    
    _____________________________________________________________________
                          INTERNET MAIL FOOTER 
    Privileged or confidential information may be contained in this
    message. If you are not the addressee indicated in this message, you
    may not copy or deliver this message to anyone. In such case, you
    should destroy this message and kindly notify the sender by reply
    email.
    ---------------------------------------------------------------------
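The passive check the thread describes (watching ip.id increments, DF and the TCP window on packets a host sends over an ESTABLISHED connection) as an added example, not code from the original thread or from siphon. The packets are constructed inline; the class labels (incremental, byte-swapped "broken" increment, zero, constant, random) and the step limit of 10 are assumptions taken from the usual IP ID fingerprinting heuristic, not something the thread states, so treat the output as a hint to confirm, not an OS verdict.

```python
"""Passive IP ID / DF / window-size fingerprinting over packets captured
from an ESTABLISHED connection (added example, not from the original thread).

Sample packets are constructed below; the class labels and MAX_STEP are
assumed heuristics, not facts stated in the thread.
"""
import struct
from typing import Dict, List

IP_DF = 0x4000    # Don't Fragment bit in the IPv4 flags/fragment-offset field
MAX_STEP = 10     # assumed: id steps of 1..10 still count as "incremental"


def build_packet(ip_id: int, df: bool, window: int) -> bytes:
    """Build a minimal IPv4 + TCP header pair (constructed sample; checksums left 0)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, ip_id, IP_DF if df else 0, 64, 6, 0,
                         bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    # src port, dst port, seq, ack, data offset (5 words), flags (PSH|ACK), window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 445, 40000, 1000, 2000, 0x50, 0x18, window, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(pkt: bytes) -> Dict[str, object]:
    """Extract ip.id, DF and the TCP window from a raw IPv4/TCP packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, flags_frag = struct.unpack("!HH", pkt[4:8])
    if pkt[9] != 6:
        raise ValueError("not TCP")
    (window,) = struct.unpack("!H", pkt[ihl + 14:ihl + 16])   # window is at TCP offset 14
    return {"ip_id": ip_id, "df": bool(flags_frag & IP_DF), "window": window}


def _swap16(x: int) -> int:
    return ((x & 0xFF) << 8) | (x >> 8)


def _is_incremental(ids: List[int]) -> bool:
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    return all(1 <= d <= MAX_STEP for d in diffs)


def classify_ip_id(ids: List[int]) -> str:
    """Classify the ip.id sequence seen from one host (heuristic labels, assumed)."""
    if len(ids) < 3:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    if len(set(ids)) == 1:
        return "constant"
    if _is_incremental(ids):
        return "incremental"
    if _is_incremental([_swap16(i) for i in ids]):
        return "broken-increment"   # counts by 1 but emits the id in host byte order
    return "random"


def fingerprint(packets: List[bytes]) -> Dict[str, object]:
    """Summarise the three fields the thread discusses for one host's packets."""
    fields = [parse_packet(p) for p in packets]
    return {
        "ip_id_class": classify_ip_id([f["ip_id"] for f in fields]),
        "df_always_set": all(f["df"] for f in fields),
        "windows": sorted({f["window"] for f in fields}),
    }


# Constructed samples, one list per imaginary host (not real captures)
SAMPLES = {
    "host_a": [build_packet(i, True, 5840) for i in (1001, 1002, 1003, 1005)],
    "host_b": [build_packet(i, True, 8760) for i in (0x0100, 0x0200, 0x0300, 0x0400)],
    "host_c": [build_packet(i, False, 16384) for i in (41231, 9, 60001, 22222)],
    "host_d": [build_packet(0, True, 5840) for _ in range(4)],
}

if __name__ == "__main__":
    for name, pkts in SAMPLES.items():
        print(name, fingerprint(pkts))
```

To use it on a real trace, feed `fingerprint()` the raw IP packets one host sent during the established session (for example, the payload of each frame after the link-layer header), one host at a time; mixing hosts or sampling too sparsely breaks the increment test, which is why MAX_STEP is an assumption you may need to tune.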
    



    This archive was generated by hypermail 2b30 : Mon May 28 2001 - 20:36:53 PDT