> Another option is to do some research on the possibility of
> doing fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT,
> ...).
>
> A method I use to discover Windows machines behind a stateful-aware
> firewall with SYNDefender is to create ESTABLISHED connections
> and analyze the ip.id increments. This analysis can be expanded to other
> fields of the packets and other states by doing some research.
>
> Perhaps a fingerprinting system that uses traces from a tcpdump
> session? Anyone?

siphon is a passive fingerprint system that works by analyzing the
information in a SYN TCP segment - the same idea used in p0f. For both to
work the "target" computer has to start a session towards a machine under
your control, while you have siph0n/p0f running on it . . . and one of them
(at least) can read & analyze tcpdump files.

AFAIK nobody has done the same kind of analysis on non-SYN flags . . . .
but if the firewall in question also randomizes/changes the SEQ number
(as the PIX does) and/or IP ID fields, what you're going to learn is what
kind of firewall is in use, not what hosts are behind it . . .

D

> --
> Filipe Almeida filipeat_private
> Aka LiquidK
> Administração da Rede das Novas Licenciaturas
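The two analyses discussed in this thread, passive fingerprinting from the fields of a client's SYN and classifying a host's IP ID behaviour across an ESTABLISHED connection, worked through on an offline tcpdump-style capture. This is an added example written for this page; it is not code from siphon, p0f or the poster. The SYN signature table and the "incremental means +1 or +256" rule are illustrative assumptions, not the real p0f/siphon databases, and the capture is constructed in the script itself (two clients opening a session to 10.0.0.1, as the post says the target must).

```python
"""Passive TCP/IP fingerprinting over an offline pcap (tcpdump -w) capture.

Added example, not siphon/p0f code. Two analyses from the thread:
  1. classify a host from its SYN (initial TTL guess, DF bit, TCP option order)
  2. classify a host's IP ID behaviour over an ESTABLISHED connection
The signature table and IP ID rules are illustrative assumptions.
"""
import struct

def ip_to_bytes(s):
    return bytes(int(x) for x in s.split("."))

def build_frame(src, dst, sport, dport, seq, flags, ttl, win, ip_id, df, opts=b""):
    """Constructed Ethernet+IPv4+TCP frame (checksums left 0; never sent)."""
    opts += b"\x00" * (-len(opts) % 4)            # pad TCP options to 32-bit words
    tcp_len = 20 + len(opts)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      (tcp_len // 4) << 4, flags, win, 0, 0) + opts
    frag = 0x4000 if df else 0                     # DF bit lives in the fragment field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, ip_id, frag, ttl, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + tcp

def write_pcap(frames):
    """Minimal pcap writer (little-endian, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def read_pcap(data):
    """Yield raw frames from a pcap blob (handles both byte orders)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen

def parse_frame(frame):
    """Pull out the IP/TCP header fields a passive fingerprinter keys on."""
    ip = frame[14:]                                # skip Ethernet header
    ihl = (ip[0] & 0x0F) * 4
    _, _, total, ip_id, frag, ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    if proto != 6:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    tcp = ip[ihl:total]
    _, _, _, _, off, flags, win = struct.unpack("!HHIIBBH", tcp[:16])
    raw, i, opts = tcp[20:(off >> 4) * 4], 0, []
    while i < len(raw) and raw[i] != 0:           # walk TCP options; kind 0 = end
        kind = raw[i]
        if kind == 1:                              # NOP carries no length byte
            opts.append("nop"); i += 1; continue
        opts.append({2: "mss", 3: "wscale", 4: "sackok", 8: "ts"}.get(kind, "opt%d" % kind))
        i += raw[i + 1]
    return dict(src=src, ttl=ttl, df=bool(frag & 0x4000), ip_id=ip_id,
                flags=flags, win=win, opts=opts)

def initial_ttl(ttl):
    """Guess the sender's starting TTL from the observed one (assumed common starts)."""
    for guess in (64, 128, 255):
        if ttl <= guess:
            return guess
    return 255

SYN_SIGNATURES = [   # illustrative assumptions, not a real signature database
    dict(ittl=128, df=True, opts=["mss", "nop", "nop", "sackok"], label="windows-like"),
    dict(ittl=64, df=True, opts=["mss", "sackok", "ts", "nop", "wscale"], label="linux-like"),
]

def fingerprint_syn(pkt):
    """Label a bare SYN (SYN set, ACK clear) by TTL class, DF bit and option order."""
    if (pkt["flags"] & 0x12) != 0x02:
        return None
    for sig in SYN_SIGNATURES:
        if (initial_ttl(pkt["ttl"]), pkt["df"], pkt["opts"]) == (sig["ittl"], sig["df"], sig["opts"]):
            return sig["label"]
    return "unknown"

def ipid_behaviour(ids):
    """Classify IP ID deltas seen from one host; +1/+256 = simple counter (assumed)."""
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if not deltas:
        return "insufficient"
    if all(d == 0 for d in deltas):
        return "zero"
    if all(d == deltas[0] and d in (1, 256) for d in deltas):
        return "incremental"
    return "random"          # also what a firewall rewriting IP ID would look like

def analyze_capture(pcap_bytes):
    """Per source host: SYN label plus IP ID behaviour over all its packets."""
    hosts = {}
    for frame in read_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        h = hosts.setdefault(pkt["src"], {"syn": None, "ids": []})
        label = fingerprint_syn(pkt)
        if label:
            h["syn"] = label
        h["ids"].append(pkt["ip_id"])
    return {s: {"syn": h["syn"], "ipid": ipid_behaviour(h["ids"])} for s, h in hosts.items()}

def demo_capture():
    """Constructed capture: 10.0.0.5 and 10.0.0.9 each open a session to 10.0.0.1."""
    win_opts = b"\x02\x04\x05\xb4\x01\x01\x04\x02"                      # mss,nop,nop,sackok
    lin_opts = b"\x02\x04\x05\xb4\x04\x02\x08\x0a" + b"\0" * 8 + b"\x01\x03\x03\x00"
    frames = [build_frame("10.0.0.5", "10.0.0.1", 1025, 80, 1, 0x02, 125, 16384, 0x0100, True, win_opts)]
    frames += [build_frame("10.0.0.5", "10.0.0.1", 1025, 80, 2, 0x18, 125, 16384, i, True)
               for i in (0x0200, 0x0300, 0x0400)]                    # counter stepping by 256
    frames.append(build_frame("10.0.0.9", "10.0.0.1", 32770, 80, 1, 0x02, 61, 5840, 0x2aa1, True, lin_opts))
    frames += [build_frame("10.0.0.9", "10.0.0.1", 32770, 80, 2, 0x18, 61, 5840, i, True)
               for i in (0x8f13, 0x1c07, 0x5e2e)]                    # IP IDs with no pattern
    return write_pcap(frames)

if __name__ == "__main__":
    for host, verdict in analyze_capture(demo_capture()).items():
        print(host, verdict)
```

Point `read_pcap` at a real `tcpdump -w` file and the same two classifiers apply unchanged; the point the reply makes is visible in the second host, whose IP IDs come back "random", which tells you nothing about the OS if a firewall in the path is rewriting that field.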
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 20:58:36 PDT