[...]
> > The work around is break in and NMAP from the internal network ;)
>
> Another option is to do some research on the possibility of
> doing fingerprinting on the other TCP states (ESTABILISHED, FIN_WAIT,
> ...).
> A method I use to discover windows machines behind a statefull
> aware firewall with syndefender is to create ESTABILISHED connections
> and analyze the ip.id increments. This analysis can be expanded to
> otherfields of the packets and other states by doing some research.
That's my approach too. DF field and window sizes (if stuff like
Packeteer is not messing with it) can be also used. If pinging is
enabled Ofir Arkin's papers would be valuable too (the last version of
sing implements some nice fingerprinting based on them).
> Perhaps a fingerprinting system that uses traces from a
> tcpdumpsession? anyone?
That would be a nice tool. Anyway, siphon already does some part of the
job, maybe with some code grabbed from idlescan (ever heard of it? ;-)
and sing something could be done.
Um abraco
Fernando
_____________________________________________________________________
INTERNET MAIL FOOTER
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 21:01:43 PDT