On Mon, May 28, 2001 at 08:28:59PM +0100, Fernando Cardoso wrote:
> [...]
> > > The workaround is to break in and NMAP from the internal network ;)
> >
> > Another option is to do some research on the possibility of
> > doing fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT,
> > ...).
> > A method I use to discover Windows machines behind a stateful
> > aware firewall with syndefender is to create ESTABLISHED connections
> > and analyze the ip.id increments. This analysis can be expanded to
> > other fields of the packets and other states by doing some research.
>
> That's my approach too. DF field and window sizes (if stuff like
> Packeteer are not used) can also be used. If pinging is enabled Ofir
> Arkin's papers would be valuable too.
>
> > Perhaps a fingerprinting system that uses traces from a
> > tcpdump session? anyone?
>
> That would be a nice tool. I wonder if siphon already does part of the
> job? I don't have the code right now to check...

siphon uses libpcap and has an option for feeding in your tcpdump -w sessions
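The thread describes passive fingerprinting from a `tcpdump -w` trace: watch ip.id increments, the DF bit and TCP window sizes per source host. The following is an added example written for this archive page, not siphon's code and not code from any poster; it reads the classic libpcap file format with the standard library only, groups TCP packets by source and classifies the ip.id sequence. The classification thresholds (gaps of 1 to 16 for "incremental", multiples of 256 for a host-byte-order counter) and the sample capture are the example's own assumptions, and all traffic in it is constructed.

```python
"""Passive TCP/IP indicators from a libpcap capture (added example; sample
traffic is constructed, classification thresholds are this example's own)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, ip_id, df, window, seq=1):
    """Construct one Ethernet/IPv4/TCP frame. Checksums are left zero: the
    parser below does not verify them and this is synthetic input only."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, window, 0, 0)
    flags_frag = 0x4000 if df else 0          # DF is bit 14 of flags/fragment
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, flags_frag,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a libpcap file: 24-byte global header, 16-byte record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for n, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + n, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield raw frames from a libpcap file, honouring the byte order in the magic."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:                 # same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src_ip, ip_id, df, window) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    ip_id, flags_frag = struct.unpack("!HH", ip[4:8])
    window = struct.unpack("!H", ip[ihl + 14:ihl + 16])[0]
    return socket.inet_ntoa(ip[12:16]), ip_id, bool(flags_frag & 0x4000), window


def classify_ipid(ids):
    """Classify an ip.id sequence; differences wrap modulo 2^16."""
    if len(ids) < 3:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    diffs = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "constant"
    if all(1 <= d <= 16 for d in diffs):
        return "incremental"
    # A counter kept in little-endian host order and sent without byte swapping
    # advances by 256 per packet on the wire; this is the pattern the thread
    # associates with Windows hosts.
    if all(d % 256 == 0 and 256 <= d <= 16 * 256 for d in diffs):
        return "incremental-byteswapped"
    return "random"


def fingerprint(pcap_bytes):
    """Group TCP packets by source and summarise ip.id class, DF bit and windows."""
    hosts = defaultdict(lambda: {"ids": [], "df": set(), "windows": set()})
    for frame in parse_pcap(pcap_bytes):
        fields = tcp_fields(frame)
        if fields is None:
            continue
        src, ip_id, df, window = fields
        hosts[src]["ids"].append(ip_id)
        hosts[src]["df"].add(df)
        hosts[src]["windows"].add(window)
    return {src: {"ipid_class": classify_ipid(h["ids"]),
                  "df": h["df"] == {True},
                  "windows": h["windows"]} for src, h in hosts.items()}


# Constructed sample capture: three talkers with distinct ip.id behaviour.
SAMPLE_PCAP = build_pcap(
    [build_frame("10.0.0.5", "192.0.2.1", 0x1000 + 256 * n, True, 65535) for n in range(4)]
    + [build_frame("10.0.0.9", "192.0.2.1", 0, True, 5840) for _ in range(3)]
    + [build_frame("10.0.0.12", "192.0.2.1", i, False, 8760) for i in (0x3A21, 0x9F0C, 0x12E4, 0xC5B7)])

if __name__ == "__main__":
    for src, summary in sorted(fingerprint(SAMPLE_PCAP).items()):
        print(src, summary)
```

Point `fingerprint()` at the bytes of a real `tcpdump -w` file to see what a passive observer learns from ESTABLISHED traffic alone; only hosts with three or more packets get a verdict, and captures with the nanosecond magic or a non-Ethernet link type are rejected rather than misread.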
This archive was generated by hypermail 2b30 : Tue May 29 2001 - 22:31:35 PDT