Two things jump to my mind:

1. IP_ID changes: if all the (say: UDP) ports are closed you get a reply saying so (ICMP_UDP_PORT_UNREACHABLE). You can check two consecutive packets for IP_ID change and deduce the OS from that. I don't know of any database of IP_ID -> OS, though.

2. NMAP tests 5, 6, 7 and UDP rely on closed ports. See Fyodor's article at: http://www.insecure.org/nmap/nmap-fingerprinting-article.html

Best Regards,

Yonatan Bokovza
IT Security Consultant
Xpert Systems

> -----Original Message-----
> From: Rick Who Else? [mailto:myworldat_private]
> Sent: Tuesday, June 19, 2001 03:11
> To: PEN-TESTat_private
> Subject: Identifying Machines
>
> I'm looking for as many ways as possible to identify machines on a network.
> Considering ICMP is disabled, and all ports on the end machine are closed.
>
> Ideas? The more the merrier.
>
> This question goes for NT, 2K, and Unix/Unix-like machines.
>
> Thanks,
> Rick
This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 14:40:15 PDT
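The IP_ID comparison from point 1 of the reply, as an added example that is not part of the original post: it reads the IP ID out of captured ICMP port-unreachable replies and labels how the value moves between them, which is also what a defender would check to see what a host's stack gives away. It generalizes from two packets to any number of consecutive replies; the function names, the class labels and the `max_step` threshold are assumptions, and no IP_ID-to-OS mapping is implied.

```python
import struct

ICMP_PROTO, DEST_UNREACH, PORT_UNREACH = 1, 3, 3

def ip_id_of_port_unreachable(packet: bytes) -> int:
    """Return the IP ID of an IPv4 packet carrying ICMP port unreachable."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(packet) < ihl + 8:
        raise ValueError("truncated packet")
    if (packet[9], packet[ihl], packet[ihl + 1]) != (ICMP_PROTO, DEST_UNREACH, PORT_UNREACH):
        raise ValueError("not an ICMP port-unreachable reply")
    return struct.unpack_from("!H", packet, 4)[0]

def small_steps(ids, max_step):
    """True if every consecutive difference (mod 2^16) is in 1..max_step."""
    return all(0 < (b - a) % 65536 <= max_step for a, b in zip(ids, ids[1:]))

def classify_ip_ids(ids, max_step=16):
    """Label the IP ID behaviour across consecutive replies.
    max_step is an assumed cut-off for a 'small' increment, not a standard;
    a busy host can advance its counter further between two probes."""
    if len(ids) < 2:
        raise ValueError("need at least two replies")
    if all(i == 0 for i in ids):
        return "zero"
    if len(set(ids)) == 1:
        return "constant"
    if small_steps(ids, max_step):
        return "incremental"
    # Counter kept in little-endian order shows up as steps of 256 on the wire.
    swapped = [((i & 0xFF) << 8) | (i >> 8) for i in ids]
    if small_steps(swapped, max_step):
        return "incremental-byte-swapped"
    return "random-or-unknown"

def make_reply(ip_id: int) -> bytes:
    """Constructed sample: minimal IPv4 + ICMP type 3/code 3, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, 64, ICMP_PROTO, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    return ip + struct.pack("!BBHI", DEST_UNREACH, PORT_UNREACH, 0, 0)

if __name__ == "__main__":
    samples = {"A": [0x1000, 0x1001, 0x1003], "B": [0x0010, 0x0110, 0x0210],
               "C": [0, 0, 0], "D": [0x3A91, 0xC204, 0x0F7E]}   # constructed values
    for host, wire_ids in samples.items():
        ids = [ip_id_of_port_unreachable(make_reply(i)) for i in wire_ids]
        print(host, [hex(i) for i in ids], classify_ip_ids(ids))
```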