Re: Identifying Machines

From: Victor A. Rodriguez (victor@bit-man.com.ar)
Date: Tue Jun 19 2001 - 15:46:55 PDT


    Rick and all,
    
    one thing you can do is to capture the traffic and make an analysis
    of, mainly, flags and window usage (a.k.a. stack fingerprinting).
    The difference with the article at
    http://www.insecure.com/nmap/nmap-fingerprinting-article.html
    is that instead of asking the stack (you are blocked) you look
    at the traffic that may get out of these machines (the credit is due
    to the Honeynet project).
    
    <RANT>
    If you are patient enough there's nothing more to do than wait for
    those machines' traffic to pass through your network. Otherwise you can
    force them to transmit and obtain more data. You can mix this with
    some social engineering, of course.
    
    One source of tracing is SMTP, so if there's some SMTP relay on
    those machines that can't be reached from outside (it is the equivalent
    of closed ports) they will leave a trace in the e-mails. You could
    send an e-mail to anyone in the organization and wait for an answer ...
    and pray that the SMTP relay doesn't strip the headers. In this way
    you can make use of banners.
    
    If there's some proxy server, you can obtain more data by installing
    some web site in your network, and analyze not only the IP traffic but
    all the standard info that the machine offers to the server through
    the environment variables (remember that it is the proxy who makes
    the connection to the web site).
    
    Now, if there are no open ports at all on those machines, we can suppose
    that these are a kind of firewall or IDS, so you can learn more about
    them by sending packets to them and waiting (praying ??) for
    some answer (I know, no ICMP is allowed to leave the network).
    
    The least common is to call the sysadmin and ask her/him for that net
    configuration =p
    </RANT>
    
    Another place you can ask about this is http://lists.insecure.org/ or,
    perhaps, the Honeynet project at:
    
    http://project.honeynet.org/papers/finger/
    
    BTW, there's a very good article on this in the last CRYPTO-GRAM 
    newsletter at http://www.counterpane.com/crypto-gram-0106.html
    
    Hope this helps
    --
    Victor A. Rodriguez (http://www.bit-man.com.ar)
    El bit Fantasma (Bit-Man)
    "aMail: a lot of fun in a bunch of Perl scripts"
    
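    The passive "flags and window" approach described in the post above, as an added example that is not part of the original message: it groups outbound SYNs by source host, estimates each sender's initial TTL and hop distance, and matches (initial TTL, window, DF) against a small signature table. The signature values, the host addresses and the capture itself are constructed for illustration, not an authoritative OS database.

```python
# Passive stack fingerprinting of outbound SYNs (added example). The SIGNATURES
# table is illustrative only; a real deployment would use a maintained database.
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    src: str      # source address as seen leaving the monitored segment
    ttl: int      # IP TTL observed at the capture point
    window: int   # TCP window size advertised in the SYN
    df: bool      # IP "don't fragment" flag


# Initial TTLs commonly used by IP stacks; the observed TTL is rounded up to the
# nearest one to estimate the sender's starting value and the hop distance.
INITIAL_TTLS = (32, 64, 128, 255)

# (initial_ttl, window, df) -> label. Values are constructed for the example.
SIGNATURES = {
    (64, 32120, True): "Linux 2.2-like",
    (128, 8192, True): "Windows NT-like",
    (255, 16384, True): "BSD-like",
}


def initial_ttl(observed):
    """Smallest common initial TTL that is >= the observed TTL."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return 255  # not reachable for a valid 8-bit TTL, keeps the function total


def fingerprint(syn):
    """Estimate initial TTL, hop distance and a stack label for one SYN."""
    init = initial_ttl(syn.ttl)
    return {"initial_ttl": init, "hops": init - syn.ttl,
            "label": SIGNATURES.get((init, syn.window, syn.df), "unknown")}


def inventory(syns):
    """First fingerprint seen per source host, keyed by address."""
    hosts = {}
    for s in syns:
        hosts.setdefault(s.src, fingerprint(s))
    return hosts


SAMPLE = [  # constructed capture of SYNs observed leaving the protected network
    Syn("10.0.0.5", 61, 32120, True),
    Syn("10.0.0.7", 126, 8192, True),
    Syn("10.0.0.9", 250, 16384, True),
    Syn("10.0.0.9", 250, 16384, True),
    Syn("10.0.0.12", 60, 5840, True),   # window not in the table -> "unknown"
]

if __name__ == "__main__":
    for host, info in inventory(SAMPLE).items():
        print(host, info)
```

    Run against your own segment's traffic, the "unknown" entries are the hosts whose stacks you cannot account for and should look at first.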



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 21:00:40 PDT