RE: Xprobe 0.0.2 Released

From: Fernando Cardoso (fernando.cardosoat_private)
Date: Thu Oct 25 2001 - 06:44:35 PDT

Next message: Steve Culligan: "ICMP unreachable question"

Previous message: Ofir Arkin: "Xprobe 0.0.2 Released"
In reply to: Ofir Arkin: "Xprobe 0.0.2 Released"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi

Just did a little hack on logic_tree.c in order to identify IBM OS/400.

Without this, xprobe would identify OS/400 boxes as "Novell (FreeBSD
4.3-current(?)". Main differences between Novell and OS/400:

- TTL is 128 for Novell and 64 for OS/400
- OS/400, as opposite to Novell, replies to ICMP Timestamp queries
- Every reply from OS/400 (echo or tstamp) is marked with TOS=32

I used the latter approach, since TTL can be deceptive with boxes many hops
away and Timestamp would require a new packet to be issued.

Use at your own risk :)

[root@brutus xprobe-0.0.2]# diff logic_tree.c
../xprobe-0.0.2patched/logic_tree.c
226a227,233
>                               if (icmpecho_res->ip->ip_tos == 0x20) {
>                                  tree_message("TOS 32");
>                                    fin_message("IBM OS/400");
>                                    free_res(&icmpecho_res);
>                                    free_res(&udp_res);
>                                    return 38;
>                               } else {
230a238
>                                 }

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardosoat_private     http://www.whatevernet.com/



_____________________________________________________________________
                      INTERNET MAIL FOOTER 
A presente mensagem pode conter informação considerada confidencial.
Se o receptor desta mensagem não for o destinatário indicado, fica
expressamente proibido de copiar ou endereçar a mensagem a terceiros.
Em tal situação, o receptor deverá destruir a presente mensagem e por
gentileza informar o emissor de tal facto.
---------------------------------------------------------------------
Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.
---------------------------------------------------------------------


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Steve Culligan: "ICMP unreachable question"
Previous message: Ofir Arkin: "Xprobe 0.0.2 Released"
In reply to: Ofir Arkin: "Xprobe 0.0.2 Released"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Oct 25 2001 - 08:08:53 PDT