Re: xprobe 0.2

From: Ryan Permeh (ryanat_private)
Date: Sun Oct 28 2001 - 10:30:58 PST

    The codebases are exactly the same (or should be).  Kernels between
    workstation and server should be the same.  The main difference is in
    tuning, a few registry checks, and sometimes more software is installed.  If
    you can use these techniques to ID the different systems, you may have a
    chance.  Try looking at things like # of SYNs before dropping, perhaps
    distribution of ISNs, or something along those lines.
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
    
    ----- Original Message -----
    From: "nobody" <pentesterat_private>
    To: <pen-testat_private>
    Sent: Friday, October 26, 2001 6:25 AM
    Subject: xprobe 0.2
    
    
    > All,
    >
    > the new xprobe 0.2 works well - as far as it goes.
    > But - does anyone know if there is sufficient
    > difference between the tcp/ip signature of an NT
    > WORKSTATION and an NT SERVER OS?
    >
    > Problem:
    >
    > I need to (without making a windows connection via SMB
    > using pgms like gettype, winmsd, winfingerprint
    > etc..)
    > determine which Windows machines are running NTSERVER
    > OS.
    >
    > Does anyone know or think the tcp/udp packet
    > response from the NT SERVER will be different enough
    > from the NT WORKSTATION - so that I can tell them
    > apart?  Again - I cannot use the normal windows
    > connections to do this (no port 139 connections).
    >
    > If there are any differences in the packet response -
    > then I could add an NT SERVER (does not matter if it
    > is NT or W2K) to the signature file for xprobe 0.3?
    >
    > any help?
    >
    > thanks
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Mon Oct 29 2001 - 10:21:29 PST