RE: xprobe 0.2

From: Ofir Arkin (ofir@sys-security.com)
Date: Tue Oct 30 2001 - 03:28:40 PST


    From the ICMP protocol point of view the TCP/IP implementation of both
    Windows NT 4 Server and Workstation is exactly the same.
    
    However, what you CAN DO is differentiate between different Service
    Packs.
    
    Ofir Arkin [ofir@sys-security.com]
    Founder
    The Sys-Security Group
    http://www.sys-security.com
    PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
    
    -----Original Message-----
    From: Ryan Permeh [mailto:ryanat_private] 
    Sent: Sunday, 28 October 2001 20:31
    To: nobody; pen-testat_private
    Subject: Re: xprobe 0.2
    
    the codebases are exactly the same (or should be).  kernels between
    workstation and server should be the same.  The main difference is in
    tuning, a few registry checks, and sometimes more software is installed.
    If you can use these techniques to id the different systems, you may have
    a chance.  try looking at things like # of syns before dropping, perhaps
    distribution of ISN's, or something along those lines.
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
    
    ----- Original Message -----
    From: "nobody" <pentesterat_private>
    To: <pen-testat_private>
    Sent: Friday, October 26, 2001 6:25 AM
    Subject: xprobe 0.2
    
    
    > All,
    >
    > the new xprobe 0.2 works well - as far as it goes.
    > But - does anyone know if there is sufficient
    > difference between the tcp/ip signature of an NT
    > WORKSTATION and an NT SERVER OS.
    >
    > Problem:
    >
    > I need to (without making a windows connection via SMB
    > using pgms like gettype, winmsd, winfingerprint
    > etc.)
    > determine which Windows machines are running NTSERVER
    > OS.
    >
    > Does anyone know or think that the tcp/udp packet
    > response from the NT SERVER will be different enough
    > from the NT WORKSTATION - so that I can tell them
    > apart.  again - i cannot use the normal windows
    > connections to do this (no port 139 connections).
    >
    > If there are any differences in the packet response -
    > then I could add an NT SERVER (does not matter if it
    > is NT or W2K) to the signature file for xprobe 0.3 ??
    >
    > any help ?
    >
    > thanks
    >
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    >
    >
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 30 2001 - 09:39:50 PST