Bugtraq mailing list archives

Re: Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation


From: GomoR <bt () gomor org>
Date: Sat, 7 Apr 2007 17:44:03 +0200

On Tue, Apr 03, 2007 at 02:23:21PM -0700, Jim Hoagland wrote:
[..]
[2] http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf ( http://preview.tinyurl.com/2qrglc )

Hello Jim,

You have a section on stack fingerprinting in your report.
I find it rather odd to not see the use of SinFP [1] (my tool,
shameless plug).

It is able to identify Vista since BETA2, with or without the
firewall activated (there needs to be one open TCP port,
though). Furthermore, you would have been able to analyze
the IPv6 stack as well.

Currently your stack analysis is based on nmap, and is made
harder than if you had used SinFP. I will show different
signatures obtained with SinFP:


For IPv4 stacks:

Windows XP (SP2, but no difference between SPs):
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0

Windows Vista (BETA2):
P1: B11113 F0x12 W8192 O0204ffff M1460
P2: B11113 F0x12 W8192 O0204ffff030308010402080affffffff44454144 M1460
P3: B11121 F0x04 W0 O0 M0

Windows Vista (RC1 && final):
P1: B11113 F0x12 W8192 O0204ffff M1460
P2: B11113 F0x12 W8192 O0204ffff010303080402080affffffff44454144 M1460
P3: B11121 F0x04 W0 O0 M0

For IPv6 stacks:

Windows XP (SP2):
P1: B10013 F0x12 W17080 O0204ffff M1440
P2: B10013 F0x12 W17280 O0204ffff M1440
P3: B10020 F0x04 W0 O0 M0

Windows Vista (BETA2):
P1: B10013 F0x12 W8192 O0204ffff M1440
P2: B10013 F0x12 W8192 O0204ffff030308010402080affffffff44454144 M1440
P3: B10021 F0x04 W0 O0 M0

Windows Vista (RC1 && final):
P1: B10013 F0x12 W8192 O0204ffff M1440
P2: B10013 F0x12 W8192 O0204ffff010303080402080affffffff44454144 M1440
P3: B10021 F0x04 W0 O0 M0

So, I think it is easier to compare TCP/IP stacks with signatures 
like that, but it is only my viewpoint ;)


[1] http://www.gomor.org/sinfp

-- 
  ^  ___  ___             http://www.GomoR.org/          <-+
  | / __ |__/          Systems & Security Engineer         |
  | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
  +-->  Net::Frame <=> http://search.cpan.org/~gomor/  <---+
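An added example, not code from the original post and not part of SinFP: a small Python parser that reads the signature lines quoted in the message, decodes the raw TCP options hex into named options, and reports which probe and which field differ between two stacks (for instance, Vista BETA2 and RC1 differ only in where the NOP sits in the P2 options). The F/W/O/M field meanings (TCP flags, window, raw options, MSS) follow the layout visible in the post; the B field is treated as an opaque string because its per-digit encoding belongs to SinFP and is not decoded here. The OS names and the dictionary layout are this example's own.

```python
"""Parse and compare SinFP-style TCP/IP stack signatures (added example)."""
import re
from dataclasses import dataclass

# IPv4 signatures copied from the post, keyed by a label chosen here.
KNOWN = {
    "Windows XP SP2": [
        "B11113 F0x12 W65535 O0204ffff M1460",
        "B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460",
        "B11021 F0x04 W0 O0 M0",
    ],
    "Windows Vista BETA2": [
        "B11113 F0x12 W8192 O0204ffff M1460",
        "B11113 F0x12 W8192 O0204ffff030308010402080affffffff44454144 M1460",
        "B11121 F0x04 W0 O0 M0",
    ],
    "Windows Vista RC1/final": [
        "B11113 F0x12 W8192 O0204ffff M1460",
        "B11113 F0x12 W8192 O0204ffff010303080402080affffffff44454144 M1460",
        "B11121 F0x04 W0 O0 M0",
    ],
}

SIG_RE = re.compile(r"^B(\S+) F0x([0-9a-fA-F]+) W(\d+) O([0-9a-fA-F]+) M(\d+)$")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


@dataclass(frozen=True)
class Sig:
    b: str        # SinFP header-characteristics field, kept opaque here
    flags: int    # TCP flags byte
    window: int   # TCP window advertised in the reply
    options: str  # raw TCP options, hex, exactly as SinFP prints them
    mss: int      # MSS reported separately by SinFP


def parse_sig(line):
    """Turn one 'B.. F0x.. W.. O.. M..' line into a Sig."""
    m = SIG_RE.match(line.strip())
    if not m:
        raise ValueError("not a SinFP signature line: %r" % line)
    b, f, w, o, mss = m.groups()
    return Sig(b, int(f, 16), int(w), o.lower(), int(mss))


def flag_names(flags):
    """0x12 -> ['SYN', 'ACK'], 0x04 -> ['RST']."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if flags & bit]


def decode_options(hexstr):
    """Walk the options as kind/length/value TLVs; 'O0' means no options."""
    if hexstr == "0":
        return []
    data = bytes.fromhex(hexstr)
    out, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:            # End of option list
            out.append("EOL")
            break
        if kind == 1:            # NOP has no length byte
            out.append("NOP")
            i += 1
            continue
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed TCP option at offset %d" % i)
        val = data[i + 2:i + length]
        if kind == 2:
            # The post's signatures carry ffff here; the real MSS is in the M field.
            out.append("MSS=masked" if val == b"\xff\xff" else "MSS=%d" % int.from_bytes(val, "big"))
        elif kind == 3:
            out.append("WScale=%d" % val[0])
        elif kind == 4:
            out.append("SACKok")
        elif kind == 8:
            # Timestamp: TSval then TSecr; TSecr echoes what the probe sent
            # (0x44454144 in the post's Vista lines is ASCII "DEAD").
            out.append("TS(echo=%s)" % val[4:8].hex())
        else:
            out.append("kind%d" % kind)
        i += length
    return out


def diff_sigs(lines_a, lines_b):
    """List (probe, field) pairs where two three-probe signature sets differ."""
    diffs = []
    for n, (x, y) in enumerate(zip(map(parse_sig, lines_a), map(parse_sig, lines_b)), start=1):
        for field in ("b", "flags", "window", "options", "mss"):
            if getattr(x, field) != getattr(y, field):
                diffs.append(("P%d" % n, field))
    return diffs


def classify(observed_lines):
    """Names in KNOWN whose three probes match the observed lines exactly."""
    obs = [parse_sig(l) for l in observed_lines]
    return [name for name, lines in KNOWN.items() if [parse_sig(l) for l in lines] == obs]


if __name__ == "__main__":
    for name, lines in KNOWN.items():
        print(name, [decode_options(parse_sig(l).options) for l in lines])
    print("BETA2 vs RC1:", diff_sigs(KNOWN["Windows Vista BETA2"], KNOWN["Windows Vista RC1/final"]))
```

Running it shows that the XP and Vista stacks differ in window size, option ordering and the P3 B field, while the IPv6 lines in the post differ from their IPv4 counterparts mainly in the MSS (1440 versus 1460, the 20 extra header bytes of IPv6), which is the kind of field-level comparison the message argues for.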

