Security Incidents mailing list archives

Re: An Embryonic Counterintelligence Tool


From: core.lists.incidents () CORE-SDI COM (Iván Arce)
Date: Tue, 18 Jan 2000 13:07:45 -0300


"Stephen P. Berry" wrote:


Several months ago, I asked if anyone knew of any tools (or projects
to produce tools) that present an arbitrarily-chosen TCP fingerprint
to a scanner.  I had been fiddling around with such a thing, and
was curious if there were any similar widgets already in
a `finished product' state.


CyberCop Sting (from NAI), of which I and some other guys from CORE were
developers, does exactly that. It emulates the stacks of Cisco IOS,
Solaris 2.x, MS NT4 and a generic 4.4BSD. It successfully fools queso, nmap
and all other OS fingerprint tools that were known at development time
(early last year). Actually it goes a lot further than the ~7 OS fingerprint
checks from nmap, as it implements 200+ differences spotted between the stacks
mentioned.

I do not know if it's a commercially available product or free, or even if it's been
distributed; last time I checked it was available for download on their ftp
site. It runs on NT.

I also don't think it's anything more than a toy or a very naive honeypot, but that's
probably because I lack commercial vision  :)

-ivan

--
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house.
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com


