Penetration Testing mailing list archives

Re: RE: RE: PIX and ttl

From: Eugene Tsyrklevich <eugene () securityarchitects com>
Date: Tue, 29 May 2001 17:11:25 -0700

On Mon, May 28, 2001 at 08:28:59PM +0100, Fernando Cardoso wrote:

[...]

The work around is break in and NMAP from the internal network ;)


       Another option is to do some research on the possibility of
doing fingerprinting on the other TCP states (ESTABILISHED, FIN_WAIT,
...).
       A method I use to discover windows machines behind a statefull
aware firewall with syndefender is to create ESTABILISHED connections
and analyze the ip.id increments. This analysis can be expanded to 
otherfields of the packets and other states by doing some research.


That's my approach too. DF field and window sizes (if stuff like 
Packeteer are not used) can be also used. If pinging is enabled Ofir 
Arkin's papers would be valuable too.

       Perhaps a fingerprinting system that uses traces from a 
tcpdumpsession? anyone?


That would be a nice tool. I wonder if siphon already does part of the 
job? I don't the code right now to check...



siphon uses libpcap and has an option for feeding in your tcpdump -w sessions

Current thread:

Re: PIX and ttl, (continued)
- - - Re: PIX and ttl Konstantin Rozinov (May 27)
  - RE: PIX and ttl Jacek Lipkowski (May 25)
    - RE: PIX and ttl Jason Lewis (May 26)
- Re: PIX and ttl Fabio Pietrosanti (naif) (May 25)
  - RE: PIX and ttl Fernando Cardoso (May 25)
    - Re: PIX and ttl Nelson Brito (May 26)
- Re: RE: PIX and ttl Fernando Cardoso (May 28)
  - RE: RE: PIX and ttl Filipe Almeida (May 28)
    - RE: RE: PIX and ttl Dario Ciccarone (May 28)
- Re: RE: RE: PIX and ttl Fernando Cardoso (May 28)
  - Re: RE: RE: PIX and ttl Eugene Tsyrklevich (May 29)
- Re: RE: RE: PIX and ttl Fernando Cardoso (May 28)