Penetration Testing mailing list archives
Re: RE: RE: PIX and ttl
From: Eugene Tsyrklevich <eugene () securityarchitects com>
Date: Tue, 29 May 2001 17:11:25 -0700
On Mon, May 28, 2001 at 08:28:59PM +0100, Fernando Cardoso wrote:
> [...] The work around is break in and NMAP from the internal network ;)
>
> Another option is to do some research on the possibility of doing fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT, ...). A method I use to discover Windows machines behind a stateful aware firewall with SynDefender is to create ESTABLISHED connections and analyze the ip.id increments. This analysis can be expanded to other fields of the packets and other states by doing some research.
>
> That's my approach too. DF field and window sizes (if stuff like Packeteer is not used) can also be used. If pinging is enabled, Ofir Arkin's papers would be valuable too.
>
> Perhaps a fingerprinting system that uses traces from a tcpdump session? Anyone?
>
> That would be a nice tool. I wonder if siphon already does part of the job? I don't have the code right now to check...
siphon uses libpcap and has an option for feeding in your tcpdump -w sessions
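As an added illustration of what a trace-driven tool like the one discussed above does (this is example code written here, not siphon's code or anything posted in the thread), the script below reads a libpcap file of the kind `tcpdump -w` produces, decodes Ethernet/IPv4/TCP frames with nothing but `struct`, and reports per source host the IP ID deltas between consecutive packets, the TTL values, whether DF was set, and the TCP window sizes seen. The sample capture is constructed in-memory; the host addresses, TTLs and window values are made-up assumptions, and the delta classes are the ones commonly cited (a constant +1 step, a constant +256 step as seen on the wire from stacks that increment the ID in little-endian order, or no fixed step). A defender can run the same analysis on a capture taken outside the firewall to check whether a normalizer or stateful device actually hides these fields for ESTABLISHED connections, since the thread's point is that SYN-scan defences alone do not.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic (microsecond timestamps)


def build_ipv4_tcp_frame(src, dst, ip_id, ttl, df, window, sport=1234, dport=80):
    """Constructed sample data: Ethernet + IPv4 + TCP frame (ACK, no payload)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    flags_frag = 0x4000 if df else 0                        # DF bit lives in the flags/fragment word
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id,
                     flags_frag, ttl, 6, 0, src_b, dst_b)  # checksum left 0 in sample data
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic little-endian libpcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return header + body


def decode_frame(frame):
    """Return the fingerprint-relevant fields of one Ethernet/IPv4/TCP frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    vihl, _tos, _tlen, ip_id, flags_frag, ttl, proto = struct.unpack_from("!BBHHHBB", frame, 14)
    if proto != 6:
        return None
    ihl = (vihl & 0x0F) * 4
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 20:
        return None
    _sp, _dp, _seq, _ack, _off, tcp_flags, window = struct.unpack_from("!HHIIBBH", frame, tcp_off)
    return {"src": ".".join(str(b) for b in frame[26:30]), "ip_id": ip_id,
            "df": bool(flags_frag & 0x4000), "ttl": ttl, "window": window, "flags": tcp_flags}


def parse_pcap(data):
    """Walk a libpcap byte string (either byte order) and decode every TCP/IPv4 record."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type handled")
    off, records = 24, []
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        rec = decode_frame(data[off:off + incl_len])
        off += incl_len
        if rec:
            records.append(rec)
    return records


def classify(deltas):
    """Name the IP ID step pattern; deltas are already reduced modulo 2^16."""
    if len(deltas) < 2:
        return "insufficient"
    if all(d == 0 for d in deltas):
        return "zero"
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 256 for d in deltas):
        return "incremental-byteswapped"  # ID incremented in host (little-endian) order
    return "random"


def summarize(records):
    """Group decoded packets by source and summarize the fields a passive fingerprinter uses."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    out = {}
    for src, recs in by_src.items():
        ids = [r["ip_id"] for r in recs]
        deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]  # wrap-safe
        out[src] = {"packets": len(recs), "ip_id_deltas": deltas,
                    "ip_id_pattern": classify(deltas),
                    "ttl": sorted({r["ttl"] for r in recs}),
                    "df": all(r["df"] for r in recs),
                    "windows": sorted({r["window"] for r in recs})}
    return out


# Constructed capture: three hypothetical hosts with different IP ID behaviour.
SAMPLE_PCAP = build_pcap(
    [build_ipv4_tcp_frame("10.0.0.1", "192.0.2.9", i, 128, True, 8192) for i in (0x1000, 0x1100, 0x1200, 0x1300)]
    + [build_ipv4_tcp_frame("10.0.0.2", "192.0.2.9", i, 64, True, 5840) for i in (100, 101, 102, 103)]
    + [build_ipv4_tcp_frame("10.0.0.3", "192.0.2.9", i, 255, False, 16384) for i in (5000, 17, 40000, 12345)]
)

if __name__ == "__main__":
    for src, info in summarize(parse_pcap(SAMPLE_PCAP)).items():
        print(src, info)
```

To use it on a real file, replace `SAMPLE_PCAP` with `open("trace.pcap", "rb").read()`; the classifier only reads packet headers, so it works on captures of ESTABLISHED sessions just as well as on the handshake, which is exactly why header normalization rather than SYN filtering is what hides these fields.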