Penetration Testing mailing list archives
Re: Banner Grabbing
From: "Eric Kollmann" <xnih13 () gmail com>
Date: Thu, 28 Dec 2006 23:10:02 -0700
The problem with both Ettercap and p0f is they just do passive TCP fingerprinting. I did a paper on this about 12-18 months ago. The first 11 pages out of about 50 are on active fingerprinting. The next 35-40 are on passive fingerprinting. You can find it at: http://packetstormsecurity.org/papers/general/OSFingerPrint.pdf

There are multiple tweaks you can do, but it all depends on what you are attempting to fingerprint. Are we talking a web, ftp, telnet, print server? Are we talking the OS in general or a service? Based on "banner grabbing" I would assume most of what has been mentioned would work. The gist of it would be to telnet into a port and grab the banner that is sent in response.
From a passive side, if they are doing http traffic you can grab the info that their web browser sends out and utilize it to fingerprint the OS. Or use the info sent in response to their packets to fingerprint the remote site.

Besides tweaking a banner on a ftp/telnet/smtp/web server there isn't a lot you can do to keep it from happening. Tweaking the banner alone won't fix your overall problem either. As mentioned before, most attacks don't even bother checking to see if you are Windows, Linux, Mac, or a Commodore 64 for that matter. They just fire, forget, and move on.

Anyway, since tweaking the banner alone won't fix the issue, you may want to look at tweaking the underlying OS-specific settings so that it may throw off many utilities that rely on a specific TCP setting such as ID, TTL, etc., but that may only fool it on the underlying OS, not the actual service in question. There are fuzzer utils out there, but then again, if most scripts that are going to hit you don't care and just fire off anyway, does it matter? Now for a specific targeted attack this may help, but not sure how much in the long run.

Eric

On 12/28/06, Vikas Singhal <vikas.programmer () gmail com> wrote:
> You can do banner grabbing or OS fingerprinting (according to the discussion going on here) in two ways: active and passive. Active OS fingerprinting is risky but more reliable than passive, and vice versa. You can have a look at irongeek's passive OS fingerprinting video. It's pretty good. http://www.irongeek.com/i.php?page=videos/passive-os-fingerprinting
>
> - Vikas Singhal
> .:[ Keep Learning ]:.
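The "telnet into a port and grab the banner" technique Eric describes, written out as an added example (not code from the original thread or from Eric's paper). It connects, optionally sends a protocol probe (services like HTTP say nothing until asked, while FTP, SMTP and SSH speak first), reads what comes back with a timeout, and pulls the product string out of the banner. The banners and the local stand-in services are constructed here so it runs offline; the port-to-probe mapping and the classification rules are this example's own assumptions, not a standard.

```python
"""Active banner grab against local stand-in services (added example)."""
import re
import socket
import threading

# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "ftp":  b"220 ftp.example.test FTP server (Version 6.00LS) ready.\r\n",
    "smtp": b"220 mail.example.test ESMTP Postfix\r\n",
    "ssh":  b"SSH-2.0-OpenSSH_4.3\r\n",
    "http": (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (Unix)\r\n"
             b"Content-Length: 0\r\nConnection: close\r\n\r\n"),
}

# Assumed probes: HTTP must be asked before it reveals a Server header;
# FTP, SMTP and SSH send a greeting on their own, so no probe is needed.
PROBES = {
    "http": b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n",
}


def grab_banner(host, port, probe=None, timeout=2.0, limit=4096):
    """Connect, optionally send a probe, and return the first bytes the service sends."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while len(buf) < limit:
                chunk = s.recv(limit - len(buf))
                if not chunk:          # peer closed: banner is complete
                    break
                buf += chunk
        except socket.timeout:
            pass                       # service went quiet; keep what we have
    return buf.decode("latin-1", errors="replace")


def classify_banner(text):
    """Return (service, product_string) guessed from the banner text alone."""
    first = text.split("\n", 1)[0].strip()
    if first.startswith("SSH-"):
        # SSH-<protoversion>-<softwareversion>; the third field is the product.
        return ("ssh", first.split("-", 2)[2] if first.count("-") >= 2 else first)
    if re.match(r"^220[ -]", first):
        # Both FTP and SMTP greet with 220; SMTP banners name the protocol.
        service = "smtp" if re.search(r"\bE?SMTP\b", first) else "ftp"
        return (service, first[4:].strip())
    if first.startswith("HTTP/"):
        m = re.search(r"^Server:\s*(.+?)\r?$", text, re.M | re.I)
        return ("http", m.group(1).strip() if m else "")
    return ("unknown", first)


def serve_banner(banner, wait_for_probe=False):
    """Start a one-shot stand-in service on 127.0.0.1 and return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_probe:         # HTTP-style: answer only after a request
                conn.settimeout(2.0)
                try:
                    conn.recv(1024)
                except socket.timeout:
                    pass
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def grab_all():
    """Grab and classify every sample service; returns {name: (service, product)}."""
    results = {}
    for name, banner in SAMPLE_BANNERS.items():
        port = serve_banner(banner, wait_for_probe=name in PROBES)
        raw = grab_banner("127.0.0.1", port, probe=PROBES.get(name))
        results[name] = classify_banner(raw)
    return results


if __name__ == "__main__":
    for name, (service, product) in grab_all().items():
        print(f"{name:5s} -> {service:5s} {product}")
```

Against a real target you would pick the probe from the port number (80/8080 get the HEAD request, 21/25/22 none) and keep the timeout short, since a service that never speaks first and gets no probe will simply sit there until the timer fires; the classification is only as good as the banner, which, as the post notes, an administrator can rewrite at will.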
Current thread:
- Re: PCI Compliance (Vulnerability Scans), (continued)
- Re: PCI Compliance (Vulnerability Scans) David M. Zendzian (Dec 19)
- Re: PCI Compliance (Vulnerability Scans) bf (Dec 21)
- Re: PCI Compliance (Vulnerability Scans) David M. Zendzian (Dec 21)
- Banner Grabbing Michael J Condon (Dec 21)
- Re: Banner Grabbing Jamie Riden (Dec 21)
- Re: Banner Grabbing Jamie Riden (Dec 21)
- Re: Banner Grabbing Dan Catalin Vasile (Dec 22)
- Re: Banner Grabbing sami ghourabi (Dec 22)
- Re: Banner Grabbing sami ghourabi (Dec 26)
- Re: Banner Grabbing Vikas Singhal (Dec 28)
- Re: Banner Grabbing Eric Kollmann (Dec 29)