Penetration Testing: Re: RE: RE: PIX and ttl

[Eugene Tsyrklevich <eugene () securityarchitects com>]

On Mon, May 28, 2001 at 08:28:59PM +0100, Fernando Cardoso wrote:
> [...]
> > > The work around is break in and NMAP from the internal network ;)
> >        Another option is to do some research on the possibility of
> > doing fingerprinting on the other TCP states (ESTABILISHED, FIN_WAIT,
> > ...).
> >        A method I use to discover windows machines behind a statefull
> > aware firewall with syndefender is to create ESTABILISHED connections
> > and analyze the ip.id increments. This analysis can be expanded to 
> > otherfields of the packets and other states by doing some research.
> That's my approach too. DF field and window sizes (if stuff like 
> Packeteer are not used) can be also used. If pinging is enabled Ofir 
> Arkin's papers would be valuable too.
>
> >        Perhaps a fingerprinting system that uses traces from a 
> > tcpdumpsession? anyone?
> That would be a nice tool. I wonder if siphon already does part of the 
> job? I don't the code right now to check...

siphon uses libpcap and has an option for feeding in your tcpdump -w sessions