Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Patch management tool
From: James Riden <j.riden () massey ac nz>
Date: Fri, 10 Sep 2004 12:59:25 +1200

"Todd Towles" <toddtowles () brookshires com> writes:

Patrick is right, Red Hat will patch services but doesn't change the
default version number in their banners. That way, you don't really know
what level a service is, if you are trying to attack it.

I did a "rpm -q OpenSSH" and it came back with a older version. Maybe it
was patched and I couldn't tell..it is possible. But I know for sure I

I can't remember the term for this process (patching without changing
the presented version) but I do know that RH does it.

% rpm -q kernel

2.4.22 is the kernel version that was used as the base
1.2188 is a number that presumably means something to someone at Red Hat.

Redhat tend to backport security fixes into their current version -
this is done for stability reasons. When they do this, they rev the
number after the last '-', e.g. as in openssh-3.6.1p2-19.

This is a cool trick but in my mind it doesn't protect you very

It does protect you - the fix is there, but it does mean you get
e.g. nessus reporting openssh as vulnerable when it's not. 

James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.

Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]