Penetration Testing mailing list archives

RE: RE: PIX and ttl


From: Dario Ciccarone <dciccaro () employees org>
Date: Mon, 28 May 2001 18:52:19 -0300


       Another option is to do some research on the possibility of
doing fingerprinting on the other TCP states (ESTABLISHED, FIN_WAIT,
...).
       A method I use to discover Windows machines behind a stateful
aware firewall with SYNDefender is to create ESTABLISHED connections
and analyze the ip.id increments. This analysis can be expanded to other
fields of the packets and other states by doing some research.
       Perhaps a fingerprinting system that uses traces from a tcpdump
session? Anyone?

siphon is a passive fingerprint system that works by analyzing the information in a SYN TCP segment - same idea used in 
p0f. for both to work the "target" computer has to start a session towards a machine under your control, while you have 
siph0n/p0f running on it . . . and one of them (at least) can read & analyze tcpdump files.

AFAIK nobody has done the same kind of analysis on non-SYN flags . . . . but if the firewall in question also 
randomizes/changes the SEQ number (as the PIX does) and/or IP ID fields, what you're going to learn is what kind of 
firewall is in use, not what hosts are behind it . . . 

                                                                                                                D



--
Filipe Almeida filipe () rnl ist utl pt
Aka LiquidK
Administração da Rede das Novas Licenciaturas
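The two techniques this exchange discusses, passive fingerprinting of the fields in a SYN segment (siphon/p0f) and watching ip.id increments across connections, as an added example in Python. This is not code from the thread, from siphon or from p0f. The SYN segments are constructed in memory (no capture, nothing sent), the header values and the small signature table are illustrative placeholders rather than real OS signatures, and the `classify_ip_ids` threshold is an assumption. The useful check for an administrator is the last function: IP IDs from hosts behind a firewall that rewrites them (as the reply says the PIX does for sequence numbers) should come back as "random", so the per-host counter leak the quoted message relies on is not visible from outside.

```python
"""Passive SYN fingerprinting and IP ID increment analysis (added example)."""
import struct

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}


def build_syn(ttl, ip_id, df, window, mss=None, wscale=None, sack=False, seq=1000):
    """Construct a minimal IPv4 + TCP SYN segment (constructed test input, not a capture).
    Checksums are left at zero; the parser below does not verify them."""
    opts = b""
    if mss is not None:
        opts += struct.pack("!BBH", 2, 4, mss)      # kind 2: maximum segment size
    if sack:
        opts += bytes([4, 2])                        # kind 4: SACK permitted
    if wscale is not None:
        opts += struct.pack("!BBB", 3, 3, wscale)    # kind 3: window scale
    while len(opts) % 4:
        opts += b"\x01"                              # kind 1: NOP padding to 32-bit boundary
    doff = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (doff << 12) | 0x02, window, 0, 0) + opts
    flags_frag = 0x4000 if df else 0                 # DF bit lives in the IP flags field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


def parse_syn(pkt):
    """Extract the fields a passive fingerprinter keys on from one SYN segment."""
    ver_ihl, _tos, _tlen, ip_id, frag, ttl, proto, _csum, _src, _dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    tcp = pkt[(ver_ihl & 0x0F) * 4:]
    _sp, _dp, _seq, _ack, off_flags, window, _tcs, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    if off_flags & 0x1FF != 0x02:
        raise ValueError("not a bare SYN")
    raw = tcp[20:(off_flags >> 12) * 4]
    fields = {"ttl": ttl, "ip_id": ip_id, "df": bool(frag & 0x4000), "window": window,
              "mss": None, "wscale": None, "sack": False, "opts": []}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                # EOL ends the option list
            break
        fields["opts"].append(OPTION_NAMES.get(kind, str(kind)))
        if kind == 1:                                # NOP has no length byte
            i += 1
            continue
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option")
        body = raw[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            fields["mss"] = struct.unpack("!H", body)[0]
        elif kind == 3 and len(body) == 1:
            fields["wscale"] = body[0]
        elif kind == 4:
            fields["sack"] = True
        i += length
    return fields


def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for guess in (32, 64, 128, 255):
        if ttl <= guess:
            return guess
    return 255


def signature(fields):
    """p0f-style summary: initial TTL : window : DF : MSS : option layout."""
    return "{}:{}:{}:{}:{}".format(initial_ttl(fields["ttl"]), fields["window"],
                                   "DF" if fields["df"] else "ND", fields["mss"], ",".join(fields["opts"]))


# Illustrative table constructed for this example; not siphon's or p0f's signature database.
KNOWN = {
    "64:5840:DF:1460:MSS,SACK,WS,NOP,NOP,NOP": "stack A (illustrative)",
    "128:16384:DF:1460:MSS": "stack B (illustrative)",
}


def fingerprint(pkt):
    """Return (signature, label) for one SYN; label is 'unknown' when not in KNOWN."""
    sig = signature(parse_syn(pkt))
    return sig, KNOWN.get(sig, "unknown")


def classify_ip_ids(ids, max_step=16):
    """Classify IP IDs seen from one source across successive segments.
    Small positive steps (threshold max_step is an assumption) indicate a per-host global
    counter; anything else looks randomized or rewritten by a middlebox."""
    if len(ids) < 3:
        return "insufficient"
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # modulo handles 16-bit wrap
    if all(s == 0 for s in steps):
        return "constant"
    if all(0 < s <= max_step for s in steps):
        return "incremental"
    return "random"
```

Run against real traffic you would feed `parse_syn` the raw bytes of each SYN from a capture; the constructed `build_syn` segments only exist so the block runs offline.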

