I guess I find this whole discussion fascinating, yet still in its
infancy regarding OS or system fingerprinting, since it appears
that no one is attempting to do system identification at the MAC level.
Most devices (i.e. a SunBox, a router, an NT box) have a MAC address
which is usually bound to their network interface, and one also has the
ability to read the MAC assigned to the particular machine or operating
system, as most of it is passed in the packet.
Some of the early anomalous system identification scripts that have been
cobbled together and passed around the Internet actually do this, and also
build a database if they detect a new system they do not know about. I
have no idea where those people went.
The real opportunity here is to develop a HoneyPot that has the ability
to emulate any operating system, regardless of the particular operating
system and box it is installed on. ManTrap from Recourse Technologies is
an early adopter, but they are still relying on the underlying operating
system, which kind of defeats the purpose of a HoneyPot; they will
address that issue soon.
OK, anybody out there want to form a company and beat CounterPane Systems and
Recourse Technologies to the punch???
/mark
"Paul D. Robertson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/04/00 06:44 AM
To: "Stephen P. Berry" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: OS response to probes
On Sat, 3 Jun 2000, Stephen P. Berry wrote:
> What I'm mildly surprised about is that the prevalence of IP fingerprinting
> tools of nmap and queso hasn't resulted in more code for actively thwarting
> such scans. By their very nature the heuristics for such scans tend to
> be fairly brittle and susceptible to spoofing.
I suspect that thwarting such scans isn't that high on many people's radar
because if you've actively secured a site, OS information isn't generally
exploitable. I am surprised that the Open Source community hasn't
produced patches to emulate different behaviour, though.
I also think that those who are most likely to be harmed by
fingerprinting are those least likely to deploy anything that thwarts it.
Certainly one of the packet filtering firewall vendors should see this as
a marketing opportunity if nobody starts hacking on IPFilter first (if I
get time to do this it'll be a miracle.)
> In addition to `active' fingerprinting (as done by nmap and queso),
> remote OS identification can be accomplished by what Lance Spitzner
> calls `passive' fingerprinting. See:
>
> http://www.enteract.com/~lspitz/finger.html
This is significantly easier to thwart given the information in the paper
and the first-cut tools (IOW at this stage in its life.)
> http://www.meshuggeneh.net/shoki/
>
> ...and has widgetry that does both passive fingerprinting and nmap fingerprint
> foiling.
Interesting toolset! Thanks for providing it.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]       which may have no basis whatsoever in fact."
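The passive fingerprinting Paul and Stephen discuss, as an added example (not code from this thread, from Spitzner's paper, or from the shoki toolset): it classifies a packet by the four header traits Spitzner's passive method uses (TTL, TCP window size, DF bit, TOS) against a constructed, non-authoritative signature table, and shows why the heuristic is brittle: a firewall that rewrites the outbound TTL to a uniform value leaves the classifier with nothing to match. The signature values, addresses and packets are all constructed for the demo.

```python
import struct

# Constructed signature table: (initial TTL, TCP window, DF set, TOS) -> label.
# Sample values only; a real table is built from traffic you have observed.
SIGNATURES = {
    (64, 32120, True, 0): "linux-2.2-like (sample signature)",
    (128, 8760, True, 0): "windows-nt-like (sample signature)",
    (255, 8760, True, 0): "solaris-like (sample signature)",
}
INITIAL_TTLS = (32, 64, 128, 255)  # common initial TTL values

def parse_ip_tcp(packet: bytes) -> dict:
    """Pull the four passive-fingerprint fields out of an IPv4+TCP header."""
    ver_ihl, tos, _tot, _id, frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes
    df = bool(frag & 0x4000)              # Don't Fragment flag
    # TCP header: sport(2) dport(2) seq(4) ack(4) offset(1) flags(1) window(2)
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return {"ttl": ttl, "tos": tos, "df": df, "window": window}

def guess_initial_ttl(ttl: int) -> int:
    """Observed TTL = initial TTL minus hop count; round up to the next common initial value."""
    return next(t for t in INITIAL_TTLS if t >= ttl)

def fingerprint(packet: bytes) -> str:
    """Match the packet's traits against the table; 'unknown' if nothing fits."""
    f = parse_ip_tcp(packet)
    key = (guess_initial_ttl(f["ttl"]), f["window"], f["df"], f["tos"])
    return SIGNATURES.get(key, "unknown")

def build_packet(ttl: int, window: int, df: bool, tos: int = 0) -> bytes:
    """Constructed minimal IPv4+TCP SYN (checksums left zero; demo input only)."""
    frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, frag, ttl, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x02, window, 0, 0)
    return ip + tcp

def normalize_ttl(packet: bytes, new_ttl: int = 255) -> bytes:
    """What a normalizing firewall can do on egress: rewrite the TTL so every host
    looks alike. (A real implementation also recomputes the IP checksum.)"""
    return packet[:8] + bytes([new_ttl]) + packet[9:]

if __name__ == "__main__":
    pkt = build_packet(ttl=57, window=32120, df=True)     # 64 minus 7 hops
    print(fingerprint(pkt), "->", fingerprint(normalize_ttl(pkt)))
```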
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]