On Sun, 4 Jun 2000 [EMAIL PROTECTED] wrote:
> I guess find this whole discussion fascinating but yet still in its
> infancy regarding OS or system fingerprinting fascinating since it appears
> that no one is attempting to do system identification at the MAC level,
> since most devices (i.e a SunBox, a router, a NT box) have a MAC address
> which is usually bound to its Network interface, but also one has the
> ability to read the MAC assigned to the particular machine or operating
> system most of it is passed in packet.
MAC addresses don't pass routers, so from a remote detection standpoint,
it's not "interesting." Also, these days fewer and fewer NIC vendors are
out there, so looking at the MAC address' vendor component isn't as useful
as it once was. Finally, setting a different vendor code is trivial. If
there are Ethernet layer fingerprinting techniques, I'd find that
interesting, but MAC addresses themselves aren't that interesting.
> Some of the early anomalous system identification script that have been
> cobbled together and passed around the Internet actually do this and also
> build a database if it detects a new system it does not know about. I
> have no idea where those people went.
It's pretty easy to watch for ARP advertisements and requests and build a
table. Most commercial sniffer packages will do this. It's not that
difficult to do even with the output from tcpdump and some perl.
> The real opportunity here is develop a HoneyPot that one has the ability
> to emulate any operating system regardless of the particular operating
> system and box it is installed on. ManTrap from Recourse Technologies is
Why is this a big oppertunity? For the ammount of code necessary, why not
just build tcprelay and udprelay for the target OS, plonk one down that
relays everything to a monitor box, then do detection there? That way you
don't have to play catch-up each time a stack changes.
> OK, Anybody out want to a form a company and beat CounterPane Systems and
> Recourse Technologies to the punch ???
Not a compelling enough business model for me. "We're going to do all
this stack emulation work" is pretty expensive versus someone just running
VMWare with each of about 6 guest OS' taking turns at answering the
packets.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
