Re: Banner Grabbing

From: Eric Kollmann (xnih13@gmail.com)
Date: Fri Dec 29 2006 - 01:10:02 EST


The problem with both Ettercap and p0f is they just do passive TCP
fingerprinting. I did a paper on this about 12-18 months ago. The
first 11 pages out of about 50 are on active fingerprinting. The next
35-40 are on passive fingerprinting.

You can find it at:
http://packetstormsecurity.org/papers/general/OSFingerPrint.pdf

There are multiple tweaks you can do, but it all depends on what you
are attempting to fingerprint. Are we talking a web, ftp, telnet, or
print server? Are we talking the OS in general or a service?

Based on "banner grabbing" I would assume most of what has been
mentioned would work. The gist of it would be to telnet into a port
and grab the banner that is sent in response.

From a passive side if they are doing http traffic you can grab the
info that their web browser sends out and utilize it to fingerprint
the OS. Or use the info sent in response to their packets to
fingerprint the remote site.

Besides tweaking a banner on a ftp/telnet/smtp/web server there isn't
a lot you can do to keep it from happening. Tweaking the banner alone
won't fix your overall problem either. As mentioned before most
attacks don't even bother checking to see if you are windows, linux,
mac, or a Commodore 64 for that matter. They just fire, forget, and
move on.

Anyway, since tweaking the banner alone won't fix the issue you may
want to look at tweaking the underlying OS specific settings so that
it may throw off many utilities that rely on a specific TCP setting
such as ID, TTL, etc, but that may only fool it on the underlying OS,
not the actual service in question. There are fuzzer utils out there,
but then again if most scripts that are going to hit you don't care
and just fire off anyway, does it matter? Now for a specific targeted
attack this may help, but not sure how much in the long run.

Eric

On 12/28/06, Vikas Singhal <vikas.programmer@gmail.com> wrote:
>
> You can do banner grabbing or OS fingerprinting (according to
> discussion going on here) in two ways.
> active and passive.
> Active OS fingerprinting is risky but more reliable than passive and vice versa.
> You can have a look in irongeek's passive OS fingerprinting video. It's
> pretty good.
>
> http://www.irongeek.com/i.php?page=videos/passive-os-fingerprinting
>
>
> - Vikas Singhal
> .:[ Keep Learning ]:.
>
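Two things in Eric's reply lend themselves to a small worked example: the active step ("telnet into a port and grab the banner that is sent in response") and the passive side, where tools infer the OS from TCP settings such as the TTL. The code below is an added illustration written for this archive page; it is not Eric's, Vikas's, or any tool's code. It spins up a throwaway local TCP server that sends a constructed, deliberately version-disclosing banner, grabs that banner the way a scanner would, flags the product/version pairs a defender would want to strip from their own services, and rounds an observed TTL up to a probable initial TTL (the coarse 64/128/255 heuristic p0f-style tools use). The banner text, the regex, and the TTL-to-family table are my assumptions, not values from the thread.

```python
import re
import socket
import threading

# Constructed stand-in banner. A real FTP daemon would volunteer something
# similar on connect; the product and version here are invented for the demo.
FAKE_BANNER = b"220 ProFTPD 1.3.0 Server (Example) [127.0.0.1]\r\n"


def start_banner_server(banner: bytes = FAKE_BANNER) -> int:
    """Start a local TCP listener that sends `banner` to every client.

    Returns the ephemeral port it bound so the grab below can target it.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and read whatever the service says before we send anything.

    This is the whole 'telnet to the port and read the greeting' step; a
    service that stays silent until spoken to simply yields an empty string.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("latin-1", errors="replace").strip()


# Product name followed by a separator and a dotted version, e.g.
# "ProFTPD 1.3.0" or "Apache/2.2.3". Heuristic pattern, assumption of this example.
VERSION_RE = re.compile(r"\b([A-Za-z][\w.-]*)[ /_-](\d+(?:\.\d+)+)\b")


def disclosed_versions(banner: str) -> list:
    """Return (product, version) pairs a banner gives away; empty if hardened."""
    return [(m.group(1), m.group(2)) for m in VERSION_RE.finditer(banner)]


# Common initial TTLs and the OS families that usually ship them. Coarse
# heuristic only (assumption of this example); tools combine it with other fields.
INITIAL_TTLS = (32, 64, 128, 255)
TTL_FAMILIES = {
    32: "older Windows-like",
    64: "Linux/BSD/macOS-like",
    128: "Windows-like",
    255: "Solaris/network-gear-like",
}


def initial_ttl_guess(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL out of range: %d" % observed_ttl)


def hop_distance(observed_ttl: int) -> int:
    """Hops the packet has travelled, assuming the guessed initial TTL."""
    return initial_ttl_guess(observed_ttl) - observed_ttl


if __name__ == "__main__":
    port = start_banner_server()
    banner = grab_banner("127.0.0.1", port)
    print("banner:", banner)
    print("disclosed:", disclosed_versions(banner))
    for ttl in (51, 115, 243):
        guess = initial_ttl_guess(ttl)
        print("ttl %d -> initial %d (%s), %d hops" % (ttl, guess, TTL_FAMILIES[guess], hop_distance(ttl)))
```

Pointing `grab_banner` at your own hosts and running `disclosed_versions` over the result is a quick audit of what each service volunteers; as Eric notes, trimming that text hides the product name from script kiddies but does nothing about the underlying stack, which is what the TTL rounding illustrates: the greeting can say anything, while the IP header still rounds up to 64 or 128.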



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:30 EDT