Network Security Pen-Test

Re: Banner Grabbing

Subject: Re: Banner Grabbing
Date: Thu, 28 Dec 2006 23:10:02 -0700
The problem with both Ettercap and p0f is they just do passive TCP
fingerprinting.  I did a paper on this about 12-18 months ago.  The
first 11 pages out of about 50 are on active fingerprinting.  The next
35-40 are on passive fingerprinting.

You can find it at:
http://packetstormsecurity.org/papers/general/OSFingerPrint.pdf

There are multiple tweaks you can do, but it all depends on what you
are attempting to fingerprint.  Are we talking a web, ftp, telnet,
print server?  Are we talking the OS in general or a service?

Based on "banner grabbing" I would assume most of what has been
mentioned would work.  The gist of it would be to telnet into a port
and grab the banner that is sent in response.

From a passive side if they are doing http traffic you can grab the
info that their web browser sends out and utilize it to fingerprint
the OS.  Or use the info sent in response to their packets to
fingerprint the remote site.

Besides tweaking a banner on an ftp/telnet/smtp/web server there isn't
a lot you can do to keep it from happening.  Tweaking the banner alone
won't fix your overall problem either.  As mentioned before most
attacks don't even bother checking to see if you are windows, linux,
mac, or a Commodore 64 for that matter.  They just fire, forget, and
move on.

Anyway, since tweaking the banner alone won't fix the issue you may
want to look at tweaking the underlying OS specific settings so that
it may throw off many utilities that rely on a specific TCP setting
such as ID, TTL, etc, but that may only fool it on the underlying OS,
not the actual service in question.  There are fuzzer utils out there,
but then again if most scripts that are going to hit you don't care
and just fire off anyway, does it matter?  Now for a specific targeted
attack this may help, but not sure how much in the long run.

Eric

On 12/28/06, Vikas Singhal <vikas.programmer@gmail.com> wrote:

You can do banner grabbing or OS fingerprinting (according to the discussion going on here) in two ways: active and passive. Active OS fingerprinting is risky but more reliable than passive, and vice versa. You can have a look at irongeek's passive OS fingerprinting video. It's pretty good.

http://www.irongeek.com/i.php?page=videos/passive-os-fingerprinting


- Vikas Singhal .:[ Keep Learning ]:.
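As an added example (not code from either poster, and not a tool the thread mentions), the Python below takes the defender's side of both points raised above: what the banner a telnet-style connection receives gives away about a service you run, and what OS hint your users' browsers carry in their User-Agent headers. The sample banners and User-Agent strings are constructed; `audit_banner` and `os_from_user_agent` run on them offline, while `grab_banner` is a small helper for checking hosts you administer and is not exercised by the samples. Product names, OS tokens and regexes are the example's own choices, not anything from the post.

```python
"""Audit what service banners and browser User-Agents give away.

Added example for the thread above; it is not code from either poster.
Sample banners and User-Agent strings are constructed, and grab_banner()
is meant for checking hosts you administer yourself.
"""
import re
import socket

# Constructed banners, as services under audit might return them.
SAMPLE_BANNERS = {
    "ssh": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4",
    "smtp": "220 mail.example.test ESMTP Postfix (Debian/GNU)",
    "ftp": "220 (vsFTPd 3.0.3)",
    "http": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix)\r\nContent-Length: 0\r\n\r\n",
    "ssh_quiet": "SSH-2.0-OpenSSH",
    "smtp_quiet": "220 mail.example.test ESMTP ready",
}

# Constructed User-Agent strings, as a proxy log might record them.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15",
]

# "Product/1.2.3", "Product 1.2.3" or "Product_1.2.3": a version string is the
# disclosure that matters most, because it maps straight onto advisories.
VERSION_RE = re.compile(
    r"(?P<product>[A-Za-z][A-Za-z0-9-]*)[/_ ](?P<version>\d+(?:\.\d+)+[A-Za-z0-9.-]*)"
)
# Product names worth flagging even when no version accompanies them (example list).
KNOWN_PRODUCTS = ("OpenSSH", "Postfix", "Exim", "Sendmail", "vsFTPd", "ProFTPD",
                  "Apache", "nginx", "Microsoft-IIS")
# Tokens that reveal the operating system behind the service (example list).
OS_TOKENS = ("Ubuntu", "Debian", "CentOS", "Red Hat", "FreeBSD", "Unix",
             "Win32", "Windows", "Linux", "Darwin")


def audit_banner(service, banner):
    """Report what one banner discloses. For HTTP only the Server header counts."""
    text = banner.strip()
    if service == "http":
        server_lines = [l for l in text.splitlines() if l.lower().startswith("server:")]
        text = server_lines[0].split(":", 1)[1].strip() if server_lines else ""
    lowered = text.lower()
    software = [(m.group("product"), m.group("version")) for m in VERSION_RE.finditer(text)]
    products = [p for p in KNOWN_PRODUCTS if p.lower() in lowered]
    os_hints = [t for t in OS_TOKENS if t.lower() in lowered]
    return {
        "service": service,
        "banner": text,
        "software": software,
        "products": products,
        "os_hints": os_hints,
        "discloses_version": bool(software),
        "discloses_os": bool(os_hints),
    }


# Ordered: iOS before macOS because iPhone UAs also contain "like Mac OS X".
UA_OS_RULES = [
    (re.compile(r"iPhone OS (?P<v>[\d_]+)"), "iOS"),
    (re.compile(r"Android (?P<v>[\d.]+)"), "Android"),
    (re.compile(r"Windows NT (?P<v>[\d.]+)"), "Windows"),
    (re.compile(r"Mac OS X (?P<v>[\d_]+)"), "macOS"),
    (re.compile(r"X11; (?:Ubuntu; )?Linux"), "Linux"),
]


def os_from_user_agent(ua):
    """Passive OS hint from a User-Agent string; (None, None) when nothing matches."""
    for pattern, name in UA_OS_RULES:
        m = pattern.search(ua)
        if m:
            version = m.groupdict().get("v")
            return name, version.replace("_", ".") if version else None
    return None, None


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect to a service you administer and return the first bytes it sends.
    Most services speak first; for HTTP pass probe=b"HEAD / HTTP/1.0\\r\\n\\r\\n"."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        try:
            data = sock.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", "replace")


def audit_samples():
    """Audit the constructed samples; returns (service, versions, os_hints) for disclosing ones."""
    findings = []
    for service, banner in SAMPLE_BANNERS.items():
        report = audit_banner(service, banner)
        if report["discloses_version"] or report["discloses_os"]:
            findings.append((service, report["software"], report["os_hints"]))
    return findings


if __name__ == "__main__":
    for service, software, os_hints in audit_samples():
        print(f"{service}: versions={software} os={os_hints}")
    for ua in SAMPLE_UAS:
        print("user-agent ->", os_from_user_agent(ua))
```

The two "quiet" samples show the mitigation Eric describes: a banner trimmed to `SSH-2.0-OpenSSH` or `220 host ESMTP ready` still identifies the protocol and maybe the product, but no longer hands out a version or an OS string. As the post notes, that only removes one source of information; the TCP-level characteristics and the service's real behaviour are unaffected.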

