Date:      Mon, 30 Nov 1998 14:00:46 +0500 (KGT)
From:      CyberPsychotic <fygrave@tigerteam.net>
To:        Adam Shostack <adam@homeport.org>
Cc:        Robert Watson <robert+freebsd@cyrus.watson.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Detecting remote host type and so on..
Message-ID:  <Pine.LNX.4.05.9811301357150.1181-100000@gizmo.kyrnet.kg>
In-Reply-To: <19981129150948.A18609@weathership.homeport.org>

~ Two tools that do this are queso (at Apostools.org, if memory serves), 
~ and nmap2 (currently in closed beta.)  Also, Tony Osborne has been
~ working on a paper based on ICMP differences.
~ 
Yeah, thanks. Well, the 'DESCR' for queso gives a pretty clear answer to my
question; thanks for the pointers:
--[cut here]--
How we can determine the remote OS using simple tcp packets?  Well,
it's easy, they're packets that don't make any sense, so the RFCs
don't clearly state what to answer in these kind of situations.
Facing this ambiguity, each TCP/IP stack takes a different approach
to the problem, and this way, we get a different response.  In some
cases (like Linux, to name one) some programming mistakes make the OS
detectable.

QueSO sends:

        0 SYN           * THIS IS VALID, used to verify LISTEN
        1 SYN+ACK
        2 FIN
        3 FIN+ACK
        4 SYN+FIN
        5 PSH
        6 SYN+XXX+YYY   * XXX & YYY are unused TCP flags
-more- http://www.apostols.org/projectz/queso/
--[cut here]--


 Well, I think that there could be similar differences in responses
to badly-formed ICMP packets, as well as to other stuff.





