Date: Mon, 30 Nov 1998 14:00:46 +0500 (KGT)
From: CyberPsychotic
X-Sender: fygrave@gizmo.kyrnet.kg
To: Adam Shostack
cc: Robert Watson, freebsd-security@FreeBSD.ORG
Subject: Re: Detecting remote host type and so on..
In-Reply-To: <19981129150948.A18609@weathership.homeport.org>

~ Two tools that do this are queso (at Apostools.org, if memory serves),
~ and nmap2 (currently in closed beta.) Also, Tony Osborne has been
~ working on a paper based on ICMP differences.
~

yeah. thanks. well 'DESCR' for queso gives a pretty clear answer to my
question, thanks for the pointers:

--[cut here]--
How can we determine the remote OS using simple TCP packets? Well, it's
easy: they're packets that don't make any sense, so the RFCs don't
clearly state what to answer in this kind of situation. Facing this
ambiguity, each TCP/IP stack takes a different approach to the problem,
and this way we get a different response.

In some cases (like Linux, to name one) some programming mistakes make
the OS detectable.

QueSO sends:

 0 SYN            * THIS IS VALID, used to verify LISTEN
 1 SYN+ACK
 2 FIN
 3 FIN+ACK
 4 SYN+FIN
 5 PSH
 6 SYN+XXX+YYY    * XXX & YYY are unused TCP flags

-more-

http://www.apostols.org/projectz/queso/
--[cut here]--

well, I think that there could be similar differences in responses for
badly-formed ICMP packets as well as for other stuff..

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
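The queso probe list quoted in the post doubles as a detection signature: a bare FIN, a bare PSH, SYN+FIN, and a segment with the two unused flag bits set are combinations no normal TCP stack emits, so a host that sends several of them at one port is running a fingerprinting probe. The script below is an added example, not code from the post or from the queso project. It assumes a constructed, simplified flow-log line format (`src:port > dst:port flags=0x..`), uses RFC 5737 documentation addresses as constructed sample data, and assumes that queso's "XXX" and "YYY" are the two bits above URG in the TCP flags byte.

```python
"""Flag TCP segments whose flag combinations match the queso probe set
(bare FIN, bare PSH, SYN+FIN, unused bits set) and report sources that
send several distinct kinds at one port.  Added example; the log format
and sample lines are constructed, not real captures."""

import re
from collections import defaultdict

# TCP flag bits as laid out in the header's flags byte.  The two bits above
# URG are assumed here to be the "XXX"/"YYY" unused flags queso refers to.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
UNUSED = 0xC0

# Constructed sample lines in a simplified "src > dst flags=0x.." shape;
# 192.0.2.10 runs the probe set, 192.0.2.77 is an ordinary client.
SAMPLE_LOG = """\
1998-11-30T14:00:46 192.0.2.10:40001 > 198.51.100.5:80 flags=0x02
1998-11-30T14:00:46 192.0.2.10:40002 > 198.51.100.5:80 flags=0x12
1998-11-30T14:00:46 192.0.2.10:40003 > 198.51.100.5:80 flags=0x01
1998-11-30T14:00:47 192.0.2.10:40004 > 198.51.100.5:80 flags=0x11
1998-11-30T14:00:47 192.0.2.10:40005 > 198.51.100.5:80 flags=0x03
1998-11-30T14:00:47 192.0.2.10:40006 > 198.51.100.5:80 flags=0x08
1998-11-30T14:00:47 192.0.2.10:40007 > 198.51.100.5:80 flags=0xc2
1998-11-30T14:00:48 192.0.2.77:51234 > 198.51.100.5:80 flags=0x02
1998-11-30T14:00:48 192.0.2.77:51234 > 198.51.100.5:80 flags=0x10
1998-11-30T14:00:49 192.0.2.77:51234 > 198.51.100.5:80 flags=0x11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags=0x(?P<flags>[0-9a-fA-F]{2})$"
)


def classify(flags):
    """Return the queso probe name a flags byte can only have come from,
    or None.  Probes 0 (SYN), 1 (SYN+ACK) and 3 (FIN+ACK) are legitimate
    segments in the right connection state, so a stateless check cannot
    tell them from real traffic and they are deliberately not flagged."""
    if flags & UNUSED:
        return "6 SYN+XXX+YYY"   # unused bits set: never sent by a 1998 stack
    if flags & SYN and flags & FIN:
        return "4 SYN+FIN"       # open and close in the same segment
    if flags == FIN:
        return "2 FIN"           # every post-SYN segment carries ACK
    if flags == PSH:
        return "5 PSH"           # likewise, PSH without ACK is impossible
    return None


def parse(log_text):
    """Yield (src, dst, dport, flags) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), int(m["flags"], 16)


def find_probe_sources(log_text, min_probe_kinds=2):
    """Group impossible flag combinations by (src, dst, dport).  One oddity
    may be a broken middlebox; several distinct probe kinds against one
    port is the queso pattern.  Returns {(src, dst, dport): [probe names]}."""
    seen = defaultdict(set)
    for src, dst, dport, flags in parse(log_text):
        name = classify(flags)
        if name:
            seen[(src, dst, dport)].add(name)
    return {key: sorted(names) for key, names in seen.items()
            if len(names) >= min_probe_kinds}


if __name__ == "__main__":
    for (src, dst, dport), names in find_probe_sources(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} sent queso-style probes: {', '.join(names)}")
```

On a present-day network the unused-bits rule needs care: the two bits this example treats as unused were later assigned to ECN (CWR and ECE), and an ECN-capable client's initial SYN is exactly the 0xC2 byte flagged above, so that rule should be restricted to non-SYN segments or dropped before running this against real logs. The other three combinations remain impossible for a conforming stack.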