From: olivier courtay (olivier.courtayintranode.com)
Date: Thu Apr 18 2002 - 08:44:18 CDT

    Carefully studying the way TCP works, especially some timer values
    inside the TCP stack, we have derived a new technique for remote OS
    detection, based on temporal response analysis.

    The idea is quite simple: send a TCP SYN packet to an open port on a
    remote system, and listen for the different answers (usually successive
    SYN/ACK packets). By measuring the number of responses, the delay
    between retries, and the optional presence of a "RST" packet after a
    few answers, we can easily recognize some operating systems.
    The nice thing is that it only requires sending one packet to an open
    TCP port, which makes this method really quiet.

    As a proof of concept, we also developed a standalone tool, "RING",
    that will perform these tests and identifications, using a signature
    file.

    A patch for Nmap-2.54BETA32 is being prepared and should be released
    anytime soon.
    At the moment, ring and nmap OS fingerprinting methods are launched
    simultaneously, but results aren't merged for better accuracy.
    If you want to try this patch, please send me an
    email (ringintranode.com).

    More information is available at:
    http://www.intranode.com/site/techno/techno_articles.htm

    The open source tool can be downloaded from:
    http://www.intranode.com/pdf/techno/ring-0.0.1.tar.gz

    The open source tool for Linux2.4 kernel can be downloaded from:
    http://www.intranode.com/pdf/techno/ring-0.0.1-Linux-2.4.tar.gz

    The full 13-page white paper is available at:
    http://www.intranode.com/pdf/techno/ring-full-paper.pdf

    We will be very happy to get your feedback on this technique.
    Feel free to contact us at: ringintranode.com

    Thanks,
    Olivier

    -- 
    ________________________________
    Olivier  Courtay
    Research Engineer 
    tel: +33 (0) 223 455 524
    fax: +33 (0) 223 455 501
    mailto: olivier.courtayintranode.com
    http://www.intranode.com
    

    Intranode Software Technologies Security you can see.

    -------------------------------------------------- For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-helpinsecure.org . List run by ezmlm-idx (www.ezmlm.org).
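
The analysis step of the temporal measurement described in the message, as an added example that is not RING's code or part of the original post: it reduces observed SYN/ACK retransmissions to retry count, inter-retry delays and trailing RST, then compares them to a signature table. The signature names, the table format, the tolerance and the capture data are all constructed assumptions.

```python
# Added example: constructed data, hypothetical signature names and format.
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str      # hypothetical label, not a real OS signature
    delays: tuple  # expected seconds between successive SYN/ACKs
    rst: bool      # whether a RST closes the sequence

# Constructed signatures for illustration only (not RING's signature file).
SIGNATURES = [
    Signature("example-stack-A", (3.0, 6.0, 12.0), False),
    Signature("example-stack-B", (3.0, 6.0), True),
    Signature("example-stack-C", (1.0, 2.0, 4.0, 8.0), False),
]

def temporal_profile(events):
    """events: list of (timestamp_seconds, flags) seen after one SYN.
    Returns (delays between SYN/ACKs, rst_seen_after_last_synack)."""
    synacks = sorted(t for t, f in events if f == "SA")
    if not synacks:
        raise ValueError("no SYN/ACK observed; port closed or filtered")
    delays = tuple(round(b - a, 3) for a, b in zip(synacks, synacks[1:]))
    rst = any(f == "R" and t >= synacks[-1] for t, f in events)
    return delays, rst

def match(events, tolerance=0.5):
    """Return names of signatures whose retry count, per-retry delay
    (within tolerance seconds) and RST behaviour all agree."""
    delays, rst = temporal_profile(events)
    hits = []
    for sig in SIGNATURES:
        if len(sig.delays) != len(delays) or sig.rst != rst:
            continue
        if all(abs(d - e) <= tolerance for d, e in zip(delays, sig.delays)):
            hits.append(sig.name)
    return hits

# Constructed captures: timestamps relative to the probe SYN, with jitter.
CAPTURE_B = [(0.02, "SA"), (3.05, "SA"), (9.01, "SA"), (9.40, "R")]
CAPTURE_DROPPED = [(0.02, "SA"), (9.01, "SA")]  # middle retry lost in transit

if __name__ == "__main__":
    print(match(CAPTURE_B))        # one constructed signature agrees
    print(match(CAPTURE_DROPPED))  # packet loss changes count and delay
```

The second capture shows the method's sensitivity to loss: one dropped retransmission alters both the retry count and the measured delay, so no signature agrees.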