From: Corey Steele (CSteelegood-sam.com)
Date: Tue Aug 14 2001 - 08:23:29 CDT

    true, except in this case we're really only interested in the DLLs so we don't have to keep track of the md5sum of EVERY file on the system...

    -C

    Corey J. Steele, Security Analyst
    Good Samaritan Society
    e-mail: csteelegood-sam.com
    voice: (605) 362-3899

    >>> <patrick.mannionus.socgen.com> 08/14/01 08:02AM >>>
    hmmmm..... sounds an awful lot like tripwire....

    "Corey Steele" <CSteelegood-sam.com> on 08/13/2001 16:52:48

    To: mforresterhsacorp.net, focus-mssecurityfocus.com
    cc: (bcc: Patrick MANNION/us/socgen)
    Subject: Re: Windows Binary Fingerprint Database (was DLL versioning info)

    one word: "perl". it'd be a simple script... the only hard part would be
    telling it what files to finger-print.

    I'd set up two default NT boxes, one with IIS, the other without. I would then
    ghost those systems. Then, I'd fingerprint them (bare, no SPs at all). Then,
    I'd go through each SP and finger print them again, then, I'd dump all that in
    to a database and slap a web-based front-end on it and live happy. All you'd
    have to do is fingerprint the system after applying each patch and then dumping
    the data into the database again... you could automate this all very very easily
    with Perl...

    Perl is a great glue language and would work for doing like an MD5 `sum` of each
    binary/dll, and would also be good for talking to different databases.

    That's my two cents on that one.

    -C

    Corey J. Steele, Security Analyst
    Good Samaritan Society
    e-mail: csteelegood-sam.com
    voice: (605) 362-3899

    >>> "Forrester, Mike" <mforresterhsacorp.net> 08/10/01 01:57PM >>>
    I was thinking of starting a collection of checksums of Windows binaries and
    figured I'd first check to see if anyone has done this yet and made it
    available on the web. I did a quick search of google and the focus-ms
    archives and couldn't find anything. Does anyone know of a website similar
    to the Solaris Fingerprint Database for Windows?

    http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl

    Also, what recommendations do people have on already made and FREE tools
    that might help with creating such a database? I found a couple of tools
    that sounded interesting but the links were dead.

    Thanks,
    Mike

    -----Original Message-----
    From: RH [mailto:RHbeulah.org]
    Sent: Wednesday, August 08, 2001 12:51 PM
    To: 'MadHat'; focus-mssecurityfocus.com
    Subject: RE: DLL versioning info

    This is something that Microsoft should make a tool for and put in plain
    sight on the patch area of their web site. It should have remote
    connect capabilities, and a virus-scanner-like "signature" database of
    patches that can be kept auto-updated.
    I know that several MS employees read this list, so how about it? :-)

    Ric

    -----Original Message-----
    From: MadHat [mailto:madhatunspecific.com]
    Sent: Tuesday, August 07, 2001 3:47 PM
    To: focus-mssecurityfocus.com
    Subject: DLL versioning info

    I have seen a few people mention that the only real way of verifying that a
    hotfix is installed is by checking the version of the DLL, knowing that
    info in the registry may not be accurate because of reinstall apps (like
    IIS) may overwrite the newer DLL and the registry entry for the hotfix
    would still exist. So with this in mind, does anyone know of a
    comprehensive list of DLLs and the proper, most up to date versions, or
    versions that fix problem X?

    So a listing like

    IDA/CodeRed, idq.dll, 5.0.2195.3645 on W2K, 5.0.1781.3 on NT 4.0

    Thanks

    --
    MadHat at unspecific.com
    

    ************************************************************************** The information contained herein is confidential and is intended solely for the addressee(s). It shall not be construed as a recommendation to buy or sell any security. Any unauthorized access, use, reproduction, disclosure or dissemination is prohibited.

    Neither SOCIETE GENERALE nor any of its subsidiaries or affiliates shall assume any legal liability or responsibility for any incorrect, misleading or altered information contained herein. **************************************************************************
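
The workflow discussed in this thread (fingerprint known-good builds at each patch level, store the results in a database, then check a live system's DLLs against them) can be sketched as follows. This is an added example, not code from any poster: it is written in Python with SQLite rather than the Perl suggested above, and the table layout, function names and patch-level labels are assumptions made for illustration.

```python
import hashlib, os, sqlite3

def file_md5(path):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def iter_dlls(root):
    """Yield (lower-cased relative path, full path) for every .dll under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".dll"):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/").lower(), full

def open_db(path=":memory:"):
    """Open the fingerprint store (hypothetical schema: one row per level and file)."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS fp (level TEXT, relpath TEXT, md5 TEXT,"
               " PRIMARY KEY (level, relpath))")
    return db

def record_baseline(db, level, root):
    """Fingerprint a known-good tree and store it under a patch-level label."""
    rows = [(level, rel, file_md5(full)) for rel, full in iter_dlls(root)]
    db.executemany("INSERT OR REPLACE INTO fp VALUES (?, ?, ?)", rows)
    db.commit()
    return len(rows)

def audit(db, expected_level, root):
    """Compare a live tree with the baseline recorded for expected_level.

    Returns {relpath: status}. Status is 'ok', 'unknown' (hash is in no
    baseline), or 'matches:<levels>' when the file is byte-identical to a
    different patch level, e.g. a reinstall that overwrote a hotfixed DLL.
    """
    report = {}
    for rel, full in iter_dlls(root):
        levels = [r[0] for r in db.execute(
            "SELECT level FROM fp WHERE relpath = ? AND md5 = ? ORDER BY level",
            (rel, file_md5(full)))]
        if expected_level in levels:
            report[rel] = "ok"
        elif levels:
            report[rel] = "matches:" + ",".join(levels)
        else:
            report[rel] = "unknown"
    return report
```

A `matches:` result is the case the original question describes: the registry may still list the hotfix, but the DLL on disk is the one from an earlier patch level.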