RE: Passive OS Fingerprinting was Cisco CTR etc

From: Teicher, Mark (Mark) (teicher_at_avaya.com)
Date: 11/23/03

    Date: Sun, 23 Nov 2003 06:13:38 -0700
    To: "Andy Cuff [Talisker]" <talisker@securitywizardry.com>, "Ron Gula" <rgula@tenablesecurity.com>, <focus-ids@securityfocus.com>

    Not quite sure if they are ahead of the curve or just advertising
    a feature many people didn't realize was a possibility in the various
    Enterprise Management Systems available. Cabletron Spectrum had a
    network mapping feature based on TTLs a long time ago. Very few people
    even deployed Cabletron Spectrum. The other was ANMS (Automatic Network
    Monitoring System), a bash, perl, ksh scripting network architecture that
    is still or was used by many large telecommunications carriers.

    A more recent attempt at network mapping was the 3-D mapping option in
    Cybercop 5.0.

    Although not as nifty as the comet tail network mapping RNA offers. :)

    I will be in the southeast quadrant of the country that week.

    /m

    -----Original Message-----
    From: Andy Cuff [Talisker] [mailto:talisker@securitywizardry.com]
    Sent: Saturday, November 22, 2003 3:10 AM
    To: Teicher, Mark (Mark); Ron Gula; focus-ids@securityfocus.com
    Subject: Re: Passive OS Fingerprinting was Cisco CTR etc

    Hey Mark,
    LTNS! I was under the impression that anti-sniff was (thinking of a
    polite word) prone to false positives. Furthermore, I'd be tempted to
    deploy a passive OS fingerprinting tool on a Data In Nothing Out (DINO)
    tap; this would make the detection of the pf tool even more difficult
    through such measures.

    I think most IDS vendors are developing such technology (with one almost
    definite exception). But as usual Ron and Marty are ahead of the drag
    curve. I think it's really s3xy, but as my wife will testify I'm sad and
    I need a life ;o) So s3xy that I have included a page detailing them all
    at http://www.securitywizardry.com/osfp.htm

    P0f
    Ettercap
    ARCHAEOPTERYX
    RNA
    NEVO
    Prelude
    pfprintd
    Disco
    There was one that was a predecessor, I think, to P0f, but it is no longer
    supported so I left it out.

    cheers Mark
    Are you anywhere near DC 11/12 Dec for a beer?
    -andy cuff
    Talisker Security Tools Directory http://www.securitywizardry.com
    ----- Original Message -----
    From: "Teicher, Mark (Mark)" <teicher@avaya.com>
    To: "Ron Gula" <rgula@tenablesecurity.com>;
    <focus-ids@securityfocus.com>
    Sent: Thursday, November 20, 2003 7:49 PM
    Subject: RE: NeVO Scan Application was RE: Cisco CTR

    > Ron,
    >
    > Didn't @Stake produce AntiSniff to detect passive type monitoring
    > applications ??
    >
    >
    >
    > /mark
    >
    > -----Original Message-----
    > From: Ron Gula [mailto:rgula@tenablesecurity.com]
    > Sent: Thursday, November 20, 2003 12:45 PM
    > To: Teicher, Mark (Mark); focus-ids@securityfocus.com
    > Subject: Re: NeVO Scan Application was RE: Cisco CTR
    >
    >
    > Woah ... no-one should be able to detect NeVO or RNA (or a NIDS) just
    > by sitting there. You need to do real complex things invoking timing
    > and other checks to find hosts that are passively listening.
    >
    > Desktop agents like Sygate will see scans from Nessus, Nmap, pings,
    > etc. but they will have a hard time detecting passive analysis of
    > their network traffic.
    >
    > Ron
    >
    >
    >
    > At 12:27 PM 11/20/2003 -0700, Teicher, Mark (Mark) wrote:
    > >Ron,
    > >
    > >Interesting, another lightweight and inexpensive monitoring/scanning
    > >software ?? Wondering if the Enterprise/Desktop firewall products
    > >can detect NeVO scans as they can nmap scans. It will be very
    > >interesting to see how Desktop firewalls in the corporate environment
    > >stand up to NeVO scans..
    > >
    > >Something to try in the lab against all those Enterprise/Desktop
    > >Firewall products.. :)
    > >
    > >/mark
    > >
    > >-----Original Message-----
    > >From: Ron Gula [mailto:rgula@tenablesecurity.com]
    > >Sent: Thursday, November 20, 2003 7:38 AM
    > >To: focus-ids@securityfocus.com
    > >Subject: Re: Cisco CTR
    > >
    > >
    > >At 04:54 AM 11/20/2003 -0700, Mark Teicher wrote:
    > > >Just curious on how NeVO compares to Intrusec Expose ??
    > >
    > >I have not seen Expose recently, but my thought was that it was a
    > >continuous low-volume active scan that could launch other
    > >vulnerability scanners when change was detected. NeVO does the same
    > >sort of thing, but passively through network packet/session
    > >monitoring. Besides looking for change in the network, it also looks
    > >for the vulnerability.
    > >
    > >NeVO needs to wait for a packet to be sent before it sees a host,
    > >port, client, server or vulnerability. If folks deploy NeVO with a
    > >Lightning Console, they can launch distributed Nessus scans if they
    > >see a system or a vulnerability data that they would like to follow
    > >up with an active scan.
    > >
    > >Ron Gula
    > >Tenable Network Security
    > >http://www.tenablesecurity.com
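The thread above mentions TTL-based network mapping (Cabletron Spectrum) and passive fingerprinters such as P0f. As an added illustration, not code from any poster or tool named here, the following builds a passive host inventory from packet summaries the way such a tool would on a receive-only tap: it rounds the observed IP TTL up to a common initial value, derives the hop distance, and matches (initial TTL, TCP window) against a small signature table. The packet records and the signature table are constructed for this example; real fingerprinters use many more fields (TCP options, MSS, DF bit).

```python
from collections import namedtuple

# Constructed packet summary: what a sniffer sees in an IP/TCP header.
Packet = namedtuple("Packet", "src ttl window")

# Common initial TTLs used by operating systems. An observed TTL is rounded
# up to the nearest one; the difference estimates hops to the sender.
INITIAL_TTLS = (64, 128, 255)

# Tiny (initial TTL, TCP window) signature table, constructed for
# illustration only; not a real p0f signature database.
SIGNATURES = {
    (64, 5840): "Linux 2.4/2.6-class",
    (64, 65535): "BSD-class",
    (128, 65535): "Windows-class",
    (255, 8760): "Solaris-class",
}


def infer_initial_ttl(ttl):
    """Return the smallest common initial TTL that is >= the observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init
    return 255


def fingerprint(pkt):
    """Passively classify one packet: initial TTL, hop distance, OS guess."""
    init = infer_initial_ttl(pkt.ttl)
    hops = init - pkt.ttl
    os_guess = SIGNATURES.get((init, pkt.window), "unknown")
    return {"src": pkt.src, "initial_ttl": init, "hops": hops, "os": os_guess}


def build_inventory(packets):
    """Map each source address to its first fingerprint (passive discovery:
    a host only appears once it has sent something)."""
    inventory = {}
    for pkt in packets:
        inventory.setdefault(pkt.src, fingerprint(pkt))
    return inventory


# Constructed sample traffic, as seen on the tap.
SAMPLE = [
    Packet("10.0.0.5", 61, 5840),      # Linux-like, 3 hops away
    Packet("10.0.0.9", 117, 65535),    # Windows-like, 11 hops away
    Packet("10.0.0.20", 250, 8760),    # Solaris-like, 5 hops away
    Packet("10.0.0.5", 61, 5840),      # repeat: no new host
]
```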

