Thursday, October 16, 2008

Network Miner

One program that currently uses parts of Satori is NetworkMiner, which is where most of the recent news about Satori has been coming from.

NetworkMiner uses the Satori DHCP fingerprinting DB in the currently released version, available at:
http://sourceforge.net/projects/networkminer/

I believe the next version that is released should also have the TCP fingerprinting piece from Satori, based on past emails with the author.
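To show what the DHCP side of this fingerprinting actually keys on, here is an added example (not Satori's or NetworkMiner's code): a small passive DHCP parser that pulls the option 55 parameter request list and option 60 vendor class out of a DHCPDISCOVER and matches the request list against a fingerprint table. The table entries, the sample packets and the helper names are constructed for illustration and are not Satori's real database.

```python
# Passive DHCP fingerprinting sketch (added example; not Satori/NetworkMiner code).
# The idea: different DHCP client stacks ask for a characteristic, ordered set of
# options (option 55), so a listener can guess the OS without sending anything.

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that follows the 236-byte BOOTP header

# Constructed fingerprint table: option 55 list (ordered) -> label.
# These tuples are illustrative samples, NOT Satori's real signatures.
FINGERPRINTS = {
    (1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43): "Windows (constructed sample)",
    (1, 3, 6, 12, 15, 28, 42): "Linux dhclient (constructed sample)",
}


def parse_dhcp_options(payload):
    """Parse the option region of a BOOTP/DHCP payload into {code: bytes}.

    Expects the payload as it arrives in the UDP datagram: the fixed 236-byte
    header, the magic cookie, then TLV options ending with 0xff.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad byte, no length field
            i += 1
            continue
        if code == 255:        # end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint(payload):
    """Return the fields a passive fingerprinter would record, plus a table lookup."""
    opts = parse_dhcp_options(payload)
    prl = tuple(opts.get(55, b""))                       # parameter request list, order kept
    vendor = opts.get(60, b"").decode("ascii", "replace")  # vendor class identifier, if any
    return {
        "parameter_request_list": prl,
        "vendor_class": vendor,
        "os_guess": FINGERPRINTS.get(prl, "unknown"),
    }


def build_discover(prl, vendor_class=None):
    """Construct a minimal DHCPDISCOVER payload (test data, not a real capture)."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    body = header + DHCP_MAGIC
    body += bytes([53, 1, 1])                      # option 53: message type = DISCOVER
    body += bytes([55, len(prl)]) + bytes(prl)     # option 55: parameter request list
    if vendor_class:
        vc = vendor_class.encode("ascii")
        body += bytes([60, len(vc)]) + vc          # option 60: vendor class identifier
    body += b"\x00\xff"                            # one pad byte, then end marker
    return body


if __name__ == "__main__":
    pkt = build_discover((1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43), "MSFT 5.0")
    print(fingerprint(pkt))
```

In a real deployment the payload would come from a sniffer listening on UDP port 67/68, and the table would be the Satori DB rather than two hand-written rows; the parser logic (pad and end handling, bounds checks on each TLV) is what matters for not mis-reading malformed broadcasts.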

Some good articles on NetworkMiner and everything it can do can be found here:
http://holisticinfosec.org/toolsmith/docs/august2008.pdf
http://www.net-security.org/dl/insecure/INSECURE-Mag-18.pdf

For the second one you'll need to jump to page 18.

NetworkMiner is a very nice program for pulling information off the network and rebuilding the files being downloaded: think Driftnet for Windows, along with a lot of other nice features. Its OS identification is not nearly as polished as Satori, in my opinion at least, but that is not what it is geared towards.

Check it out.

Satori in the news "out there"

The following sites/blogs have information on OS identification that mention Satori.
One of the first references to it that I recall was by Thierry Zoller in a post on Full Disclosure, and later on his blog:

http://snoopsec.blogspot.com/2008/10/obfuscating-your-os-tcp-stack-or-way-to.html

http://www.binrev.com/forums/index.php?showtopic=39194&st=0&gopid=319785&#entry319785
http://www.irongeek.com/i.php?page=security/osfuscate-change-your-windows-os-tcp-ip-fingerprint-to-confuse-p0f-networkminer-ettercap-nmap-and-other-os-detection-tools
http://hackaday.com/2008/10/04/avoiding-os-fingerprinting-in-windows/

The Hackaday post came out on Oct 4, 2008; hits to my website jumped from roughly 100 a month to about 350 in the 4-5 day period after that post came out!