Saturday, November 15, 2008


Well finally decided to setup a twitter account. Long story short, someone got a hold of me mentioning my DHCP paper, he was one of the original authors from KU on it and mentioned my paper was mentioned by yet someone else on twitter. Decided it was time to check it out.

My site probably will never see postings, but who knows. I'm basically just using it to follow some other sites, which I could probably do via other means, but....

Saturday, November 8, 2008

Active AP 802.11 Fingerprinting

Toorcon recently seems to have had a presentation on Fingerprinting APs to see if they are ones you should trust. (Click on the Title to see it)

Some interesting tests by tweaking flags sent and doing clock skew tests. Looks like it may have also been presented at Blackhat and ShmooCon also this year.

The presentation material for Toorcon seems to be a little longer than the ShmooCon one, though ShmooCon's seems to have a few different slides in it. Didn't go looking for it at Blackhat.

Makes me think I should work on getting Satori to be able to use my AirPCap adapter and start working at breaking down those 802.11 packets!

Advanced application level OS fingerprinting

A short (36 pages or so) powerpoint type paper on Application Level Fingerprinting.

I found it interesting how, depending on the OS the application was running on, it would act differently depending on what was sent at it. After doing some of this for going on 10 years, I'm surprised to find that I'm surprised by it, but I was.

Anyway, seems like a nice writeup on a new way of thinking/testing a few things. If I was still big into Active Fingerprinting I may have had to try to expand on this, but for now, I have enough projects.

Check it out. And if you don't like pdf's, check out the original post at SecurityFocus and grab one of the other formats. Otherwise click on the Title up top and you should hit the pdf version of it.

Sunday, November 2, 2008

Future papers & projects

After looking at what I had out there from my 2005 paper I realized there are a lot of things I've added to Satori that I really don't have documented well on how I did it. Since Satori and my papers are my way of giving back to the community, I'm going to try to go back and document each of the protocols I parse and use in Satori and do a quick whitepaper on each. Nothing like the DHCP one, since that was written specifically for Blackhat 2007, but enough to help others who are trying to duplicate what I've done.

Also, I've been thinking about writing my own DHCP client for Windows. It goes along with the idea irongeek worked on about changing your TCP stack. I have the initial plan in my head, but have not started coding it. Not sure it will ever come to completion, but will be fun to create a DHCP program to do DHCP Request, Inform, Discover, etc packets while looking like it is a Linux 2.2 box, or a Windows 95 box, etc. It will give me a chance to test some of the questions I had while writing the DHCP paper originally to see who well some DHCP servers adhere to things.

First things first though, 2 new certs to work on, hopefully coding or writing of the whitepapers will start by Dec 1, but who knows. Still need to get back to some Satori work one of these days!

Wikipedia post

Ok, not sure who originally updated the OS Fingerprinting post on wikipedia and added Satori, but it wasn't me. Glad to see NetworkMiner and Satori were added!

Since it was already there, I flushed out the Passive Fingerprinting stuff a bit more, putting links to my 2 papers on OS fingerprinting in general and to DHCP fingerprinting. I know shameless, but figured if that stuff was going to be mentioned it might as well have some decent reference material!

Wikipedia post can be seen at: