Saturday, August 22, 2009

Telnet Recon

Google Alert just popped up a program called telnetrecon. Telnetrecon is just that: a recon program for the telnet service. It appears to be an active scanner. I have very few devices/systems with telnet open these days, so it isn't something I've tried out. If anyone runs it, let me know any feedback you have, or feel free to add a post.

Looks like it was initially released about a year ago. Not sure how many additions have been made to it since. It may come in useful for some testing, though.

Wednesday, August 12, 2009

Sayings that drive me crazy

Ok, nothing to do with OS Fingerprinting, but I've seen this comment twice this week and it drives me nuts:

"Either way, ESX is just software and can suffer from
vulnerabilities just like any other piece of software."

Yes, 100% true. The above was the reply when I asked whether VM escape had actually been demonstrated in ESX, not just in Workstation/Server. Earlier this week, someone else said the same thing on a different security list in regard to trunking VLANs into an ESX box: that trusting VMware to do it in ESX was crazy and you should use a real firewall because "ESX is just software... and has vulns in it".

What do these security people think runs firewalls? Let's see: a Cisco device runs IOS, and IOS is software! Better yet, network engineers put the rules in firewalls, and network engineers get lazy sometimes and put bad rules in them.

Give me a break. YES, ESX is software, and YES, software has vulns in it, but everything we do on these lovely pieces of hardware we are sitting at requires software to run. Even booting them up takes software. What do you think the BIOS is?

Ok, enough ranting, but next time you hear someone say "It is just software, so it has vulns in it", smack them upside the head for me!

ICMP OS Fingerprinting

Quite honestly, I thought ICMP-based OS fingerprinting was dead and had been for years, now that almost all OSes default to running a firewall! I was quite surprised to see that NetScanTools Pro still has an option to do this.

I happened to pick up an article from Laura Chappell, which had a link to this QuickTime audio: http://www.screencast.com/users/laurachappell/folders/Media%20Roll/media/75047d06-2801-49b7-87d3-0e41a3abd500

NetScanTools Pro appears to be sending the standard probe set:
ICMP Echo Request
Timestamp Request
Address Mask Request
Information Request
ICMP Echo Request (Code <> 0)
TOS and Precedence
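To make that probe set concrete, here is an added Python example (not NetScanTools' code, and not taken from Ofir Arkin's paper) that builds each of the ICMP probes listed above, parses raw replies, and reduces them to the features an ICMP fingerprint database keys on: which request types were answered at all, whether a non-zero code in the echo request is preserved in the reply, and the apparent initial TTL and TOS byte of the reply. The signature table and the sample replies are constructed for illustration and are not measured fingerprints of any real OS; actually putting the probes on the wire would need a raw socket, which is left out so the example runs offline.

```python
"""Build the classic ICMP OS-fingerprinting probes and classify the replies.

Added example: the probe set matches the list in the post; the signature
table (EXAMPLE_DB) and the sample replies in demo() are constructed, not
measured from real systems."""
import struct

# ICMP message types used by the probe set (RFC 792 / RFC 950).
ECHO_REPLY, ECHO = 0, 8
TS_REPLY, TS_REQ = 14, 13
INFO_REPLY, INFO_REQ = 16, 15
MASK_REPLY, MASK_REQ = 18, 17
PROBE_NAMES = ("echo", "echo_code7", "timestamp", "addrmask", "info")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a valid received message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, ident: int = 0x4242,
               seq: int = 1, payload: bytes = b"") -> bytes:
    """ICMP header (type, code, checksum, id, seq) plus payload, checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def build_probes() -> dict:
    """One ICMP message per probe in the post's list; each goes in its own IP datagram."""
    return {
        "echo": build_icmp(ECHO),
        "echo_code7": build_icmp(ECHO, code=7),                 # "ICMP Request (Code <> 0)"
        "timestamp": build_icmp(TS_REQ, payload=b"\x00" * 12),  # originate/receive/transmit
        "addrmask": build_icmp(MASK_REQ, payload=b"\x00" * 4),  # 32-bit mask field
        "info": build_icmp(INFO_REQ),
    }


def build_ipv4(tos: int, ttl: int, icmp: bytes) -> bytes:
    """Minimal IPv4 header (no options, header checksum left 0) for constructed replies."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), 0, 0, ttl, 1, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + icmp


def parse_reply(datagram: bytes) -> dict:
    """Extract the fingerprint-relevant fields from a raw IPv4+ICMP reply."""
    ihl = (datagram[0] & 0x0F) * 4
    icmp = datagram[ihl:]
    if icmp_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp[0], "code": icmp[1], "tos": datagram[1], "ttl": datagram[8]}


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    return next((t for t in (32, 64, 128, 255) if observed <= t), 255)


def fingerprint(replies: dict) -> dict:
    """Feature vector from per-probe parsed replies (a probe absent from the dict got no answer)."""
    feats = {name: name in replies for name in PROBE_NAMES}
    r7 = replies.get("echo_code7")
    feats["code_preserved"] = r7 is not None and r7["code"] == 7
    r0 = replies.get("echo")
    feats["ttl"] = initial_ttl(r0["ttl"]) if r0 else None
    feats["tos"] = r0["tos"] if r0 else None
    return feats


# CONSTRUCTED signatures for illustration only; a real DB comes from observed replies.
EXAMPLE_DB = {
    "sig-A": {"echo": True, "echo_code7": True, "code_preserved": True,
              "timestamp": True, "addrmask": False, "info": False, "ttl": 64},
    "sig-B": {"echo": True, "echo_code7": True, "code_preserved": False,
              "timestamp": False, "addrmask": False, "info": False, "ttl": 128},
    "sig-C": {"echo": True, "echo_code7": True, "code_preserved": True,
              "timestamp": False, "addrmask": True, "info": False, "ttl": 255},
}


def match(feats: dict, db: dict = EXAMPLE_DB) -> tuple:
    """Best-scoring signature, or 'unable to identify' if more than one feature disagrees."""
    best, best_score = None, -1
    for name, sig in db.items():
        score = sum(1 for k, v in sig.items() if feats.get(k) == v)
        if score > best_score:
            best, best_score = name, score
    if best_score < len(db[best]) - 1:
        return ("Unable to identify operating system.", best_score)
    return (best, best_score)


def demo() -> tuple:
    """Constructed target: answers both echoes (code kept) and timestamp; ignores mask and info."""
    wire = {
        "echo": build_ipv4(0, 61, build_icmp(ECHO_REPLY)),
        "echo_code7": build_ipv4(0, 61, build_icmp(ECHO_REPLY, code=7)),
        "timestamp": build_ipv4(0, 61, build_icmp(TS_REPLY, payload=b"\x00" * 12)),
    }
    feats = fingerprint({k: parse_reply(v) for k, v in wire.items()})
    return feats, match(feats)
```

The "TOS and Precedence" test in the post's list is only partly represented here (the reply's TOS byte is recorded as a feature); the original test also sends requests with the TOS/precedence bits set and watches what comes back, which is a straightforward extension of `build_ipv4`. The `match` threshold is deliberately strict so that a host answering nothing, or a firewalled host answering only echo, falls through to the same "Unable to identify" result the tool reported for the printer.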

Without going back and reading Ofir Arkin's paper again, or looking at my old ICMP program, I'm not sure whether any of these are new compared to what Ofir presented in his 2001 paper "ICMP Usage In Scanning". I wonder if LNSS is still using the Code <> 0 test at all?

ICMP fingerprinting seems about the same as before: useful in some cases, not so useful in others. It is good to see that it is still being used, and therefore a new fingerprint database has probably been built.

Out of the 4 main types of devices on my network, it identified them as [Actual - Identification]:
Netgear WAP - HP Procurve Switch 2500 Series
Brother Printer - Unable to identify operating system.
Linksys VOIP Device - HP LaserJet 2800 Series
XP - Windows XP responding to Ping only

Ok, I had my box crash twice while doing OS fingerprinting with this. It could be a problem on my box, or it could be a bad dissector on their end. Will follow up with them. [Note: Kirk was quick on responses. It looks like it was probably in WinPcap, since the BSOD pointed at npf.sys; trying to duplicate on another system. It may also be a NIC driver combination; looking into it, but it doesn't appear to be NetScanTools related.]

Anyway, out of 4 devices it could ID 1 correctly. Any fingerprinting program is only as good as its DB, so maybe I'll have to play with it a bit more and send them some new fingerprints if they have the ability to add them. [Note: Looks like the ability to add more will be in version 11, so I'll have to follow up with them in the future.]