<h1>Chatter on the Wire: How excessive network traffic gives away too much!</h1>
<p>OS fingerprinting info, primarily geared towards passive OS identification, but also links to active OS identification. Author: xnih.</p>

<h2>Satori Updates</h2>
<p>2021-11-12</p>
<p>I've continued to update Satori little by little out there on GitHub, both updating the underlying code and the fingerprints. Always happy to have new ideas or feedback on the program.</p>

<h2>Youtube channel</h2>
<p>2019-02-23</p>
I've continued to make updates to the python version of Satori and have put a lot of time in the past few weeks into updating fingerprints and fixing some minor bugs that have cropped up. But.... I thought I'd take this opportunity to do a quick intro to the YouTube channel I started.<br />
<br />
It is called, you guessed it, <a href="https://www.youtube.com/channel/UCQdbiw660DDsyDGagJWw4uA">Chatter on the Wire, or CotW</a> for short. It won't just be about OS fingerprinting, but I'm sure I'll put some demos of Satori and other programs I've written out there. It will be videos about a number of different things: small electronics, coding projects, melting metals and whatever else I find myself periodically doing that I decided I'd document. Mostly I believe it will be reviews of products I've been using myself or testing out for certain specific applications for home, work, or other areas of my life.<br />
<br />
It will bounce around a bit and I hope to put stuff out every so often. Not sure if that will be every few days, weeks, or months, but it will all depend on time and the amount of effort it takes to put the videos together.

<h2>posted to github</h2>
<p>2018-11-11</p>
<a href="https://github.com/xnih/satori">https://github.com/xnih/satori</a><br />
<br />
3 modules so far:<br />
<br />
<ul>
<li>dhcp</li>
<li>tcp</li>
<li>useragent</li>
</ul>
<br />
A speed increase of anywhere from 7.5 to 20.4 times over my old Windows version.<br />
<div>
<br /></div>
<div>
</div>
<br />
<div>
I have not run all my old pcaps through it at this point, but I did run a few from my last SANS course through it to find a few bugs I had.</div>
<div>
<br /></div>
<div>
Fingerprint files for each of those 3 have been updated, with a number more hopefully coming with the next week.</div>
<div>
<br /></div>
<div>
I also hope to get smb done before long, as I do see there is an smb one in pypacker (missed it before).</div>
<div>
<br /></div>
<div>
<br /></div>
<h2>Satori rewrite update</h2>
<p>2018-11-04</p>
Real life/work always gets in the way.....<br />
<br />
Lost 2 weeks to work related fun, but finally had a chance to revisit the rewrite this weekend and parse some of the tcp pcaps I've gathered in the past month or so to feed it.<br />
<br />
tcp.xml has been updated with a number of newer OSes. Since it had been 4+ years or so since I'd last updated it, there were a lot of Windows OSes to add to it. I did find it interesting that I can tell the difference between Windows 10 build 14393 (and potentially earlier) and 15063 and greater! Something changed in the TCP stack between those builds. Also added some 2012 and 2016 server fingerprints and a few others, such as some newer OS X ones. By no means complete with what I have, but when you're that far behind on things, it takes a while to start adding things again!<br />
<br />
As for the rewrite itself, I got some command line options so you can choose which modules you want to use (tcp is done, dhcp is next to be worked on). Not sure which ones I'll port, but moving along. Also got code in place to choose the file you want to read in, instead of just having it hard coded. Neither is a huge accomplishment, but something I had to get fixed to make it even partially usable.<br />
<br />
I also got things broken out into different files; initially it was all one big jumble, but hey, I'm not really a programmer, I hack stuff together to make it work! <br />
<br />
Hope to have something out on github for testing in the near future, but it all depends on free time.

<h2>TCP module done???</h2>
<p>2018-10-14</p>
<h3>
First the good news, the tcp module, including reading in the tcp.xml from years ago seems to be done.</h3>
I ran nmap -O 192.168.x.0/24 against my local home network and saved a tcpdump file to disk while it was running. Of course I forgot about it, and it was listening while any traffic it could see was going out to the internet as well. Currently satori.py is hard coded to read one specific .pcap file, which I then read in:<br />
<br />
python3 satori.py | awk -F';' '$7 != "" { print $3, $6, $7 }' | sort -u<br />
<div>
<br /></div>
<div>
<br /></div>
<div>
Output:</div>
<div>
<div>
192.168.1.108 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
<div>
192.168.1.109 29200:64:1:60:M1460,S,T,N,W7:. Ubuntu 18.x:5</div>
<div>
192.168.1.131 8760:64:0:52:M1460,N,W0,N,N,S:A Hewlett-Packard JetDirect:5</div>
<div>
192.168.25.128 29200:64:1:60:M1460,S,T,N,W7:. Ubuntu 18.x:5</div>
<div>
198.8.71.207 65535:128:1:52:M1460,N,W1,N,N,S:A Windows 7:5</div>
<div>
207.198.x.38 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
<div>
207.198.x.39 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
<div>
207.198.x.40 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
<div>
207.198.x.41 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
<div>
207.198.x.42 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
<div>
209.15.x.11 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
<div>
209.15.x.8 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
The format above is just src IP, TCP fingerprint, OS guess. In true Satori fashion, each OS guess has a weight associated with it, so that I can tie the different ones together and give a guess based on different protocol fingerprints. The format is OS Guess:Weight | next OS Guess:Its weight, etc....</div>
<div>
<br /></div>
<div>
Full output from Satori looks like:</div>
<div>
<br /></div>
<div>
2018-10-14T01:50:57.063663;00:0C:29:5F:9F:42;192.168.25.128;TCP;S;29200:64:1:60:M1460,S,T,N,W7:.;Ubuntu 18.x:5</div>
<div>
<br /></div>
<div>
Date/Time in UTC, ISO Format; SRC MAC; SRC IP; What protocol it came from; In the case of TCP, if it was a S or SA; TCP Fingerprint; OS Guess w/ Weight</div>
<div>
<br /></div>
<div>
In the case of TCP, the SRC MAC is normally worthless as it will be the router, but for DHCP and others it is the Unique Identifier I need.</div>
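<div>
To make the weight column concrete, here is an added Python example (my code, not Satori's) that parses records in the format just described and sums the guess weights per source host across protocols, the way the awk/sort -u pipeline above does by hand. The sample lines are constructed: the first is the record shown above, the rest are made up, and the DHCP line's fingerprint field and its weight of 8 are assumptions about what a DHCP record would look like, not Satori output. Keying on the source IP is a simplification too, since Satori keys DHCP on the client MAC.
</div>

```python
from collections import defaultdict

# Constructed sample in Satori's output format. Only the first line is the
# record shown on the page; the rest are made up for this example, and the
# DHCP line's fingerprint (an option 55 list) and weight are assumptions.
# Fields, separated by ';':
#   timestamp;src MAC;src IP;protocol;S or SA (TCP only);fingerprint;OS guesses
SAMPLE_OUTPUT = """\
2018-10-14T01:50:57.063663;00:0C:29:5F:9F:42;192.168.25.128;TCP;S;29200:64:1:60:M1460,S,T,N,W7:.;Ubuntu 18.x:5
2018-10-14T01:50:58.000001;00:0C:29:5F:9F:42;192.168.1.108;TCP;S;8192:128:1:52:M1460,N,W8,N,N,S:A;Windows 7:5|Windows Server 2008:5
2018-10-14T01:51:03.000002;00:0C:29:5F:9F:42;192.168.1.108;TCP;S;8192:128:1:52:M1460,N,W8,N,N,S:A;Windows 7:5|Windows Server 2008:5
2018-10-14T01:51:09.000003;00:1A:2B:3C:4D:5E;192.168.1.108;DHCP;;1,15,3,6,44,46,47,31,33,121,249,43;Windows 7:8
2018-10-14T01:51:12.000004;00:0C:29:5F:9F:42;192.168.1.131;TCP;S;8760:64:0:52:M1460,N,W0,N,N,S:A;Hewlett-Packard JetDirect:5
2018-10-14T01:51:15.000005;00:0C:29:5F:9F:42;192.168.1.200;TCP;S;14600:64:1:60:M1460,S,T,N,W7:.;
"""


def parse_line(line):
    """Split one Satori record; the guess column becomes a list of (os, weight) pairs.
    The fingerprint itself contains ':' so guesses are split on '|' and then on the
    last ':' of each entry."""
    ts, mac, ip, proto, flags, fp, guesses = line.rstrip("\n").split(";", 6)
    parsed = []
    for g in filter(None, guesses.split("|")):
        os_name, _, weight = g.rpartition(":")
        parsed.append((os_name, int(weight)))
    return {"ts": ts, "mac": mac, "ip": ip, "proto": proto,
            "flags": flags, "fp": fp, "guesses": parsed}


def aggregate(output):
    """Sum guess weights per source IP across protocols. Each distinct
    (protocol, S/SA, fingerprint) counts once per host, like the sort -u in the
    pipeline above, so a chatty host does not outvote itself with repeats."""
    seen = set()
    scores = defaultdict(lambda: defaultdict(int))
    protos = defaultdict(set)
    for line in output.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["guesses"]:          # unknown fingerprint: nothing to weigh
            continue
        key = (rec["ip"], rec["proto"], rec["flags"], rec["fp"])
        if key in seen:
            continue
        seen.add(key)
        protos[rec["ip"]].add(rec["proto"])
        for os_name, weight in rec["guesses"]:
            scores[rec["ip"]][os_name] += weight
    return {ip: {"guesses": sorted(g.items(), key=lambda kv: (-kv[1], kv[0])),
                 "protocols": sorted(protos[ip])}
            for ip, g in scores.items()}


def best_guess(output, ip):
    """Top-weighted OS for one host, or None if no fingerprint matched."""
    host = aggregate(output).get(ip)
    return host["guesses"][0][0] if host else None


if __name__ == "__main__":
    for ip, host in sorted(aggregate(SAMPLE_OUTPUT).items()):
        print(ip, host["protocols"], host["guesses"])
```

<div>
With the constructed input, 192.168.1.108 ends up as Windows 7 with weight 13 (5 from the TCP SYN, counted once, plus 8 from DHCP) against 5 for Windows Server 2008, which is the kind of tie-breaking across protocols the weights are there for.
</div>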
<div>
<br /></div>
<h3>
Now the minor bad news....</h3>
<div>
pypacker doesn't have any built-in ability to read live packets; it only has its ppcap piece, which reads captured files. I'm going to dink around with pcapy later and verify if I can use it to read live packets and just feed the packets in similar to the pypacker buffer. I have high hopes, but it will be a few days until I get some time to verify.</div>
<div>
<br /></div>
<h3>
So what is next...</h3>
<div>
<ol>
<li>Add feature to read specific capture files from disk instead of a single hard coded one that I keep manually renaming to test.pcap!</li>
<li>Investigate pcapy for live capture input into the script instead of just saved files</li>
<li>Update tcp.xml as it is WAY out of date!</li>
<li>Get setup on github or something similar (think I already have account) and publish this as I go</li>
<li>Add a ton of error checking into this; currently there is only one try: except: clause in it, and it was only added during the last round of testing when things were blowing up on my nmap pcap file.</li>
</ol>
<div>
<br /></div>
</div>
<h2>Satori Rewrite?</h2>
<p>2018-10-07</p>
Ok, it has been 3 years since the last time I posted on rewriting Satori.....<br />
<br />
I sat down Friday after work with pypacker. I put an hour or two into getting it to read packets with some example code and parse through TCP packets to at least get my TCP fingerprinting under way. I bounced a question off of the developer (one earlier in the week when I was hoping to start, and then again once I finally did). He was helpful in both cases, and by the end of Saturday I had code in place that properly dissects TCP packets. I have 2 pieces to fix, one of which has always been my nemesis: bit shifting. I never really got it in my head how that works 15 years ago when I wrote Satori in Delphi, and now that I rarely program this type of stuff anymore, I'm no better off with python. The difference in 2018, though, is I'm not writing the protocol dissectors anymore!<br />
<br />
Pypacker isn't really designed per se for what I'm using it for; it is really more for making your own packets, but it has the ability to decode them as well! He already has the protocol stack built out for almost everything I need, just missing SMB. Once I get through TCP, DHCP and a few others I'll start looking at that one, but it will be a bit down the road.<br />
<br />
The one difference with this rewrite vs the one I claimed in 2015, 2014, 2013..... I'm actually really interested it doing this this time. Code will also all be open sourced this time around and project will be hosted out on something like github.<br />
<br />
Time permitting today, I should have TCP, p0f v2 style and ettercap done. I hope to have something in place as well to actually parse through the fingerprint files and spit out a guess at the OS. While I'd prefer to do DHCP as my first one, as that was where I really enjoyed this the most, TCP seems like the most useful. Once I get this done I'll look at p0fv3 that came out in the 2014 time frame as I was really winding down my work in this field.<br />
<br />
Anyway, if you are doing any type of python and network type stuff, I highly recommend you check out pypacker. I had tried doing this before with scapy, dpkt and a few others, but they were all a bit slow or convoluted for me and didn't have enough of the protocols already built out. Or maybe they really did and I just wasn't motivated enough, can't really say. <br />
<br />
It's fun to be working on this project again after this long break. Once I get it moving along, fingerprint files will be updated again as well.<br />
<br />
Initial output:<br />
192.168.25.128:36526 -> 216.58.217.34:443<br />
Flags: S ,Fingerprint: 29200:64:4096:60:M1460,S,T,N,W7:.<br />
216.58.217.34:443 -> 192.168.25.128:36526<br />
Flags: SA ,Fingerprint: 64240:128:0:44:M1460:A<br />
<div>
<br /></div>
<div>
The 4096 part is due to bad bit shifting on my part to read the don't fragment bit (reading 1 bit out of 16 is so much fun). I did a kludge elsewhere in the code, but now that I remember about bit shifting, I may have to go back and rewrite that. But 95% of the way there on TCP at this point!</div>
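<div>
As an added example (not Satori's code) of what the TCP module has to do for each SYN, here is a Python function that turns the raw bytes of an IPv4/TCP packet into the window:ttl:df:size:options:quirks string that the "Full output" in the later post prints, including the single DF bit that produced the 4096 above. The packet bytes are constructed to match the Ubuntu SYN in the initial output (MSS 1460, SACK permitted, timestamps, NOP, window scale 7, 60 bytes total); the quirks handled are only A, Z, U and D, not the whole p0f v2 set.
</div>

```python
import struct

# Constructed sample (not a capture from the page): an IPv4/TCP SYN from
# 192.168.25.128:36526 to 216.58.217.34:443 carrying the Linux option layout
# MSS, SACK-permitted, timestamps, NOP, window scale; 60 bytes on the wire.
SAMPLE_SYN = bytes.fromhex(
    "4500003c" "12344000" "40060000" "c0a81980" "d83ad922"   # IPv4: len 60, DF set, TTL 64, proto 6
    "8eae01bb" "00000001" "00000000" "a0027210" "00000000"   # TCP: ports, seq, ack 0, off 10/SYN, win 29200
    "020405b4" "0402" "080a000f424000000000" "01" "030307"   # options: M1460, S, T, N, W7
)


def df_bit(flags_frag):
    """IPv4 flags live in the top 3 bits of the 16-bit flags/fragment-offset word:
    bit 15 reserved, bit 14 DF, bit 13 MF, bits 12..0 the fragment offset.
    Shift the DF bit down to position 0 and mask everything else off."""
    return (flags_frag >> 14) & 1


def parse_tcp_options(opts):
    """Encode TCP options in p0f v2 notation and order: N=NOP, M<mss>, W<shift>,
    S=SACK permitted, T/T0=timestamp (T0 when the timestamp value is zero),
    E=end of list, ?<kind>=anything unknown."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL has no length byte and ends the list
            out.append("E")
            break
        if kind == 1:                       # NOP has no length byte
            out.append("N")
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option at offset %d" % i)
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            out.append("M%d" % struct.unpack("!H", body)[0])
        elif kind == 3 and length == 3:
            out.append("W%d" % body[0])
        elif kind == 4:
            out.append("S")
        elif kind == 8 and length == 10:
            out.append("T" if struct.unpack("!I", body[:4])[0] else "T0")
        else:
            out.append("?%d" % kind)
        i += length
    return ",".join(out)


def tcp_fingerprint(pkt):
    """Return (flags, fingerprint) for an IPv4/TCP packet, the fingerprint in the
    window:ttl:df:size:options:quirks form that Satori prints."""
    ver_ihl, _tos, tot_len, ip_id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:tot_len]
    _sport, _dport, _seq, ack, off_flags, win, _csum, urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4        # header length in 32-bit words, top nibble
    flags = ("S" if off_flags & 0x02 else "") + ("A" if off_flags & 0x10 else "")
    quirks = ""
    if ack:                                 # ACK number set on a SYN
        quirks += "A"
    if ip_id == 0:                          # zero IP ID
        quirks += "Z"
    if urg:                                 # urgent pointer set
        quirks += "U"
    if len(tcp) > data_off:                 # payload on the SYN
        quirks += "D"
    opts = parse_tcp_options(tcp[20:data_off])
    return flags, "%d:%d:%d:%d:%s:%s" % (win, ttl, df_bit(flags_frag), tot_len, opts, quirks or ".")


if __name__ == "__main__":
    print(tcp_fingerprint(SAMPLE_SYN))
```

<div>
The same option parser also reproduces the Windows 7 layout from the nmap run (M1460,N,W8,N,N,S), which is what makes that 52-byte SYN distinguishable from the Linux 60-byte one before the OS guess is even looked up.
</div>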
<h2>Fingerbank Collector</h2>
<p>2017-05-10</p>
Ok, it has been eons since my last post, and this has more to do with other projects taking up my time in electronics than in fingerprinting, but I still like to dabble in this world as time permits.<br />
<br />
Going back to 2007 and a lot of what Satori does/did, it looks like fingerbank has taken on, which is very cool to see!<br />
<br />
<a href="https://fingerbank.org/collector.html?utm_source=pf-announce-en&utm_medium=email&utm_campaign=gartner_collector">https://fingerbank.org/collector.html?utm_source=pf-announce-en&utm_medium=email&utm_campaign=gartner_collector</a><br />
<br />
ARP, DHCP v4 and v6, DNS and mDNS, HTTP and HTTPS, Radius (one I never tried to utilize) and TCP<br />
<br />
They are doing it cloud based and it is closed source, but it is still cool to see that what I was doing 7 years ago is going mainstream these days in yet another project.

<h2>Satori rewrite</h2>
<p>2015-11-14</p>
Ok, for years I've been planning on rewriting Satori in python (or something else) and never have gotten around to it. Well, 2 weeks ago I started playing with pyshark while working with SMB packets for the FOR572 class. More on that project in the future, but it got me thinking: why go to all of the headache of writing new code to parse all those packets? Instead, use the power of tshark, via pyshark.<br />
<br />
So with that said, I really do plan on Satori 2.0 (or would it be 1.0, since I never made it out of the 0.7x arena?). The future releases of Satori will be pyshark/python based with tshark on the backend to do the heavy lifting. I plan on just coding enough to pull the needed info and query the underlying .xml files for fingerprint data. This will get it off the ground again, though it may not make it as fast as it could be, but trade-offs: it is that, or I probably never get back to it :)<br />
<br />
I'm not sure I can do everything I was doing with Satori before, but I can easily do dhcp, http agent string, and some of the smb stuff I was doing.<br />
<br />
I'm thinking about adding some SSL fingerprinting to it also.<br />
<br />
All of this to say, evidently Satori isn't dead from my end! It has just taken a bit of a break.

<h2>OS's - patching and support</h2>
<p>2015-01-13</p>
In the past few weeks Microsoft has appeared a bit peeved with Google's disclosure policy. They had a patch planned for Patch Tuesday (today), and the information about it hit the 90 day mark back at the end of December and was released by Google. <div>
<br /></div>
<div>
There have been a number of threads going on the different lists I'm on, some supporting this, saying Microsoft knew their policy and knew the deadline, while others are upset at Google, who knew a patch was in the plans and released the data anyway.</div>
<div>
<br /></div>
<div>
I've been back and forth on Full Disclosure vs Responsible Disclosure over the years. I see both sides and understand the needs. I do believe the security researchers that find these bugs and push the vendors to get patches out the door are important, but I also believe a lot of these researchers (not all, but a lot) haven't had to support large organizations and deal with the "headache" these things cause.</div>
<div>
<br /></div>
<div>
In the end, supporting or trying to secure a large organization is tough to start with, made tougher by the numerous pieces of software and hardware that may be out there, and made even tougher when you don't have total control over what is on your network (at least in the .edu space). Add to that screwed up patches that get pulled and 3rd parties disclosing things "days" before a patch is due out, and it's almost enough to make you pull your hair out some days.</div>
<div>
<br /></div>
<div>
Microsoft has the problem of trying to make sure that things are backwards compatible, supporting things from 10+ years ago. Google, on the other hand, just drives forward with a new OS and drops support for older ones.</div>
<div>
<br /></div>
<div>
Case in point:</div>
<div>
https://community.rapid7.com/community/metasploit/blog/2015/01/11/google-no-longer-provides-patches-for-webview-jelly-bean-and-prior</div>
<div>
<br /></div>
<div>
As we see more and more devices built on the Android OS and their support just ending, due to carriers not doing upgrades or whatever, it will be interesting to see how things play out in the future. Will Google actually be the one that takes the heat (from the public), or will the carrier? Or will the idea of just throwing the old equipment away and constantly upgrading continue to be the norm?</div>
<div>
<br /></div>
<div>
I'm still running an old 2.3.x "smart" phone. I don't surf the net with it; it gives me phone access and it gives me my calendar stuff. It works for what I need, but I know its limitations and the security implications if I surf the web with it. How many users do? Should we really be forced to spend that much every 2 years to replace older tech? Maybe things change constantly; it isn't like when I started and we used to get new AV definitions every 6 months :) But I hate to see us continue to throw away perfectly working tech that could be patched.</div>
<div>
<br /></div>
<div>
Oh well, I digress. Another Patch Tuesday is upon us and another will come next month. Changes will continue to happen and those that have to support systems will continue to adapt or short of that move on to other things!<br /><div>
<br /></div>
</div>
<h2>Pi clones</h2>
<p>2014-12-26</p>
The Raspberry Pi was a great little device a few years ago. Great price point; it allowed you to run Linux on a very small device that, if lost or stolen, wouldn't be the end of the world, but it also had very little horsepower to do much of anything. Trying to run a GUI on it was painfully slow due to the limited RAM and a single core processor running at 700 MHz or so.<br />
<br />
There have been a few different clones, found 2 I liked last night in searching around for things.<br />
<br />
The ODROID-C1- <a href="http://ameridroid.com/products/odroid-c1">http://ameridroid.com/products/odroid-c1</a><br />
At $37, it is hard to beat a quad core CPU, 1 GB RAM device. It should provide a bit more oomph when needed! It is on my wish list to order now that I've found it; perhaps today I'll do it.<br />
<br />
The BPi-R1 - <a href="http://www.bananapi.com/index.php/component/content/article?layout=edit&id=59">http://www.bananapi.com/index.php/component/content/article?layout=edit&id=59</a><br />
Newegg is carrying these at $75 (<a href="http://www.newegg.com/Product/Product.aspx?Item=9SIA6DB29F2479">http://www.newegg.com/Product/Product.aspx?Item=9SIA6DB29F2479</a>). While not as powerful as the ODROID-C1, this one is the kitchen sink: designed specifically for a home router type setup, it has what I've wanted, which is a built-in switch. I've wanted to build a box to route game traffic through and do some manipulation of the traffic. Not sure if it will be powerful enough, but doing some tcpdumps off this may be an option.<br />
<br />
For now I'll stick with the ODROID-C1 I think and just put a USB to ethernet jack on it so I have a 2nd wired port to route stuff through.<br />
<br />
Anyway, raspberry pi has made some great things possible. I hope we continue to see higher powered systems (more ram actually) at the sub $50 mark. <br />
<br />
Maybe I'll just build a few of these with ARPWatch on them and drop them on some of my closed networks!<br />
<br />
<h2>Filters and updates</h2>
<p>2014-06-23</p>
This was one of those learning moments. You've used a tool for years and it has always worked for you, and then all of a sudden you're getting results you aren't expecting. After 30 minutes of looking at the code, verifying it works in your primary location but not in the one you've provided to the rest of the world, it finally dawns on you that you've added filters into the program to limit the garbage that you have to process.<br />
<br />
This could have been wireshark or a plethora of programs out there, but this was in Satori. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnyBvp1gFHO9lp3BvVC8AXUXfOC00aUhJgSHZiMbgWTs7Mw7i_XYEUaqOXbTf3xHbyQEoX0JEdR8qeaQmi_nVSacsTbXRXalSGxHKDIPUeYxthQYzyKuT5-D4fY1rK_lFuYC-U0XGR9eK0/s1600/satori.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnyBvp1gFHO9lp3BvVC8AXUXfOC00aUhJgSHZiMbgWTs7Mw7i_XYEUaqOXbTf3xHbyQEoX0JEdR8qeaQmi_nVSacsTbXRXalSGxHKDIPUeYxthQYzyKuT5-D4fY1rK_lFuYC-U0XGR9eK0/s1600/satori.PNG" height="218" width="640" /></a></div>
<br />
Historically I didn't use the filters much; it was something added at the request of someone else, but more and more at home I've found myself using them. Problem is, I sometimes forget they are turned on. I wanted all of my local 192.168.x.x traffic and any of my local IPv6 traffic (FE80::), but when doing DHCP work, it makes a big difference if you've added that last one in there. Without 0.0.0.0 I wasn't seeing any discover or request packets, and for the life of me I couldn't figure out why!<br />
<br />
It is always wise to go back to the basics when something all of a sudden stops working. Get things back to a set starting point with no tweaks in place and make sure it is working there, before spending 30 minutes digging through code and realizing there is nothing wrong with it and it works fine on that system!<br />
<br />
Anyway, all that to lead up to the fact that I've updated web, tcp, webagents, sip and the main satori.exe file (that was one change to make sure Windows 8.1 was in the hard coded part of the program that I've never gotten out to config files yet).

<h2>DHCP Inform vuln?</h2>
<p>2014-05-29</p>
I have not verified this, but since most of my work was around DHCP related fingerprinting, I found it interesting. I wonder how many other DHCP clients are vulnerable to this on my test systems. <br />
<br />
Anyway, this is a direct repost off of FD from earlier today with only slight modifications for formatting issues:<br />
<br />
<div class="aju">
<div class="aCi">
Title: Microsoft DHCP INFORM Configuration Overwrite</div>
</div>
<div class="gs">
<div class="ii gt m14649bb579db6f1e adP adO" id=":575">
<div class="a3s" id=":516" style="overflow: hidden;">
Version: 1.0<br />
Issue type: Protocol Security Flaw<br />
Affected vendor: Microsoft<br />
Release date: 28/05/2014<br />
Discovered by: Laurent Gaffié<br />
Advisory by: Laurent Gaffié<br />
Issue status: Patch not available<br />
============================================================<br />
<br />
Summary<br />
-------<br />
<br />
A vulnerability in Windows DHCP (<a href="http://www.ietf.org/rfc/rfc2131.txt" target="_blank">http://www.ietf.org/rfc/rfc2131.txt</a>) was found on Windows OS versions ranging from Windows 2000 through to Windows Server 2003. This vulnerability allows an attacker to remotely overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user interaction. Successful exploitation of this issue will result in a remote network configuration overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.<br />
<br />
<br />
Technical details<br />
-----------------<br />
<br />
Windows 2003/XP machines are sending periodic DHCP INFORM requests and are not checking if the DHCP INFORM answer (DHCP ACK) is from the registered DHCP server/relay-server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.<br />
<br />
Impact<br />
------<br />
<br />
Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.<br />
<br />
Affected products<br />
-----------------<br />
<br />
Windows:<br />
- 2000<br />
- XP<br />
- 2003<br />
<br />
Proof of concept<br />
----------------<br />
The DHCP.py utility found within the Responder toolkit can be used to exploit this vulnerability.<br />
<br />
git clone <a href="https://github.com/Spiderlabs/Responder" target="_blank">https://github.com/Spiderlabs/Responder</a><br />
<br />
Solution<br />
--------<br />
Set a DWORD registry key "UseInform" to "0" in each subfolder found in HKLM\SYSTEM\CCS\Services\TCP\Interfaces\<br />
<br />
Response timeline<br />
-----------------<br />
* 18/04/2014 - Vendor notified.<br />
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )<br />
* 18/04/2014 - Suggested to vendor to run Responder on an A-D environment while looking at the DHCP issue for education purposes, since multiple attempts were made to have them be aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was asked what code change made this DHCP INFORM issue different on Windows Vista than Windows Server 2003.<br />
* 21/04/2014 - MSRC answers with an automated response.<br />
* 08/05/2014 - Request for a reply.<br />
* 14/05/2014 - MSRC reply and refuses to share their view on the code change, however they mention that 'The product team is investigating whether the RFC for a DHCPINFORM message is properly implemented'.<br />
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but the logic behind it. Also, MSRC was asked if they were successful with Responder.<br />
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on if they were successful with Responder in their environment.<br />
<br />
<br />
References<br />
----------<br />
* Responder: <a href="https://github.com/Spiderlabs/Responder" target="_blank">https://github.com/Spiderlabs/Responder</a><br />
* <a href="http://g-laurent.blogspot.ca/" target="_blank">http://g-laurent.blogspot.ca/</a><br />
* <a href="https://twitter.com/PythonResponder" target="_blank">https://twitter.com/PythonResponder</a><br />
* <a href="http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html" target="_blank">http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html</a><br />
<br /></div>
</div>
</div>
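<div>
The flaw described in the advisory is a missing check on the client side: the DHCPACK that answers a DHCPINFORM is applied without confirming who sent it. As an added example (my code, not Responder's, Satori's or the advisory's), here is a Python sketch of a DHCP message builder and parser together with the acceptance check a client should make before applying such an ACK: it must carry our transaction ID and a Server Identifier (option 54) that is both on the list of known DHCP servers and equal to the address the reply actually arrived from. The INFORM, the legitimate ACK and the rogue ACK are constructed in the code, and option 252 for WPAD is the de facto value, not an RFC 2132 option.
</div>

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 3, 6, 53, 54, 55, 255
OPT_WPAD = 252                  # de facto proxy auto-discovery option, not in RFC 2132
DHCPACK, DHCPINFORM = 5, 8


def build_dhcp(op, xid, chaddr, ciaddr, options):
    """Assemble a BOOTP/DHCP message: 236-byte fixed header, magic cookie, TLV options, END."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0)  # op, htype=Ethernet, hlen, hops, xid, secs, flags
    hdr += ipaddress.IPv4Address(ciaddr).packed + b"\0" * 12          # ciaddr, then zeroed yiaddr/siaddr/giaddr
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 192                      # chaddr (16), sname (64), file (128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + DHCP_MAGIC + body + bytes([OPT_END])


def parse_dhcp(msg):
    """Pull the header fields and option TLVs out of a DHCP message (RFC 2131/2132)."""
    if len(msg) < 240 or msg[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message: missing magic cookie")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", msg[:12])
    opts, i = {}, 240
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                      # pad byte, no length
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option at offset %d" % i)
        code, length = msg[i], msg[i + 1]
        opts[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "ciaddr": str(ipaddress.IPv4Address(msg[12:16])),
            "chaddr": msg[28:28 + hlen], "options": opts}


def ack_is_trusted(ack, inform_xid, src_ip, trusted_servers):
    """The check the advisory says the affected clients skip: accept a DHCPACK only if it
    answers our INFORM (matching xid) and names a server we already know, both in its
    Server Identifier option and as the source address the reply actually came from."""
    msg = parse_dhcp(ack)
    if msg["op"] != BOOTREPLY or msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return False, "not a DHCPACK"
    if msg["xid"] != inform_xid:
        return False, "xid does not match our INFORM"
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid is None or len(sid) != 4:
        return False, "no usable Server Identifier (option 54)"
    sid = str(ipaddress.IPv4Address(sid))
    if sid not in trusted_servers or src_ip != sid:
        return False, "server id %s from %s is not a known DHCP server" % (sid, src_ip)
    return True, "ACK from %s" % sid


# Constructed exchange for the example (not a capture).
CLIENT_MAC = bytes.fromhex("001122334455")
XID = 0x3903F326
TRUSTED = {"192.168.1.1"}
INFORM = build_dhcp(BOOTREQUEST, XID, CLIENT_MAC, "192.168.1.50",
                    [(OPT_MSG_TYPE, bytes([DHCPINFORM])),
                     (OPT_PARAM_REQ, bytes([OPT_ROUTER, OPT_DNS, OPT_WPAD]))])
LEGIT_ACK = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, "192.168.1.50",
                       [(OPT_MSG_TYPE, bytes([DHCPACK])),
                        (OPT_SERVER_ID, ipaddress.IPv4Address("192.168.1.1").packed),
                        (OPT_DNS, ipaddress.IPv4Address("192.168.1.1").packed)])
# A reply from another host on the segment that copied the xid and points DNS and WPAD at itself.
ROGUE_ACK = build_dhcp(BOOTREPLY, XID, CLIENT_MAC, "192.168.1.50",
                       [(OPT_MSG_TYPE, bytes([DHCPACK])),
                        (OPT_SERVER_ID, ipaddress.IPv4Address("192.168.1.66").packed),
                        (OPT_DNS, ipaddress.IPv4Address("192.168.1.66").packed),
                        (OPT_WPAD, b"http://192.168.1.66/wpad.dat")])

if __name__ == "__main__":
    print(ack_is_trusted(LEGIT_ACK, XID, "192.168.1.1", TRUSTED))
    print(ack_is_trusted(ROGUE_ACK, XID, "192.168.1.66", TRUSTED))
```

<div>
The xid check alone buys nothing here: the advisory notes that any local system can answer the INFORM, so an attacker on the segment sees the xid and echoes it, and a source-address check can be defeated by spoofing on the same LAN. That is why the advisory's remedy is to stop the clients sending INFORMs (UseInform = 0) rather than to validate the replies more carefully.
</div>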
<h2>Accelerometer fingerprinting in mobile devices</h2>
<p>2014-05-08</p>
Interesting research here.<br />
<br />
http://www.scmagazineuk.com/phone-tilt-sensors-can-be-used-to-track-you/article/345712/<br />
<br />
They say: “An accelerometer fingerprint can serve as an electronic cookie, empowering an adversary to consolidate data per user, and track them over space and time. Alarmingly, such a cookie is hard to erase, unless the accelerometer wears out to the degree that its fingerprint becomes inconsistent. We have not noticed any evidence of this in the nine months of experimentation with 107 accelerometers.”<br />
<br />
Original writeup:<br />
http://synrg.csl.illinois.edu/papers/AccelPrint_NDSS14.pdf<br />
<br />
---<br />
<br />
It would be interesting to know how accurate this really is once you start getting into 1000's and 100,000's of devices. While I can see where you could determine general info about what device and accelerometer it is, using it to track an individual user may be a bit more problematic. With that said, I haven't read the 16 page write-up yet, just the quick news article, and with that I'll admit I scanned it.<br />
<br />
Interesting approach and cool way to do it!<br />
<br />
<h2>Satori and AV (SEP at least)</h2>
<p>2013-12-31 (updated 2014-02-17)</p>
Funny thing today. I went to download Satori and install it on my work computer, and Symantec deleted it for reputation......<br />
<br />
Looks like I need to put in a request to get them to whitelist it. Guess I know what I get to do on my vacation. Thanks a lot, Symantec! Nothing like not being able to install one's own software because the AV company decided it didn't like it (I know I'm not the first and won't be the last).<br />
<br />
Update: Look at that, Kaspersky has no issue with it on another system. <br />
<br />
2/17/2014 - update. If any of you using Satori are Symantec users, please submit false positive reports as this is what I got back!<br />
<br />
<div>
We are writing in relation to your application through Symantec's on-line Software White-listing Request form for your software Satori.<br />
Symantec has decided not to add this software to its white-list at this time.<br />
Please note that this decision does not mean that Symantec products will necessarily detect your software in the future.<br />
It simply means that Symantec could not conclude from its analysis at this time that your software should be included in its white-list.<br />
Symantec does not disclose or discuss its decision or analysis; however, in the event Symantec products detect your software at any point and you believe the detection to be a false positive, you may notify us through Symantec's on-line Security Risk/False Positive Dispute Submission form available at: <a href="https://submit.symantec.com/false_positive/" target="_blank">https://submit.symantec.com/false_positive/</a></div>

<h2>SANS webinar - What Matters in Your Chatter?</h2>
<p>2013-07-05</p>
I like to listen to a lot of SANS webinars, and most I get a bit out of, but some I get a lot out of.<br />
<br />
The presenter on this <a href="https://www.sans.org/webcasts/matters-chatter-96742">one</a> pointed out that one of the big issues in our field is that most of us aren't excited anymore about things, digging into them because we want to learn more; instead we just spend time filtering through stuff we already know. We need to be looking for new things and be excited doing it!<br />
<br />
It reminded me of why I got into this field before and how excited I was when I found the ability to do DHCP fingerprinting.<br />
<br />
It was by no means the best webinar I've ever listened to, but it was a good one to listen to.xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-19194716346555449312013-06-29T22:18:00.003-06:002013-06-29T22:18:45.483-06:00More on Interesting PatentsAmazing what you find when you start searching even more. I'm really surprised Google Alerts never picked some of these up before and alerted me on them!<br />
<br />
Detecting Rogue Wireless Devices via DHCP Fingerprinting:<br />
<a href="http://www.faqs.org/patents/app/20110271345">Microsoft - 2011</a><br />
<br />
Appears to be a similar one, but not sure of differences right now.<br />
<a href="http://www.google.com/patents/US20070298720">Microsoft - 2007</a><br />
<br />
System and Method for Resolving OS or Service Identity Conflicts (using SMB, DHCP, etc)<br />
<a href="http://www.faqs.org/patents/app/20110314143">SourceFire - 2011</a><br />
<br />
So it looks like a few other places have put some patents on DHCP fingerprinting in the past few years also.xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-37721212426937525912013-06-29T21:43:00.001-06:002013-06-29T21:48:51.703-06:00Patents on OS Fingerprinting - DHCP specificallyI'll admit, I've never looked much into patents and how they work (what protection they give you, how much they are worth, etc), but I'm curious how one gets one for OS fingerprinting, specifically on a technology that many people were freely writing about prior to the patent being filed.<br />
<br />
Infoblox was one of my last posts after they popped up on a google alert and a buddy just sent me a link to this:<br />
<br />
<a href="http://www.freepatentsonline.com/8458308.html">http://www.freepatentsonline.com/8458308.html</a><br />
<br />
On Aug 23, 2006 they filed this patent. It took until Jun 4, 2013 for it to be approved if I read this correctly.<br />
<br />
General history on DHCP fingerprinting from what I've found in my research on it over the years and my personal involvement in it:<br />
<br />
Dave Hull and George F Willard III publish a paper on it from their research at KU.<br />
Feb 2005 - <a href="http://kuscholarworks.ku.edu/dspace/bitstream/1808/584/1/NGDHCP.pdf">http://kuscholarworks.ku.edu/dspace/bitstream/1808/584/1/NGDHCP.pdf</a><br />
<br />
Many small spinoff programs start up based on the POC code and info.<br />
<br />
March 2005 - I'm sitting in Iraq and find out about it myself for the first time looking through packets with no idea of the paper published the month before. I was stoked when I first found out about using this technique and was a bit crushed when I found I wasn't the first to have found it.<br />
<br />
I publish a general paper on OS fingerprinting and start discussing DHCP fingerprinting in more detail<br />
August 2005 - <a href="http://chatteronthewire.org/download/OS%20Fingerprint.pdf">http://chatteronthewire.org/download/OS%20Fingerprint.pdf</a><br />
<br />
Sometime over the next two years I start working with David LaPorte from the PacketFence project to see if we can get something together to talk about DHCP fingerprinting at Blackhat. We eventually get accepted to present it at BH Japan in 2007:<br />
July 2007 - <a href="http://chatteronthewire.org/download/chatter-dhcp.pdf">http://chatteronthewire.org/download/chatter-dhcp.pdf</a><br />
October 2007 - <a href="http://chatteronthewire.org/download/bh-japan-laporte-kollmann-v8.ppt">http://chatteronthewire.org/download/bh-japan-laporte-kollmann-v8.ppt</a><br />
<br />
During the last of my research I found indications that everyone listed so far was at least 2 years behind on this idea when we started talking about it in 2005, since there was a group out of Japan in Feb 2003 that published something on it! Though I never found a translated copy of it at the time, you may be able to order a copy in Japanese <a href="http://sciencelinks.jp/j-east/article/200309/000020030903A0221182.php">here</a>:<br />
"New scheme for passive OS fingerprinting using DHCP message" - Joho Shori Gakkai Kenkyu Hokoku, Feb 2003!<br />
<br />
Since 2007 many large companies have finally gotten onto the bandwagon of DHCP fingerprinting, which I'm glad to see. It has taken 10 years since the first papers I'm aware of, and going on 6 years after the BH 2007 event, which seemed to generate a lot of interest. I know this since I had calls and some emails from at least one very large company now doing it and many small companies over the years.<br />
<br />
I'm hoping that this patent doesn't cause any issues in the world of using DHCP fingerprinting for OS identification, but only time will tell.xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-76412128243100892502013-06-12T21:19:00.000-06:002013-06-13T07:54:40.642-06:00Infoblox, new player in the DHCP fingerprinting worldI got a new Google Alert yesterday on "DHCP Fingerprinting"; I hadn't had much traffic on it in quite a while now. <br />
<br />
The notice I found was <a href="http://eon.businesswire.com/news/eon/20130610005300/en">here</a>.<br />
<br />
I'll admit I know nothing about this company, though I did like their writeup on <a href="http://www.infoblox.com/sites/infobloxcom/files/resources/infoblox-note-dhcp-fingerprinting.pdf">DHCP Fingerprinting</a>. It is only 2 pages long, so short and to the point, covering what most upper management needs. From their writeup I assume they are only doing Option 55 fingerprinting.<br />
<br />
With that said though I did find the original writeup a bit funny.<br />
<br />
"With the new Infoblox DHCP Fingerprinting technology, network administrators can see device type information - such as iOS or Android devices, an Xbox, or a Linksys router -"<br />
<br />
New? Did they say new? I presented on this in 2007, and a few people, myself included, were discussing it as early as 2005. So while it may be new for them, this is by no means new technology!<br />
<br />
Ok, all of that aside, it is cool to see another company using it. xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-68712891138048707212013-03-15T11:11:00.002-06:002013-03-15T11:11:22.611-06:00File updates to go with site change<span lang="EN-US">I've been quite happy with how quickly those that are using or have links to Satori have been able to update blog posts, URLs, and in this case a program to the new URL. I'm still waiting for some people to get back to me, but little by little it will get taken care of.</span><br />
<br />
Jeff updated his two programs that point to my website to grab fingerprint files. They can be found/downloaded here:<br />
<br />
<div class="MsoNormal">
<span lang="EN-US">DHCP Fingerprint Manager</span></div>
<div class="MsoNormal">
<span lang="EN-US"><a href="http://cycocrew.pagesperso-orange.fr/delphi/applications.html#DHCPFingerprintManager" target="_blank">http://cycocrew.pagesperso-orange.fr/delphi/applications.html#DHCPFingerprintManager</a></span></div>
<div class="MsoNormal">
<span lang="EN-US"><a href="http://cycocrew.pagesperso-orange.fr/delphi/DHCPFingerprintManager-1.00.09-Setup.exe" target="_blank">http://cycocrew.pagesperso-orange.fr/delphi/DHCPFingerprintManager-1.00.09-Setup.exe</a></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US">Fingerprint Editor</span></div>
<div class="MsoNormal">
<span lang="EN-US"><a href="http://cycocrew.pagesperso-orange.fr/delphi/applications.html#FingerprintEditor" target="_blank">http://cycocrew.pagesperso-orange.fr/delphi/applications.html#FingerprintEditor</a></span></div>
<div class="MsoNormal">
<span lang="EN-US"><a href="http://cycocrew.pagesperso-orange.fr/delphi/FingerprintEditor-1.00.11-Setup.exe" target="_blank">http://cycocrew.pagesperso-orange.fr/delphi/FingerprintEditor-1.00.11-Setup.exe</a></span></div>
xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-13741468748353427892013-03-13T21:54:00.001-06:002013-03-13T21:54:09.376-06:00UpdateSo my ISP decided to stop offering web hosting. It wasn't great to start with, but it was free and is where my programs and papers have been hosted for 10+ years, so I was a little sad to see http://myweb.cableone.net/xnih go away. It is out there in many newsgroups and many posts going back at least 7-8 years, but oh well.<br />
<br />
I purchased the name chatteronthewire.org as it was a name I've used for a lot of other things, this blog included, so I figured it made sense.<br />
<br />
While looking for places on the net where I at least had access to post info, I searched around and found http://myweb.cableone.net/xnih all over the place.<br />
<br />
The nice thing about that: I found 3 different articles that I didn't know about where either I or Satori is mentioned.<br />
<br />
Starting with 2009, I believe a Russian magazine. They are actually talking about NetworkMiner, but there appears to be a link to Satori. Page 39 here <a href="http://issuu.com/rus43x2/docs/xakep__5_2009">at xakep</a>. (If there is anything bad about the site or anything else, my apologies!)<br />
<br />
Late 2012, December time frame, a SANS Gold paper for his GCIA: "What's running on your network? Analyzing pcap data with tshark". My only complaint: my name is misspelled as always :) But it can be found <a href="http://www.giac.org/paper/gcia/8941/running-network/116813">here</a>.<br />
<br />
And the 3rd one I found was an article in the International Journal of Computer Applications from Feb of this year: "Investigation of DHCP Packets using Wireshark". My last name got hosed again, but I'm quite used to it these days! This paper can be found <a href="http://research.ijcaonline.org/volume63/number4/pxc3885155.pdf">here</a>, and I was just a reference.<br />
<br />
Can't say I've read either of the 2 papers there yet, but guess that will be this weekend's project.xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-68048926162708060102013-02-15T14:15:00.002-07:002013-02-15T14:15:58.683-07:00Catching upErik has released a new version of CapLoader and you can find more information <a href="http://www.netresec.com/?page=Blog&month=2013-01&post=CapLoader-1-1-Released">here</a>. One of the complaints I got when I posted about 1.0 was that people wanted a demo, and guess what, there is a demo version now along with a number of enhancements.<br />
<br />
Most of my time of late has been playing with my Raspberry Pi and looking at different options I can do with it.<br />
<br />
My main goal years ago for releasing my Linux version of Satori was to put it on a little system like this. In that vein I've started looking at rewriting Satori in Python and making the code available. This has been a goal for a long time and is not going very far very fast, but eventually I hope to have something to release!xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-89507359858089524682012-12-07T11:39:00.002-07:002012-12-07T11:39:33.263-07:00ICMP OS FingerprintingInteresting, this was in draft form, not sure how long it has been here, nor where I was going, but here it is as I left it..... <br />
<br />
Quite honestly I thought ICMP based OS Fingerprinting was dead and had been for years, now that almost all OSes default to running a firewall! I was quite surprised to see that NetScanTools Pro has an option in it to still do this.<br />
<br />
Happened to pick up an article from Laura Chappell, which had a link to this quicktime audio: http://www.screencast.com/users/laurachappell/folders/Media%20Roll/media/75047d06-2801-49b7-87d3-0e41a3abd500<br />
<br />
I really hate installing software that installs half a dozen other pieces of software (such as the C++ Redistributable; I mean, I understand why, but it just drives me nuts, I miss all-inclusive programs).xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-5101026144395016582012-12-07T11:38:00.000-07:002012-12-07T11:38:00.228-07:00Stuff in the Q...These come into my Google Alerts sometimes, but I don't always get around to them very timely.<br />
<br />
1. This one was from back in Oct. <a href="http://www.utdallas.edu/~zhiqiang.lin/file/SOCC12.pdf">Memory-Only Operating System Fingerprinting in the Cloud</a><br />
<br />
Has some interesting pieces of info in it. On my list to get back to and actually read all the way through instead of just skimming it.<br />
<br />
Abstract for those interested:<br />
Precise fingerprinting of an operating system (OS) is critical to many security and virtual machine (VM) management applications in the cloud, such as VM introspection, penetration testing, guest OS administration (e.g., kernel update), kernel dump analysis, and memory forensics. The existing OS fingerprinting techniques primarily inspect network packets or CPU states, and they all fall short in precision and usability. As the physical memory of a VM is always present in all these applications, in this paper, we present OS-SOMMELIER, a memory-only approach for precise and efficient cloud guest OS fingerprinting. Given a physical memory dump of a guest OS, the key idea of OS-SOMMELIER is to compute the kernel code hash for the precise fingerprinting. To achieve this goal, we face two major challenges: (1) how to differentiate the main kernel code from the rest of code and data in the physical memory, and (2) how to normalize the kernel code to deal with practical issues such as address space layout randomization. We have designed and implemented a prototype system to address these challenges. Our experimental results with over 45 OS kernels, including Linux, Windows, FreeBSD, OpenBSD and NetBSD, show that our OS-SOMMELIER can precisely fingerprint all the tested OSes without any false positives.<br />
<br />
2. This one I've been sitting on since back in September, though it may have been out much longer than that. That was when the Google Alert showed up.<br />
<br />
<a href="http://tools.netsa.cert.org/yaf/yafdhcp.html">YAF</a> does DHCP fingerprinting. It appears to just use the fingerprints from PacketFence based on the writing, but it is nice to see another program out there taking up DHCP fingerprinting.<br />
<br />
By looking at the order of the DHCP options in the DHCP requests from the Operating System's DHCP client, it may be possible to identify the client's OS version. The <strong>yaf</strong> DHCP fingerprinting plugin does exactly that. For flows that <strong>yaf</strong> has labeled as DHCP, <strong>yaf</strong> will look at the DHCP options if available in the payload captured for that flow. <strong>yaf</strong> specifically looks at Option 55. Option 55 requests a list of parameters. The order in which they are requested can usually identify the OS of the requesting IP address.<br />
<br />
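To make the Option 55 idea concrete, here is an added example (my own, not YAF's, PacketFence's or Satori's code) that parses the options out of a DHCP payload, pulls the Option 55 parameter request list in the exact order the client sent it, and looks that ordered list up in a small signature table. The table entries, the DISCOVER packets, the transaction id and the client MAC are all constructed for illustration; a real deployment would load a maintained fingerprint database.

```python
"""Passive DHCP Option 55 fingerprinting: constructed example."""
import struct
from typing import Dict, List, Optional, Tuple

BOOTP_HEADER_LEN = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed, illustrative table: exact Option 55 order -> label.
# Not a copy of any fingerprint database; a real deployment would load a maintained one.
FINGERPRINTS: Dict[str, str] = {
    "1,15,3,6,44,46,47,31,33,121,249,43": "Windows 7-style client (illustrative)",
    "1,3,6,15,119,252": "Apple-style client (illustrative)",
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "Linux dhclient-style client (illustrative)",
}


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {code: value} from a DHCP payload (fixed BOOTP header + magic cookie + options).
    PAD (0) is skipped, END (255) stops parsing, truncated options raise, and repeated
    codes are concatenated as RFC 3396 describes for long options."""
    if len(payload) < BOOTP_HEADER_LEN + 4 or payload[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (too short or bad magic cookie)")
    options: Dict[int, bytes] = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def option55_signature(options: Dict[int, bytes]) -> Optional[str]:
    """The parameter request list in the exact order the client sent it, e.g. '1,3,6,15'."""
    prl = options.get(55)
    if not prl:
        return None
    return ",".join(str(code) for code in prl)


def fingerprint(payload: bytes) -> Tuple[Optional[int], Optional[str], str]:
    """Return (DHCP message type, Option 55 signature, label) for one DHCP payload."""
    options = parse_dhcp_options(payload)
    msg_type = options[53][0] if options.get(53) else None
    sig = option55_signature(options)
    label = FINGERPRINTS.get(sig, "unknown") if sig else "no option 55"
    return msg_type, sig, label


def build_discover(prl: List[int], extra: bytes = b"") -> bytes:
    """Construct a DHCPDISCOVER payload carrying the given parameter request list."""
    header = bytearray(BOOTP_HEADER_LEN)
    header[0] = 1                                   # op = BOOTREQUEST
    header[1] = 1                                   # htype = Ethernet
    header[2] = 6                                   # hlen
    struct.pack_into("!I", header, 4, 0x3903F326)   # constructed transaction id
    header[28:34] = bytes.fromhex("021122334455")   # constructed client MAC
    options = bytes([53, 1, 1])                     # option 53: message type DISCOVER
    options += bytes([55, len(prl)]) + bytes(prl)   # option 55: parameter request list
    return bytes(header) + MAGIC_COOKIE + options + extra + b"\xff"


if __name__ == "__main__":
    for prl in ([1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 43], [1, 3, 6, 15, 119, 252], [1, 3, 6]):
        print(fingerprint(build_discover(prl)))
```

The signature really identifies the DHCP client implementation rather than the OS itself, so treat a match as an inventory hint and corroborate it with the other passive sources on the wire before acting on it.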
xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-60467581258229832932012-11-25T22:20:00.000-07:002012-11-25T22:20:28.689-07:00SinFP and Syn/Ack fingerprintingWith SinFP3 v1.2 they claim to do <a href="http://www.networecon.com/blog/2012/11/25/One-Packet-OS-Fingerprinting-And-API-Access-Unveiled/#.ULL56IaiHj4">one packet OS fingerprinting</a><br />
<br />
"The latest version of <a href="http://www.networecon.com/tools/sinfp/">SinFP3</a> (v1.20) introduces two new cool features: the ability to perform a SYN scan and doing OS fingerprinting at the same time. The idea is to use SYN|ACK answers to the SYN scanning process to accurately identify the remote operating system nature. The second new feature is a server mode allowing third-party applications to access the <a href="http://www.networecon.com/tools/sinfp/">SinFP3</a> fingerprinting engine. We also created a new output plugin to display results in a simpler manner than in previous versions of <a href="http://www.networecon.com/tools/sinfp/">SinFP3</a>."<br />
<br />
It is cool that since they are already scanning the systems and looking for open ports they've added the ability to use the Syn/Ack response and passively fingerprint the return data. p0f had a syn/ack feature and I added it to Satori back in the day, but I know p0fv2 didn't have a very big syn/ack DB and I honestly don't know how big Satori's is as I have it all rolled into the tcp.xml file. <br />
<br />
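For the SYN/ACK side of this, here is an added example (my own, not SinFP's, p0f's or Satori's code) that pulls out of a captured SYN/ACK the fields a p0f-style signature is built from (window size, IP TTL, DF bit, MSS, window scale and the order of the TCP options) and matches the resulting string against a small signature table. The packets, addresses and table entries are constructed for illustration, and checksums are not verified.

```python
"""Passive TCP SYN/ACK fingerprinting: constructed example, p0f-style signature."""
import struct
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative table: "window:ttl:df:mss:wscale:option-order" -> label.
# Not copied from p0f or Satori's tcp.xml; a real tool loads a maintained database.
SYNACK_SIGNATURES: Dict[str, str] = {
    "65535:64:1:1460:6:mss,nop,ws,nop,nop,ts,sackOK,eol": "BSD-like stack (illustrative)",
    "8192:128:1:1460:8:mss,nop,ws,nop,nop,sackOK": "Windows-like stack (illustrative)",
    "28960:64:1:1460:7:mss,sackOK,ts,nop,ws": "Linux-like stack (illustrative)",
}

OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sackOK", 8: "ts"}


def parse_ipv4(packet: bytes) -> Tuple[dict, bytes]:
    """Return the IP fields a fingerprint needs (ttl, df, proto) and the IP payload."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    return {"ttl": ttl, "df": (flags_frag >> 14) & 1, "proto": proto}, packet[ihl:]


def parse_tcp(segment: bytes) -> dict:
    """Return flags, window, MSS, window scale and the option kinds in wire order."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", segment[:16])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("bad data offset")
    opts = segment[20:data_off]
    order: List[str] = []
    mss: Optional[int] = None
    wscale: Optional[int] = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        order.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        if kind == 0:          # EOL: whatever follows is padding
            break
        if kind == 1:          # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        value = opts[i + 2:i + length]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", value)[0]
        elif kind == 3 and length == 3:
            wscale = value[0]
        i += length
    return {"flags": off_flags & 0x1FF, "window": window, "mss": mss, "wscale": wscale, "options": order}


def is_syn_ack(flags: int) -> bool:
    return (flags & 0x12) == 0x12 and not (flags & 0x04)   # SYN and ACK set, RST clear


def synack_signature(packet: bytes) -> Optional[str]:
    """Signature string for a SYN/ACK, or None if the packet is not one."""
    ip, segment = parse_ipv4(packet)
    if ip["proto"] != 6:
        return None
    tcp = parse_tcp(segment)
    if not is_syn_ack(tcp["flags"]):
        return None
    mss = "*" if tcp["mss"] is None else tcp["mss"]
    ws = "*" if tcp["wscale"] is None else tcp["wscale"]
    return f"{tcp['window']}:{ip['ttl']}:{ip['df']}:{mss}:{ws}:{','.join(tcp['options'])}"


def classify(packet: bytes) -> str:
    sig = synack_signature(packet)
    if sig is None:
        return "not a SYN/ACK"
    return SYNACK_SIGNATURES.get(sig, "unknown")


def build_synack(ttl: int, df: int, window: int, options: bytes, flags: int = 0x012) -> bytes:
    """Construct an IPv4+TCP segment for testing (checksums left zero; not verified here)."""
    options += b"\x00" * ((-len(options)) % 4)            # pad options to a 32-bit boundary
    data_off = 20 + len(options)
    tcp = struct.pack("!HHIIHH", 443, 51515, 0x11223344, 0x55667789,
                      ((data_off // 4) << 12) | flags, window) + b"\x00" * 4 + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


if __name__ == "__main__":
    win = build_synack(128, 1, 8192, bytes.fromhex("020405b40103030801010402"))
    print(synack_signature(win), "->", classify(win))
```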
I need to look at their fingerprint file and see if it is something I can incorporate into Satori. If it appears feasible to convert what I get back into the same format, I'll have to follow up with the authors and see about adding it in. That just means finding time to play with SinFP now! Not sure when that will happen, but it has been added to the list.xnihhttp://www.blogger.com/profile/13163054542096571716noreply@blogger.com0tag:blogger.com,1999:blog-5343200444918965958.post-43653360104103178242012-10-05T16:00:00.001-06:002012-10-05T16:00:36.269-06:00Network Forensics - How to get better atOk, I like to toy in the network forensics world, but it is hard to get any better at it when I have so little time to dedicate to it on top of everything else going on with life and work!<br />
<br />
Let's digress a bit. I like to play a game on Facebook, almost 2 years sunk into it when I have spare time, called Battle Pirates. In trying to track down an issue way back when the game started, I realized that it sent some info in the clear about what was going on. JSON files would provide you with whose ship was going across the map, where it was going and how strong the fleet was. They might have a simple ship as the lead ship, making it look weak, but seeing it was a lvl 40 fleet you knew it was a farce. I also realized I could see bases under their fog of war. At the initial time the only way to find someone was to scout, remove the fog of war and find their base, but by scanning around the map, even with the FOW there, I could still see underneath it because the data was on the wire to read if you knew how.<br />
<br />
Eventually they lifted the whole idea of the fog of war and I stopped paying much attention to what I could pull, until I got bored with the game and was about to quit. I noticed that I could actually tell, based on the JSON files, exactly what was on a fleet when it was launched. Once it was on the water all I could do was get updates on where it was going, etc., but if I was "watching" when it was launched, I could get exactly what was on it. Only problem was it was in code looking something like this:<br />
...[["create","oid",999999,"level",7,"on","Some User","type",3,"minidata",{"hullid":30},"x",999999900,"y",58500,"fleetid",3]],"updated_at":"99999999.837","transitionid":"99999999","data":{"fleet":{"mpm":0,"ships":[{"weapons":[104,112],"hullID":30,"tacticalModules":[],"armors":[303,303],"actives":{"flt":3,"fltp":1,"hp":192,"bid":99999,"f":1,"rank":5,"id":14},"specials":[550]},{"weapons":[121,104],"hullID":30,"tacticalModules":[],"armors":[310,310],"actives":{"flt":3,"fltp":4,"hp":172,"bid":99999,"f":0,"rank":3,"id":15},"spels":[550]},{"weapons":[104,121],"hullID":30,"tacticalModules":[],"armors":[302,302],"actives":{"flt":3,"fltp":2,"hp":132,"bid":99999,"f":0,"rank":5,"id":13},"specials":[550]},{"weapons":[182,182],"hullID":45,"tacticalModules":[],"armors":[312],"actives":{"flt":3,"fltp":3,"hp":362,"bid":99999,"f":0,"rank":0,"id":27},"specials":[530]},{"weapons":[182,182],"hullID":45,"tacticalModules":[],"armors":[320],"actives":{"flt":3,"fltp":5,"hp":225,"bid":99999,"f":0,"rank":0,"id":28},"specials":[500]}],"fspd":55,"adstats":[],"fnum":1,"mcap":28613,"fid":3}}<br />
<br />
<br />
It provided me with where it was launched from, the rank and HP on the ship, the armor, any specials, and any tact modules along with the type of ship.<br />
<br />
Only problem was looking through what I could find to translate those numbers to actual useful info.<br />
<br />
I never did find it in the swf file, but didn't look too hard there, instead, little by little I launched my fleets, compared what I had on them to what it reported and built out a list.<br />
<br />
I rarely use the program except to try to spot new ships being launched that I may not have, or to identify new weapons, armor, etc and then ask the people if they are ones I know.<br />
<br />
My latest trick was to notice that at the end of the battle you can see what was on the fleet you just battled. With that in mind and the tweaks they made today to BP, I decided to list out what was on the new fleets. This is subject to change, as just before this writing most Drac fleets disappeared off the map; I believe Kixeye may be revamping them due to outcry from those that don't like today's changes, but I digress. Here are the ones I've checked so far (had to do this manually via a packet capture and my list of numbers, as it wasn't programmed into my program to dissect this):<br />
<br />
29:<br />
1 - LightCruiser (HP:980)<br />
specials:[Sonar3,SFB1]<br />
weapons:[D53C,D53M,D53R]<br />
armors:[Unknown93,Unknown93]<br />
2 - LightCruiser (HP:980)<br />
specials:[Sonar3,AA2]<br />
weapons:[D71N,D71L,D71A]<br />
armors:[Unknown93,Unknown93]<br />
3 - Battleship (HP:3188)<br />
specials:[Sonar3,SFB2,Autoload3]<br />
weapons:[D71N,D71L,D71A,D53C,D53M,D53R]<br />
armors:[Unknown94,Unknown94]<br />
4 - Battlecruiser (HP:1478)<br />
specials:[Sonar3,Eng2,HB2]<br />
weapons:[D33P,D33A,D33P,D33A]<br />
armors:[Unknown92,Unknown92]<br />
5 - LightCruiser (HP:642)<br />
specials:[Sonar3,AA2]<br />
weapons:[D35S,D35S]<br />
armors:[Unknown93]<br />
<br />
37:<br />
1 - LightCruiser (HP:980)<br />
specials:[Sonar3,SFB2]<br />
weapons:[D53C,D53M,D53R]<br />
armors:[Armor93,Armor93]<br />
2 - Battlecruiser (HP:1732)<br />
specials:[Sonar3,HB2]<br />
weapons:[D33P,D33A,D33P,D33A]<br />
armors:[Armor93,Armor93]<br />
3 - Dreadnought (HP:8749)<br />
specials:[Sonar3,AA3,SFB3,Laser3]<br />
weapons:[D53C,D53M,D53R,D53C,D93M,D93R,D33P,D33X]<br />
armors:[Armor95,Armor95,Armor95,Armor95]<br />
4 - Battlecruiser (HP:1732)<br />
specials:[Sonar3,HB2,Eng2]<br />
weapons:[D33P,D33A,D33P,D33A]<br />
armors:[Armor93,Armor93]<br />
5 - LightCruiser (HP:642)<br />
specials:[Sonar3,SFB2]<br />
weapons:[D53C,D53M,D53R]<br />
armors:[Armor93]<br />
<br />
45:<br />1 - Battlecruiser (HP:2546)<br />specials:[Sonar3,SFB3,AA2]<br />weapons:[D51L,D51A,D53M,D53R]<br />armors:[Armor95,Armor95]<br />2 - Battlecruiser (HP:2586)<br />specials:[Sonar3,AA2,HB3]<br />weapons:[D71N,D71L,D71A,D33P]<br />armors:[Armor95,Armor95]<br />3 - Battleship (HP:5220)<br />specials:[RA3,Eng3,HB3]<br />weapons:[D35S,D35S,D35S,D35X,D35X,D35X]<br />armors:[Armor95,Armor96,Armor95]<br />4 - Battleship (HP:4515)<br />specials:[AA3,HB3,HES3]<br />weapons:[D33X,D33P,D33A,D71N,D71L,D71A]<br />armors:[Armor96,Armor95]<br />5 - Battleship (HP:4874)<br />specials:[AA3,SFB3,Laser3]<br />weapons:[D53C,D53M,D53M,unknown,D71A]<br />armors:[Armor96,Armor96]<br />
<br />
55:<br />1 - Battleship (HP:6378)<br />specials:[Sonar3,AA3,HES3]<br />weapons:[D71L,D71L,D71L,D71L,D33P,D33A]<br />armors:[Unknown96,Unknown96,Unknown96]<br />2 - Battleship (HP:6258)<br />specials:[Sonar3,AA3,SFB3]<br />weapons:[D71L,D71L,D53C,D53C,D53M,D53R]<br />armors:[Unknown96,Unknown96,Unknown96]<br />3 - Battleship (HP:6578)<br />specials:[Eng3,HB3,AA3]<br />weapons:[D33X,D33X,D33P,D33P,D33A,D33A]<br />armors:[Unknown96,Unknown96,Unknown96]<br />4 - Battleship (HP:6258)<br />specials:[Sonar3,AA3,SFB3]<br />weapons:[D53C,D53M,D53R,D71L,D71L,D93C]<br />armors:[Unknown96,Unknown96,Unknown96]<br />5 - Battleship (HP:6258)<br />specials:[HB3,Eng3,unknown]<br />weapons:[D35L,D35L,D35S,D35S,D35X,D35X]<br />armors:[Unknown96,Unknown96,Unknown96]<br />
<br />
One thing I've noticed of late is the armor on the drac fleets is different than what we as players have access to. Also, all the drac hulls, while named the same, are different IDs, so they may have different specs than the ones players have. The weapons and specials, for the most part though, all seem to be the same as what we have access to, except for some of the weapons and tacticals that were in the last 2 raids.<br />
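The fleet listings above are regular enough to be parsed back into records, which makes a later capture easy to diff against an earlier one instead of re-reading both by eye, and keeps a count of the item IDs the decoder could not resolve (the "unknown" entries) rather than silently dropping them. The parser below is an added example written for this post, not the author's own tooling; it assumes only the listing layout shown here (a level header, then `N - Hull (HP:x)` followed by specials/weapons/armors lines), and its sample input is constructed in that shape, including the slips a hand-pasted listing can carry (a missing bracket or colon, a trailing comma, mixed case).

```python
import re
from collections import Counter

# Constructed sample in the shape of the level-55 listing above, paste slips included.
SAMPLE = """55:
(1) - Battleship (hp:6378)
specials[Sonar3,AA3,HES3]
weapons:D71L,D71L,D71L,D71L,D33P,D33A]
armors:[Unknown96,Unknown96,Unknown96]
(5) - Battleship (hp:6258)
specials:[HB3,Eng3,unknown],
weapons:D35L,D35L,D35S,D35S,D35X,D35X]
armors:[Unknown96,Unknown96,Unknown96]
"""

LEVEL_RE = re.compile(r"^(\d+)\s*:$")
# '1 - Hull (HP:123)', '(1) - Hull (hp:123)' and 'HP: 123' all occur in the pastes
SHIP_RE = re.compile(r"^\(?(\d+)\)?\s*-\s*(\w+)\s*\(\s*hp\s*:\s*(\d+)\s*\)$", re.I)
# tolerate a missing ':' or '[' and a stray ',' after the closing ']'
SLOT_RE = re.compile(r"^(specials|weapons|armors)\s*:?\s*\[?([^\]]*)\]?\s*,?$", re.I)

def parse_fleets(text):
    """Return {level: [ship, ...]}; each ship is a dict with slot, hull, hp and item lists."""
    fleets, level, ship = {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := LEVEL_RE.match(line):
            level = int(m.group(1))
            fleets.setdefault(level, [])
        elif m := SHIP_RE.match(line):
            if level is None:
                raise ValueError(f"ship before any level header: {line!r}")
            ship = {"slot": int(m.group(1)), "hull": m.group(2), "hp": int(m.group(3)),
                    "specials": [], "weapons": [], "armors": []}
            fleets[level].append(ship)
        elif m := SLOT_RE.match(line):
            if ship is None:
                raise ValueError(f"item line before any ship: {line!r}")
            ship[m.group(1).lower()] = [p.strip() for p in m.group(2).split(",") if p.strip()]
        else:
            raise ValueError(f"unrecognised line: {line!r}")  # fail loud, never drop data
    return fleets

def unresolved_ids(fleets):
    """Count item names the decoder could not map to a known ID ('unknown', 'Unknown96', ...)."""
    return Counter(item for ships in fleets.values() for s in ships
                   for kind in ("specials", "weapons", "armors")
                   for item in s[kind] if item.lower().startswith("unknown"))
```

Running `parse_fleets(SAMPLE)` yields one level-55 entry with two ships, and `unresolved_ids` on it reports six `Unknown96` armors and one `unknown` special.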
<br />
OK, so what does all this have to do with Network Forensics? Only that you have to get comfortable with looking at tons of packet captures and be willing to go back over them afterwards, because you never know what you may have missed in the past! The fact that I could see launched fleets and killed fleets was there in my packet captures from a year ago, but up until recently I hadn't seen it, because I was filtering them down to what I thought I wanted to see and missing what I really wanted in the process!