lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 7 Apr 2007 17:44:03 +0200
From: GomoR <bt@...or.org>
To: Jim Hoagland <jim_hoagland@...antec.com>
Cc: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation

On Tue, Apr 03, 2007 at 02:23:21PM -0700, Jim Hoagland wrote:
[..]
> [2]
> http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.
> pdf ( http://preview.tinyurl.com/2qrglc )

Hello Jim,

you have a section on stack fingerprint in your report.
I find it rather odd to no see the use of SinFP [1] (my tool, 
shameless plug).

It is able to identify Vista since BETA2. With or without 
firewall activated (there need to be one open TCP port, 
though). Furthermore, you would have been able to analyze 
the IPv6 stack also.

Currently your stack analysis is based on nmap, and is made 
harder than if you have used SinFP. I will show different 
signatures obtained with SinFP:


For IPv4 stacks:

Windows XP (SP2, but no difference between SPs):
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0

Windows Vista (BETA2):
P1: B11113 F0x12 W8192 O0204ffff M1460
P2: B11113 F0x12 W8192 O0204ffff030308010402080affffffff44454144 M1460
P3: B11121 F0x04 W0 O0 M0

Windows Vista (RC1 && final):
P1: B11113 F0x12 W8192 O0204ffff M1460
P2: B11113 F0x12 W8192 O0204ffff010303080402080affffffff44454144 M1460
P3: B11121 F0x04 W0 O0 M0

For IPv6 stacks:

Windows XP (SP2):
P1: B10013 F0x12 W17080 O0204ffff M1440
P2: B10013 F0x12 W17280 O0204ffff M1440
P3: B10020 F0x04 W0 O0 M0

Windows Vista (BETA2):
P1: B10013 F0x12 W8192 O0204ffff M1440
P2: B10013 F0x12 W8192 O0204ffff030308010402080affffffff44454144 M1440
P3: B10021 F0x04 W0 O0 M0

Windows Vista (RC1 && final):
P1: B10013 F0x12 W8192 O0204ffff M1440
P2: B10013 F0x12 W8192 O0204ffff010303080402080affffffff44454144 M1440
P3: B10021 F0x04 W0 O0 M0

So, I think it is easier to compare TCP/IP stacks with signatures 
like that, but it is only my viewpoint ;)


[1] http://www.gomor.org/sinfp

-- 
  ^  ___  ___             http://www.GomoR.org/          <-+
  | / __ |__/          Systems & Security Engineer         |
  | \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
  +-->  Net::Frame <=> http://search.cpan.org/~gomor/  <---+

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ