[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20070407154401.GA2438@dani.enslaved.lan>
Date: Sat, 7 Apr 2007 17:44:03 +0200
From: GomoR <bt@...or.org>
To: Jim Hoagland <jim_hoagland@...antec.com>
Cc: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Nine Vista CVEs, including Microsoft inaccurate Teredo use case documentation
On Tue, Apr 03, 2007 at 02:23:21PM -0700, Jim Hoagland wrote:
[..]
> [2]
> http://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.
> pdf ( http://preview.tinyurl.com/2qrglc )
Hello Jim,
you have a section on stack fingerprint in your report.
I find it rather odd to no see the use of SinFP [1] (my tool,
shameless plug).
It is able to identify Vista since BETA2. With or without
firewall activated (there need to be one open TCP port,
though). Furthermore, you would have been able to analyze
the IPv6 stack also.
Currently your stack analysis is based on nmap, and is made
harder than if you have used SinFP. I will show different
signatures obtained with SinFP:
For IPv4 stacks:
Windows XP (SP2, but no difference between SPs):
P1: B11113 F0x12 W65535 O0204ffff M1460
P2: B11113 F0x12 W65535 O0204ffff010303000101080a000000000000000001010402 M1460
P3: B11021 F0x04 W0 O0 M0
Windows Vista (BETA2):
P1: B11113 F0x12 W8192 O0204ffff M1460
P2: B11113 F0x12 W8192 O0204ffff030308010402080affffffff44454144 M1460
P3: B11121 F0x04 W0 O0 M0
Windows Vista (RC1 && final):
P1: B11113 F0x12 W8192 O0204ffff M1460
P2: B11113 F0x12 W8192 O0204ffff010303080402080affffffff44454144 M1460
P3: B11121 F0x04 W0 O0 M0
For IPv6 stacks:
Windows XP (SP2):
P1: B10013 F0x12 W17080 O0204ffff M1440
P2: B10013 F0x12 W17280 O0204ffff M1440
P3: B10020 F0x04 W0 O0 M0
Windows Vista (BETA2):
P1: B10013 F0x12 W8192 O0204ffff M1440
P2: B10013 F0x12 W8192 O0204ffff030308010402080affffffff44454144 M1440
P3: B10021 F0x04 W0 O0 M0
Windows Vista (RC1 && final):
P1: B10013 F0x12 W8192 O0204ffff M1440
P2: B10013 F0x12 W8192 O0204ffff010303080402080affffffff44454144 M1440
P3: B10021 F0x04 W0 O0 M0
So, I think it is easier to compare TCP/IP stacks with signatures
like that, but it is only my viewpoint ;)
[1] http://www.gomor.org/sinfp
--
^ ___ ___ http://www.GomoR.org/ <-+
| / __ |__/ Systems & Security Engineer |
| \__/ | \ ---[ zsh$ alias psed='perl -pe ' ]--- |
+--> Net::Frame <=> http://search.cpan.org/~gomor/ <---+
Powered by blists - more mailing lists