Message-ID: <20080701134709.GA14457@2ka.mipt.ru>
Date:	Tue, 1 Jul 2008 17:47:10 +0400
From:	Evgeniy Polyakov <johnpol@....mipt.ru>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	Jeff Garzik <jeff@...zik.org>, netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org
Subject: Re: Passive OS fingerprinting.

On Tue, Jul 01, 2008 at 03:35:02PM +0200, Patrick McHardy (kaber@...sh.net) wrote:
> >It sure would be nice for regular socket applications to have an easy, 
> >unprivileged way to query the OS fingerprint information of a given 
> >socket.
> 
> I'm not sure how much OSF depends on the TTL, but doing this
> more than one hop away from the host (or without knowledge of
> the number of hops) makes using the TTL basically impossible.

There are three modes in OSF: LAN, where things are simple; no-ttl, where
things are even simpler and false-positive-prone; and heuristic mode,
which checks the TTL, but with some add-ons. For example, if the TTL is 31, it
is possible that it is an OS with an initial TTL equal to 32, or another OS
with an initial TTL of 48, and whichever other checks succeed for those cases
determine what the OS is.

It works quite well on the internet, not only on a LAN, since it is frequently
enough to only roughly determine the initial TTL.

> >Another use case is validating whether a browser is "lying" about its 
> >OS, when parsing HTTP user-agent info, or in general when any remote 
> >agent is "lying" about its OS.  Security software can use that as an 
> >additional red-flag factor. 
> 
> I for one would be much happier to only have netfilter as a user
> of this :)

Security checkers do like to put their hands into sooo deep places in the stack :)

-- 
	Evgeniy Polyakov
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
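The three TTL modes described in the message above, as an added user-space sketch that is not code from the netfilter OSF module or from anyone in this thread. The signature table (placeholder genres, window/DF/MSS values), the observed SYN values, and the function names `osf_match`, `osf_count` and `osf_first_distance` are all constructed here for illustration; the heuristic rule used (observed TTL must not exceed the signature's initial TTL, the difference being the implied hop count) is an assumption about what "checks ttl, but with some addons" means, not a statement of what the kernel code does.

```c
/* Added example: LAN / no-ttl / heuristic TTL handling for passive OS
 * fingerprinting. Not from the OSF module; table and inputs are constructed. */
#include <stdio.h>
#include <stddef.h>

enum osf_mode { OSF_LAN, OSF_NOTTL, OSF_HEURISTIC };

/* A fingerprint entry: initial TTL plus the other checks a signature carries. */
struct osf_sig {
    const char *genre;
    int init_ttl;   /* TTL the OS puts on outgoing packets */
    int window;     /* TCP window size in the SYN */
    int df;         /* IP don't-fragment bit */
    int mss;        /* TCP MSS option */
};

/* Fields observed in one incoming SYN. */
struct osf_obs { int ttl, window, df, mss; };

/* One candidate: which signature matched and how many hops away it implies. */
struct osf_match { const struct osf_sig *sig; int distance; };

/* Constructed table; genres are placeholders, not real OS signatures. */
static const struct osf_sig sigs[] = {
    { "genre-A",  32,  8192, 1, 1460 },
    { "genre-B",  48, 16384, 1, 1460 },
    { "genre-C",  64, 65535, 1, 1460 },
    { "genre-D", 128, 64240, 1, 1460 },
};
#define NSIGS (sizeof(sigs) / sizeof(sigs[0]))

/* The non-TTL checks; identical in every mode. */
static int other_checks_ok(const struct osf_sig *s, const struct osf_obs *o)
{
    return s->window == o->window && s->df == o->df && s->mss == o->mss;
}

/* TTL check for one signature. Returns 1 on match, with the implied hop
 * distance in *dist (0 for LAN, -1 for "unknown" in no-ttl mode). */
static int ttl_ok(enum osf_mode mode, const struct osf_sig *s, int ttl, int *dist)
{
    switch (mode) {
    case OSF_LAN:        /* same segment: TTL must be untouched */
        *dist = 0;
        return ttl == s->init_ttl;
    case OSF_NOTTL:      /* ignore TTL: simplest, most false positives */
        *dist = -1;
        return 1;
    case OSF_HEURISTIC:  /* TTL only decrements, so observed <= initial */
        if (ttl > s->init_ttl)
            return 0;
        *dist = s->init_ttl - ttl;
        return 1;
    }
    return 0;
}

/* Collect every signature consistent with the observation in the given mode.
 * Returns the number of candidates written to out (at most max). */
int osf_match(enum osf_mode mode, const struct osf_obs *o,
              struct osf_match *out, int max)
{
    int n = 0;
    for (size_t i = 0; i < NSIGS && n < max; i++) {
        int dist;
        if (!ttl_ok(mode, &sigs[i], o->ttl, &dist) || !other_checks_ok(&sigs[i], o))
            continue;
        out[n].sig = &sigs[i];
        out[n].distance = dist;
        n++;
    }
    return n;
}

/* One-shot helpers: candidate count, and the first candidate's hop distance
 * (-2 when nothing matched). */
int osf_count(enum osf_mode mode, int ttl, int window, int df, int mss)
{
    struct osf_obs o = { ttl, window, df, mss };
    struct osf_match m[NSIGS];
    return osf_match(mode, &o, m, NSIGS);
}

int osf_first_distance(enum osf_mode mode, int ttl, int window, int df, int mss)
{
    struct osf_obs o = { ttl, window, df, mss };
    struct osf_match m[NSIGS];
    return osf_match(mode, &o, m, NSIGS) > 0 ? m[0].distance : -2;
}

int main(void)
{
    /* TTL 31 fits init 32 one hop away or init 48 seventeen hops away;
     * the window size settles which one. */
    struct osf_obs syn = { 31, 16384, 1, 1460 };
    struct osf_match m[NSIGS];
    int n = osf_match(OSF_HEURISTIC, &syn, m, NSIGS);
    for (int i = 0; i < n; i++)
        printf("heuristic: %s, %d hops away\n", m[i].sig->genre, m[i].distance);
    /* TTL 200 cannot come from an OS starting at 64; no-ttl mode says it can. */
    printf("ttl 200 / win 65535: no-ttl %d candidate(s), heuristic %d\n",
           osf_count(OSF_NOTTL, 200, 65535, 1, 1460),
           osf_count(OSF_HEURISTIC, 200, 65535, 1, 1460));
    return 0;
}
```

The LAN mode rejects the TTL-31 SYN outright because no signature starts at 31, the no-ttl mode accepts a TTL-200 packet against a 64-TTL genre (the false positive the message warns about), and only the heuristic mode both accepts the routed packet and reports how far away it is.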
