Kuro5hin.org: technology and culture, from the trenches
IDing remote hosts, without them knowing

By noeld in News
Mon May 01, 2000 at 04:32:36 PM EST
Tags: Security (all tags)

Lance Spitzner tells us about IDing remote hosts without them knowing, using Passive Fingerprinting.
"One of the challenges of network security is learning about the bad guys. To understand your threats and better protect against them, you have to Know Your Enemy. Passive Fingerprinting is a method to learn more about the enemy, without them knowing it. Specifically, you can determine the operating system and other characteristics of the remote host using nothing more than sniffer traces. Though not 100% accurate, you can get surprisingly good results."
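The quoted paragraph describes the method but not what a sniffer trace actually gives you to work with. The following is an added example, not code from Spitzner's article or from this site: it reads the four attributes passive fingerprinting classically uses from a captured TCP SYN (observed TTL, TCP window size, the DF bit and the IP TOS byte), rounds the TTL up to a likely initial value to estimate hop count, and matches against a signature table. The trace line format, the host addresses and every signature in the table are constructed for illustration and are not a real fingerprint database; the point is to show why the result is "not 100% accurate": several stacks can share a profile, and a SYN that matches nothing is a normal outcome.

```python
"""Passive OS fingerprinting from captured TCP SYN attributes (added example).

Signature values and trace lines below are CONSTRUCTED placeholders, not a
real database; a real deployment would load a maintained signature set.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Signature:
    """Attributes a passive fingerprinter reads from a SYN."""
    os_name: str
    initial_ttl: int   # TTL the stack starts with (commonly 32, 64, 128, 255)
    window: int        # advertised TCP window size
    df: bool           # IP Don't Fragment bit set
    tos: int           # IP Type of Service byte


# Constructed, illustrative signatures (assumption: not real OS profiles).
SIGNATURES = [
    Signature("example-os-A", 64, 32120, True, 0x00),
    Signature("example-os-B", 128, 8192, True, 0x00),
    Signature("example-os-C", 255, 8760, False, 0x10),
]

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value.

    Every router hop decrements TTL by one, so a captured TTL of 51 most
    likely started at 64 and crossed 13 hops. Returns (initial, hops).
    """
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    # TTL is an 8-bit field, so anything else is a malformed record.
    raise ValueError(f"impossible TTL {observed_ttl}")


# Assumed trace line format (constructed for this example):
#   src=<ip> dst=<ip> ttl=<n> win=<n> df=<0|1> tos=0x<hh>
TRACE_RE = re.compile(
    r"src=(\S+) dst=(\S+) ttl=(\d+) win=(\d+) df=([01]) tos=0x([0-9a-fA-F]{2})"
)


def parse_trace_line(line):
    """Return a dict of SYN attributes, or None for lines that don't match."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    src, dst, ttl, win, df, tos = m.groups()
    return {"src": src, "dst": dst, "ttl": int(ttl), "win": int(win),
            "df": df == "1", "tos": int(tos, 16)}


def fingerprint(pkt):
    """List (os_name, estimated_hops) for every signature matching this SYN.

    Zero matches (unknown stack) or several (colliding profiles) are both
    expected results; the caller should treat the answer as a hint.
    """
    initial, hops = guess_initial_ttl(pkt["ttl"])
    return [(s.os_name, hops) for s in SIGNATURES
            if s.initial_ttl == initial and s.window == pkt["win"]
            and s.df == pkt["df"] and s.tos == pkt["tos"]]


def fingerprint_trace(lines):
    """Map each source address in a trace to its fingerprint matches."""
    results = {}
    for line in lines:
        pkt = parse_trace_line(line)
        if pkt is None:
            continue  # skip noise / non-SYN records
        results[pkt["src"]] = fingerprint(pkt)
    return results


# Constructed sample trace (documentation-range addresses, invented values).
SAMPLE_TRACE = [
    "src=198.51.100.7 dst=203.0.113.5 ttl=51 win=32120 df=1 tos=0x00",
    "src=198.51.100.9 dst=203.0.113.5 ttl=116 win=8192 df=1 tos=0x00",
    "src=198.51.100.11 dst=203.0.113.5 ttl=60 win=5840 df=1 tos=0x00",
    "this line is not a SYN record and is skipped",
]

if __name__ == "__main__":
    for src, matches in fingerprint_trace(SAMPLE_TRACE).items():
        print(src, matches or "no signature match")
```

Running the module prints one line per source: the first two hosts resolve to a single constructed profile with an estimated hop count, the third matches nothing because its window size is not in the table. That last case is the one worth keeping in mind when reading fingerprint output from real traffic: an empty or ambiguous answer is information too, and a stack can be configured to advertise values that mimic another system.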


IDing remote hosts, without them knowing | 23 comments (23 topical, editorial, 0 hidden)
not thorough enough... (1.00 / 1) (#17)
by Prep on Mon May 01, 2000 at 07:57:40 AM EST

Prep voted -1 on this story.

not thorough enough

Interesting article, the technique ... (none / 0) (#14)
by h2odragon on Mon May 01, 2000 at 08:33:41 AM EST

h2odragon voted 1 on this story.

Interesting article, the technique seems a bit too easy to fool for it to replace nmap's OS ID. Hopefully they'll have the signature database they mention actually available by the time this hits the front page.

I'm sick and tired of articles that... (3.70 / 3) (#5)
by inspire on Mon May 01, 2000 at 08:36:31 AM EST

inspire voted -1 on this story.

I'm sick and tired of articles that just link to rootprompt, and use the first paragraph as a feeder. Please stop.
--
What is the helix?

I can read this on rootprompt.org, ... (3.00 / 2) (#1)
by bmetzler on Mon May 01, 2000 at 08:55:16 AM EST

bmetzler voted -1 on this story.

I can read this on rootprompt.org, I don't need another link here.
www.bmetzler.org - it's not just a personal weblog, it's so much more.

Nice article +1. ... (none / 0) (#9)
by schporto on Mon May 01, 2000 at 08:55:30 AM EST

schporto voted 0 on this story.

Nice article +1. No write up or discussion of points -1. -cpd

So what? Neither you nor the artic... (2.00 / 1) (#11)
by heinzkeinz on Mon May 01, 2000 at 09:13:02 AM EST

heinzkeinz voted -1 on this story.

So what? Neither you nor the article give much indication of the consequences of this. Why should I care?

... (1.00 / 1) (#7)
by dlc on Mon May 01, 2000 at 10:01:27 AM EST

dlc voted 1 on this story.


(darren)

Security :-)... (none / 0) (#4)
by gnuchris on Mon May 01, 2000 at 11:05:18 AM EST

gnuchris voted 1 on this story.

Security :-)
"He had a lot to say, He had a lot of nothing to say" -TOOL-

Your marketing campaign backfires o... (2.00 / 1) (#6)
by End on Mon May 01, 2000 at 11:06:41 AM EST

End voted -1 on this story.

Your marketing campaign backfires on itself when you go around spamming weblogs with links to the latest articles on your own site. I thought rootprompt was interesting when I first saw an article from there in a k5 story, but now I'm sick of them and their weblog spamming. This submitted the exact same thing, anonymously, to geeky.org too.

-JD

Re: Your marketing campaign backfires o... (none / 0) (#19)
by noeld on Tue May 02, 2000 at 07:10:05 AM EST

spamming weblogs with links to the latest articles on your own site.

I am not spamming weblogs or anyone else.

I am not flooding anyone with irrelevant or inappropriate messages. I am not trolling or Excessive Cross-Posting. On my site I request submissions; the ones I like and that I think others will like I approve, the others I do not. I do not care if the author submits his own stuff or a stranger. I do not care if they submit every story they write. I would care if they submitted the same story ten times a day every day, or a hundred. That would be spam. Submitting one article a day on bicycle racing to my site could be considered spam. A submission queue is not a public forum.

This article must be on topic and interesting or it would not have been voted onto the front page.

This is also not a "marketing campaign"; I submitted the article here because I thought it would be appreciated. As it was voted onto the front page it must have been appreciated. I respect the opinions of those that have read the article on RootPrompt.org and those that just do not like the article or those that feel there is too much rootprompt/mp3/whatever here. They can vote -1, fine with me. Other places can post it or not, their choice.

I don't have an account on geeky, so I had to post it anonymously. So what? They like it they post it they don't they don't post it. Up to them and again a submission queue is not a public forum.

An interesting thing about geeky.org: on the bottom it says copyright the management. It would appear that they are holding their copyright anonymously ;-)

As for the comment by End aka JD let me define the following term:

Troll
1; regularly posts specious arguments, flames or personal attacks to a newsgroup, discussion list, or in email for no other purpose than to annoy someone or disrupt a discussion. Trolls are recognizable by the fact that they have no real interest in learning about the topic at hand - they simply want to utter flame bait. Like the ugly creatures they are named after, they exhibit no redeeming characteristics, and as such, they are recognized as a lower form of life on the net, as in, "Oh, ignore him, he's just a troll."

If you will note his posting says nothing about the quality of the article or the subject the article was written about it says when you go around spamming and I'm sick of them it feels like a personal attack to me. It after all does not say the article is off topic or badly written. Sounds like a troll to me.

As for me this topic is now closed. As the jargon file says ...comes from mainstream "trolling", a style of fishing in which one trails bait through a likely spot hoping for a bite.. Well I bit even though I should have ignored it, and am not going to bite anymore. As the definition of troll says that one should just ignore trolls.

Noel

[ Parent ]

Re: Your marketing campaign backfires o... (none / 0) (#22)
by End on Tue May 02, 2000 at 11:26:09 PM EST

An interesting thing about geeky.org: on the bottom it says copyright the management. It would appear that they are holding their copyright anonymously ;-)

Hah. You'll note that kuro5hin does the same thing. So does scoop.kuro5hin.org. Why?

It's part of Scoop's default setup.

-JD
[ Parent ]

Re: Your marketing campaign backfires o... (none / 0) (#23)
by rusty on Wed May 03, 2000 at 01:11:39 AM EST

And it says that because I took the text straight out of slash's default database. It's one of the few remaining signs that slash played any part in Scoop development. :-)

____
Not the real rusty
[ Parent ]
Re: Your marketing campaign backfires o... (none / 0) (#21)
by End on Tue May 02, 2000 at 11:21:00 PM EST

Obviously noel took offense to my remarks. He maintains that somehow, repeatedly submitting stories with identical text from his own site to multiple weblogs is not spam. I say it is. He says I should frequent some other weblog if I don't like the constant rootprompt.org links. I say I do frequent many other sites and everywhere I go, there are noel's rootprompt stories on the front page. If I want to read rootprompt.org articles, I can read them at rootprompt.org. If he really wants to contribute to the sites he submits his stories to, he should submit the entire article as a story and link to it from rootprompt.org or something. Just find a way to eliminate all this redundancy.

I think everyone else agrees that, the quality of the articles themselves notwithstanding, this method of drumming up visitors to your site is nonoptimal and inappropriate. We have slashbox-type functionality for this sort of thing. I also know there are a lot of new weblogs springing up out there and I think noel is unwittingly exploiting their need for easy content.

I agree that, by itself, the article was worth posting, as demonstrated by the voting. But c'mon, noel, a smart, tech-savvy person like yourself ought better to observe the bounds of propriety in these matters. I urge you to take a fresh look at the situation.

-JD
[ Parent ]

I....love.....sniffing. ... (1.00 / 1) (#16)
by flamingcow on Mon May 01, 2000 at 11:15:35 AM EST

flamingcow voted 1 on this story.

I....love.....sniffing.

It's a decent entry level article. ... (3.00 / 1) (#15)
by deimos on Mon May 01, 2000 at 11:34:09 AM EST

deimos voted 1 on this story.

It's a decent entry level article. I'd be surprised, though, if those that are security aware are not already aware of this. It is an old tactic used for ages in the online world.
irc.kuro5hin.org: Good Monkeys, Great Typewriters.

Looks good so far.... (1.00 / 1) (#13)
by Saint Zero on Mon May 01, 2000 at 12:43:57 PM EST

Saint Zero voted 1 on this story.

Looks good so far.
---------- Patron Saint of Nothing, really.

Sounds interesting, but more write ... (2.00 / 1) (#10)
by slycer on Mon May 01, 2000 at 01:40:42 PM EST

slycer voted 0 on this story.

Sounds interesting, but more write up?

ID scanning ... (none / 0) (#3)
by kmself on Mon May 01, 2000 at 01:58:56 PM EST

kmself voted 1 on this story.

ID scanning

I use queso myself, and have been known to run nmap against hosts which have scanned or otherwise attempted connections to my (dialup) box. These results are then passed on to the service provider of said host <g>.

I've found that, for whatever reason, queso seems not to function from behind my own ISP's systems (EarthLink).

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

looks like an interesting article.... (1.00 / 1) (#12)
by thelaw on Mon May 01, 2000 at 02:02:23 PM EST

thelaw voted 1 on this story.

looks like an interesting article.

You never know who is watching ...... (1.00 / 1) (#18)
by EricM on Mon May 01, 2000 at 02:52:31 PM EST

EricM voted 1 on this story.

You never know who is watching ...

Tres cool...... (1.00 / 1) (#8)
by warpeightbot on Mon May 01, 2000 at 03:47:30 PM EST

warpeightbot voted 1 on this story.

Tres cool...

Too much Microsoft. Too much MP3/RI... (1.00 / 1) (#2)
by xah on Mon May 01, 2000 at 03:53:31 PM EST

xah voted -1 on this story.

Too much Microsoft. Too much MP3/RIAA. Too much Rootprompt.

Reverse information gathering. (5.00 / 1) (#20)
by inspire on Tue May 02, 2000 at 10:45:43 AM EST

There was a fairly recent discussion about gathering information about a portsniffer or attacker on the Portsentry mailing list, in relation to retaliatory measures to take after an attack. The general consensus was that it is not the smartest thing in the world to do.

The thing is, most script kiddies (which Spitzner seems to be writing about) run a couple of known scripts on a network, and if nothing responds, they give up or move to another network. However, if they see that they've elicited some sort of response (granted, it's supposed to be a discreet fingerprint), they are going to show a lot more interest in that particular net.

The use of discreet methods to fingerprint OSes is usually the domain of the hacker or script kiddie.

If you've been attacked or portscanned, finding out the other person's OS is not going to help much - what are you going to do? Try to DoS them back with the OS-appropriate tools? Much more effective is to contact the attackers upstream and get the account closed down. Remotely getting the OS information sounds like someone is a wannabe computer crime detective or something.

The other thing I take issue with in Spitzner's writing is the continual analogy of getting portscanned or attacked as some kind of warfare, which requires careful strategic planning and espionage and counterstrikes. I'm a systems admin, and my boxes have been hacked before. No big deal, restore from a trusted backup, install the latest security patches, look through the firewall logs, find the attacker and shut them down with a polite note to the upstream.

"Know your enemy" sounds like the catchcry of someone who is planning an attack, not someone defending against one.
--
What is the helix?
