[ntp:questions] Re: Fingerprinting hosts by clock skew

mayer at gis.net mayer at gis.net
Wed Mar 9 23:02:06 UTC 2005


----- Original Message Follows -----
> At 4:52 PM -0500 2005-03-09, mayer at gis.net wrote:
> 
> >  It's not worth bothering with all this. I've seen code that uses two
> >  or three ICMP messages to fingerprint your system and tell exactly
> >  what you're running for O/S and hardware. You don't even need to
> >  worry about the clock. It can tell just by looking at how it
> >  handles the message.
> 
>     I know about nmap, and I have some idea of how it works.  One 
> problem is that a lot of places block ICMP, and many host-level 
> firewalling implementations will do the same.  Operating systems like 
> OpenBSD will randomize certain aspects of any response packets that 
> do get sent back, and the result will be a machine that will be 
> difficult or impossible to determine what they're running.
> 

This technique has nothing to do with nmap. It's something else
entirely. Unfortunately I don't remember any of the details.

Danny


