Friday, 1 February 2013

Stealthy Services


The latest breed of Trojans has further complicated detection by remote
scanning: the backdoor requires a special, secret signature to be sent to
the port before it issues any response. To an ordinary scan the port
appears closed; the Trojan responds, and opens the port, only on receipt
of a packet carrying the secret signature.
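A port that looks closed to one probe and open shortly afterwards is itself a detectable anomaly. The following is an added example, not code from the original post, that walks a simplified packet summary and reports local ports which answered RST/ACK to a SYN and then, within a short window, answered SYN/ACK; the inbound packets seen in between are listed as candidate triggers for an analyst to inspect. The log format, addresses, ports and payload are constructed for this example.

```python
import re
from collections import namedtuple

# Constructed sample traffic summary (not real captures). Format:
#   t=<seconds> <src>:<sport> -> <dst>:<dport> <TCP|UDP> <flags-or-payload>
# TCP flags use tcpdump-style letters: S = SYN, SA = SYN/ACK, RA = RST/ACK.
SAMPLE_LOG = """
t=1.000 10.0.0.5:40001 -> 10.0.0.9:31337 TCP S
t=1.001 10.0.0.9:31337 -> 10.0.0.5:40001 TCP RA
t=1.002 10.0.0.5:40002 -> 10.0.0.9:22 TCP S
t=1.003 10.0.0.9:22 -> 10.0.0.5:40002 TCP SA
t=1.004 10.0.0.5:40003 -> 10.0.0.9:8080 TCP S
t=1.005 10.0.0.9:8080 -> 10.0.0.5:40003 TCP RA
t=5.000 10.0.0.7:5555 -> 10.0.0.9:31337 UDP payload=6b6e6f636b
t=5.200 10.0.0.7:40010 -> 10.0.0.9:31337 TCP S
t=5.201 10.0.0.9:31337 -> 10.0.0.7:40010 TCP SA
t=9.000 10.0.0.5:40004 -> 10.0.0.9:8080 TCP S
t=9.001 10.0.0.9:8080 -> 10.0.0.5:40004 TCP RA
"""

Packet = namedtuple("Packet", "t src sport dst dport proto info")

LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<info>\S+)$"
)


def parse_log(text):
    """Parse the summary format above into Packet tuples; unparseable lines are skipped."""
    pkts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append(Packet(float(d["t"]), d["src"], int(d["sport"]),
                           d["dst"], int(d["dport"]), d["proto"], d["info"]))
    return pkts


def find_conditional_ports(pkts, host, window=30.0):
    """Report ports on `host` that replied RST/ACK (looked closed) and then, within
    `window` seconds, replied SYN/ACK (looked open). Inbound non-SYN packets to that
    port between the two replies are returned as candidate triggers."""
    last_closed = {}   # local port -> (time, index) of the most recent RST/ACK reply
    findings = []
    for i, p in enumerate(pkts):
        if p.src != host or p.proto != "TCP":
            continue
        if p.info == "RA":
            last_closed[p.sport] = (p.t, i)
        elif p.info == "SA" and p.sport in last_closed:
            t0, i0 = last_closed.pop(p.sport)
            if p.t - t0 <= window:
                triggers = [q for q in pkts[i0 + 1:i]
                            if q.dst == host and q.dport == p.sport and q.info != "S"]
                findings.append({"port": p.sport, "closed_at": t0, "open_at": p.t,
                                 "candidate_triggers": triggers})
    return findings


if __name__ == "__main__":
    for f in find_conditional_ports(parse_log(SAMPLE_LOG), "10.0.0.9"):
        print(f"port {f['port']}: closed at t={f['closed_at']}, open at t={f['open_at']}")
        for q in f["candidate_triggers"]:
            print(f"  candidate trigger: {q.proto} from {q.src}:{q.sport} ({q.info})")
```

Port 22 (always open) and port 8080 (always closed) produce nothing; only port 31337 is reported, with the UDP datagram that preceded its change of state. The same correlation can be run against firewall or flow logs where a host's reply flags are recorded.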
Remote OS Identification
Whilst port scanning will potentially identify the services and versions
running on the ports, to narrow down the list of attacks relevant to a
system we ideally require knowledge of the platform on which those
services reside. Buffer overflows in particular are, by definition,
highly platform- and software-specific, as they involve injecting native
machine code directly into the machine's execution stack.
We will now look at some of the ways a remote attacker may identify
which operating system, and indeed which version of that operating
system, is running.
Many of the techniques below are in the Active category: they require
querying the remote host in some way and basing our deductions on the
response. The Passive techniques discussed later, which involve sniffing
traffic arriving from the remote host, are derived from Lance Spitzner's
paper, referenced below.
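Passive identification of the kind Spitzner describes rests on a few IP and TCP header fields of packets a host sends on its own (initial TTL, window size, the DF bit and TOS). The following is an added example, not part of the original post, that applies that idea to a set of constructed sniffed SYN records: it rounds the observed TTL up to a common initial value to estimate hop count, matches the remaining fields against a small signature table, and then groups results by source address so that a host whose fingerprint changes between packets stands out. The signature values and sniffed records are illustrative assumptions, not taken from Spitzner's paper or any real fingerprint database.

```python
# Common initial TTL values; the observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)

# Assumed, illustrative signatures (constructed for this example). Real passive
# fingerprinting tools carry much larger, maintained tables.
SIGNATURES = [
    {"label": "Linux-like",         "ttl": 64,  "df": True, "tos": 0, "windows": {5840, 29200}},
    {"label": "Windows-like",       "ttl": 128, "df": True, "tos": 0, "windows": {8192, 16384, 65535}},
    {"label": "Solaris/Cisco-like", "ttl": 255, "df": True, "tos": 0, "windows": {8760}},
]

# Constructed sniffed SYN records (not real traffic). The last entry reuses the
# first source address with a different stack profile on purpose.
SNIFFED = [
    {"src": "192.0.2.10", "ttl": 57,  "window": 5840,  "df": True,  "tos": 0},
    {"src": "192.0.2.20", "ttl": 118, "window": 65535, "df": True,  "tos": 0},
    {"src": "192.0.2.30", "ttl": 250, "window": 4096,  "df": False, "tos": 0},
    {"src": "192.0.2.10", "ttl": 121, "window": 8192,  "df": True,  "tos": 0},
]


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    return 255  # TTL is an 8-bit field, so nothing above 255 can actually be observed


def fingerprint(ttl, window, df, tos=0):
    """Return (label, estimated_hops, confidence) for one packet's header fields.

    'high' means initial TTL, DF, TOS and window all matched a signature;
    'low' means only the initial TTL matched; 'none' means nothing matched."""
    init = initial_ttl(ttl)
    hops = init - ttl
    for sig in SIGNATURES:
        if (sig["ttl"] == init and sig["df"] == df
                and sig["tos"] == tos and window in sig["windows"]):
            return (sig["label"], hops, "high")
    for sig in SIGNATURES:
        if sig["ttl"] == init:
            return (sig["label"], hops, "low")
    return ("unknown", hops, "none")


def inventory(records):
    """Group records by source address and flag hosts whose label changes between
    packets (NAT, address reuse or spoofing are all worth a closer look)."""
    seen = {}
    for r in records:
        label, _hops, _conf = fingerprint(r["ttl"], r["window"], r["df"], r.get("tos", 0))
        seen.setdefault(r["src"], set()).add(label)
    inconsistent = sorted(src for src, labels in seen.items() if len(labels) > 1)
    return seen, inconsistent


if __name__ == "__main__":
    for r in SNIFFED:
        label, hops, conf = fingerprint(r["ttl"], r["window"], r["df"], r["tos"])
        print(f"{r['src']}: {label} (~{hops} hops away, confidence {conf})")
    _, odd = inventory(SNIFFED)
    print("hosts with inconsistent fingerprints:", odd)
```

The hop estimate is what makes the TTL usable at all: a sniffed TTL of 57 says nothing by itself, but 64 minus 57 gives both a plausible initial value and a seven-hop path. The per-host grouping is the defensive use of the same technique, as an inventory check rather than a reconnaissance step.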
