Xprobe - Remote Icmp Based Os Fingerprinting Techniques


Presented at Blackhat Europe 2001 by

Written and maintained by Fyodor Yarochkin and Ofir Arkin, Xprobe is an active OS fingerprinting tool based on Ofir Arkin's ICMP Usage in Scanning Research project (http://www.sys-security.com). Xprobe is an alternative to tools that depend heavily on the TCP protocol for remote active operating system fingerprinting. Xprobe's inner workings will be discussed and explained, including the various active OS fingerprinting methods using the ICMP protocol that the tool implements, and the little tricks and gizmos used in the process. The tool's advantages, as well as its disadvantages, will be demonstrated. A new version of Xprobe will be presented (v0.1, to be released at Black Hat Europe 2001), adding signature database support to the tool. I will explain how this new version works and what problems it aims to solve. The tool's limitations, ways to detect its usage, and how to defeat its usage will also be discussed. Future plans and enhancements will also be presented.

Ofir Arkin is a Managing Security Architect for @stake. Ofir is most widely known for his research on ICMP protocol usage in scanning. He has extensive knowledge and experience with many aspects of the information security field, including cryptography, firewalls, intrusion detection, OS security, TCP/IP, network security, Internet security, networking device security, security assessment, penetration testing, e-commerce, and information warfare. Ofir has worked as a consultant for several European financial institutions, where he played the role of Senior Security Analyst and Chief Security Architect on major projects. Ofir has published several papers, the newest of which deal with "Passive Fingerprinting techniques" and "ICMP protocol usage In Scanning", available from his web site http://www.sys-security.com.