[Discussion] Automated Info Gathering

Matt Jonkman jonkman at jonkmans.com
Sun Mar 1 15:17:02 UTC 2009


Kevin Ross wrote:

Perhaps the ability to either autofind or enter the network topology so
it can determine the source of the attack within the network, kind of
like CS-MARS does (demos here
http://www.demolabs.co.uk/ciscoportal.htm). Also gathering information
such as hostname/NetBIOS name, MAC address etc. using tools like nbtscan
on the detection of a local attack (to avoid scanning outside the
network, which is a bit sketchy). So if an attack is detected from an
inside host (by specifying RFC 1918 addresses), then execute information
gathering tools to provide more information to the analyst about the
source or target of the attack. That way it becomes easier to determine
if it is an FP, i.e. if there is a buffer overflow for a Windows system
but the target determined by a tool such as xprobe, nmap or whatever is
some other OS, and that information is available immediately upon opening
the event, then the analyst has a better understanding of the attack risk
and likely result. Also such a system could be integrated into some
sort of risk system, such that a NetBIOS attack against a Linux system
would lower the risk rating of the attack.

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
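The enrichment loop Kevin describes above (an alert involving an RFC 1918 address triggers local host discovery, and an OS mismatch between the signature and the target lowers the rating) can be sketched in a few dozen lines. The following is an added example written for this page, not code from the list, from Emerging Threats, or from nbtscan/nmap. The nbtscan table and the nmap "Running:" lines are constructed samples embedded inline so it runs offline; the Alert fields and the Snort-style 1..3 priority scale are assumptions for the illustration.

```python
"""Alert enrichment sketch: look up local host facts for RFC 1918 addresses in
an IDS alert and downgrade the alert when the target OS does not match the OS
the signature applies to.  Example code written for this discussion thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Only hosts inside these ranges are ever enriched: scanning addresses
# outside the network is exactly what the post wants to avoid.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True only for a valid RFC 1918 IPv4 address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


# Constructed sample in the shape of nbtscan's default table output (not a real scan).
SAMPLE_NBTSCAN = """\
Doing NBT name scan for addresses from 192.168.1.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.1.10     WKS-ACCT-01      <server>  jsmith           00:11:22:33:44:55
192.168.1.20     FILESRV          <server>  <unknown>        00:0c:29:ab:cd:ef
"""

# One data row: IP, NetBIOS name, server flag, user, MAC.
NBT_ROW = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)\s+(?P<server>\S+)"
                     r"\s+(?P<user>\S+)\s+(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$")


def parse_nbtscan(output: str) -> Dict[str, dict]:
    """Map IP -> {netbios, user, mac} from nbtscan-style table output."""
    hosts = {}
    for line in output.splitlines():
        m = NBT_ROW.match(line)
        if m:
            hosts[m["ip"]] = {"netbios": m["name"], "user": m["user"], "mac": m["mac"].lower()}
    return hosts


# Constructed "Running:" lines as nmap -O prints them, keyed by host (not a real scan).
SAMPLE_NMAP_OS = {
    "192.168.1.10": "Running: Microsoft Windows XP|2003",
    "192.168.1.20": "Running: Linux 2.6.X",
}


def os_family(running_line: Optional[str]) -> str:
    """Reduce an nmap 'Running:' line to a coarse family used for matching."""
    text = (running_line or "").lower()
    for fam in ("windows", "linux", "freebsd", "openbsd", "solaris"):
        if fam in text:
            return fam
    return "unknown"


@dataclass
class Alert:                      # assumed minimal alert shape for the example
    sid: int
    msg: str
    src: str
    dst: str
    priority: int                 # Snort-style: 1 = high, 3 = low (assumption)
    target_os: Optional[str]      # OS family the signature applies to, if known


def enrich(alert: Alert, nbt_hosts: Dict[str, dict], nmap_os: Dict[str, str]) -> Dict[str, dict]:
    """Attach host facts for each RFC 1918 endpoint; external addresses are left alone."""
    facts = {}
    for role, ip in (("src", alert.src), ("dst", alert.dst)):
        if not is_rfc1918(ip):
            continue
        nbt = nbt_hosts.get(ip, {})
        facts[role] = {"ip": ip, "netbios": nbt.get("netbios"), "user": nbt.get("user"),
                       "mac": nbt.get("mac"), "os": os_family(nmap_os.get(ip))}
    return facts


def rate(alert: Alert, facts: Dict[str, dict]) -> Tuple[int, str]:
    """Lower the rating one step when the target's OS family contradicts the signature.
    An unknown OS never changes the rating: absence of evidence is not a mismatch."""
    dst = facts.get("dst")
    if alert.target_os and dst and dst["os"] not in ("unknown", alert.target_os):
        return min(alert.priority + 1, 3), f"target is {dst['os']}, signature targets {alert.target_os}"
    return alert.priority, "no contradicting host facts"


def triage(alert: Alert) -> Tuple[int, str, Dict[str, dict]]:
    """Full pipeline on the constructed samples: enrich, then re-rate."""
    facts = enrich(alert, parse_nbtscan(SAMPLE_NBTSCAN), SAMPLE_NMAP_OS)
    prio, why = rate(alert, facts)
    return prio, why, facts


if __name__ == "__main__":
    a = Alert(2001, "NETBIOS SMB overflow attempt (constructed)", "10.0.0.5", "192.168.1.20", 1, "windows")
    print(triage(a))
```

One caveat a practitioner should keep in mind: an answer to the NetBIOS name query proves only that something speaks NetBIOS, and Samba on a Linux box will answer just like a Windows host, which is why the OS judgement here comes from the nmap fingerprint rather than from nbtscan, and why an unknown fingerprint leaves the rating untouched rather than lowering it.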




