Before you all leave the room and go away because you're saying, "Hey, ICMP, you'll not see something interesting here," let me just say that using one to four packets only, with speeds like 200 milliseconds to 350 milliseconds, this is what my tool does. So I think the guys that want to go away will now stay.

Basically, what we will be talking about is some theoretical analysis. I changed that from Black Hat, so we'll have real-world examples along the talk. We will have some interesting sites that I've been scanning in the last three days, so at the end we will see some Chinese websites, actually pretty cool websites, and there will be some surprises to see what they are using; some of them are government.

So X is a logic developed from the various active OS fingerprinting methods I discovered during my research. Xprobe is the tool that actually was released at Black Hat two days ago and is available from our website. It was written along with Fyodor Yarochkin from the Snort development team; he is not the same Fyodor from Nmap, so there are a few different Fyodors in the world, I guess. The tool automates X. Its version is 0.0.1. It works; I'll talk about the limitations later and what will be the future. The logic and the tool are simple, fast and efficient, which I think every tool should be. It's still a proof of concept, and in the future this tool will have some kind of artificial intelligence and failover mechanism: say you started the scanning using some method and you failed, it will fail over automatically to another logic and eventually it will intelligently identify the operating system.

The problem with some tools today, especially the open source ones, is that when you do scanning you sometimes get inaccurate and inconsistent results, and I'll show some examples. This is true especially with Windows-based operating systems with TCP, and I will be showing examples with Nmap, for example, and how X can solve this thing.

So basically it all depends where you sit. If you are a penetration tester, you sit inside an internal network, you want to see which operating systems you have; this is one thing. If you are a hacker and you sit outside somewhere in the Internet, say outside of a firewall, this is another thing. So you may be having to use some different protocols or some different probes or some different techniques. It depends where you sit; sure, it depends on the firewall and what it lets in, but eventually you need to use something intelligently. For example, if you have a firewall, you will not expect to see traffic flying in for UDP ports which are not used on targets inside the internal networks, or you will be filtering heavily if you're doing it good. But if you are inside a network it changes the picture, and usually between internal segments you can use ICMP, because management or IT management need to see the availability of operating systems, because they are lazy to get their fat asses from the seats and go up to Mrs. Robinson up on the ninth floor just to see she plugged off her Ethernet cable.

About the license: the license is GNU, the code is available, but all material is for non-profit educational use only. So if you want to use this for commercial stuff, you need to talk to me. If you guys want to use that and you're not using it for commercial usage and it's education, you can download it from our website.

Again, the tool uses one to four packets, and I'll show you how it does it. OK, the logic starts with a UDP datagram sent to a definitely closed UDP port. I send some data inside the data portion of the packet; it is up to 70 bytes of data inside the offending packet. Why a definitely closed UDP port? Definitely closed so I can get an ICMP port unreachable. So how can I pick a definitely closed UDP port? One of the examples will be: go to the IANA list of assigned ports and get yourself some ports, and then randomly, when you use the tool, use random ports that eventually need to be closed. Now a closed UDP port sends you a port unreachable. If you don't get the port unreachable, you understand there is a firewall filtering you, and you may fail over to another logic. We will see an example when we talk about Windows-based operating systems; Jeff Moss let me play with defcon.org, so you can see how I can do failover and identify defcon.org using a failover mechanism.

So we have a way to identify firewall presence, and if we receive back a reply, we will be using a nice fingerprinting thing: with some operating systems and networking devices, when they send an error message, they send the precedence bits, which are part of the type of service byte, as you can see here, set to the value of 6 decimal, which is C0 hex. This means that Linux plays the role of a router, like RFC 1812 states that a router has to do. Well, I don't know why Linux does that, but if we want to differentiate between Linux kernel 2.0, 2.2, 2.4 and Cisco routers and Extreme Networks switches, we will look at echoing integrity problems inside the echoed data. I don't know how many of you know, but with an ICMP error message a certain amount of data from the offending packet is getting echoed back with the error, so you can understand which packet caused the error: the IP header and at least 8 data bytes are echoed back. There are some operating systems and networking devices that will echo more. For example, we have here Linux, we'll see that in the next slide, that echoes nearly everything that you will give it, and on the other hand we have Cisco and Extreme Networks that echo only 8 data bytes. So basically, using another internal test, not a test that I need to repeat, I can differentiate between the Linux bunch and the Cisco and Extreme Networks bunch. If I want to differentiate furthermore between Cisco and Extreme Networks, I can look at the UDP checksum field in the UDP header: with the Extreme Networks it will be zero, with Cisco it will be echoed correctly. So basically, using one datagram I'm able to identify Cisco routers using IOS 11.x,
12.x, and Extreme Networks switches. If I look at the Linux bunch, I will be defining it according to the IP time to live field value: Linux 2.0 uses 64, the others use 255. And using another query, which makes two queries to the Linux 2.2 and 2.4, I can look if we are having the IP ID set to zero, which is a common problem with the IP ID with Linux 2.4.0 to 2.4.4, and therefore I can differentiate between Linux kernel 2.2 and 2.4.5 and Linux kernel 2.4.0 to 2.4.4. So using only two datagrams I was able to get Linux 2.2.x and 2.4.x; using one datagram I was able to get the Cisco, the Extreme Networks and the Linux 2.0.

Now if you look at the real-world example, look here, it's real IPs; port scanning is legal, and I would like to thank Jennifer Granick for the legal advice. Yeah, well, we can see the first query. The first parameter to check is the precedence bits set to C0. Here we can see that the data portion, well, the data echoed, sorry, it's a mistake here, no, sorry, this is the data echoed. Really, from this point we can see that everything that was sent inside the data portion of the offending packet got echoed here, and you see the time to live is 255, so we basically differentiated it as 2.2 or 2.4, and we send another ICMP echo request; the IP ID is not zero, then this is 2.2.x or 2.4.5.

Now you'll say I'm using a foobar host, right, you'll not believe me, so this is redhat.com, and now I might be getting more acceptance; wait until you see the Chinese sites. This is actually X running. You can see the first test here; all the trees are like internal tests that I showed you before, and it identifies it as 2.2.x or 2.4.5. Now if I use Nmap I get the same results; I get more packets sent, three seconds, and I get 2.2.12 to 2.2.19. Here I was using closely nearly 300 milliseconds to get the same results.

So if we go back now to the main branch of the tree, we can now look at another parameter: how much echoed data is given with the error message. We have three groups: the group that echoes back 8 data bytes, a group that echoes only 64 by default, and a group that echoes everything. Here is Linux; it echoes everything like the other networking devices and boxes here, but we identify it again. This is like if we have some kind of a traffic shaping device that plays with the precedence bits, and if it fails to identify Linux in the first stage, then it will identify Linux here as well.

Let's look at the main branch here at Sun Solaris, HP-UX and Mac OS. Again, a very simple test to differentiate between them, and if you didn't know that, Mac OS 7.x to 9.x acts like HP-UX 11.x, so they both bought the TCP/IP code, I guess, from the same company; not a wise thing to do. I was able to play with Mac OS 9.1 at Black Hat, and I would like to thank Chris from C-Gate for letting me abuse his box. Now if I'm having false results here, if the timestamp here is blocked on the Sun Solaris, sure, it will be identified as HP-UX 11; still, it's just 0.0.1, so in the future we'll have better firewalling tests with other queries as well. Here is an example with Sun Solaris 2.7. We can look: here's the offending packet, here's the error message. We don't see the precedence bits here, so we are at the main branch. The data portion echoed: if you will count the 58s it will give you 56, and here's the UDP header, another 8 data bytes, gives you 64. If you now look at the second packet sent, you see that again I get a timestamp reply, so it was identified as Sun Solaris 2.3 to 2.8.

To play really cool tricks with other operating systems, I'm using echoing integrity problems, mainly using some fields inside the IP header. I have a couple of fields I can play with: I have the IP total length field value, which sometimes might be 20 bytes less or 20 bytes higher than the original; the IP ID, because of byte-order problems, might be flipped; the IP header checksum might be miscalculated or 0; the 3-bit flags and offset field values, if I set the DF bit with my request or with my offending packet, might be flipped, so I might be seeing an error message stating I sent a fragmented thing and got the error for it; so we'll see how we can use that. And the UDP checksum might be miscalculated or 0. So as you can see, we have a lot of powerful methods to work with.

So how can we use that to slice and dice this correctly? The first powerful method we will be using is the IP total length field value. Here we can see that we have three groups: the one that echoes the field value 20 bytes higher than was in the original, here it's less by 20 bytes, and here it's OK. Let's look at the AIX machines. We can see that we have here AIX, BSDI, older NetBSDs and Mac OS X Server. Well, if you think about them, they are all sharing the same base code; at least the BSDI, NetBSDs and Mac OS X, they are all using the same base code for TCP/IP. Again, using some echoing integrity checks, we can differentiate between the AIX machine here, which miscalculated the IP header checksum, and the other operating systems, which just send zero here as the IP header checksum, and differentiate between this group a bit more, having one group with little-endian problems and the other group with big-endian problems. So again, this is only one packet sent, and again we get a range of networking devices and, sorry, operating systems that are using the same base TCP/IP code after you sent one packet to get the results. Here we might have more networking devices, but the reason I didn't include them was that it was like your grandmother's printer from 1985; so if you really know what your target is, you understand if you are targeting hosts or networking devices, and in the future we'll add everything up.

So if you look again at the example, it's not a real-world one, but I have more of these sent against an AIX 3.2-based machine. See, one query sent, a UDP query, got the error message, checked the IP total length, got the base group of operating systems, checked the IP header checksum, got it miscalculated, got an AIX. Well, how much time was used? 290
milliseconds to get the results: one packet sent, just processing the reply, and I get the operating system. So you can see here: precedence checked, amount of data bytes echoed checked, IP total length field checked, the echoed value 118 and it was only 98. So one packet, 290 milliseconds, you get AIX. Someone got any question until this point? Yeah, the implementation is publicly available. Yeah.

So here is a way how we can identify OpenBSD 2.6 to 2.9 quite easily, with one packet as well. From 2.6 with OpenBSD, the IP total length echoed is less by 20 bytes than the original. I don't know why they are doing it, but it's a problem; there are some other operating systems and networking devices doing so. We look at another echoing integrity check, here's the UDP checksum checked, and again we get here the NFR IDS appliance, which basically is OpenBSD with some minor changes; it echoes the UDP checksum badly, so we can identify it. Here we have basically two operating systems; here we can do another echoing integrity test and get the OpenBSD 2.6 to 2.9 quite fast. So if we look at another example, we can see that again one test here and some internal tests for the reply I'm getting, so pretty fast I'm getting OpenBSD 2.6 to 2.9. Here is the example: 310 milliseconds after sending the request I get the reply. You can see precedence zero, amount of data bytes echoed here, IP header checksum and UDP are correct, and the only parameter which is bad is the total length field value. So again, it gives you pretty fast the OpenBSD 2.8 in the group of 2.6 to 2.9.

So I was looking to do other tests with some good methods. Again, one good method is the 3-bit flags and offset field value. If you set it to a certain field value, it flips between them with the FreeBSD 2.2.x to 4.1 and NetBSD 1.3.x group, for example. Here, if we are going to check what will be done here, you can see that this group will flip the bit order and Ultrix just sends zero. We can see a demonstration here; that's a FreeBSD 4.0 machine. We send one datagram, it passes all our checks, we see that the frag bits are flipped, and we are doing another internal test, which basically involves looking at the IP header checksum echoed, which is zero with all FreeBSDs, and we get FreeBSD very fast; again, 350 milliseconds, one packet sent, internal test, and you get FreeBSD 2.2.x to 4.1. Basically, with your reply it's like looking at a fragmented packet you have sent with your offending packet; what this basically was, the DF bit was set here, it was flipped, so it's parsed differently with tcpdump. Now this is what causes the UDP checksum, sorry, the IP header checksum, to be bad as well, if you can see it from the tcpdump trace.

So until now we just quickly went through the most basic Unix operating systems. We saw that with one or with two packets we are able to identify pretty fast operating systems; just as a reminder, this is also automated with the tool. Now I needed an ultimate test to differentiate between Microsoft-based operating systems and Unix-based operating systems. This was actually my first Bugtraq post about ICMP stuff. What happens with Microsoft-based is, if you set the code field (there are a type field and a code field which define the type of ICMP message you are sending or seeing), if you play with the code field and you send a field value which is different than zero with your ICMP request, the reply with Microsoft-based operating systems will set this field to zero. Now, the RFC states that you only have to change the type, recalculate the checksum and send the message back. Well, I guess at Microsoft they wanted to play God, so they changed that to zero and send back the echo reply. So we are able to identify each and every Microsoft-based operating system according to this little fingerprinting mechanism. I loaded up another test with it which uses the precedence bits, I will refer to it a bit later, and the DF bit.

Let's look at the Microsoft branch after understanding from the, yes, the ICMP echo reply, that this belongs to Microsoft. I have some unique tests identifying this. We'll look at the IP TTL: with Microsoft Windows 95 they are using 32 as the default field value for that field when they send the echo reply; it is unique between the Microsoft-based operating systems, and the others are using 128. Now you will remember I put a value inside the precedence bits with my ICMP echo request. What will happen is that there are some operating systems that will not echo back my precedence bits which I have set with my request. What will happen is, guess what, Microsoft Win2k SP1 and SP2 will not echo this field value, so this will allow us to identify Win2k versions quite easily just after two packets: looking at the TTL, looking at the code field, TTL, precedence bits are zero, here we go with Win2k after the two packets. The other Microsoft-based operating systems, which are the older ones, and I'm not referring to Microsoft Windows for Workgroups, 95, sorry, 98, 98 SE, ME, NT SP3 and less, and now NT 4 SP4 and above are here, so we can differentiate between them as well.

But let's look at the example with Win2k. This is a real-world example with Win2k SP2. You can see here precedence checked, amount of data echoed checked, total length is fine, and we check another criterion here: the DF bit is not echoed at all with our reply, and it is not flipped here, you can see that. So basically we need to send another packet. If we're now sending it, you can see, where is that, here, that I set a certain field value inside the code field and I got back zero, and I set a certain field value for the precedence bits, here it's hex hex hex, and I didn't see it back with the reply; it wasn't echoed. So this was wimbledon.org; I wanted to see Anna Kournikova, so I went to wimbledon.org, yeah, go tennis, and this is what I got there, Win2k up there. Here you can see the actual X running on wimbledon.org: two tests, all the internal tests get you
Windows 2k pretty fast. If we do banner grabbing, just to prove to you guys that this is Windows 2000, here you get a great application running there called IIS 5.0, and just type "go tennis", a couple of enters, and you get that.

So I wanted to differentiate between the entire group of Microsoft-based operating systems. Basically we're all dependent here upon the replies we are getting from our hosts, as you will see in the next two examples; well, they give us what we need. Here we send an ICMP timestamp request to differentiate between two groups, the NT 4 and the 98, 98 SE and ME. With another one, an address mask request, I am able with the reply to identify 98, 98 SE and ME, which do not reply to the second, the address mask. For the NT box, I am able to differentiate between NT SP3 minus and NT SP4 plus. So let's see some examples. Skip, OK, let's see that example, I will not skip it. I have four tests here, as you can see, and internal logic is being used here, identifying the Microsoft Windows family TCP/IP stack, and it gives me NT SP4 plus, as you can see from the trace. This is again, I'm looking, I see that I don't qualify for any of the tests I'm using: I'm using an echo request, set the code to 1, 2, 3, get the code 0; set the type of service to 6, get the type of service back, this means this is not a Win2k machine; sending a timestamp request and an address mask request doesn't get any reply, so this is Win NT 4 SP4 and above.

So if you guys will not like my talk, I might join the French Foreign Legion and run away for a couple of years. So if you just look at what I got after I typed in the French Foreign Legion's web address, I got a nice error message, an ASP one, well, I guess what this is: if you give us your name and email address we might call you for duty. OK, yeah, right. So here is an actual screenshot; you can see X running on my box: French Foreign Legion running Windows NT 4 SP4 and above. Now if you don't believe me, this is Nmap. I was trying to do OS fingerprinting and gave Nmap an open port that I can tell Nmap to use, less traffic initiated to identify that machine, but guess what, this didn't help in this case and I didn't get anything back. So I was actually telling Nmap, OK, do whatever you want to, and here, after 1500 packets, I get basically problematic results, as you can see: Win 95, or Win NT 4 SP3, or Win NT 4 Server SP5 and the hotfixes. This is not accurate. But this is a good example to understand that if we can tell the tool we are going to a web server, then port 80 is open; I don't need it to port scan the operating system if I, for example, want to use an IIS exploit, right?

So I told you I'll get to defcon.org; thanks to Jeff for letting me do that. I'd like to scan defcon.org. Basically what it gives me is the ability to show you why I need a failover mechanism. Well, because I'm sending a UDP datagram to a closed port and I need the ICMP port unreachable, and Jeff kindly closed down the UDP stuff; I want to thank him for giving me a hard life here. But if I'm just using the Windows portion of the tree as a query-only mechanism, this means that, let's go back a bit, if for example I start and use, yeah, I've been here, I send the code field set to a value different than 0 and I get the reply with the code 0, and I can play only with the Microsoft-based tree. Now I have to get back. Oh, I didn't think it's frightening the kid. OK, I'm struggling here. OK, so if I'm doing the same tests, I'm able to state that Mr. Moss is running NT 4 SP4 and above, and it actually was shut up, and it was actually cross-referenced with Jeff. Yeah, if you try to play on that website you'll have to deal with me. So as a courtesy to Jeff, here are the traces: you can see the code field is not echoed, the precedence bits are echoed, so basically it gives you the other Microsoft-based operating systems; it doesn't answer the timestamp request or the address mask request, which are allowed on the box, and this is NT 4 SP4 and above. This is Nmap again, trying to give Nmap a port to work with, and it gives me Win NT 4, Win 95, Win 98; trying not to give any port, and it generates in two minutes this result. Well, you saw that before. So basically, sure, it tells me it's Windows, but it doesn't let me understand what is the Windows box I'm attacking or probing or auditing.

So we can do a lot of stuff more than that. If we're going back to the main branch, we can do a lot of other tests. I have set the DF bit inside the echo request, and I'm expecting several operating systems, when they generate the ICMP echo reply, to put the DF bit there even though they are not usually doing so. This means that if I send the ICMP echo request without the DF bit, the DF bit will not be set with the reply. So there are some operating systems which just, you know, flip around the IP addresses, do their recalculating, change the type, recalculate the checksum and send back the results. There are some other operating systems which are more intelligent and will build up a new packet. I don't know if Novell or Ultrix are that intelligent, but here they didn't echo the DF bit, and we are able to identify them both because of the TTL. We can do other tests like this, with the DF bit, to identify NetBSD, the newer versions, and 2.4, 2.5 OpenBSD and older OpenBSD as well. So basically this is still, here it's two packets with the NT 4 stuff; it was up to four packets with Win 95; it was two packets. So a very small amount of packets sent, and you see how fast
replies are getting back and recalculation is being done. If I'm still on the main branch, I can send an ICMP information request and try to identify DG/UX, for example, different DG/UX, HP-UX 10.x and OpenVMS. I will not go through that, because you all can read that from my website; I want to show the examples now. This is an example with DG/UX 5.6. We have three datagrams sent here: one is the UDP closed port, an ICMP echo request with various tests, and an information request, which gets a response, and we can see another test and it gets it as DG/UX. Again we do our magic here, and here, and here, and basically get the results; it's 632, yeah, basically 600 milliseconds after three packets and all the processing of the replies. So 600 milliseconds, we get DG/UX 5.6.

So the rest of the tree: I can say I cover FreeBSD 4.1 to 5; it might be unreliable according to our target. If we are targeting an operating system and we know that we are targeting an operating system, for example if we target, well, our next nice example would be a known website, we know that we are not targeting a networking device which might be giving us false results here. So basically, if we follow the logic here and here, we might be able to look at the FreeBSDs. Now if you didn't know, FreeBSD 5.0 changed its IP TTL field value with the replies to 64; I guess some didn't know that. So you all know Nessus, right? Who doesn't know Nessus? OK, this is the main Nessus site. Basically what the tool gives me here is that I checked all the logic and this is some kind of a Unix; the logic goes and stops at that point because of accuracy problems with the networking devices. Now if you look closely at what we have received back, we can see that we have the UDP header checksum set to zero here, and the time to live is 64; it was set to 64 initially here. Now if we go to the logic, we can see that the IP header was OK, the IP ID was OK, we go down, the UDP checksum, it was zero, and the TTL was 64, so it needs to give us FreeBSD 5.0. Now this is Nmap; I guess it needs to fill in, to insert the TTL thingy, against a FreeBSD 4.3.

Questions until this point? No questions? Yeah, to have this example working, I have it hardcoded, but 0.0.2, which is scheduled soon, will have its own fingerprinting database and a logic that will work dynamically with some nifty tricks in the database. So what we'll have to do only is to put more fingerprints inside the tool and run it independently. Sure, so people can send me fingerprints. Yeah, well, at the end of the slides there are slides about this; thank you for reminding me of this.

So I was thinking what websites can be interesting for myself to look at and might interest you guys. I went for one of the American favorite nations, the nation that denial-of-serviced the Navy: China. So in order to look at what is so good in China and to see if they need some tech guys, I went to the Communist Party newspaper; I went to People's Daily. Now what is so nice about the Chinese newspaper is that everything is so cool in the world; here, see, a Chinese NBA player doing some good stuff, and all the news is so good and everything is cool, so cool in the world. OK, so I fired away X on People's Daily. One packet got me back: People's Daily is using OpenBSD, something between 2.6 to 2.9. OK, so they were wise enough to use OpenBSD, but why not firewall UDP? You can see here why this traces back to OpenBSD: the IP total length field value is 20 bytes less than it was with the offending packet, echoed 20 bytes less, and the other fields are OK. So this is OpenBSD 2.6 to 2.9, one packet sent, and you see the link to China, man; I now understand why they denial-of-serviced the Navy. Look at how many milliseconds it took, like 360 milliseconds it took the reply to get back and for me to identify People's Daily's site. That's, yeah.

So after looking at the newspaper, I was thinking, if it's so damn nice, let's get us something cool at Beijing; why not buy some mics, the microphone store in Beijing. But before that, I tried to do the same thing with Nmap: failed, nine minutes after, didn't get any results. So it shows you that sometimes TCP is not enough, and we need to fail over or use something else. So I went to Beijing 7 on Audio; I wanted those mics, man. So there is some kind of a microphone here, dynamic microphone, wireless microphone and other pro audio devices out of Beijing, so I bet they have some kind of online order form. I went and tried to identify what it ran on, and it gave me a Linux 2.2 or 2.4; two packets here, you can see, very nice, I mean, for an audio shop. Here are the same results with Nmap; it gives the accurate results, but again, the amount of packets I have to invest in order to get the results is about 1500 if I don't specify the open ports.

I was so damn satisfied with the microphones, so I wanted to buy myself a car. I mean, the car guy that comes, that's the end; why don't we have a Ferrari here? With this we have this engine car, I don't get it, but there was a super awesome cool animation here that you don't see, that gave it away, as you'll see what it is: a Microsoft Windows NT SP4 plus based box. The animation was so ugly, so I spared you. Four packets sent, really fast, identified as a Win NT SP4 plus here. Again, sorry for the comparison with Nmap, but it's the tool that nearly everybody uses. Here again I get several results, which the tool is not able to identify, different TCP stuff between Microsoft-based operating systems, and it's not just Nmap, it's other tools that are based on TCP-only, nearly TCP-only stuff.

After all, I was so dissatisfied with my car, I went to buy a trailer. Look at that trailer, awesome trailer. So I didn't understand anything, but I bet they need you to deposit something before you buy something. So chinatrailer.com uses Linux 2.2 or 2.4.5; again, pretty fast, you have to send two packets and you get the results. These are accurate results; it takes more time, more packets invested. What is
so nice with this? This is my train stuff. What is so nice with X is that you basically are very stealthy, because they don't understand what the hell hit them, and they cannot understand that they've been mapped. And now, if in the future, and this is planned, I add real data portion information of a real application, say I identify the DNS server of the organization, I know where they are, and I send this offending packet to UDP 53, and I steal some code from nslookup, and I do lookups and send them to the IP address which is my target, then what the admins might say is, oh, look at that retarded script kiddie. Thank you, guy, I just mapped you; I don't need anything back from you. So adding some real-world data portion to these scans might do much more stealthy stuff, and if you can play with the, you say I want to send my UDP stuff with this and that application, or randomized, nobody will understand what you're doing.

So after I was so satisfied with my trailer, I went to buy a train up in Mongolia. There is a website called IM1MGT.com.cn, which basically builds you a train. I was so impressed: running a Win2k SP1 or SP2; again, two packets and I get the Win2k identifier. Well, look at that: you want to buy a train or you want to own the world? If you look down, this is quite amazing, because, hey, we are running BlackICE here and we're ultra cool, with all these open ports: we have FTP, HTTP, HTTPS, we play Doom here, man; does your management know that? So basically I tried to map these websites with Nmap as well. I guess I'll chat with you about giving some other kind of intelligence inside Nmap so we can easily identify some Microsoft-based operating systems, because if you are using the default thing with Nmap, it sends echo requests, so if we play with some parameters I might be doing that a bit better, and we can have the results better than that. So here you can see that this is IIS 5, Win2k, so you can just believe me that it is the train stuff.

OK, after the train, I saw that stuff in China is so cool, so I wanted to see how many children I can have in China if I want to move there: statefamilyplanning.com. Look at that awesome view; this is what you see from your room when you, OK, well, stop here. OK, so what are they running? Oh, Windows 2000; I guess they know their shit. I mean, oh yeah, this is FTP, HTTP, well, IRC, but dude, he's IRCing the world with a server so everybody from the world can ask the same question and get real-time answers. Again, Nmap really failed to differentiate between 2000 and ME.

So after I saw China is so damn cool, I can have whatever child I want, yeah sure, I can buy my trailer, my truck, I can buy a train, I can buy my microphone, and I can have my favorite communist newspaper on the web, I wanted to go to China so bad. So my last example: if I want to go to China, I need to get myself a visa, right? So I went to the China Foreign Office. This is the English side of the China Foreign Office, which tells you what was there: oh yeah, we met with President Bush, yeah, it's so cool, and we just had a visit, or Colin Powell, we visited, and blah blah blah, and a bunch of stuff that really helps you get to China, and they really update the website, July 10, OK, leave them alone. I guess they're running Windows 2000. You want to see what ports are open? Here you go, but just as a reminder, this is a byproduct of the Nmap scan; the real cool thing is that I scanned it with two packets, man, just to see the ports: the NetBIOS-SSN stuff, well, gee, don't we need updates from home, and pcAnywhere, you know, if someone really important comes to China and we need to update it immediately. I hope the admin will stay alive after this talk, so I guess my name will be up front on the list of the people who will not visit China in the next couple of years, and I will need to get a visa to get to China.

So these were just port scans and scans with my tool, just to show you that in order to get accurate results you don't need to puke on the network; you can do it wisely. Now, how wisely can you do that for the operating systems? It is listed here: one query, two queries, three queries, four queries, and the tool is just 0.0.1 without a failover mechanism, so I guess it's pretty cool. What do I have to do next, or what do I have to implement? And I'll do that fast: I need to put some firewall checks, more firewall checks, and I need to do the logic thing, and I need to add DB support and a fingerprinting DB, more logic, failovers, artificial intelligence, and you saw that this is working. So, oh well, what will happen with 0.0.2? This is no person's project; in the next couple of days there will be a page stating if you want to send me some information or fingerprints about the stuff you want to show me, or you want to donate hardware, because I have only two boxes, and installing 15 operating systems in four hours just to check something is not that nice. If you'll go to my website, you can go and download the tool.

This is, you know, the last thing I added between Black Hat and DEF CON. Everybody is doing host detection, port scanning, then OS fingerprinting and then exploiting. This is dumb. Why? Because if I'm doing the OS fingerprinting in my style, if for example I'm using Win2k and I need to exploit IIS, and I'm not endorsing it in any way, no, really, so I can understand that I have Win2k in two packets, and for example if I know what is my target, for example a web server, I can send the exploit right away, so in three or four packets I own the box. And this is really cool, because with the other stuff that is being done today you only scan to understand your operating system, which causes you to send a lot of packets, and basically it's not stealthy; but if you do it the opposite way, using the stuff I showed you here, three to four packets, you own the box. So just think about it. X is available from my website; soon there will be a page for Xprobe on SourceForge, to be a daily CVS. Well, all that, all that too will be unreliable for a lot of
time until we'll stable it and it will be available from Fjelerirachin website as well so we'll have four mirrors for that the failover mechanism was implemented by a simple nomad I didn't check verified it until the end so I might react that part again acknowledgement and this is important so bear with me I'd like to thank DT here for having me for the last year at the black hat world tour JD Glaser who was pressuring me to do the window thing and it's evolved from their simple nomad and told Sabin for the time they gave me last year here at DEF CON we talked to me and basically listened to all my mumbo jumbo when I did not have in really stuff in hand Fjelerirachin for helping implement the stuff Marty wrote from snort for putting stuff at snort Jennifer Granik for the legal advice the people that send me emails and help me out with my research and basically you people for attending here again thank you DT for having me thank you guys