Hi2all,

I hope this can shed some more light on the fingerprint issue ...

This is done by using active tools like nmap, which operate on the principle that every OS's IP stack has its own idiosyncrasies. This means that each OS responds in different ways to malformed packets. A database with these responses is needed by the tool, for comparing the responses of the target OS with the ones from the database. This is called Active Fingerprint.

Passive fingerprint is based on capturing packets sent from the target system. Sniffer traces of those packets are used to determine the OS of the target. To know the OS of the target box, you must know:

TTL (Time To Live) used for outbound packets;
Window Size used;
DF (Don't Fragment bit) is used or not;
TOS (Type of Service) used.

But this is not a guarantee that you will know the OS on the target machine, it is just a way of trying to know. As you may know, IT is not an exact science; when it is, my technical client support job will blow up eheh

It is also not hard to mix things up so that your OS can't be fingerprinted, like you can change the default TTL value:

    echo 'number' > /proc/sys/net/ipv4/ip_default_ttl

I hope this can help on our esoteric issue =)

Much better than me, the SuSE Security Team has the knowledge to clarify such things (sorry guys but I have enough trouble helping my own clients eheh). And they can also talk a little about this kind of tool, like the tests they have done with Nessus for 64bit systems, that they could share with us (could they? at least it is much better info than some Linux magazine cover on resumes, don't you think? eheh)

[ ]'s
bacano
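The four header fields the post lists for passive fingerprinting can be read directly from a captured IPv4/TCP packet. The Python below is an added example, not part of the original post; the function names, the constructed sample packet and the list of common initial TTLs (32, 64, 128, 255) are assumptions for illustration.

```python
import struct

# Assumption: initial TTLs commonly seen in the wild. The observed TTL is the
# sender's initial TTL minus the number of router hops on the path.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def passive_fields(packet: bytes) -> dict:
    """Return the TTL, window size, DF bit and TOS of a raw IPv4/TCP packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _len, _id, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length varies with IP options
    if ihl < 20:
        raise ValueError("invalid IPv4 header length")
    if proto != 6:
        raise ValueError("not a TCP segment")
    if flags_frag & 0x1FFF:
        raise ValueError("non-first fragment carries no TCP header")
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    (window,) = struct.unpack("!H", packet[ihl + 14:ihl + 16])
    initial = next(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return {
        "ttl": ttl,
        "initial_ttl_guess": initial,
        "hops_guess": initial - ttl,
        "window": window,
        "df": bool(flags_frag & 0x4000),
        "tos": tos,
    }


def sample_packet() -> bytes:
    """Constructed SYN-ACK for the demo (documentation addresses, no capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 40, 0x1234, 0x4000, 57, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIHHHH", 22, 40000, 1, 1, 0x5012, 5840, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    print(passive_fields(sample_packet()))
```

As the post says, these fields are hints rather than proof: a host that has changed its default TTL will produce a misleading `initial_ttl_guess`.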