News
September 18th, 2006
New whitepaper release: Bypassing Network Access Control (NAC) Systems. The paper examines the different strategies used to provide network access control and their associated flaws. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market.
August 3rd, 2006
Download Ofir Arkin’s presentation given at Blackhat USA 2006 about bypassing network access control systems.
May 2006
Ofir Arkin to speak at Blackhat USA 2006 (August 2-3, 2006; Caesars Palace, Las Vegas, USA) about bypassing network access control systems.
July 29th, 2005
Version 0.3 of xprobe2, a remote active OS fingerprinting tool, was released today at Defcon 13. This version contains new application-based OS fingerprinting modules (SMB and SNMP), bug fixes, and new OS signatures.
June 20th, 2005
New whitepaper release: Risks of Passive Network Discovery Systems. The whitepaper sheds light on the weaknesses of passive network discovery and monitoring systems.
May 16th, 2005
Ofir Arkin to speak at Defcon 13 (July 29-31, 2005; Alexis Park, Las Vegas, USA) about ‘Next generation infrastructure discovery, monitoring and control’ and about ‘On the Current State of Remote Active OS Fingerprinting’.
May 15th, 2005
Ofir Arkin to speak at Blackhat USA 2005 (July 27-28, 2005; Caesars Palace, Las Vegas, USA) about next generation infrastructure discovery, monitoring and control.
April 15th, 2005
Ofir Arkin to speak at NetSEC 2005 (June 13-15, 2005; The Phoenician, Scottsdale, Arizona, USA) about next generation infrastructure discovery, monitoring and auditing.
February 25th, 2005
Ofir Arkin to speak at Interz0ne IV about next generation infrastructure discovery.
February 17th, 2005
Version 0.2.2 of xprobe2, a remote active OS fingerprinting tool, was released today. This version contains a new fingerprinting module (R|A), an experimental obstacle detection module, bug fixes and signature DB additions. Xprobe2 v0.2.2 is the most accurate release of the tool to date.
February 14th, 2005
A new version of Xprobe2 will be released at the IT Underground computer security conference in Prague.
February 1st, 2005
Ofir Arkin to speak at the IT Underground computer security conference about the accuracy of remote active OS fingerprinting tools.
December 20th, 2004
Version 0.2.1 of xprobe2, a remote active OS fingerprinting tool, was released today.
May 28, 2004
The AusCERT 2004 presentation, “Why E.T. Can’t Phone Home? - Security Risk Factors with IP Telephony based Networks”, is available for download. For more information please see the past conferences section.
May 10th, 2004
The second edition of the Honeynet team’s book was released. Know Your Enemy, 2nd Edition is a total re-write of the original, resulting in over 700 pages of detailed information and examples. We cover everything from how to deploy the latest honeynet technology, to analyzing the data they collect and what we have learned. Each chapter is written by individuals who specialize in that area. Example chapters, including chapter 16: Profiling, of which I was one of the authors, can be downloaded from the Honeynet project’s book web site.
October 1st, 2003
Xprobe2 v0.2 was released today at Blackhat Federal 2003.
July 31st, 2003
Xprobe2 v0.2rc1 was released today at the Blackhat Briefings.
April 7th, 2003
Advisory release: “Using ICMP queries to fingerprint some networking equipment”. For more information please see the advisories section.
April 7th, 2003
xprobe2 0.1, an active OS fingerprinting tool, was released today.
March 27th, 2003
Interviewed by Kevin Poulsen from SecurityFocus about the FBI’s intention to put surveillance on IP Telephony. For more information please see the articles section.
February 10th, 2003
Advisory release - “IOS Accepts ICMP Redirects in Non-default Configuration Settings”. For more information please see the advisories section.
January 6th, 2003
Paper release - “Etherleak: Ethernet frame padding information leakage”. For more information please see the papers section.
December 6th, 2002
The HiverCon 2002 presentation, “Why E.T. Can’t Phone Home? - Security Risk Factors with IP Telephony based Networks”, is available for download. For more information please see the conferences section.
November 23rd, 2002
Paper release - “Security Risk Factors with IP Telephony based Networks”. For more information please see the papers section.
November 5th, 2002
An article in the November issue of Network Magazine features Ofir Arkin’s VoIP Security research. For more information please see the articles section.
September 19th, 2002
“The Trivial Cisco IP Phones Compromise” paper was released. For more information please see the papers section.
August 20th, 2002
Advisory: More Vulnerabilities with Pingtel xpressa SIP-based IP Phones. For more information please see the advisories section.
August 9th, 2002
Xprobe2 version 0.1 release candidate 1 has been released. The release fixes a number of bugs in the program.
August 2nd, 2002
Xprobe2 has been released along with a white paper. For more information please see the papers section.
July 12th, 2002
Advisory: Multiple Vulnerabilities with Pingtel xpressa SIP Phones. For more information please see the advisories section.
May 28th, 2002
Posted to Bugtraq about a “Nuisance with small (< 46bytes) IP packets and tcpdump”. For more information please see the advisories section.
May 7th, 2002
The CanSecWest/Core02 presentation I gave about VoIP Security is now available online.
April 13th, 2002
An update of my original postings about the IP ID handling in the ICMP and UDP protocols with Linux Kernel 2.4.x was sent to bugtraq. For more information please see the advisories section.
April, 2002
;login: magazine has published my article about Xprobe in its April 2002 edition. A copy of the article is available locally in pdf format.
February 5-8, 2002
Got back from the BlackHat Briefings Windows 2002 in New Orleans, where I lectured about “VoIP - The next generation of Phreaking”. I also held a training session about the ICMP protocol.
January 31st, 2002
Trace-Back, a white paper describing “A Concept for Tracing and Profiling Malicious Computer
January 25th, 2002
Posted to Bugtraq about “Identifying PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall Installed (no need to be enabled) on Microsoft Windows Based OSs”. For more information please see the advisories section.
November 21st-22nd, 2001
Got back from the BlackHat Briefings Europe 2001 conference in Amsterdam, where I lectured about “Xprobe - Remote ICMP Based OS Fingerprinting Techniques”. I also held a training session about the ICMP protocol.
October 25th, 2001
Xprobe version 0.0.2 has been released.
August 14th, 2001
The X white paper was released today. See the papers page for more details.
August 11th, 2001
Phrack 57 is out featuring our article about ICMP based remote OS TCP/IP stack fingerprinting techniques.
July 24th, 2001
X version 0.0.1p1 is officially released. The new version has several new options, including the ability to scan an IP range, the ability to specify the targeted UDP port, and a manual page.
July 12th, 2001
X version 0.0.1 was officially released at the Black Hat Briefings 2001.
July 7th, 2001
A post titled “ICMP Echoing Integrity Problems with the IP Header’s 3Bits flags and Offset Fields” was sent to Bugtraq. See the advisories section for more details.
June 26th, 2001
A post titled “Identifying OpenBSD 2.6-2.9 based machines using ICMP Port Unreachables” was sent to Bugtraq. See the advisories section for more details.
June 4th, 2001
Version 3.0 of my research paper “ICMP Usage In Scanning” was released today. See the papers section for more details.
May 9th, 2001
A post titled “Fingerprinting Linux Kernel 2.4.x based machines using ICMP” was sent to Bugtraq. See the advisories section for more details.
May 5th, 2001
A post titled “Fun with IP Identification Field Values (Identifying Older MS Based OSs)” was sent to Bugtraq. See the advisories section for more details.
May 2nd, 2001
A post titled “Several Misbehaviors with the ICMP implementation (and the ‘ping’ utility) with MS based operating systems” was sent to Bugtraq. See the advisories section for more details.
April 26-27, 2001
I lectured at “The Blackhat Briefings 2001” in Singapore. My lecture title was “ICMP Usage In Scanning (The Advanced Methods)”. I also held a full-day training on “Advanced System Scanning with ICMP”.
April 25th, 2001
Held a full-day training titled “Advanced System Scanning with ICMP” at “The Blackhat Briefings 2001” in Singapore.
April 23-24, 2001
I lectured at “The Blackhat Briefings 2001” in Hong Kong. My lecture title was “ICMP Usage In Scanning (The Advanced Methods)”.
April 10th, 2001
I have finally added some of the pictures I took at the BlackHat Win2k Security conference back in February 2001 in Las Vegas.
February 14-15, 2001
I have spoken at the “Blackhat Windows 2000 Security Conference” about “Active & Passive Fingerprinting of Microsoft Based Operating Systems using the ICMP protocol”.
February 12-13, 2001
Did a full-day training at the “Blackhat Windows 2000 Security Conference” on “Advanced Scanning Techniques with ICMP”. I would like to thank the attendees for their participation.
January 8th, 2001
An article about “Hackers and the Industry” was published today in the Israeli newspaper Ma’ariv. I was asked to provide my opinion on the subject.
January 5th, 2001
A letter to the Editor I have sent to Network Magazine was published in the January 2001 volume of the magazine.
January 1st, 2001
Sys-Security.com has a new look and feel. Hope you will enjoy it.
December 22nd, 2000
Version 2.5 of the “ICMP Usage In Scanning” research paper was released today. This version introduces more OS fingerprinting methods, and new dirty tricks with the ICMP protocol. The research paper is available from the papers section.
December 20th, 2000
Introduced a more advanced set of basic ICMP rules for Snort. They are available for download. The rule base now alerts on packets with a legitimate ICMP Type but a bad ICMP Code.
December 13th, 2000
Introduced basic ICMP rules for Snort. They are available for download.
December 6th, 2000
A post about “Foundry Networks Networking Devices Padded Bytes with ICMP Port Unreachable(s) - The 12 Bytes from No Where” was sent to Bugtraq. See the advisories section for more details.
December 6th, 2000
A post about “LINUX ICMP Error Message Quoting Size Differences (The 20 Bytes from No Where)” was sent to Bugtraq. See the advisories section for more details.
December 6th, 2000
A post about “ICMP Error Message Quoting Size With Different Operating Systems” was sent to Bugtraq as a fix to my previous post about this subject. See the advisories section for more details.
December 4th, 2000
An article I wrote titled “Identifying ICMP Hackery Tools Used In The Wild Today” was published in the IDS section of SecurityFocus.com. You can view a local copy or go to SecurityFocus.com.
November 25th, 2000
A post about Sun Solaris, HP-UX 11.x and LINUX based machines identification according to their ICMP Error Message Quoting size was sent to Bugtraq. See the advisories section for more details.
November 23rd, 2000
Reported a BUG with Novell Netware’s Echoing Integrity with ICMP Fragment Reassembly Time Exceeded error messages to Bugtraq and Novell. See the advisories section for more details.
November 20th, 2000
Lectured at the Second Annual Israeli Security Conference. Lecture Title: “Identifying ICMP Hackery Tools Used In the Wild Today”.
November 17th, 2000
Two new fingerprinting methods using crafted ICMP Query Messages (and replies) were found. One deals with echoing the Precedence Bits field value, and the second with echoing the TOS Byte’s Unused bit. Both methods allow fingerprinting of Microsoft Windows 2000 Family based machines. Posts about this issue were sent to Bugtraq. See the advisories section for more details.
November 12th, 2000
An article about my lecture at BlackHat was published in the Israeli Newspaper Maariv.
November 6th, 2000
Rik Farrow published an article in Network Magazine titled “System Fingerprinting With Nmap”. In his article he again mentions the work I have done with ICMP research.
October 23rd-25th, 2000
I spoke at Blackhat 2000 Amsterdam. I gave two lectures, one at the training session that JD Glaser held, and one on the convention’s second day. Both my lectures will be available from the Blackhat web site.
October 20th, 2000
Sent another Bugtraq post titled “TOS bits (=field) Echoing with ICMP Error Messages”. See the advisories section for more details.
October 19th, 2000
After mixing some stuff with “TOS Field value in ICMP Error Messages with LINUX Kernels 2.2.x & 2.4” I have corrected that post and sent another titled “Precedence field value in ICMP Error Messages with LINUX Kernels 2.2.x & 2.4”. See the advisories section for more details.
October 18th, 2000
We got a new, and faster link to the net.
October 14th, 2000
Posted the “FreeBSD 4.x Bug with ICMP Error Messages” to Bugtraq. It deals with a bug in quoting the correct IP ID field value in the quoted ICMP Header of the offending packet within the ICMP Error message FreeBSD 4.x produces. See the advisories section.
October 14th, 2000
Published a short paper titled: “Unverified Fields - A Problem with Firewalls & Firewall Technology Today”. See the papers section.
October 14th, 2000
Posted the “TOS Field value in ICMP Error Messages with LINUX Kernels 2.2.x & 2.4” to Bugtraq. It clarifies the issue. See the advisories section.
October 8th, 2000
A final correction for “The DF Bit Playground” post, sent to Bugtraq back on September 13, was posted to Bugtraq. See the advisories section.
October 8th, 2000
Sent another post to Bugtraq about “ICMP Timestap with code!=0 - LINUX 2.2.x and 2.4.x changed pattern”. See the advisories section.
September 19th, 2000
New look for the web site!
September 13th, 2000
Published corrections for the “Using the Unused” & for the “DF Bit Playground” Bugtraq posts.
September 12th, 2000
Published two new Fingerprinting methods. See the advisories section.
September 10th, 2000
Version 2.01 of the “ICMP Usage In Scanning” Research paper was published. See the papers section for more information.
September 5th, 2000
Rik Farrow published an article in Network Magazine titled “ICMP Stands For Trouble”. In his article he mentions more than once the work I have done with ICMP research.