Bypassing Network Access Control (NAC) Systems
Published: September 18th, 2006.
Ofir Arkin

The threat of viruses, worms, information theft and lack of control of the IT infrastructure lead companies to implement security solutions to control the access to their internal IT networks. A new breed of software and hardware solutions from a variety of vendors has recently emerged. All are tasked with one goal ׀ controlling the access to a network using different methods and solutions. This paper will examine different strategies used to provide with network access controls. Flaws associated with different NAC solutions will be presented. These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market.

Click here to download the whitepaper

Risks of Passive Network Discovery Systems
Published: June 20, 2005.
Ofir Arkin

This paper sheds light on the weaknesses of passive network discovery and monitoring systems. It starts by defining passive network discovery, and goes over the advantages and disadvantages of the technology. It then demonstrates why passive network discovery cannot live up to its expectation, and is unable to deliver the promise of complete, accurate and granular network discovery and monitoring.

Click here to download the whitepaper.

On the Deficiencies of Active Network Discovery Systems
Published: June 20, 2005.
Ofir Arkin

This paper discusses the deficiencies of active network discovery technology. It starts by defining active network discovery, and goes over the advantages and disadvantages of the technology. It then demonstrates why active network discovery cannot live up to its expectations, and is unable to deliver the promise of complete, accurate and granular network discovery and monitoring.

Click here to download the whitepaper.

The Present and Future of Xprobe2 – The Next Generation of Active Operating System Fingerprinting
Published: July 31, 2003.
Ofir Arkin, Fyodor Yarochkin, Meder Kydyraliev

Although some advancement was made in the field of active operating system fingerprinting in the recent years, still, there are many issues to resolve. This paper presents the enhancements made with Xprobe2 v0.2 RC1 and discusses the tool’s future development. Both the present and future versions of Xprobe2 introduce many enhancements and advancements to the field of active operating system fingerprinting, which are discussed throughout the paper.

The paper in PDF format [~492kb]

Etherleak: Ethernet frame padding information leakage
Published: January 6th, 2003.
Ofir Arkin & Josh Anderson

Multiple platform Ethernet Network Interface Card (NIC) device drivers incorrectly handle frame padding, allowing an attacker to view slices of previously transmitted packets or portions of kernel memory. This vulnerability is the result of incorrect implementations of RFC requirements and poor programming practices, the combination of which results in several variations of this information leakage vulnerability. This bug is explored in its various manifestations through code examples and packet captures. Solutions to this flaw are provided.

The paper in PDF format [~281kb]

More information regarding Etherleak can be found here.

The CERT/CC Vulnerability Note VU#412115
The advisory note sent to Bugtraq

Security Risk Factors with IP Telephony based Networks
Published: November 23, 2002.
Ofir Arkin

IP Telephony based networks, which might be a core part of our Telephony infrastructure in the near future, introduce caveats and security concerns which traditional telephony based networks do not have to deal with, have long forgotten about, or have learned to cope with. The security risk is usually overshadowed by the technological hype and the way IP Telephony equipment manufacturers push the technology to the masses. This paper highlights the different security risk factors with IP Telephony based networks.

The paper in PDF format ~450kb

The Cisco IP Phones Compromise
Published: September 19th, 2002.
Ofir Arkin

The following paper lists several severe vulnerabilities with Cisco systems’ SIP-based IP Phone 7960 and its supporting environment. These vulnerabilities lead to complete control of a user’s credentials, the total subversion of a user’s settings for the IP Telephony network, and the ability to subvert the entire IP Telephony environment. Malicious access to a user’s credentials could enable “Call Hijacking”, “Registration Hijacking”, “Call Tracking”, and other voice related attacks. The vulnerabilities exist with any deployment scenario, but this paper deals specifically with large scale deployments as recommended by Cisco.

The paper in PDF format [~492kb]

XProbe2 – A ‘Fuzzy’ Approach to Remote Active Operating System Fingerprinting
Version 1.0
Published: August 2nd, 2002.
Ofir Arkin & Fyodor Yarochkin

The tools used today for remote active operating system fingerprinting use a signature database to perform a match between the results they receive from a targeted machine and known operating system fingerprints. Usually, the process is done by utilizing strict signature matching to identify the type of the remote operating system. The operating system fingerprinting tools that rely on strict signature matching face several problems with their way of operation, which when present lead to false identification of the target operating system(s). With this paper we present a different approach to signature matching with remote active operating system fingerprinting. Our approach is one which aims to solve the problems presently faced by remote active operating system fingerprinting tools, as well as providing more accurate results when used against any network topology.

The paper in PDF format

Trace-Back: A Concept for Tracing and Profiling Malicious Computer Attackers
Version 1.0
Published: January 31st, 2002.
Ofir Arkin

In the computer security arena, every now and then, a vulnerability comes along causing a significant impact. The impact of a vulnerability is based on factors such as popularity of the vulnerable platform and the ease of exploitation of the vulnerability. Lots of research gets done on a vulnerability, beginning from its origin to the various permutations and combinations of exploit code that come out subsequently. In recent years, we have seen self-propagating exploit code (in other words, worms) becoming quite popular.

Very little is known about the events taking place in the time period between the instance that a vulnerability gets discovered by an individual or a small group of individuals, and the moment when exploit code becomes publicly available on the Internet. To zero in on the origins of a particular piece of exploit code is quite a daunting task. Very little research has been done on the subject outside of government or military organizations. Tracing back origins is a very tricky task, especially if one has to reconstruct events backwards. This paper addresses this very issue – trying to roll the film reel backwards from the time the exploit code becomes widespread in public, and filling in the blank frames to the beginning of the movie. This may not be the ultimate “big-bang” theory of the exploit universe, but it provides us with new viewpoints on exploits and their originators…

The paper in PDF format

Version 1.0
Published: August 14, 2001.
Ofir Arkin & Fyodor Yarochkin

X is a logic which combines various remote active operating system fingerprinting methods using the ICMP protocol, which were discovered during the “ICMP Usage in Scanning” research project, into a simple, fast, efficient and a powerful way to detect an underlying operating system a targeted host is using.

Xprobe is a tool written and maintained by Fyodor Yarochkin ( and Ofir Arkin ( that automates X.

Why X?
X is a very accurate logic.

Xprobe is an alternative to some tools which are heavily dependent upon the usage of the TCP protocol for remote active operating system fingerprinting. This is especially true when trying to identify some Microsoft based operating systems, when TCP is the protocol being used with the fingerprinting process. Since the TCP implementation with Microsoft Windows 2000 and Microsoft Windows ME, and with Microsoft Windows NT 4 and Microsoft Windows 98/98SE are so close, usually when ‘ using the TCP protocol with a remote active operating systems fingerprinting process we are unable to differentiate between these Microsoft based operating system groups. And this is only an example…

The paper in PDF format

ICMP Usage In Scanning
Version 3.0
Published: June 2001.

The Internet Control Message Protocol may seem harmless at first glance. Its goals and features were outlined in RFC 792 (and than later cleared in RFCs 1122, 1256, 1349, 1812), as a way to provide a means to send error messages, troubleshoot networking problems, and more.

There is no consent between the experts in charge for securing Internet networks (Firewall Administrators, Network Administrators, System Administrators, Security Officers, etc.) regarding the actions that should be taken to secure their network infrastructure in order to prevent those risks.

The risks involved in implementing the ICMP protocol in a network, regarding scanning, are the subject of this research paper.

The paper in PDF format

Identifying ICMP Hackery Tools Used In The Wild Today

Version 1.0
Published: December 2000.

Several tools exist in the wild today that allow a malicious computer attacker to send crafted ICMP datagrams. Those datagrams can be used for various tasks: host detection, advanced host detection, Operating System Fingerprinting and more. This article by Ofir Arkin will examine whether we can identify the different tools used for ICMP hackery that are available in the wild today. If we can identify the tool, we may be able to identify the underlying operating system or a number of operating systems that this tool might be running on top of.

Unverified Fields – A Problem with Firewalls & Firewall Technology Today
Version 1.0
Published: October 2000.

The following problem (as discussed in this paper) has not yet been identified. Certain firewalls today, will not authenticate the validity of certain protocol fields, within the packet they are processing.

The risk is exposure of information. What kind of information can be exposed? Mainly it will be unique patterns of behavior produced by the probed machines answering our crafted queries (or other kind of network traffic initiated in order to elicit a reply)…

The paper in PDF format

Network Scanning Techniques
Version 1.0
Published: November 1999.

Take a walk throgh Network Scanning Techniques used by hackers today. Learn how they use simple & sophisticated tools to gather information about a potential target…

The paper in PDF format


%d bloggers like this: