Defacement Mirror to Track OS
Thu Aug  5 23:03:15 MDT 1999
ATTRITION Staff

At the suggestion of several users as well as the Attrition staff
getting motivated, the defacement mirror will now reflect the operating 
system of each defaced host. This is being implemented to help assess
what Operating Systems are more prevalent to attack.

Using two utilities, the attrition utility written to fetch mirrors
will now notate the OS and include the results on the main mirror
page. With this information, security professionals should be able
to notice trends in potentially vulnerable operating systems and
act accordingly.

The utility designed to perform this function calls on two well known
and stable resources already available to net users. By polling
the Netcraft Survey web page as well as running the NMAP utility with
the 'fingerprinting' option, we are able to accurately guess the 
OS currently running on the vulnerable server. All of this is performed
in conjunction with wget to retrieve mirrors of the sites.

The syntax we use:
 Netcraft: `lynx -dump http://www.netcraft.com/whats/?host=$1 | egrep -A1 "is running"`
 NMAP: `nmap -O $1 | grep -i "system guess"`

If no OS information is returned, the field will be left blank. This
is done to help prevent the return of 'false positives' (inaccurate
information that seems correct).

Attrition staff would like to thank the following:

Bruce Dennison - Inspiration and ideas to implement
Fyodor - For the much needed 'nmap' utility
Netcraft - For a great util/stats page.