Defacement Mirror to Track OS Thu Aug 5 23:03:15 MDT 1999 ATTRITION Staff At the suggestion of several users as well as the Attrition staff getting motivated, the defacement mirror will now reflect the operating system of each defaced host. This is being implemented to help assess what Operating Systems are more prevalent to attack. Using two utilities, the attrition utility written to fetch mirrors will now notate the OS and include the results on the main mirror page. With this information, security professionals should be able to notice trends in potentially vulnerable operating systems and act accordingly. The utility designed to perform this function calls on two well known and stable resources already available to net users. By polling the Netcraft Survey web page as well as running the NMAP utility with the 'fingerprinting' option, we are able to accurately guess the OS currently running on the vulnerable server. All of this is performed in conjunction with wget to retrieve mirrors of the sites. The syntax we use: Netcraft: `lynx -dump http://www.netcraft.com/whats/?host=$1 | egrep -A1 "is running"` NMAP: `nmap -O $1 | grep -i "system guess"` If no OS information is returned, the field will be left blank. This is done to help prevent the return of 'false positives' (inaccurate information that seems correct). Attrition staff would like to thank the following: Bruce Dennison - Inspiration and ideas to implement Fyodor - For the much needed 'nmap' utility Netcraft - For a great util/stats page.