CLEANACCESS Archives

October 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject: (none)
From: Joe Feise <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Tue, 17 Oct 2006 23:27:01 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (28 lines)

On Thu, 28 Sep 2006 09:29:40 -0400, Brad Kramer <[log in to unmask]> wrote:

>This uses tcp/ip fingerprinting to detect the OS in a passive role...

A reasonably smart computer science student can easily bypass that. There is
a tool called security cloak, which changes the TCP parameters to match one
of 21 different operating systems.
We have used that to design a little program to bypass the CCA client
installation and automate the login.
See http://www.securityfocus.com/archive/1/444424/30/0/threaded

The previous "detection method", using the browser user-agent string, was,
quite frankly, brain-dead. Anybody using the browser user-agent string for
anything is stuck in the mid-90s.

In my opinion, CCA is inherently flawed. It relies on whatever the client
reports, and anybody who has ever done client-server development knows that
the server should never trust anything that the client sends.

Using Nessus, btw, doesn't change that. I can put a $30 Linux-based router
in front of a Windows machine, and Nessus will detect it perfectly as a
Linux box.

I only found this list through a Wikipedia article on CCA, and I am actually
surprised that there seems to be complete ignorance of this vulnerability
here. Shouldn't network admins subscribe to lists like Bugtraq to stay
informed about threats to their networks?
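The post's two technical points (a passive TCP fingerprint and a User-Agent string are both chosen by the client, and a Windows host behind a Linux router fingerprints as Linux) as an added example, not code from the thread or from Cisco Clean Access. The signature table, the `Observation` fields and the two policies are constructed for illustration; a real NAC uses many more packet fields, but the decision logic is the point: client-chosen signals are hints to cross-check, never grounds for exempting a host from posture assessment.

```python
"""Toy NAC admission policy showing why client-supplied signals must not
be trusted on their own. Added example for this thread; values constructed."""

from dataclasses import dataclass

# Constructed passive-fingerprint table: (initial TTL, TCP window) -> OS guess.
# Every field here is set by the sending host (or by a NAT router in front
# of it), so the guess is only as trustworthy as the client is honest.
TCP_SIGNATURES = {
    (128, 65535): "windows",
    (64, 5840): "linux",
    (64, 65535): "macos",
}


def guess_os_from_tcp(ttl: int, window: int) -> str:
    """Passive OS guess from an observed TTL and TCP window (constructed table)."""
    # Round the observed TTL up to the nearest common initial TTL.
    initial_ttl = next((t for t in (64, 128, 255) if ttl <= t), 255)
    return TCP_SIGNATURES.get((initial_ttl, window), "unknown")


def guess_os_from_user_agent(ua: str) -> str:
    """OS guess from the browser User-Agent header (entirely client-chosen)."""
    ua = ua.lower()
    if "windows" in ua:
        return "windows"
    if "linux" in ua:
        return "linux"
    if "mac os" in ua or "macintosh" in ua:
        return "macos"
    return "unknown"


@dataclass
class Observation:
    ttl: int
    window: int
    user_agent: str
    agent_checked_in: bool  # did the posture agent actually report to the server?


def admission_decision(obs: Observation) -> dict:
    """Compare a weak, client-trusting policy with a hardened one."""
    tcp_guess = guess_os_from_tcp(obs.ttl, obs.window)
    ua_guess = guess_os_from_user_agent(obs.user_agent)
    findings = []
    if tcp_guess != ua_guess:
        # Two client-chosen signals disagree: a host behind a NAT router,
        # a spoofed stack, or a spoofed browser. Worth a look either way.
        findings.append(f"fingerprint mismatch: tcp={tcp_guess} ua={ua_guess}")

    # Weak policy (the one the post criticises): hosts that "look" non-Windows
    # are exempted from the agent, so the fingerprint alone decides access.
    if tcp_guess != "windows":
        weak = "allow"
    else:
        weak = "allow" if obs.agent_checked_in else "remediate"

    # Hardened policy: no exemption is ever granted from a client-chosen
    # signal; only a server-verified posture report admits the host, and any
    # disagreement between signals sends it to quarantine for review.
    strong = "allow" if obs.agent_checked_in and not findings else "quarantine"

    return {"tcp": tcp_guess, "ua": ua_guess, "findings": findings,
            "weak": weak, "strong": strong}


if __name__ == "__main__":
    # The post's router case: Windows browser, Linux-looking TCP stack (NAT).
    behind_router = Observation(63, 5840, "Mozilla/5.0 (Windows NT 5.1)", False)
    print(admission_decision(behind_router))
```

Running the block prints the router case: the weak policy admits the host because the TCP stack looks like Linux, while the hardened policy quarantines it because the User-Agent disagrees with the fingerprint and no posture report was received.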
