Hack.lu is over! A nice security conference in Luxembourg. Had a great time, although the organisation was sometimes a bit messy ;) Reeaaaallly nice and very interesting people, the commercial ratio was very low and finally I met some people in real life whom I had only known virtually.
Well, as you may or may not know, Kevin Finisterre and myself gave a talk about Bluetooth security. Yaaaaaaaaaaawwwwwwwwwwnnnnnn ?

I don't believe so :
- Live demo : Remote ROOT shell over Bluetooth on Mac OS X 10.3.9 / 10.4 (and source code release)
- Live demo : Presenting BTCrack, a Bluetooth PIN and link key cracker. Will be released on Nruns.com complete with source code in a few weeks!
- Clearing the air about Inqtana (the PoC worm Kevin created)
- FUD reduced to a minimum. What's a threat, what isn't.
- Download our slides from Hack.lu
See you next year !

I started using this tool last year during internal tests, and it was immediately obvious to me that this is a great tool to have. Its name is Satori. If you have never heard about it, that's not proof that the tool is no good, but rather that its author, Eric Kollmann, does not really seem to care whether you have (or at least doesn't shout it from every rooftop).
I found out about Satori while reading the paper "Chatter on the Wire" (by the same author), which goes to great lengths about passive OS fingerprinting and its potential for improvement over what several other tools do.

What is interesting is that the paper was not only theoretical but also practical: its outcome was Satori, a beautiful plug-in based passive enumeration and fingerprinting tool.
Satori uses WinPcap and captures packets passively at the NDIS level; every packet flying by is scrutinised for information that might determine its OS. Nothing new here, you might say, but Satori does the fingerprinting on DHCP, BOOTP, ICMP, TCP, CDP, EIGRP, HPSP, HSRP, HTTP, IPX, SMB, SNMP, STP and UPNP, precisely enough to either correlate the results with nmap or to rely on them outright. It makes spotting potentially vulnerable systems a breeze.
It's obviously very handy for critical networks where you are not allowed to scan, or only allowed a minimum of scanning. (This does exist.)
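To show what one of those passive checks looks like in practice, here is an added example (not Satori's code, and the signature table is constructed for illustration, not Satori's database): it parses the options area of a DHCP packet and matches the option 55 "parameter request list", which differs between DHCP client implementations, against a small signature table, without ever sending a packet.

```python
# Constructed signature table (illustrative values, not Satori's database):
# maps a DHCP option 55 "parameter request list" to an OS label.
SIGNATURES = {
    (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows (constructed sample)",
    (1, 3, 6, 12, 15, 28, 42): "Linux dhclient (constructed sample)",
}

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie following the 236-byte BOOTP header


def parse_dhcp_options(payload):
    """Parse the DHCP options area (after the fixed header and magic cookie).

    Returns {option_code: bytes}. Pad (0) is skipped, end (255) stops parsing,
    and truncated options raise instead of silently yielding partial values."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    opts = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def fingerprint_dhcp(payload):
    """Passively classify a DHCP packet by its parameter request list (option 55)."""
    opts = parse_dhcp_options(payload)
    prl = tuple(opts.get(55, b""))
    msg_type = opts.get(53, b"\x00")[0]
    return {"msg_type": msg_type, "prl": prl, "os": SIGNATURES.get(prl, "unknown")}


def build_discover(prl, hostname=b"host"):
    """Construct a minimal DHCPDISCOVER as sample input (constructed, not captured traffic)."""
    hdr = bytes([1, 1, 6, 0]) + b"\x00" * 232 + MAGIC  # op=BOOTREQUEST, htype=1, hlen=6
    opts = bytes([53, 1, 1]) + bytes([12, len(hostname)]) + hostname
    opts += bytes([55, len(prl)]) + bytes(prl) + b"\xff"
    return hdr + opts
```

In a real deployment the payload would come from a capture library's UDP port 67/68 traffic; the same parser applies, and an unknown list is still worth recording as a new device to review.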

It shows its strength when used in internal networks: I was able to spot machines that didn't belong in a certain critical network immediately (as they broadcast their NetBIOS presence) using only passive means. It's also very useful when doing quick scans (nmap on port 80, for example) across an internal network: it gathers all packets, makes a list of all responding machines, fingerprints them and gives you an exportable list. Very handy.. and speedy, I was able to pump 8000 packets per second through it without any lag or problems.
Nice tool to have in your toolbox. Send its author your support :)