Eric Kollmann

Email: with questions, comments, or derogatory remarks.

Website Construction:

This website was thrown together going on 10 years ago, it uses outdated frames, it has not been moved to .js, or .php, etc, and I like it that way.

Job Info:

I work as a Security Analyst for a University in the Western United States. Most of the certifications I hold are to keep my job, though a few have been for fun.

Certs so I can remember them all (starting in late 2005/early 2006):

Security +

MCSE 2003 + Security

VCP (original and VI 3 one)




GWAPT Programming and OS Identification History:

I've been writing programs to do OS fingerprinting, passive & active since around 2000. I did work, on the side, for GFI when Languard Network Security Scanner was in its early stages there, somewhere in the 1.1 days through LNSS 5 when I left to play in the big desert for awhile. That is when I realy got into Passive OS fingerprinting.

I find Passive Fingerprinting more enjoyable than active in that it is harder to do, in most cases, but it is hard to detect, and better yet, it does not have any chance of bouncing a remote system. Now that I actually support a large enviornment, I understand why some of the other admins disliked me scanning the network. Logs were so full of garbage with those active scans!

DHCP Fingerprinting has been being picked up by the NAC crowd now. A few have contacted myself or Dave about using my XML format in their products in some way/shape/form. Always a good feeling.

Also on the DHCP side of things, NetworkMiner by Erik Hjelmvik, can be found here: it uses my DHCP fingerprint file.


In 2007 I co-presented with David @ Black Hat Japan. It was a good experience overall and I'm glad I did it.

I've written 2 papers, both on this website, that I hope come in useful. I've seen both of them quoted a few times in other research papers since 2005 when I published the first one. That is always good to see.

I plan on writing a few more, but there is never enough time.

ARP Scanning - is the one I hope to write next, I have some of the research done. It has to do with SAM, my ARP fingerprinting program.

Remote VM Detection - very limited info, but intelguardians mention using TCP and ICMP packets. Looking at possiblities there. Have a program underway that may be useful there.