Nmap Announce mailing list archives
Re: fingerprint database
From: Fyodor <fyodor () insecure org>
Date: Tue, 13 Nov 2001 02:32:16 -0800
On Fri, Nov 09, 2001 at 07:05:35PM +0100, rieger () dest-unreach org wrote:
> For me fingerprinting is nmap's most interesting feature. But recently I got a "Mac OS" response for a system that turned out to be some HP-UX box;
Actually this is a commonly reported problem that I am looking into. As counterintuitive as it sounds, the TCP stack of some HP boxes is extraordinarily similar to that of late-model Macs! If you (or anyone else with this problem) send me the Nmap output as well as the details of the host you are scanning (OS version #, basic hardware specs, IP if available), I will investigate. This goes for any misdiagnosis -- not just Macs recognized as HP. But be sure you have a clear connection to the target with no NAT gateways or load balancers in the way.
> A simple "grep -i linux nmap-os-fingerprints" results in something like this (sorted by kernel version):
> [ Cut ]
> This looks a little chaotic with its sporadic hardware or distribution dependence, overlapping version ranges, and ambiguities.
The Nmap fingerprint file is "a little chaotic" because it is modeling a chaotic world :). Overlapping versions are legitimate -- it may be that they represent a series of tweaked kernels shipped by a certain distributor. Or it may be that they have a common patch installed. In the same way, hardware & distribution specifiers are sporadic because many fingerprints are too general to have such an association. In addition, the fingerprint database is evolving. If someone sends me a new fingerprint for "OpenBSD 2.9 on MIPS", I start with all of that information. Then I generalize it if someone reports the same fingerprint on SPARC or against OpenBSD 2.8. This is why the mechanism depends so much on feedback. Even if a fingerprint is only slightly wrong (like it says Linux kernel 2.4.1-2.4.5 and you are using 2.4.6), just drop me a quick note telling me exactly what Nmap reported and what you are using.
> discovery. Why interesting? Because many operating systems provide system wide and/or per socket options to tune these values! While this fact seems to be known (e.g., http://razor.bindview.com/publish/papers/tcpseq.html#conclude last paragraph), the fingerprints database does not reflect it.
Well, operating systems may offer a lot of flexibility in this regard. But how many people do you think change their default TCP Window Scaling behavior? It rounds to zero percent. But if a distribution ships with a different version, it will soon be added to the fingerprint file as users scan & report those boxes. I do try to reflect parameters that are commonly changed (especially if they are security related). For example, Solaris has a tcp_strong_iss ndd parameter that allows users to tweak the initial sequence number predictability strength. You'll find separate fingerprints in the DB reflecting the various values of that variable. Same thing with the HP equivalent (tcp_random_seq).
> So, let's do some magic: I found an opportunity to update me old Linux 2.2.10 kernel to 2.2.19 without rebooting! Here is the trick:
Neat :). And if you really want to get carried away, you can go to http://ippersonality.sourceforge.net/ and download code to make your Linux box look like an Appletalk Printer :). It is a very cool hack, but I don't actually recommend it. There are probably more effective ways you can spend your security effort than trying to obfuscate your OS from Nmap scans. Skilled attackers will figure it out anyway, and the script kiddies generally just blast their exploits at anything with port XX open :). Plus some of these patches have suffered security holes of their own! This does bring up an important point -- Nmap fingerprinting is designed to quickly provide an accurate OS guess for commonly encountered systems. If an administrator is actively mangling his kernel TCP parameters to confuse Nmap, then identification may require more work than "nmap -O". You can try application/banner fingerprinting or comparing the fingerprint against the Nmap DB manually.
> (you need a software that allows you to set the SO_RCVBUF and IP_MTU_DISCOVER sockopts; you might checkout the beta version of socat at http://www.dest-unreach.org/socat/)
Looks like an interesting and useful program :).

Cheers,
Fyodor

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
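The thread above turns on two properties of the first-generation nmap-os-fingerprints file: entries with overlapping version ranges can legitimately match the same host, and a locally tuned TCP parameter (such as the receive window changed through SO_RCVBUF) alters one attribute and can turn a clean match into a miss. The following is an added example, not code from the original post and not Nmap's own matcher: a small parser for that file format plus a matcher that handles exact values, "|" alternatives and the "<"/">"/"&" hex-range operators (the real format has more operators; this is a subset). All fingerprint entries and probe responses in it are constructed for illustration and are not copied from the real database.

```python
"""Added example: parse a 1st-gen nmap-os-fingerprints style database and
match an observed fingerprint against it.  Not Nmap's code; entries and
observed responses below are constructed, not real fingerprints."""
import re

# Constructed sample database in the 1st-gen layout: a "Fingerprint <name>"
# header followed by per-test lines "Tn(attr=val%attr=val...)".
SAMPLE_DB = """\
# constructed example entries, not real Nmap fingerprints
Fingerprint Linux 2.4.0 - 2.4.5
TSeq(Class=RI%gcd=<6%IPID=Z%TS=100HZ)
T1(DF=Y%W=7FFF|7D78%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)

Fingerprint Linux 2.4.3 - 2.4.9 (some distribution kernel)
TSeq(Class=RI%gcd=<6%IPID=Z%TS=100HZ)
T1(DF=Y%W=7D78%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)

Fingerprint HP-UX 11.00
TSeq(Class=RI%gcd=<6%IPID=I%TS=U)
T1(DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_test_line(line):
    """'T1(DF=Y%W=7D78)' -> ('T1', {'DF': 'Y', 'W': '7D78'})."""
    m = TEST_LINE.match(line)
    if not m:
        raise ValueError("malformed test line: %r" % line)
    attrs = {}
    if m.group(2):
        for pair in m.group(2).split("%"):
            key, _, val = pair.partition("=")
            attrs[key] = val
    return m.group(1), attrs


def parse_db(text):
    """Return a list of (name, {test: {attr: expr}}) entries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            current = (line[len("Fingerprint "):].strip(), {})
            entries.append(current)
            continue
        if current is None:
            raise ValueError("test line before any Fingerprint header")
        test, attrs = parse_test_line(line)
        current[1][test] = attrs
    return entries


def parse_fingerprint(text):
    """Parse the test lines Nmap prints for an unknown host into {test: attrs}."""
    tests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            test, attrs = parse_test_line(line)
            tests[test] = attrs
    return tests


def value_matches(expr, observed):
    """Match one observed value against a DB expression: '|' separates
    alternatives; an alternative may be '&'-joined hex bounds like '<6'
    or '<3E36CB&>1F1AE6' (values in the file are hexadecimal)."""
    for alt in expr.split("|"):
        if alt == observed:
            return True
        if alt and alt[0] in "<>":
            try:
                n = int(observed, 16)
            except ValueError:
                continue  # non-numeric observation cannot satisfy a range
            ok = True
            for bound in alt.split("&"):
                if not bound:
                    continue
                limit = int(bound[1:], 16)
                if bound[0] == "<" and not n < limit:
                    ok = False
                if bound[0] == ">" and not n > limit:
                    ok = False
            if ok:
                return True
    return False


def entry_matches(entry_tests, observed):
    """True when every test/attribute of a DB entry is satisfied."""
    for test, attrs in entry_tests.items():
        got = observed.get(test)
        if got is None:
            return False
        for key, expr in attrs.items():
            if key not in got or not value_matches(expr, got[key]):
                return False
    return True


def lookup(db, observed):
    return [name for name, tests in db if entry_matches(tests, observed)]


# Constructed probe responses, in the format Nmap prints for an unknown host.
OBSERVED_STOCK = """\
TSeq(Class=RI%gcd=1%IPID=Z%TS=100HZ)
T1(DF=Y%W=7D78%ACK=S++%Flags=AS%Ops=MENNTNW)
T2(Resp=N)
"""
# Same host after the admin raised the receive buffer: only W= changed.
OBSERVED_TUNED = OBSERVED_STOCK.replace("W=7D78", "W=FFFF")


def demo():
    """Returns (matches for the stock box, matches after tuning the window)."""
    db = parse_db(SAMPLE_DB)
    return lookup(db, parse_fingerprint(OBSERVED_STOCK)), lookup(db, parse_fingerprint(OBSERVED_TUNED))


if __name__ == "__main__":
    stock, tuned = demo()
    print("stock window:", stock)   # two overlapping Linux entries match
    print("tuned window:", tuned)   # nothing matches: W= no longer in the DB
```

The stock host matches both overlapping Linux entries, which is the "legitimate overlap" Fyodor describes; after a single window change the same host matches nothing, which is why a tuned stack needs banner fingerprinting or a manual comparison against the database rather than a plain "nmap -O".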