Nmap Announce mailing list archives

Re: OS fingerprinting technique

From: olivier courtay <olivier.courtay () intranode com>
Date: Fri, 19 Apr 2002 14:40:21 +0200

Hello,

Lots of people want Ring patch for Nmap.
Please find enclosed the first release of Nmap patch.

In order to apply the patch, follow the instructions below:

        Install Libnet(1.0.2a) (www.packetfactory.net/Projects/Libnet)
        Install Libdnet(1.2) (libdnet.sourceforge.net)
        Get nmap-2.54BETA32.tgz source tarball(www.insecure.org)
        untar the source: tar zxvf nmap-2.54BETA32.tgz
        Go to the source directory nmap-2.54BETA32
        uncompress patch gunzip nmap-Ring.patch.gz in this directory.
        applied the Ring patch:
 
        patch -p 1 < nmap-Ring.patch
 
        if you have a Linux 2.4 kernel, edit the filter.h and follow
instructions.
 
        For installation, follow Nmap INSTALL file instructions
(./configure && make ).
 
        Use the --ring option when you call Nmap
        (example: nmap --ring -O 192.168.1.1)



We will be very happy to get your feedback on this technique.
Feel free to contact us at: ring () intranode com

Regards,
Olivier

olivier courtay a écrit :


Carefully studying the way TCP works, especially some timer value
inside the TCP stack, we have derived on a new technique for remote OS
detection, based on temporal response analysis.

The idea is quite simple: send a TCP SYN packet to an open port on a
remote system, and listen the different answers (usually successive
SYN/ACK packets). By measuring the number of response, the delay
between retries, and the optional presence of a "RST" packet after a
few answers, we can easily recognize some operating systems.
The nice thing is that it only required to send one packet on an open
TCP port, which make this method really quiet.

As a proof of concept, we also developed a standalone tool "RING"
that will perform these testings and identifications, using a signature
file.

A patch for Nmap-2.54BETA32 is being prepared and should be released
anytime soon
At the moment, ring and nmap OS fingerprinting methods are launched
simulteamously
but results aren't merged for better accuracy.
If you want to try this patch, please send me an
email(ring () intranode com).

More information is available at:
http://www.intranode.com/site/techno/techno_articles.htm

The open source tool can be downloaded from:
http://www.intranode.com/pdf/techno/ring-0.0.1.tar.gz

The open source tool for Linux2.4 kernel can be downloaded from:
http://www.intranode.com/pdf/techno/ring-0.0.1-Linux-2.4.tar.gz

The full, 13 pages, white paper is available at:
http://www.intranode.com/pdf/techno/ring-full-paper.pdf

We will be very happy to get your feedback on this technique.
Feel free to contact us at: ring () intranode com

Thanks,
Olivier


-- 
________________________________
Olivier  Courtay
Research Engineer 
tel: +33 (0) 223 455 524
fax: +33 (0) 223 455 501
mailto: olivier.courtay () intranode com
http://www.intranode.com

Intranode Software Technologies
Security you can see.

Attachment: nmap-Ring.patch.gz
Description:

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to 
nmap-hackers-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).

Current thread:

OS fingerprinting technique olivier courtay (Apr 18)
- Re: OS fingerprinting technique olivier courtay (Apr 19)