Nmap Development mailing list archives

3.70 fingerprinting issues


From: HIP-HiPpO <arthur () zaphod emanet net>
Date: Tue, 28 Sep 2004 03:32:48 -0700

I am attempting to fingerprint a host which has a known fingerprint in 
the nmap-os-fingerprint file.  Here is the fingerprint listed in the 
file.

# HP-UX test01 B.11.11 U 9000/800 1277844053 unlimited-user license
Fingerprint HP-UX 11.11
Class HP | HP-UX | 11.X | general purpose
TSeq(Class=RI%gcd=<6%SI=<C7A6A&>ABA%IPID=I%TS=100HZ)
T1(DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=Y%TOS=0%IPLEN=70%RIPTL=148%RID=F%RIPCK=E%UCK=E%ULEN=134%DAT=E)

The host's banner is captured as 

HP-UX sbuxeu2 B.11.11 U 9000/800 1152444651 unlimited-user license

and the associated fingerprint is 

SInfo(V=3.55%P=i686-pc-linux-gnu%D=9/21%Time=4150C213%O=7%C=1)
TSeq(Class=RI%gcd=1%SI=A636%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=D32D%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=A5F9%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T2(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AR%Ops=WNMETL)
T4(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
T4(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T6(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=70%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This host should map correctly to the fingerprint file, but it does not.
As shown in the received fingerprint, the string "WNMETL" is on almost 
every Tlevel except T5.  Could I receive an explanation on how to fix 
this so the host is correctly identified?

Regards,
Arthur

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org
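
Added example (not part of the original message and not Nmap's own matching code): a small Python comparison of a subset of the lines quoted above (TSeq, T1, T2, T5) that lists which reference attributes no observed attempt satisfies. It assumes a simplified reading of the reference syntax: `<N` and `>N` compare as hexadecimal, `&` joins conditions, `|` separates alternatives, and attributes absent from a reference line are not tested.

```python
import re

# Subset of the lines quoted in the post (TSeq, T1, T2, T5), copied verbatim.
REFERENCE = """\
TSeq(Class=RI%gcd=<6%SI=<C7A6A&>ABA%IPID=I%TS=100HZ)
T1(DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
"""
OBSERVED = """\
TSeq(Class=RI%gcd=1%SI=A636%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T2(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
"""

def parse(text):
    """Return {test: [attrs, ...]}; a test may appear once per probe attempt."""
    tests = {}
    for name, body in re.findall(r"^(\w+)\((.*)\)$", text, re.M):
        attrs = dict(kv.split("=", 1) for kv in body.split("%") if kv)
        tests.setdefault(name, []).append(attrs)
    return tests

def term_ok(term, value):
    """One term: '<N' / '>N' compare as hex (assumed), otherwise exact string."""
    if term[:1] in ("<", ">") and len(term) > 1:
        try:
            v, n = int(value, 16), int(term[1:], 16)
        except ValueError:
            return False
        return v < n if term[0] == "<" else v > n
    return term == value

def expr_ok(expr, value):
    """'|' separates alternatives; '&' joins terms that must all hold."""
    return any(all(term_ok(t, value) for t in alt.split("&")) for alt in expr.split("|"))

def mismatches(reference, observed):
    """List (test, attr, expected, seen) where no observed attempt satisfies the reference."""
    ref, obs, out = parse(reference), parse(observed), []
    for test, lines in ref.items():
        for attr, expr in lines[0].items():
            seen = sorted({o[attr] for o in obs.get(test, []) if attr in o})
            if not any(expr_ok(expr, s) for s in seen):
                out.append((test, attr, expr, seen))
    return out

if __name__ == "__main__": print(*mismatches(REFERENCE, OBSERVED), sep="\n")
```

On this subset, TSeq, T1 and T5 satisfy the reference; only T2 differs, in DF, W and Ops.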


