Nmap Development mailing list archives
3.70 fingerprinting issues
From: HIP-HiPpO <arthur () zaphod emanet net>
Date: Tue, 28 Sep 2004 03:32:48 -0700
I am attempting to fingerprint a host which has a known fingerprint in the nmap-os-fingerprint file. Here is the fingerprint listed in the file.

# HP-UX test01 B.11.11 U 9000/800 1277844053 unlimited-user license
Fingerprint HP-UX 11.11
Class HP | HP-UX | 11.X | general purpose
TSeq(Class=RI%gcd=<6%SI=<C7A6A&>ABA%IPID=I%TS=100HZ)
T1(DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=Y%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=Y%TOS=0%IPLEN=70%RIPTL=148%RID=F%RIPCK=E%UCK=E%ULEN=134%DAT=E)

The host's banner is captured as

HP-UX sbuxeu2 B.11.11 U 9000/800 1152444651 unlimited-user license

and the associated fingerprint is

SInfo(V=3.55%P=i686-pc-linux-gnu%D=9/21%Time=4150C213%O=7%C=1)
TSeq(Class=RI%gcd=1%SI=A636%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=D32D%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=A5F9%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T2(Resp=Y%DF=N%W=400%ACK=S%Flags=AR%Ops=WNMETL)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AR%Ops=WNMETL)
T4(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
T4(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T6(Resp=Y%DF=N%W=C00%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=1000%ACK=S++%Flags=AR%Ops=WNMETL)
T7(Resp=Y%DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=70%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This host should map correctly to the fingerprint file, but it does not. As shown in the received fingerprint, the string "WNMETL" is on almost every Tlevel except T5.

Could I receive an explanation on how to fix this so the host is correctly identified?

Regards,
Arthur
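Added example, not part of the original post and not nmap's own matching code: a Python script that parses a subset of the two fingerprints quoted above and lists each attribute where an observed line fails the reference entry. It assumes the reference syntax treats `|` as alternatives, `&` as joined conditions, and `<`/`>` as hexadecimal comparisons; the function names are hypothetical.

```python
import re

# Lines copied from the post: a subset of the nmap-os-fingerprints reference
# entry for HP-UX 11.11 and of the fingerprint nmap reported for the host.
REFERENCE = """\
TSeq(Class=RI%gcd=<6%SI=<C7A6A&>ABA%IPID=I%TS=100HZ)
T1(DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=Y%TOS=0%IPLEN=70%RIPTL=148%RID=F%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""
OBSERVED = """\
TSeq(Class=RI%gcd=1%SI=A636%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=N%W=1000%ACK=S%Flags=AR%Ops=WNMETL)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=Y%TOS=0%IPLEN=70%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

def parse(text):
    """Return [(test_name, {attr: value})] for each 'Name(a=b%c=d)' line."""
    return [(name, dict(kv.partition("=")[::2] for kv in body.split("%")))
            for name, body in re.findall(r"^(\w+)\((.*)\)\s*$", text, re.M)]

def term_ok(term, value):
    """Assumed syntax: '<N' / '>N' compare as hex; anything else is a literal."""
    if term and term[0] in "<>":
        try:
            seen, bound = int(value, 16), int(term[1:], 16)
        except ValueError:
            return False
        return seen < bound if term[0] == "<" else seen > bound
    return term == value

def attr_ok(expr, value):
    """Assumed syntax: '|' separates alternatives, '&' joins required terms."""
    return any(all(term_ok(t, value) for t in alt.split("&")) for alt in expr.split("|"))

def mismatches(reference, observed):
    """List (test, attr, expected, seen) wherever an observed line disagrees."""
    ref = dict(parse(reference))
    return [(name, attr, expr, seen.get(attr))
            for name, seen in parse(observed) if name in ref
            for attr, expr in ref[name].items()
            if attr not in seen or not attr_ok(expr, seen[attr])]

if __name__ == "__main__":
    for row in mismatches(REFERENCE, OBSERVED):
        print("%s %s: reference %r, observed %r" % row)
```

Attributes that appear only in the observed line, such as `Resp=Y` on T1, are ignored because the reference entry places no constraint on them.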