Nmap Development mailing list archives
Comments on OS detection 2nd generation
From: GomoR <nmap-hackers () gomor org>
Date: Fri, 26 May 2006 19:14:38 +0200
Fyodor, I read your paper on OS fingerprinting 2nd generation. To be frank, I do not see major changes in probe packets (but it may be because of my lack of deep knowledge upon the 1st generation). I have some comments, though (in no particular order).

1. MSS/Window size

I quote your paper: "MSS values have changed due to evidence that they can affect the returned window size on some platforms." Yes, in fact, by reading the Linux IP stack source (as far as I remember), one can see that the window size is computed using the MSS value (when available). Since a piece of equipment from the source to the target may change the MSS in-between, the initial Window size in the reply will be changed. That is the main reason for SinFP to use a heuristic1 algorithm, that is to accept minor changes on MSS/Window size, and still not miss the detection. I have seen many different systems that work that way, there may be a RFC talking about that.

2. SackOK

That is a difference with the first generation. I guess you found this option by looking at SinFP ;) and you're right to use it. It permits to differentiate Windows 98SE (which implements this) from Windows NT 4.0 (which does not). Same is true for the difference between SunOS 5.6 and 5.7 (5.6 does not implement it, 5.7 does).

3. TCP ack and seq comparison against probes

I find this one particularly interesting, so I decided to take a look. While there is rarely a difference from an OS version to another, there are indeed some differences between one OS and another. So, I decided to add it to SinFP (for upcoming 2.00 release). I also decided to take a look at adding the same functionality with IP ID. And there are also some differences from one OS to another. For example, Compaq Tru64 returns the same IP ID as the request when one sends a SYN|ACK to an open port. In fact, Compaq Tru64 copies TCP seq/ack and IP ID from the request, and uses it to reply. This is the only system to do this that I've seen.

So, I think you could add IP ID comparison to the 2nd generation OSFP like you did with TCP seq and ack.

4. ICMP/UDP probes

I do not like these probes just because when a target has an open TCP port, we are not totally assured that a firewall in-between is not crafting responses for these tests. So, you may end up with a fingerprint generated in part from the true target, and in part from a false target, leading to a bad detection.

5. Absence of response (Responsiveness test)

I think this is also a difference with the first generation, and I totally agree with this change.

6. Last remark

In the http://www.insecure.org/nmap/osdetect/osdetect-other-methods.html page, I did not see a note on SinFP (passive mode OS detection). Maybe you did not try it, but I think it is as good as p0f, with more signatures, since SinFP passive signatures are the active signatures.

--
http://www.GomoR.org/
Systems & Security Engineer
---[ zsh$ alias psed='perl -pe ' ]---
Net::Packet <=> http://search.cpan.org/~gomor/

Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
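The comparisons discussed in points 1 to 3 of the mail (SackOK presence, reply seq/ack and IP ID relative to the probe, window expressed relative to MSS), worked as an added example with constructed packets; this is not SinFP or Nmap code, and the packet builder, field names and sample values are assumptions made here for illustration:

```python
import struct

def build_ipv4_tcp(ip_id, seq, ack, flags, window, options=b""):
    """Constructed test datagram: minimal IPv4 + TCP header, checksums left zero."""
    options += b"\x00" * (-len(options) % 4)      # pad options to 32-bit words
    doff = 5 + len(options) // 4                   # TCP data offset in words
    tcp = struct.pack("!HHIIHHHH", 40000, 80, seq, ack, (doff << 12) | flags,
                      window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Extract the header fields that active OS fingerprinting compares."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id = struct.unpack_from("!H", pkt, 4)[0]
    tcp = pkt[ihl:]
    seq, ack, off_flags, window = struct.unpack_from("!IIHH", tcp, 4)
    opts = tcp[20:(off_flags >> 12) * 4]
    mss, sackok, i = None, False, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                     # malformed option: stop rather than loop
            break
        if kind == 2 and length == 4:      # MSS
            mss = struct.unpack_from("!H", opts, i + 2)[0]
        elif kind == 4:                    # SackOK (present on 98SE, absent on NT 4.0)
            sackok = True
        i += length
    return {"ip_id": ip_id, "seq": seq, "ack": ack, "window": window,
            "mss": mss, "sackok": sackok}

def compare_reply(probe, reply):
    """Relate the reply to the probe: derived from it, copied from it, or independent."""
    return {
        "ack_is_probe_seq_plus_1": reply["ack"] == (probe["seq"] + 1) & 0xFFFFFFFF,
        "seq_copied_from_probe": reply["seq"] == probe["seq"],
        "ipid_copied_from_probe": reply["ip_id"] == probe["ip_id"],
        "sackok": reply["sackok"],
        # window as a multiple of MSS survives path MSS clamping; the raw value does not
        "window_mss_ratio": round(reply["window"] / reply["mss"], 2) if reply["mss"] else None,
    }
```

A reply whose seq and IP ID both equal the probe's, as the mail describes for Tru64, shows up as two True copy flags, while an ordinary stack answers with its own seq and IP ID and an ack of probe seq + 1.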
Current thread:
- Comments on OS detection 2nd generation GomoR (May 26)
- Re: Comments on OS detection 2nd generation Arturo 'Buanzo' Busleiman (May 26)
- Re: Comments on OS detection 2nd generation Joshua D. Abraham (May 26)
- Re: Comments on OS detection 2nd generation Arturo 'Buanzo' Busleiman (May 26)
- Re: Comments on OS detection 2nd generation Joshua D. Abraham (May 26)
- Re: Comments on OS detection 2nd generation (soft fingerprinting) Brandon Enright (May 26)
- Re: Comments on OS detection 2nd generation (soft fingerprinting) Joshua D. Abraham (May 26)
- Re: Comments on OS detection 2nd generation (soft fingerprinting) Fyodor (May 26)
- Re: Comments on OS detection 2nd generation (soft fingerprinting) Joshua D. Abraham (May 26)
- Re: Comments on OS detection 2nd generation Joshua D. Abraham (May 26)
- Re: Comments on OS detection 2nd generation (soft fingerprinting) Fyodor (May 26)
- Re: Comments on OS detection 2nd generation (soft fingerprinting) Joshua D. Abraham (May 26)
- Re: Comments on OS detection 2nd generation Arturo 'Buanzo' Busleiman (May 26)