Nmap Development mailing list archives
Re: Comments on OS detection 2nd generation (soft fingerprinting)
From: Fyodor <fyodor () insecure org>
Date: Fri, 26 May 2006 21:18:54 -0700
On Fri, May 26, 2006 at 11:52:15PM -0400, Joshua D. Abraham wrote:
> > Nmap actually does have that capability. Doug added it last year. But the version detection signatures need to be augmented. Look at Josh's mail:
>
> Are you referring to my banner patch?

I'm referring to the (relatively) new o// d// and h// fields that Nmap can now use to determine the OS family, device type, and host name during version detection if the app (intentionally or accidentally) reveals that information and the signature was carefully enough written to detect it. These are documented here: http://www.insecure.org/nmap/vscan/vscan-fileformat.html#id248104

> I think that if the user could have access to the banner that they would be able to determine this information more easily.

If Nmap recognizes the service but misses useful information from the banner, we should rewrite the signature to include that information (in the i// extra information field if we can't parse it more specifically). If Nmap doesn't recognize the service, you do get the banner (if the service gave one) in the form of a version fingerprint in both normal and XML output.

> Again, I'm sure there might be other services say for windows or something that might be of use as well.

You mean where the banner carries useful information that Nmap version detection doesn't pick up on? Then report those cases and we'll update the relevant signatures to report the extra information. To just say "we'll just print out whatever data the service spews at us and hope the user can figure it out" would be, I think, a cop-out.

> Therefore, if we had people able to have the scan with the banner included in the xml we could parse that in a survey or something.

We may very well do that. We'll just erase the existing ssh signatures from a copy of nmap-service-probes, run our scans, and then collect the banner information from the version detection fingerprint in the XML or normal output.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
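The mail above describes two things a reader may want to see concretely: how the p// v// i// h// o// d// fields of an nmap-service-probes match line turn a banner into product, OS type, device type and host name, and the survey procedure of stripping the ssh signatures from a copy of the probes file and harvesting the raw banners Nmap then reports as version fingerprints. The following is an added example illustrating both; it is not Nmap's code, nor code from anyone in this thread. The match lines, the XML document and the servicefp value are constructed and simplified (the real fingerprint format carries more fields), and the unescaping rules, the `servicefp`/`ostype`/`devicetype`/`hostname` XML attribute names and the `cpe:` field are taken from Nmap's documented formats rather than from this page.

```python
"""Added example, not Nmap's own code. Parses match-line fields, applies a
signature to a banner, and runs the survey step from the mail on sample data.
All sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

# Field letters of a match line -> attribute names in Nmap's XML <service>
FIELD_ATTRS = {"p": "product", "v": "version", "i": "extrainfo",
               "h": "hostname", "o": "ostype", "d": "devicetype"}
RE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}


def parse_match_line(line):
    """match <svc> m<d>regex<d>[is] [p<d>..<d>] [v..] [i..] [h..] [o..] [d..] [cpe:<d>..<d>]
    where <d> is any delimiter character that does not occur in the value."""
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] not in ("match", "softmatch"):
        raise ValueError("not a match line: %r" % line)
    sig = {"kind": parts[0], "service": parts[1]}
    rest, pos = parts[2], 0
    while pos < len(rest):
        if rest[pos].isspace():
            pos += 1
            continue
        if rest.startswith("cpe:", pos):       # cpe:/a:vendor:prod:ver/
            letter, start = "cpe", pos + 4
        else:
            letter, start = rest[pos], pos + 1
        delim = rest[start]
        end = rest.index(delim, start + 1)    # closing delimiter
        value = rest[start + 1:end]
        flags = re.match(r"[a-z]*", rest[end + 1:]).group(0)
        pos = end + 1 + len(flags)
        if letter == "m":
            sig["regex"], sig["flags"] = value, flags
        elif letter == "cpe":
            sig.setdefault("cpe", []).append(value)
        elif letter in FIELD_ATTRS:
            sig[FIELD_ATTRS[letter]] = value
        else:
            raise ValueError("unknown field %r in %r" % (letter, line))
    return sig


def apply_signature(sig, banner):
    """Fields Nmap would report for a banner ($1..$9 replaced by regex groups),
    or None when the signature does not match."""
    flags = 0
    for f in sig.get("flags", ""):
        flags |= RE_FLAGS[f]
    m = re.search(sig["regex"], banner, flags)
    if not m:
        return None
    out = {"service": sig["service"]}
    for attr in FIELD_ATTRS.values():
        if attr in sig:
            out[attr] = re.sub(r"\$(\d)", lambda mm: m.group(int(mm.group(1))) or "", sig[attr])
    return out


def strip_service_signatures(probes_text, service):
    """Copy of nmap-service-probes without the match/softmatch lines of one
    service, so Nmap reports that service's banner as a fingerprint instead."""
    kept = []
    for line in probes_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] in ("match", "softmatch") and parts[1] == service:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def banner_from_fingerprint(fp):
    """Raw response from the first %r(PROBE,LEN,"...") entry of a version
    fingerprint: bytes are written as xHH hex or r/n/t escapes, and regex
    metacharacters are backslash-escaped."""
    m = re.search(r'%r\(\w+,[0-9A-Fa-f]+,"((?:[^"\\]|\\.)*)"\)', fp)
    if not m:
        return None
    ctl = {"r": "\r", "n": "\n", "t": "\t"}
    unescape = lambda mm: (chr(int(mm.group(1)[1:], 16)) if mm.group(1)[0] == "x"
                           else ctl.get(mm.group(1), mm.group(1)))
    return re.sub(r"\\(x[0-9A-Fa-f]{2}|.)", unescape, m.group(1))


def collect_fingerprints(xml_text):
    """(addr, port, servicefp) for every port in Nmap XML output that carries
    a version fingerprint, i.e. where no signature recognised the service."""
    found = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            svc = port.find("service")
            if svc is not None and svc.get("servicefp"):
                found.append((addr, int(port.get("portid")), svc.get("servicefp")))
    return found


# --- constructed sample data (simplified formats) --------------------------
PROBES = r"""Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH_([\w._-]+) Debian-(\S+)\r?\n| p/OpenSSH/ v/$2/ i/Debian $3; protocol $1/ o/Linux/ d/general purpose/
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: Apache/([\w.]+)| p/Apache httpd/ v/$1/
"""
XML = r"""<nmaprun><host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" method="probed" conf="10"
 servicefp='SF-Port22-TCP:V=4.01%I=7%D=5/26%P=i686-pc-linux-gnu%r(NULL,20,"SSH-2\.0-OpenSSH_4\.3p2\x20Debian-9\r\n");'/>
</port></ports></host></nmaprun>"""

if __name__ == "__main__":
    survey_probes = strip_service_signatures(PROBES, "ssh")   # file to scan with
    ssh_sig = parse_match_line(PROBES.splitlines()[1])         # signature under review
    for addr, port, fp in collect_fingerprints(XML):
        banner = banner_from_fingerprint(fp)
        print(addr, port, repr(banner), apply_signature(ssh_sig, banner))
```

Running the sample shows the round trip the mail describes: with the ssh signature removed, the scan output carries the banner only as a servicefp string; decoding it and applying the candidate signature yields product, version, extrainfo, ostype and devicetype, which is exactly the check to run over survey results before deciding whether a signature needs its i// o// d// or h// fields augmented.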