Nmap Development mailing list archives

Re: OS Fingerprinting Problem


From: "Michael Pattrick" <mpattrick () rhinovirus org>
Date: Tue, 2 Sep 2008 16:08:46 -0400

Hey Matt,

The best way to get a fingerprint corrected in the database is by
submitting it here:
http://insecure.org/cgi-bin/submit.cgi

If you include the full fingerprint plus all the information that you
have here, it's very likely to be included in the OS db soon!

Cheers,
Michael Pattrick

On Tue, Sep 2, 2008 at 3:48 PM, net2004eng () yahoo com
<net2004eng () yahoo com> wrote:
Hello Everyone,
Recently a number of co-workers and I were in the process of attempting to identify a "Linksys BEFSR41 Firmware Version: 1.46.02, Aug 03 2004" device using 2 different versions of nmap. I was using nmap version: Nmap 4.62 while a co-worker was using Nmap 4.20. The device was properly identified by running 4.20, but was unable to be identified while running 4.62. After performing a diff on both files, I noticed the following difference:
Scan ran: "nmap -vA x.x.x.x"
4.20:
SEQ(SP=F-16%GCD=A|14|1E|28|32|3C%ISR=4F-51%TI=I%II=I%SS=S%TS=U)
4.62:
SEQ(SP=F-16%GCD=A|14|1E|28|32|3C%ISR=4D-51%TI=I%II=I%SS=S%TS=U)
The only difference here is for "%ISR=4F-51" to "%ISR=4D-51"
I understand that the ISR accounts for the average rate of increase for the returned TCP initial sequence number. I wanted to know what can be done to get this included into the next update to nmap. The device that was scanned is accurately detected as the Linksys BEFSR41 Firmware Version: 1.46.02, Aug 03 2003 device.
I plan on researching this more later, and will post any findings. If a packet trace is desired, I can post a scrubbed trace for that as well.
Comments, input, and questions are welcome.
Thanks,
Matt

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
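The thread turns on how the ISR field of the SEQ line is derived and how a measured value is checked against the range stored in nmap-os-db. The script below is an added example, not code from Nmap or from either poster: it reconstructs the GCD, ISR and SP computations for a set of six timed SYN/ACK ISNs, following Nmap's documented ISN analysis (ISR is eight times the binary logarithm of the average ISN increase per second, rounded; SP is the same encoding of the standard deviation of the per-probe rates, normalised by the GCD when the GCD exceeds 9), and then evaluates a fingerprint test expression such as `4F-51` or `4D-51` against the result. The ISN/timestamp sample is constructed, and the use of a sample (n-1) standard deviation and of the smaller modular distance between consecutive ISNs are my assumptions about Nmap's internals. Note, from the hex alone, that 4D-51 (77 to 81) is a superset of 4F-51 (79 to 81); the sample is chosen so that its ISR falls in the wider range but not the narrower one.

```python
import math
from functools import reduce

# Reconstruction of Nmap's SEQ-line ISN analysis for illustration only
# (assumption: it follows the method in Nmap's OS detection documentation).
# Nmap sends six SEQ probes about 100 ms apart; each reply's ISN and arrival
# time feed the GCD, ISR and SP tests below.

MOD32 = 1 << 32


def mod_diff(a, b):
    """Smaller of the two 32-bit modular distances between ISNs a and b, so a
    counter wrapping past 2^32 is not seen as a huge jump (assumption: the
    same idea as Nmap's MOD_DIFF macro)."""
    return min((a - b) % MOD32, (b - a) % MOD32)


def log2_scaled(x):
    """Encoding shared by ISR and SP: 0 if x < 1, else round(8 * log2(x))."""
    if x < 1:
        return 0
    return int(round(8 * math.log2(x)))


def seq_tests(isns, times_ms):
    """Return (GCD, ISR, SP) as integers from consecutive ISNs and the
    millisecond timestamps at which each SYN/ACK arrived."""
    if len(isns) < 4 or len(isns) != len(times_ms):
        raise ValueError("need at least four timed responses")
    diffs = [mod_diff(b, a) for a, b in zip(isns, isns[1:])]
    dts = [b - a for a, b in zip(times_ms, times_ms[1:])]
    rates = [d * 1000.0 / dt for d, dt in zip(diffs, dts)]  # ISN units per second

    gcd = reduce(math.gcd, diffs)
    isr = log2_scaled(sum(rates) / len(rates))

    # SP: when the GCD is larger than 9 the rates are divided by it, so a
    # stack stepping by a constant multiple is not mistaken for a random one.
    div = gcd if gcd > 9 else 1
    norm = [r / div for r in rates]
    mean = sum(norm) / len(norm)
    # assumption: sample standard deviation (divisor n-1) over the rate array
    var = sum((r - mean) ** 2 for r in norm) / (len(norm) - 1)
    sp = log2_scaled(math.sqrt(var))
    return gcd, isr, sp


def matches(expr, value):
    """Check an integer against a fingerprint test expression such as
    '4D-51', 'A|14|1E|28|32|3C', '>3' or '0': hex values, '|' alternatives,
    '-' ranges, '>' and '<' comparisons."""
    for alt in expr.split("|"):
        if alt.startswith(">"):
            if value > int(alt[1:], 16):
                return True
        elif alt.startswith("<"):
            if value < int(alt[1:], 16):
                return True
        elif "-" in alt:
            lo, hi = alt.split("-")
            if int(lo, 16) <= value <= int(hi, 16):
                return True
        elif value == int(alt, 16):
            return True
    return False


def seq_line(gcd, isr, sp):
    """Render the three computed tests in nmap-os-db notation (hex)."""
    return "SEQ(SP=%X%%GCD=%X%%ISR=%X)" % (sp, gcd, isr)


# Constructed sample (not a real capture): a stack that steps its ISN by
# multiples of 10, about 820 units per second, replies 100 ms apart.
SAMPLE_ISNS = [0x1A2B3C00, 0x1A2B3C50, 0x1A2B3CA0,
               0x1A2B3CFA, 0x1A2B3D4A, 0x1A2B3D9A]
SAMPLE_TIMES_MS = [0, 100, 200, 300, 400, 500]

if __name__ == "__main__":
    gcd, isr, sp = seq_tests(SAMPLE_ISNS, SAMPLE_TIMES_MS)
    print(seq_line(gcd, isr, sp))
    for db_isr in ("4F-51", "4D-51"):
        print("db ISR=%s -> match=%s" % (db_isr, matches(db_isr, isr)))
```

With the constructed sample the GCD comes out as A, the ISR as 4D and the SP as 11, so the measurement fails the `ISR=4F-51` test but passes `ISR=4D-51`; a fingerprint submission that carries both the computed SEQ line and the device details lets the database maintainers widen or shift such a range on real evidence rather than on one scan.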
