Nmap Development mailing list archives
[PATCH] Change to OS Fingerprint XML output
From: Tom Sellers <nmap () fadedcode net>
Date: Tue, 27 Jan 2009 19:18:57 -0600
A couple of years ago I sent an email (1,2) describing how the OS fingerprint was not being output in XML under the same conditions that it would be in Normal, StdOut, etc. I said I would submit a patch to address this, but apparently forgot... So, some 2 years later.... Currently, OS fingerprints are only output to XML when verbosity or debugging is turned on. As far as I can tell, after -O2 was introduced they have not been output to XML even when an unknown OS was scanned. I had come across this originally when building some network scanning and reporting code. I came across it again doing pretty much the same thing using Kris Katterjohn's Ruby Nmap::Parser library. Good stuff, btw. Anyway, I am now in a situation where I will need to enable verbosity on the output to force the fingerprint to be written to XML and then write code to detect if a match was found. This would generate quite a bit more output and increase the complexity of the code. It would also mean that every host would have a fingerprint block when the XML was viewed in a browser, even if there was a 100% match. I think it would be better if nmap were to output the fingerprint to XML under the same conditions that it would write it to normal, standard output, ScriptKidde, etc. I want to preface the rest of this with the fact that I am not a C coder.. I have attached a patch I believe will make the change I have suggested. I have tested the patch in my environment against multiple OSes, some successfully identified and some not. At this point, I am only really unsure about one portion of the code. The original XML fp output code in output.cc is this: ******************************************************************* if (o.debugging || o.verbose) { char *xml_osfp = xml_convert(merge_fpr(FPR, currenths, reason != NULL, reason != NULL)); log_write(LOG_XML,"<osfingerprint fingerprint=\"%s\" />\n", xml_osfp); free(xml_osfp); } ******************************************************************* I deleted the block and moved the three core lines into 'write_merged_fpr' with the goal of having them called anytime a fingerprint is written for other outputs. ******************************************************************* static void write_merged_fpr(const FingerPrintResults *FPR, const Target *currenths, bool isGoodFP, bool wrapit) { log_write(LOG_NORMAL|LOG_SKID_NOXLT|LOG_STDOUT, "TCP/IP fingerprint:\n%s\n", merge_fpr(FPR, currenths, isGoodFP, wrapit)); /* Added code here to print fingerprint to XML file any time it would be printed to any other output format */ char *xml_osfp = xml_convert(merge_fpr(FPR, currenths, isGoodFP, wrapit)); log_write(LOG_XML,"<osfingerprint fingerprint=\"%s\" />\n", xml_osfp); free(xml_osfp); } ******************************************************************* I changed the parameters to merge_fpr for the XML related call from reason !=NULL to isGoodFP and wrapit in order to be more in line with the other outputs. I am concerned that the parameters to merge_fpr may need to stay the same as the original call. Other than the above, there is only one other change in behavior that I am aware of. Currently XML fingerprints are forced written at verbosity is 1 or higher, while other formats are forced to write when verbosity is 2 or higher. After the change they would be the same at verbosity = 2 or higher. Hopefully both the change in behavior and the patch will be accepted. Any feedback would be greatly appreciated. Thanks, Tom Sellers (1) - http://seclists.org/nmap-dev/2006/q4/0317.html (2) - http://seclists.org/nmap-dev/2006/q4/0319.html
Attachment:
xml_fp_output_change.txt
Description:
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- [PATCH] Change to OS Fingerprint XML output Tom Sellers (Jan 27)
- Re: [PATCH] Change to OS Fingerprint XML output Fyodor (Feb 01)