Nmap Development mailing list archives

Re: Other useless OS detection tests?


From: Fyodor <fyodor () insecure org>
Date: Fri, 13 Mar 2009 12:23:28 -0700

On Fri, Mar 13, 2009 at 09:10:11AM -0400, Thomas Tavaris J (Tavaris) wrote:

> L. Greenwald and T. Thomas, "Toward Undetected Operating System
> Fingerprinting," Proceedings of the First USENIX Workshop on
> Offensive Technologies (WOOT '07), Boston, MA, August 6, 2007.

And here is a link to the paper, for folks who haven't read it yet:

http://www.usenix.org/events/woot07/tech/full_papers/greenwald/greenwald.pdf

The paper analyzes Nmap 4.21ALPHA4.  So it is looking at the 2nd
generation OS detection system, but the DB only contained 417
fingerprints then, vs. 1,761 now.  The paper only studied the TCP
probes, because "(1) they are more easily blocked by defensive
devices, and (2) our information gain evaluation reveals that they are
of marginal value."

> Granted this was on an earlier version of Nmap so I reran our code
> recently on the signature database of Nmap 4.76 and the results were
> similar. (have not published these yet)

Please let us know on the list when you can share the new results!  If
you haven't gone far beyond rerunning the code yet, you might want to
use a newer version of Nmap instead.  Nmap 4.76 had 1,503 signatures
in the DB, and we've (by which I mean mostly David's hard work, plus
hundreds of people who submitted signatures) already increased that by
17% to 1,761 in 4.85BETA3.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

